They See Me Scannin’, They Hatin’: A Beginner’s Guide to Nmap

Estimated Difficulty: 馃挏馃挏馃挏馃馃

A 1337 hax anthem

Recon, Recon, Recon

One of the most important phases of an attack, is the reconnaissance phase. Often abbreviated to recon, this phase usually consists of a variety of process and techniques to collect information about a target system. This phase may also be known as “Information Gathering” as the main goal is usually to attempt to gather as much information about a target as possible.

The recon phase is also the first step of the Cyber Kill Chain. The Cyber Kill Chain, developed by Lockheed Martin, is a framework to help identify and visualise the phases of an attack.

Interpreted From: Lockheed Martin

A huge thanks to Morgan for whipping up this excellent graphic!

Techniques that may be used during recon include: Footprinting, Host Discovery, Scanning and Enumeration. Using these techniques in cohesion helps an attacker enrich their understanding of the target, using this knowledge to help tailor their attack to be successful and “silent” to avoid detection.

This blog will primarily focus on the Scanning technique, walking through the basics of the tool Nmap.

What is Nmap?

Network Mapper (shortened to Nmap) is a port scanner used for both host discovery and target enumeration. Often the “go-to” for the first step in either an attack or a pen-test, Nmap helps you get a feel of the type of system you are attacking – identifying the types of services running with the capability to also identify potential vulnerabilities.

Nmap can be used against an entire network, to identify and scan multiple hosts, or against a single target. By default, Nmap will scan for the top 1000 most popular ports and services.

What is Port Scanning?

Port scanners are applications/tools that allow you to identify the types of ports open and running services on a system. To put it bluntly, it’s identifying the “open doors” and potential entry points into a system.

Using a port scanner is a form of active recon, as traffic/packets will be sent to the target in an attempt to identify ports and services. This is important to understand, as aggressive scanning can potentially create noise that may alert the target.

Types of Port States

Scanners help identify port states during a scan, and there are several states a port can be in. The states that Nmap recognises are: open, closed, filtered, unfiltered, open|filtered and closed|filtered.

Open: The port is actively running a service and is listening and accepting connections

Closed: The port has no application listening on it and is not accepting connections

Filtered: The port is being block and/or protected by a firewall, filter or something similar – Nmap will return a “filtered” port if it cannot determine what state the port is in

Unfiltered: The port can be accessed, but Nmap cannot determine what type of port it is

Open|Filtered: If an port does not give a response, Nmap may class it as open|filtered as it is unsure if it is open or filtered

Closed|Filtered: This state is used when Nmap cannot determine if a port is closed or filtered

For more information on port states, have a look here.

Using Nmap

The following section will detail basic syntax and options used to carry out a simple Nmap scan through a Linux command prompt/terminal using Command Line Interface (CLI). Nmap can also be used on Windows, and you can also use Nmap as a GUI by downloading ZenMap (checkout ZenMap here).

Basic Syntax

nmap <target> 

Useful Flags

Flags can be used to help specify the type of scans you want the scan to complete. This can range from identifying versions and banner grabbing to identifying the port scanning range – and so much more! Below are the flags that I have used the most in the past:

Detect Service Version

This scan will attempt to detect the version of services running on a port.

nmap -sV <target>
UDP Scan

This scan will check the UDP ports on a system.

nmap -sU <target>
OS Detection

This scan will attempt to identify the operating system (OS) running on a system.

nmap -O <target>
Full TCP Scan

This scan will complete a full TCP handshake (SYN, SYN/ACK, ACK) connection to identify ports and services.

nmap -sT <target>
SYN Scan

This scan will terminate the connection mid-TCP handshake (SYN, SYN/ACK, RST).You may want to use this scan if you would prefer to make less “noise” during your scanning phase. By terminating the connection early, sometimes the connection is not registered by the target. Sometimes this scan is dubbed a “Stealth Scan”.

nmap -sS <target>
All Ports

By default, Nmap will scan for the top 1000 most popular ports and services. Using this scan will scan for all the ports.

nmap -p- <target>
Ping Scan

Ping scans can be used to scan an entire network to identify hosts. This scan will send out pings, and list the machines that respond.

nmap -sP <target>
Aggressive Detection Scan

An aggressive detection scan will complete the following all-in-one scan: OS detection (-O), version detection (-sV), script scan (-sC), and traceroute (–traceroute).

nmap -A <target>

Using Scripts

Nmap has a huge amount of scripts that you can run along side the port scanning function. These scripts range from brute forcing credentials on a service, to further service-specific enumeration. To have a look at all the scripts Nmap has to offer, go to here.

To use a script, use the following syntax:

nmap --script=<yourchosenscript> <target>

Types of Output

You can specify the type of output from a Nmap scan by using flags. If you do not specify an output, by default Nmap will just display the output in the terminal.

XML Format
nmap <target> -oX myFile
Nmap Format

This format will be identical to the output generated by Nmap by default in the terminal. This will create a .nmap file.

nmap <target> -oN myFile
Grepable Format

This format will create a file that can grep can be used on to search for specific text. This will create a .gnmap file.

nmap <target> -oG myFile
All Format

Using this flag will create an XML, Nmap and Grepable Nmap output at the same time.

nmap <target> -oA myFile

Timing

You can set different timing settings to control the aggressiveness of the scan. Nmap has six different options, ranging from 0 to 5.

T0: Paranoid
T1: Sneaky
T2: Polite
T3: Normal
T4: Aggressive
T5: Insane

To use the timing options, use the T value as a flag (-T<option>)

Common Ports and Vulnerabilities

Here’s a quick rundown of some common ports (and their vulnerabilities) that you may come across in a scan – including further enumeration steps that you can take to find out more about the service.

FYI: This isn’t a complete list, there are loads other vulnerabilities/further enumeration steps that can be included in this table!

Port TCP/UDPServiceVulnerabilities/Further Enumeration Steps
21TCPFTPAnonymous Login
Upload/Download Files
Unencrypted
22TCPSSHBrute Forcing
File Transfer (SCP)
23TCPTELNETBanner Grabbing
Cleartext
Brute Forcing
25TCPSMTPEnumerate User Accounts (VRFY, EXPN, RCPTTO)
Unencrypted
Send Emails
53TCPDNSEnumerate DNS (Lookup)
Zone Transfers (Host + Dig) 
DNS Spoofing
69 UDPTFTPFile Transfer
Unauthenticated (But you may not be able to list files)
Upload/Download files
Paired with SNMP
80TCPHTTPNot Secure/Encrypted
Web Vulnerabilities
Enumerate Web Server: Nikto, Dirb(uster), Metasploit Scanners
88TCPKERBEROSSignposts DC (Domain Controller) Purpose
Compromise = Potential to Generate Tickets 
Ticket Attacks (e.g. Kerberoasting)
139TCPSMBEnumerate Machine (Enum4Linux)
RID Cycling (Enumerate Users) 
Null Sessions
Access Open Shares
143TCPIMAPTransmits Messages in Plaintext
161UDPSNMPUse of Default Community Strings (public/private)
Enumerate MIB/System/Network Information
Enumerate Default Gateways/Router Addresses 
Enumeration: snmpwalk, snmpcheck, onesixtyone
389TCPLDAP/SSLEnumerate LDAP Directories: JXplorer (GUI)
443TCPHTTPSWeb Vulnerabilities 
Enumerate Web Server: Nikto, Dirb(uster), Metasploit Scanners
445TCPNETBIOSEnumerate Machine (Enum4Linux)
Null Sessions
Access Open Shares
1433TCPMSSQLPotential Default Credentials to Database
Pre-existing Exploits
Enumeration: Metasploit, Squirrel
3306TCPMySQLDefault Credentials to Database
Pre-existing Exploits
Enumeration: Metasploit, Squirrel
3389TCPRDPRemotely Access Systems
Potentially Default Credentials (Guest Account)
Rdesktop
5800TCPVNCRemotely Access Systems
No Authentication (Older Versions) 
VNCViewer
5900TCPVNC/HTTPRemotely Access Systems
No Authentication (Older Versions) 
VNCViewer
8080TCPHTTPSimilar to HTTP (80)
Likely to be Tomcat Admin/Management Page


Further Resources

Here are some other resources that I recommend that you can use to learn more about using Nmap:

Andy Gill/ZephrFish Nmap Guidehttps://blog.zsec.uk/nmap-rtfm/
Official Nmap Documentationhttps://nmap.org/docs.html
HighOn.Coffee Nmap Cheat Sheethttps://highon.coffee/blog/nmap-cheat-sheet/

I hope that this blog has been at least some sort of use – and that you can at least go out and start scanning all the things*

Waynes World Excellent GIFs | Tenor


*please don’t scan all the things if you do not have written permission and/or it is a target that does not serve an educational purpose. If you wish to try your new-found scanning knowledge, Nmap has actually created a machine so people can test their Nmap – http://scanme.nmap.org/

8 Comments

  1. Thanks for putting all this together it’s really helpful! Didn’t realise about the Nmap machine.

  2. Dan Conn

    Another awesome blog post! Thanks!

  3. MsCyber

    Those are *literally* the linux manpages

    • Thanks for your feedback, this post was created for absolute beginners to give context behind the basic commands of Nmap and it’s usage. Would you like us to add anything further to the post to make it more comprehensive? 馃檪

    • Hi Queens. I found this website by accident.. I followed a tweet and led me here.

      I am new into infosec, cybersecurity, pentesting. And the way you explain the basic stuff about pen test is incredible. You keep it simple and useful, with nice images etc.
      Is there any materials,from Uni or your personal collections, like pdf etc you could share with me?
      The areas I am focusing is : networking, Linux, priv esc and some very basic scripting stuff.. I think you can see my email..
      My ultimate goal is the OSCP but unfortunately I can’t afford the cost atm.

      Thank you in advance and keep on the good work :))

      • Hi there, welcome to our website! 馃檪 I’m glad to hear that you’re enjoying our content so far. If you keep an eye on our website we are hoping to create a learning resources page where we will be sharing items such as pdfs, other blogs, labs etc. Thanks once again for your feedback, we hope that you enjoy our content in weeks to come!

Leave a Reply to Sophia Cancel

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.