NMAP Capabilities¶
What is NMAP?¶
Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing. It was even featured in several movies, including The Matrix Reloaded, The Bourne Ultimatum, and Die Hard 4.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
Essential Nmap Parameters¶
- Ping Scan: -sn Nmap does not scan ports; it only reports which hosts are up (host discovery only).
✏️ Note: -sP is the old name for this option. It is deprecated but still works.
- SYN / Stealth Scan: -sS Default when running with root privileges. Nmap sends a SYN, classifies the reply, and the half-open connection is torn down with a RST instead of completing the three-way handshake, so the application listening on the port never sees a connection.
- Connect Scan: -sT Default without root privileges. Nmap uses the operating system's connect() call and completes the full handshake, so it is slower, and the connection is visible to the application and its logs.
- UDP Scan: -sU Probes UDP ports instead of TCP; it can be combined with a TCP scan type (for example -sS -sU). Expect it to be slow: an open UDP port usually gives no reply, so it is reported as open|filtered, and many hosts rate-limit the ICMP port-unreachable messages that mark closed ports.
- Xmas Scan: -sX Sets the FIN, PSH and URG flags to "light up" the packet like a Christmas tree.
- FIN Scan: -sF Sets only the FIN flag.
- Null Scan: -sN Sets no flags at all; the TCP flags field is 0.
✏️ Note: Xmas, FIN and Null scans rely on RFC 793 behaviour: a closed port answers with RST, an open port stays silent. Because silence is also what a dropping firewall produces, they report open|filtered rather than open, and they do not work against systems that send RST for any unexpected segment (Microsoft Windows and many Cisco devices among them), where every port looks closed.
- TCP ACK Scan: -sA Sends probes with only the ACK flag set. It cannot tell open from closed, since both answer with RST (reported as unfiltered); its purpose is mapping firewall rules, because ports whose probes are dropped are reported as filtered.
- Version Detection: -sV Nmap sends service probes to each open port and matches the responses against its signature database to determine the service and its version.
- OS Detection: -O Nmap uses differences in TCP/IP stack behaviour to make a calculated guess about the operating system. It needs raw packet privileges and works best when it finds at least one open and one closed TCP port on the target.
✏️ Note: Nmap, by default, scans the 1,000 most commonly used ports for each scanned protocol (not the 1,024 "well-known" ports 0-1023). To specify a particular port (or ports), use -p, for example -p 22,80,443 or -p 1-1024; -p- scans all 65,535 ports.
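The scan types above differ only in which TCP flags the probe carries and in how the reply is read. The following Python is an added example for this page, not Nmap's own code: it builds the raw 20-byte TCP header each flag-based scan type would send (with a correct checksum over the IPv4 pseudo-header) and applies the reply-to-state rules from the Nmap reference guide. The function names are this example's own, and the 192.0.2.x addresses are RFC 5737 documentation addresses chosen for the demo.

```python
"""Raw TCP probes for Nmap's flag-based scan types, and the rules Nmap uses to
turn the reply into a port state. Added example for this page, not Nmap code;
function names are this example's own, addresses are RFC 5737 documentation
addresses chosen for the demo."""
import socket
import struct

# TCP flag bits (RFC 793), as they appear in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type sets in its probe. -sT is absent: it uses connect() and
# lets the kernel do a full handshake, so there is no raw probe to build.
SCAN_FLAGS = {
    "-sS": SYN,              # half-open: a SYN/ACK reply is torn down with RST
    "-sA": ACK,              # firewall ruleset mapping only
    "-sF": FIN,
    "-sN": 0,                # no flags at all, flags byte is 0
    "-sX": FIN | PSH | URG,  # "lit up like a Christmas tree"
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(scan: str, src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0x12345678) -> bytes:
    """20-byte TCP header (no options, no payload) for the given scan type, with a
    valid checksum. A scanner would prepend an IP header and send it on a raw socket."""
    flags = SCAN_FLAGS[scan]
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, 1024, 0, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_flags(header: bytes) -> int:
    """Flags byte of a TCP header."""
    return header[13]


def checksum_ok(header: bytes, src_ip: str, dst_ip: str) -> bool:
    """Receiver-side check: summing pseudo-header plus segment, checksum included, gives 0."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


# Reply kinds modelled: "SYN/ACK", "RST", "ICMP_UNREACH" (ICMP type 3, code 1, 2,
# 3, 9, 10 or 13) and "NONE" (nothing came back after Nmap's retransmissions).
def classify_response(scan: str, reply: str) -> str:
    """Port state Nmap assigns to a reply (tables from the Nmap reference guide)."""
    if reply == "ICMP_UNREACH":
        return "filtered"  # a router or host firewall admitted it dropped the probe
    if scan == "-sS":
        return {"SYN/ACK": "open", "RST": "closed", "NONE": "filtered"}[reply]
    if scan == "-sA":
        # Open and closed ports both answer a stray ACK with RST, so -sA can only
        # tell "the probe got through" (unfiltered) from "something ate it".
        return {"RST": "unfiltered", "NONE": "filtered"}[reply]
    if scan in ("-sF", "-sN", "-sX"):
        # RFC 793: closed ports answer RST, open ports stay silent. Silence is also
        # what a dropping firewall produces, hence the ambiguous open|filtered.
        # Stacks that RST any unexpected segment (Windows, many Cisco devices) make
        # every port look closed here; use -sS against those.
        return {"RST": "closed", "NONE": "open|filtered"}[reply]
    raise ValueError(f"no flag-based probe for scan type {scan}")


if __name__ == "__main__":
    for scan in SCAN_FLAGS:
        probe = build_tcp_probe(scan, "192.0.2.1", "192.0.2.10", 40000, 80)
        print(f"{scan}: flags=0x{tcp_flags(probe):02x} header={probe.hex()}")
    for scan, reply in (("-sS", "SYN/ACK"), ("-sX", "NONE"), ("-sA", "RST"), ("-sF", "RST")):
        print(f"{scan} reply {reply:8} -> {classify_response(scan, reply)}")
```

Running the block prints each probe's header bytes and a few classifications. The point to notice is that -sX, -sF and -sN never produce an unqualified "open": the only way to confirm an open port with them is the absence of a RST, which a packet filter can fake by dropping the probe.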
Speed Configurations in Nmap¶
Nmap offers various speed settings that allow you to tailor your scans based on the level of detail you need and the time you have available. These configurations help you balance between speed and thoroughness. Let's explore these configurations and see how you can use them to optimize your scanning.
1. -T0 (Paranoid)¶
- Usage: The slowest template, intended for IDS evasion.
- When to Use: When the only goal is to stay under the per-source alert thresholds of an Intrusion Detection System (IDS). It is only practical for a handful of ports: every probe is still logged; the template just spreads them out in time.
- How to Use: nmap -T0 [target]
- Details: Paranoid mode serializes the scan (one port at a time) and waits five minutes between probes, so the default 1,000-port scan of a single host takes more than three days.
2. -T1 (Sneaky)¶
- Usage: Slightly faster than Paranoid, still focused on avoiding detection.
- When to Use: In environments with IDS/IPS (Intrusion Prevention System) sensors where some patience is acceptable.
- How to Use: nmap -T1 [target]
- Details: Sneaky mode also scans one port at a time, but waits fifteen seconds between probes instead of five minutes; a 1,000-port scan still takes over four hours.
3. -T2 (Polite)¶
- Usage: Reduces the load on the network and avoids overwhelming the target.
- When to Use: On fragile networks or fragile hosts (embedded devices, old printers, industrial controllers) where a burst of probes could cause an outage, or when any noticeable impact on network performance is unacceptable.
- How to Use: nmap -T2 [target]
- Details: Polite mode serializes the scan and waits 0.4 seconds between probes, so the default 1,000-port scan takes at least 400 seconds per host.
4. -T3 (Normal)¶
- Usage: The default; used whenever no -T option is given.
- When to Use: General-purpose scanning where the network is stable and there is no particular need for stealth.
- How to Use: nmap -T3 [target] (identical to nmap [target])
- Details: Normal mode adds no delays and probes ports in parallel, balancing speed and accuracy without overloading the network.
5. -T4 (Aggressive)¶
- Usage: Faster than Normal; used when speed matters more than stealth.
- When to Use: On reasonably fast and reliable networks (LANs, modern broadband) where quick results are needed, such as network troubleshooting or a time-boxed assessment. This is the template most authorized assessments actually run with.
- How to Use: nmap -T4 [target]
- Details: Aggressive mode is equivalent to --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 and caps the dynamic TCP scan delay at 10 ms. It gives up on slow responders sooner, which speeds up the scan but also makes it easier for IDS/IPS to spot.
6. -T5 (Insane)¶
- Usage: The fastest template, for time-critical situations.
- When to Use: When results are needed immediately and stealth is not a concern, or on fast local networks where the risk of detection is negligible.
- How to Use: nmap -T5 [target]
- Details: Insane mode is equivalent to --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms. It is extremely fast and very noisy, and it trades accuracy for speed: on anything but a fast, reliable link it can miss open ports, and a host that has not finished within the 15-minute host timeout is dropped from the results entirely.
Choosing the Right Speed¶
- Stealth vs. Speed: Lower -T values (-T0 and -T1) are for slipping under threshold-based detection in sensitive environments, at the cost of scans that take hours or days. Higher values (-T4 and -T5) are for speed, suited to quick diagnostics and non-sensitive or local networks. No template makes a scan invisible: every probe can still be logged, and a single SYN to an unused port is enough to trip a honeypot.
- Network Conditions: Consider the stability and capacity of the path to the target. On fragile or low-capacity networks use -T2 or -T3; on a reliable LAN -T4 is safe. Avoid -T5 across the Internet or VPN links, where its short timeouts and two retries can cause open ports to be reported as filtered.
- Purpose of Scan: For a detailed security audit, -T3 or -T4 is appropriate, and any port reported as filtered is worth re-scanning at a slower template before concluding it is closed. For rapid assessments or troubleshooting, -T4 or -T5 gives the quickest results.
- Fine-Grained Control: The templates are bundles of the individual timing options (--min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout, --max-retries, --scan-delay, --max-scan-delay, --host-timeout, --min-rate, --max-rate). Any of these given on the command line overrides the value the template sets, so nmap -T4 --max-retries 3 [target] keeps the T4 timeouts while allowing fewer retransmissions.
Phases of Nmap¶
Now that we've explored some of the exciting applications of Nmap, let's dive into the magic behind an Nmap scan. Each scan unfolds in a series of phases, each meticulously completing before the next one kicks off. As you’ll see, there’s much more to Nmap than just port scanning.
Script Pre-Scanning¶
The adventure begins with Script Pre-Scanning, where the Nmap Scripting Engine (NSE) gets its first turn. This phase only runs if you request scripts with --script or -sC (-sC is shorthand for --script default). Pre-scanning scripts run once per Nmap session, before any individual target is probed, and collect broad information such as network service details; examples are dhcp-discover and broadcast-dns-service-discovery.
Target Enumeration¶
Next up is Target Enumeration, where Nmap works out what you asked it to scan. Whether you specify DNS names, IP addresses, CIDR ranges (192.0.2.0/24) or octet ranges (192.0.2.1-50), Nmap expands them into a list of addresses ready for scanning. You can read targets from a file with -iL, or let Nmap pick random Internet hosts with -iR. This phase can't be skipped, but it is fastest and least surprising when you supply plain IP addresses rather than names that need forward DNS lookups.
Host Discovery (Ping Scanning)¶
Now we get into the thick of it with Host Discovery. This phase determines which targets are online and worth investigating further. Nmap offers a range of techniques here, from ARP requests on the local Ethernet segment to TCP, ICMP and other probes; by default, a privileged scan of a remote host sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, while an unprivileged scan falls back to connect() attempts on ports 80 and 443. This phase runs automatically, but you can skip it with -Pn, which treats every target as up. That is what you want when hosts block the discovery probes, but against a large range it means port-scanning every address, dead ones included, so the scan takes far longer.
Reverse-DNS Resolution¶
With the hosts identified, it’s time for Reverse-DNS Resolution. Nmap looks up the domain names for all the online hosts. These names can offer hints about the host's function and make reports more readable. You can skip this step with the -n option or expand it to include all targets, even those that are down, with -R.
Port Scanning¶
Here comes the heart of the operation: Port Scanning. Nmap sends out probes and classifies the responses (or lack thereof) to determine the status of ports as open, closed, or filtered. The variety and configurability of Nmap's port scanning techniques are vast. It’s the core function of Nmap, performed by default, but you can skip it with the -sn option if needed.
Version Detection¶
Found some open ports? Awesome! Now let's see what’s running on them with Version Detection. Nmap sends specific probes to these ports and matches the responses against a massive database of over 6,500 service signatures. Enable this feature with the -sV option to uncover the software behind the scenes.
OS Detection¶
Curious about the operating system? OS Detection is your next stop. Requested with the -O option, this phase uses subtle differences in how systems implement network standards to identify the operating system. Nmap compares the responses to a database of over a thousand known OS fingerprints.
Traceroute¶
Nmap also comes with a slick Traceroute feature, enabled by the --traceroute option. It maps out the network path to each host, using the best probe packets based on previous discovery phases. Traceroute often includes another round of reverse-DNS resolution for intermediate hosts.
Script Scanning¶
The main event for scripts is Script Scanning. Here, most NSE scripts run, each targeting specific hosts and ports. They perform tasks like detecting vulnerabilities, uncovering malware, gathering data from databases, and performing advanced version detection. Just like in the pre-scanning phase, NSE only runs if you ask it to with options like --script or -sC.
Output¶
Finally, all the collected information is compiled in the Output phase. Nmap prints results to the terminal and, with -oN, -oX, -oG or -oA, also writes them to files: -oN is the human-readable normal format, -oX is XML, the structured format that parsers and downstream tools should consume, -oG is the old grepable format, now deprecated, and -oA <basename> writes all three at once. Saving XML from every engagement scan costs nothing and makes results diffable and importable later.
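Once a scan has been saved with -oX, the next step in practice is turning the XML into something a script can act on. The following Python is an added example for this page, not Nmap's own code: it parses the structure Nmap emits (nmaprun, host, status, address, hostnames, ports/port with state and service, runstats) and lists open services on live hosts, flagging versions that come from the port-number table rather than from an actual -sV probe. The sample document is constructed for the demo (RFC 5737 addresses, made-up hostnames and versions) and the function names are this example's own.

```python
"""Parse Nmap XML output (-oX) into plain Python records. Added example for this
page, not part of Nmap. SAMPLE_XML is constructed for the demo and mirrors the
element layout Nmap writes; addresses are RFC 5737 documentation addresses."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/30" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
  </host>
  <runstats>
    <finished time="1700000000" elapsed="14.52"/>
    <hosts up="1" down="1" total="2"/>
  </runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per <host>, each with its address, PTR name, state and ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        rec = {
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "state": status.get("state") if status is not None else "unknown",
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            rec["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="table" means Nmap only looked the port number up in
                # nmap-services; "probed" means -sV got a real match from the service.
                "probed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append(rec)
    return hosts


def open_services(hosts):
    """Flat list of (addr, port, proto, service, version) for open ports on live hosts."""
    out = []
    for h in hosts:
        if h["state"] != "up":
            continue
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            if p["probed"]:
                version = " ".join(x for x in (p["product"], p["version"]) if x) or "(no match)"
            else:
                version = "(guessed from port number, not probed)"
            out.append((h["addr"], p["port"], p["proto"], p["service"], version))
    return out


def scan_summary(xml_text):
    """Command line and host counts from <nmaprun> and <runstats>."""
    root = ET.fromstring(xml_text)
    counts = root.find("runstats/hosts")
    finished = root.find("runstats/finished")
    return {
        "args": root.get("args"),
        "up": int(counts.get("up")),
        "down": int(counts.get("down")),
        "total": int(counts.get("total")),
        "elapsed": float(finished.get("elapsed")),
    }


if __name__ == "__main__":
    print(scan_summary(SAMPLE_XML))
    for row in open_services(parse_nmap_xml(SAMPLE_XML)):
        print("%s:%d/%s %s %s" % row)
```

To use it on a real file, replace SAMPLE_XML with the contents of the -oX output. The probed flag is the detail worth keeping: a service line whose method is table is nothing more than the port number's entry in nmap-services, and reporting it as an identified version is a common mistake in scan write-ups.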
Script Post-Scanning¶
And if you’re not done yet, there's Script Post-Scanning. After all the scanning is complete, any scripts in this phase can process the results and provide final reports and statistics. While Nmap doesn’t include scripts in this phase by default, you can add and run your own.
Nmap Scripting Engine (NSE)¶
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features, allowing users to automate a wide variety of network tasks. NSE extends Nmap's capabilities beyond simple port scanning by using scripts written in the Lua programming language to perform detailed network reconnaissance, vulnerability detection, and much more.
To run scripts, use --script followed by a script name, a category (for example --script vuln), a comma-separated list, or a wildcard expression such as --script "http-*"; -sC is shorthand for --script default, and --script-args passes parameters to the scripts. --script-help followed by a script or category name prints the script's documentation without scanning anything. Scripts ship in the scripts subdirectory of the Nmap distribution, typically /usr/share/nmap/scripts/$SCRIPT_NAME.nse on Linux, alongside a script.db index that records each script's categories. Scripts in the brute, dos, exploit and intrusive categories can lock out accounts, crash services or change state on the target, so run them only with explicit authorization.
What Can It Do?¶
NSE can perform a variety of tasks, including (but not limited to):
- Information Gathering: Collecting data about network hosts and services.
- Vulnerability Detection: Identifying known vulnerabilities on the target systems.
- Malware Detection: Identifying signs of malware infections.
- Policy Compliance: Checking if systems comply with certain policies or standards.
- Brute Force Attacks: Performing brute-force attacks to crack passwords.
- ...and More! The flexibility of Lua scripting allows for a virtually limitless range of possibilities.
🏋️‍♂️ Practical Exercise!¶
Using Nmap, run a scan against 8.8.8.8
✏️ Note: Port-scanning a host you do not own, or do not have written permission to test, can violate its operator's acceptable-use policy or local law. The Nmap project runs scanme.nmap.org expressly so that people can practise against it; prefer that host, or a lab machine of your own, for exercises.