
NMAP

NMAP (the Network Mapper) is a tool for port scanning and network enumeration. We can use it to identify hosts and services.

NMAP is available for both Linux and Windows, and also has a GUI version, Zenmap (if that is your kind of thing).

NMAP and Sudo

Most NMAP scans will try to use more advanced features of the network stack. Depending on the type of scan we try to do, we may need admin rights.

Detecting Devices with NMAP

One of the first tasks we might want to do is identify which devices are running on the network. This allows us to build a list of potential targets, before hitting them with more complex scans.

Tip

This is the way I like to do things: building up a picture in a sequence of steps. We might have to type a few more commands, but IMO we get the same information, and it seems much faster to pick through the interesting parts of the data rather than automating scans for stuff that may be worthless.

Another (equally valid, I won't look down on you) approach is to go in guns blazing and hit the system with everything NMAP has. Running a scan with the -A flag turns on OS detection, version detection etc. for all of the devices you specify.

However, each of these scans takes some time, and generates a lot of traffic.

This host-discovery step is known as a "sweep scan", and will try to connect to all of the devices in a specified range of IP addresses. If there is a response from an IP address, we can mark that device as being UP.

Sweep Scan -sn

While we call this type of scan a ping sweep, it does a bit more than that. The ping service is often firewalled or disabled, so we also try to get a response from common ports that might be open. For each target it sends:

  • an ICMP echo request
  • a TCP SYN to port 443
  • a TCP ACK to port 80
  • an ICMP timestamp request

For example to scan the 192.168.1.x network we can do a sweep scan with

$ sudo nmap -sn 192.168.1.1-255

#I prefer the subnet syntax
$ sudo nmap -sn 192.168.1.1/24
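As an added example (not from the original page), here is the first stage of the step-by-step approach described above as a small POSIX shell script: run the -sn sweep in nmap's grepable output mode (-oG -), keep only the hosts that answered, and save them as a target list for the port scans that come later. The sweep itself is wrapped in a function that is not called, so the script runs offline; the parser is exercised on a constructed sample of what nmap prints, with fabricated addresses and hostnames.

```shell
#!/bin/sh
# Added example, not part of the original page: stage one of a staged recon.
# nmap's grepable output (-oG) prints one "Host: <ip> (<name>)  Status: Up"
# line per host that answered the sweep, which is easy to filter with awk.

# Read "nmap -sn -oG -" output on stdin and print one live IP per line.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Sweep a range and write the live hosts to a file, printing how many were
# found. Needs sudo for the SYN/ACK probes. Not invoked here (runs offline).
sweep_to_file() {
    range="$1"; out="$2"
    sudo nmap -sn -oG - "$range" | live_hosts > "$out"
    wc -l < "$out"
}

# Constructed sample of "nmap -sn -oG - 192.168.1.0/24" output
# (fabricated hosts for illustration only).
SAMPLE_SWEEP='# Nmap scan initiated ... as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (router.lan)	Status: Up
Host: 192.168.1.10 ()	Status: Up
Host: 192.168.1.57 ()	Status: Up
# Nmap done at ... -- 256 IP addresses (3 hosts up) scanned'

# Space-separated list of the live hosts in the sample, ready to be passed
# to a later "nmap -sV ..." command as its target list.
sample_live_hosts() {
    printf '%s\n' "$SAMPLE_SWEEP" | live_hosts | tr '\n' ' ' | sed 's/ $//'
}

sample_live_hosts
```

With a real network you would call sweep_to_file 192.168.1.0/24 targets.txt and then feed targets.txt to a port scan with nmap -iL targets.txt, which keeps the slower scans limited to hosts that are actually up.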

While the sweep scan usually gives decent results, we also have another couple of options.

Ping Sweep -sP

Another option is the Ping sweep.

This makes use of ICMP ping packets, which are often filtered. However, unlike the sweep scan it can run without any elevated privileges.

$ nmap -sP 192.168.1.1/24

ARP scan -PR

The final option (that we will talk about) for sweeping the network is the ARP scan.

The advantage of this scan is that it is relatively fast, and since the ARP protocol cannot be blocked or filtered, if a host is running it will respond. Its main limitation though is that since the ARP protocol is not routed we will only be able to discover the hosts on our local network segment.

$ nmap -PR 192.168.1.0/24

Port Scanning

Our main use of NMAP will be to scan for open ports on the network devices.

By default, NMAP will try to use a SYN scan; however, if we don't have the correct permissions, it will fall back to a connect scan.

A standard port scan of a device needs no flags, we just specify the IP address (or range of IP addresses)

$ nmap 192.168.1.1
#Or for a range
$ nmap 192.168.1.1/24

We can build on the basic scan with several flags that change the behaviour of the scan. Most of these can be combined. For example, we could do version detection on HTTP ports by combining -sV -p 80,443,8080

Changing the Port Range

By default NMAP will scan the "top" 1000 ports (the most commonly found). We can change this behaviour in a number of ways:

  • --top-ports N specifies how far to go down the top ports list
  • -p Specifies either an individual or range of ports

For example, to scan ports 22, 80, 443 and all the ports between 8000 and 9000 we can use

$ nmap -p 22,80,443,8000-9000 192.168.1.1

In some situations it can be useful to scan ALL of the 65k ports. Here we can just use a - symbol on its own:

$ nmap -p- 192.168.1.1

Tip

In CTF I quite like to do the --top-ports 100 to give me something to start looking at while I wait for a deeper scan to complete.

Avoiding the Ping Sweep.

NMAP will try to determine if a host is up before it attempts to scan it. However, if the firewall is blocking the ping / SYN requests, we can force scanning using the -Pn flag:

$ nmap -Pn 192.168.1.1

Tip

Without the ping sweep, a connection will be attempted on every port specified. Obviously, this can take a lot of time to complete.

A strategy here is to combine some of the ping sweep options (like FIN or Xmas tree) to try to identify hosts that are actually up, then scan specific hosts.

OS and Version Detection

NMAP can also try to detect the version of software that is running on a remote host. It does this through a banner grabbing process: connecting to the service, and checking the response against a known database.

This can be useful both for identifying potential vulnerabilities and for spotting cases where the sys admin has "secured" the server by moving well-known services to different ports.

To enable version detection we use the -sV flag

$ nmap -sV 192.168.1.1

OS detection may also be possible through fingerprinting. This looks for default services running on a system that match a given OS's settings (for example, WinRM will only be found on a Windows box). We may also be able to get this information from the version detection, as some services (looking at you, Apache) give the build and OS value in the banner.

$ nmap -O 192.168.1.1

Finally we can perform a super detailed scan, complete with version and OS detection, using the -A flag.

$ nmap -A 192.168.1.1
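The output of a version scan is more useful once it is tabulated, and the "service moved to an odd port" case mentioned above is easy to check for mechanically. The following POSIX shell script is an added example (not from the original page): it parses the grepable output of nmap -sV -oG - into a host / port / service / version table, then flags well-known services that turned up on a port other than their usual one. The list of usual ports is a constructed shortlist for the example, not nmap's own services table, and the sample scan output is fabricated.

```shell
#!/bin/sh
# Added example, not part of the original page. In -oG output each host line
# carries a "Ports:" field whose entries look like
#   <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/
# separated by ", ", followed by an "Ignored State: ..." summary field.

# Read "nmap -sV -oG -" output on stdin; print a tab-separated line
# "ip port service version" for every OPEN port.
services() {
    awk '
    /^Host:/ && /Ports:/ {
        ip = $2
        line = $0
        sub(/.*Ports: /, "", line)                 # keep the Ports: field onwards
        sub(/[ \t]+Ignored State:.*/, "", line)    # drop the trailing summary field
        n = split(line, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")                # f[1]=port f[2]=state f[5]=service f[7]=version
            if (f[2] == "open")
                printf "%s\t%s\t%s\t%s\n", ip, f[1], f[5], (f[7] == "" ? "-" : f[7])
        }
    }'
}

# Read the table produced by services() and report well-known services that
# are not on their usual port. The "usual" map is a constructed shortlist.
odd_ports() {
    awk -F"$(printf '\t')" '
    BEGIN { usual["ssh"] = " 22 "; usual["http"] = " 80 8080 "; usual["https"] = " 443 " }
    ($3 in usual) && index(usual[$3], " " $2 " ") == 0 { print $1 ":" $2 " looks like " $3 }'
}

# Constructed sample of "nmap -sV -oG - 192.168.1.0/24" output
# (fabricated hosts and version strings for illustration only).
SAMPLE_SV='# Nmap scan initiated ... as: nmap -sV -oG - 192.168.1.0/24
Host: 192.168.1.1 (router.lan)	Ports: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///	Ignored State: filtered (997)
Host: 192.168.1.57 ()	Ports: 2222/open/tcp//ssh//OpenSSH 7.9/, 8080/open/tcp//http//Apache httpd 2.4/	Ignored State: closed (998)
# Nmap done at ... -- 256 IP addresses (2 hosts up) scanned'

# Table of open services from the sample (the closed 443 entry is dropped).
sample_services() {
    printf '%s\n' "$SAMPLE_SV" | services
}

sample_services
sample_services | odd_ports
```

On a live scan the same pipeline is nmap -sV -oG - 192.168.1.0/24 | services | odd_ports; the parser only depends on the field order of the grepable format, so it works the same with -A output as long as -oG is used.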

Note

This is a proper "all of the things" approach, and can take some time to complete. Personally, I think it's a bit excessive for something like a CTF (not to mention eating the bandwidth), but it's going to be a good idea if you want to be thorough.

Other Options

There are a couple of other global options that can be useful.

No DNS Lookup

Skipping the reverse DNS lookup can improve scan times when we are dealing with a local machine / CTF:

nmap -n 192.168.1.1

Timing Settings

Timing options let us change the "aggressiveness" of the scan. Lower timing settings increase the time between parts of the scan. This means it's "quieter" to an IDS, but takes more time. Higher timing settings mean the scan is faster, but it has more chance of tripping an IDS, and may be less accurate.

#Lowest Setting
nmap -T1

# Most Aggressive setting
nmap -T5

-T4 seems to be the best balance for speed for things like CTF, or when scanning locally.

nmap -T4 127.0.0.1

Summary

Here we have introduced some of the most common flags that can be used with NMAP. This should give you a good basis for the network scanning part of the recon process.

However, there are a huge number of options that can be used to work around various firewall settings and tailor nmap to your needs. So it's worth checking the docs (or using a cheat sheet) to help deal with specific situations.
