Penetration Testing Bootcamp

Probing the network with Nmap

Nmap is arguably one of the greatest penetration-testing tools out there. It is a network mapping utility that generates network packets for anything you are looking to put on the wire. That is what makes it such a great tool: you can generate a packet of your choice and then see how both the network and the systems respond to it. But with this power comes some complexity, and Nmap does have a bit of a learning curve. I will go through some examples that I use in my lab for testing. Check out the Nmap man page as well, as there are tons of options available to you.

Let's look at some examples:

nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80

We can also refer to the man page at https://nmap.org/book/man.html for more options and examples.

Now, let's try some real-world examples:

  1. We typically use the following scan when we want to see what is up and running on the network:

     nmap -v -sS -sV -p0-65535 192.168.1.129

  2. Now, let us go through this example switch by switch. First, you turn up the verbosity with -v. This gives us a better idea of what is going on. It isn't required, and some people don't use it, but you will like the additional information it provides. Once you have used this command enough to know what is going on, you can probably leave it off if you want.
  3. Next, we do a TCP SYN scan with -sS. There are a couple of different options when scanning TCP. I tend to use the SYN scan because it is faster than the connect scan, and it is usually not affected by a firewall as much as connect scans are.
  4. Then we use -sV, which probes the open ports to try to determine the service and version running on them.
  5. We then specify the ports to test (0-65535) and finally end with the host we are scanning.
  6. Here is the output when running this against my lab network. The output not only shows which ports are open, but also tries to identify the service, in this case a Cisco Identity Services Engine.

We can also do the same sort of test on UDP, though UDP scans take a long time. This is because UDP is a connectionless protocol: there is no mechanism to drop/close/reset the connection as there is with TCP, so Nmap needs to send multiple probes just to make sure there wasn't another reason for not getting a response back. There are ways to play around with the timing options if you want a quicker test, but be careful: if you speed them up too much, you will potentially miss things.

Here is my scan for UDP to see what this host has open:

Besides the TCP SYN scans and the UDP scans that we performed previously, there are certainly a large number of other scan types. Perusing the man page will list all the different options. Each scan type has its benefits in terms of what it shows.

The built-in scripting engine, the Nmap Scripting Engine (NSE), takes Nmap to a whole different level. It allows you to run community scripts, or even your own, as part of the command. These scripts run in parallel and provide even more information in the output. Let's look at the following example: first plain Nmap with the parameters we defined, and then the same scan with the scripting engine enabled.

Here is the output without the scripting engine enabled:

root@pi-kali:~# nmap -p22,80,443,8888 -T4 192.168.1.129
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-06 17:33 UTC
Nmap scan report for 192.168.1.129
Host is up (0.00088s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8888/tcp filtered sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

Here is the output with the scripting engine enabled. You can see the additional information that is being displayed:

root@pi-kali:~# nmap -sC -p22,80,443,8888 -T4 192.168.1.129
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-06 17:33 UTC
Nmap scan report for 192.168.1.129
Host is up (0.00084s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
|_ 2048 7e:4c:c1:4d:e6:53:68:45:5a:a5:53:f9:98:32:13:e5 (RSA)
80/tcp open http
|_http-title: Did not follow redirect to https://192.168.1.129/admin/
443/tcp open https
| http-title: Site doesn't have a title (text/html;charset=UTF-8).
|_Requested resource was /admin/login.jsp
| ssl-cert: Subject: commonName=ise.cryptomap65535.com/organizationName=IT/stateOrProvinceName=Pennsylvania/countryName=US
| Not valid before: 2016-10-12T20:17:05
|_Not valid after: 2018-10-12T20:17:05
|_ssl-date: 2017-05-06T17:33:38+00:00; 0s from scanner time.
8888/tcp filtered sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 7.31 seconds

The scripting engine is activated with the -sC flag, which runs Nmap's default set of scripts (the equivalent of --script=default); other scripts or categories can be selected with --script.
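Once you run these scans regularly you will want to pull the results into a script rather than read them by eye. As an added example (not from the book), here is a small Python parser for the normal-format output shown above: it builds a per-port record from the port table, attaches the NSE script results (the `| ` and `|_` lines) to the port they belong to, and also keeps the version column that the earlier -sV scan adds. The sample input is the -sC output from this page pasted in as a constructed string, and `expired_certs` is a hypothetical defender's check layered on the ssl-cert result.

```python
import re

# Constructed sample: the -sC output shown above, pasted as a string.
SAMPLE_OUTPUT = """\
22/tcp open ssh
| ssh-hostkey:
|_ 2048 7e:4c:c1:4d:e6:53:68:45:5a:a5:53:f9:98:32:13:e5 (RSA)
80/tcp open http
|_http-title: Did not follow redirect to https://192.168.1.129/admin/
443/tcp open https
| http-title: Site doesn't have a title (text/html;charset=UTF-8).
|_Requested resource was /admin/login.jsp
| ssl-cert: Subject: commonName=ise.cryptomap65535.com/organizationName=IT/stateOrProvinceName=Pennsylvania/countryName=US
| Not valid before: 2016-10-12T20:17:05
|_Not valid after: 2018-10-12T20:17:05
|_ssl-date: 2017-05-06T17:33:38+00:00; 0s from scanner time.
8888/tcp filtered sun-answerbook
"""

# Port row "22/tcp open ssh", plus the optional version column that -sV adds.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# First line of an NSE result: "<script-name>: <optional first value>".
SCRIPT_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")

def parse_nmap_output(text):
    """Map "22/tcp" -> {state, service, version, scripts}; NSE lines start with
    "| " (more follow) or "|_" (last line) under the port row they belong to."""
    ports, current, script = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = ports[f"{m.group(1)}/{m.group(2)}"] = {
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5) or "", "scripts": {}}
            script = None
        elif current is not None and line.startswith("|"):
            body = line[1:].lstrip("_").strip()      # drop the "| " or "|_" prefix
            m = SCRIPT_RE.match(body)
            if m:                                     # a new script result begins
                script = m.group(1)
                current["scripts"][script] = [m.group(2)] if m.group(2) else []
            elif script:                              # continuation of the last one
                current["scripts"][script].append(body)
    return ports

def expired_certs(ports, now_iso):
    """Ports whose ssl-cert 'Not valid after' is earlier than now_iso (hypothetical
    check; ISO-8601 timestamps compare correctly as plain strings)."""
    return [p for p, e in ports.items()
            if any(ln.startswith("Not valid after: ") and ln[17:] < now_iso
                   for ln in e["scripts"].get("ssl-cert", []))]
```

Feed it the text captured with -oN and you get a dictionary you can diff between scans, which is a quick way to spot a newly opened port or a certificate that has lapsed since the last run.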

With all the information that was received from Nmap, I am certainly in great shape for my focused exploit and vulnerability scanning later in this lab. Plus, with some of the version information I got back, I can pinpoint those products as well. Knowing the difference between Apache with Tomcat versus just Apache gives us a definite advantage.