Nmap is a tool for enumerating network hosts by analysing their responses to network queries. It can identify open ports and fingerprint the services listening on them.
Host Enumeration
Host Discovery
Scan network range:
Scan IP list:
Multiple targets can also be specified in the same command or as a range of IPs:
Flags like --reason and --packet-trace help in understanding how the scan arrived at its result and where you sit on the network relative to the target.
Host and Port Scanning
Scans report one of the following states for each port:

| State | Description |
|---|---|
| open | A connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams or SCTP associations. |
| closed | For TCP, the packet we received back contains an RST flag. This response can also be used to determine whether the target is alive. |
| filtered | Nmap cannot tell whether the port is open or closed, because either no response is returned from the target for that port or the target answers with an error code. |
| unfiltered | This state only occurs during a TCP ACK scan and means the port is accessible, but it cannot be determined whether it is open or closed. |
| open\|filtered | If we get no response for a specific port, Nmap sets it to this state. It indicates that a firewall or packet filter may be protecting the port. |
| closed\|filtered | This state only occurs in IP ID idle scans and indicates that it was impossible to determine whether the scanned port is closed or filtered by a firewall. |
Ports for a scan can be stated explicitly (-p 80,443), chosen from the most common ports (--top-ports=10) or scanned in full (-p-).
Connect scans (-sT) are the most accurate, but they complete a full connection, which will be visible in log files. Even so, they remain the most stealthy scan type, since completing the handshake leaves no half-open connections or unusual flag combinations for an IDS to flag.
UDP scans (-sU) take longer than TCP scans and are harder to interpret, since UDP services typically do not respond even when the port is open. If we do get a response, we know the port is open.
The version scan (-sV) returns a lot of service information.
Saving the Results
-oA for all output types
-oG for grep-able output
-oN for normal output
-oX for XML output
XML output can be converted into an HTML report with xsltproc.
Service Enumeration
The version scan -sV will return banners of the different services
Sometimes Nmap does not return all of the information it gathered, so it is always a good idea to check banners manually with Netcat or tcpdump.
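The -oX output from the Saving the Results section is the form most useful for reporting, and the -sV service banners end up in it as <service> attributes. The following is an added example, not code from the page or from the Nmap project: it parses a constructed fragment of Nmap XML and lists the open services on hosts that are up, keeping the --reason values so a report can say why a port was classed as it was.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output, trimmed to the elements used below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 10.10.10.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.10.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """One dict per host: address, up/down state, Nmap's --reason and its ports."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"addr": addr.get("addr"), "state": status.get("state"),
                 "reason": status.get("reason"), "ports": []}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            svc = port.find("service")
            svc_attr = svc.attrib if svc is not None else {}
            # product/version are only present when -sV ran and a banner matched.
            product = " ".join(v for v in (svc_attr.get("product"), svc_attr.get("version")) if v)
            entry["ports"].append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "state": state.get("state"), "reason": state.get("reason"),
                "service": svc_attr.get("name", ""), "product": product})
        hosts.append(entry)
    return hosts

def open_services(hosts):
    """Flat (addr, port, service, product) tuples for open ports on live hosts."""
    return [(h["addr"], p["port"], p["service"], p["product"])
            for h in hosts if h["state"] == "up"
            for p in h["ports"] if p["state"] == "open"]
```

For a real scan, pass the contents of the -oX file to parse_nmap_xml; filtered ports and down hosts stay in the parsed structure so a report can show them separately from the open-service list.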
Nmap Scripting Engine
Scans can be enriched with scripts that are executed against the discovered ports.
Either use default scripts:
Or run a script explicitly, or categories of scripts
Scripts are grouped into 14 categories:

| Category | Description |
|---|---|
| auth | Determination of authentication credentials. |
| broadcast | Scripts used for host discovery by broadcasting; the discovered hosts can be added automatically to the remaining scans. |
| brute | Scripts that try to log in to the respective service by brute-forcing credentials. |
| default | Default scripts, executed with the -sC option. |
| discovery | Evaluation of accessible services. |
| dos | Scripts that check services for denial-of-service vulnerabilities; used less often because they can disrupt the service. |
| exploit | Scripts that try to exploit known vulnerabilities on the scanned port. |
| external | Scripts that use external services for further processing. |
| fuzzer | Scripts that look for vulnerabilities and unexpected packet handling by sending varied field values, which can take a long time. |
| intrusive | Intrusive scripts that could negatively affect the target system. |
| malware | Checks whether the target system is infected with malware. |
| safe | Defensive scripts that do not perform intrusive or destructive access. |
| version | Extensions for service detection. |
| vuln | Identification of specific vulnerabilities. |
Performance
For large or complex scans, tuning performance may be necessary:
Presets for scan speed: -T <0-5>
Shorten request timeouts: --min-rtt-timeout
Maximum number of retries when a port does not respond: --max-retries
Minimum rate at which requests are sent: --min-rate
Firewall and IDS/IPS Evasion
The ACK scan (-sA) is the most difficult for security measures to filter.
If we have virtual private servers at our disposal, we can start noisily and change strategy if a security system blocks us.
Use decoys if our IP address is getting blocked: -D RND:<amount>. Note that the decoy addresses need to be alive on the network.
Set the source port to 53 so requests look like DNS traffic, which firewalls often allow through: --source-port 53
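The --source-port 53 trick above only works where a firewall trusts anything from the DNS port, and it leaves a recognisable trace: TCP flows from source port 53 to well-known service ports, which a genuine DNS reply never produces. The following is an added example, not code from the page: it runs that check over constructed key=value firewall log lines (the format is invented for the example, not any product's real log format) and reports sources that hit several service ports this way.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (key=value style, not any real product's format).
SAMPLE_LOG = """\
2024-05-01T10:00:01 proto=udp src=10.10.10.1 spt=53 dst=10.10.10.5 dpt=51234 action=allow
2024-05-01T10:00:02 proto=tcp src=203.0.113.9 spt=53 dst=10.10.10.5 dpt=22 action=allow
2024-05-01T10:00:02 proto=tcp src=203.0.113.9 spt=53 dst=10.10.10.5 dpt=80 action=allow
2024-05-01T10:00:03 proto=tcp src=203.0.113.9 spt=53 dst=10.10.10.5 dpt=445 action=allow
2024-05-01T10:00:04 proto=tcp src=10.10.10.20 spt=41000 dst=10.10.10.5 dpt=443 action=allow
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one key=value log line into a dict; port fields become ints."""
    fields = dict(FIELD.findall(line))
    fields["spt"], fields["dpt"] = int(fields["spt"]), int(fields["dpt"])
    return fields

def source_port_53_scanners(log_text, min_ports=2):
    """Sources opening TCP connections from source port 53 to non-DNS service ports.

    A genuine DNS answer is a UDP datagram (or a TCP reply to the client's ephemeral
    port), so a TCP flow from port 53 to a well-known port such as 22 or 445 means
    the source port was chosen deliberately, and several such destination ports
    from one address looks like a port scan. Returns {src: sorted destination ports}
    for every source that reached at least min_ports distinct service ports.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f["proto"] == "tcp" and f["spt"] == 53 and f["dpt"] != 53 and f["dpt"] < 1024:
            hits[f["src"]].add(f["dpt"])
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}
```

The same check applies to --source-port values other than 53 (for example 20 or 88, which some rule sets also trust); only the port constant changes.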
Cheat Sheet
Scanning Options

| Nmap Option | Description |
|---|---|
| 10.10.10.0/24 | Target network range. |
| -sn | Disables port scanning. |
| -Pn | Disables ICMP Echo Requests. |
| -n | Disables DNS resolution. |
| -PE | Performs the ping scan using ICMP Echo Requests against the target. |
| --packet-trace | Shows all packets sent and received. |
| --reason | Displays the reason for a specific result. |
| --disable-arp-ping | Disables ARP ping requests. |
| --top-ports=<num> | Scans the specified number of top ports, defined as the most frequently used. |
| -p- | Scans all ports. |
| -p22-110 | Scans all ports between 22 and 110. |
| -p22,25 | Scans only the specified ports 22 and 25. |
| -F | Scans the top 100 ports. |
| -sS | Performs a TCP SYN scan. |
| -sA | Performs a TCP ACK scan. |
| -sU | Performs a UDP scan. |
| -sV | Scans the discovered services for their versions. |
| -sC | Performs a script scan with the scripts categorised as “default”. |
| --script <script> | Performs a script scan using the specified scripts. |
| -O | Performs an OS detection scan to determine the OS of the target. |
| -A | Performs OS detection, service detection and traceroute scans. |
| -D RND:5 | Sets the number of random decoys that will be used to scan the target. |
| -e | Specifies the network interface that is used for the scan. |
| -S 10.10.10.200 | Specifies the source IP address for the scan. |
| -g | Specifies the source port for the scan. |
| --dns-server <ns> | Performs DNS resolution using the specified name server. |

Output Options

| Nmap Option | Description |
|---|---|
| -oA filename | Stores the results in all available formats, using “filename” as the base name. |
| -oN filename | Stores the results in normal format with the name “filename”. |
| -oG filename | Stores the results in “grepable” format with the name “filename”. |
| -oX filename | Stores the results in XML format with the name “filename”. |

Performance Options

| Nmap Option | Description |
|---|---|
| --max-retries <num> | Sets the number of retries for scans of specific ports. |
| --stats-every=5s | Displays the scan's status every 5 seconds. |
| -v/-vv | Displays verbose output during the scan. |
| --initial-rtt-timeout 50ms | Sets the specified time value as the initial RTT timeout. |
| --max-rtt-timeout 100ms | Sets the specified time value as the maximum RTT timeout. |
| --min-rate 300 | Sets the number of packets that will be sent simultaneously. |