Nmap Learning


Nmap:

Nmap is one of the most widely used network scanners, by attackers and defenders alike. Compared with netdiscover it is a far more capable tool: besides host discovery it can enumerate ports, identify services and their versions, fingerprint operating systems and run scripts against targets.
This page covers a handful of the main Nmap scan types. For the full option set refer to the man page by typing man nmap on the terminal.

Syntax: nmap [Scan Type...] [Options] {target specification}


Some Nmap Scans:

a) Ping Scan: a ping scan (host discovery only, no port scan) is used when we only want to know which hosts on a network are up, much like netdiscover. On a directly attached Ethernet segment Nmap discovers hosts with ARP requests, which is why the MAC address and vendor appear in the output; against remote networks it falls back to ICMP echo, ICMP timestamp, TCP SYN to port 443 and TCP ACK to port 80 probes, so a host that drops all of those is reported as down even though it is online.

To run a ping scan we use the nmap command with the -sn option.

┌──(root💀Dark)-[/home/nethaxstark]
└─# nmap -sn 192.168.1.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-20 19:28 IST
Nmap scan report for 192.168.1.1
Host is up (0.0015s latency).
MAC Address: BC:8A:##:##:66:6E (Qing DAO Haier Telecom)
Nmap scan report for 192.168.1.100
Host is up (0.050s latency).
MAC Address: 9C:28:##:##:A8:F2 (Xiaomi Communications)
Nmap scan report for 192.168.1.102
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.38 seconds

Every host that answered is listed, with its MAC address and vendor where Nmap learned them over ARP, which is enough to tell whether a target is on the same network segment. The entry for 192.168.1.102 shows only "Host is up." with no latency or MAC address; that is the form Nmap uses for the scanning machine itself, which it always reports as up.
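A defender runs the same scan for the opposite reason: to notice devices that should not be there. The script below is an added example for this page (not code from the Nmap project). It parses the greppable output that nmap -sn -oG - writes and reports any live host that is missing from a known-device list; the sample output is constructed to mirror the ping scan above, and KNOWN_DEVICES is an assumed asset list.

```python
"""Flag hosts that a ping scan found but that are not in a known-device list.

Added example for this page (not code from the Nmap project). It reads the
greppable output of `nmap -sn -oG -`; the sample below is constructed to mirror
the ping scan shown above, and KNOWN_DEVICES is an assumed asset list.
"""
import ipaddress
import re
import sys

# Constructed sample of `nmap -sn -oG - 192.168.1.0/24` (greppable output).
# Nmap prints one "Host:" line per host that is up; down hosts are omitted.
SAMPLE_GREPPABLE = """\
# Nmap 7.91 scan initiated Wed Oct 20 19:28:01 2021 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.102 ()\tStatus: Up
Host: 192.168.1.150 (printer.lan)\tStatus: Up
# Nmap done at Wed Oct 20 19:28:03 2021 -- 256 IP addresses (4 hosts up) scanned in 2.38 seconds
"""

# Assumed baseline: the devices we expect to see on this segment.
KNOWN_DEVICES = {"192.168.1.1", "192.168.1.100", "192.168.1.102"}

# Greppable host line: "Host: <ip> (<name or empty>)<tab>Status: <Up|Down>"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def live_hosts(greppable: str) -> dict:
    """Map each host reported as Up to its reverse-DNS name ('' if none)."""
    hosts = {}
    for line in greppable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts[m.group(1)] = m.group(2)
    return hosts


def unexpected_hosts(greppable: str, baseline: set) -> list:
    """Live hosts that are not in the baseline, sorted by address."""
    found = live_hosts(greppable)
    return sorted((ip for ip in found if ip not in baseline),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    # Use piped-in scan output when there is any, else the constructed sample.
    data = SAMPLE_GREPPABLE if sys.stdin.isatty() else sys.stdin.read()
    for ip, name in live_hosts(data).items():
        print(f"up: {ip} {name}".rstrip())
    for ip in unexpected_hosts(data, KNOWN_DEVICES):
        print(f"NOT IN BASELINE: {ip}")
```

Run it against a real segment with nmap -sn -oG - 192.168.1.0/24 | python3 baseline.py (the file name is yours to choose). Because -sn on a local segment relies on ARP, a device that answers ARP cannot hide from this check, which is what makes the scan useful for inventory even when hosts block ICMP.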

 

b) Service Version Detection: once we know which ports are open, -sV makes Nmap connect to each one and send probes to work out which service is listening and which version it runs, instead of simply looking the port number up in its nmap-services table. Remember that every port scan covers only the 1,000 most common ports per protocol by default; to scan specific ports use the -p option with the port numbers (for example -p 22,80,443, or -p- for all 65535 ports). For detecting the service version we use the -sV option.

┌──(root💀Dark)-[/home/nethaxstark]
└─# nmap -sV scanme.nmap.org
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-20 19:40 IST
Stats: 0:01:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 85.71% done; ETC: 19:42 (0:00:15 remaining)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.31s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 989 closed ports
PORT      STATE    SERVICE      VERSION
21/tcp    open     tcpwrapped
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Linux; protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
554/tcp   open     rtsp?
1723/tcp  open     tcpwrapped
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.63 seconds

We can see which service is running, its version, and the port it listens on. For an attacker this is a treasure map: the version strings feed directly into banner grabbing, vulnerability lookups and exploit searches, and an outdated service that has not been patched can often be compromised with an already public exploit, sometimes yielding root access.
Three details in the output deserve care. tcpwrapped means the TCP handshake completed but the connection was closed before any banner was sent, typically by a TCP-wrapper or firewall rule, so a service is there but could not be identified. A trailing question mark, as in rtsp?, means no probe matched and the name is only Nmap's guess from the port number.
And a version string such as OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 is the banner the distribution ships; Ubuntu backports security fixes without bumping the upstream version number, so an old-looking version does not by itself prove the host is exploitable.

 

c) OS Detection: to identify the operating system of a target we use the -O option. Nmap sends a series of crafted TCP, UDP and ICMP probes and compares the responses (TCP window sizes, initial sequence numbers, IP ID generation, option ordering and so on) against the fingerprints in its nmap-os-db database; the best-matching entries are returned. It works best when at least one open and one closed TCP port are found.
The result cannot be fully trusted: several fingerprints may match about equally well, so Nmap reports a range (Linux 3.2 - 4.9 below) or several candidates rather than an exact version, and the output can be ambiguous.

┌──(root💀Dark)-[/home/nethaxstark]
└─# nmap -O -v 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-20 19:51 IST
Initiating ARP Ping Scan at 19:51
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 19:51, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:51
Completed Parallel DNS resolution of 1 host. at 19:51, 0.08s elapsed
Initiating SYN Stealth Scan at 19:51
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 7777/tcp on 192.168.1.1
Discovered open port 6666/tcp on 192.168.1.1
Completed SYN Stealth Scan at 19:51, 0.23s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.0016s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
6666/tcp open  irc
7777/tcp open  cbt
MAC Address: BC:8A:##:14:##:6E (Qing ######### Telecom)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.9
Uptime guess: 0.096 days (since Wed Oct 20 17:32:27 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.294KB)

In the command above, -O requests OS detection and -v enables verbose output, so Nmap also prints each phase (ARP ping, DNS resolution, SYN scan, OS detection) as it runs. Note that without -sV the service names irc and cbt come only from the nmap-services port table; as the -A scan below shows, both ports are in fact AChat.

d) Aggressive Scan: -A is a shortcut that enables OS detection (-O), version detection (-sV), the default script set (-sC) and traceroute (--traceroute) in one run. It gives the most informative results, covering ports, services, versions, OS and script output, but it is also the loudest scan: it sends far more probes, the default NSE scripts actively interact with services, and against a fragile production server that load can cause an unintended DoS (Denial of Service).
So this scan needs to be used very carefully, and only against systems you are authorised to test. To use the aggressive scan we pass -A as the option.

┌──(root💀Dark)-[/home/nethaxstark]
└─# nmap -A 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-20 19:55 IST
Nmap scan report for 192.168.1.1
Host is up (0.0040s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.77
| dns-nsid:
|_  bind.version: dnsmasq-2.77
80/tcp   open  http    Boa HTTPd 0.94.14rc21
|_http-server-header: Boa/0.94.14rc21
|_http-title: Did not follow redirect to http://jiofi.local.html
6666/tcp open  achat   AChat chat system
7777/tcp open  achat   AChat chat system
MAC Address: BC:8A:E8:14:66:6E (Qing DAO Haier Telecom)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   3.97 ms 192.168.1.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.04 seconds
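The -sV, -O and -A results above are usually consumed by a script rather than read by eye, and Nmap's XML output (-oX) is the format meant for that. The following is an added example for this page, not Nmap's own code: it turns the XML from nmap -sV -O -oX - into a service inventory that keeps Nmap's own caveats (a trailing ? for a service only guessed from the port table, tcpwrapped flagged as unidentified) and into an OS verdict that is marked ambiguous when the best fingerprint is below 100% or a runner-up is close behind. SAMPLE_XML is constructed to mirror the scanme.nmap.org and router results shown above; the element and attribute names are those Nmap's XML format uses, while the accuracy values and runner-up matches are assumed for the example.

```python
"""Build a service inventory and an OS verdict from Nmap XML output.

Added example for this page, not Nmap's own code. It parses the XML that
`nmap -sV -O -oX -` writes (-A produces the same elements plus script output).
SAMPLE_XML is constructed to mirror the -sV and -O results shown above; the
accuracy values and runner-up OS matches are assumed for the example.
"""
from typing import Optional
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX - scanme.nmap.org" version="7.91">
<host><status state="up" reason="echo-reply"/>
<address addr="45.33.32.156" addrtype="ipv4"/>
<hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="tcpwrapped" method="probed" conf="8"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="6.6.1p1 Ubuntu 2ubuntu2.13"
extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
<service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.7" extrainfo="(Ubuntu)"
method="probed" conf="10"/></port>
<port protocol="tcp" portid="554"><state state="open" reason="syn-ack"/>
<service name="rtsp" method="table" conf="3"/></port>
</ports>
<os>
<osmatch name="Linux 3.2 - 4.9" accuracy="95">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="95">
<cpe>cpe:/o:linux:linux_kernel:3</cpe></osclass></osmatch>
<osmatch name="Linux 4.4" accuracy="94"/>
<osmatch name="Linux 2.6.32" accuracy="80"/>
</os>
</host>
</nmaprun>
"""


def open_services(xml_text: str) -> list:
    """One dict per open port: host, port, proto, service, product, version.

    Follows Nmap's conventions: a service only looked up in nmap-services
    (method="table") gets a trailing '?', and tcpwrapped is flagged so it is
    not mistaken for an identified service. Filtered/closed ports are skipped.
    """
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None:                      # no service element at all
                svc = ET.Element("service")
            name = svc.get("name", "")
            if svc.get("method") != "probed":    # guessed from port number only
                name += "?"
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": name,
                "product": svc.get("product", ""),
                "version": svc.get("version", ""),
                "tcpwrapped": name == "tcpwrapped",
            })
    return rows


def os_verdict(xml_text: str, margin: int = 5) -> Optional[dict]:
    """Best OS match plus an 'ambiguous' flag.

    Nmap lists every fingerprint that matched with its accuracy. If the best
    is below 100 or a runner-up is within `margin` points of it, the verdict
    is a guess and is marked ambiguous. Returns None when -O found nothing.
    """
    matches = [(m.get("name"), int(m.get("accuracy")))
               for m in ET.fromstring(xml_text).iter("osmatch")]
    if not matches:
        return None
    matches.sort(key=lambda m: m[1], reverse=True)
    best, acc = matches[0]
    close = [n for n, a in matches[1:] if acc - a <= margin]
    return {"best": best, "accuracy": acc,
            "ambiguous": acc < 100 or bool(close), "close_matches": close}


if __name__ == "__main__":
    for r in open_services(SAMPLE_XML):
        flag = "  [tcpwrapped: unidentified]" if r["tcpwrapped"] else ""
        print(f"{r['host']} {r['port']}/{r['proto']} {r['service']} "
              f"{r['product']} {r['version']}".rstrip() + flag)
    print("OS:", os_verdict(SAMPLE_XML))
```

Feed a live scan in with nmap -sV -O -oX - target | python3 inventory.py after replacing SAMPLE_XML with sys.stdin.read(). The point of the ambiguous flag is the caveat made in the OS detection section: a 95% match with a 94% runner-up is a hint to confirm the OS by other means (the SSH banner's "Ubuntu Linux" above, for instance), not a fact to report.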

Nmap is one of the first tools used in penetration testing and other scanning activities.
Zenmap is the GUI of Nmap; it is easier to use and has some interesting features which I shall leave for you to try!

 
