Introduction to Nmap

Dsandesh
11 min read, Oct 4, 2023

Introduction

Nmap stands for "Network Mapper". It is an open-source network scanning and reconnaissance tool used to find, examine, and audit network hosts and services. It was created by Gordon Lyon (Fyodor) and first released in 1997.

Nmap can be used to learn a network's topology, its open ports, the services listening on them, and potential weaknesses in those services. To do this it combines several techniques: host discovery, port scanning, version detection, OS fingerprinting, and scripting. Its main capabilities are:

1. Port Scanning: Nmap probes a set of ports on a target and reports each one as open, closed, or filtered. This is the foundation for understanding which services are reachable.

2. Service detection: By examining the responses from open ports, Nmap can identify which service is listening and, usually, its product and version. This helps locate outdated or vulnerable services.

3. Operating System Detection: By examining small variations in how a target responds to crafted probes (TCP/IP stack fingerprinting), Nmap can make an educated guess about the target's operating system.

4. NSE (Nmap Scripting Engine): a scripting engine, based on Lua, that lets users run and write scripts for tasks such as service enumeration, vulnerability checks, and further discovery.

5. Host discovery: determining which hosts in an IP range are online by sending ICMP echo requests, TCP SYN or ACK packets, ARP requests on the local segment, and other probes.

6. Output formats: normal text, XML, and grepable output, which make Nmap easy to integrate with other tools.

7. Flexibility: scan types, timing, target selection, and scripts can all be combined to fit a particular environment or the required level of stealth.

Because ARP requests and replies do not cross routers, ARP scanning is limited to the local network segment. ARP discovery is also less intrusive than a port scan over TCP or UDP, since it never touches a port on the target; it only asks which MAC address owns an IP address. Like any scan, it should be used in accordance with the organization's network-management and security policies.

To use any tool well you should understand how it works, so let's look at how Nmap discovers hosts:

1. ICMP Echo Requests (Ping Scan): Nmap sends an ICMP echo request to each target. A reply confirms that the host is up and reachable. Relying on ICMP alone, however, will miss hosts whose firewalls drop or ignore ICMP requests.

2. TCP SYN Scans: Nmap sends a TCP SYN packet to a chosen port on the target. If the host is up and the port is open it answers with SYN-ACK; if the port is closed it answers with RST. Either answer proves the host is alive, which is why TCP probes are more reliable than ICMP pings against systems that block ICMP.

3. ARP Requests (Local Networks): On a local network, the Address Resolution Protocol (ARP) translates an IP address into a MAC address. Nmap sends ARP requests to find hosts when the targets are on the same Ethernet segment (it does this automatically). Because every host must answer ARP in order to communicate at all, this is the fastest and most reliable method within a broadcast domain.

In addition, Nmap provides UDP ping, ICMP timestamp request, and ICMP address mask request probes as further host discovery methods. The network's configuration and the required level of stealth determine which to use, and combining several probe types raises the chance of finding every live host.

Although these methods are essential for network administrators and security professionals, they must be used ethically and lawfully. Scanning networks you are not authorized to test may be illegal and is unethical. Always confirm your authorization before running any scan.

Host Discovery with Nmap

1. Ping Scanning (host discovery only): The -sn option disables port scanning and performs only host discovery. As a privileged user scanning a remote network, Nmap's default discovery probes are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; on a local Ethernet segment it uses ARP instead, and as an unprivileged user it falls back to TCP connect() attempts to ports 80 and 443. To send only ICMP echo requests, add -PE.

Example: nmap -sn 192.168.1.0/24 (lists the live hosts in the range without scanning any ports).

2. TCP SYN Ping: Nmap sends a TCP SYN to one or more chosen ports (commonly 80 or 443). A SYN-ACK or RST reply means the host is up. This gets through firewalls that block ICMP but allow traffic to common service ports.

Example: nmap -PS80,443 192.168.1.0/24 (sends TCP SYN probes to ports 80 and 443 of every address in the range).

3. User Datagram Protocol (UDP) Ping: Nmap sends a UDP packet to a chosen port. An ICMP port-unreachable reply from a closed port proves the host is up, so this probe works best against a port that is probably closed; an open port may not answer at all. It is a fallback for when ICMP and TCP probes are filtered.

Example: nmap -PU53 192.168.1.0/24 (sends UDP probes to port 53 of every address in the range).

4. Local Network Discovery through ARP Scan:

On a local Ethernet segment Nmap uses ARP requests for discovery automatically; -PR requests it explicitly.

Example: nmap -PR 192.168.1.0/24 (finds hosts on the local network with ARP requests).

5. NSE (Nmap Scripting Engine) custom scripting:

Scripts in the broadcast category, such as broadcast-ping and broadcast-dhcp-discover, find hosts by sending broadcast traffic on the local segment, and you can write your own discovery scripts in Lua.

Example: nmap --script discovery-example.nse 192.168.1.0/24 (runs a custom discovery script; discovery-example.nse is a placeholder for your own script).

6. Target Specification:

Targets can be given as single hosts or hostnames, CIDR blocks, octet ranges (192.168.1.1-50), or read from an input file.

Example: nmap -sn -iL target_hosts.txt (performs host discovery on the targets listed in target_hosts.txt, one per line).

Port Scanning with Nmap

Port scanning with Nmap finds which ports on a target host or network are open and listening for connections. It is a core step in network reconnaissance, security assessment, and troubleshooting. Here is a brief introduction to the common port scanning techniques along with frequently used options and flags:

Getting Started with Port Scanning:

Port scanning locates open ports on a target, each of which corresponds to a listening service and therefore a potential attack surface. Ports are identified by number, and well-known services usually listen on fixed ones (HTTP on 80, SSH on 22). Nmap reports each port as open (a service accepted the probe), closed (the host answered that nothing is listening, for TCP with a RST), or filtered (no answer at all, typically because a firewall dropped the probe).

Commonly Used Port Scanning Techniques:

1. TCP Connect Scan (-sT, the default for unprivileged users):

This is the most basic port scanning technique.

Nmap completes the full TCP three-way handshake with each target port using the operating system's connect() call. It needs no raw-socket privileges, but it is slower than a SYN scan and the connection is visible to the target application and its logs.

Example: nmap -sT -p 80,443 target.com

2. SYN Scan (-sS, half-open scan; the default when running as root or Administrator):

· Historically called a stealth scan, because the handshake is never completed and many applications therefore do not log the attempt (firewalls and IDS still see it).

· Nmap sends a SYN, reads the SYN-ACK (open) or RST (closed), and tears the half-open connection down with a RST.

· Faster than a full connect scan; requires raw-socket privileges.

· Example: nmap -sS -p 80,443 192.168.1.1

3. ACK Scan (-sA):

· Nmap sends ACK packets to target ports.

· It cannot distinguish open from closed; it reports ports as unfiltered (a RST came back) or filtered (no answer), which maps out a firewall's rules.

· Example: nmap -sA -p 80,443 target.com

4. FIN Scan (-sF):

· Nmap sends packets with only the FIN flag set.

· Per RFC 793 a closed port replies with RST while an open port stays silent, so Nmap reports closed or open|filtered. This works on RFC-compliant stacks but not on Windows, which replies with RST regardless of port state.

· Example: nmap -sF -p 80,443 target.com

5. UDP Scan (-sU):

· Scans for open UDP ports.

· UDP is connectionless: an ICMP port-unreachable reply means closed, a UDP reply means open, and silence means open|filtered. Hosts rate-limit ICMP errors, so UDP scans are slow and ambiguous; adding -sV helps resolve open|filtered ports.

· Example: nmap -sU -p 53,67 192.168.1.1

Frequently Used Flags and Options:

-p: ports to scan, for example -p 80,443, -p 1-1024, or -p- for all 65535 ports.

-F: fast mode, scans the 100 most common ports instead of the default 1000.

-A: enables OS detection, version detection, default script scanning, and traceroute.

-T0 through -T5: timing template. -T4 is a common choice for fast scans on reliable networks; -T5 trades accuracy for speed and may miss results.

-oN, -oX, -oG: write results in normal, XML, or grepable format; -oA <basename> writes all three at once.

Service and Version Detection

In Nmap, service and version detection (-sV) goes beyond learning which ports are open: it identifies the service listening on each port and, where possible, the product and version running there. This information is useful for reconnaissance, security evaluation, and vulnerability analysis. Nmap uses several methods:

1. How Nmap Identifies Services:

Banner Grabbing: Nmap first connects to an open port and waits for whatever the service sends on its own (the NULL probe). Many services announce themselves; an SSH server, for example, sends a line such as "SSH-2.0-OpenSSH_8.9p1", and an HTTP server reveals "Apache/2.4.41" in its Server header once Nmap sends a request.

Service Fingerprinting: Nmap matches what it receives against nmap-service-probes, a database of probes and regular-expression match lines, to identify known services.

2. Version detection:

After identifying a service, Nmap tries to pin down its exact version. This matters because different versions of the same product have different flaws and features. Nmap does this in two steps:

Protocol-specific probes: Nmap sends probes from nmap-service-probes that are appropriate to the port and protocol, for example a MySQL or Microsoft SQL Server handshake rather than SQL queries, to elicit a response that reveals the version.

Database matching: the responses are compared against the match lines in nmap-service-probes, which capture the product name, version, and extra details. The database is continuously extended with new signatures, and unmatched responses can be submitted to the Nmap project.

Understanding Service and Version Information:

Once Nmap successfully identifies the service and its version, it displays this information in its scan results. This information is valuable for network administrators and security professionals to:

· Assess the security of the services and determine if they are running vulnerable versions.

· Plan maintenance and upgrades for services with outdated versions.

· Understand the network’s configuration and what services are exposed.

Example:

nmap -sV 192.168.1.1 (add --version-intensity 0-9 to trade speed for thoroughness; -sV also resolves open|filtered UDP ports)
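The following is an added example, not code from this article or from Nmap. It uses plain Python sockets against two in-process listeners to show the mechanics described in the host discovery, port scanning, and service detection sections above: a TCP connect scan (a completed handshake means open, a refused connection means the target sent RST and the port is closed, silence means filtered), a TCP ping in the spirit of -PS (any TCP answer proves the host is up), and banner grabbing matched against a tiny stand-in for the match lines of nmap-service-probes. The listeners, their ports, and the SSH and FTP banners are constructed for the demo.

```python
"""Connect scan, TCP ping and banner fingerprinting against in-process listeners.
Added example with plain sockets, not code from the article or from Nmap. It shows
the mechanics behind a connect scan (-sT: handshake => open, refused/RST => closed,
silence => filtered), a TCP ping (-PS: any TCP answer means the host is up) and
banner grabbing matched against a tiny table in the spirit of nmap-service-probes.
Listeners, ports and banners are constructed for the demo."""
import re
import socket
import threading

# Stand-in for nmap-service-probes "match" lines: (service, banner regex, version template).
MATCH_TABLE = [
    ("ssh", re.compile(rb"^SSH-(\d[\d.]*)-OpenSSH_(\S+)"), "OpenSSH {1} (protocol {0})"),
    ("ftp", re.compile(rb"^220 ProFTPD (\S+) Server"), "ProFTPD {0}"),
]

def start_banner_listener(banner):
    """Listen on an OS-chosen loopback port; send `banner` to each client, then close it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # scanner already hung up (a bare connect probe)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv

def connect_scan_port(host, port, timeout=1.0):
    """One connect() probe, classified the way Nmap reports TCP port states."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"             # three-way handshake completed
    except socket.timeout:
        return "filtered"         # SYN dropped: no SYN-ACK and no RST
    except ConnectionRefusedError:
        return "closed"           # target answered with RST
    except OSError:
        return "error"            # e.g. network unreachable: no evidence either way
    finally:
        s.close()

def tcp_ping(host, ports=(80, 443), timeout=1.0):
    """Host discovery as with -PS80,443: the host is up if any port answers at all."""
    return any(connect_scan_port(host, p, timeout) in ("open", "closed") for p in ports)

def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Connect and read whatever the service volunteers first (Nmap's NULL probe)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""  # silent service; Nmap would continue with protocol-specific probes

def match_service(banner):
    """Return (service, version) for the first matching table entry, else (None, None)."""
    for name, regex, template in MATCH_TABLE:
        m = regex.match(banner)
        if m:
            return name, template.format(*(g.decode() for g in m.groups()))
    return None, None

def scan_and_fingerprint(host, ports):
    """Port state for every port, plus service and version for the open ones."""
    report = {}
    for port in ports:
        state = connect_scan_port(host, port)
        service = version = None
        if state == "open":
            service, version = match_service(grab_banner(host, port))
        report[port] = {"state": state, "service": service, "version": version}
    return report

def demo():
    """Start fake SSH and FTP listeners, pick a port nobody listens on, scan all three."""
    ssh_port, ssh_srv = start_banner_listener(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    ftp_port, ftp_srv = start_banner_listener(b"220 ProFTPD 1.3.7 Server ready.\r\n")
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # port is free again, so connects to it are refused (RST)
    try:
        up = tcp_ping("127.0.0.1", (ssh_port, closed_port))
        report = scan_and_fingerprint("127.0.0.1", [ssh_port, ftp_port, closed_port])
    finally:
        for srv in (ssh_srv, ftp_srv):
            srv.close()
    return up, report, (ssh_port, ftp_port, closed_port)
```

Calling demo() returns True for the ping, an "open" entry with "OpenSSH 8.9p1 (protocol 2.0)" for the SSH port, "ProFTPD 1.3.7" for the FTP port, and "closed" for the unused port. The three-way classification is the same one Nmap prints; the real tool differs in that -sS never completes the handshake and nmap-service-probes holds thousands of match lines and follow-up probes rather than two regexes.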

Nmap Scripting

The Nmap Scripting Engine (NSE) is a powerful and extensible feature of Nmap that allows users to write custom scripts to automate various tasks related to network discovery, vulnerability scanning, and network analysis. NSE scripts are written in the Lua programming language and can be used to extend the functionality of Nmap beyond its standard scanning capabilities. Here’s an overview of the NSE and how to write custom NSE scripts.

Overview of Nmap Scripting Engine (NSE):

Purpose of Nmap Script

The NSE automates and customizes Nmap scans by running scripts at defined phases: before any target is scanned (prerule), once per host (hostrule), once per matching port (portrule), or after the scan finishes (postrule).

It can be used for many purposes, including service enumeration, vulnerability checks, and network analysis.

Nmap Script Categories:

NSE scripts are grouped into categories based on their function and intrusiveness.

Categories include default, safe, discovery, vuln, exploit, auth, brute, intrusive, and more; --script can select scripts by name, by category, or by a boolean expression over categories.

Integration with Scans:

NSE scripts are run as part of a scan with the -sC option, which runs the default category, or by naming scripts or categories with the --script option.

Results Output:

NSE script results appear in Nmap's normal output and in the XML output (-oX), where each result is a <script> element with id and output attributes beneath the host or port it belongs to. Nmap has no native JSON output; convert from XML if JSON is needed.
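The XML output mentioned under the flags above (-oX) is the form most tooling consumes, and NSE results ride along inside it. The following is an added example, not code from this article or from Nmap: a parser that turns Nmap XML into plain Python structures, including per-port script results. SAMPLE_XML is constructed by hand in the shape Nmap emits (nmaprun > host > status/address/hostnames/ports > port > state/service/script); the hosts, versions, and the ssh-hostkey value are made up for the demo.

```python
"""Parse Nmap XML output (-oX) into plain Python structures.
Added example, not code from the article or from Nmap. SAMPLE_XML is constructed by
hand in the shape Nmap emits (nmaprun > host > status/address/hostnames/ports > port >
state/service/script); hosts, versions and the ssh-hostkey value are made up."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 192.168.1.0/24" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
    <hostnames><hostname name="gateway.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
        <script id="ssh-hostkey" output="3072 SHA256:constructed-demo-fingerprint (RSA)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response"/>
        <service name="domain" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return a list of host dicts: addr, hostname, up, and a list of port dicts."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = h.find("address")  # IPv6-only hosts carry addrtype="ipv6"
        hostname = h.find("hostnames/hostname")
        ports = []
        for p in h.iter("port"):
            state = p.find("state")
            svc = p.find("service")  # absent when no service info was recorded
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # NSE results: one <script> element per script that produced output
                "scripts": {s.get("id"): s.get("output") for s in p.findall("script")},
            })
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
            "up": h.find("status").get("state") == "up",
            "ports": ports,
        })
    return hosts

def open_services(hosts):
    """Flatten to one row per confirmed-open port (open|filtered is excluded on purpose)."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                row = {k: p[k] for k in ("port", "proto", "service", "product", "version")}
                rows.append({"addr": h["addr"], **row})
    return rows

def version_matches(hosts, product, version_prefix):
    """(addr, port) pairs running `product` at a version starting with `version_prefix`,
    e.g. every OpenSSH 8.x found by the scan: a simple triage filter over the results."""
    return [(r["addr"], r["port"]) for r in open_services(hosts)
            if r["product"] == product and (r["version"] or "").startswith(version_prefix)]
```

For a real scan, run nmap -sV -sC -oX scan.xml <target> and pass the file contents to parse_nmap_xml. The parser deliberately keeps open|filtered out of open_services: treating an unanswered UDP probe as a confirmed service is a common source of false positives in reports built from scan output.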

Writing Custom NSE Scripts:

Lua Language: NSE scripts are written in the Lua programming language, so having some familiarity with Lua is essential.

Script Location: Custom scripts can be placed in the scripts directory of the Nmap installation (run nmap --script-updatedb afterwards so they are added to the script database) or passed to --script as a file path or directory. Arguments for scripts are supplied separately with --script-args.

Script Structure

An NSE script declares a description, author, license, and categories, then a rule function (prerule, hostrule, portrule, or postrule) that decides whether the script should run against a given host or port, and an action function that does the work and returns the output when the rule matches.

Access to Nmap Data: NSE scripts can access data collected by Nmap, such as host information, port states, and service versions, allowing you to make informed decisions in your scripts.

Documentation: Proper documentation is crucial for custom NSE scripts. Include comments that describe the script’s purpose, usage, and any dependencies.

Examples of Practical NSE Scripts:

HTTP Enumeration:

Scripts such as http-methods and http-headers enumerate web server information: supported HTTP methods, response headers, and potentially weak configurations.

Vulnerability Scanning:

NSE scripts can check for specific vulnerabilities on target systems, for example ssl-heartbleed for Heartbleed in OpenSSL or smb-vuln-ms17-010 for MS17-010 in SMB.

Banner Grabbing:

A script can perform more thorough banner grabbing, collecting detailed service information for each open port.

Brute-Force Attacks:

Scripts in the brute category (ssh-brute, ftp-brute, and others) automate password guessing against services like SSH, FTP, or Telnet to test for weak credentials. They are noisy and can lock out accounts, so use them only with explicit authorization.

Network Enumeration:

Scripts can enumerate network resources such as DNS records, SNMP devices, or network shares.

Port-Specific Logic:

A portrule restricts a script to particular ports or services, so it only runs where it is relevant and keeps the scan focused.

Custom Service Detection:

Custom scripts can identify and fingerprint in-house or uncommon services that Nmap's version detection does not recognize by default.

How to use Nmap Scripts:

nmap --script script1.nse,script2.nse 192.168.1.1 (example; the same option also accepts category names such as default or vuln)

When writing custom NSE scripts, always exercise caution and make sure you have authorization for the actions you automate. Also consider contributing your scripts to the Nmap project (for example through the nmap-dev mailing list); accepted scripts are documented in the NSEDoc portal.

Nmap Basic Commands:

Nmap (Network Mapper) is a powerful open-source network scanning tool used for network discovery and security auditing. Here are some basic Nmap commands to get you started:

1. Scan a Single Host:

Scan a single target host or IP address to identify open ports and services.

nmap <IP address of target host>

2. Scan Multiple Hosts:

Scan several target hosts or IP addresses by listing them, separated by spaces.

nmap <IP address of target host1> <IP address of target host2> <IP address of target host3>

3. Scan a Range of IP Addresses:

Scan a range of IP addresses using octet range notation.

nmap 192.168.1.1-50

4. Scan Entire Subnet:

Scan all hosts on a specific subnet.

nmap 192.168.1.0/24

5. Scan a Specific Port:

Scan a specific port on a target host.

nmap -p 80 target_host

6. Scan Multiple Ports:

Scan multiple ports on a target host.

nmap -p 80,443 target_host

7. Scan All Ports:

Scan all 65,535 ports on a target host (takes longer).

nmap -p- target_host

8. Scan Using a Specific Scan Technique:

Specify a scan technique. For example, use the TCP SYN scan (the default when running as root; unprivileged users get a connect scan instead).

nmap -sS target_host

9. Perform an Aggressive Scan:

Enable OS detection, version detection, default scripts, and traceroute in one option. This is noisy and slow; use it where thoroughness matters more than stealth.

nmap -A target_host

10. Scan UDP Ports:

Scan UDP ports on a target host. UDP scans are slow, so limit the scope with -p or --top-ports where possible.

nmap -sU target_host

These are some basic Nmap commands to help you get started with network scanning and discovery. Nmap provides a wide range of options and features for advanced network security and reconnaissance tasks, so be sure to explore the documentation and experiment with various options to meet your specific needs. Additionally, always ensure that you have the appropriate permissions and legal authorization before conducting network scans.

Conclusion

Nmap is an open-source network scanner that identifies live hosts, open ports, and the services behind them. It discovers hosts with ICMP, TCP, UDP, and ARP probes, classifies ports with a range of scan techniques, and identifies services and versions through banner grabbing, protocol-specific probes, and fingerprint matching, with NSE scripts extending it to enumeration and vulnerability checks. That information supports security assessment, vulnerability management, configuration review, incident response, and compliance work. It must be used responsibly and only with proper authorization.