Ethical Hacking 101: Getting started with Nmap
In the previous tutorial, Anirban wrote that the very first step of hacking is reconnaissance.
In this tutorial, we will be learning “How to do Reconnaissance and how to use Nmap?”
NOTE: Port scanning is the same as checking locks on various doors. So, take prior permissions or you might get in trouble.
What is Nmap?
Nmap is a tool used to scan networks like a RADAR is used to scan air. It can be used to get details like:
- Open PORTs
- Software running the Ports
- OS Name and Version
- Software versions
- Available hosts in a subnet
- Finding exploits
- And many more
Example
Suppose your friend asked you to hack his/her website😉. You used Nmap and found he is running Apache HTTP Server 2.4.24 and then with a simple google search you found it has high vulnerability risk and can easily DDoS your friend’s server.
Installation
First, you need to install Nmap before using it.
// For Debian Based
sudo apt install nmap
For any other OS, visit here.
Getting Started
In this tutorial, I will be using the IP Address of my router and a VPS (52.66.109.176).
Host Discovery
Host Discovery is used to check your target host is running or not. We can use certain args if the ping is disabled.
Read more on Host Discovery.
abhishek@hp:~$ sudo nmap -sn -PS 10.10.1.46
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 00:33 IST
Nmap scan report for 10.10.1.46
Host is up (0.0031s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Here, we can see that our host is up.
-sn means Do Not Scan any port if the host is up.
-PS sends an empty TCP packet with the SYN flag set.
Port Scanning
Port scanning is used to know which ports are open, filtered, closed.
Read more about Port Scanning.
abhishek@hp:~$ sudo nmap -F 10.10.1.46
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 00:33 IST
Nmap scan report for 10.10.1.46
Host is up (0.022s latency).
Not shown: 94 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
443/tcp open https
8888/tcp open sun-answerbook
9999/tcp open abyssNmap done: 1 IP address (1 host up) scanned in 0.52 seconds
Here, we can see that Nmap scanned my router a found 6 ports are opened for the given services.
-F scans fast by scanning only 100 ports, you can also define the ports that need to be scanned.
OS Detection
As the word suggests, OS Detection is used to know the OS host is running, so we can plan our attack according to that.
Read more on OS Detection.
abhishek@hp:~$ sudo nmap -O 52.66.109.176
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 00:47 IST
Nmap scan report for ec2-52-66-109-176.ap-south-1.compute.amazonaws.com (52.66.109.176)
Host is up (0.047s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
465/tcp closed smtps
8000/tcp open http-alt
Aggressive OS guesses: HP P2000 G3 NAS device (90%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%), Ubiquiti AirOS 5.5.9 (89%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), MikroTik RouterOS 6.36 (88%), Linux 2.6.32 - 3.13 (88%), Linux 3.0 - 3.2 (88%)
No exact OS matches for host (test conditions non-ideal).OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.62 seconds
Here, we can see Nmap has guessed the OS with its probabilities.
-O is used to detect OS.
Version Detection
As the word suggests, Version Detection is used to know the Service and its version running on the ports, so we can plan our attack according to that.
abhishek@hp:~$ sudo nmap -sV 52.66.109.176
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 00:55 IST
Nmap scan report for ec2-52-66-109-176.ap-south-1.compute.amazonaws.com (52.66.109.176)
Host is up (0.050s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)
443/tcp closed https
465/tcp closed smtps
8000/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.66 seconds
Here, we can see the version and name of the software running on the ports.
-sV is used to detect the service and its version.
You can practice Nmap commands here: 52.66.109.176
. I have also hidden an easter egg 🤫. Try to find it and tell me in the comments😎.
Thanks for reading.