NMap Network Mapper

Nmap is an open-source network mapping tool frequently used to gain an accurate picture of how a network is set up. It was written by Gordon Lyon and comes preinstalled on many Linux distros, including Kali.

Port Scanning

The baseline functionality provided by Nmap is port scanning, which lets us tell which ports are open on our target machine. Nmap can conduct a basic port scan using

$nmap 192.168.56.3

This command conducts a SYN scan of the 1000 most commonly used ports on the machine at 192.168.56.3. While this is useful, often you'll want to scan all the ports on the target machine, which can be done as follows (the results of the scan are shown here):

$nmap -p- 192.168.56.3
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-15 18:41 CDT
Nmap scan report for 192.168.56.3
Host is up (0.00080s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
34173/tcp open  unknown
34643/tcp open  unknown
38930/tcp open  unknown
40080/tcp open  unknown

The '-p-' switch tells Nmap that you want to scan all the ports on the target machine. Both of these examples are SYN scans, one of the most popular scan types Nmap offers because of its speed and its lowered chance of crashing the target machine. That being said, there are a variety of different scan types, and it is important to be familiar with all of them. You can change the scan type using the '-s<X>' switch, where <X> is replaced by the letter denoting the type of scan you wish to conduct. For example:

$nmap -sU 192.168.56.3

conducts a UDP scan. Nmap can also conduct a version scan, which identifies what service (and which version of it) is running on each open port. This can be done using the '-sV' switch.

$nmap -sV -p- 192.168.56.3
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-15 18:44 CDT
Stats: 0:01:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 96.67% done; ETC: 18:46 (0:00:03 remaining)
Nmap scan report for 192.168.56.3
Host is up (0.00080s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  shell       Netkit rshd
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34173/tcp open  mountd      1-3 (RPC #100005)
34643/tcp open  nlockmgr    1-4 (RPC #100021)
38930/tcp open  java-rmi    GNU Classpath grmiregistry
40080/tcp open  status      1 (RPC #100024)
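As an added example (not part of this page), here is a small Python parser for the normal Nmap output shown above: it embeds a constructed excerpt of that -sV output, extracts each port row, flags open cleartext or legacy services a defender would want to see, and checks that the listed rows plus the "Not shown" count add up to 65535, i.e. that -p- really covered every TCP port. The PORT_ROW and NOT_SHOWN patterns and the CLEARTEXT set are my own choices, not anything Nmap provides.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the -sV output above (six of its rows, with the
# "Not shown" count adjusted so the excerpt still sums to 65535 ports).
SAMPLE = """\
Nmap scan report for 192.168.56.3
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
512/tcp   open  exec        netkit-rsh rexecd
514/tcp   open  shell       Netkit rshd
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
"""

PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NOT_SHOWN = re.compile(r"(\d+) (?:closed|filtered|open\|filtered) ports?")
# Cleartext-credential and legacy r-services a defender wants flagged.
CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell"}

@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when the scan was run without -sV

def parse_nmap_output(text: str) -> List[PortEntry]:
    """Turn Nmap's normal (human-readable) output into structured rows."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return rows

def cleartext_services(rows: List[PortEntry]) -> List[str]:
    """Open services from the cleartext/legacy set, sorted by name."""
    return sorted({r.service for r in rows if r.state == "open" and r.service in CLEARTEXT})

def scanned_port_count(text: str) -> int:
    """Listed rows plus the 'Not shown' count; 65535 confirms -p- covered
    the whole TCP range before you trust an 'all ports scanned' result."""
    hidden = sum(int(n) for line in text.splitlines() for n in NOT_SHOWN.findall(line))
    return hidden + len(parse_nmap_output(text))
```

The same parser works on the output of the plain -p- scan above, where the VERSION column is simply absent.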

Scripting Engine and Vulnerability Scanning

One of the most powerful parts of Nmap, and one of the most important to learn, is its built-in scripting engine, the Nmap Scripting Engine (NSE). NSE allows users to write scripts in Lua to automate a wide variety of tasks. A number of built-in scripts ship with Nmap and implement some of its more advanced functionality, such as vulnerability scanning. You can run the vulnerability-scanning scripts using

$nmap --script vuln 192.168.56.3
