NMAP - Network scanning. How to use it?

Nmap is a powerful network scanning tool available for Windows, Linux, and macOS. It allows users to scan for open ports, discover operating systems, and perform many other network-related tasks on a target system. Widely used in penetration testing, Nmap is a valuable tool for network security professionals and enthusiasts alike.

The purpose of this blog post is to provide a guide on using Nmap for common tasks. I will document the Nmap commands I frequently use for Capture The Flag (CTF) challenges and personal projects in my home lab. This guide aims to help readers understand and use Nmap's capabilities effectively.

Installation

Nmap is not typically installed by default on standard operating systems. However, penetration testing distributions like Kali Linux or Parrot OS come with Nmap pre-installed.

Windows

Download:

  • You can download the Windows installer from the Nmap download page. Look for the Windows installer (e.g., nmap-<version>-setup.exe).

Installation:

  • Run the installer and follow the prompts. The installer includes Nmap itself and, typically, Zenmap, Nmap's official graphical user interface.

Usage:

  • You can run Nmap from the Command Prompt or PowerShell. Open one of these terminals and type nmap followed by your desired options.

Linux

Installation:

  • Nmap is available through the package manager for most Linux distributions. Use the appropriate command for your distribution:

Debian/Ubuntu-based:

sudo apt update
sudo apt install nmap

CentOS/RHEL:

sudo yum install nmap

Arch Linux:

sudo pacman -S nmap

macOS

The easiest way to install Nmap on macOS is via Homebrew, a popular package manager for macOS. First, install Homebrew if you haven't already:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Then install Nmap using Homebrew:

brew install nmap

Nmap examples

1. Scan a Range of IP Addresses

To scan a range of IP addresses for open ports, you can use:

nmap 192.168.1.1-50

This scans IP addresses from 192.168.1.1 to 192.168.1.50.

2. Service Detection

To detect services and their versions running on open ports, use:

nmap -sV 192.168.1.1

The -sV option enables version detection.

3. Vulnerability Scanning

For basic vulnerability scanning, you can use Nmap's NSE (Nmap Scripting Engine) scripts. For example, to run the scripts in the vuln category against a host:

nmap --script=vuln 192.168.1.1

This command uses Nmap's built-in vulnerability scanning scripts.

4. Brute Force Attack

Nmap's core scanner does not perform brute force attacks; the ncrack tool from the Nmap project is the dedicated tool for that. Nmap's NSE scripts can, however, brute force services such as SSH or HTTP:

nmap --script ssh-brute 192.168.1.1

This runs an SSH brute force attack using Nmap scripts.

5. OS Detection

To determine the operating system of a target machine:

nmap -O 192.168.1.1

The -O option enables OS detection.

6. Saving Output to a File

To save the scan results to a file, you can use the -oN option for normal output or -oX for XML output:

nmap -oN scan_results.txt 192.168.1.1

In XML format:

nmap -oX scan_results.xml 192.168.1.1

7. Aggressive Scan

An aggressive scan provides detailed information, including host discovery, port scanning, service detection, OS detection, and script scanning:

nmap -A 192.168.1.1

The -A option enables aggressive scan mode.

8. Scan Specific Ports

To scan specific ports or a range of ports:

nmap -p 22,80,443 192.168.1.1
nmap -p 1-1000 192.168.1.1

9. Scan for TCP and UDP Ports

To scan both TCP and UDP ports:

nmap -sS -sU 192.168.1.1

The -sS option performs a TCP SYN scan, and -sU performs a UDP scan.

10. Scan Using a Custom Timing Template

To adjust the timing of the scan for speed or stealthiness:

nmap -T4 192.168.1.1

The -T4 timing template speeds up the scan but may be more detectable.

My most used Nmap combination params

For most of my use cases in Capture The Flag (CTF) competitions, I commonly use the following Nmap command. Depending on the situation, I also save the output to a text file.

nmap -T4 -O -sS -sU -p- 192.168.1.1

Here's a breakdown of the command:

  • -T4: Use a faster timing template for quicker scanning (but potentially more detectable).
  • -O: Enable OS detection.
  • -sS: Perform a TCP SYN scan.
  • -sU: Perform a UDP scan.
  • -p-: Scan all 65,535 ports.
  • 192.168.1.1: Target IP address of the specific machine.

This command runs a fast (-T4) scan that detects the operating system and covers every TCP and UDP port on the specified machine.