43 Scanning and Enumeration – Nmap Basics

Dante Rocca and Mathew J. Heath Van Horn, PhD

Network Mapper (Nmap) is a powerful tool that is used by both system administrators and hackers. In network administration, it assists in understanding which machines are online and what services they are running, which is helpful when troubleshooting common connectivity issues. In ethical hacking, Nmap is used for similar purposes but with the added goal of finding any vulnerable services we can exploit as a point of entry into the network.

Learning Objectives

  • Use Nmap to scan a host
  • Use Nmap to perform a ping scan

Prerequisites

Deliverables

  • Screenshot of subnet scan
  • Screenshot of ping sweep
  • Screenshot of detailed fingerprinting scan
  • Screenshot of stealth scan

Resources

Contributors and Testers

  • Bernard Correa, Cybersecurity Student, ERAU-Prescott
  • Jacob M. Christensen, Cybersecurity Student, ERAU-Prescott

Phase I – The Very Basics

The goal here is to familiarize students with the fundamentals of using Nmap. With no arguments, Nmap conducts a TCP SYN scan against the top 1,000 most commonly used networking ports. Keep in mind that these scans can never be 100% reliable, for they depend on the accuracy of the responses sent back by the targets (which can be manipulated). However, it is still a good starting point before planning more advanced scanning techniques.
  1. Use Eagle Net as the baseline network environment for this lab
    1. Start all machines
    2. Ensure that the Kali and Metaspolitable boxes are all able to receive IP addresses
    3. Write these addresses down for later comparison with the network scan results.  In this example, our results are:
      Kali 100.100.100.5
      Metaploitable3 – Windows 200.200.200.5
      Metasploitable3 – Linux 200.200.200.6
  2. We’re going to begin with a basic Nmap command. Navigate to the Kali box, open a terminal, and execute Nmap against the Metasploitable3-Linux box

    > nmap 200.200.200.6

    NOTE: Some Nmap commands will require superuser privilege. If you get an error saying you don’t have permission for the command, use sudo before it. Alternatively, use the command “sudo su” before beginning the lab to switch to the substitute user and you will no longer need to type sudo before each command. In a closed environment, this is fine, but using “sudo su” is generally bad practice and insecure since you are unlocking root access for everything.

  3. Allow the scan to run for a minute or two. The report will display when finished.
    Showing the results of the Nmap scan
    Figure 1 – Results of the Nmap scan of Metasploitable3-Linux machine
  4. Notice that our target machine has a large number of open ports. Each one represents a different service that is listening for new client connections
  5. Nmap accepts several different ways for specifying IP addresses, including the use of wildcards (*). Use the following command to scan all IP addresses in the range of 200.200.200.0 to 200.200.200.255

    > nmap 200.200.200.*

  6. The result should look similar to this
    Results of scan of entire subnet
    Figure 2 – Nmap scan results of the entire subnet
  7.  We can see the Nmap scan results of the entire 200.200.200.0/24 subnet (256 IP addresses).  Notice Nmap found three devices (router, Mestapoitable3 – Windows, and Metasploitable3 -Linux) and provided a report of the discovered ports open on those systems

Phase II – Scanning for hosts

Now that we have the basics down, the first step of any scan is discovering what hosts are up. You should be familiar with basic TCP packet headers.  Refer to this abbreviated reference model for this phase.

TCP Header model
Figure 3 – Abbreviated TCP Header Model
  1. The following command disables the default port scan of Nmap and performs a ping sweep (-sn) to quickly discover live hosts on the network. This is useful in identifying targets before executing slower, more intensive scans on them

    > nmap -sn 200.200.200.0/24

    Ping scan of target network
    Figure 4 – Results of the ping scan of the 200.200.200.0/24 network
  2. Again we see three devices, the router, Metasploitable3-Windows, and Metasploitable3-Linux

    NOTE: There could be ‘hidden’ hosts that are not responding to our ICMP echo messages.

  3. To treat all hosts as online (no host discovery performed first) we use the following command (-Pn = Ping no). Since this will take a while to complete, you can terminate the scan by pressing Ctrl+C

    > nmap -Pn 200.200.200.0/24

    Results of Nmap scan using the no host discovery option
    Figure 5 – Partial results of the no-host discovery scan of the 200.200.200.0/24 subnet
  4. This command is useful when you already know a host is active and you want to minimize your network traffic footprint

    > namp -Pn 200.200.200.6

    Result of nmap scan without host discovery on a specific target
    Figure 6 – Result of the Nmap scan without host discovery (no ping) against the target machine 200.200.200.6
  5. Sometimes, certain services are disabled in an attempt to avoid discovery. Nmap allows for various scanning options to see if targets will reveal information by masking network scans as other types of services. This can be useful for finding those hidden machines blocking our ICMP probes!
    1. Perform a TCP SYN discovery scan on port 22 (SSH) against 200.200.200.6

      > nmap -PS 22 200.200.200.6

    2.  Perform a TCP ACK discovery scan

      > nmap -PA 22 200.200.200.6

    3. Perform a UDP discovery scan

      > nmap -PU 22 200.200.200.6

      You will see that most of the scans produce the same results.  However, the UDP scan tells us that the host is down.  This is a good demonstration of the need to expand your scans and produce more accurate information.  Future scans using TCP SYN packets may report no active hosts, but then switching to UDP can reveal them to be up.

  6. Open a Wireshark capture on the Kali box and perform the same three scans above. Observe the number and type of packets sent and received when performing each scan. You can see how ‘noisy’ each scan appears to anyone who is monitoring the network traffic

Phase III – Fingerprinting with Nmap

For hacking, we need as much information as possible about a system to determine possible vulnerabilities. Nmap provides much more information than just what ports are open on the machine.  Fingerprinting requires root privileges.
  1. Attempt to detect the operating system (-O) of a target

    > nmap -O 200.200.200.6

    This results in many possible guesses. We may not get the exact version of Linux, but it is clear that our target machine is Linux.

    Nmap results trying to detect operating system - Linux
    Figure 7 – Nmap discovered our target machine is running Linux
  2. Try an OS detection scan against our Metasploitable3-Windows machine to compare the results

    > nmap -O 200.200.200.5

    NOTE: You may have to restart the Windows machine due to inactivity

    Scan result for windows machine
    Figure 8 – Nmap scan result for the Windows machine
  3. To find the versions of services running on a host use the command

    > nmap -sV 200.200.200.6

    The results are pretty interesting. We can use OSINT techniques (such as Google) to research potential vulnerabilities for each of these services.

    Software version of scanned target
    Figure 9 – Software version scan results of our target machine
  4. Alternatively, for more detailed (and very noisy!) scan, use the A switch. This enables OS detection, script scanning, version detection, and traceroute

    NOTE: This might take a while.

    > nmap -A 200.200.200.6

    These results are also very interesting. For example, we obtained the SSH keys used to remote into the system as well as some filenames.

    Scan results of the -A scan
    Figure 10 – Scan results of the Metasploitable3-Linux target machine

    We can also see that there might be a website being hosted and the target is waiting for print commands from other devices.

    Scan results continued
    Figure 11 – Scan results continued

Phase IV – Scanning Techniques

Lastly, there are a few more techniques which we can utilize. Refer to the basic TCP headers again.

TCP Header model
Figure 3 – Abbreviated TCP Header Model 
  1. Scans can be done using different TCP header flags and produce different results
    1. We’ll start with the simple TCP SYN (stealth) scan. Open Wireshark and perform the scan below. It doesn’t look stealthy, but it is considered as such because it never completes the TCP connection. However, firewalls can easily block this scan

      > nmap -sS 200.200.200.6

    2. Execute a TCP ACK scan. Again watch the scan on Wireshark

      > nmap -sA 200.200.200.6

    3. Execute a UDP scan (this may take a while)

      > nmap -sU 200.200.200.6

    4. Execute an Xmas scan (sets all the flags on a TCP packet header, lighting up the scan like a Christmas tree!)

      > nmap -sX 200.200.200.6

    5. Execute a TCP FIN scan

      > nmap -sF 200.200.200.6

  2. Another technique we can use is to adjust the timing of the scans. Nmap uses a number between 0 and 5 to indicate the aggressiveness of a scan. The lowest value 0 indicates a “paranoid scan” that will take a very long time to complete, but is unlikely to be picked up by IDS. Using setting 5 indicates a very aggressive scan that will be sloppy, but completed at breakneck speed. To use timing, enter the following command where the # is the timer setting.  Try both the 0 setting and the 5 setting. The scans should produce the same results, but you can see on Wireshark that the packets are sent at different speeds

    > nmap -T# 200.200.200.6

  3. Finally, you can try to mask yourself by using a decoy IP address. Watch this on Wireshark and you can see that it looks like Google is scanning our target

    > nmap -D 8.8.8.8 200.200.200.6

    1. For added confusion, you can use cloak yourself within many IP addresses, so that the defender doesn’t know which one is yours

      > nmap -D RND:20 200.200.200.6

      This command executes a Decoy scan using 20 random source IP addresses.

  4. Keep in mind that most of the commands in each section can be mixed and matched together such as in the following example which will fingerprint the operating system while using a decoy

    > nmap -O -D 8.8.8.8 200.200.200.6

End of Lab

Deliverables

Four screenshots are needed to earn credit for this exercise:

  • Screenshot of subnet scan
  • Screenshot of ping sweep
  • Screenshot of detailed fingerprinting scan
  • Screenshot of stealth scan

Homeworks

Assignment 1 – Scan a website

Scan the vulnerable website scanme.nmap.org and produce the same screenshots as the deliverables.  Describe your findings in a paragraph or two.

Assignment 2 – Scan Metasploitable3 – Windows

Start the Metasplitable3-Windows VM and produce the same screenshots as the deliverables.  Describe your findings in a paragraph or two.

No Non-Printable Figures in this Chapter

License

Icon for the Creative Commons Attribution 4.0 International License

Mastering Enterprise Networks Copyright © 2024 by Dante Rocca and Mathew J. Heath Van Horn, PhD is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book