Nmap (Network Mapper) is a highly popular and versatile open-source tool used primarily for network discovery and security auditing. Developed by Gordon Lyon, Nmap has become a standard in the cybersecurity field due to its wide range of functionalities and powerful capabilities. Its primary purpose is to help network administrators, security professionals, and even ethical hackers map out networks, discover connected devices, and evaluate the security posture of those systems. It does so by scanning networks, identifying active hosts, open ports, and the services running on those ports.
One of Nmap’s core features is network discovery. It can probe networks to find live hosts, which allows administrators to build a comprehensive picture of what devices are present and active within their network. This is critical for network management, as unrecognized or unauthorized devices can present significant security risks. By discovering all connected devices, Nmap helps network administrators ensure that only approved devices are communicating on the network.
Another fundamental aspect of Nmap is port scanning. Ports are communication endpoints on a device, and open ports indicate that a service or application is accessible over the network. Nmap allows users to scan for open ports, which helps them understand what services or applications are running on a device. This is crucial for security auditing, as open ports could be potential entry points for attackers, especially if they are associated with vulnerable or outdated services. By identifying open ports, network administrators can take steps to secure them, such as disabling unnecessary services or ensuring that the software is up to date.
Nmap also provides service and version detection. Beyond merely identifying open ports, Nmap can determine what services (e.g., HTTP, FTP, SSH) are running on those ports and even ascertain the version of the software. This is invaluable because older versions of software might contain known vulnerabilities that attackers can exploit. By identifying the software version, Nmap helps administrators ensure that their systems are running secure, up-to-date versions of critical services.
In addition to service detection, Nmap offers operating system detection. It can analyze network traffic and characteristics to make an educated guess about the operating system running on a remote host. This feature is useful for identifying whether devices are running operating systems that might require special attention, such as those no longer supported by the vendor (e.g., Windows XP).
Furthermore, Nmap’s Nmap Scripting Engine (NSE) enables users to write or use pre-existing scripts to perform more advanced tasks, such as vulnerability detection, brute-force attacks, or malware detection. This scripting capability significantly extends Nmap’s functionality, allowing for more customized and detailed network audits.
While Nmap itself does not exploit vulnerabilities, it plays a crucial role in identifying potential security weaknesses, making it an indispensable tool for any organization seeking to secure its network. Its ability to uncover detailed information about a network’s structure and security posture makes Nmap one of the most powerful tools in the network administrator and security professional’s toolkit.
It’s primarily used to scan networks and map out devices, identifying open ports, services running on those ports, and potential vulnerabilities. Here’s a breakdown of what Nmap does:
- Network Discovery: Nmap helps identify devices connected to a network (hosts), allowing administrators to see what’s running on their infrastructure.
- Port Scanning: It scans for open ports on devices to determine which services (like HTTP, FTP, SSH) are accessible. Open ports can sometimes indicate vulnerabilities or misconfigurations that could be exploited.
- Service and Version Detection: Nmap can determine what software and versions are running on open ports, which is crucial for identifying outdated or vulnerable services.
- Operating System Detection: Nmap can also guess the operating system of a remote host based on various network signals, helping in understanding the devices being used.
- Vulnerability Detection: While Nmap itself doesn’t exploit vulnerabilities, it can help detect potential security issues, such as unpatched services or poorly configured systems.
- Scripting Engine (NSE): Nmap has a powerful scripting engine that allows users to write custom scripts for more advanced network auditing tasks, like detecting malware, brute-forcing passwords, or performing detailed vulnerability assessments.
:-SCRIPTS STORE IN -usr/local/share/nmap/ and /usr/share/nmap/
Nmap is widely used in network security for reconnaissance, network management, and testing the security of networks.
HOST SCAN
Penetration testers utilize host scans, which involve sending ARP request packets to every system on a network to find the active hosts. It will then display the message “Host is up” after obtaining the MAC address of each host that is currently up.
- An ARP request scan identifies active devices on a local network by sending Address Resolution Protocol (ARP) requests and mapping IP addresses to their corresponding MAC addresses for network discovery.
SYNTAX:-
- nmap -sP <target range>
- nmap –sn <target range>
The syntax above explains how to use Nmap to do a host scan, which finds active hosts within a network. Since Kali Linux comes with nmap by default, open a terminal and type the following command to send an ARP request packet to each system individually.
You can see the outcome of the response that nmap produced for the active host in the image below.
command:-Nmap -sP 192.168.1.0-225(target ip)
How it works
In order to detect the IP assigned to a certain host machine, Nmap employs the –sP/–sn flag for host scans and broadcast ARP request packets.
In order to communicate that we wish to scan all 256 IPs in our network, it will broadcast an ARP request for a certain IP address (let us say 192.168.1.1-100) in that network. This IP address can be a part of the IP range [192.168.1.1-225] or a CIDR [192.168.1.1/24 for class C]. The active host will then transmit a unicast ARP packet and reply with its MAC address, indicating that the host is up.
Port Scan /TCP Scan
Nmap port scan should be used by penetration testers to determine whether a certain port on the target system is open or closed.
Port Status: Depending on the findings of the scan, you can notice a port status such as filtered, open, closed, etc. Allow me to clarify.
- Open: This signifies that a program is watching this port for connections.
- Closed: This means no application is listening on this port, even though the probes were received.
- Filtered: This means that the state could not be determined since the probes were not received. It also suggests that some sort of filtering is dropping the probes.
- Unfiltered: This means that although the probes were obtained, no status could be determined.
- Open/Filtered: This means that Nmap was unable to determine whether the port was open or filtered.
- Closed/Filtered: This means that although Nmap shows the port as closed or filtered.
Syntax: nmap -p [port number] <target IP range>
:nmap -sT [port number] <target IP range>
Given command will try to connect with port 135 as result if port is open then it will display state “open” as well as “service” running on that particular port.
- Command :-nmap -p135 192.168.1.46
How It Works
- Nmap defines the port range to be scanned using the -p parameter. You can use any scanning method in conjunction with this flag. In the preceding example, we used the argument –p135 to tell to Nmap that we are only interested in port 135. The CIDR /24 in 192.168.1.1/24 is applicable.which is used to indicate that we want to scan all of the 256 IPs in our network.
There are several accepted formats for the argument –p:
Port List
- Nmap –p135,139 192.168.1.46(T/ip)
When using a port list scan, penetration testers can add several ports to be scanned, which is ideal if they wish to check more than one port on the target. If one or more of the chosen ports are found to be open, this scan can be very helpful in determining their current status and reporting “host is up.”
Port Range
You can use port range scan to look through a certain range of ports on the target network, depending on what you need.
- Nmap -p1-1000 192.168.111.130(T/ip)
The aforementioned command will scan all open ports from port 1 to port 1000, determining their state and service.
All ports
Penetration testers can use the following command to list all 65535 open ports on the target system if they choose to scan them all:
- Nmap -p1-65535 192.168.111.130(T/ip) –open
The target network’s ports can be scanned using the syntax above. Please be patient while using this format as it may take some time to list all open ports. Alternatively, you can use the command below, which utilizes the parameter “-open” to expedite the process, to save time.
Specific Ports by Protocols
By default, port scan prefers to list the status of TCP ports; however, you can run the following command to scan both TCP and UDP ports:
- nmap -pT:25,pU:53<target ip>
You can also use the service name for port state scanning if you are unsure of the precise port number to use for enumeration.
Port Service Name
For port state scanning, you can also include the service name if you are unsure of the precise port number for enumeration.
- Syntax: nmap –p[service] <target>
You can see from the provided image that the above command was executed without referring to a port number, yielding the same result.
UDP Scan
While UDP services are generally disregarded in penetration tests, skilled testers are aware that they can expose critical host information or even be used to breach a host. This technique shows how to list every open UDP port on a host using Nmap.
- Syntax: nmap –sU <target>
You can see the UDP port scan result in the image below.
In order to scan particular UDP port it is suggested that you should use the flag -p for Port selection. You can see that we have selected UDP port 137 for the NetBIOS service here.
UDP Port Range
Use the –p flag to address the port range if you wish to scan a range of UDP ports or multiple UDP ports.
- Syntax: nmap -p1-500 -sU <target>
All UDP Port :- nmap -p1-500 -sU <target>
The syntax shown above can be used to scan every UDP port on the target network.
How it works:-
- UDP scan is a connection-less protocol that operates by sending a UDP packet to each destination port and analyzing the response to ascertain the port’s condition. A protocol-specific payload is provided to some popular ports, such 53 and 161, in order to boost response rate. A service that is “open” will reply with a UDP packet. An ICMP Port Unreachable message is received from the target if the port is “closed.” The port is labeled as “open|filtered” if retransmissions fail to yield a response. This could indicate that the port is open or that communication is being obstructed by packet filters.
OS Detection scan :-
Nmap is a valuable tool for OS fingerprinting in addition to open port enumeration. Penetration testers can use this scan to identify potential security flaws and identify available system functions that can be used to set particular exploit payloads.
Syntax: nmap -O <target>
- nmap –O 192.168.111.130
VERSION SCAN:-
Knowing which mail and DNS servers and versions are in use is crucial information to have when performing vulnerability assessments for your clients or companies. Having a correct version number helps greatly in determining which vulnerabilities a server is vulnerable to. You can get this information with the use of version detection. A service’s fingerprinting may also include other details about a target, like modules that are available and details about a particular protocol. In penetration testing, version scans are often categorized as “Banner Grabbing.”
- Syntax: nmap -sV <target>
PROTOCOL SCAN
An IP protocol scan can be quite useful in finding out which communication protocols a host is using. This technique demonstrates how to transmit a raw IP packet, devoid of any additional protocol header, to every protocol on the target system in order to enumerate all of the IP protocols using Nmap. Nmap will set valid header values for the IP protocols TCP, ICMP, UDP, IGMP, and SCTP; an empty IP packet will be used for the other protocols.
- Syntax: nmap -sO <target>