Pentesting with Nmap
Pentesting (or penetration testing) is a type of cybersecurity test that identifies vulnerabilities, threats, and risks in networks, systems, and applications. While vulnerability scanning attempts to identify known vulnerabilities, a penetration test (or pen test) is intended to exploit the weaknesses to gain full situational awareness when it comes to cybersecurity including organizational risk, threats, vulnerabilities, and potential business impact.
Nmap is just one of many tools that a penetration tester may use during a pentest.
Why Do I Need A Pentest?
Pentesting is one of the best security practices that you can take.
Pentesting can evaluate your security controls and provide you with recommendations to enhance your overall security posture. Penetration testing can include real-world security tests using advanced hacking methods to help you identify your weaknesses and improve your security posture. Advanced penetration tests can also simulate attacks on your network using similar techniques as malicious attackers to see if you can identify active attacks!
Nmap Overview
Nmap
Nmap ("Network Mapper") is a free and open source utility for network discovery, security testing, and pentesting. Nmap can be used to map a network, scan for live hosts, discover open ports, enumerate services, identify operating systems, and so much more!
Nmap Default Scan Settings
- Scans the 1,000 most common ports
- Randomizes the scanned port order
- Normal scan timing (-T3)
- Standard user - TCP Connect() (-sT)
- Root user - TCP SYN (-sS)
Port Statuses
- open - An application is actively accepting connections
- closed - A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it
- filtered - Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall
- unfiltered - The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only used for the ACK scan, which is used to map firewalls
- open|filtered - Nmap is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response
- closed|filtered - This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan
Print Version Number
Print the version number
nmap -V
nmap --version
Print Help Page
Print the help page
nmap -h
nmap --help
Scanning As Root
Certain Nmap scans must be run with root privileges.
You may receive an error: You requested a scan type which requires root privileges. QUITTING!
Add "sudo" to the command.
sudo nmap
Canceling A Running Scan
You may need to cancel a scan if the scan is taking a long time or if you accidentally started a scan.
Ctrl + c
Nmap: Discovery & DNS Resolution
List Scan
The list scan is a degenerate form of host discovery. It lists each host without sending any packets. This still performs reverse DNS resolution to learn the names of the hosts.
nmap -sL 192.168.1.0/24
Ping Scan / Do Not Port Scan
The Ping scan (disable port scan / no port scan) does not run a port scan after host discovery. This is one step more intrusive than the list scan.
nmap -sn 192.168.1.0/24
No Ping / Disable Ping
The No Ping scan (disable ping scan) skips the discovery stage altogether and forcefully scans every IP address.
nmap -Pn 192.168.1.0/24
No DNS Resolution
The No DNS Resolution scan does not perform DNS resolution. DNS can be slow and this type of scan may improve scanning times.
nmap -n 192.168.1.0/24
DNS Resolution For All Targets
The DNS Resolution scan performs DNS resolution for all targets. Normally DNS resolution is only performed against online hosts.
nmap -R 192.168.1.0/24
Nmap: Common Options
Scan A Single IP Address
Scan a single IP address using the default settings.
nmap 192.168.1.1
Scan Multiple IP Addresses
Scan multiple IP addresses by separating them with spaces.
nmap 192.168.1.1 192.168.1.2 192.168.1.3
Scan A Range Of IP Addresses
Scan a range of IP addresses.
nmap 192.168.1.50-100
nmap 192.168.1-20.50-100
Scan A CIDR Block
Scan a CIDR block.
nmap 192.168.1.0/24
Scan A Single Port
Scan a single port. The space is optional.
nmap -p 21 192.168.1.0/24
nmap -p21 192.168.1.0/24
Scan Multiple Individual Ports
Scan multiple ports by separating them with commas.
nmap -p 21,22,23 192.168.1.0/24
nmap -p21,22,23 192.168.1.0/24
Scan A Range Of Ports
Scan a range of ports using a dash.
nmap -p 21-23 192.168.1.0/24
nmap -p21,22,23,100-200 192.168.1.0/24
nmap -p21-23,100-200 192.168.1.0/24
Fast Limited Port Scan
The Fast port scan only scans the top 100 ports instead of the default top 1,000 ports
nmap -F 192.168.1.0/24
Scan Top Ports
Scan a specific number of top ports.
nmap --top-ports 10 192.168.1.0/24
nmap --top-ports 100 192.168.1.0/24
nmap --top-ports 1000 192.168.1.0/24
Scan (Almost) All Ports
Scan ports 1 - 65,535.
nmap -p- 192.168.1.0/24
Scan All Ports Including "0"
Scan ports 0 - 65,535. Port zero is invalid but nothing stops someone from specifying it in the header field. Some malicious trojan backdoors listen on port zero. This is a stealthy way to allow access without appearing on most port scans.
nmap -p 0-65535 192.168.1.0/24
nmap -p0-65535 192.168.1.0/24
Do Not Randomize Ports
Do not randomize the order of the ports. By default, the port order is randomized.
nmap -r 192.168.1.0/24
Only Show Open Ports
Only show the open ports.
nmap --open 192.168.1.0/24
Nmap: Not Just Port Scanning
Service Version Detection
Service version detection interrogates open ports to determine what is actually running. By default, Nmap only shows the status of the ports. Version detection will verify the service and display the version.
nmap -sV 192.168.1.0/24
Operating System Detection
Operating system detection uses TCP/IP stack fingerprinting. It sends a series of TCP and UDP packets and examines every bit in the responses, performing dozens of tests.
nmap -O 192.168.1.0/24
OS, Service Version, Scripts, & Traceroute
Enable OS detection, service version detection, script scanning, and traceroute.
nmap -A 192.168.1.0/24
Nmap: Exclusions
Exclude Hosts
Exclude specific IP addresses and networks from being scanned.
nmap --exclude 192.168.1.1,192.168.1.2 192.168.1.0/24
Exclude Ports
Exclude specific ports from being scanned.
nmap --exclude-ports 21,22,23 192.168.1.0/24
Do Not Exclude Any Ports
Do not exclude any ports. By default, some ports may be excluded including TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP GET requests, binary SSL session requests, etc.
nmap --allports 192.168.1.0/24
Nmap: Input & Output Files
Scan Hosts From A File
Scan IP addresses and networks listed in a file. There should be one IP address or CIDR per line.
nmap -iL targets.txt
Exclude Hosts From A File
Exclude IP addresses and networks listed in a file. There should be one IP address or CIDR per line.
nmap --excludefile exclude.txt 192.168.1.0/24
Save The Output In Normal Format
Save the output in normal format.
nmap -oN results.nmap 192.168.1.0/24
Save The Output In XML Format
Save the output in XML format.
nmap -oX results.xml 192.168.1.0/24
Save The Output In Grepable Format
Save the output in grepable format. This is deprecated.
nmap -oG results.gnmap 192.168.1.0/24
Save The Output In ScRipT Kidd|3 Format
Save the output in ScRipT Kidd|3 format.
nmap -oS results.txt 192.168.1.0/24
Save The Output In All Formats
Save the output in all formats excluding script kiddie format.
nmap -oA results 192.168.1.0/24
Nmap: Scan Types
TCP SYN Scan
The TCP SYN scan (stealth scan) is unobtrusive and stealthy because it never completes TCP connections. This is the default scan type for root users.
nmap -sS 192.168.1.0/24
TCP Connect Scan
The TCP Connect scan completes the connection. This takes longer than the TCP SYN scan, and the target network is more likely to log TCP Connect scans than TCP SYN scans. This is the default scan type for normal users.
nmap -sT 192.168.1.0/24
UDP Scan
While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some penetration testers ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol.
nmap -sU 192.168.1.0/24
Nmap UDP Probes
Nmap interprets responses to UDP scan probes by:
- open - Any UDP response from target port (unusual)
- open|filtered - No response received (even after retransmissions)
- closed - ICMP port unreachable error (type 3, code 3)
- filtered - Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13)
ICMP Destination Unreachable Type 3 Code Values
Nmap only cares about codes 0–3, 9, 10, and 13, which are marked with an asterisk.
- 0* - Network unreachable
- 1* - Host unreachable
- 2* - Protocol unreachable
- 3* - Port unreachable
- 4 - Fragmentation needed but don't-fragment bit set
- 5 - Source route failed
- 6 - Destination network unknown
- 7 - Destination host unknown
- 8 - Source host isolated (obsolete)
- 9* - Destination network administratively prohibited
- 10* - Destination host administratively prohibited
- 11 - Network unreachable for type of service (TOS)
- 12 - Host unreachable for TOS
- 13* - Communication administratively prohibited by filtering
- 14 - Host precedence violation
- 15 - Precedence cutoff in effect
SCTP INIT Scan
SCTP is a relatively new alternative to TCP and UDP. SCTP combines characteristics of TCP and UDP while adding new features. The SCTP INIT scan is the SCTP equivalent of the TCP SYN scan.
nmap -sY 192.168.1.0/24
TCP ACK Scan
The TCP ACK scan never determines "open" or "open|filtered". It maps out firewall rulesets to determine if they are stateful or not, and which ports are filtered.
nmap -sA 192.168.1.0/24
TCP ACK Scan Probes
Nmap interprets responses to TCP ACK scan probes by:
- unfiltered - TCP RST response
- filtered - No response received (even after retransmissions)
- filtered - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)
TCP Window Scan
The TCP Window scan is the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when an RST is returned. It does this by examining the TCP Window value of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window.
nmap -sW 192.168.1.0/24
TCP Window Scan Probes
Nmap interprets responses to TCP Window scan probes by:
- open - TCP RST response with non-zero window field
- closed - TCP RST response with zero window field
- filtered - No response received (even after retransmissions)
- filtered - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)
NULL, TCP FIN, and Xmas Scans
The NULL, TCP FIN, and Xmas scans are the same in behavior except for the TCP flags set in the probe packets. These scan types are a little stealthier than even a SYN scan. Most modern IDS products can be configured to detect them. The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Such firewalls try to prevent incoming TCP connections (while allowing outbound ones) by blocking any TCP packets with the SYN bit set and ACK cleared.
Null Scan
The Null scan does not set any bits (TCP flag header is 0).
nmap -sN 192.168.1.0/24
FIN Scan
The FIN scan only sets the TCP FIN bit.
nmap -sF 192.168.1.0/24
Xmas Scan
The Xmas scan sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
nmap -sX 192.168.1.0/24
Nmap NULL, FIN, Xmas Probes
Nmap interprets responses to NULL, FIN, and Xmas scan probes by:
- open|filtered - No response received (even after retransmissions)
- closed - TCP RST packet
- filtered - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)
TCP Maimon Scan
The Maimon scan is named after its discoverer, Uriel Maimon. This technique is the same as NULL, FIN, and Xmas scan, except that the probe is FIN/ACK. According to RFC 793 (TCP), an RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.
nmap -sM 192.168.1.0/24
TCP Maimon Scan Probes
Nmap interprets responses to TCP Maimon scan probes by:
- open|filtered - No response received (even after retransmissions)
- closed - TCP RST packet
- filtered - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)
TCP Idle Scan
The TCP Idle scan is the ultimate stealth scan. It takes far longer than most other scan types. A 15 second SYN scan could take 15+ minutes as a TCP Idle scan. Targets will be scanned without sending packets from the attacking IP address. A side-channel attack bounces the scan off of a dumb "zombie host".
nmap -sI <zombie host>[:<probeport>] 192.168.1.0/24
Finding An Idle Scan Zombie Host
The first step in a TCP Idle scan is to find a zombie host. The zombie host needs to assign IP ID values incrementally on a global basis instead of a per-host basis. There are many suitable zombie hosts on the Internet but using one is illegal without permission.
Technique 1: Perform a port scan and OS identification (-O) on the zombie candidate network rather than just a ping scan to help in selecting a good zombie host. As long as verbose mode (-v) is enabled, OS detection will usually determine the IP ID Sequence Generation type of "Incremental" or "Broken little-endian incremental".
nmap -O -v 192.168.1.0/24
Technique 2: Run the ipidseq NSE script against the zombie candidate network.
nmap --script ipidseq --script-args probeport=80 192.168.1.0/24
IP Protocol Scan
The IP Protocol scan determines which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the "-p" option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.
nmap -sO 192.168.1.0/24
IP Protocol Scan Probes
Nmap interprets responses to IP Protocol scan probes by:
- open - Any response in any protocol from target host
- closed - ICMP protocol unreachable error (type 3, code 2)
- filtered - ICMP unreachable error (type 3, code 1, 3, 9, 10, or 13)
- open|filtered - No response received (even after retransmissions)
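The probe tables above for the UDP, ACK, Window, NULL/FIN/Xmas, Maimon, and IP protocol scans all follow the same pattern: the reply kind (nothing, ICMP type 3 with a given code, a TCP RST, or a payload) decides the state, and only the defaults differ per scan type. This added example (not Nmap's code) folds those tables into one decision function over constructed reply records, so you can check how a given reply would be reported under each scan type.

```python
"""Map a probe reply to the port state Nmap reports, per scan type.

Added example, not from the page or from Nmap. A reply is a constructed dict
(None = no reply after retransmissions); the rules are those in the tables above.
"""
ICMP_DEST_UNREACH = 3
FILTERED_CODES = {1, 2, 3, 9, 10, 13}   # type 3 codes the tables list as "filtered"
SCANS = {"udp", "ack", "window", "null", "fin", "xmas", "maimon", "proto"}

def port_state(scan, reply):
    """Return the state Nmap reports for `reply` under scan type `scan`."""
    if scan not in SCANS:
        raise ValueError(f"unknown scan type {scan!r}")
    # ACK and Window scans report silence as filtered; the others as open|filtered
    no_reply = "filtered" if scan in ("ack", "window") else "open|filtered"
    if reply is None:
        return no_reply
    if reply["kind"] == "icmp":
        if reply["type"] != ICMP_DEST_UNREACH:
            raise ValueError("only ICMP destination unreachable (type 3) is covered")
        code = reply["code"]
        # one code means "closed" for UDP (port unreachable) and for the protocol
        # scan (protocol unreachable); it is just "filtered" for the TCP scans
        closed_code = {"udp": 3, "proto": 2}.get(scan)
        if code == closed_code:
            return "closed"
        if code in FILTERED_CODES:
            return "filtered"
        raise ValueError(f"ICMP type 3 code {code} is not in the tables")
    if reply["kind"] == "tcp" and reply["flags"] == "RST":
        if scan == "ack":
            return "unfiltered"           # RST only proves the port is reachable
        if scan == "window":
            # the implementation quirk: positive window on RST => open
            return "open" if reply["window"] > 0 else "closed"
        if scan in ("null", "fin", "xmas", "maimon"):
            return "closed"
        raise ValueError(f"a TCP RST is not an expected reply for {scan}")
    # any datagram / protocol payload back from the target
    if scan in ("udp", "proto"):
        return "open"
    raise ValueError(f"reply {reply!r} is not covered for {scan}")

def summarise(scan, replies):
    """Apply port_state() to {port: reply} and group ports by state."""
    grouped = {}
    for port, reply in sorted(replies.items()):
        grouped.setdefault(port_state(scan, reply), []).append(port)
    return grouped

# constructed replies for a UDP scan of three ports
UDP_SAMPLE = {
    53: {"kind": "udp", "payload": b"\x00\x01"},            # DNS answered
    161: None,                                              # silence
    500: {"kind": "icmp", "type": 3, "code": 3},            # port unreachable
}

if __name__ == "__main__":
    print(summarise("udp", UDP_SAMPLE))
```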
TCP FTP Bounce Scan
The TCP FTP bounce scan uses FTP servers to port scan other hosts.
nmap -b ftp.domain.com 192.168.1.0/24
Nmap: Cloaking & Spoofing
Cloak A Scan With Decoys
The Decoy scan cloaks a scan with decoy IP addresses. This still includes your source IP. An IDS may report multiple port scans from unique IP addresses.
nmap -D <decoy1>[,<decoy2>][,ME][,...] 192.168.1.0/24
Spoof The Source IP Address
Spoof the source IP address. You must include "-Pn" and "-e". Angle brackets mark values to replace.
nmap -S <IP_Address> 192.168.1.0/24
nmap -Pn -e [eth0/lo] -S <IP_Address> 192.168.1.0/24
Nmap: Advanced Options
Timing Template
Nmap offers six timing templates to let you specify how aggressively you would like to scan.
- 0 - paranoid
- 1 - sneaky
- 2 - polite
- 3 - normal
- 4 - aggressive
- 5 - insane
nmap -T[0-5] 192.168.1.0/24
Host Timeout
The host timeout sets the maximum time to spend on each host.
nmap --host-timeout 1m 192.168.1.0/24
Fragment Packets
The fragment option uses tiny fragmented IP packets to split the TCP header over several packets. This makes it harder for a packet filter or IDS to detect the activity.
nmap -f 192.168.1.0/24
Verbosity
There are 9 levels of verbosity (-4 to 4).
nmap -v 192.168.1.0/24
nmap -vv 192.168.1.0/24
nmap -vvv 192.168.1.0/24
nmap -v3 192.168.1.0/24
nmap -v-3 192.168.1.0/24
Debugging
There are 7 levels of debugging (0 to 6).
nmap -d 192.168.1.0/24
nmap -dd 192.168.1.0/24
nmap -d2 192.168.1.0/24
nmap -d6 192.168.1.0/24
Runtime Interaction
Increase / decrease the verbosity level.
v / V
Increase / decrease the debugging level.
d / D
Turn on / off packet tracing.
p / P
Print a runtime interaction help screen.
?
Print out a status message.
Any other key
Nmap: Scripting Engine
Nmap Scripting Engine
The Nmap Scripting Engine (NSE) runs simple scripts built in the Lua programming language. These scripts can help automate tasks.
Listing Nmap Scripts
List Nmap scripts.
ls -l /usr/share/nmap/scripts/
List "http-*" scripts (Notice the space in the command " http-").
ls -l /usr/share/nmap/scripts/ | grep " http-"
List "http-*" scripts, excluding "cve"
ls -l /usr/share/nmap/scripts/ | grep " http-" | grep -v cve
Scripting Engine Usage 1
NSE scripts (angle brackets mark values to replace)
--script <filename>|<category>|<directory>|<expression>[,...]
--script=<filename>|<category>|<directory>|<expression>[,...]
Script arguments
--script-args <n1>=<v1>,<n2>={<n3>=<v3>},<n4>={<v4>,<v5>}
Scripting Engine Usage 2
Select a specific script.
nmap --script=http-headers
Select a specific script, specifying port and version detection.
nmap -p80,443 -sV --script=http-headers
Use the '*' wildcard to run all "http-*" scripts.
nmap --script "http-*"
Scripting Engine Categories
- Auth
- Broadcast
- Default
- Discovery
- DoS
- Exploit
- External
- Fuzzer
- Intrusive
- Malware
- Safe
- Version
- Vuln
Scripting Engine Usage 3
Load scripts in the default category or the safe category or both.
nmap --script "default or safe"
nmap --script "default,safe"
Load scripts in both the default and safe categories.
nmap --script "default and safe"
Scripting Engine Usage 4
Load every script except for those in the intrusive category.
nmap --script "not intrusive"
Load scripts in the default or safe categories, except http
nmap --script "(default or safe) and not http-*"
Script Timeout
Set a script timeout.
nmap --script-timeout 5m 192.168.1.0/24
Nmap: Example Commands
Example Nmap Scans
No DNS resolution, fast scan, do not exclude any ports, version detection, OS detection, no external scripts. Angle brackets mark values to replace.
sudo nmap -n -F -r --allports -A -sT -T5 --script "not external" <target>
Add decoy IP addresses and a spoofed IP.
sudo nmap -n -F -r --allports -A -sT -T5 -D <decoy1>[,<decoy2>][,ME] -S <IP_Address> --script "not external" <target>
Scan all ports.
sudo nmap -n -p- -r --allports -sV -O -sT -T5 -D <decoy1>[,<decoy2>][,ME] -S <IP_Address> --script "not external" <target>
Zenmap
Zenmap
Zenmap is the official Nmap Security Scanner GUI. It is multi-platform, free and open source, and easy for beginners to use.
Best Pen Test Companies
Central InfoSec was rated the "best boutique pentesting company" and the "best pentesting firm" by two independent third-party organizations that review many contributing factors.
Professional Security Services Offered by Central InfoSec
Central InfoSec offers a variety of professional security services including:
- Red Teaming
- Attack simulation to test, measure, and improve your detection and response
- Penetration Testing
- Password Audit
- Detection of weak passwords to help you improve your password policies
- C2 & Pivot Testing
- Command and control (C2) communications, pivoting, and data exfiltration testing
Best Boutique Pentesting Company
Central InfoSec was named Best Boutique Pentesting Company in the Global 100 Awards.
Best Pentesting Firm
Central InfoSec was also named Best Pentesting Firm in the Corporate Excellence Awards.
"Central InfoSec helps organizations by discovering network and web application vulnerabilities before the hackers do!"
Central InfoSec is an award-winning cyber security company that offers professional security services including Red Teaming and Penetration testing.
The Central InfoSec team consists of skilled security professionals bringing decades of red teaming, penetration testing, web application, and exploitation experience. Central InfoSec team members have achieved industry leading professional certifications including CRTO, OSCP, OSWP, GXPN, GPEN, GCPN, GWAPT, GMOB, AWS-CSS, PNPT, PenTest+, CEH, CISSP, and more.