NMAP - Network Mapper

Nmap is the most popular (and most featureful) port scanning tool out there. And although it appears like a small port scanning utility, it has a lot of hidden potential to serve as a powerful hacking tool.

This is precisely what we shall try to work out in this article.

In a previous article we saw how to use nmap for basic port scanning and network scanning tasks. Check it out here:

1. Faster network sweep

A common use of nmap is to find online hosts within an ip range. By default nmap takes some time to scan the range depending on the number of hosts it needs to check for.

However hackers would optimise the scanning process to scan the range very fast. Lets take a few examples

$ nmap -n -vv -sn 110.225.4.108/24 -oG - | grep -i 'Up' Host: 110.225.4.3 () Status: Up Host: 110.225.4.20 () Status: Up Host: 110.225.4.24 () Status: Up Host: 110.225.4.32 () Status: Up Host: 110.225.4.39 () Status: Up Host: 110.225.4.41 () Status: Up Host: 110.225.4.46 () Status: Up Host: 110.225.4.50 () Status: Up Host: 110.225.4.55 () Status: Up Host: 110.225.4.58 () Status: Up Host: 110.225.4.64 () Status: Up Host: 110.225.4.70 () Status: Up Host: 110.225.4.71 () Status: Up ...

The output has been truncated to keep it easy to read.

Here is a quick explanation of the options used:

"-n" don't resolve ip address to hostnames "-vv" verbose output "-sn" Ping Scan "-oG" Output in grep-able format

In the above example nmap takes around 6.67 seconds to scan 100 hosts. Now this is a bare example.

The time range can vary on many factors. So if a whole ip range like 117.194.238.1/16 (256x256 hosts) is to be scanned, it would take a lot more time. This needs to be fast. We are going to use the following 3 options to make the scan faster

1. No dns resolution 'n' - This will tell nmap not to perform dns resolution of the ip addresses, making the process faster.

2. Use the 'T' switch - The T option tells nmap what speed to operate at. T1 is slowest and T5 is fastest

3. max-rtt-timeout - This option specifies the maximum time to wait for the response.

Here is an example

$ nmap -n -vv -sn --max-rtt-timeout 500ms -T4 110.225.4.108/24 -oG - | grep -i 'Up' Host: 110.225.4.3 () Status: Up Host: 110.225.4.20 () Status: Up Host: 110.225.4.24 () Status: Up Host: 110.225.4.32 () Status: Up Host: 110.225.4.39 () Status: Up Host: 110.225.4.41 () Status: Up Host: 110.225.4.46 () Status: Up Host: 110.225.4.50 () Status: Up Host: 110.225.4.55 () Status: Up ...

This time nmap scanner 100 ips in 1.97 seconds. Thats good speed. The value of max-rtt-timout can be adjusted to further increase the speed of the scan. Lower its value, faster nmap would end the scan.

2. Cleaner output with grep

By default Nmap shows the report like this. For alive hosts, the information is presented in 2 lines.

$ nmap -n -vv -sn --max-rtt-timeout 500ms -T4 110.225.4.108/24 Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-09 15:12 IST Initiating Ping Scan at 15:12 Scanning 256 hosts [2 ports/host] Completed Ping Scan at 15:12, 2.00s elapsed (256 total hosts) Nmap scan report for 110.225.4.0 [host down, received no-response] Nmap scan report for 110.225.4.1 [host down, received no-response] Nmap scan report for 110.225.4.2 [host down, received net-unreach] Nmap scan report for 110.225.4.3 Host is up, received conn-refused (0.0072s latency). Nmap scan report for 110.225.4.4 [host down, received no-response] ...

The report contains the list of all hosts whether they are up or down. However in most cases the hosts of interest are the online/up ones.

So its a better idea to list out only the up hosts and that too in a cleaner format. This is done using 2 things.

The first is output in grepable format using the option "-oG" and then grepping the output and filtering out the Up hosts. Here is a quick example.

$ nmap -n -vv -sn --max-rtt-timeout 500ms -T4 110.225.4.108/24 -oG - | grep -i 'Up' Host: 110.225.4.3 () Status: Up Host: 110.225.4.20 () Status: Up Host: 110.225.4.24 () Status: Up Host: 110.225.4.32 () Status: Up Host: 110.225.4.39 () Status: Up Host: 110.225.4.41 () Status: Up Host: 110.225.4.46 () Status: Up Host: 110.225.4.50 () Status: Up Host: 110.225.4.55 () Status: Up ...

The above format is much neater. It only lists the 'Up' or online hosts and thats what we need. On windows the find/findstr command can be used in place of grep. Its syntax is very similar.

3. Fast Port scan entire network

With the correct options, Nmap can port scan a range of hosts on a network fast enough. Port scanning also uses the same options as shown above in the network sweep section, along with few more.

Port scanning should always be done using the "-sS" option to ensure tcp syn scanning.

The "-Pn" option can be used along with it to avoid ping detection.

$ sudo nmap -sS -vv -n -p80 -Pn --max-rtt-timeout 500ms 110.225.4.1/24 -T4 -oG - | grep 'open' [sudo] password for enlightened: Host: 110.225.4.108 () Ports: 80/open/tcp//http/// Host: 110.225.4.132 () Ports: 80/open/tcp//http/// Host: 110.225.4.141 () Ports: 80/open/tcp//http/// Host: 110.225.4.172 () Ports: 80/open/tcp//http/// $

The above command scanned for open port 80 on about 256 hosts in about 5 seconds. And it lists out only those hosts which have the port open. This is quick and useful.

4. Discover services - FTP, Mysql etc

The key idea behind port scanning is to discover services that are online or on the network (and those which can be hacked! ). So lets try discovering some online services on random ip ranges.

Find FTP servers

$ sudo nmap -sS -vv -n -PN -p21 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open'

The above call to nmap shall list out all the ip addresses that have port 21 open. Hackers would find out such servers then see which of them are vulnerable. For example you could try such a scan on the ip range of some website. It will scan all possible servers in that range.

Find mysql servers

Why only ftp, there are plenty of other services to look for by matching the port numbers on which they run. Mysql for instance runs on port 3306. So find out mysql servers with a similar call to nmap with just a different value for port 'p' parameter.

$ sudo nmap -sS -vv -n -PN -p3306 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open'

More services

There are plenty of other services to find out like telnet, http, vnc. Lots of servers out there in the public have these services open that can allow hackers to compromise their systems.

So you have to find out such ones and give them a try.

5. Grab daemon banner/welcome message - sV option

Nmap has another option " -sV " that shall fetch the daemon banner or welcome message presented by the service upon connecting.

$ sudo nmap -sS -sV -vv -n -p80 -Pn --max-rtt-timeout 500ms 110.225.4.1/24 -T4 -oG - | grep 'open' Host: 110.225.4.108 () Ports: 80/open/tcp//ssl|http/// Host: 110.225.4.132 () Ports: 80/open/tcp//http//TeamViewer httpd/ Host: 110.225.4.141 () Ports: 80/open/tcp//upnp/// Host: 110.225.4.172 () Ports: 80/open/tcp//tcpwrapped///

In the above output the port number is followed by the protocol, and welcome message received on socket connection.

Run the same command to search for open port 21 (Ftp):

$ sudo nmap -sS -sV -vv -n -p21 -Pn --max-rtt-timeout 500ms 110.225.4.1/24 -T4 -oG - | grep 'open' Host: 110.225.4.141 () Ports: 21/open/tcp//tcpwrapped///

$ sudo nmap -sS -sV -n -Pn -p3306 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open' Host: 192.168.1.10 () Ports: 3306/open/tcp//mysql//MySQL (unauthorized)/ Host: 192.168.1.89 () Ports: 3306/open/tcp//mysql//MySQL (unauthorized)/

The 'MySQL (unauthorized)' string in the output is the message given by mysql on connection.

The most information piece of information in the welcome message is the version number of the service and anything additional.

However here it seems like the welcome message has been modified to not reveal any version information.

6. Find windows machines

Just like we discovered services on remote ip addresses, its possible to find windows xp machines that are directly connected to the internet.

You can for example run a nmap scan over the ip addresses allocated by your isp to its users and find out which ips are windows machines that are online. For this we just need to scan for open samba (445) ports.

$ sudo nmap -n -Pn -p445 --max-rtt-timeout 500ms 117.194.237.1/24 -T4 -oG - | grep 'open' Host: 117.194.237.7 () Ports: 445/open/tcp//microsoft-ds/// Host: 117.194.237.33 () Ports: 445/open/tcp//microsoft-ds/// Host: 117.194.237.39 () Ports: 445/open/tcp//microsoft-ds/// Host: 117.194.237.44 () Ports: 445/open/tcp//microsoft-ds/// ........

You might be surprised to see the number of users online.

Conclusion

The above shown examples are the basics of how to use port scanning and nmap as a powerful tool to study the network around you.

Nmap now also has scripting features which allows to write custom scripts that can be used with nmap to automate and extend the scanning capabilities of nmap to a higher level.

To learn more about various options available on the nmap command run nmap with the "-h" option. It will display help information with details about all supported features and options.

$ nmap -h

On Linux systems you could read the manual pages with

$ man nmap

The manual page is also available online at:

https://linux.die.net/man/1/nmap

For a complete guide check the reference guide on the official website:

https://nmap.org/book/man.html