Nmap for Vulnerability Discovery

Nmap is short for Network Mapper. It is an open-source security tool for network exploration, security scanning and auditing.

The purpose of this post is to introduce the nmap command line tool and show how to scan a host and/or network in order to find the potentially vulnerable points on those hosts.

Nmap is a very powerful utility that can be used to:

  • Identify the open ports on a host (port discovery or enumeration)
  • Detect the live hosts on a network (host discovery)
  • Detect the software and version listening on each port (service discovery)
  • Evade firewalls/IDS and spoof scan traffic (firewall/IDS evasion and spoofing)
  • Identify the operating system, hardware address and software version
  • Detect vulnerabilities and security holes (Nmap scripts)

Usage:

nmap [Scan Type(s)] [Options] {target specification}

Overview of Basic Scanning Options:

This section covers the basics of network scanning with Nmap.

https://secur1tyadvisory.files.wordpress.com/2015/08/1-nmap-sachin_wagh2.png?w=700

Figure: Nmap Basic Scanning Option

https://secur1tyadvisory.files.wordpress.com/2015/08/2-nmap-sachin_wagh.png?w=462&h=285

Figure: Nmap Aggressive Scan

The aggressive scan selects some of the most commonly used options within Nmap. The -A parameter is a synonym for several advanced options (such as -O, -sC and --traceroute) which can also be enabled individually.

Nmap Scan Types:

The two most commonly used basic scan types in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open or stealth scanning) [-sS]. For more detail please visit http://nmap.org/book/man-port-scanning-techniques.html

https://secur1tyadvisory.files.wordpress.com/2015/08/3-nmap-sachin_wagh.png?w=700

Figure: Nmap Scan Types

TCP SYN Scan:

The TCP SYN scan is the default option. It attempts to identify the 1000 most commonly used TCP ports by sending a SYN packet to each port on the target and listening for the response. This type of scan is said to be stealthy because it never opens a full-fledged connection to the remote host, which prevents many systems from logging a connection attempt from your scan.

TCP Connect Scan:

TCP connect() port scanning is the simplest type of probe to launch. There is no stealth whatsoever involved in this form of scanning: it uses the same three-way TCP handshake that every other TCP-based application on the network uses, so each probed port sees a normal connection.
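From the defender's side, the difference between the two scan types shows up in connection logs: a SYN scan leaves bare SYNs and never completes a handshake, while a connect() scan completes the handshake on every open port it finds. The Python script below is an added example (not code from the original post or from the Nmap project) that applies that distinction to a constructed, simplified firewall-log excerpt; the log format, the hosts and the min_ports threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of client-to-server TCP events in a simplified firewall /
# flow-log style (timestamp source destination dst_port tcp_flags). These lines
# are made up for this example; they are not real Nmap or firewall output.
# 10.0.0.5 behaves like a half-open (SYN) scan: SYNs to many ports, never an ACK.
# 10.0.0.9 behaves like a connect() scan: SYNs to many ports, ACKs on the open ones.
# 10.0.0.7 is a normal client finishing one handshake on a single port.
SAMPLE_LOG = """\
2015-08-01T10:00:01 10.0.0.5 10.0.0.20 22 S
2015-08-01T10:00:01 10.0.0.5 10.0.0.20 80 S
2015-08-01T10:00:01 10.0.0.5 10.0.0.20 443 S
2015-08-01T10:00:01 10.0.0.5 10.0.0.20 3306 S
2015-08-01T10:00:02 10.0.0.5 10.0.0.20 8080 S
2015-08-01T10:00:02 10.0.0.5 10.0.0.20 21 S
2015-08-01T10:00:05 10.0.0.7 10.0.0.20 443 S
2015-08-01T10:00:05 10.0.0.7 10.0.0.20 443 A
2015-08-01T10:00:05 10.0.0.7 10.0.0.20 443 PA
2015-08-01T10:00:09 10.0.0.9 10.0.0.20 22 S
2015-08-01T10:00:09 10.0.0.9 10.0.0.20 22 A
2015-08-01T10:00:09 10.0.0.9 10.0.0.20 80 S
2015-08-01T10:00:09 10.0.0.9 10.0.0.20 80 A
2015-08-01T10:00:10 10.0.0.9 10.0.0.20 443 S
2015-08-01T10:00:10 10.0.0.9 10.0.0.20 3306 S
2015-08-01T10:00:10 10.0.0.9 10.0.0.20 8080 S
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+([SAPFRU]+)$")


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port, flags) tuples."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, src, dst, port, flags = match.groups()
            records.append((ts, src, dst, int(port), flags))
    return records


def find_port_scans(records, min_ports=5):
    """Flag (src, dst) pairs whose source sent bare SYNs to at least min_ports
    distinct ports. A pair where none of those ports ever saw a client ACK is
    reported as a half-open (SYN) scan; one where some did is reported as a
    full-connect scan (closed ports answer with a RST, so only the open ones
    complete the handshake)."""
    syn_ports = defaultdict(set)  # (src, dst) -> ports that received a bare SYN
    ack_ports = defaultdict(set)  # (src, dst) -> ports where the client later sent an ACK
    for _ts, src, dst, port, flags in records:
        key = (src, dst)
        if flags == "S":
            syn_ports[key].add(port)
        elif "A" in flags:
            ack_ports[key].add(port)

    findings = {}
    for key, ports in syn_ports.items():
        if len(ports) < min_ports:
            continue
        completed = ports & ack_ports[key]
        kind = "half-open (SYN) scan" if not completed else "full-connect scan"
        findings[key] = (kind, sorted(ports))
    return findings


if __name__ == "__main__":
    for (src, dst), (kind, ports) in find_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {kind} across {len(ports)} ports {ports}")
```

On real flow or firewall data the threshold and the time window matter: a scan of the default 1000 ports produces far more distinct destination ports per source than any legitimate client, which is why the bare-SYN count per (source, destination) pair is the signal to alert on even when the target host itself never logs the half-open attempts.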

Version Detection:

https://secur1tyadvisory.files.wordpress.com/2015/08/4-nmap-sachin_wagh.png?w=700

Figure: Version Detection

The -sV option attempts to identify the vendor and software version behind any open port it detects. An interesting, relatively new feature in Nmap is this ability to obtain version information for various TCP and UDP services on the target machines; it is done in conjunction with whatever other scans you choose to run.

Overview of Port Scanning Options:

Sometimes you need to scan outside the default range of ports to look for uncommon services or ports. This section covers the options that allow this and other port-specific features.

https://secur1tyadvisory.files.wordpress.com/2015/08/5-nmap-sachin_wagh.png?w=700

Figure: Port Scanning Options
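The -p option takes a compact port specification: single ports, comma-separated lists, ranges with either end omitted ("1-1024", "-100", "1-"), a lone "-" for all ports, and T:/U: prefixes that apply to the following items. The Python function below is an added example (not code from the original post or from the Nmap project) that expands such a specification into the TCP and UDP port sets it covers, which is useful when reviewing what an authorized scan job will actually touch. It is an assumption of the example that only this numeric subset of the syntax is handled; service names and bracketed lists are not.

```python
MAX_PORT = 65535


def _expand_item(item):
    """Expand one comma-separated item of an Nmap -p specification to a range.
    Accepts 'N', 'A-B', 'A-' (A..65535), '-B' (1..B) and '-' (1..65535)."""
    if item == "-":
        return range(1, MAX_PORT + 1)
    if "-" in item:
        lo_str, hi_str = item.split("-", 1)
        lo = int(lo_str) if lo_str else 1
        hi = int(hi_str) if hi_str else MAX_PORT
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range out of bounds: {item!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec):
    """Return {"tcp": set_of_ports, "udp": set_of_ports} for an Nmap-style
    -p specification. Items before any T:/U: prefix apply to both protocols;
    a prefix applies to every following item until the next prefix.
    Service names (e.g. 'http') and '[...]' lists are not supported here."""
    ports = {"tcp": set(), "udp": set()}
    current = ("tcp", "udp")
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty item in port specification")
        if item[:2].upper() in ("T:", "U:"):
            current = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:].strip()
            if not item:
                raise ValueError(f"protocol prefix without ports: {raw!r}")
        expanded = _expand_item(item)
        for proto in current:
            ports[proto].update(expanded)
    return ports


def summarize(spec):
    """Human-readable count of what a specification covers per protocol."""
    parsed = parse_port_spec(spec)
    return {proto: len(p) for proto, p in parsed.items()}


if __name__ == "__main__":
    for example in ("22,80,443", "1-1024", "-", "U:53,111,T:21-25,80"):
        print(f"{example!r:>24} -> {summarize(example)}")
```

Note that a specification without any prefix covers both protocols, but Nmap only sends probes for the protocols selected by the scan type (TCP for -sS or -sT, UDP for -sU), so the UDP set is relevant only when a UDP scan is requested.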

Overview of Version Detection Options:

The process of identifying a target’s operating system and software versions is known as fingerprinting. This section covers the options that enable operating system detection and service version detection.

https://secur1tyadvisory.files.wordpress.com/2015/08/6-nmap-sachin_wagh.png?w=700

Figure: Version Detection Options

Overview of Timing Options:

There are six timing templates (numbered 0-5) that can be used to speed up scanning (for faster results) or to slow it down (to evade firewalls). The figure below describes each timing template.

https://secur1tyadvisory.files.wordpress.com/2015/08/7-nmap-sachin_wagh.png?w=700

Figure: Timing Options

Overview of Output Options:

Nmap offers several options for creating formatted output. In addition to displaying the standard output on the screen, Nmap can save scan results to a normal text file, an XML file, or a single-line grepable file.

https://secur1tyadvisory.files.wordpress.com/2015/08/8-nmap-sachin_wagh.png?w=700

Figure: Output Options
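The XML output is the format to keep when scans are meant to be processed later, because it is the one that preserves every field (state, reason, service, product, version) in a machine-readable way. The Python script below is an added example (not code from the original post or from the Nmap project) that parses two documents written in the shape of Nmap's XML output and reports what changed between a baseline scan and a later one: newly open ports, ports that closed, and services whose detected version changed. The two XML documents are hand-written for the example and the host, products and versions in them are made up.

```python
import xml.etree.ElementTree as ET

# Two constructed documents in the shape of Nmap's XML (-oX) output. They are
# hand-written for this example, not captured from a real scan; the host,
# products and versions are made up.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 10.0.0.20">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.10"/></port>
      <port protocol="tcp" portid="3306"><state state="closed" reason="reset"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 10.0.0.20">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.12"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.5"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Map (address, protocol, port) -> {state, service, product, version}
    for every port entry of every host the scan reported as up."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address element exists
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            key = (addr, port.get("protocol"), int(port.get("portid")))
            results[key] = {
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            }
    return results


def open_ports(results):
    """Keep only the entries Nmap reported as open."""
    return {k: v for k, v in results.items() if v["state"] == "open"}


def diff_scans(baseline_xml, current_xml):
    """Compare two scans of the same targets and report what changed."""
    base = open_ports(parse_nmap_xml(baseline_xml))
    cur = open_ports(parse_nmap_xml(current_xml))
    common = set(base) & set(cur)
    return {
        "newly_open": sorted(set(cur) - set(base)),
        "newly_closed": sorted(set(base) - set(cur)),
        "version_changed": sorted(k for k in common if base[k] != cur[k]),
    }


if __name__ == "__main__":
    for change, keys in diff_scans(BASELINE_XML, CURRENT_XML).items():
        print(f"{change}: {keys}")
```

Running the same comparison on a real pair of -oX files (ET.parse on the paths instead of ET.fromstring) turns periodic scans of your own hosts into a change report, which is the part of the vulnerability-discovery workflow that the screen output alone does not give you.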

Conclusion:

In this article, we discussed the various Nmap scan types in detail and the practical use of these commands to scan devices and networks. There are many other things you can do with Nmap, and we will discuss them in future articles.