9/30/2024

Nmap Basics for Penetration Testing

          ___.-------.___
      _.-' ___.--;--.___ `-._
   .-' _.-'  /  .+.  \  `-._ `-.
 .' .-'      |-|-o-|-|      `-. `.
(_ <O__      \  `+'  /      __O> _)
  `--._``-..__`._|_.'__..-''_.--'
        ``--._________.--''

Nmap, short for Network Mapper, is a free and open-source tool widely used for network discovery and security auditing. Nmap utilizes raw IP packets in innovative ways to gather information about a network. It can identify available hosts, running services (including application name and version), operating systems, firewalls or packet filters in use, and many other details. Designed for rapid scanning of large networks, Nmap also works effectively for single hosts.

Network administrators rely on Nmap for tasks such as creating network inventories, managing service upgrades, and monitoring the uptime of hosts and services, while attackers and penetration testers use it for enumeration, i.e. identifying open ports and the services behind them that may be exploitable.

Nmap is available for most operating systems and comes preinstalled on the Kali Linux distribution. Remember to replace the placeholder IP address in the examples with your target's IP address. You can also practise on scanme.nmap.org, a host the Nmap project provides for exactly this purpose. Let's start off with a basic Nmap scan. We can scan using either an IP address or a host name such as scanme.nmap.org:

nmap 192.168.1.1

We can also scan a list of network/host targets kept in a text file using the following command, where "ip_list.txt" is the path to that file:

nmap -iL ip_list.txt 

When performing a penetration test on a network, we may want to start with a ping sweep, which sends ICMP echo requests to every address in a range and reports which hosts answer. Conducting a ping sweep is a crucial part of identifying the active hosts on a network and lays the groundwork for the rest of the test.

nmap -sn 192.168.0.0/24

Once we have the list of live hosts, we can run port scans against the individual hosts. Note the "/24" CIDR suffix on the IP address: it sets the address range to scan, so Nmap sends an ICMP echo request to every address in the network from 192.168.0.1 to 192.168.0.255.
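The two steps just described (sweep first, then port-scan only the hosts that answered) are easy to chain with Nmap's greppable output format. The script below is an added example, not code from the original post: it reads the "Status: Up" lines that "-oG" writes, turns them into a host list, and passes that list back to Nmap with "-iL". The network, the file names and the sample output are assumptions; the constructed sample lets the parsing step run without a network.

```shell
#!/bin/sh
# Added example, not from the original post: ping-sweep a range, pull the
# live hosts out of Nmap's greppable output (-oG) and feed only those hosts
# back into a port scan with -iL. The network and file names are assumptions.

# Print the addresses of hosts that Nmap reported as "Status: Up".
# -oG writes one "Host: <ip> (<name>)  Status: <state>" line per host.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Constructed sample of what "nmap -sn -oG sweep.gnmap 192.168.0.0/24" writes,
# so the parsing can be exercised without touching a network.
sample_sweep() {
    cat <<'EOF'
# Nmap 7.94 scan initiated Mon Sep 30 10:00:00 2024 as: nmap -sn -oG sweep.gnmap 192.168.0.0/24
Host: 192.168.0.1 (router.lan)    Status: Up
Host: 192.168.0.7 ()    Status: Up
Host: 192.168.0.9 ()    Status: Down
Host: 192.168.0.42 (fileserver.lan)    Status: Up
# Nmap done at Mon Sep 30 10:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 4.91 seconds
EOF
}

# The two-stage workflow itself (needs nmap installed).
sweep_then_scan() {
    net="$1"
    nmap -sn -oG sweep.gnmap "$net" >/dev/null
    live_hosts_from_gnmap sweep.gnmap > live_hosts.txt
    nmap -p 22,80,443 -iL live_hosts.txt
}

# Demonstrate the parsing step on the constructed sample.
sample_sweep > /tmp/sample_sweep.gnmap
live_hosts_from_gnmap /tmp/sample_sweep.gnmap
# To run for real: command -v nmap >/dev/null && sweep_then_scan 192.168.0.0/24
```

Keeping the sweep results in a file is also useful later in an engagement: the greppable output is the record of what was up at the time, and the same host list can be reused for every subsequent scan type.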

Nmap defaults to scanning the 1000 most commonly used ports. Port specification and scan order refer to the process of selecting which ports to scan during network reconnaissance. This is crucial for efficient scanning as it allows you to exclude irrelevant ports and prioritize the scan based on port usage frequency.

We can specify ports using the following command:

nmap -p 22,80,443 192.168.1.1

We can also scan for the operating system. This information helps pinpoint vulnerabilities specific to the operating system, enabling more effective attacks on the target system. We can use "-O" to enable OS detection.

nmap -O 192.168.1.1

What if we want to detect the services being run on open ports on the network? The service/version detection feature in Nmap provides valuable insights into the target system, enabling you to identify vulnerabilities and weaknesses on those ports. This option can be enabled by using "-sV".

nmap -sV 192.168.1.1

With the returned product and version information, we can query a tool such as searchsploit for known exploits affecting these services.
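Version detection produces long banners, and searchsploit matches best on a short "product version" string. The script below is an added example, not code from the original post: it parses the Ports field of "nmap -sV -oG" output into one line per open port and reduces each product banner to a short query term. The file names, the constructed sample output and the term-shortening heuristic (keep words up to the first one containing a digit) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: turn "nmap -sV -oG" output into
# one "host port service product version" line per open port, then reduce
# each product string to a short query term for searchsploit. File names,
# the sample data and the term-shortening heuristic are assumptions.

# List open ports with their detected product/version from a greppable file.
# The Ports field holds "port/state/proto/owner/service/rpc/version/" entries
# separated by ", "; Nmap replaces any "/" inside a field with "|", so
# splitting on "/" is safe.
services_from_gnmap() {
    awk '
    /^Host:/ && /Ports:/ {
        host = $2
        line = $0
        sub(/^.*Ports: /, "", line)
        sub(/[ \t]*Ignored State:.*$/, "", line)
        n = split(line, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open" && f[7] != "")
                print host, f[1] "/" f[3], f[5], f[7]
        }
    }' "$1"
}

# Shorten "OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; ...)" to
# "OpenSSH 6.6.1p1": keep words up to and including the first one that
# carries a digit. Short terms match more searchsploit entries than the
# full banner does.
searchsploit_terms() {
    services_from_gnmap "$1" | awk '{
        term = ""
        for (i = 4; i <= NF; i++) {
            term = term (term == "" ? "" : " ") $i
            if ($i ~ /[0-9]/) break
        }
        print term
    }' | sort -u
}

# Constructed sample of "nmap -sV -oG sv.gnmap 192.168.1.1" output.
sample_sv() {
    cat <<'EOF'
# Nmap 7.94 scan initiated Mon Sep 30 10:10:00 2024 as: nmap -sV -oG sv.gnmap 192.168.1.1
Host: 192.168.1.1 ()    Ports: 22/open/tcp//ssh//OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/, 443/filtered/tcp//https///    Ignored State: closed (997)
# Nmap done at Mon Sep 30 10:10:20 2024 -- 1 IP address (1 host up) scanned in 19.80 seconds
EOF
}

sample_sv > /tmp/sample_sv.gnmap
services_from_gnmap /tmp/sample_sv.gnmap
searchsploit_terms /tmp/sample_sv.gnmap
# On Kali, query each term:
# searchsploit_terms sv.gnmap | while read -r t; do searchsploit "$t"; done
```

Searchsploit hits are candidates, not confirmed findings: the banner may be backported or patched without a version bump, so each match still has to be verified against the actual host.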

One of the most popular scans is the SYN scan. A SYN scan sends a SYN packet to the target port and watches for the response: if the target answers with a SYN/ACK packet, the port is open; if it answers with an RST packet, the port is closed. This half-open technique, which never completes the full TCP three-way handshake, is fast and, most importantly, stealthy, which makes it ideal for mapping large networks.

nmap -sS 192.168.1.1

Being stealthy is an important part of penetration testing. Some firewalls and Intrusion Detection System (IDS) solutions may temporarily block IP addresses that exhibit unusual network activity, such as high traffic volumes or sending packets to multiple hosts in a systematic manner. We can mitigate these risks with options that affect the scan's order and timing.

We can add the "-T" option to select the scan's timing template. By default, Nmap uses the "-T2" timing template, but we can slow the scan down with the "-T1" or "-T0" templates. These slow the scan process but minimize the impact on the network and avoid triggering alerts.

nmap -T1 192.168.0.0/24

You can also slow down an Nmap scan by adding a delay between probes. Use the "--scan-delay" option and specify the desired delay in seconds.

nmap --scan-delay 3s 192.168.0.0/24

Let's change the order in which targets are scanned. Nmap's --randomize-hosts option shuffles the target order, making the scan less predictable and harder for security monitoring to detect.

nmap --randomize-hosts 192.168.0.0/24
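Seen from the monitoring side, the "systematic" activity described above is what a threshold rule counts. The script below is an added example, not code from the original post: it implements one such rule, flagging any source that touches more than N distinct destination:port pairs within a minute, over constructed iptables-style log lines. It shows why the burst from a default-speed scan trips the rule while the same probes spread over several minutes, as the timing options above produce, stay under it. The log format, addresses and threshold are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the defender's side of the
# timing discussion. A simple threshold rule of the kind firewalls and IDS
# sensors apply: flag any source that touches more than N distinct
# destination:port pairs within one minute. The log format, addresses and
# threshold are constructed for this illustration.

# $1 = log file, $2 = threshold (distinct dst:port pairs per 60-second bucket).
# Each log line: "<epoch> SRC=<ip> DST=<ip> DPT=<port>" (iptables-style fields).
detect_scanners() {
    awk -v thr="$2" '
    {
        ts = $1
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        bucket = src ":" int(ts / 60)     # one bucket per source per minute
        pair = dst ":" dpt
        if (!((bucket, pair) in seen)) {  # count each dst:port once per bucket
            seen[bucket, pair] = 1
            count[bucket]++
        }
    }
    END {
        for (b in count)
            if (count[b] >= thr) {
                split(b, p, ":")
                print p[1], count[b]
            }
    }' "$1" | sort
}

# Constructed log: 10.0.0.5 probes eight ports on one host within seconds
# (what a default-speed scan looks like), 10.0.0.9 touches three ports spread
# over several minutes (what -T1 or --scan-delay produce), 10.0.0.7 is an
# ordinary client repeatedly talking to one port.
sample_fw_log() {
    cat <<'EOF'
1727690401 SRC=10.0.0.5 DST=10.0.0.20 DPT=21
1727690401 SRC=10.0.0.5 DST=10.0.0.20 DPT=22
1727690401 SRC=10.0.0.5 DST=10.0.0.20 DPT=23
1727690402 SRC=10.0.0.5 DST=10.0.0.20 DPT=25
1727690402 SRC=10.0.0.5 DST=10.0.0.20 DPT=80
1727690402 SRC=10.0.0.5 DST=10.0.0.20 DPT=443
1727690403 SRC=10.0.0.5 DST=10.0.0.20 DPT=445
1727690403 SRC=10.0.0.5 DST=10.0.0.20 DPT=3389
1727690300 SRC=10.0.0.9 DST=10.0.0.20 DPT=22
1727690500 SRC=10.0.0.9 DST=10.0.0.20 DPT=80
1727690700 SRC=10.0.0.9 DST=10.0.0.20 DPT=443
1727690405 SRC=10.0.0.7 DST=10.0.0.20 DPT=443
1727690406 SRC=10.0.0.7 DST=10.0.0.20 DPT=443
1727690407 SRC=10.0.0.7 DST=10.0.0.20 DPT=443
EOF
}

sample_fw_log > /tmp/sample_fw.log
detect_scanners /tmp/sample_fw.log 5   # prints: 10.0.0.5 8
```

Real sensors refine this with sliding windows, per-destination counts and host-sweep rules (one port across many hosts), which is why slow scans are a trade-off rather than a guarantee: a longer window or a lower threshold catches them, at the cost of more false positives from legitimate clients.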

One of the most powerful features of Nmap is its ability to run scripts. The Nmap Scripting Engine (NSE) runs scripts written in the Lua programming language.

For example, the following command runs the "http-headers" script, which retrieves the HTTP response headers sent by the target web server.

nmap --script http-headers scanme.nmap.org

As a penetration tester, you may want to run the "vulners" script, which automatically lists known vulnerabilities for the detected services by looking them up in a CVE database.

nmap --script vulners 192.168.1.1

There are hundreds of NSE scripts available which you can view here.
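Every installed script is indexed in Nmap's script.db together with its categories, and "--script" accepts a category name (for example "safe" or "vuln") as well as a script name. The script below is an added example, not code from the original post or the Nmap project: it parses that index to list the scripts in a given category. The sample index is a constructed excerpt containing the two scripts mentioned above plus two others; the path /usr/share/nmap/scripts/script.db is where Kali normally keeps the real file.

```shell
#!/bin/sh
# Added example, not from the original post: look up which NSE scripts belong
# to a category by parsing Nmap's script index, script.db. The sample index
# below is constructed; on Kali the real file is usually
# /usr/share/nmap/scripts/script.db.

# $1 = path to script.db, $2 = category name (e.g. safe, vuln, intrusive).
# Each index line looks like:
#   Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
scripts_in_category() {
    awk -v want="$2" '
    /^Entry/ {
        match($0, /filename = "[^"]*"/)
        name = substr($0, RSTART + 12, RLENGTH - 13)   # text between the quotes
        sub(/\.nse$/, "", name)
        cats = $0
        sub(/^.*categories = \{/, "", cats)
        sub(/\}.*$/, "", cats)
        gsub(/[" ]/, "", cats)                         # -> discovery,safe,
        n = split(cats, c, ",")
        for (i = 1; i <= n; i++)
            if (c[i] == want) { print name; break }
    }' "$1"
}

# Constructed excerpt of script.db: the two scripts from the post plus two others.
sample_script_db() {
    cat <<'EOF'
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "vulners.nse", categories = { "vuln", "safe", "external", } }
EOF
}

sample_script_db > /tmp/sample_script.db
scripts_in_category /tmp/sample_script.db vuln       # vulners
scripts_in_category /tmp/sample_script.db discovery  # http-headers, http-title
# Against the installed index, then read a script's documentation before running it:
# scripts_in_category /usr/share/nmap/scripts/script.db safe
# nmap --script-help http-headers
```

The categories matter in practice: "intrusive" scripts can crash or alter services, while "safe" ones are designed not to. Note also that vulners works from the version information "-sV" produces, so it is normally run as "nmap -sV --script vulners <target>"; on its own it has nothing to look up.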
