
Nmap: Scan All the Things (Part One: The App, The Myth, The Legend)

Updated: Jan 8



Introduction


This blog post is part one of five in my Nmap Scan All the Things series, in which I will try to cover Nmap extensively and the potential this network discovery tool has. In this particular post I will provide an overview of Nmap and its capabilities: what Nmap is and when it was developed, the phases an Nmap scan goes through, the prerequisites for using it, and how to install it. If you're interested in cybersecurity, please regularly check back on Cyb3r-S3c and check out my YouTube channel, Cyb3r_0verWatch, where you can watch the related video (https://youtu.be/-DmgUugaB6Q).


What is Nmap?

Nmap is also known as Network Mapper. It's a free and open-source network exploration and security auditing tool. It is designed to help network administrators and security professionals discover hosts and services on a computer network, and create a map of the network. It uses various scanning techniques to gather information about the target network, such as identifying live hosts, open ports, operating systems, and applications running on the hosts. It also has the capability to perform vulnerability scans, identify potential security weaknesses and detect potential threats to the network. Nmap can be run on various operating systems, including Linux, Windows, and macOS. Its versatility and effectiveness have made it one of the most popular network mapping and security tools available today.


The Nmap suite offers a range of tools that can be used in conjunction with the core Nmap scanning engine. These tools include:

  • Zenmap: an advanced GUI and results viewer that makes it easy to navigate and interpret Nmap results.

  • Ncat: a flexible tool for data transfer, redirection, and debugging that can be used to connect to network services or create custom connections.

  • Ndiff: a utility for comparing Nmap scan results to detect changes in the network over time or compare scans from different sources.

  • Nping: a packet generation and response analysis tool that allows for more advanced testing of network hosts and services.

Together, these tools provide network administrators and security professionals with a comprehensive set of capabilities for network mapping, scanning, and analysis. Whether you are performing routine network audits or investigating potential security threats, the Nmap suite can help you identify vulnerabilities and keep your network secure.



This blog post aims to provide a good understanding of Nmap, its capabilities, and how to effectively use its most commonly used commands. By learning how to use Nmap effectively, administrators can better understand and secure their networks against potential threats.



How Nmap Came to Be


Nmap was first released in September 1997 by Gordon Lyon, who goes by the pseudonym Fyodor, in an article in Phrack Magazine (issue 51). He initially wrote it as a basic port scanner to aid in his own security research and exploration.


Over time, Nmap gained popularity among security professionals and researchers because of its features and flexibility. As Nmap's popularity grew, Fyodor continued to work on the project and release regular updates, adding new features (host discovery, OS and version detection, and later the scripting engine) and improving the tool's performance.





Nmap Prerequisites


Before using Nmap, there are some prerequisites that can help you better understand and effectively use the tool. These prerequisites include:

  • TCP/IP knowledge: While it is not mandatory to have an in-depth understanding of TCP/IP, a basic understanding of the protocol is highly recommended. Nmap's results are inferences drawn from how a host answers (or fails to answer) packets, so knowing what a SYN/ACK, a RST or an ICMP unreachable means is the foundation for interpreting the output during and after a scan.


  • Command-line interface proficiency: Nmap is primarily a command-line tool, so having proficiency with command-line interfaces can greatly enhance your ability to use Nmap effectively. Being able to navigate the command-line, execute commands, and understand command syntax will be highly beneficial.

Nmap.org has a good TCP/IP reference page that goes into some basics. I highly recommend you review that.



Nmap Scan Phases


Nmap is a powerful tool for network exploration and security auditing, and it works through a fixed sequence of phases each time it runs. Let's look at the phases of an Nmap scan, what happens in each, and which option turns each one on or off.


1. Script Pre-Scanning: First, if scripting was requested with options such as --script or -sC, Nmap runs the script pre-scan. The Nmap Scripting Engine (NSE) is a collection of specialised scripts that gather more detailed information about remote hosts. In this phase only the scripts that ask for it run, such as dhcp-discover and broadcast-dns-service-discovery; they execute once per Nmap invocation rather than once per target, and typically use broadcast queries to find common network services before any individual host has been touched.


2. Target Enumeration: Next, Nmap parses the host specifications supplied by the user, which may be any mix of IP addresses, DNS names, CIDR ranges, octet ranges and so on (you can even let Nmap pick random targets with -iR). From these it builds the list of IPv4 or IPv6 addresses to scan, and the remaining phases work from that list. Supplying bare IP addresses keeps this phase simple because no forward DNS resolution is needed.


3. Host Discovery: Host discovery, also known as ping scanning, identifies which targets are actually up and worth probing further, so that time is not wasted port scanning dead addresses. Nmap offers many techniques, from quick ARP requests on the local Ethernet segment to combinations of ICMP, TCP SYN/ACK and UDP probes; when run as root the default is an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, while an unprivileged user gets TCP connect() probes to ports 80 and 443. This phase runs by default at the start of every scan. To skip it and treat every target as online, use -Pn; this matters when hosts drop ICMP and unsolicited TCP, because otherwise they are silently reported as down and never port scanned. To stop after host discovery, use -sn (adding -n also skips the reverse-DNS phase).


4. Reverse DNS Resolution: Once it knows which hosts to scan, Nmap looks up the DNS names of the addresses found to be up. Host names often hint at a machine's role and make reports easier to read than bare addresses. Use -n to skip this phase (faster, and it avoids leaving lookups in the DNS server's logs) or -R to resolve every target, including those that appear to be down.


5. Port Scanning: Nmap sends probes to the target hosts and, from the responses (or their absence), classifies each port into one of six states: open, closed, filtered, unfiltered, open|filtered or closed|filtered. The scan type (for example -sS SYN scan, -sT connect scan, -sU UDP scan) and the port list (-p) control which probes are sent; by default the 1,000 most common TCP ports are scanned. Port scanning runs by default, but -sn skips it while still allowing some of the later phases, such as --traceroute and the subset of NSE scripts (requested with --script) that do not need port results.


6. Version Detection: When version detection is requested with -sV and open ports were found, Nmap can usually work out what is actually listening on them. It sends a series of probes to each open port and matches the responses against the nmap-service-probes database of more than 6,500 known service signatures, which often yields the exact product and version number. This is the most useful input for spotting vulnerable software, since a port number alone says little about what is behind it. The --version-intensity option (0 to 9), together with the --version-light and --version-all shortcuts, trades thoroughness for speed and noise, and -p limits which ports are examined.


7. OS Detection: OS detection identifies the operating system running on a remote host, which narrows down which vulnerabilities and techniques apply. When requested with -O, Nmap sends a series of crafted TCP, UDP and ICMP probes and compares the responses (TCP initial sequence number patterns, window sizes, option ordering, IP ID behaviour and similar quirks of the network stack) against the nmap-os-db database of over a thousand known fingerprints, then reports its best match. Results are most reliable when at least one open and one closed TCP port are available, and --osscan-guess prints near matches when no exact match exists.


8. Traceroute: Traceroute is a valuable feature of Nmap that allows you to determine the network routes to many hosts in parallel. By using the --traceroute option, you can enable Nmap's optimized traceroute implementation. This implementation employs the best available probe packets as determined by Nmap's previous discovery phases, which helps to ensure that traceroute results are as accurate as possible. The process often involves another round of reverse-DNS resolution for the intermediate hosts, but this information can be incredibly helpful in troubleshooting network issues and understanding the topology of your network.


9. Script Scanning: Script scanning is one of Nmap's most powerful features. In this phase most NSE scripts run; NSE is built on the Lua programming language plus a standard library designed for network information gathering. Scripts run against each target host and port they apply to and perform tasks such as detecting service vulnerabilities, discovering malware, pulling extra information out of databases and other network services, and advanced version detection. This phase does not run by default: -sC runs the default script set (equivalent to --script=default), --script selects scripts or categories by name, and --script-args passes them parameters. Scripts in categories such as intrusive, exploit and dos interact aggressively with their targets, so read what a script does before pointing it at a production system.


10. Output: Finally, Nmap collects everything it gathered and presents it. By default the results go to the terminal in the normal human-readable format. -oN saves that same format to a file, -oX writes XML (the machine-readable format most tooling consumes), -oG writes the older grepable format, and -oA basename writes all three at once. Redirecting stdout with ">" also works, but the -o* options are the better habit: an XML file can be compared with Ndiff, imported into other tools, or converted to JSON with an external tool, since Nmap has no native JSON output.
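As an added example of what the output phase produces and how the earlier phases show up in it (this is not code from the original post or from the Nmap project), the shell functions below parse grepable (-oG) output. The scan is assumed to have been run as nmap -sV -O -oG scan.gnmap 192.0.2.0/29, so host discovery, port scanning, version detection and OS detection all contribute fields; the sample lines are constructed for illustration, not captured from a real scan.

```shell
#!/bin/sh
# Added example, not from the original post or the Nmap project: parse the
# grepable (-oG) output written by Nmap's output phase, using only sh and awk.
# Assumed scan: nmap -sV -O -oG scan.gnmap 192.0.2.0/29

# Constructed sample output (not a real scan). Fields are tab-separated and
# each port entry is "port/state/proto/owner/service/rpcinfo/version/".
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated Mon Jan  8 10:00:00 2024 as: nmap -sV -O -oG scan.gnmap 192.0.2.0/29\n'
    printf 'Host: 192.0.2.10 (web.example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\tOS: Linux 5.4 - 5.10\n'
    printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
    printf 'Host: 192.0.2.12 ()\tStatus: Down\n'
    printf '# Nmap done at Mon Jan  8 10:02:13 2024 -- 8 IP addresses (2 hosts up) scanned in 133.22 seconds\n'
}

# Hosts that host discovery (phase 3) found up: one IP per line.
gnmap_hosts_up() {
    awk -F'\t' '/^Host: / && $2 == "Status: Up" {
        ip = $1; sub(/^Host: /, "", ip); sub(/ \(.*$/, "", ip)
        print ip
    }'
}

# Open ports from the port scan (phase 5) with the service name and the
# version string that -sV (phase 6) filled in: "<ip> <port>/<proto> <service> [<version>]".
gnmap_open_ports() {
    awk -F'\t' '
        /^Host: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ \(.*$/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, /, /)
                for (j = 1; j <= n; j++) {
                    # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                    split(p[j], f, "/")
                    if (f[2] != "open") continue
                    line = ip " " f[1] "/" f[3] " " f[5]
                    if (f[7] != "") line = line " " f[7]
                    print line
                }
            }
        }'
}

# OS guess from -O (phase 7), where Nmap produced one: "<ip> <OS match>".
gnmap_os() {
    awk -F'\t' '/^Host: / {
        ip = $1; sub(/^Host: /, "", ip); sub(/ \(.*$/, "", ip)
        for (i = 2; i <= NF; i++)
            if ($i ~ /^OS: /) { os = $i; sub(/^OS: /, "", os); print ip " " os }
    }'
}

# Usage:  sample_gnmap | gnmap_open_ports     or     gnmap_open_ports < scan.gnmap
```

Note that the "Ignored State" field is where the other 997 or 998 of the default 1,000 ports went: Nmap collapses the dominant state into a count instead of listing every port. The Nmap reference guide marks -oG as deprecated in favour of XML, so for anything beyond a quick one-liner parse -oX output instead; the field layout above is, however, stable and convenient at the shell.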


How Do I Install Nmap?


This process will be different depending on the OS platform used and in the case of Linux dependent on the distribution as well.


Linux

  • The easiest route is a penetration-testing distribution such as Kali or Parrot OS, which ship with Nmap preinstalled. Usually all you need is "sudo apt update && sudo apt upgrade" from the command line to bring it (and everything else) up to date; "apt update" on its own only refreshes the package index.

  • If Nmap is missing, install it from the distribution repository: "sudo apt-get install nmap" on Debian-based systems. The command differs elsewhere: "dnf install nmap" (Fedora and recent RHEL/Rocky/Alma), "yum install nmap" (older RHEL/CentOS), "zypper install nmap" (SUSE), "pacman -S nmap" (Arch). Be aware that distribution packages can lag several releases behind nmap.org, which matters because the service and OS fingerprint databases are refreshed with each release.

  • If the distribution has no Nmap package at all, you can download a pre-built package from nmap.org or compile from source; both are covered below.

For distributions that don't ship Nmap in their repositories, nmap.org also offers pre-built packages (RPM files for x86_64 Linux) on its download page. Follow the steps below.

Step 1:

Step 2:

Step 3:


Another way is by compiling Nmap binary from source prior to install. This may be needed if your Linux distribution repository does not contain the compiled binary.

Follow these steps:

1. Download the latest version of Nmap from https://nmap.org/download.html in ".tar.bz2" (bzip2 compression) or ".tgz" (gzip compression) format. The download page also links a detached PGP signature for each release file; fetch it too and check the tarball with gpg --verify before unpacking, so that you are not building a tampered archive.

2. Decompress the downloaded file by running the following command:

  • For .tar.bz2: bzip2 -cd nmap-<VERSION>.tar.bz2 | tar xvf -

  • For .tgz: gzip -cd nmap-<VERSION>.tgz | tar xvf -

You can use the simpler command tar xvjf nmap-<VERSION>.tar.bz2, if you have GNU tar installed.

3. Change into the directory that the archive created: cd nmap-<VERSION>

4. Configure the Nmap build by running: ./configure

5. Build Nmap by running: make

6. Become root (or prefix the next command with sudo) so that the files can be written to the system-wide install location.

7. Install Nmap, its support files, documentation, etc. by running: make install

Nmap is now installed as /usr/local/bin/nmap. You can run it with no arguments for a quick help screen.
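The two helpers below, added here as an example rather than taken from the post or from the Nmap project, tie the Linux steps together: the first reads an os-release file to pick the right package-manager command (apt, dnf, zypper or pacman), the second fetches a release tarball, verifies its signature and runs the configure, make and make install sequence described above. The URL layout under https://nmap.org/dist/ and the sigs/ directory for the detached signatures are assumptions based on the Nmap download page, and the Nmap project's signing key must already be in your GPG keyring for the check to pass.

```shell
#!/bin/sh
# Added example, not the post's or the Nmap project's code: helpers for
# installing Nmap on Linux, either from the distribution repository or from
# a verified source tarball.

# Print the install command for the distribution described by an os-release
# file ($1, default /etc/os-release). Returns 1 when no package manager is known.
nmap_install_cmd() {
    f=${1:-/etc/os-release}
    # ID= names the distribution itself, ID_LIKE= the families it derives from
    # (Kali and Parrot both carry ID_LIKE=debian, Rocky carries "rhel centos fedora").
    ids=$(sed -n 's/^ID=//p; s/^ID_LIKE=//p' "$f" | tr -d '"')
    for id in $ids; do
        case $id in
            debian|ubuntu|kali|parrot)
                echo 'sudo apt-get update && sudo apt-get install -y nmap'; return 0 ;;
            fedora|rhel|centos|rocky|almalinux)
                # older RHEL/CentOS releases use "yum" with the same arguments
                echo 'sudo dnf install -y nmap'; return 0 ;;
            suse|sles|opensuse*)
                echo 'sudo zypper install -y nmap'; return 0 ;;
            arch)
                echo 'sudo pacman -S --noconfirm nmap'; return 0 ;;
        esac
    done
    echo 'no known package manager: build from source with nmap_build_from_source' >&2
    return 1
}

# Download, verify and build a release tarball, following the steps above.
# $1: release version, e.g. 7.94 (assumed to exist under https://nmap.org/dist/).
# Assumption: the detached signature lives at https://nmap.org/dist/sigs/<file>.asc
# and the Nmap project's signing key has already been imported into gpg.
nmap_build_from_source() {
    ver=$1
    tarball="nmap-${ver}.tar.bz2"
    curl -fsSLO "https://nmap.org/dist/${tarball}" || return 1
    curl -fsSLO "https://nmap.org/dist/sigs/${tarball}.asc" || return 1
    # Supply-chain check: never configure or build an unverified archive.
    if ! gpg --verify "${tarball}.asc" "$tarball"; then
        echo "signature check failed for $tarball" >&2
        return 1
    fi
    bzip2 -cd "$tarball" | tar xf -          # step 2 (or: tar xjf "$tarball")
    cd "nmap-${ver}" || return 1             # step 3
    ./configure && make || return 1          # steps 4 and 5
    sudo make install                        # steps 6 and 7: /usr/local/bin/nmap
}

# Usage, after sourcing this file:
#   eval "$(nmap_install_cmd)"       # install from the distribution repository
#   nmap_build_from_source 7.94      # or build a specific release from source
```

The package-manager path is the one to prefer on a managed host, since updates then arrive through the normal patch channel; the source build is for distributions without a package or when you need a newer fingerprint database than the repository offers.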


Windows


Step 1: On Windows the graphical installer does the work. Start from the Nmap download page, https://nmap.org/download.html, as for Linux.

Step 2: Click "Downloads"

Step 3: Click on "Windows"

Step 4: Click on the Windows self-installer (nmap-<VERSION>-setup.exe) and run it. The installer also offers to install Npcap, the packet capture driver Nmap needs on Windows for raw-packet features such as SYN scans and OS detection; accept it unless a compatible Npcap is already present, otherwise those scan types will not work.



Conclusion


Thank you for reading part one of Nmap: Scan All the Things! I hope you found this informative and useful in building a foundation of knowledge about this powerful tool. In the near future, I plan to write more detailed posts in the Nmap series about Nmap's scan phases, flags, and various scanning techniques that can be used to explore a network.


If you are interested in cybersecurity and cybersecurity news and trends, be sure to visit Cyb3r-S3c frequently and check out my YouTube channel, Cyb3r-0verwatch. All of the information presented in my post is based on my own research and my 22 years of IT/Cybersecurity experience, so please use it in a way that is most helpful to you. If you have any questions, please feel free to reach out to me using the Cyb3r-S3c Contact Form. Thank you again for visiting Cyb3r-S3c, keep learning - the only way to improve is to keep acquiring knowledge!


/Signing Off

Pragmat1c_0n3


