Nmap
Nmap is a powerful port scanning tool that can be used to discover hosts, identify open ports, and enumerate potential vulnerabilities. As an industry-standard tool, it is important to understand how to use nmap.
Nmap employs various scanning techniques to gather information about a target network. It utilizes different network protocols, such as TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), to communicate with target hosts and determine their status.
A quick refresher on TCP and UDP and how nmap can identify open/closed ports:
TCP
- TCP is a connection-oriented protocol that establishes a reliable and ordered data transfer between devices.
- It follows a three-way handshake process for connection establishment: SYN, SYN-ACK, and ACK.
- To terminate a TCP connection, a four-way handshake occurs: FIN, ACK-FIN, ACK, and FIN-ACK.
- Nmap identifies an open port in TCP by receiving a SYN-ACK response to its SYN packet.
- A closed port is determined when Nmap receives a TCP RST (reset) packet.
UDP
- UDP is a connectionless protocol that provides fast and lightweight data transmission.
- Unlike TCP, UDP does not establish a connection or perform handshakes.
- Nmap identifies an open UDP port by not receiving a response to its UDP probe packet.
- To determine a closed UDP port, Nmap relies on observing an ICMP Port Unreachable message or no response.
Nmap has multiple different scan "types" that it can use. These dictate the packets sent and the information gathered during a scan. The most common scans used to identify open ports are -sT, -sS and -sU:
- TCP Connect Scan (-sT):
  - Initiates a full TCP connection to each targeted port.
- SYN Scan (-sS):
  - Utilizes a SYN scan technique to determine open ports.
- UDP Scan (-sU):
  - Scans for open UDP ports and services.
  - Can be time-consuming as UDP does not provide reliable delivery or acknowledgments.
When running scans of a network or host, it is important to save the output so that evidence can be gathered and further analysis can be conducted. When working with large environments, making sure to have scan results saved is important and will lead to a more efficient approach to identifying hosts of interest.
Saving data is achieved by using -oN <filename>, -oX <filename>, -oG <filename>, or -oA <basename>:
- -oN: This flag saves the scan results in normal (human-readable) format. The results are displayed in the terminal during the scan and also saved to a text file for future reference. The command syntax is: "-oN <filename>".
- -oX: The "-oX" flag saves the scan results in XML format. XML provides a structured and machine-readable output, suitable for automated processing or integration with other tools. The syntax is: "-oX <filename>".
- -oG: This flag saves the scan results in grepable format ("-oG <filename>"). The output is designed to be easily parsed by other tools or scripts using common text processing techniques like grep. It provides a convenient way to extract specific information from the scan results.
- -oA: The "-oA" flag saves the scan results in multiple formats simultaneously. It creates three separate files with the same base name but different extensions (.nmap, .xml and .gnmap). The files include the normal format ("-oN"), XML format ("-oX"), and grepable format ("-oG"). The syntax is: "-oA <basename>".
Analysing output
When looking at the results of an nmap scan, it is important to be able to extract useful information and insights about the environment.
This can be done by focusing on the different types of operating systems, specific ports of interest, or indicators of vulnerabilities.
There are multiple tools that can be used to help extract useful information; one of the most valuable is grep:
The grep command is a powerful tool for pattern matching and searching within files. It can be used to filter Nmap output based on specific criteria, such as open ports, service names, or IP addresses. For example:
- grep "open" nmap_output.txt: Displays only the lines containing "open" ports.
- grep "80/tcp" nmap_output.txt: Shows only the lines related to port 80 (HTTP).
- grep -e open -e report nmap_output.txt: Shows lines containing either of these keywords. This can be helpful when you want to identify which specific hosts have an open port, because the "Nmap scan report for" line names the host and the "open" lines printed after it belong to that host.
- cat nmap_output.txt | grep open
- cat nmap_output.txt | grep -e open -e report
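The grep-based triage above, together with the -oN and -oG output formats described in the saving-output section, as an added shell example that is not part of the original page. It writes two constructed sample files that mimic the normal (lab.nmap) and grepable (lab.gnmap) formats an -oA lab scan would produce, then uses the page's "grep -e open -e report" trick with awk to answer the question the page raises (which hosts have a given port open), and parses the "Ports:" field of the grepable file the other way round (which ports are open on a given host). The sample hosts and ports, the function names and the $WORK directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): triage nmap output with grep/awk.
# Assumptions: the sample scan data below is constructed to mimic nmap's -oN
# (normal) and -oG (grepable) formats; function names and the $WORK directory
# are this example's own choices.
set -eu

WORK="${TMPDIR:-/tmp}/nmap_grep_demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample in normal (-oN) format, as "-oA lab" would write to lab.nmap.
cat > "$WORK/lab.nmap" <<'EOF'
# Nmap scan initiated as: nmap -sS -oA lab 10.0.0.0/29
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for dc01.lab (10.0.0.2)
Host is up (0.0020s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
445/tcp filtered microsoft-ds

Nmap scan report for 10.0.0.3
Host is up (0.0015s latency).
All 1000 scanned ports on 10.0.0.3 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

# Nmap done: 8 IP addresses (3 hosts up) scanned
EOF

# Constructed sample in grepable (-oG) format for the same hosts (lab.gnmap).
# Fields on each line are tab-separated, so printf is used to write real tabs.
{
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.2 (dc01.lab)\tStatus: Up\n'
  printf 'Host: 10.0.0.2 (dc01.lab)\tPorts: 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.3 ()\tStatus: Up\n'
} > "$WORK/lab.gnmap"

# Which hosts have a given port open? Applies "grep -e open -e report" to -oN
# output, then lets awk remember the most recent "scan report" host so that
# every "open" line can be attributed to the host it was printed under.
#   $1 = port spec such as 80/tcp, $2 = path to the -oN file
hosts_with_open_port() {
  grep -e 'open' -e 'Nmap scan report' "$2" |
  awk -v want="$1" '
    /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
    $1 == want && $2 == "open" { print host }
  '
}

# Which ports are open on a given host? Parses the "Ports:" field of -oG
# output, where each entry has the shape port/state/proto//service///.
# Entries in any state other than "open" (e.g. filtered) are skipped.
#   $1 = IP address, $2 = path to the -oG file
open_ports_for_host() {
  awk -F'\t' -v ip="$1" '
    index($1, "Host: " ip " ") == 1 {
      for (i = 2; i <= NF; i++) {
        if (substr($i, 1, 7) != "Ports: ") continue
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          if (f[2] == "open") print f[1] "/" f[3]
        }
      }
    }' "$2"
}

# How many hosts responded? Counts "Status: Up" records in -oG output.
hosts_up_count() {
  awk -F'\t' '$2 == "Status: Up" { n++ } END { print n + 0 }' "$1"
}

echo "Hosts up: $(hosts_up_count "$WORK/lab.gnmap")"
echo "Hosts with 22/tcp open:"
hosts_with_open_port 22/tcp "$WORK/lab.nmap"
echo "Open ports on 10.0.0.2 (445/tcp is filtered, so it is left out):"
open_ports_for_host 10.0.0.2 "$WORK/lab.gnmap"
```

Plain `grep open` on the normal-format file would return the three open-port lines without any host attribution; carrying the "Nmap scan report for" line along and letting awk track it is what turns the match list back into host/port pairs. For larger environments the grepable file is the easier one to script against, since every record already starts with the host.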