NMAP Cheat Sheet: How to Perform Network Reconnaissance

Understanding the networking landscape of a target system is a critical first step for attackers seeking to develop effective attack strategies. This process involves gaining insights into the system’s structure, available services, and potential vulnerabilities. To accomplish this, NMAP can be used in three steps: Target Discovery, Target Classification, and lastly Service/Version Detection.

Target Discovery: In this step, Nmap identifies hosts (computers, servers, devices) that are active and accessible on a network. It does this by sending packets to different IP addresses and analyzing the responses. The purpose is to determine which hosts are live and can be further investigated.

Target Classification: Once Nmap discovers active hosts, we can attempt to classify them based on the operating system they are running. This process is called OS fingerprinting, and Nmap does it by analyzing network responses to determine the specific OS or OS family (Windows, Linux, macOS) running on the target systems.

Service/Version Detection: The last step in Nmap’s reconnaissance process involves port scanning to identify open ports on active hosts and then attempting to detect specific services and their versions running on those ports. Nmap sends targeted probes to known ports associated with common services, such as HTTP on port 80 or SSH on port 22, and carefully analyzes the responses received to accurately identify the service and version number.

Port scanning is a technique used to create a “map” of the target, revealing which ports are open and accessible. Ports are entry points for network connections; each computer has 1024 well-known ports (numbers 0 to 1023) reserved for common services and protocols. In addition, the operating system assigns other ports, known as ephemeral ports, on demand to send and receive information over outbound connections.

Diligent attackers rely on comprehensive scanning rather than chance, as knowing which ports are open provides critical information about the potential attack surface. For this purpose, one of the industry-standard port scanning tools is NMAP. NMAP stands out due to its speed, reliability, and a powerful scripting engine that enables it to perform various tasks beyond port scanning.

Once the port scan is completed and the information about open ports is obtained, NMAP allows attackers to delve deeper by identifying the services running on these open ports. Understanding the services running can provide valuable insights into potential vulnerabilities, misconfigurations, or outdated software that could be exploited.

Finding Hosts with Ping Sweep

A network ping sweep (ping scan), also known as an ICMP sweep, is commonly used as the first step in network reconnaissance to identify active hosts within a target network. Scanning every port on every possible IP address in a network is slow and inefficient, so a ping sweep is performed first to narrow the list of candidate hosts. The standard sweep sends ICMP echo requests (pings) to a range of IP addresses and analyzes the responses to determine which hosts are reachable and responsive, producing a map of the live hosts on the network. NMAP lets you tailor host discovery to the situation through various options and configurations.

To perform a ping sweep of the 172.16.x.x network (netmask 255.255.0.0, i.e. a /16) with Nmap, use the following command:

nmap -sn 172.16.0.0/16

The -sn option tells Nmap to skip the port scan after host discovery and only print the hosts that responded to the discovery probes. On a local Ethernet segment Nmap discovers hosts with ARP requests rather than ICMP, so hosts that filter ping still show up. If you are running a VM and your ping sweep is showing all hosts as active, you may need to change your network setting from NAT to bridged. Here is a ping sweep of my local network.

Once the active hosts are identified through the ping sweep, the next step is OS fingerprinting, followed by a port scan.

Identify Target Operating System

For network attackers, discovering the target operating system is crucial for executing effective and tailored attacks. Knowing the OS allows them to exploit specific vulnerabilities and weaknesses unique to that system.

The Nmap “-O” flag enables OS detection: Nmap attempts to identify the operating system running on the target device by analyzing its responses to a series of network probes. Like the SYN scan, OS detection needs raw packet privileges, so run it as root (or with sudo). Here we can see that NMAP was not able to identify the OS of the host at 192.168.0.1, but we can run another scan to get more information about this host.

Let’s try a version detection scan (-sV).

We received a response from port 5000 containing the term “x86_64”, which suggests that the system is running on a 64-bit x86 processor architecture, and “Linux GNU”, which indicates a Linux-based operating system using the GNU software. Now that we have an idea of the host OS, let’s take a look at the main port scanning types.

-sS TCP SYN (Stealth) Scan

TCP SYN (Stealth) Scan (-sS) is the default and most popular port scanning option whenever Nmap runs with raw packet privileges. It is unobtrusive and fast because it never completes the TCP connection, and it offers clear, reliable differentiation between open, closed and filtered ports.

When Nmap sends a SYN packet to a target’s port, an open port responds with a SYN/ACK packet. Nmap intentionally terminates this connection by responding with an RST packet instead of the standard ACK packet, leaving the handshake incomplete. This is why the SYN scan is sometimes referred to as the “Half Open” scan.

For closed ports, the server answers Nmap’s SYN packet with an RST, indicating that the port is closed and refuses connections. If Nmap receives an ICMP unreachable error, or no response at all, to its SYN request, it marks the port as filtered, signifying a firewall or other filtering mechanism in the path.

-sT TCP Connect Scan

TCP Connect Scan establishes a full connection with each open port instead of using the half-open reset method of the SYN scan. It is the fallback when the user lacks raw packet privileges or when scanning IPv6 networks, but it demands more time and resources. Connect scan uses the operating system’s connect() call, the same one web browsers use, which gives Nmap less control over this high-level call than it has over raw packets.

As a consequence, this method takes longer and requires more packets to gather the same information, and because the handshake completes, the target’s applications are far more likely to log the connection attempts. The exact behavior against an open port depends on the platform; see the diagram on the NMAP.org website of a typical connection to an open port.
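The logging point cuts both ways: the same half-open and refused connections that make a SYN scan cheap for the scanner are a clear signal for the defender, because one source touching many distinct ports on one host in a few seconds is not how normal clients behave. The following Python script is an added example (not part of the original post, and not an Nmap or Zeek component) of that detection logic: it reads Zeek-style conn.log lines, keeps a sliding time window of destination ports per (source, destination) pair, and raises an alert once a threshold of distinct ports is crossed, reporting what share of those connections never completed a handshake. The log excerpt embedded in the script is constructed for the example, and the set of Zeek connection states treated as "no handshake" is a heuristic chosen here, not a Zeek rule.

```python
from collections import defaultdict, deque

# Constructed, Zeek-style conn.log excerpt (tab separated; not a real capture).
# Fields: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
# conn_state S0 = SYN sent, no reply; REJ = SYN answered by RST; SF = full handshake.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.05\t10.0.0.7\t51000\t10.0.0.20\t443\ttcp\tSF
1700000000.10\t10.0.0.5\t40001\t10.0.0.20\t21\ttcp\tREJ
1700000000.11\t10.0.0.5\t40002\t10.0.0.20\t22\ttcp\tS0
1700000000.12\t10.0.0.5\t40003\t10.0.0.20\t23\ttcp\tREJ
1700000000.13\t10.0.0.5\t40004\t10.0.0.20\t25\ttcp\tREJ
1700000000.14\t10.0.0.5\t40005\t10.0.0.20\t53\ttcp\tREJ
1700000000.15\t10.0.0.7\t51001\t10.0.0.20\t80\ttcp\tSF
1700000000.16\t10.0.0.5\t40006\t10.0.0.20\t80\ttcp\tS0
1700000000.17\t10.0.0.5\t40007\t10.0.0.20\t110\ttcp\tREJ
1700000000.18\t10.0.0.5\t40008\t10.0.0.20\t135\ttcp\tREJ
1700000000.19\t10.0.0.5\t40009\t10.0.0.20\t139\ttcp\tREJ
1700000000.20\t10.0.0.5\t40010\t10.0.0.20\t143\ttcp\tREJ
1700000000.21\t10.0.0.5\t40011\t10.0.0.20\t443\ttcp\tS0
1700000000.22\t10.0.0.5\t40012\t10.0.0.20\t445\ttcp\tREJ
1700000000.30\t10.0.0.7\t51002\t10.0.0.20\t443\ttcp\tSF
"""

# Heuristic (chosen for this example): Zeek states in which the responder
# never completed a handshake with the originator.
NO_HANDSHAKE = {"S0", "REJ", "RSTOS0"}


def parse_conn_log(text):
    """Parse the tab-separated excerpt into event dicts, skipping '#' header lines."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto, state = line.split("\t")
        events.append({"ts": float(ts), "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto, "state": state})
    return events


def detect_port_scans(events, threshold=10, window=5.0):
    """Alert once a (src, dst) pair touches `threshold` distinct destination
    ports within `window` seconds; one alert per pair, sliding window."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport, state)
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["dst"])
        q = recent[key]
        q.append((e["ts"], e["dport"], e["state"]))
        while q and e["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        ports = {p for _, p, _ in q}
        if len(ports) >= threshold and key not in alerted:
            no_hs = sum(1 for _, _, s in q if s in NO_HANDSHAKE)
            alerts.append({"src": e["src"], "dst": e["dst"],
                           "distinct_ports": len(ports),
                           "no_handshake_ratio": no_hs / len(q),
                           "first_ts": q[0][0], "last_ts": e["ts"]})
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"possible port scan: {a['src']} -> {a['dst']}, "
              f"{a['distinct_ports']} ports in {a['last_ts'] - a['first_ts']:.2f}s, "
              f"{a['no_handshake_ratio']:.0%} without a completed handshake")
```

The benign client 10.0.0.7 talks to only two ports and completes every handshake, so it never trips the rule; 10.0.0.5 is flagged at its tenth distinct port. A no-handshake ratio near 100% is what a SYN scan against mostly closed or filtered ports looks like, whereas a connect scan against open ports would show completed handshakes (and would also appear in the applications' own logs).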

-sU UDP Scan

Nmap sends UDP packets to the target ports, and the response determines the port status. If the port is open, the target may reply with a UDP packet, confirming it is open; a closed port usually answers with an ICMP port unreachable error. Many UDP services, however, do not respond to Nmap’s generic probe at all, so the scan reports the port as “open|filtered.” Determining the true status of these ports requires follow-up scans (a version scan, -sV, sends protocol-specific payloads that a silent service may answer) or manual investigation. Because UDP has no acknowledgment mechanism, and many systems rate-limit the ICMP errors Nmap relies on, UDP scanning is slower and less reliable than TCP scanning.

NULL, FIN and Xmas TCP Port Scans

The NULL, FIN, and Xmas scans take a subtler approach by omitting the usual SYN flag from their packets, which lets them slip past stateless firewalls that only block SYN packets to unauthorized ports. Many modern Intrusion Detection Systems (IDS) have caught up with these tricks, making it tougher to stay completely under the radar. Against open ports, NULL, FIN, and Xmas scans have the same outcome as UDP scans: all of them expect no response to the malformed packet, so they can only classify ports as open|filtered, closed, or filtered. Even that distinction can be unreliable, because a firewall dropping the probe looks the same as an open port, and some systems (notably Windows) respond with RST packets to malformed TCP packets regardless of port status, so every port appears closed.
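The SYN, UDP and NULL/FIN/Xmas sections above each describe one decision table: which reply to a probe maps to which reported port state. The following Python script is an added example (not part of the original post, and not Nmap's own code) that writes those tables out as one function, so that a report can be read back to the packet exchange that produced it. It goes a little beyond the text in one place: for the UDP scan it includes the ICMP port unreachable (type 3, code 3) reply that marks a port closed, and it treats the other ICMP unreachable codes Nmap considers as filtered for every scan type. The scan types are keyed by the Nmap flags used in the headings above.

```python
from enum import Enum


class Scan(Enum):
    """Scan types from the text, keyed by their Nmap flag."""
    SYN = "-sS"
    UDP = "-sU"
    NULL = "-sN"
    FIN = "-sF"
    XMAS = "-sX"


# ICMP destination-unreachable codes (type 3) that Nmap reports as "filtered"
# (for a UDP scan, code 3 "port unreachable" means "closed" instead).
FILTERED_UNREACH_CODES = {0, 1, 2, 3, 9, 10, 13}


def classify(scan, response, icmp=None):
    """Return the port state Nmap would report for one probe/reply pair.

    response: "syn-ack", "rst", "udp" (a UDP payload came back), "icmp"
              (an ICMP error; pass icmp=(type, code)), or None for no reply.
    """
    if response == "icmp":
        if icmp is None or icmp[0] != 3 or icmp[1] not in FILTERED_UNREACH_CODES:
            raise ValueError("unhandled ICMP message: %r" % (icmp,))
        if scan is Scan.UDP and icmp[1] == 3:
            return "closed"          # port unreachable: nothing is listening
        return "filtered"            # any other unreachable: a filter is in the path

    if scan is Scan.SYN:
        if response == "syn-ack":
            return "open"            # handshake offered; Nmap answers with RST
        if response == "rst":
            return "closed"
        if response is None:
            return "filtered"        # probe or reply was dropped
    elif scan is Scan.UDP:
        if response == "udp":
            return "open"
        if response is None:
            return "open|filtered"   # silent service or dropped probe: cannot tell
    elif scan in (Scan.NULL, Scan.FIN, Scan.XMAS):
        if response == "rst":
            return "closed"
        if response is None:
            return "open|filtered"   # an open port ignores the malformed packet
    raise ValueError("unexpected %s reply to %s scan" % (response, scan.value))


def state_table():
    """Every valid (flag, response) -> state pair, useful when explaining a
    report or writing detection rules for the replies a host sends back."""
    table = {}
    for scan in Scan:
        for resp in ("syn-ack", "rst", "udp", None):
            try:
                table[(scan.value, resp)] = classify(scan, resp)
            except ValueError:
                pass                 # that reply is not meaningful for this scan
    return table


if __name__ == "__main__":
    for (flag, resp), state in sorted(state_table().items(), key=str):
        print(f"{flag}  reply={resp!s:8} -> {state}")
```

The table makes the trade-off of the stealthier scans concrete: only the SYN scan can ever return a plain "open", because it is the only one that provokes a positive reply from an open port; the others infer "open|filtered" from silence, which a firewall can produce just as easily.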

Custom Scans and Exploits

The Nmap Scripting Engine (NSE) is a powerful automation tool within Nmap that enables the automation of diverse networking tasks. When combined with a port scan, NSE scripts are triggered based on the state of the scanned ports. The -sC flag runs the default set of scripts bundled with Nmap (equivalent to --script=default), while the --script option lets users select specific built-in scripts, script categories, or custom scripts tailored to their needs. With its ability to extend Nmap’s functionality through automation, the NSE significantly enhances the efficiency and versatility of network scanning and analysis.

The “/usr/share/nmap/scripts” directory holds an extensive collection of Nmap scripts that extend the tool’s functionality significantly. These scripts automate tasks such as service identification, vulnerability scanning, and network exploration. To run a specific script, use the format:

--script=<script-name>

You can run multiple scripts simultaneously by separating them with a comma, like this:

--script=smb-enum-users,smb-enum-shares

The extensive scripting library is awesome, I recommend checking out the official docs for more information.

Conclusion

Here are the basics of NMAP! I hope you found this information helpful. In the future, I intend to explore NSE and delve into other aspects of Nmap in more detail through upcoming articles. Nmap is a powerful tool with numerous capabilities for network scanning and security assessments, and there’s so much more to discover.