Introduction to Nmap
Nmap (“Network Mapper”) is a free, open-source tool for network discovery and vulnerability scanning.
It helps network administrators identify the devices on their networks, discover reachable hosts and the services they expose, find open ports, and detect security risks.
Nmap uses raw IP packets to determine which hosts are available on the network, which services they offer, which operating systems they run, and other characteristics such as the packet filters or firewalls in use.
Nmap sends specially crafted packets to the target hosts and analyzes the responses it receives.
The output from Nmap is a list of scanned targets with, for each port, the port number and protocol, the service name, and the port state (open, filtered, closed, or unfiltered):
- Open: an application on the target machine is listening for connections on that port.
- Filtered: a firewall or other packet filter is blocking the probes, so Nmap cannot determine whether the port is open or closed.
- Closed: the port is reachable and answers probes, but no application is currently listening on it; it could be opened at any time.
- Unfiltered: the port is reachable, but Nmap cannot tell whether it is open or closed (this state is reported only by ACK scans).
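As an added example (not part of the original page), the following Python script parses Nmap's grepable output (-oG) into these port states and flags the SMB and SNMP ports that the countermeasures section says to block. The sample output is constructed, not a real scan result.

```python
from collections import Counter, defaultdict

# Constructed sample of Nmap grepable (-oG) output for one host; not a real scan.
# Field separators inside a Host: line are tabs.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sS -sU -p 22,139,445,161 -oG - 172.16.4.51\n"
    "Host: 172.16.4.51 ()\tStatus: Up\n"
    "Host: 172.16.4.51 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, "
    "139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

def parse_gnmap(text):
    """Return {host: [{port, state, proto, service, version}, ...]} from -oG output.

    Each Ports entry is port/state/proto/owner/service/rpc/version/ ; Nmap rewrites
    any '/' inside a field as '|', so splitting an entry on '/' is safe.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = fields.get("Ports")
        if not ports:                      # "Status: Up" lines carry no port data
            continue
        host = fields["Host"].split()[0]   # drop the "(hostname)" part
        for entry in ports.split(", "):
            p = entry.split("/")
            hosts[host].append({"port": int(p[0]), "state": p[1], "proto": p[2],
                                "service": p[4], "version": p[6]})
    return dict(hosts)

def state_summary(parsed):
    """Count port states per host; 'open|filtered' (UDP, no reply) stays ambiguous."""
    return {h: dict(Counter(r["state"] for r in recs)) for h, recs in parsed.items()}

def exposed_ports(parsed, watch=((139, "tcp"), (445, "tcp"), (161, "udp"))):
    """SMB/SNMP ports that are not reported closed, i.e. still reachable from outside."""
    return [(h, r["port"], r["proto"], r["state"])
            for h, recs in parsed.items() for r in recs
            if (r["port"], r["proto"]) in watch and r["state"] != "closed"]

if __name__ == "__main__":
    result = parse_gnmap(SAMPLE_GNMAP)
    print(state_summary(result))
    print(exposed_ports(result))
```

Feed it real output with `nmap -oG scan.gnmap ...` and read the file instead of SAMPLE_GNMAP; a filtered SMB port still counts as exposed because a firewall rule, not a closed service, is what hides it.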
Features of Nmap
Host discovery:
Identifies hosts on a network, for example by listing the hosts that respond to crafted TCP and/or ICMP requests or that have a specific port open.
Port scanning:
Identifies open ports on target hosts.
Version detection:
Identifies the application name and version number by interrogating the network services on remote devices.
OS detection:
Identifies the operating system and hardware characteristics of network devices.
Scanning
- Scanning is an active mode of information gathering.
- It refers to procedures for identifying machines, open ports, and services running on the network.
- The purpose is to find exploitable communication channels by discovering live machines, IP addresses, open ports, and services.
- It also identifies operating systems, system architectures, and the vulnerabilities associated with them.
- With Nmap, scanning proceeds in the following steps:
- Step 1: Find live machines
- Step 2: Discover open ports
- Step 3: Scanning beyond IDS
- Step 4: Identify vulnerabilities
How to open Nmap
Open a terminal in Kali Linux and type nmap.
Download Nmap from nmap.org.
Step 1: Find Live Machines
Introduction: A ping sweep (-sP) finds live machines in a range of IP addresses. It sends ICMP echo requests to multiple machines; for a single ping request, one packet (56 bytes of data plus an 8-byte ICMP header) is sent. It also reports the round-trip time. In current Nmap releases -sP is a deprecated alias for -sn (host discovery only, no port scan).
Command: nmap -sP <target range>
For example: nmap -sP 172.16.4.1-254
Step 2: Discover Open Ports
Introduction: In computer networking, a port is a communication endpoint. For example, Server Message Block (SMB) is a network file-sharing protocol used by Windows machines for file and printer sharing; it operates on TCP ports 139 and 445.
Attackers can exploit vulnerabilities in the SMB protocol if these ports are exposed. Microsoft released a patch for the SMBv1 vulnerability, but many users run pirated copies of the operating system that never receive updates.
Command: nmap -p <port range> <target>
(-v enables verbose output, which displays extended information)
For example: nmap -p 1-65535 -v 172.16.4.51
TCP Connect Scan [-sT]
Introduction: A TCP connect scan detects open ports by completing the full three-way handshake with each port, which is why it is also referred to as a full open scan. Because each connection completes, the target is more likely to log it than a SYN scan.
Command: nmap -sT <target>
For example: nmap -sT 172.16.4.51
SYN Stealth Scan [-sS]
Introduction: This scan is based on the TCP handshake but never completes it, which is why it is also referred to as a half open scan. Nmap sends a SYN packet to each port:
- If the port is open, the target responds with SYN/ACK (Nmap then replies with RST instead of completing the handshake).
- If the port is closed, the target responds with RST.
- If the port is filtered, the SYN packet is simply dropped (or an ICMP unreachable error comes back).
Command: nmap -sS -A -O <target>
(-A enables aggressive scanning, which turns on OS detection, version detection, script scanning, and traceroute; -O enables OS detection alone. -sS needs raw-socket privileges, so run it as root.)
For example: nmap -sS -A -O 172.16.4.51 -p 445
UDP Scan [-sU]
Introduction: This scan probes UDP ports. Nmap sends an empty (0-byte) UDP packet to each port (a protocol-specific payload for some well-known services). If an ICMP port unreachable message comes back, the port is closed; a UDP reply means it is open; no response at all is reported as open|filtered, because a silently dropped probe cannot be distinguished from a service that did not answer.
Command: nmap -sU <target>
For example: nmap -sU 172.16.4.51
Idle Scan [-sI]
Introduction: An idle scan uses a third host (the zombie) whose IP ID counter increments predictably, and repeats three steps for each port:
- Step 1: Probe the zombie’s IP ID and record it.
- Step 2: Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target’s reaction may or may not cause the zombie’s IP ID to be incremented.
- Step 3: Probe the zombie’s IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
Command: nmap -v -Pn -sI <zombie host>[:<probe port>] <target>
(If no port is given for the zombie, Nmap uses port 80 by default.)
For example: nmap -v -Pn -sI 172.16.4.79:81 172.16.4.51
Step 3: Scanning Beyond Firewall
Introduction: Nmap provides timing templates that control how fast probes are sent: -T<0-5>. The templates are Paranoid (-T0), Sneaky (-T1), Polite (-T2), Normal (-T3), Aggressive (-T4), and Insane (-T5). -T0 implies a 5-minute wait between packets, which makes the scan very hard for a firewall or IDS to correlate into a scan. Similarly:
-T1 implies a 4-minute wait between packets.
-T2 implies a 3-minute wait between packets.
-T3 implies a 2-minute wait between packets.
-T4 implies a 1-minute wait between packets.
-T5 implies no wait between packets.
Command: nmap -T[0-5] [target]
For example:
nmap -T5 172.16.4.51
nmap -T4 172.16.4.51
nmap -T3 172.16.4.51
nmap -T2 172.16.4.51
nmap -T1 172.16.4.51
nmap -T0 172.16.4.51
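An added example from the defender’s side (not from the original page): a simple port-scan detector run over constructed firewall log lines. It shows that a 60-second window catches a burst of SYNs but misses the same probes spaced 5 minutes apart, as with -T0, until the window is widened. The log format and the source address 10.0.0.9 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (syslog-like, not real traffic): unanswered SYNs
# from one source to 172.16.4.51, the same 12 ports paced two different ways.
PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
FAST_SCAN = [f"2024-01-20T10:00:{i:02d} DROP SRC=10.0.0.9 DST=172.16.4.51 PROTO=TCP DPT={p} SYN"
             for i, p in enumerate(PORTS)]        # one SYN per second (a burst)
SLOW_SCAN = [f"2024-01-20T10:{5 * i:02d}:00 DROP SRC=10.0.0.9 DST=172.16.4.51 PROTO=TCP DPT={p} SYN"
             for i, p in enumerate(PORTS)]        # one SYN every 5 minutes (-T0 pacing)

LOG_RE = re.compile(r"^(\S+) DROP SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) SYN$")

def parse_line(line):
    """Return (timestamp, src, dst, dport) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, dst, dpt = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dpt)

def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Flag (src, dst) pairs that probe >= min_ports distinct ports within any window.

    A sliding window over each pair's sorted timestamps finds the densest burst;
    the return value maps flagged pairs to the distinct-port count in that burst.
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dpt = rec
            events[(src, dst)].append((ts, dpt))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # shrink window from the left
                start += 1
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        if best >= min_ports:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    print(detect_port_scans(FAST_SCAN))                      # flagged
    print(detect_port_scans(SLOW_SCAN))                      # nothing: 5-min gaps
    print(detect_port_scans(SLOW_SCAN, window_seconds=3600)) # flagged again
```

The slow scan is invisible to a per-minute threshold; a longer window (or a per-source count over the whole day) is what makes -T0 traffic show up again.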
Step 4: Identify Vulnerabilities
Introduction: After finding the open ports and the services running on them, this step identifies the vulnerabilities associated with those services, for example those of the Simple Network Management Protocol (SNMP) and Server Message Block (SMB) protocols.
Simple Network Management Protocol (SNMP) is built into virtually every network device. Network management programs (such as HP OpenView and LANDesk) use SNMP for remote management of network hosts. Unfortunately, SNMP also presents security weaknesses.
If SNMP is compromised, an attacker can collect network information such as ARP tables, usernames, and TCP connections and use it in further attacks; an attacker who sees SNMP in a port scan will typically probe it.
Command: nmap -p 445 --script="smb-vuln*" <target>
(Quote the script pattern so the shell does not expand the asterisk as a filename glob.)
For example: nmap -p 445 --script="smb-vuln*" 172.16.4.51
Command: nmap -sU -p 161 --script=snmp-interfaces <target>
For example: nmap -sU -p 161 --script=snmp-interfaces 172.16.4.51
Countermeasures
The following countermeasures should be applied:
- Disable SNMP and SMB on hosts whenever they are not needed.
- Block the SNMP ports (UDP ports 161 and 162) and SMB ports (TCP ports 139 and 445) at the network perimeter.
- Change the default SNMP read community string (public) and write community string (private) to long, complex values that are practically impossible to guess.
- Technically, a “U” is part of the solution: upgrade. Moving systems (at least the ones you can) to SNMP version 3 and SMB version 2 resolves many of the well-known SNMP and SMB security weaknesses.