Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Paulino Calderon - E-Book

Description

Nmap is one of the most powerful tools for network discovery and security auditing used by millions of IT professionals, from system administrators to cybersecurity specialists. This third edition of the Nmap: Network Exploration and Security Auditing Cookbook introduces Nmap and its family - Ncat, Ncrack, Ndiff, Zenmap, and the Nmap Scripting Engine (NSE) - and guides you through numerous tasks that are relevant to security engineers in today’s technology ecosystems.
The book discusses some of the most common and useful tasks for scanning hosts, networks, applications, mainframes, Unix and Windows environments, and ICS/SCADA systems. Advanced Nmap users can benefit from this book by exploring the hidden functionalities within Nmap and its scripts as well as advanced workflows and configurations to fine-tune their scans. Seasoned users will find new applications and third-party tools that can help them manage scans and even start developing their own NSE scripts. Practical examples featured in a cookbook format make this book perfect for quickly remembering Nmap options, scripts and arguments, and more.
By the end of this Nmap book, you will be able to successfully scan numerous hosts, exploit vulnerable areas, and gather valuable information.

The e-book can be read in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 422

Publication year: 2021




Nmap Network Exploration and Security Auditing Cookbook

Third Edition

Network discovery and security scanning at your fingertips

Paulino Calderon

BIRMINGHAM—MUMBAI

Nmap Network Exploration and Security Auditing Cookbook

Third Edition

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson D'souza

Publishing Product Manager: Rahul Nair

Senior Editor: Arun Nadar

Content Development Editor: Mrudgandha Kulkarni

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Project Coordinator: Ajesh Devavaram

Proofreader: Safis Editing

Indexer: Rekha Nair

Production Designer: Vijay Kamble

First published: November 2012

Second edition: May 2017

Third edition: August 2021

Production reference: 1200721

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-83864-935-7

www.packt.com

Special thanks to Fyodor for mentoring me back in the first GSoC program and to all the dev team, from whom I have learned a lot and who I now have the pleasure of knowing personally. Omar and Yael, for always supporting me and not only being my hermanos but also my brothers. Martha, for helping me be the best version of myself.Nothing but love to all my friends. It is impossible to list all of you, but know that I appreciate all your love and support.

Contributors

About the author

Paulino Calderon (@calderpwn on Twitter) is a published author and international speaker with over 10 years of professional experience in network and application security. He cofounded Websec in 2011, a consulting firm securing applications, networks, and digital assets operating in North America. When he isn't traveling to security conferences or consulting for Fortune 500 companies with Websec, he spends peaceful days enjoying the beach in Cozumel, Mexico. His contributions have reached millions of users through Nmap, Metasploit, OWASP Mobile Security Testing Guide (MSTG), OWASP Juice Shop, and OWASP IoT Goat.

To my father, Dr. Paulino Calderon Medina, who taught me that our only limitations are the ones we set up in our minds, and my mother, Edith Pale Perez, who supported me unconditionally and always believed in me.

About the reviewer

Nikhil Kumar has more than 7 years of experience in cyber security with national and multinational companies. His core expertise and passions are information security, vulnerability assessment, penetration testing on network/infrastructure, and DAST/SAST/IAST on web and mobile applications.

He is an avid blogger and regular speaker on cyber-related topics at many colleges and private and government firms.

To reach his blogs or LinkedIn, visit the following sites:

https://www.linkedin.com/in/nikhil-kumar-bb7a0590

https://blogs4all2017.blogspot.com

https://iot4all2017.blogspot.com

He is a postgraduate in computer science and holds numerous cyber certifications, including Certified Ethical Hacker from the EC Council, ISO 27001 Lead Auditor from the IRCA, Certified 365 Security Administrator from Microsoft, Certified Azure Security Engineer Associate from Microsoft, Cyber Crime Intervention Officer from ISAC India, and Network Security Expert from FORTINET.

I would like to thank my family, who have always motivated me to grow in my life and career. I would like to thank my friends and employers, who have always stood by me. My friends, Aphin Alexander, Rajdeep Gogoi, Prafull Kurekar, and Kanchan Jhangiani, have always been there for me. I would also like to thank Anubhav Kumar Lal and Ravali Vangala for giving me a reason to continue learning and growing.

Table of Contents

Preface

Chapter 1: Nmap Fundamentals

Technical requirements

Building Nmap's source code

Getting ready

How to do it...

How it works...

There's more...

Finding online hosts

How to do it...

How it works...

There's more...

Listing open ports on a target

How to do it...

How it works...

There's more...

Fingerprinting OSes and services running on a target

How to do it...

How it works...

There's more...

Using NSE scripts against a target host

How to do it...

How it works...

There's more...

Scanning random targets on the internet

How to do it...

How it works...

There's more...

Collecting signatures of web servers

How to do it...

How it works...

There's more...

Scanning with Rainmap Lite

Getting ready

How to do it...

How it works...

There's more...

Chapter 2: Getting Familiar with Nmap's Family

Monitoring servers remotely with Nmap and Ndiff

Getting ready

How to do it...

How it works...

There's more...

Crafting ICMP echo replies with Nping

How to do it...

How it works...

There's more...

Managing multiple scanning profiles with Zenmap

How to do it...

How it works...

There's more...

Running Lua scripts against a network connection with Ncat

How to do it...

How it works...

There's more...

Discovering systems with weak passwords with Ncrack

Getting ready

How to do it...

How it works...

There's more...

Using Ncat to diagnose a network client

How to do it...

How it works...

There's more...

Defending against Nmap service detection scans

How to do it...

How it works...

There's more...

Chapter 3: Network Scanning

Discovering hosts with TCP SYN ping scans

How to do it...

How it works...

There's more...

Discovering hosts with TCP ACK ping scans

How to do it...

How it works...

There's more...

Discovering hosts with UDP ping scans

How to do it...

How it works...

There's more...

Selecting ports in UDP ping scans

Discovering hosts with ICMP ping scans

How to do it...

How it works...

There's more...

Discovering hosts with SCTP INIT ping scans

How to do it...

How it works...

There's more...

Discovering hosts with IP protocol ping scans

How to do it...

How it works...

There's more...

Discovering hosts with ARP ping scans

How to do it...

How it works...

There's more...

Performing advanced ping scans

How to do it...

How it works...

There's more...

Discovering hosts with broadcast ping scans

How to do it...

How it works...

There's more...

Scanning IPv6 addresses

How to do it...

How it works...

There's more...

Spoofing the origin IP of a scan

Getting ready

How to do it...

How it works...

There's more...

Using port scanning for host discovery

How to do it...

How it works...

There's more...

Chapter 4: Reconnaissance Tasks

Performing IP address geolocation

Getting ready

How to do it...

How it works...

There's more...

Getting information from WHOIS records

How to do it...

How it works...

There's more...

Obtaining traceroute geolocation information

How to do it...

How it works...

There's more...

Querying Shodan to obtain target information

Getting ready

How to do it...

How it works...

There's more...

Collecting valid email accounts and IP addresses from web servers

How to do it...

How it works...

There's more...

Discovering hostnames pointing to the same IP address

How to do it...

How it works...

There's more...

Discovering hostnames by brute-forcing DNS records

How to do it...

How it works...

There's more...

Matching services with public vulnerability advisories and picking the low-hanging fruit

How to do it...

How it works...

There's more...

Chapter 5: Scanning Web Servers

Listing supported HTTP methods

How to do it...

How it works...

There's more...

Discovering interesting files and folders on web servers

How to do it...

How it works...

There's more...

Brute forcing HTTP authentication

How to do it...

How it works...

There's more...

Brute forcing web applications

How to do it...

How it works...

There's more...

Detecting web application firewalls

How to do it...

How it works...

There's more...

Detecting possible XST vulnerabilities

How to do it...

How it works...

There's more...

Detecting XSS vulnerabilities

How to do it...

How it works...

There's more...

Finding SQL injection vulnerabilities

How to do it...

How it works...

There's more...

Finding web applications with default credentials

How to do it...

How it works...

There's more...

Detecting insecure cross-domain policies

How to do it...

How it works...

There's more...

Detecting exposed source code control systems

How to do it...

How it works...

There's more...

Auditing the strength of cipher suites in SSL servers

How to do it...

How it works...

There's more...

Chapter 6: Scanning Databases

Listing MySQL databases

How to do it...

How it works...

There's more...

Listing MySQL users

How to do it...

How it works...

There's more...

Listing MySQL variables

How to do it...

How it works...

There's more...

Brute-forcing MySQL passwords

How to do it...

How it works...

There's more...

Finding root accounts with an empty password in MySQL servers

How to do it...

How it works...

There's more...

Detecting insecure configurations in MySQL servers

How to do it...

How it works...

There's more...

Brute forcing Oracle passwords

How to do it...

How it works...

There's more...

Brute forcing Oracle SID names

How to do it...

How it works...

There's more...

Retrieving information from MS SQL servers

How to do it...

How it works...

There's more...

Brute forcing MS SQL passwords

How to do it...

How it works...

There's more...

Dumping password hashes of MS SQL servers

How to do it...

How it works...

There's more...

Running commands through xp_cmdshell in MS SQL servers

How to do it...

How it works...

There's more...

Finding system administrator accounts with empty passwords in MS SQL servers

How to do it...

How it works...

There's more...

Obtaining information from MS SQL servers with NTLM enabled

How to do it...

How it works...

There's more...

Retrieving MongoDB server information

How to do it...

How it works...

There's more...

Detecting MongoDB instances with no authentication enabled

How to do it...

How it works...

There's more...

Listing MongoDB databases

How to do it...

How it works...

There's more...

Listing CouchDB databases

How to do it...

How it works...

There's more...

Retrieving CouchDB database statistics

How to do it...

How it works...

There's more...

Detecting Cassandra databases with no authentication enabled

How to do it...

How it works...

There's more...

Brute forcing Redis passwords

How to do it...

How it works...

There's more...

Chapter 7: Scanning Mail Servers

Detecting SMTP open relays

How to do it...

How it works...

There's more...

Brute-forcing SMTP passwords

How to do it...

How it works...

There's more...

Detecting suspicious SMTP servers

How to do it...

How it works...

There's more...

Enumerating SMTP usernames

How to do it...

How it works...

There's more...

Brute-forcing IMAP passwords

How to do it...

How it works...

There's more...

Retrieving the capabilities of an IMAP server

How to do it...

How it works...

There's more...

Brute-forcing POP3 passwords

How to do it...

How it works...

There's more...

Retrieving the capabilities of a POP3 server

How to do it...

How it works...

There's more...

Retrieving information from SMTP servers with NTLM authentication

How to do it...

How it works...

There's more...

Chapter 8: Scanning Windows Systems

Obtaining system information from SMB

How to do it...

How it works...

There's more...

Detecting Windows clients with SMB signing disabled

How to do it...

How it works...

There's more...

Detecting IIS web servers that disclose Windows 8.3 names

How to do it...

How it works...

There's more...

Detecting Windows hosts vulnerable to MS08-067 and MS17-010

How to do it...

How it works...

There's more...

Retrieving the NetBIOS name and MAC address of a host

How to do it...

How it works...

There's more...

Enumerating user accounts of Windows targets

How to do it...

How it works...

There's more...

Enumerating shared folders

How to do it...

How it works...

There's more...

Enumerating SMB sessions

How to do it...

How it works...

There's more...

Finding domain controllers

How to do it...

How it works...

There's more...

Detecting the Shadow Brokers' DOUBLEPULSAR SMB implants

How to do it...

How it works...

There's more...

Listing supported SMB protocols

How to do it...

How it works...

There's more...

Detecting vulnerabilities using the SMB2/3 boot-time field

How to do it...

How it works...

There's more...

Detecting whether encryption is enforced in SMB servers

How to do it...

How it works...

There's more...

Chapter 9: Scanning ICS/SCADA Systems

Finding common ports used in ICS/SCADA systems

How to do it...

How it works...

There's more...

Finding HMI systems

How to do it...

How it works...

There's more...

Enumerating Siemens SIMATIC S7 PLCs

How to do it...

How it works...

There's more...

Enumerating Modbus devices

How to do it...

How it works...

There's more...

Enumerating BACnet devices

How to do it...

How it works...

There's more...

Enumerating Ethernet/IP devices

How to do it...

How it works...

There's more...

Enumerating Niagara Fox devices

How to do it...

How it works...

There's more...

Enumerating ProConOS devices

How to do it...

How it works...

There's more...

Enumerating Omron PLC devices

How to do it...

How it works...

There's more...

Enumerating PCWorx devices

How to do it...

How it works...

Chapter 10: Scanning Mainframes

Listing CICS transaction IDs in IBM mainframes

How to do it...

How it works...

There's more...

Enumerating CICS user IDs for the CESL/CESN login screen

How to do it...

How it works...

There's more...

Brute-forcing z/OS JES NJE node names

How to do it...

How it works...

There's more...

Enumerating z/OS TSO user IDs

How to do it...

How it works...

There's more...

Brute-forcing z/OS TSO accounts

How to do it...

How it works...

There's more...

Listing VTAM application screens

How to do it...

How it works...

There's more...

Chapter 11: Optimizing Scans

Skipping phases to speed up scans

How to do it...

How it works...

There's more...

Selecting the correct timing template

How to do it...

How it works...

There's more...

Adjusting timing parameters

How to do it...

There's more...

Adjusting performance parameters

How to do it...

How it works...

There's more...

Adjusting scan groups

How to do it...

There's more...

Distributing a scan among several clients using dnmap

Getting ready

How to do it...

How it works...

There's more...

Chapter 12: Generating Scan Reports

Saving scan results in a normal format

How to do it...

How it works...

There's more...

Saving scan results in an XML format

How to do it...

How it works...

There's more...

Saving scan results to a SQLite database

Getting ready

How to do it...

How it works...

There's more...

Saving scan results in a grepable format

How to do it...

How it works...

There's more...

Generating a network topology graph with Zenmap

How to do it...

How it works...

There's more...

Generating HTML scan reports

Getting ready

How to do it...

How it works...

There's more...

Reporting vulnerability checks

How to do it...

How it works...

There's more...

Generating PDF reports with fop

Getting ready

How to do it...

How it works...

There's more...

Saving NSE reports in Elasticsearch

Getting ready

How to do it...

How it works...

There's more...

Visualizing Nmap scan results with IVRE

Getting ready

How to do it...

How it works...

There's more...

Chapter 13: Writing Your Own NSE Scripts

Making HTTP requests to identify vulnerable Supermicro IPMI/BMC controllers

How to do it...

How it works...

There's more...

Sending UDP payloads using NSE sockets

How to do it...

How it works...

There's more...

Generating vulnerability reports in NSE scripts

How to do it...

How it works...

There's more...

Exploiting an SMB vulnerability

How to do it...

How it works...

There's more...

Writing brute-force password auditing scripts

How to do it...

How it works...

There's more...

Crawling web servers to detect vulnerabilities

How to do it...

How it works...

There's more...

Working with NSE threads, condition variables, and mutexes in NSE

How to do it...

How it works...

There's more...

Writing a new NSE library in Lua

How to do it...

How it works...

There's more...

Writing a new NSE library in C/C++

How to do it...

How it works...

There's more...

Getting your scripts ready for submission

How to do it...

How it works...

There's more...

Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine

Generating vulnerability reports in NSE scripts

How to do it...

How it works...

There's more...

Writing brute-force password auditing scripts

How to do it...

How it works...

There's more...

Crawling web servers to detect vulnerabilities

How to do it...

How it works...

There's more...

Exploiting SMB vulnerabilities

How to do it...

How it works...

There's more...

Appendix A – HTTP, HTTP Pipelining, and Web Crawling Configuration Options

HTTP user agent

HTTP pipelining

Configuring the NSE httpspider library

Appendix B – Brute-Force Password Auditing Options

Brute modes

Appendix C – NSE Debugging

Debugging NSE scripts

Exception handling

Appendix D – Additional Output Options

Saving output in all formats

Appending Nmap output logs

Including debugging information in output logs

Including the reason for a port or host state

OS detection in verbose mode

Appendix E – Introduction to Lua

Flow control structures

Conditional statements – if, then, elseif

Loops – while

Loops – repeat

Loops – for

Data types

String handling

Character classes

Magic characters

Patterns

Captures

Repetition operators

Concatenation

Finding substrings

String repetition

String length

Formatting strings

Splitting and joining strings

Common data structures

Tables

Arrays

Linked lists

Sets

Queues

Custom data structures

I/O operations

Modes

Opening a file

Reading a file

Writing a file

Closing a file

Coroutines

Creating a coroutine

Executing a coroutine

Determining the current coroutine

Getting the status of a coroutine

Yielding a coroutine

Metatables

Arithmetic metamethods

Relational metamethods

Things to remember when working with Lua

Comments

Dummy assignments

Indexes

Semantics

Coercion

Safe language

Booleans

Appendix F – References and Additional Reading

Other Books You May Enjoy

Chapter 1: Nmap Fundamentals

Network Mapper (Nmap) was originally released by Gordon Lyon, known on the internet as Fyodor, in the infamous Phrack magazine Vol. 7 Issue 51 (https://nmap.org/p51-11.html). It is still acclaimed today as one of the best tools for network reconnaissance and security auditing in cybersecurity. The first public version was introduced as an advanced port scanner along with a paper describing research on novel techniques for port discovery, but since then, it has gone down a long road and become so much more. The Nmap project itself evolved into a family of advanced networking tools that includes amazing projects such as Ncrack, Ncat, Nping, Zenmap, and, built into Nmap itself, the Nmap Scripting Engine (NSE). Fyodor's own description on the official website is as follows:

"Nmap (Network Mapper) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X."

Nmap's community is very active, so I encourage you to always keep up with the latest stable releases and patches. Announcements and discussions take place on the development mailing list, so if you would like to contribute to the project, I recommend you subscribe to the mailing list at https://nmap.org/mailman/listinfo/dev. These days, you will also find a GitHub repository serving as the official mirror of the Subversion code repository. For issues and pull requests, it is recommended to create them on GitHub and send a friendly reminder to the mailing list so that they are easier to track and do not get lost in all the noise.

This first chapter is for newcomers to Nmap and its projects. It aims to give you a general overview of the main capabilities of the Nmap project. Starting with building Nmap projects from source code, you will become familiar with all the tools of the Nmap project. In just the initial recipes, you will learn how flexible and powerful the Nmap tools are, but as we move through the chapters, you will go deep into the internals to learn how to not only use the tools for a wide range of tasks useful in the cybersecurity field but also extend them and create new functionality by writing your own modules in Lua or C. The practical tasks chosen for this chapter will get you started with Nmap and the most common options and features to start scanning targets and customizing scans.

In this chapter, we will cover the following recipes:

Building Nmap's source code

Finding online hosts

Listing open ports on a target

Fingerprinting OSes and services running on a target

Using NSE scripts against a target host

Scanning random targets on the internet

Collecting signatures of web servers

Scanning with Rainmap Lite

Technical requirements

The following tools are officially part of the Nmap project and were created to accomplish common tasks for network diagnostics and security scanning:

Nping (https://nmap.org/nping/) specializes in custom network packet crafting for diagnostics and troubleshooting.

Ncrack (https://nmap.org/ncrack/) focuses on network authentication cracking, supporting the most popular applications and protocols.

Ncat (https://nmap.org/ncat/) is an enhanced version of Netcat that supports encryption out of the box and is extensible using Lua scripts.

Zenmap (https://nmap.org/zenmap/) is a cross-platform GUI for Nmap focused on usability.

NSE (https://nmap.org/book/nse.html) takes information obtained from scanned targets and provides an interface for users to script additional tasks using Lua.

Building Nmap's source code

Throughout this book, you will use all the tools from the Nmap project, so it is a good idea to start by installing the latest versions now. We will not work with pre-built binaries like mere mortals but build the tools from the latest source code available in the official repository. This recipe shows how to download the latest copy of the source code from the development repositories and how to compile and install Nmap and the related tools on your Unix-based system.

We always prefer working with the very latest snapshot of the repository because precompiled packages take time to prepare and we will often miss important patches or new NSE scripts. The following recipe will show the process of downloading the source code and configuring, building, installing, and maintaining an up-to-date copy of the Nmap project in your arsenal.

Getting ready

Before continuing, you need to have installed the Subversion client. Unix-based platforms come with a command-line client named Subversion (svn). To check whether it's already installed on your system, just open a terminal and type the following command:

$ svn

If the command was not found, install svn using your favorite package manager or build it from source code. The instructions to build svn from source code are out of the scope of this book, but they are widely documented online. Use your favorite search engine to find specific instructions for your system.

When building Nmap, we will also need additional dependencies, such as the OpenSSL development headers and the make command. On Debian-based systems, try the following command to install the missing dependencies:

#apt-get install libssl-dev autoconf make g++ subversion

Note that OpenSSL is optional and Nmap can be built without it; however, a build without OpenSSL is crippled, because Nmap relies on it for functions related to integers, hashing, and encoding/decoding SSL requests in service detection and NSE.

How to do it...

Start by grabbing a copy of the source code from the official Subversion repository. To download the latest development branch, use the svn checkout command. This command can also be used through the co alias:

$svn co https://svn.nmap.org/nmap

This command will start downloading and listing the files and when it finishes, the Checked out revision <Revision number> message will be shown. A new directory containing the source code is now available in your current working directory. At this point, you should have installed all the required dependencies and you will be ready to compile Nmap with the standard Unix compilation procedure by running configure, make, and make install. Enter the directory containing the source code and start with the configure command:

$./configure

If the configuration process completes successfully, you should also see the configuration options applied:

Configured with: ndiff zenmap nping openssl zlib libssh2 lua ncat

Configured without: localdirs nmap-update

Type make (or gmake on some *BSD machines) to compile.

Compile Nmap with make:

$make

When it finishes building Nmap and the other tools, you will be able to find the nmap binary in your current working directory. Finally, make it available system-wide by installing Nmap on the system:

#make install

After installing the application, you should see the NMAP SUCCESSFULLY INSTALLED message and now you can run Nmap from any path on the system. Test your Nmap installation and learn about the supported scanning techniques and options with the help command:

$nmap -h

How it works...

The svn repository, hosted at https://svn.nmap.org/nmap, contains the latest development version of Nmap and has world read access that allows anyone to grab a copy of the source code. We built the project from scratch to get the latest patches and features. The installation process described in this recipe also installed Ncat, Zenmap, Ndiff, and Nping.

There's more...

The process of compiling Nmap is similar to compiling other Unix-based applications, but there are several compile-time variables that can be adjusted to configure the installation. Precompiled binaries are recommended for users who can't compile Nmap from source code. Unix-based systems are recommended because of some Windows limitations that affect performance, described at https://nmap.org/book/inst-windows.html.

Experimental branches

If you want to try the latest creations of the development team, there is a folder named nmap-exp that contains several experimental branches of the project. The code stored in this folder is not guaranteed to work all the time as it is used as a sandbox by developers, although some hidden gems can be found there from time to time. These branches are located at https://svn.nmap.org/nmap-exp/.

Updating your local working copy

The Nmap project is quite active, especially during summer because of Google Summer of Code, so do not forget to update your installed copy regularly. If you keep a working copy of the svn repository, https://svn.nmap.org/nmap, you could update it with the following commands inside your svn working directory:

$svn up

$make -j4

#make install

Customizing the building process

If you do not need the other Nmap utilities, such as Nping, Ncat, Ndiff, or Zenmap, you may use different configure directives to omit their installation during the configuration step:

./configure --without-ndiff

./configure --without-ncat

./configure --without-zenmap

./configure --without-nping

For a complete list of configuration directives, use the --help command argument:

$./configure --help
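The checkout, update, configure and build steps from this recipe and the two subsections above, combined into one maintenance script that refuses to proceed when configure did not enable OpenSSL or Lua. This is an added example, not code from the book or the Nmap project; the checkout directory, the SKIP_COMPONENTS variable and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example: fetch or update the Nmap Subversion working copy, build it,
# and stop before installing if configure did not pick up OpenSSL or Lua
# (the book notes that a build without OpenSSL loses service-detection and
# NSE functionality). Checkout path and variable names are assumptions.
set -e

NMAP_SVN_URL="https://svn.nmap.org/nmap"        # repository from the recipe
NMAP_SRC_DIR="${NMAP_SRC_DIR:-$HOME/src/nmap}"  # assumed checkout location
REQUIRED_FEATURES="openssl lua"                 # features we insist on

# Fail early if a build prerequisite is missing (mirrors the apt-get list).
need_tools() {
    for tool in svn make g++; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
}

# Turn a space-separated list of optional components into configure flags,
# e.g. "ndiff zenmap" -> "--without-ndiff --without-zenmap".
configure_args() {
    args=""
    for component in $1; do
        args="$args --without-$component"
    done
    printf '%s\n' "${args# }"
}

# Read configure's summary ("Configured with:" / "Configured without:" lines)
# on stdin and return non-zero if a required feature is not in the "with" list.
check_configure_summary() {
    with=$(sed -n 's/^Configured with: *//p')
    status=0
    for feature in $REQUIRED_FEATURES; do
        case " $with " in
            *" $feature "*) ;;
            *) echo "configure did not enable: $feature" >&2; status=1 ;;
        esac
    done
    return $status
}

# Check out on the first run, update afterwards; then configure, build, verify.
nmap_build() {
    need_tools
    if [ -d "$NMAP_SRC_DIR/.svn" ]; then
        svn up "$NMAP_SRC_DIR"
    else
        svn co "$NMAP_SVN_URL" "$NMAP_SRC_DIR"
    fi
    cd "$NMAP_SRC_DIR"
    # The flag list is intentionally word-split into separate arguments.
    ./configure $(configure_args "${SKIP_COMPONENTS:-}") > configure.log 2>&1 \
        || { tail -n 20 configure.log >&2; return 1; }
    check_configure_summary < configure.log
    make -j"$(nproc 2>/dev/null || echo 2)"
    ./nmap --version   # the binary lands in the working directory before install
    echo "Build OK; run 'make install' as root to install system-wide."
}

# Usage: SKIP_COMPONENTS="zenmap ndiff" sh build-nmap.sh --run
if [ "${1:-}" = "--run" ]; then
    nmap_build
fi
```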

Precompiled packages

Precompiled Nmap packages can be found for all major platforms at https://nmap.org/download.html for those who do not feel like setting up the build environment. When working with precompiled packages, just make sure that you grab the latest version to avoid missing important fixes or enhancements. This is especially important with Windows and the Npcap driver, which has gone through some serious improvements.

Finding online hosts

Finding online hosts in networks or on the internet is a common task among penetration testers and system administrators. Nmap offers better host detection as it sends more probes than the ICMP echo request sent by the traditional ping utility.

This recipe describes how to determine whether a host is online with Nmap.

How to do it...

Launch a ping scan against a target to determine whether it is online using the following command:

#nmap -sn <target>

The results include every host that responded to any of the packets Nmap sent during the ping scan, that is, the active machines on the target network segment or on the internet. Nmap treats any argument that is not a recognized option as a target, and it supports IPv4/IPv6 addresses, hostnames, and network ranges written with wildcards or Classless Inter-Domain Routing (CIDR) notation. For example, to scan the local network 192.168.0.1/24, run the following command:

#nmap -sn 192.168.0.1/24

Nmap scan report for 192.168.0.1
Host is up (0.0025s latency).
MAC Address: F4:B7:E2:0A:DA:18 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.0.2
Host is up (0.0065s latency).
MAC Address: 00:18:F5:0F:AD:01 (Shenzhen Streaming Video Technology Company Limited)
Nmap scan report for 192.168.0.3
Host is up (0.00015s latency).
MAC Address: 9C:2A:70:10:84:BF (Hon Hai Precision Ind.)
Nmap scan report for 192.168.0.8
Host is up (0.029s latency).
MAC Address: C8:02:10:39:54:D2 (LG Innotek)
Nmap scan report for 192.168.0.10
Host is up (0.0072s latency).
MAC Address: 90:F6:52:EE:77:E9 (Tp-link Technologies)
Nmap scan report for 192.168.0.11
Host is up (0.030s latency).
MAC Address: 80:D2:1D:2C:20:55 (AzureWave Technology)
Nmap scan report for 192.168.0.18
Host is up (-0.054s latency).
MAC Address: 78:31:C1:C1:9C:0A (Apple)
Nmap scan report for 192.168.0.22
Host is up (0.030s latency).
MAC Address: F0:25:B7:EB:DD:21 (Samsung Electro Mechanics)
Nmap scan report for 192.168.0.5
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 27.86 seconds

When run as a privileged user on a local Ethernet network, a ping scan also reports each host's MAC address and the vendor looked up from the OUI prefix of that address.

How it works...

The Nmap -sn option disables port scanning, leaving only the host discovery phase enabled, which makes Nmap perform a ping scan or ping sweep. The probes Nmap sends by default depend on its privileges: a privileged user sends a TCP SYN packet to port 443, a TCP ACK packet to port 80, and ICMP echo and timestamp requests. If the user running Nmap cannot send raw packets, it instead attempts TCP connections to ports 80 and 443 through the connect() system call. When scanning a local Ethernet segment as a privileged user, Nmap uses ARP requests (IPv4) or Neighbor Discovery (IPv6) instead, since a host that answers at layer 2 is known to be up; MAC addresses and vendors are taken from the ARP/ND replies.

There's more...

Nmap supports several host and port discovery techniques, and probes can be customized to scan hosts effectively even in the most restricted environments. It is important that we grasp how these network scanning techniques work. Let's learn more about host discovery with Nmap.

Tracing routes

Ping scans allow including traceroute information of the targets. Use the Nmap --traceroute option to trace the route from the scanning machine to the target host:

$ nmap -sn --traceroute google.com microsoft.com

Nmap scan report for google.com (216.58.193.46)
Host is up (0.16s latency).
Other addresses for google.com (not scanned): 2607:f8b0:4012:805::200e
rDNS record for 216.58.193.46: qro01s13-in-f14.1e100.net

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   1.28 ms   192.168.0.1
2   ...
3   158.85 ms 10.165.1.9
4   ... 5
6   165.50 ms 10.244.158.13
7   171.18 ms 10.162.0.254
8   175.33 ms 200.79.231.81.static.cableonline.com.mx (200.79.231.81)
9   183.16 ms 10.19.132.97
10  218.60 ms 72.14.203.70
11  223.35 ms 209.85.240.177
12  242.60 ms 209.85.142.47
13  ...
14  234.79 ms 72.14.233.237
15  235.17 ms qro01s13-in-f14.1e100.net (216.58.193.46)

Nmap scan report for microsoft.com (23.96.52.53)
Host is up (0.27s latency).
Other addresses for microsoft.com (not scanned): 23.100.122.175 104.40.211.35 104.43.195.251 191.239.213.197

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
-   Hops 1-9 are the same as for 216.58.193.46
10  183.27 ms 10.19.132.30
11  231.26 ms 206.41.108.25
12  236.77 ms ae5-0.atb-96cbe-1c.ntwk.msn.net (104.44.224.230)
13  226.22 ms be-3-0.ibr01.bn1.ntwk.msn.net (104.44.4.49)
14  226.89 ms be-1-0.ibr02.bn1.ntwk.msn.net (104.44.4.63)
15  213.92 ms be-3-0.ibr02.was05.ntwk.msn.net (104.44.4.26)
16  251.91 ms ae71-0.bl2-96c-1b.ntwk.msn.net (104.44.8.173)
17  ... 19
20  220.70 ms 23.96.52.53

Nmap done: 2 IP addresses (2 hosts up) scanned in 67.85 seconds

Running NSE during host discovery

NSE can be enabled during the host discovery phase to obtain additional information about a target. As with any other NSE script, whether it runs depends on its rule: with port scanning disabled, only scripts with a prerule, hostrule, or postrule can run, since there are no port results for a portrule to match. To execute an NSE script without port scanning our targets, we skip port scanning with -sn and use --script <file,folder,category> to select the desired script:

$ nmap -sn --script dns-brute websec.mx

Nmap scan report for websec.mx (54.210.49.18)
Host is up.
rDNS record for 54.210.49.18: ec2-54-210-49-18.compute-1.amazonaws.com

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     ipv6.websec.mx - 54.210.49.18
|     web.websec.mx - 198.58.116.134
|     www.websec.mx - 54.210.49.18
|_    beta.websec.mx - 54.210.49.18

An interesting NSE script to try when discovering online hosts in networks is the broadcast-ping script, which uses a broadcast ping request to attempt to discover online hosts:

$ nmap -sn --script broadcast-ping 192.168.0.1/24

Pre-scan script results:

| broadcast-ping:

|     IP: 192.168.0.11    MAC: 80:d2:1d:2c:20:55

|     IP: 192.168.0.18    MAC: 78:31:c1:c1:9c:0a

|_    Use --script-args=newtargets to add the results as targets

Exploring more host discovery scanning techniques

Nmap supports several host discovery techniques using different protocols. By default, the host discovery phase (nmap -sn <target>) run as a privileged user is equivalent to specifying the -PS443 -PA80 -PE -PP options, which correspond to a TCP SYN to port 443, a TCP ACK to port 80, and ICMP echo and timestamp requests.

In Chapter 3, Network Scanning, you will learn more about the following ping scanning techniques supported by Nmap:

-PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP, or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP protocol ping

Listing open ports on a target

This recipe describes how to use Nmap to determine the port states of a target, a process used to identify running services commonly referred to as port scanning. This is one of the tasks Nmap excels at, so it is important to learn about the essential Nmap options related to port scanning.

How to do it...

To launch a default scan, the bare minimum you need is a target. A target can be an IP address, a hostname, or a network range:

$ nmap scanme.nmap.org

The scan results show the host information obtained, such as the IPv4 (and IPv6, if available) address, the reverse DNS name, and the interesting ports with their service names. Every listed port has a state. Ports marked open are of most interest because a service is accepting connections there; filtered ports are worth noting too, since a firewall may be hiding a service behind them:

Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.16s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds
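Both the ping sweep in the Finding online hosts recipe and the default scan above are easier to post-process from Nmap's grepable output (-oG) than from the normal report. The parser below is an added example, not code from the book or the Nmap project; it assumes the scans were run with -oG - so that Nmap prints one tab-separated line per host, and the sample input is constructed by hand from the hosts and ports shown in the two listings above.

```python
"""Parse Nmap grepable output (-oG) into per-host records.

Added example, not code from the book or the Nmap project. It assumes the
scans were run with "-oG -" so that Nmap prints one tab-separated line per
host; the sample below is constructed by hand from the hosts and ports shown
in the ping-scan and default-scan listings.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: what "nmap -sn -oG - 192.168.0.1/24" followed by
# "nmap -oG - scanme.nmap.org" would write. Fields are separated by tabs.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sn -oG - 192.168.0.1/24\n"
    "Host: 192.168.0.1 ()\tStatus: Up\n"
    "Host: 192.168.0.5 ()\tStatus: Up\n"
    "Host: 192.168.0.18 ()\tStatus: Up\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned in 27.86 seconds\n"
    "# Nmap scan initiated as: nmap -oG - scanme.nmap.org\n"
    "Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up\n"
    "Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh///, "
    "25/filtered/tcp//smtp///, 80/open/tcp//http///, 9929/open/tcp//nping-echo///, "
    "31337/open/tcp//Elite///\tIgnored State: closed (995)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 333.35 seconds\n"
)


@dataclass
class Port:
    number: int
    state: str       # open, closed, filtered, unfiltered, open|filtered, closed|filtered
    proto: str       # tcp, udp, sctp
    service: str
    version: str = ""


@dataclass
class Host:
    ip: str
    hostname: str
    status: str = "unknown"
    ports: list = field(default_factory=list)
    ignored_state: str = ""   # e.g. "closed (995)": the ports Nmap did not list


HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def _parse_ports(value):
    """Each entry is port/state/proto/owner/service/rpcinfo/version/ ."""
    ports = []
    for entry in value.split(", "):
        parts = entry.split("/")
        if len(parts) < 8:
            raise ValueError(f"malformed port entry: {entry!r}")
        ports.append(Port(number=int(parts[0]), state=parts[1], proto=parts[2],
                          service=parts[4], version="/".join(parts[6:-1])))
    return ports


def parse_grepable(text):
    """Return Host objects in first-seen order; the Status and Ports lines
    for the same address are merged into one record."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # banners and comments start with '#'
        m = HOST_RE.match(line)
        if not m:
            raise ValueError(f"unparseable host line: {line!r}")
        ip, name = m.groups()
        host = hosts.setdefault(ip, Host(ip=ip, hostname=name))
        for token in line.split("\t")[1:]:
            key, _, value = token.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                host.ports.extend(_parse_ports(value))
            elif key == "Ignored State":
                host.ignored_state = value
    return list(hosts.values())


def up_hosts(hosts):
    """Addresses that answered at least one discovery probe."""
    return [h.ip for h in hosts if h.status == "Up"]


def ports_in_state(hosts, *states):
    """(ip, port, proto, service) tuples for ports in any of the given states."""
    return [(h.ip, p.number, p.proto, p.service)
            for h in hosts for p in h.ports if p.state in states]


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    print("up:", up_hosts(parsed))
    for ip, port, proto, svc in ports_in_state(parsed, "open", "open|filtered"):
        print(f"{ip} {port}/{proto} {svc}")
```

Grepable output is convenient for quick shell pipelines and scripts like this one, but it drops script output and some version-detection detail; for anything you intend to keep, write XML with -oX as well and parse that.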

How it works...

The default Nmap scan lists the ports it found interesting, together with the state of each port and a service name looked up in the nmap-services database distributed with Nmap. That name is based on the port number, not on what is actually running there; use -sV (see the Fingerprinting OSes and services recipe) to identify the real service.

Nmap categorizes ports into the following states:

Open: A service is listening for connections on this port.
Closed: The probes were received and answered, but no service is listening on this port.
Filtered: There was no sign that the probes were received and the state could not be established. This usually means the probes are being dropped by some kind of filtering, such as a firewall or router rule.
Unfiltered: The probes were received, but the state could not be established; only the ACK scan (-sA) produces this state.
Open|Filtered: Nmap cannot tell whether the port is open or filtered. This is typical of UDP, IP protocol, FIN, NULL, and Xmas scans, where an open port sends no response.
Closed|Filtered: Nmap cannot tell whether the port is closed or filtered; only the idle scan (-sI) produces this state.

Even for this simple port scan, Nmap does several things in the background that can be configured as well. Nmap begins by resolving the hostname to an IP address using DNS. To use a different DNS server, pass --dns-servers <serv1[,serv2],...>, or use -n to skip name resolution altogether, as follows:

$ nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org

Afterward, it performs the host discovery process to check whether the target is online (see the Finding online hosts recipe). To skip this step, use the no ping option, -Pn:

$ nmap -Pn scanme.nmap.org

Nmap then converts the IPv4 or IPv6 address back to a hostname using a reverse DNS query. Use -n to skip this step as well if you do not need that information:

$ nmap -n scanme.nmap.org

The previous command will launch either a SYN stealth scan or a TCP connect scan depending on the privileges of the user running Nmap.

There's more...

Port scanning is one of the most powerful features available, and it is important that we understand the different techniques and options that affect the scan behavior of Nmap.

Privileged versus unprivileged

Running the simplest port scan command, nmap <target>, as a privileged user launches a SYN stealth scan by default, whereas unprivileged users that cannot create raw packets get the TCP connect scan technique. A TCP connect scan uses the high-level connect() system call to obtain the port state, meaning that each TCP handshake is fully completed (and visible to the service, which may log it) and the scan is therefore slower. A SYN stealth scan uses raw packets: it sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and tears the half-open connection down with a RST instead of completing the handshake.
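The following connect() scanner is an added illustration of the unprivileged technique just described; it is example code, not Nmap's implementation. It maps the outcome of each connect() attempt onto the port states defined in the How it works... section: a completed handshake is open, a RST (connection refused) is closed, and a timeout or ICMP unreachable error is filtered. The demo_local() helper starts a listener on 127.0.0.1 so the scan has one open and one closed port to work with.

```python
"""TCP connect() scan of a few ports.

Added illustration of the unprivileged technique (example code, not Nmap's
own implementation). Because connect() completes the three-way handshake,
the target's service sees a full connection, which is why Nmap uses the
raw-socket half-open SYN scan whenever it can send raw packets.
"""
import errno
import socket


def connect_scan(host, ports, timeout=1.0):
    """Return {port: state} for the given TCP ports on host."""
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"          # handshake completed: something is listening
        except socket.timeout:
            results[port] = "filtered"      # no SYN/ACK and no RST before the deadline
        except ConnectionRefusedError:
            results[port] = "closed"        # the host answered with a RST
        except OSError as exc:
            # ICMP unreachable errors mean a device between us and the target
            # rejected the probe; Nmap reports these as filtered as well.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                results[port] = "filtered"
            else:
                raise
        finally:
            sock.close()
    return results


def demo_local():
    """Create one listening port and one port nothing listens on, both on
    127.0.0.1, then scan them. Returns (open_port, closed_port, results)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: let the kernel pick a free port
    listener.listen(5)                  # the kernel completes handshakes into the backlog
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                       # released: connecting to it now yields a RST

    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    open_port, closed_port, states = demo_local()
    for port in (open_port, closed_port):
        print(f"{port}/tcp {states[port]}")
```

Against a real target the filtered branch is the one to watch: a firewall that silently drops SYNs makes every such port cost the full timeout, which is exactly why Nmap's adaptive timing and its SYN scan matter when scanning large port ranges.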

Scanning specific port ranges

Setting the right port ranges is something you will need to do often when running Nmap scans. You can also use it to find machines that run a service on a specific port, for example, all the SMB servers listening on port 445. Narrowing down the port list also improves performance, which matters when scanning many targets.

There are several ways of using the Nmap -p option:

Port list separated by commas: $ nmap -p80,443 localhost
Port range denoted with hyphens: $ nmap -p1-100 localhost
Alias for all ports from 1 to 65535: # nmap -p- localhost
Specific ports by protocol: # nmap -pT:25,U:53 <target>
Service name: # nmap -p smtp <target>
Service name with wildcards: # nmap -p 'smtp*' <target>
Only ports registered in the Nmap services database: # nmap -p '[1-65535]' <target>

Quote the wildcard and bracket forms as shown so that the shell does not expand them as filename globs before Nmap sees them.
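To see how these forms combine, here is an added example of a parser for -p specifications (not Nmap's own parser). It handles comma lists, hyphen ranges, the bare - alias, T:/U:/S: protocol prefixes, service names with wildcards, and the bracketed form that keeps only ports present in the services database. Service lookups use a small constructed excerpt in the layout of Nmap's nmap-services file rather than the real file, and the default_protos parameter stands in for the protocols selected by the scan type (Nmap applies an unprefixed -p element to TCP for -sS/-sT and to UDP for -sU).

```python
"""Parse Nmap -p port specifications into (proto, port) pairs.

Added example, not Nmap's own parser. Service names are resolved against a
constructed excerpt in nmap-services layout, not the real file.
"""
import fnmatch
import re

# Constructed excerpt in nmap-services layout: name, port/proto, open-frequency.
SAMPLE_NMAP_SERVICES = """\
# Fields: service-name  port/protocol  open-frequency
ftp           21/tcp    0.197667
ssh           22/tcp    0.182286
smtp          25/tcp    0.131314
domain        53/tcp    0.054591
domain        53/udp    0.213496
http          80/tcp    0.484143
https        443/tcp    0.208669
microsoft-ds 445/tcp    0.056944
smtps        465/tcp    0.013888
submission   587/tcp    0.019721
"""

PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}


def load_services(text):
    """Return {(proto, port): name} from nmap-services style text."""
    services = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        services[(proto, int(port))] = name
    return services


def parse_port_spec(spec, services, default_protos=("tcp",)):
    """Expand spec into a sorted list of (proto, port).

    default_protos is what an unprefixed element applies to (an assumption
    standing in for the protocols of the chosen scan types)."""
    result = set()
    protos = list(default_protos)
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port specification")
        # A T:/U:/S: prefix applies to this and every following element.
        if len(item) > 2 and item[1] == ":" and item[0] in PROTO_PREFIX:
            protos = [PROTO_PREFIX[item[0]]]
            item = item[2:]
        only_known = item.startswith("[") and item.endswith("]")
        if only_known:
            item = item[1:-1]                        # keep only ports in the database
        if re.fullmatch(r"\d*-\d*", item):           # "1-100", "-", "0-", "-1024"
            lo, _, hi = item.partition("-")
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else 65535
        elif item.isdigit():
            lo = hi = int(item)
        else:                                        # service name, maybe with * or ?
            matches = {(p, n) for (p, n), name in services.items()
                       if p in protos and fnmatch.fnmatchcase(name, item)}
            if not matches:
                raise ValueError(f"no service matches {item!r}")
            result |= matches
            continue
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        for proto in protos:
            if only_known:
                result.update((proto, n) for (p, n) in services
                              if p == proto and lo <= n <= hi)
            else:
                result.update((proto, n) for n in range(lo, hi + 1))
    return sorted(result)


if __name__ == "__main__":
    svc = load_services(SAMPLE_NMAP_SERVICES)
    for spec in ("80,443", "T:25,U:53", "smtp*", "[1-100]"):
        print(spec, "->", parse_port_spec(spec, svc))
```

A parser like this is useful in wrappers that build Nmap command lines from user input: validating the specification up front catches a reversed range or a typo in a service name before a long scan is launched.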

Selecting a network interface

Nmap attempts to automatically detect your active network interface; however, there are some situations where it will fail or perhaps you will need to select a different interface in order to test networking issues. To force Nmap to scan using a different network interface, use the -e argument:

#nmap -e <interface> <target>

#nmap -e eth2 scanme.nmap.org

This is only necessary if you have problems with broadcast scripts or see the WARNING: Unable to find appropriate interface for system route to message.

More port scanning techniques

In this recipe, we talked about the two default scanning methods used in Nmap: SYN stealth scan and TCP connect scan. However, Nmap supports several more advanced port scanning techniques. Use nmap -h or visit https://nmap.org/book/man-port-scanning-techniques.html to learn more about them as Fyodor has done a fantastic job describing how they work in depth.

Target specification

Nmap supports several target formats that allow users to work with IP address ranges. The most common type is when we specify the target's IP or host, but it also supports the reading of targets from files and ranges, and we can even generate a list of random targets as we will see later.

Any arguments that are not valid options are read as targets by Nmap. This means that we can tell Nmap to scan more than one range in a single command, as shown in the following command:

# nmap -p25,80 -O -T4 192.168.1.1/24 scanme.nmap.org/24

There are several ways that we can handle IP ranges in Nmap:

Multiple host specification
Octet range addressing (wildcards are also supported)
CIDR notation

To scan the 192.168.1.1, 192.168.1.2, and 192.168.1.3 IP addresses, the following command can be used:

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3

We can also specify octet ranges using -. For example, to scan hosts 192.168.1.1, 192.168.1.2, and 192.168.1.3, we could use the expression 192.168.1.1-3, as shown in the following command:

$ nmap 192.168.1.1-3

Octet range notation also supports wildcards, so we could scan from 192.168.1.0 to 192.168.1.255 with the expression 192.168.1.*:

$ nmap 192.168.1.*

Excluding hosts from scans

In addition, you may exclude hosts from the ranges by specifying the --exclude option, as shown next:

$ nmap 192.168.1.1-255 --exclude 192.168.1.1

$ nmap 192.168.1.1-255 --exclude 192.168.1.1,192.168.1.2

Otherwise, you can write your exclusion list in a file using the --exclude-file option:

$ cat dontscan.txt

192.168.1.1

192.168.1.254

$ nmap --exclude-file dontscan.txt 192.168.1.1-255

CIDR notation for targets

The CIDR notation (pronounced cider) is a compact method for specifying IP addresses and their routing suffixes. This notation gained popularity due to its granularity when compared with classful addressing because it allows subnet masks of variable length.

The CIDR notation is specified by an IP address and a network suffix. The suffix is the number of network bits (the prefix length). IPv4 addresses are 32-bit, so the prefix length can be between 0 and 32. The most common suffixes are /8, /16, /24, and /32.

To visualize it, take a look at the following CIDR-to-netmask conversions:

/8: 255.0.0.0
/16: 255.255.0.0
/24: 255.255.255.0
/32: 255.255.255.255

For example, 192.168.1.0/24 represents the 256 IP addresses from 192.168.1.0 to 192.168.1.255, and 50.116.1.121/8 represents every address from 50.0.0.0 to 50.255.255.255 (the host bits of the address you give are ignored). The /32 suffix is also valid and represents a single IP address.

The CIDR notation can also be used when specifying targets. To scan the 256 hosts in 192.168.1.0-255 using the CIDR notation, you will need the /24 suffix:

$ nmap 192.168.1.0/24

Working with target lists

Many times, we will need to work with multiple targets, but having to type a list of targets in the command line is not very practical. Fortunately, Nmap supports the loading of targets from an external file. Enter the list of targets into a file, each separated by a new line, tab, or space(s):

$cat targets.txt

192.168.1.23

192.168.1.12

To load the targets from the targets.txt file, use the Nmap -iL <filename> option:

$ nmap -iL targets.txt

Important note

This feature can be combined with any other scan option or method, including --exclude and --exclude-file: hosts matching an exclusion are skipped even when they were loaded from the -iL file.

You can also use different target formats in the same file. In the following file, we specify an IP address and an IP range inside the same file:

$ cat targets.txt

192.168.1.1

192.168.1.20-30

You can enter comments in your target list by starting the new line with the # character:

$ cat targets.txt
# FTP servers
192.168.10.3
192.168.10.7
192.168.10.11
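The target forms covered in this recipe (single addresses, octet ranges, wildcards, CIDR blocks, -iL files with comments, and --exclude/--exclude-file lists) can be expanded with a few lines of Python. The code below is an added example, not Nmap's own target parser; it passes hostnames through unresolved because expanding them needs DNS, it applies exclusions to every target regardless of where it was listed, and the two sample files are constructed.

```python
"""Expand Nmap-style target specifications into individual addresses.

Added example, not Nmap's own target parser. Hostnames are passed through
unresolved because expanding them needs DNS; the sample files are constructed.
"""
import ipaddress
import itertools
import re

# One octet: "12", "20-30" or "*", four of them joined by dots.
_OCTET = r"(\d{1,3}(?:-\d{1,3})?|\*)"
_OCTET_RANGE_RE = re.compile(r"^" + r"\.".join([_OCTET] * 4) + r"$")


def _octet_values(part):
    if part == "*":
        return range(256)
    lo, _, hi = part.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range {part!r}")
    return range(lo, hi + 1)


def expand_spec(spec):
    """Yield IPv4Address/IPv6Address objects for one target spec, or the
    spec itself (a str) when it is a hostname that must be resolved first."""
    spec = spec.strip()
    if "/" in spec:
        try:
            network = ipaddress.ip_network(spec, strict=False)   # host bits are ignored
        except ValueError:
            yield spec            # e.g. scanme.nmap.org/24: resolve first, then expand
            return
        yield from network        # includes the .0 and .255 addresses, like Nmap
        return
    m = _OCTET_RANGE_RE.match(spec)
    if m:
        for octets in itertools.product(*(_octet_values(p) for p in m.groups())):
            yield ipaddress.IPv4Address(".".join(map(str, octets)))
        return
    yield spec                    # plain hostname


def read_target_file(text):
    """Specs separated by newlines, tabs or spaces; '#' starts a comment (-iL)."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def build_target_list(specs, exclude_specs=()):
    """Expand specs in order, dropping anything matched by exclude_specs.
    Exclusions apply to every target regardless of where it was listed.
    Duplicates are dropped too (a choice of this example)."""
    excluded = set()
    for spec in exclude_specs:
        excluded.update(expand_spec(spec))
    targets, seen = [], set()
    for spec in specs:
        for target in expand_spec(spec):
            if target in excluded or target in seen:
                continue
            seen.add(target)
            targets.append(target)
    return targets


# Constructed sample files in the layout the recipe shows.
SAMPLE_TARGETS_FILE = """\
# FTP servers
192.168.10.3
192.168.10.7 192.168.10.11
# lab segment
192.168.1.20-22
"""
SAMPLE_EXCLUDE_FILE = "192.168.1.21\n192.168.10.7\n"


if __name__ == "__main__":
    specs = read_target_file(SAMPLE_TARGETS_FILE)
    for target in build_target_list(specs, read_target_file(SAMPLE_EXCLUDE_FILE)):
        print(target)
```

Expanding a specification before the scan is also the quickest sanity check for scope: counting the addresses that 50.116.1.121/8 or 10.*.*.* produce makes an accidental /8 obvious before Nmap starts sending packets to it.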

Fingerprinting OSes and services running on a target

Version detection and OS detection are two of the most important features of Nmap. Nmap is known for having the most comprehensive OS and service fingerprint databases, contributed to over the years by millions of users. Knowing the OS and the exact software version of a service is highly valuable for people looking for security vulnerabilities or monitoring their networks for any unauthorized changes. Fingerprinting services may also reveal additional information about a target, such as available modules, last time of update, database version, and sometimes additional protocol information.

This recipe shows how to fingerprint the OS and running services of a remote host using Nmap.

How to do it...

To enable service detection, add the Nmap -sV option to your port scan command:

$ nmap -sV <target>

The -sV option adds an additional column named VERSION that displays the specific software version. Additional information can be found enclosed in parentheses:

$ nmap -sV scanme.nmap.org

Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (1.4s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 994 closed ports
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http       Apache httpd 2.4.7 ((Ubuntu))
514/tcp   filtered shell
9929/tcp  open     nping-echo Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.71 seconds

To enable OS detection, add the Nmap -O option to your scan command. Note that OS detection requires Nmap to be run as a privileged user:

# nmap -O <target>

The result will now include OS information at the bottom of the port list:

# nmap -O scanme.nmap.org

Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.25s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 994 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
514/tcp   filtered shell
9929/tcp  open     nping-echo
31337/tcp open     Elite
Device type: WAP|general purpose|storage-misc
Running (JUST GUESSING): Actiontec embedded (99%), Linux 2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP