
What is Nmap? | How to Use Nmap? | Nmap Flags And Nmap Port States


What is Nmap?

Nmap is a network mapping tool. It is used to discover and map the network topology and to identify security vulnerabilities in the network. Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) created it in September 1997 to make mapping an entire network easy and to find its open ports and services.

In other words, you can use Nmap to scan IP addresses, search for security loopholes, and scan for open ports on your computer network by sending packets and analyzing the responses.

For example, if you're a network administrator, an IT manager, or a security professional in your organization, one of the critical challenges you will face is finding out what is running on (or scanning) your network and what security issues it poses.

With this Nmap tool, you can:

  • Perform entire network scans: you can get information on your network as a whole, including a list of live hosts and ports and the OS of every connected device. Because of this, Nmap does a great job of monitoring your running systems and helping perform pen-test scans.

  • Identify server vulnerabilities: you can use the tool to scan your web server for security gaps to protect personal and business websites. Nmap helps simulate the process a malicious agent would typically use to attack your websites.

  • Develop visual mappings: Nmap has a graphical user interface known as Zenmap. You can use it to create visual mappings of your network for better usability and reporting.

  • Automate system and vulnerability scans: Nmap has an incredible feature known as the Nmap Scripting Engine (NSE). It lets you use a predefined set of scripts to automate networking tasks. Alternatively, you can write your own NSE scripts in the Lua programming language to draw conclusions about the target host/service.

How to Use Nmap?

Before we start, let's install Nmap.

The installation process is easy, but it depends on your operating system. Below, we'll show you how to install Nmap on Windows, macOS, and Linux.

  • Windows : Download the Nmap installer from here and run the installer you get, nmap<version>-setup.exe. This will automatically configure Nmap on your Microsoft Windows machine.

  • macOS : Download the Nmap installer from here and run the installer you get, nmap<version>-setup.dmg. This will automatically configure Nmap on your macOS machine.

  • Linux : Run the following command to install Nmap on your Linux machine:

    sudo apt-get install nmap
    

    OR

    sudo yum install nmap
    

Now Nmap is installed on your machine.

Nmap Command Syntax

nmap [Scan Type(s)] [Options] {target specification}

Let's take a look at an example Nmap command and then break it down into its basic components. Here's an example Nmap command:

nmap -sT -sV -Pn -p 1-65435 -T2 -oA testscan hkrhasan.com

That is quite a command. Each of the hyphenated parameters is an Nmap flag, and each one has its own purpose. Below is an explanation of each of the flags:

  • -sT : Scan type. This flag tells Nmap to perform a TCP connect scan.
  • -sV : This flag tries to find out which services (and which versions of them) are running on the target.
  • -Pn : This flag disables the ping (host discovery) step to speed up the scan, so Nmap only scans the ports.
  • -p : Run a port scan from port 1 to 65435.
  • -T2 : This flag tells Nmap to use the "polite" timing template, which slows the scan down to evade Intrusion Detection Systems (IDS) and (hopefully) get by unnoticed.
  • -oA : This flag writes all output file types at once, and testscan is the base name of the output files.

The scan generates 3 different files:

  • testscan.nmap : the normal (human-readable) Nmap output file.
  • testscan.gnmap : the greppable Nmap output file.
  • testscan.xml : the Nmap XML output file.

At the very end of the command is our target that will be scanned.

5 Nmap Flag Variations: Scanning, Discovery, Ports, Services, Output

Part of the reason Nmap is so popular is that it has a lot of different flags. Below is a list of the flags and their usage.

Scanning Flags: What You Should Know

These flags start with a hyphen (-), followed by a lowercase s, then an uppercase letter.

What Do Nmap Scanning Flags Do?

These flags are used to gather port-related information about target hosts. If you know which ports are open, you have a potential opening into the system, so pentesters rely heavily on these Nmap scanning flags.

Why are Nmap Scanning Flags Important?

These are important because they reveal not only which ports are open but also the state of each port on a target host. The more information a pentester has about a target host, the more likely they are to succeed in their attacks.

When Would You Use Nmap Scanning Flags?

These flags can be used at any stage of a pentest, as the results they generate are extensive. Learning about scanning flags is essential for any type of pentesting. Here are some examples of scanning flags:

-sS

The TCP SYN port scan lets you determine the state of a port without completing a full connection to the target system. This comes in handy when you are scanning a target for open ports without fully revealing yourself to your test subject.

-sT

The TCP connect port scan lets you detect open ports. This scan method allows a more granular approach to detecting open ports. A pentester might start with a TCP scan and then move on to a UDP scan afterward.

-sU

The UDP port scan sends a UDP packet to determine what state the UDP port is in. Much like a TCP scan, the UDP scan reveals open ports that can accept UDP requests. Open UDP ports can be a security risk if the owner of the target host is not aware of them.

-sA

A TCP ACK port scan determines whether a port is filtered and whether the filtering in front of it is stateful. What does that mean? It relates to firewalls, and it can give a skilled attacker deeper insight into the security appliances protecting the target network.

Discovery Flags: What You Should Know

These flags let you specify more particular options when scanning target hosts.

What Do Host Discovery Flags Do?

These flags reveal information about the target machine. A pentester can establish the machine's state without using the ping command, run quick port scans, and even perform ARP-based scans that reveal hardware addresses.

Why are Host Discovery Flags Important?

These scans are important when trying to reveal information about the test environment. Being able to check the state of a target without using the ping command matters for a few reasons. The main ones are that ICMP is sometimes disabled on a host, and sometimes mitigations are in place to alert security teams about suspicious ping behavior.

When would you use Host Discovery Flags?

Any time you want to learn more about the target environment without arousing the suspicions of the security teams looking after the system. As a pentester, it is good to find as many ways around a system's mitigation measures as possible so that the network can be made that much more secure afterwards. Some examples of host discovery flags are:

-Pn

As we saw in our first command example, -Pn disables ping and only scans for open ports. If the attacker/pentester suspects that there is some mitigation in place to alert when the target system is pinged, the -Pn switch is a way to avoid that detection while still gathering reconnaissance about the target system.

-sn

This flag performs host discovery but does not scan any ports. You would use this switch for a quick check of whether a host is online without spending time on the state of its ports.

-PR

This flag performs ARP discovery on local networks. ARP links a physical MAC address to an IPv4 address on a network. This is useful when you would like to identify the vendor of the network card that is communicating, which can easily be looked up from the hardware MAC address.

-n

This flag tells Nmap not to resolve DNS entries. This saves time if you only want a quick check without waiting for DNS resolution during your scan.

Port Scanning Flags: What You Should Know

These flags refer to port specific parameters, which are useful when trying to see which ports are exposed to your scans.

What Do Port Scanning Flags Do?

These are generally quick scans that target a particular port or a series that are of interest to the pentester.

Why are Port specification Flags important?

Your time is valuable, and if you can accomplish the same quality of work without waiting for lengthy scans, then more power to you.

When would you use port specification flags?

These scans would be used to check a few individual ports, or target attack vectors that the pentester wants to check quickly without waiting for an entire port scan to finish.

-p

If you want to specify a port, or a range of ports, then this is the flag for you. You might have a specific port in mind, so targeting it specifically is more efficient and saves a lot of time.

-p-

If time is on your side and you need to be thorough, this flag scans all of the ports on a system. It may take a while depending on factors such as network speed and the total number of ports that are open on the system.

-F

This flag performs a fast port scan, covering only the most common ports. It is much quicker than a full port scan.

Service Versions and Service Flags: What You Should Know

If you are aware of specific vulnerabilities in certain versions of services or operating systems, these flags will help you identify such systems so that you can determine which steps to take next.

What Do Service Version and Service Flags Do?

These help a pentester establish what versions of services and operating systems are running on a target host. Most cybersecurity experts have cultivated collections of tools during their time in the field. Knowing which ones to use against specific operating systems and service versions is essential.

Why are Service Version and Service Flags Important?

These flags are important as they help a pentester get started with their investigation. To test for vulnerabilities, you need to know what you are testing against. Sometimes a blind test reveals very little about an environment, so the tester has to learn as much as possible with the flags at their disposal.

When would you use Service Version and Service Flags?

These flags are generally used during the information gathering and reconnaissance stages of a penetration test.

-A

This flag is called 'Aggressive Detection Mode' and it runs several operations at once (each of which is also available as its own flag). These include:

-O

This flag tells you which operating system the target is running.

-sV

This flag determines what version of services are running on the target host. This is important information to know, especially if you have different tools for different versions of services that you discover are running on your target.

The whole idea of the -A flag is that it saves you typing out these extra flags, which is a handy shortcut.

Output Flags: What You Should Know

You will need to save your results when performing an investigation, so knowing how to output your findings is important. Here are some of the most common options for outputting data in Nmap.

What Do Output Flags Do?

One of the least spoken about aspects of penetration testing is the paperwork. If you are generating a report about your findings, then you will want to output the information that you have gathered in the most clear and objective manner possible. Output flags let you choose your document format and information layout. From there, further refinement can take place when generating the actual reports and executive summaries.

Why are Output Flags Important?

If you cannot present your findings in a professional way, then your findings are not going to have the impact that you want. Even worse, your findings might be ignored, and you might not get paid for all that hard work.

When would you use Output Flags?

You would use these flags when the output of an Nmap query needs to be captured for later analysis or reporting.

-oN

This command flag saves normal output to the given filename. Use it when you want to save your results in the normal, human-readable format.

-oX

This command flag outputs data in XML. Some reporting tools are able to import the XML format so this option helps to fill that need.

-oG

This command flag outputs the data in a greppable format, which is convenient if you use a Linux or Unix system (and now even WSL) where grep and friends are at hand.

-oA

This command flag produces all three output types at once. You might want to cover all of your bases when generating data for a report, and this is a great way to do it.
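As an added example (not from the original post), here is a small Python parser for the testscan.gnmap file that -oG / -oA write, covering both the greppable format described here and the three-file output of the earlier example command. The sample file is constructed: the address 203.0.113.10 and the banners are made up, only the hostname and flags come from the example scan.

```python
import re

# Constructed sample of a greppable Nmap file (testscan.gnmap from -oA / -oG);
# the address 203.0.113.10 and the banners are made up, not real scan results.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sT -sV -Pn -p 1-65435 -T2 -oA testscan hkrhasan.com
Host: 203.0.113.10 (hkrhasan.com)\tStatus: Up
Host: 203.0.113.10 (hkrhasan.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, \
80/open/tcp//http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65432)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""


def parse_gnmap(text):
    """Return {ip: {"hostname": ..., "ports": [...]}} from greppable output.

    Each Host line is tab-separated "Key: value" fields; each Ports entry is
    port/state/protocol/owner/service/rpcinfo/version/ (seven slash-separated
    fields with a trailing slash).
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and trailer comments
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip, hostname = re.match(r"(\S+) \((.*)\)", fields["Host"]).groups()
        host = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue  # the Status line carries no Ports field
            port, state, proto, _owner, service, _rpc, version, _ = entry.split("/")
            host["ports"].append({"port": int(port), "state": state, "proto": proto,
                                  "service": service, "version": version})
    return hosts


def open_ports(hosts, ip):
    """Ports a defender should review first: those Nmap reports as open."""
    return [p["port"] for p in hosts[ip]["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip, info in parsed.items():
        print(ip, info["hostname"], "open:", open_ports(parsed, ip))
```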

Understanding port states

Nmap uses 6 different port states:

  • open — An open port is one that is actively accepting TCP, UDP or SCTP connections. Open ports interest us the most because they are the ones vulnerable to attack. Open ports also show the available services on a network.

  • closed — A port that receives and responds to Nmap probe packets, but with no application listening on it. Useful for confirming that the host exists and for OS detection.

  • filtered — Nmap can't determine whether the port is open because packet filtering prevents its probes from reaching the port. Filtering could come from firewalls or router rules. Filtered ports usually give little information during scans, as the filters can drop the probes without responding or respond with unhelpful error messages such as destination unreachable.

  • unfiltered — The port is accessible, but Nmap can't tell whether it's open or closed. Only reported by the ACK scan, which is used to map firewall rulesets. Other scan types can then be used to find out whether the port is open.

  • open|filtered — Nmap can't distinguish between open and filtered. This happens when an open port gives no response. No response could mean that the probe was dropped by a packet filter or that the response was blocked.

  • closed|filtered — Nmap can't tell whether the port is closed or filtered. Only used in the IP ID idle scan.
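As an added example (not from the original post), this Python snippet reads the states above out of the XML that -oX / -oA produce and sorts ports into "review as exposed" and "rescan, state is ambiguous" buckets, using the reason attribute Nmap records for each state. The XML is constructed for a SYN plus UDP scan of hkrhasan.com; the address 203.0.113.10, the ports and the reasons are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of Nmap XML output (testscan.xml from -oX / -oA); the
# address, ports and reasons are made up to show several port states at once.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p 22,53,123,8080 -oA testscan hkrhasan.com">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/><service name="http-proxy"/></port>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain"/></port>
      <port protocol="udp" portid="123"><state state="open|filtered" reason="no-response"/><service name="ntp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Which of Nmap's six states mean "a service may be reachable" and which mean
# "Nmap could not tell"; open|filtered belongs in both buckets.
EXPOSED_STATES = ("open", "open|filtered")
INCONCLUSIVE_STATES = ("filtered", "unfiltered", "open|filtered", "closed|filtered")


def ports_by_state(xml_text):
    """Group every scanned port by its Nmap state.

    Returns {state: [(ip, protocol, port, reason), ...]}; the reason attribute
    records why Nmap chose that state (e.g. syn-ack versus no-response).
    """
    groups = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            groups[state.get("state")].append(
                (ip, port.get("protocol"), int(port.get("portid")), state.get("reason")))
    return dict(groups)


def triage(xml_text):
    """Split ports into those to review as exposed and those to rescan (e.g. with
    a different scan type) because Nmap could not settle their state."""
    by_state = ports_by_state(xml_text)
    exposed = [p for s in EXPOSED_STATES for p in by_state.get(s, [])]
    inconclusive = [p for s in INCONCLUSIVE_STATES for p in by_state.get(s, [])]
    return exposed, inconclusive
```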

Final Thoughts

We can say with great confidence that the flags and port states that we have briefly looked at today are just scratching the surface of what Nmap is capable of. Becoming familiar with what Nmap can and can't do in different scenarios is very helpful for cybersecurity professionals, so play around with Nmap as much as you can.