In this chapter, we will cover the following recipes:
In this chapter, we will be going through various recipes that explain how to make use of Nmap to perform various port scanning techniques. Each recipe will contain practical insights into performing Nmap scans on a test virtual machine, allowing you to understand the functionalities of the various switches supported by Nmap.
The nmap command interprets any content appended without an associated switch as a target. The following is a basic syntax that specifies an IP address or a hostname to scan without any associated switches:
nmap 127.0.0.1
nmap localhost
The hostname is resolved with the configured DNS server and the IP address is obtained to perform the scan. If multiple IP address are associated with one hostname, the first IP address will be scanned and the result will be displayed. The following syntax allows nmap to perform scans on all the IP addresses resolved with the hostname provided in the command:
nmap xyz.com*
Nmap also supports scanning the whole subnet, provided that you append the mask at the end of an IP address or hostname. Then, Nmap will consider all the resolved IP addresses in the range of the mask mentioned. For example, 10.0.0.1/24 would scan the...
One of the basic techniques of identifying a running host is by sending an ICMP ping packet and analyzing the response to draw a conclusion. What if the host or the network is blocking ICMP packets at the network level or the host level? As per the ICMP technique, the host or the network will not pop up in the live host list. Host discovery is one of the core components of a network penetration test or vulnerability scan. A half-done host discovery can ignore hosts or networks from the scope and perform any further operation, thus leaving the network vulnerable.
Nmap provides various options and techniques to identify the live host by sending customized packets to satisfy specific network conditions. If no such options are provided, Nmap by default sends an ICMP echo to identify the live hosts. The provided probe options can be combined to increase...
The following are the six port states that are present in Nmap:
Nmap provides various options to specify ports to be scanned in a random or sequential order. All the Nmap scans, without any ports specified or any specific NSE script provided as an argument, by default scan only the top 1,000 ports:
While performing penetration tests, reconnaissance is really important for informing the next steps of testing. Even though Nmap provides the open ports and the version of the service running on the port, you will need to know the exact version or the name of the service that is running to prepare further exploits or to gain further knowledge of the system.
The Nmap-service-probes database contains specific packet construction techniques to probe specific services and analyze the responses received from them. Nmap provides information about the service protocol, the application name, the version number, the hostname, the device type, and the OS family. It also sometimes determines whether the service is open to connections or if any default logins are available for the service:
Nmap uses TCP/IP stack fingerprinting for OS detection.This is done by crafting custom TCP and UDP packets and analyzing their responses. After generating various such probes and comparing the results to the Nmap-os-db database of more than 2,600 known OS fingerprints and provides the OS version. The fingerprint provides details such as the vendor name, OS name, OS generation, device type, and also their Common Platform Enumeration (CPE) representation. Nmap also provides an option for the user to submit the fingerprint obtained if it is not present in the Nmap database of operating signatures:
The basic function of Nmap is to generate custom packets and analyze their response once they are sent to the remote hosts. This sometimes is not allowed by network protection systems such as firewalls and intrusion prevention and detection systems. In this recipe, we will discuss some of the methods that can be used to bypass these protections:
Zenmap is the graphical interface of Nmap. It is open source and comes in the same installation package as Nmap:
Sometimes, working with command-line tools can be tedious for administrators, thus Zenmap acts as an alternate GUI option.
Here are the steps:
The Ports/Hosts tab shows the various open ports along with the services...
© 2018 Packt Publishing Limited All Rights Reserved
