Getting started with nmap

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Recently I had to demonstrate a security tool for my network security course and I decided to use nmap.

I am not going to write everything myself; instead I will mostly link you to the articles I found useful. There is a wealth of knowledge about nmap available today, but if you simply do a Google search to learn it you will get lost in that ocean.
I have compiled a well-organised collection of articles, which I followed in sequence to learn nmap, and I have also explained the basics you need to know to understand nmap and how it works.

What to expect from this article?
This article tells you everything that you need to know about nmap.

  • What is nmap?
  • How to get started with nmap?
  • Learning nmap
  • Some tips and tricks for nmap

What is nmap?

The description below has been taken from the Nmap book.
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

What can nmap be used for?

Nmap can be used for many things, but here is a list of the things for which nmap is most commonly used.
– Scanning large or small networks.
– Identifying the services (and their versions) listening on a host.
– Identifying the OS running on a host.
– Identifying vulnerabilities in a host.
– Pentesting.
– Inventory management.

Getting started with nmap

sudo apt-get install nmap # Ubuntu

For Windows, use this link to download the executable:

Port Scanning

What is a port?
A port is an abstraction that lets applications on different hosts communicate with each other. Just as an IP address identifies a machine on a network, a port identifies a specific application on that machine. For example, an SSH server listens on port 22 by default.

Before you get started with nmap, you have to understand what port scanning is. Without knowing what port scanning means you cannot appreciate the power of nmap. In brief, port scanning is (taken from Port Scanning – SANS Institute; I recommend reading the whole PDF):

All systems that are connected to a LAN or the Internet via a modem run services that listen to well-known and not so well-known ports. By port scanning, the attacker can find the following information about the targeted systems: what services are running, what users own those services, whether anonymous logins are supported, and whether certain network services require authentication. Port scanning is accomplished by sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can be probed for further weaknesses. Port scanners are important to network security technicians because they can reveal possible security vulnerabilities on the targeted system. 
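To make the SANS description concrete, here is a small TCP connect scan written for this article (it is an added illustration, not code from the article, from SANS or from nmap). It starts its own loopback listener so there is a known open port, reserves a second port without listening on it so there is a known closed port, then probes each port with one connection attempt and classifies the answer the way nmap's -sT scan does: completed handshake means open, connection refused means closed, no answer or an unreachable error means filtered. Port numbers are assigned by the OS at run time.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1"):
    """Open a TCP listener on an OS-assigned loopback port so the scan has a
    known 'open' port to find. Returns (listening_socket, port); keep the
    socket referenced so the port stays open for the duration of the scan."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Bind a port without calling listen(): no other program can start
    listening there, but the kernel answers SYNs with RST, which is exactly
    what a 'closed' port looks like to a scanner. Returns (socket, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    return sock, sock.getsockname()[1]


def probe_port(host, port, timeout=0.5):
    """Classify one port the way a TCP connect scan does: a completed
    handshake means 'open'; an immediate RST (connection refused) means
    'closed'; no answer within the timeout, or an ICMP unreachable error,
    means 'filtered' (something between us and the host dropped the probe)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # covers socket.timeout / TimeoutError and unreachable errors
        return "filtered"
    finally:
        sock.close()


def connect_scan(host, ports, timeout=0.5, workers=16):
    """Probe every port in `ports` and return {port: state}. Probes run in
    parallel for speed, but each one is still a single connection attempt
    per port, which is what the SANS description means by 'one at a time'."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def summarize(results):
    """Group scan results by state, like nmap's per-state summary lines."""
    by_state = {}
    for port, state in results.items():
        by_state.setdefault(state, []).append(port)
    return {state: sorted(plist) for state, plist in by_state.items()}


if __name__ == "__main__":
    listener, open_port = start_listener()
    reserved, closed_port = reserve_closed_port()
    # Scan a small window around the listener; the two reserved ports have a
    # known state, anything else in the window reports its real state.
    window = sorted({open_port, closed_port}
                    | set(range(max(1, open_port - 2), min(65535, open_port + 2) + 1)))
    results = connect_scan("127.0.0.1", window)
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    print(summarize(results))
    listener.close()
    reserved.close()
```

Run it as-is and it only ever touches your own loopback interface. The "filtered" branch is the one you will not see on loopback: it only appears when a firewall or packet filter silently drops the probe, which is why nmap reports so many ports in that state on hardened hosts.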

Performing Host Discovery with nmap

Host discovery is a term used to describe a certain phase of a penetration test, where one attempts to determine the accessible hosts on a network.

The first thing you would do with nmap is host discovery. Refer to this link:
This answer explains the easiest way to do host discovery with nmap, the common problems you might face while doing it, and possible solutions.

If you want a deep understanding of host discovery and some tricks and techniques related to it, then you must refer to this file:

Once you are comfortable with what nmap is, you can move on to its advanced usage. Here are some awesome links I came across which use nmap for amazing things.
This link gives some good examples of how network scanning can be performed using nmap.
This link also covers many examples, which are more than enough to understand nmap usage.

Believe it or not, that is all there is to nmap; the thing is that the amount of information revealed by nmap is overwhelming, and it can help security organisations a lot.

Making sense of the nmap output

Let’s consider the output given below (this example has been taken from the official Nmap book). Let’s see what kind of information it leaks and what the implications are.

(The 65530 ports scanned but not shown below are in state: filtered)
22/tcp    open    ssh         OpenSSH 3.7.1p2 (protocol 1.99)
53/tcp    open    domain      ISC BIND 9.2.1
110/tcp   open    pop3        Courier pop3d
113/tcp   closed  auth
143/tcp   open    imap        Courier Imap 1.6.X - 1.7.X
3128/tcp  open    http-proxy  Squid webproxy 2.2.STABLE5

Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 3.134 days

We can see there are a few open ports here. One port is closed and many are filtered. We also get information about the operating system and about the versions of the software running on the open ports. So what?

The first open port is Secure Shell (OpenSSH), and we can see that the version is 3.7.1p2. A list of exploits available for OpenSSH can be found here. These exploits can be launched using Metasploit or manually, so you can see the implications of this version information being leaked.

The next port is 53. It is running ISC BIND, which has a long history of remotely exploitable security holes.

Port 3128, which is also open, is a Squid proxy. Organisations generally use proxy servers to give their own people Internet access, and such a proxy is intended only for people inside the organisation; but in this case it is open, which means we can also use the proxy server to connect to the Internet. Apart from accessing websites, a proxy server might also let you communicate with systems inside the organisation. Adrian Lamo broke into the New York Times internal network in 2002 using a proxy server.

Please remember that open ports are an invitation to attack. But we should also understand that we have to open ports for communication. This is somewhat analogous to a door in a house: you have to open the door for people to come into your house, but you also need prevention mechanisms to stop a malicious person from entering. Nmap can help you find the open doors in your house, and their weaknesses.
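Reading one scan report by eye is fine, but across a whole network you want the same questions answered automatically: which ports are open, what version banner each one leaks, what the OS guess is, and how many ports nmap folded into the "not shown" line. The parser below is an added example for this article, not nmap's own code, and its sample input is constructed to mirror the excerpt above (it was not captured from a real host). It understands both the older "ports scanned but not shown" wording used in the excerpt and the current "Not shown: N filtered ports" wording of recent nmap versions.

```python
import re

# Sample nmap service/OS-detection output, constructed to mirror the excerpt
# in the article (not captured from a real host).
SAMPLE_OUTPUT = """\
(The 65530 ports scanned but not shown below are in state: filtered)
22/tcp    open    ssh         OpenSSH 3.7.1p2 (protocol 1.99)
53/tcp    open    domain      ISC BIND 9.2.1
110/tcp   open    pop3        Courier pop3d
113/tcp   closed  auth
143/tcp   open    imap        Courier Imap 1.6.X - 1.7.X
3128/tcp  open    http-proxy  Squid webproxy 2.2.STABLE5

Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 3.134 days
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)
# Older wording (as in the article) and the current "Not shown: N filtered ports" wording.
NOT_SHOWN_OLD_RE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)$")
NOT_SHOWN_NEW_RE = re.compile(r"^Not shown: (\d+) (\w+) ports?$")
RUNNING_RE = re.compile(r"^Running: (.+)$")
OS_DETAILS_RE = re.compile(r"^OS details: (.+)$")
UPTIME_RE = re.compile(r"^Uptime:? ([\d.]+) days")


def parse_nmap_output(text):
    """Turn nmap's human-readable output into a dict with the port list,
    the count and state of ports that were not listed, and the OS fields."""
    report = {"ports": [], "not_shown": None, "running": None,
              "os_details": None, "uptime_days": None}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PORT_RE.match(line)):
            report["ports"].append({
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"],
                "version": m["version"].strip() if m["version"] else None,
            })
        elif (m := NOT_SHOWN_OLD_RE.match(line)) or (m := NOT_SHOWN_NEW_RE.match(line)):
            report["not_shown"] = (int(m.group(1)), m.group(2))
        elif (m := RUNNING_RE.match(line)):
            report["running"] = m.group(1)
        elif (m := OS_DETAILS_RE.match(line)):
            report["os_details"] = m.group(1)
        elif (m := UPTIME_RE.match(line)):
            report["uptime_days"] = float(m.group(1))
    return report


def open_services(report):
    """Every open port with the version banner nmap extracted: this is exactly
    what the host tells anyone who asks, so it is the first thing to review."""
    return [(p["port"], p["service"], p["version"])
            for p in report["ports"] if p["state"] == "open"]


def state_counts(report):
    """Per-state totals, folding in the ports nmap summarised rather than listed."""
    counts = {}
    for p in report["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    if report["not_shown"]:
        n, state = report["not_shown"]
        counts[state] = counts.get(state, 0) + n
    return counts


if __name__ == "__main__":
    rep = parse_nmap_output(SAMPLE_OUTPUT)
    print("OS guess:", rep["os_details"], "| uptime (days):", rep["uptime_days"])
    print("State totals:", state_counts(rep))
    for port, service, version in open_services(rep):
        print(f"  {port}/tcp {service:<11} {version or '(no version banner)'}")
```

Feed it the normal-format output of an nmap -sV -O run (nmap -oN saves exactly this text) and the open_services list becomes your inventory of exposed services and leaked versions, which is the list you compare against what each host is supposed to be running.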

I hope this article explains nmap well enough. You can refer to the following resources if you want to understand nmap in more detail:

  1. Nmap Docs
  2. Nmap Book
  3. Nmap | Github