Port Scanning and Recon with nmap, Part 1

Welcome back, my aspiring cyber warriors!

Whether you are an aspiring master hacker, a network engineer or a security engineer, there is one tool that every one of those roles needs to be familiar with: nmap.

nmap began as a simple, modest port scanner that sent TCP, UDP or ICMP packets to a host and port and judged from the response whether the port was open. Over the years it has evolved into a powerful scanning framework with even some exploitation capabilities. For instance, nmap can be used for: (1) OS detection, (2) service and version detection, (3) determining the OS uptime, (4) evading firewalls, (5) DNS queries and subdomain enumeration, (6) conducting a Denial of Service (DoS) attack, (7) scanning for vulnerabilities, and a whole host of other reconnaissance tasks through the Nmap Scripting Engine (NSE).

The Matrix fans here (who isn't a Matrix fan?) may remember that in Matrix Reloaded Trinity used nmap to find TCP port 22 (SSH) open on the power plant's control system (SCADA), then broke in over SSH and reset the root password to give Neo physical access.

Yes, that's our beloved nmap below in a scene from the Matrix Reloaded with Trinity at the keyboard.

Many infosec researchers have overlooked nmap in favor of more recent tools, but only at their peril. It has grown into a versatile reconnaissance tool with scripting capabilities.

In this series, I will walk you through the numerous capabilities of nmap and nmap scripts.

History of nmap

nmap was written by Gordon Lyon (aka Fyodor Vaskovich) and released in 1997 as a free and open-source port and network scanner, with the original article appearing in Phrack Magazine issue 51. It has gone through numerous updates and upgrades since; the current version at the time of writing, 7.70, was released about one year ago. Originally developed for Linux, nmap has since been ported to Windows, macOS and BSD.

nmap is originally a command-line tool, but several GUIs have been developed for the command-line challenged. These include:

(1) Zenmap;

(2) NmapFE;

(3) Xnmap

In this series we will be working without a net: everything will be done from the command line, but everything will be equally applicable to any of the nmap GUIs.

Step #1: Fire Up Kali and Open a Terminal

The first step is to fire up Kali and open a terminal. Of course, you can use nmap on other Linux distributions, Windows and macOS, but our platform of choice is Kali Linux, where it is installed by default.

Step #2: Open nmap help

Next, let's look at the nmap help file for some clues on how to use nmap.

kali > nmap --help

The help screen runs for nearly 3 pages. I have captured only the first page as it has the essential information we need here now.

Notice the usage statement:

Usage: nmap [Scan Type(s)] [Options] {target specification}

It's really pretty simple to run an nmap scan despite all the options available to us, which we will address later in this series.

Step #3: Basic TCP Scan

Let's use Metasploitable as our target system. The first step is to find the IP address of our target. In this case, it is (yours will likely be different).

The simplest and most reliable nmap scan is the TCP connect scan. It uses the operating system's connect() call to attempt a full TCP three-way handshake (SYN, SYN/ACK, ACK) on each port it scans. If the target completes the handshake the port is reported open; if the target answers with a RST it is closed; if nothing comes back at all it is filtered. The nmap option for this scan is -sT (TCP connect scan). Keep in mind that when nmap runs as root it defaults instead to the SYN or half-open scan, -sS, which never completes the handshake and is faster and less likely to be logged by the target application; -sT is what nmap falls back to when it lacks the raw-socket privileges that -sS needs.

We simply add it as an option after the nmap command, followed by the IP address:

nmap -sT <IP>

Such as;

kali > nmap -sT

After a few seconds, nmap prints its results to the terminal (stdout): each port it has results for, the protocol, the port state (open, closed or filtered) and the service name associated with that port number. Please note that nmap is NOT telling you what service is actually running on the port; without version detection it simply looks the port number up in its nmap-services table, and most services can run on any port. From this scan we can see that numerous ports, and therefore likely services, are open on this system (like any tool, nmap is NOT perfect, and you can receive erroneous results).

This is a great start to our reconnaissance of this system. We now know we have numerous services that may be vulnerable to our attacks.

What we do NOT know includes:

(1) What UDP ports are open;

(2) What operating system is running;

(3) What actual services and versions are running on those ports.

Step #4: Basic UDP Scan

Now, let's see if we can find the open UDP ports. The nmap command is nearly identical, except that we replace the T in the scan type with U (UDP). Unlike -sT, a UDP scan has to read ICMP replies off the wire, so nmap requires root privileges for it (run it with sudo if you are not already root).

Now our UDP scan looks like this:

kali > nmap -sU

Generally, UDP scans take much longer than TCP scans because UDP has no handshake. A closed UDP port is signaled only by an ICMP port unreachable message, and Linux (like most systems) rate-limits those messages to about one per second, so nmap has to slow itself down to match. An open UDP port, on the other hand, frequently sends nothing back at all, so nmap must wait out a timeout and can only report the port as open|filtered unless it receives an application-layer reply (adding -sV, which sends protocol-specific payloads, helps tell the two apart). In my case, the TCP scan took 2.97 seconds while the UDP scan took 1081.63 seconds, more than 360 times longer.

Be patient with UDP.
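To make the difference between the two scans concrete, here is a small Python scanner, added for this tutorial and not part of nmap, that classifies ports the way -sT and -sU do. It stands up its own targets on 127.0.0.1 (a TCP listener, a UDP echo service, a UDP socket that never replies, and one released port of each kind), so it runs offline; the targets and the port numbers the kernel hands out are constructed for the example. Watch the UDP results: the echo service is "open", the silent socket can only be called "open|filtered", and the released port is "closed" only because the kernel delivered the ICMP port unreachable.

```python
"""Hand-rolled TCP connect (-sT style) and UDP (-sU style) probes against
local listeners, to show what nmap's port states actually mean.
Example code added for this tutorial; it is not part of nmap."""
import socket
import threading


def tcp_connect_scan(host, ports, timeout=1.0):
    """Classify ports the way -sT does: a completed three-way handshake is
    'open', a RST (surfaced as ECONNREFUSED) is 'closed', silence is 'filtered'."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = "open"          # SYN -> SYN/ACK -> ACK completed
        except ConnectionRefusedError:
            results[port] = "closed"            # target answered our SYN with RST
        except (socket.timeout, OSError):
            results[port] = "filtered"          # nothing usable came back
    return results


def udp_scan(host, ports, timeout=0.5, payload=b""):
    """UDP has no handshake. A datagram back means 'open', an ICMP port
    unreachable (ECONNREFUSED on a connected UDP socket) means 'closed', and
    silence is ambiguous, which nmap reports as 'open|filtered'. Like nmap's
    default for most ports, the probe is an empty datagram."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))   # connect() so the kernel hands us ICMP errors
            try:
                s.send(payload)
                s.recv(1024)
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "open|filtered"
    return results


# --- constructed targets on loopback, so the example runs offline ---------

def listening_tcp_port():
    """Bind a TCP listener on an ephemeral loopback port. The kernel completes
    handshakes on the backlog even though nobody ever calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port(kind):
    """Grab an ephemeral port of the given kind and release it again, so a probe
    to it draws a RST (TCP) or an ICMP port unreachable (UDP)."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_service(reply):
    """Bind a UDP socket. With reply=True a thread echoes datagrams back (a
    chatty service); with reply=False nothing ever reads the socket, like a
    service that ignores unexpected input, which is what makes -sU ambiguous."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    if reply:
        srv.settimeout(0.2)   # wake periodically so the thread notices close()

        def echo():
            while True:
                try:
                    data, peer = srv.recvfrom(1024)
                except socket.timeout:
                    continue
                except OSError:
                    return        # socket was closed by run_demo()
                srv.sendto(data, peer)
        threading.Thread(target=echo, daemon=True).start()
    return srv, srv.getsockname()[1]


def run_demo():
    """Stand up one target of each kind on loopback and scan them all."""
    tcp_srv, tcp_open = listening_tcp_port()
    tcp_closed = unused_port(socket.SOCK_STREAM)
    echo_srv, udp_open = udp_service(reply=True)
    quiet_srv, udp_quiet = udp_service(reply=False)
    udp_closed = unused_port(socket.SOCK_DGRAM)
    try:
        tcp = tcp_connect_scan("127.0.0.1", [tcp_open, tcp_closed])
        udp = udp_scan("127.0.0.1", [udp_open, udp_quiet, udp_closed])
    finally:
        for s in (tcp_srv, echo_srv, quiet_srv):
            s.close()
    return {
        "tcp_listener": tcp[tcp_open],
        "tcp_unused": tcp[tcp_closed],
        "udp_echo": udp[udp_open],
        "udp_silent": udp[udp_quiet],
        "udp_unused": udp[udp_closed],
    }


if __name__ == "__main__":
    for name, state in run_demo().items():
        print(f"{name:12s} {state}")
```

Run it with python3 and compare the states with what nmap prints. If you point udp_scan at a remote host whose firewall silently drops ICMP, the closed port comes back as open|filtered too, which is exactly why a UDP scan has to wait out a timeout on every port that does not answer, and why -sV, with its protocol-specific payloads, is the usual way to separate the truly open UDP ports from the filtered ones.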

Step #5: Single Port Scan

In some cases we may only want to know whether a single port is open. For instance, we may be considering using the EternalBlue exploit against this system, and we know that it targets SMBv1 on port 445. Let's see whether this system has port 445 open by adding -p followed by the port number (the option can go before or after the target address).

Such as;

kali > nmap -sT -p 445

This command attempts the three-way handshake on port 445 only and, if it succeeds, reports the port open. As you can see, nmap found port 445 open and labels it with the service its table associates with that port, SMB. An open port 445 by itself does not mean the host is vulnerable to EternalBlue, which targets Windows SMBv1; a Linux host such as this one serves SMB with Samba, so confirm the actual service and version (Step #6) before reaching for an exploit.

If we wanted to scan an entire subnet for port 445 and SMB, we could use CIDR notation for the target and leave everything else the same as in the previous command.

kali > nmap -sT -p445

Now nmap will probe every address in that subnet (all 256 of a /24) for port 445 and report back to us. As you can see above, it found numerous hosts with port 445, some closed, some filtered and some open.

Step #6: Get the OS, the Services and their Versions

At this point we only know which TCP and UDP ports are open and the default service names associated with them. We still don't know:

1. Operating System

2. The actual services running on those ports

3. The version of the services (different versions have different vulnerabilities).

The -A (aggressive) switch enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute in one go, and can answer all three questions at once.

Such as;

kali > nmap -sT -A 192.168.1.106

This scan takes considerably longer to complete, as it has much more work to do than simply checking whether ports are open, which is a fairly deterministic process. Here nmap probes each open port with specially crafted packets and, by matching the responses against its nmap-service-probes database, determines the service and its version. It uses a similar, less deterministic process for the operating system. As I outlined in the tutorial on p0f, each operating system's TCP/IP stack fills certain header fields (initial TTL, window size, the TCP options and their order, IP ID behavior and so on) slightly differently. By sending a series of probes and reading those fields, nmap can make a highly accurate estimate of the underlying operating system. OS detection needs raw sockets, so run this as root.

As we can see above, nmap went to each of the open ports, sent its probes and made a highly reliable estimate of the service, the service version and other critical details about the service, such as supported commands and, where the default scripts apply, known weaknesses. Note the responses for port 21 FTP (running vsftpd 2.3.4) and port 25 SMTP (running Postfix smtpd).

As we scan down the results, we can see port 80 (running Apache httpd 2.2.8), port 3306 (running MySQL 5.0.51a)...

...and then near the bottom we can see nmap's estimate of the underlying operating system (Linux 2.6.x).
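Reading the -A output off the screen is fine for one host, but for the subnet sweep in Step #5 and the version and OS results in Step #6 you want nmap's XML output (-oX) and a few lines of code. The Python below is an added example, not part of nmap or of this tutorial's original material. It parses a constructed XML document that mirrors the two scans above (the port-445 sweep and the -A scan of 192.168.1.106), lists which hosts have 445 open, closed or filtered, and pulls out the confirmed service versions and the best OS match. The vsftpd, Postfix, Apache and MySQL versions are the ones reported above; the other addresses, the Samba entry on port 445 and the exact OS match string are assumptions of the sample.

```python
"""Parse nmap -oX output to answer the Step #5 and Step #6 questions offline.
Added example for this tutorial; SAMPLE_XML is constructed, not a real scan."""
import xml.etree.ElementTree as ET

# Constructed -oX output: a port-445 sweep plus one -A scan. The versions on
# 192.168.1.106 match the tutorial; the other hosts and the Samba entry are
# invented so that every port state appears once.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sT -A -oX - 192.168.1.0/24" version="7.70">
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds" method="table" conf="3"/></port></ports>
</host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.1.106" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
<service name="smtp" product="Postfix smtpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.8" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="netbios-ssn" product="Samba smbd" version="3.X" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql" product="MySQL" version="5.0.51a" method="probed" conf="10"/></port>
</ports>
<os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"/>
</osmatch></os>
</host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.1.12" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="closed" reason="conn-refused"/>
<service name="microsoft-ds" method="table" conf="3"/></port></ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: IPv4 address, its ports, and the best OS match
    as (name, accuracy) or None when nmap offered no guess."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")   # keep the encoding declaration honest
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                # method="probed": -sV matched a real banner/response.
                # method="table": only the nmap-services default name for the port.
                "confirmed": svc is not None and svc.get("method") == "probed",
                "product": (svc.get("product", "") + " " + svc.get("version", "")).strip()
                           if svc is not None else "",
            })
        best = None
        for match in host.iter("osmatch"):
            accuracy = int(match.get("accuracy", 0))
            if best is None or accuracy > best[1]:
                best = (match.get("name"), accuracy)
        hosts.append({"addr": addr, "ports": ports, "os": best})
    return hosts


def hosts_with_port(hosts, port, state="open", proto="tcp"):
    """Addresses whose scan shows the given port in the given state."""
    return sorted(h["addr"] for h in hosts
                  if any(p["port"] == port and p["proto"] == proto and p["state"] == state
                         for p in h["ports"]))


def service_inventory(hosts, addr):
    """(port, product and version) for every open, version-confirmed service."""
    for h in hosts:
        if h["addr"] == addr:
            return [(p["port"], p["product"])
                    for p in h["ports"] if p["state"] == "open" and p["confirmed"]]
    return []


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for state in ("open", "closed", "filtered"):
        print(f"445/tcp {state:8s}: {', '.join(hosts_with_port(hosts, 445, state)) or '-'}")
    for port, product in service_inventory(hosts, "192.168.1.106"):
        print(f"{port:5d}/tcp  {product}")
    print("OS guess:", next(h["os"] for h in hosts if h["addr"] == "192.168.1.106"))
```

To produce real input, add -oX scan.xml to any of the commands above and pass the file contents to parse_nmap_xml. The confirmed flag is the important bit: method="probed" means version detection actually matched a response from the service, while method="table" is only the default name for that port number, which is all a plain -sT scan gives you.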

Wrap Up

With just a few nmap commands we were able to learn a great deal about the devices on our network, including:

1. TCP ports

2. UDP ports

3. Whether port 445 is open on any host across our entire subnet

4. The operating system of the target

5. Which services, and which versions of them, are running on those ports.

Pretty good for little work or knowledge!

In further articles in this series we will learn to run scans where a firewall or IDS may be blocking our attempts, and to use nmap scripts to pull more information out of the target system.