A beginner's guide to Nmap

Ethical hackers, bug hunters, pentesters, etc. frequently use Nmap (short for Network Mapper), a free and open-source network scanner, to find hosts and services on a computer network, identify open ports, and find security vulnerabilities.

Nmap employs novel techniques to analyze raw IP packets in order to:

  • identify the hosts that are present on a network,
  • identify the open ports on those hosts and the respective services (application name and version) running on them,
  • identify the operating systems (and OS versions) running on the hosts,
  • identify the kinds of packet filters and firewalls that are in place,
  • and determine numerous other details.

Nmap can be used to scan large networks or individual hosts, and it can be run on Windows, Linux, and Mac OS. It is command-line based, but there are also graphical user interface (GUI) versions available for those who prefer a more user-friendly interface.

One of the key features of Nmap is its ability to perform stealth scans, which can help to evade detection by firewalls and intrusion detection systems. This makes it an essential tool for penetration testers and other security professionals who need to assess the security of networks and hosts.

In addition to its core scanning capabilities, Nmap also includes a number of other features such as traceroute, whois, and ping. These can be used to gather additional information about the target network or hosts.

Below is a list of a few basic steps for using Nmap as a penetration tester:

  1. First, make sure you have the latest version of Nmap installed on your system.
  2. Next, decide on the target network that you want to scan. This could be a local network, a remote network, or a specific host.
  3. Use the nmap command to specify the target and any desired options.
    • Here are a few examples of Nmap commands that you might use as a penetration tester:
      • nmap 192.168.1.1-255: Scan a range of IP addresses on a local network.
      • nmap -sS 10.0.0.1: Perform a stealth SYN scan on a single host.
      • nmap -p 80,443 10.0.0.1-10: Scan ports 80 and 443 on a range of hosts.
      • nmap -O 192.168.1.1-255: Attempt to detect the operating system of all hosts on a local network.
      • nmap -sU -p 53 10.0.0.1: Scan port 53 using UDP packets on a single host.
  4. Nmap has many options that you can use to customize your scan. Some common options include:
    • -sS: Perform a stealth SYN scan
    • -sU: Scan using UDP packets
    • -p: Specify specific ports to scan
    • -O: Attempt to detect the operating system of the target host
    • -A: Enable OS detection, version detection, script scanning, and traceroute (the one I usually use, but it takes longer because it is doing multiple things)
  5. Once the scan is complete, Nmap will display a list of hosts that were found and the ports that are open on those hosts. You can then use this information to identify potential vulnerabilities that you can exploit.

Below is an example of Nmap's output for the box Explosion from HTB:

[Image: nmap command output for the HTB box Explosion]

As you can see, in the image above we have several open ports, namely 135, 139, 445, 3389, etc. Knowing this, we can now make some decisions on what the next steps to exploit this target could be.

# Conclusion

It is very important to learn and know the theory behind the tools we use as ethical hackers and bug hunters; however, nothing beats practice… In this blog I have already used this tool extensively. You can find those posts here: https://mregraoncyber.com/?s=nmap

Overall, Nmap is an invaluable tool for anyone working as an ethical hacker, penetration tester, network security engineer, bug bounty hunter, etc., and it is a must-have in any security professional's toolkit.

Check out a list of 10 essential tools for your ethical hacker's toolkit.


Thank you very much for reading!

Cheers,

MRegra
