Intro to NMAP

My journey into cybersecurity has been anything but easy.  This field offers a wide range of technologies, tools, and techniques for security professionals to utilize in their professional lives.  All of this stuff can certainly be overwhelming for newcomers to the field, so I wanted to share one tool I believe is worth learning.  Nmap, a free tool used for network discovery, is capable of identifying devices on a network, their availability, and potential vulnerabilities.  This tool is truly invaluable to offensive and defensive security teams.

What is Nmap?
Now you might be thinking, “This sounds like a power security tool! Can you tell me more about it?” Worry not! I will guide you through the basics of Nmap. Nmap is an open-source tool designed for network discovery and security auditing. A scanning tool created by Gordon “Fyodor” Lyon in 1997, it excels in gathering information about devices on a network and what services are exposed.  This information provides valuable insight for security analysis.

Core Features
Nmap's core features include port scanning, operating system identification, and service enumeration. These features work in unison to provide organizations with a detailed understanding of the network's attack surface. In turn, this allows security professionals and enthusiasts to identify weaknesses, prioritize threats, and fortify defenses against would-be threat actors.

The Importance of Network Scanning
We’ve all heard the phrase “out of sight, out of mind.” This holds especially true for networks.  Without a proper inventory of what systems and services are available on your network, it would be nearly impossible to adequately protect against attackers. Regular network scanning allows for the early detection of vulnerabilities, unauthorized devices, and potential points of entry for attackers, laying the groundwork for robust network security.

Installation Basics
This sounds great, right? So now you might be wondering how you can acquire this powerful tool for yourself.  Nmap is available for various platforms, including Windows, Linux, and macOS. Simply visit https://nmap.org/download to get the details on how you can begin your Nmap journey.

Initial Scan
The command nmap [target] serves as your basic key to unlock Nmap's capabilities. Here, ‘[target]’ can be an IP address, a domain name, or a range of IP addresses. Here is an example Nmap command.

The above command will direct Nmap to scan ‘scanme.nmap.org’ for the default 1,000 most commonly used ports. These include well-known ports like 80 (HTTP), 443 (HTTPS), 21 (FTP), and many others that are frequently targeted by attackers. Identifying which of these ports are open on your target device reveals what services are potentially accessible and, therefore, what vulnerabilities might be exploitable.

While this is a start, most of the time you are going to want more information. Additional information such as the service version or what operating system is being used can help determine potential issues more accurately. There are many ways to do this but for the sake of this blog I will use the -A flag, which can be executed as follows.

In Nmap, the -A is a simple option that uses common scan settings and types, which tends to set off alerts in most intrusion detection systems and not something I would recommend using for most scans.  For example, it runs the operating system detection, script scanning, and service version detection.

Interpreting Results
Understanding Nmap scan results can sometimes be like piecing together a jigsaw puzzle. However, once you’ve developed a decent understanding of Nmap results, even simple scans can help you see the larger picture. Once you can see the full image you can set out a plan for network security. When looking at Nmap results here are some key findings to understand:

Port States

• Open: A service is actively listening for connections. Essential to ensure these are expected and secured.
• Closed: No service is listening, but the port is accessible. Useful for identifying potential service configurations.
• Filtered: Firewall or filtering rules are preventing Nmap from determining the state of a port, indicating security measures or potential barriers to network transparency.

Service and Version
Identifying the service and its version on an open port is crucial for pinpointing security vulnerabilities and ensuring compliance with policy standards. This data directs targeted security measures, like patching known vulnerabilities.

Practical Interpretation
What would attackers be able to do with this information? For example, Apache 2.4.7 has been identified as running on Port 80 for the target host.  A pentester would then actively seek any CVE's, or known vulnerabilities, associated with this version of apache. Using more targeted attacks will increase the probability of finding exploitable flaws on the target.

Scan Types and Techniques
As I mentioned before, some scanning techniques are more intrusive than others. In many cases the amount of traffic, or noise, generated during scans will not make a difference. However, organizations will occasionally request that we test the efficiency of their intrusion detection systems.  Other times we are tasked with stimulating activities of a real-world attacker, in which case we would attempt to remain undetected for as long as possible. In these cases, we need to take a stealthier approach to avoid setting off alarm bells and potentially getting ourselves blocked by detection tools.  One thing of note is that certain types of scans require root access due to the need to send and receive raw packets.

SYN Scan:
The SYN scan (flag ‘-sS’) is commonly known as a stealth scan, which is showcased in the following table.

It is favored for its ability to quickly and quietly map out the network environment. By sending a SYN packet and analyzing the response without completing the TCP handshake, this scan type reduces the chances of being logged by intrusion detection systems. It is important to note that in order to run this type of scan you need to have root privileges on the system.

UDP Scan:
The UDP scan (flag ‘-sU’) is essential for a comprehensive security assessment, as it reveals open UDP ports that may otherwise go unnoticed. To execute a basic UDP scan you can use the following command.

Given the connectionless nature of UDP, this scan can be slower and more challenging to interpret, but it's invaluable for identifying services like DNS, SNMP, or DHCP that could be exploited if left unsecured.

-Pn Flag:
The -Pn flag in Nmap is used to skip the host discovery phase of a scan, essentially telling Nmap to treat every specified target as if it were online and proceed directly to port scanning or whatever other tasks have been specified for the scan. This flag is usually paired with other scan type flags, here is an example of it being used with a -sS scan.

Alternatively, here is an example of it being used with an Aggressive scan.

This flag is particularly useful in various scenarios where host discovery could either slow down the scan or lead to inaccurate results due to network filtering or configurations that block ping requests, which are commonly used by Nmap for host discovery.

Detecting Services and Versions:
The -sV option enhances Nmap's scanning capabilities by enabling the detection of service versions. To execute this type of scan you can use the following scan.

Or you can run this as part of anything scan, such as a stealth scan.

This precision tool sends a variety of probes to each open port, looking for specific responses that indicate the application name and version. This detailed information is crucial for pinpointing exact vulnerabilities associated with certain software versions. However, Nmap can not identify every single service you may run into. If you’re interested in learning how to set up your own custom probes for fingerprinting with Nmap, we have a blog exploring this in depth that can be found here.

Vulnerability Scanning:
Last, but certainly not least, Nmap has even more functionality beyond standard port scan capabilities. No dive into Nmap would be complete without at least mentioning the Nmap Scripting Engine (NSE). The NSE is a powerful feature that extends Nmap's capabilities by allowing the execution of scripts for a wide range of networking tasks, including vulnerability detection. For many organizations, vulnerability scanning is a critical component of their security, with the goal of identifying, classifying, and prioritizing vulnerabilities within their infrastructure.

In short, Nmap may not be a dedicated vulnerability scanner, but through the use of these scripts it can certainly achieve great things!

The --script vuln option tells Nmap to run scripts categorized under "vuln" from its script database. These scripts are designed to detect known vulnerabilities in various network services and applications. When you run a scan with this option, Nmap executes all scripts that are intended to discover known security issues, allowing you to identify potential weaknesses in your network's devices. Exercise caution when executing these scripts though, as they may attempt various exploits or perform brute forcing attacks.

This example command scans the target IP address ‘192.168.1.1’ for vulnerabilities on ports 80 (HTTP) and 443 (HTTPS) using the vulnerability scripts available in NSE. The -p option specifies which ports to scan, and --script vuln instructs Nmap to use its vulnerability detection scripts.

Conclusion:
Nmap is essentially the Swiss Army knife for anyone serious about cybersecurity. It's packed with features for sniffing out what's happening on your network, identifying open ports, and even pinpointing potential vulnerabilities with its awesome Scripting Engine. It's like having a cyber detective at your disposal, offering insights that are crucial for keeping things locked down. While it's fantastic for a quick security check-up, remember it's just part of the bigger security picture. So, make sure you've got the proper permissions before you dive into scanning, and pair Nmap with other tools and manual checks to shore up your defenses.