Network Reconnaissance using Nmap [Cheat Sheet]


CompTIA PenTest PT0-002

What is Network Reconnaissance?

Network reconnaissance is a critical part of any network pentesting operation. Learning about the target's network reveals its infrastructure and points to potential attack vectors and exploitable vulnerabilities. Using passive and active reconnaissance tools and techniques, an attacker can gather a large amount of information with a low probability of detection.

 

Using Network Mapper (Nmap)

One of the most famous open-source network security scanning tools known to pentesters is the Network Mapper (Nmap). Nmap is a command-line tool that utilizes various network protocols and advanced features for surveying hosts for open TCP and UDP ports, fingerprinting operating systems, extracting service banners, and much more. Enumeration is the process of establishing active connections to target systems in order to find potential attack vectors. This includes attempting to find hosts, services, domains, URLs, and valid users to attack.

 

Install Nmap

Nmap is easy to use and is already available on most Linux/Unix distributions. If you find that Nmap is not installed, you can install it using the following commands.

For Ubuntu/Debian

sudo apt-get install nmap

For Fedora/CentOS

sudo dnf install nmap

Check that Nmap is installed properly:

nmap --version

Now that we have installed Nmap, we can get our hands dirty by performing some active and passive recon with it.

 

1. Different Scanning Types

I will try to cover some of the basic scan types in Nmap, which you can choose between based on the amount of NOISE you are willing to create on the target server while performing the scan:

| Scan Type | Command Flag | Description |
|---|---|---|
| SYN Scan | -sS | Also known as "half-open scanning": a quick and stealthy option that does not complete TCP connections. |
| TCP Connect Scan | -sT | Performs a full TCP handshake; detectable but reliable. |
| UDP Scan | -sU | Identifies open UDP ports; slower to scan because UDP is connectionless. |
| FIN Scan | -sF | Sends a TCP FIN packet, normally used to close a connection. Some systems respond differently to this packet, making it useful for evading certain firewalls. |
| ACK Scan | -sA | Sends a TCP ACK packet. Primarily used for mapping out firewall rulesets, distinguishing between filtered and unfiltered ports. |

 

1.1 TCP SYN Scan (-sS) - Half Open Scan

The following image illustrates how a SYN scan works when the -sS option is specified against the target host. As you can see, the client never sends an ACK and instead responds directly with an RST.

This process is also referred to as half-open scanning because it does not open a full TCP connection. If the response is a SYN/ACK, this would indicate that the port is actually in a listening state. If the response to the SYN packet is an RST (reset), this would indicate that the port is closed or is not in a listening state. If the SYN probe does not receive any response, Nmap marks it as filtered because it cannot determine if the port is open or closed.


 

1.2 TCP Connect Scan (-sT)

The following image illustrates how a TCP connect scan works when the -sT option is specified against the target host. A full TCP connect scan requires the scanner to send an additional packet per scan, which increases the amount of noise on the network and may trigger alarms that a half-open scan wouldn't trigger. This is the default scan type that is used if no scan type is specified with the nmap command.


 

1.3 UDP Scan (-sU)

The majority of the time, you will be scanning for TCP ports, as this is how you connect to most services running on target systems. However, you might encounter some instances in which you need to scan for UDP ports—for example, if you are trying to enumerate a DNS, SNMP, or DHCP server. These services all use UDP for communication between client and server. To scan UDP ports, Nmap sends a UDP packet to all ports specified in the command-line configuration. It waits to hear back from the target. If it receives an ICMP port unreachable message back from a target, that port is marked as closed. If it receives no response from the target UDP port, Nmap marks the port as open/filtered.

The following image illustrates how a UDP scan works when the -sU option is specified against the target host.

# nmap -sU 10.10.1.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-06 13:19 EDT
Warning: 10.10.1.11 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.1.11
Host is up (0.00093s latency).
Not shown: 978 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
53/udp    open   domain
111/udp   open   rpcbind
137/udp   open   netbios-ns
162/udp   closed snmptrap
427/udp   closed svrloc
1019/udp  closed unknown
2049/udp  open   nfs
2160/udp  closed apc-2160
6001/udp  closed X11:1
...

 

1.4 TCP FIN Scan (-sF)

There are times when a SYN scan might be picked up by a network filter or firewall. In such cases we can use a TCP FIN scan against the target port. If the port is actually closed, the target system sends back an RST packet. If nothing is received from the target port, you can consider the port open, because the normal behavior of an open port is to ignore the FIN packet.


Here is an output showing the results of an Nmap TCP FIN scan. The target's responses leave the ports listed as open|filtered.

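From the defender's side, the difference in noise between these scan types is exactly what an IDS keys on. The following added example (not from the original article) classifies constructed, client-side packet records by the handshake patterns described above: SYN then RST with no ACK for -sS, a full handshake for -sT, and a bare FIN with no connection for -sF. The sample traffic, flag letters, function names and the min_ports threshold are all assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed packet records (not a real capture): (src, dst, dport, flags) in
# arrival order, client side only; flags use tcpdump letters S/A/R/F.
# 10.0.0.5 behaves like -sS, 10.0.0.6 like -sT, 10.0.0.7 like -sF, 10.0.0.8 is normal.
SAMPLE = (
    [("10.0.0.5", "10.0.0.20", p, "S") for p in (22, 80, 443, 3306, 8080)]
    + [("10.0.0.5", "10.0.0.20", p, "R") for p in (22, 80, 443)]   # RST, never ACK
    + [("10.0.0.6", "10.0.0.20", p, f)
       for p in (22, 80, 443, 3306, 8080) for f in ("S", "A", "R")]  # full handshake
    + [("10.0.0.7", "10.0.0.20", p, "F") for p in (21, 22, 23, 25, 80)]  # bare FIN
    + [("10.0.0.8", "10.0.0.20", 443, f) for f in ("S", "A", "A", "F")]
)

def flow_patterns(packets):
    """Group the client's flag sequence per (src, dst, dport) flow, in order."""
    flows = defaultdict(list)
    for src, dst, dport, flags in packets:
        flows[(src, dst, dport)].append(flags)
    return flows

def classify_flow(flags):
    """Name the pattern of one flow's client-side flags:
    half_open  SYN then RST and never an ACK (handshake not completed, -sS)
    connect    SYN followed by ACK (full handshake, -sT)
    fin_probe  FIN with no preceding SYN (no connection exists, -sF)
    syn_only   SYN with nothing after it (no reply, e.g. filtered port)"""
    if "S" not in flags:
        return "fin_probe" if flags[0] == "F" else "other"
    if "A" in flags:
        return "connect"
    return "half_open" if "R" in flags else "syn_only"

def classify_sources(packets, min_ports=4):
    """Return {src: verdict}; a source is flagged when at least min_ports
    distinct (dst, port) pairs show the same scanning pattern."""
    per_src = defaultdict(lambda: defaultdict(set))
    for (src, dst, dport), flags in flow_patterns(packets).items():
        per_src[src][classify_flow(flags)].add((dst, dport))
    verdicts = {}
    for src, patterns in per_src.items():
        syn_probes = patterns["half_open"] | patterns["syn_only"]
        if len(patterns["fin_probe"]) >= min_ports:
            verdicts[src] = "FIN scan (-sF)"
        elif len(syn_probes) >= min_ports and not patterns["connect"]:
            verdicts[src] = "SYN scan (-sS)"
        elif len(patterns["connect"]) >= min_ports:
            verdicts[src] = "connect scan (-sT)"
        else:
            verdicts[src] = "benign"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE).items()):
        print(f"{src:<10} {verdict}")
```

Note that the SYN-scanning source is still caught even though two of its probes got no reply at all, which is how filtered ports look from the scanner's side.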

 

2. Performing Host Discovery (Ping Sweep)

A host discovery scan is one of the most common types of scans used to enumerate hosts on a network because it can use different types of ICMP messages to determine whether a host is online and responding on a network.

The default for the -sn scan option is to send an ICMP echo request packet to the target, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. If the target responds to the ICMP echo or the aforementioned packets, then it is considered alive. Such a scan for host discovery of an entire subnet is sometimes referred to as a ping sweep.

Here is a simple example used against a subnet:

└─# nmap -sn 10.10.1.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-06 13:28 EDT
Nmap scan report for 10.10.1.1
Host is up (0.00031s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 10.10.1.2
Host is up (0.00027s latency).
MAC Address: 08:00:27:A9:52:FD (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.1.11
Host is up (0.00061s latency).
MAC Address: 08:00:27:13:85:15 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.1.10
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.03 seconds

In situations where ICMP packets are blocked, you can choose alternate options such as -PS, which sends a TCP SYN ping to the listed ports to determine whether a host is up. For example, here we check whether the target hosts are up using port 22, 80, or 443.

nmap -PS22,80,443 192.168.1.0/24

Similarly, you can choose to send a TCP ACK packet instead of a SYN. For example, here Nmap sends an ACK packet to port 80 to check whether a host is up in the provided subnet.

nmap -PA80 192.168.1.0/24

This table lists the different options that can be used for host discovery. For more information, refer to the official Nmap documentation on Host Discovery.

| Option/Argument | Description | Example |
|---|---|---|
| -sn | Skips port scanning to quickly identify which hosts are up using a ping scan. | nmap -sn 192.168.1.0/24 |
| -PS | Initiates a TCP SYN ping on the specified ports. Useful for discovering hosts that respond to TCP connections when ICMP may be blocked. | nmap -PS22,80,443 192.168.1.0/24 |
| -PA | Sends a TCP ACK packet to the specified port to determine if a host is up; capable of bypassing some firewalls. | nmap -PA80 192.168.1.0/24 |
| -PU | Sends a UDP packet to the specified port to check for host availability; beneficial when TCP ports are filtered. | nmap -PU53 192.168.1.0/24 |
| -PE | Sends an ICMP echo request to each IP address in the range, a straightforward method for host discovery. | nmap -PE 192.168.1.0/24 |
| -PP | Sends an ICMP timestamp request to each IP address, for discovering hosts that do not respond to standard pings. | nmap -PP 192.168.1.0/24 |
| -PM | Sends an ICMP address mask request, another ICMP-based method for discovering hosts. | nmap -PM 192.168.1.0/24 |
| -PR | Uses ARP to find active hosts on a local network segment, bypassing firewall and router rules; effective for local subnet scanning. | nmap -PR 192.168.1.0/24 |

 

3. Service and Version Detection

In most cases, if a port is found to be open, Nmap will display a default service identifier if a banner was not obtained through service version detection (the -sV flag). Nmap has over 2,200 known services listed in the nmap-services database, which is included with the installation of Nmap and periodically updated as new services can be fingerprinted.

nmap -sV 10.10.1.11

This command scans the target host 10.10.1.11 for open ports and attempts to identify the services running on those ports along with their version numbers. Nmap does this by sending a series of probes designed to trigger responses from known services. The responses are then compared against a database of signatures to determine the service type and version.


The --version-intensity option controls the thoroughness of the service detection process. The level can range from 0 (lightest) to 9 (most aggressive). Higher levels use more probes for detection, which can increase the accuracy of the results but also the scan time and network traffic.

nmap -sV --version-intensity 9 10.10.1.11

 

4. Port Scanning Options

By default, Nmap scans only the 1000 most common ports for each protocol. You can specify additional ports to scan with the -p option. You can obtain additional information about port specifications and scan order from the Port Specification and Scan Order section of the Nmap documentation.

Here is a table with the most used options for port scanning:

| Option/Argument | Description | Example |
|---|---|---|
| -p <ports> | Specifies ports or ranges of ports to scan. | nmap -p 80,443 192.168.1.1 |
| --top-ports <number> | Scans the top N most common ports. | nmap --top-ports 10 192.168.1.1 |
| -F | Performs a fast scan, scanning fewer ports. | nmap -F 192.168.1.1 |
| -p- | Scans all 65535 ports on the target host. | nmap -p- 192.168.1.1 |
| -p <range> | Scans a specified range of ports. | nmap -p 1-1000 192.168.1.1 |
| --exclude-ports <ports> | Excludes the specified ports from scanning. | nmap --exclude-ports 445,3389 192.168.1.1 |
| -r | Scans ports consecutively without randomization. | nmap -r -p 1-100 192.168.1.1 |

 

5. OS Detection

OS Detection in Nmap is performed using the -O option. This feature allows Nmap to guess the operating system of the target host(s) based on peculiarities in how their TCP/IP stacks behave. Nmap sends a series of TCP and UDP packets to the target and examines the responses to infer the operating system based on a database of known signatures.

The process involves sending up to 16 probes to the target and analyzing the responses. The probes vary in terms of TCP options, TCP flags, UDP payloads, and other characteristics that different operating systems handle in slightly different ways.

nmap -O 10.10.1.11

 

6. Timing and Performance

The Nmap scanner provides six timing templates that can be specified with the -T option and the template number (0 through 5) or name. Nmap timing templates enable you to dictate how aggressive a scan will be, while leaving Nmap to pick the exact timing values. These are the timing options:

  • -T0 (Paranoid): Very slow, used for IDS evasion
  • -T1 (Sneaky): Quite slow, used for IDS evasion
  • -T2 (Polite): Slows down to consume less bandwidth, runs about 10 times slower than the default
  • -T3 (Normal): Default, a dynamic timing model based on target responsiveness
  • -T4 (Aggressive): Assumes a fast and reliable network and may overwhelm targets
  • -T5 (Insane): Very aggressive; will likely overwhelm targets or miss open ports

Here you can see sample output of a network scan run with -T4, which completed in around 5 seconds:


The same scan took around 23 seconds with -T2, so you can see the slower scan behavior for the same set of scan data:


 

7. Script Scanning

Nmap supports extended capabilities through the Nmap Scripting Engine (NSE). These scripts (with .nse extensions) come natively with the Nmap installation and provide support for additional network service and vulnerability detection.

NSE scripts are written in Lua and can be used for various purposes, such as gathering additional information about the network, exploiting vulnerabilities, or even detecting and evading IDS/IPS systems. Scripts are categorized into several categories, including safe, intrusive, malware, exploit, and vuln, among others.

NOTE:
You can search for installed NSE scripts in Kali Linux by simply using the locate '*.nse' command (quote the pattern so the shell does not expand it before locate sees it). The site https://nmap.org/book/man-nse.html includes a detailed explanation of the NSE and how to create new scripts using the Lua programming language.

1. Detecting Vulnerabilities: This command runs the vuln category scripts against www.example.com to check for common vulnerabilities.

nmap --script=vuln  www.example.com

2. SMB Enumeration: Enumerates SMB protocol information from the target hosts, including the operating system, workgroup, and server details.

nmap --script=smb-os-discovery 192.168.1.0/24

3. SSL/TLS Certificate Information: Retrieves a target's SSL certificate to provide information like issuer, subject, and validity dates.

nmap --script=ssl-cert -p 443 www.example.com

4. Database Enumeration: Enumerates MySQL databases (requires credentials) to gather information about database names, versions, and more.

nmap --script=mysql-enum -p 3306 192.168.1.100

5. Brute-forcing FTP Login: Attempts to brute-force FTP login credentials to determine valid username/password combinations.

nmap --script ftp-brute -p 21 192.168.1.100

6. Identifying Hostnames with Reverse DNS: Identifies hostnames by using various techniques to perform reverse DNS lookups.

nmap --script=hostmap-bfk.nse 192.168.1.0/24

7. WordPress Scan: Enumerates a WordPress site's plugins, themes, and users, which can be useful for vulnerability scanning.

nmap --script=http-wordpress-enum --script-args search-limit=50 -p443 www.examplewp.com

8. Scanning for IP and Domain Reputation: Gathers geolocation information and WHOIS data for IP addresses, and checks if they are blacklisted, aiding in assessing the security reputation of a network.

nmap --script=ip-geolocation-maxmind,whois-ip --script-args apikey=<YourAPIKey> 192.168.1.100

9. Detecting DoS Vulnerabilities: Runs the dos category scripts to check whether a host is vulnerable to denial-of-service attacks.

nmap --script dos -Pn <domain>

 

8. Saving Nmap output in different formats

| Argument | Description | Example |
|---|---|---|
| -oN <file> | Saves the scan results in a normal, human-readable format. | nmap -oN scan_results.txt 192.168.1.1 |
| -oX <file> | Outputs the scan results in XML format, useful for parsing by other programs. | nmap -oX scan_results.xml 192.168.1.1 |
| -oG <file> | Generates output in a grepable format, making it easier to parse the results with tools like grep. | nmap -oG scan_results.txt 192.168.1.1 |
| -oA <basename> | Outputs the scan results in the three major formats at once (normal, XML, and grepable), using the provided basename. | nmap -oA scan_results 192.168.1.1 |

 

Conclusion

In this article, we have learnt how to use Nmap to perform network reconnaissance. Nmap is a very powerful network tool which can be used for good and bad purposes; it depends on what the operator wants to do, so make sure you only scan networks you are authorized to scan. If you are not into the command line, you can look into Zenmap, the GUI version of Nmap. Zenmap is also a very easy-to-use network reconnaissance tool which many security professionals use. If you are just getting started in security, please check out our other articles on Ethical Hacking. Please let us know in the comments if you encounter any issues with the commands above.

 

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.
