Table of Contents
Overview on Network Reconnaissance
Network reconnaissance is a critical part of any network pentesting operation. Knowing more information about the target’s network will let us know about the target’s infrastructure and will let us know any potential attack vectors and exploits leading to vulnerabilities. Using passive and active reconnaissance tools and technique ,an attacker can hold large amounts of information with less probability of detection.
Overview on Nmap
Nmap is a must-to-have tool for network reconnaissance. Nmap is basically a network scanner designed to find details about a network system and the protocols running on it. This can be done by using different scan types available in Nmap. We can launch scans against an IP address or CIDR and learn a significant amount of information about our target’s network.
Most useful Scan types of Nmap:
This is the most useful type of Nmap scan because it does its work silent. It sends an SYN packet via TCP to all the required ports. If an acknowledgement packet or ACK is received back to the system, it is sure that a port is opened there. No response signifies that the port is either closed or not available. This scan is not shown in most of the scan logs and hence it is safe to use SYN scan to identify the ports.
This is similar to the SYN Scan in various ways but with a tiny little bit of difference. The difference is that the full scan is done by sending the ACK packets back. The network logging systems can easily find TCP scans but this is also more accurate. But , you must also be careful not to overload the systems with TCP packets.
This scan is mostly used for the windows systems to find if an UDP layer is open to vulnerability attacks or not. The responses are slower but it’s always better to be cautious to protect our UDP layer.
This scan can be basically called the Stealth scan. This scan uses a zombie between the attacker and the target , so that if a network firewall finds the attack incoming then the zombie is the one to be blamed but not the attacker. This scan is mostly focused on finding the zombie for us and using the zombie to make the scan for us.
It is very important in network reconnaissance to find out live hosts to narrow our search and this scan is where Nmap pings all the IP addresses to check which IP address responds to an ICMP request. The user can easily find the live hosts with this scan and it is also very fast and the results can be fetched in various formats easily.
Nmap is pretty easy to use and is already available on most Linux/Unix distributions. If you notice that you do not have Nmap installed then you can install Nmap using the following commands
sudo apt-get install nmap
sudo dnf install nmap
Find out if nmap is properly installed or not
Now that we have installed Nmap. We can get our hands dirty by performing some active and passive recon with Nmap.
Using Nmap for Network Reconnaissance
Basic Nmap Scan against a host
You can find ip address of your required target domain using nslookup
nmap -sP 192.168.64.0/24
I have done the ping sweep against my local network in the above screenshot and found 2 live hosts. You can also do a ping sweep against remote hosts just like this.
You can also exclude the live hosts you discovered in Nmap like below :
nmap -sP 192.168.64.0/24 --exclude 192.168.64.1
Scan specific ports
You can use
-p option to scan range of ports against a remote or local host by using the following command:
nmap -p 1-10000 cloudflare.com
You can also scan top 1000 ports for fast scanning using the following command :
nmap --top-ports 1000 18.104.22.168
TCP and UDP Scan
You can perform TCP Scan using Nmap with the following command:
nmap -sT 22.214.171.124
You can perform UDP Scan using Nmap with the following command:
OS & Services Detection
One of the best features of Nmap is OS detection.Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.
nmap -A -T3 cloudflare.com
You can see that in the above screenshot nmap uses the Aggressive mode to scan various ports and services used by cloudflare.com. You can also just use -O to scan only the OS information.
Standard Service Detection
You can also scan only the services using the command below
nmap -sV cloudflare.com
You can also increase the intensity of the scan by using the command below
nmap -sV --version-intensity 5 cloudflare.com
This increase in version intensity will generate more traffic which should never be the aim of a network reconnaissance. You should not use this to scan any external networks without prior permission or you can be dealt with legal laws depending upon the country and the state you live in.
Disabling DNS Name Resolution
Nmap performs DNS resolution on each host it finds which consumes little bit of scan time. You can disable the DNS resolution using the -n parameter. You can use the following command as an example:
nmap -Pn cloudflare.com
One of the nmap's best features every sysadmin and pentester love is Nmap Scripting Engine called NSE. This scripting engine allows users to use pre-defined scripts or write their own scripts using Lua programming language.
Nmap scripts can be used to automate vulnerability scans in an organisation's periodic vulnerability checks. For example if you want to run a full vulnerability scan against your target , use the following command :
nmap --script exploit cloudflare.com
Finding if a Host is Vulnerable to DOS
Nmap is an allrounder and can also be used to check whether a host is vulnerable to DOS attacks by using the following command:
nmap --script dos -Pn 126.96.36.199
Nmap also contains lot of brute-force modules like http-brute , snmp-brute , oracle-brute. We can use these modules to bruteforce credentials of a remote server.
nmap --script brute -Pn 188.8.131.52
In this article , we have learnt how we can use Nmap to perform network reconnaissance. Nmap is a very powerful network tool which can be used for good and bad purposes. It depends on what the attacker wants to do, so make sure to only scan the networks you are authorized to do so. If you are not into command line then you can perhaps look into Zenmap , the GUI based version of Nmap. Zenmap is also a very easy to use Network reconnaissance tool which many security professionals use . If you are just getting started in security , then please check out our other articles on Ethical Hacking. Please let us know if you encounter any issues on the commands above in the comments.