What is Network Reconnaissance?
Network reconnaissance is a critical part of any network pentesting operation. Knowing more about the target's network tells us about its infrastructure and reveals potential attack vectors and exploitable vulnerabilities. Using passive and active reconnaissance tools and techniques, an attacker can gather large amounts of information with a low probability of detection.
Using Network Mapper (Nmap)
One of the most famous open-source network security scanning tools known to pentesters is the Network Mapper (Nmap). Nmap is a command-line tool that utilizes various network protocols and advanced features for surveying hosts for open TCP and UDP ports, fingerprinting operating systems, extracting service banners, and much more. Enumeration is the process of establishing active connections to target systems in order to find potential attack vectors. This includes attempting to find hosts, services, domains, URLs, and valid users to attack.
Install Nmap
Nmap is pretty easy to use and is already available on most Linux/Unix distributions. If you notice that you do not have Nmap installed, you can install it using the following commands:
For Ubuntu/Debian
sudo apt-get install nmap
For Fedora/Centos
sudo dnf install nmap
Check whether Nmap is installed correctly:
nmap --version
Now that we have installed Nmap, we can get our hands dirty by performing some active and passive recon with it.
1. Different Scanning Types
I will cover some of the basic scan types in Nmap, which you can choose between based on the amount of NOISE you are willing to create on the target server while performing the scan:
Scan Type | Command Flag | Description |
---|---|---|
SYN Scan | -sS | Also known as "half-open scanning". A quick and stealthy option that doesn't complete TCP connections. |
TCP Connect Scan | -sT | Performs a full TCP handshake; detectable but reliable. |
UDP Scan | -sU | Identifies open UDP ports; slower to scan because UDP has no connection setup. |
FIN Scan | -sF | Sends a TCP FIN packet, the flag normally used to close a connection. Some systems respond differently to this packet, making it useful for evading certain firewalls. |
ACK Scan | -sA | Sends a TCP ACK packet. Primarily used for mapping out firewall rulesets, distinguishing between filtered and unfiltered ports. |
1.1 TCP SYN Scan (-sS) - Half Open Scan
The following image illustrates how a SYN scan works when the -sS option is specified against the target host. As you can see, the client never sends an ACK and directly responds with an RST.
This process is also referred to as half-open scanning because it does not open a full TCP connection. If the response is a SYN/ACK, this would indicate that the port is actually in a listening state. If the response to the SYN packet is an RST (reset), this would indicate that the port is closed or is not in a listening state. If the SYN probe does not receive any response, Nmap marks it as filtered because it cannot determine if the port is open or closed.
1.2 TCP Connect Scan (-sT)
The following image illustrates how a TCP connect scan works when the -sT option is specified against the target host. A full TCP connect scan requires the scanner to send an additional packet per scan, which increases the amount of noise on the network and may trigger alarms that a half-open scan wouldn't. This is the default scan type that is used if no scan type is specified with the nmap command.
1.3 UDP Scan (-sU)
The majority of the time, you will be scanning for TCP ports, as this is how you connect to most services running on target systems. However, you might encounter some instances in which you need to scan for UDP ports—for example, if you are trying to enumerate a DNS, SNMP, or DHCP server. These services all use UDP for communication between client and server. To scan UDP ports, Nmap sends a UDP packet to all ports specified in the command-line configuration. It waits to hear back from the target. If it receives an ICMP port unreachable message back from a target, that port is marked as closed. If it receives no response from the target UDP port, Nmap marks the port as open/filtered.
The following image illustrates how a UDP scan works when the -sU option is specified against the target host:
```
# nmap -sU 10.10.1.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-06 13:19 EDT
Warning: 10.10.1.11 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.1.11
Host is up (0.00093s latency).
Not shown: 978 open|filtered udp ports (no-response)
PORT     STATE  SERVICE
53/udp   open   domain
111/udp  open   rpcbind
137/udp  open   netbios-ns
162/udp  closed snmptrap
427/udp  closed svrloc
1019/udp closed unknown
2049/udp open   nfs
2160/udp closed apc-2160
6001/udp closed X11:1
...
```
1.4 TCP FIN Scan (-sF)
There are times when a SYN scan might be picked up by a network filter or firewall. In such cases we can use a TCP FIN scan against the target port. If the port is actually closed, the target system sends back an RST packet. If nothing is received from the target port, you can consider the port open, because the normal behaviour would be to ignore the FIN packet.
Here is an output showing the results of an Nmap TCP FIN scan. The response from the target lists the port as open|filtered.
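The scan types above differ in exactly which packets a defender sees on the wire, and that is what a detector can key on. The following is an added example (not code from the original post) that classifies flows in a constructed packet log by the initiator's behaviour: half-open SYN probes that are never completed, full connects that finish the handshake, and bare FIN probes. It alerts when one source touches several ports on a target in the same style; the log format and the threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed packet log (not from the original post): "<src>:<sport> > <dst>:<dport> <flags>",
# flags as letters (S=SYN, A=ACK, R=RST, F=FIN); target replies included only where relevant.
SAMPLE_LOG = """\
10.10.1.10:40001 > 10.10.1.11:22 S
10.10.1.11:22 > 10.10.1.10:40001 SA
10.10.1.10:40001 > 10.10.1.11:22 R
10.10.1.10:40002 > 10.10.1.11:80 S
10.10.1.10:40003 > 10.10.1.11:443 S
10.10.1.20:50001 > 10.10.1.11:22 S
10.10.1.20:50001 > 10.10.1.11:22 A
10.10.1.20:50002 > 10.10.1.11:80 S
10.10.1.20:50002 > 10.10.1.11:80 A
10.10.1.20:50003 > 10.10.1.11:443 S
10.10.1.20:50003 > 10.10.1.11:443 A
10.10.1.30:60001 > 10.10.1.11:22 F
10.10.1.30:60002 > 10.10.1.11:80 F
10.10.1.30:60003 > 10.10.1.11:443 F
"""
LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) ([SARF]+)$")

def classify_flows(log_text):
    """Label each flow by the initiator's behaviour: half_open (SYN never completed), connect (SYN then bare ACK), fin_probe."""
    flows = {}  # (src, sport, dst, dport) -> flags sent by the initiator, in order
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            flows[fwd].append(flags)
        elif rev not in flows:  # packets sent by the target are replies, not probes
            flows[fwd] = [flags]
    result = defaultdict(lambda: defaultdict(set))
    for (src, _sport, dst, dport), sent in flows.items():
        if "S" in sent[0]:
            kind = "connect" if "A" in sent[1:] else "half_open"
        elif "F" in sent[0]:
            kind = "fin_probe"
        else:
            continue
        result[(src, dst)][kind].add(int(dport))
    return result

def scan_alerts(log_text, threshold=3):
    """Alert when one source probed >= threshold distinct ports on a target in the same style."""
    return sorted((src, dst, kind, sorted(ports))
                  for (src, dst), kinds in classify_flows(log_text).items()
                  for kind, ports in kinds.items() if len(ports) >= threshold)
```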
2. Performing Host Discovery (Ping Sweep)
A host discovery scan is one of the most common types of scans used to enumerate hosts on a network because it can use different types of ICMP messages to determine whether a host is online and responding on a network.
The default for the -sn scan option is to send an ICMP echo request packet to the target, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. If the target responds to the ICMP echo or the aforementioned packets, then it is considered alive. Such a scan for host discovery of an entire subnet is sometimes referred to as a ping sweep.
Here is a simple example used against a subnet:
```
└─# nmap -sn 10.10.1.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-06 13:28 EDT
Nmap scan report for 10.10.1.1
Host is up (0.00031s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 10.10.1.2
Host is up (0.00027s latency).
MAC Address: 08:00:27:A9:52:FD (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.1.11
Host is up (0.00061s latency).
MAC Address: 08:00:27:13:85:15 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.1.10
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.03 seconds
```
In situations where ICMP is blocked you can choose alternate options such as -PS, which sends a TCP SYN ping to the listed ports to determine whether a host is up. For example, here we check whether each host is up using port 22, 80 or 443.
nmap -PS22,80,443 192.168.1.0/24
Similarly, you can choose to send a TCP ACK packet instead of a SYN. For example, here Nmap sends an ACK packet to port 80 to check whether a host is up in the provided subnet.
nmap -PA80 192.168.1.0/24
This table contains the list of different options which can be used for host discovery. For more information you can refer to the official Nmap documentation on Host Discovery.
Option/Argument | Description | Example |
---|---|---|
-sn | Skips port scanning to quickly identify which hosts are up using a ping scan. | nmap -sn 192.168.1.0/24 |
-PS | Initiates a TCP SYN ping on the specified ports. Useful for discovering hosts that respond to TCP connections when ICMP may be blocked. | nmap -PS22,80,443 192.168.1.0/24 |
-PA | Sends a TCP ACK packet to the specified port to determine if a host is up, capable of bypassing some firewalls. | nmap -PA80 192.168.1.0/24 |
-PU | Sends a UDP packet to the specified port to check for host availability, beneficial when TCP ports are filtered. | nmap -PU53 192.168.1.0/24 |
-PE | Sends an ICMP echo request to each IP address in the range, a straightforward method for host discovery. | nmap -PE 192.168.1.0/24 |
-PP | Sends an ICMP timestamp request to each IP address, for discovering hosts that do not respond to standard pings. | nmap -PP 192.168.1.0/24 |
-PM | Sends an ICMP address mask request, another ICMP-based method for discovering hosts. | nmap -PM 192.168.1.0/24 |
-PR | Uses ARP to find active hosts on a local network segment, bypassing firewalls and router rules, effective for local subnet scanning. | nmap -PR 192.168.1.0/24 |
3. Service and Version Detection
In most cases, if a port is found to be open, Nmap will display a default service identifier if a banner was not obtained through service version detection (the -sV flag). Nmap has over 2,200 known services listed in the nmap-services database, which is included with the installation of Nmap and periodically updated as new services can be fingerprinted.
nmap -sV 10.10.1.11
This command scans the target host 10.10.1.11 for open ports and attempts to identify the services running on those ports along with their version numbers. Nmap does this by sending a series of probes designed to trigger responses from known services. The responses are then compared against a database of signatures to determine the service type and version.
The --version-intensity option controls the thoroughness of the service detection process. The level can range from 0 (lightest) to 9 (most aggressive). Higher levels use more probes for detection, which can increase the accuracy of the results but also the scan time and network traffic.
nmap -sV --version-intensity 9 10.10.1.11
4. Port Scanning Options
By default, Nmap scans only the 1000 most common ports for each protocol. You can specify additional ports to scan by using the -p option. You can obtain additional information about port specifications and scan order from the Port Specification and Scan Order section of the Nmap documentation.
Here is a table with the most used options for port scanning:
Option/Argument | Description | Example |
---|---|---|
-p <ports> | Specifies ports or ranges of ports to scan. | nmap -p 80,443 192.168.1.1 |
--top-ports <number> | Scans the top N most common ports. | nmap --top-ports 10 192.168.1.1 |
-F | Performs a fast scan, scanning fewer ports. | nmap -F 192.168.1.1 |
-p- | Scans all 65535 ports on the target host. | nmap -p- 192.168.1.1 |
-p <range> | Scans a specified range of ports. | nmap -p 1-1000 192.168.1.1 |
--exclude-ports <ports> | Excludes the specified ports from scanning. | nmap --exclude-ports 445,3389 192.168.1.1 |
-r | Scans ports consecutively without randomization. | nmap -r -p 1-100 192.168.1.1 |
5. OS Detection
OS Detection in Nmap is performed using the -O option. This feature allows Nmap to guess the operating system of the target host(s) based on peculiarities in how their TCP/IP stacks behave. Nmap sends a series of TCP and UDP packets to the target and examines the responses to infer the operating system based on a database of known signatures.
The process involves sending up to 16 probes to the target and analyzing the responses. The probes vary in terms of TCP options, TCP flags, UDP payloads, and other characteristics that different operating systems handle in slightly different ways.
nmap -O 10.10.1.11
6. Timing and Performance
The Nmap scanner provides six timing templates that can be specified with the -T option and the template number (0 through 5) or name. Nmap timing templates enable you to dictate how aggressive a scan will be, while leaving Nmap to pick the exact timing values. These are the timing options:
- -T0 (Paranoid): Very slow, used for IDS evasion
- -T1 (Sneaky): Quite slow, used for IDS evasion
- -T2 (Polite): Slows down to consume less bandwidth, runs about 10 times slower than the default
- -T3 (Normal): Default, a dynamic timing model based on target responsiveness
- -T4 (Aggressive): Assumes a fast and reliable network and may overwhelm targets
- -T5 (Insane): Very aggressive; will likely overwhelm targets or miss open ports
Here you can see sample output of a network scan performed with -T4, which completed in around 5 seconds:
The same scan took around 23 seconds with -T2, so you can see the slower scan behaviour for the same set of scan data:
7. Script Scanning
Nmap supports extended capabilities through the NSE. These scripts (.nse extensions) come natively with the installation of Nmap and provide support for additional network service and vulnerability detection.
NSE scripts are written in Lua and can be used for various purposes, such as gathering additional information about the network, exploiting vulnerabilities, or even detecting and evading IDS/IPS systems. Scripts are categorized into several categories, including safe, intrusive, malware, exploit, and vuln, among others.
You can find the scripts installed on your system with the locate *.nse command. The site https://nmap.org/book/man-nse.html includes a detailed explanation of the NSE and how to create new scripts using the Lua programming language.
1. Detecting Vulnerabilities: This command uses the vuln category scripts to check target.com for common vulnerabilities.
nmap --script=vuln www.example.com
2. SMB Enumeration: Enumerates SMB protocol information from the target hosts, including the operating system, workgroup, and server details.
nmap --script=smb-os-discovery 192.168.1.0/24
3. SSL/TLS Certificate Information: Retrieves a target's SSL certificate to provide information like issuer, subject, and validity dates.
nmap --script=ssl-cert -p 443 www.example.com
4. Database Enumeration: Enumerates MySQL databases (requires credentials) to gather information about database names, versions, and more.
nmap --script=mysql-enum -p 3306 192.168.1.100
5. Brute-forcing FTP Login: Attempts to brute-force FTP login credentials to determine valid username/password combinations.
nmap --script ftp-brute -p 21 192.168.1.100
6. Identifying Hostnames with Reverse DNS: Identifies hostnames by using various techniques to perform reverse DNS lookups.
nmap --script=hostmap-bfk.nse 192.168.1.0/24
7. WordPress Scan: Enumerates a WordPress site's plugins, themes, and users, which can be useful for vulnerability scanning.
nmap --script=http-wordpress-enum --script-args search-limit=50 -p443 www.examplewp.com
8. Scanning for IP and Domain Reputation: Gathers geolocation information and WHOIS data for IP addresses, and checks if they are blacklisted, aiding in assessing the security reputation of a network.
nmap --script=ip-geolocation-maxmind,whois-ip --script-args apikey=<YourAPIKey> 192.168.1.100
9. Detecting DoS Vulnerability: Checks whether a host is vulnerable to DoS attacks.
nmap --script dos -Pn <domain>
8. Saving Nmap output in different formats
Argument | Description | Example |
---|---|---|
-oN <file> | Saves the scan results in a normal, human-readable format. | nmap -oN scan_results.txt 192.168.1.1 |
-oX <file> | Outputs the scan results in XML format, useful for parsing by other programs. | nmap -oX scan_results.xml 192.168.1.1 |
-oG <file> | Generates output in a grepable format, making it easier to parse the results with tools like grep. | nmap -oG scan_results.txt 192.168.1.1 |
-oA <basename> | Outputs the scan results in the three major formats at once (normal, XML, and grepable), using the provided basename. | nmap -oA scan_results 192.168.1.1 |
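The XML output is the form meant for parsing, and it carries everything the -sV and -O sections above describe (service name, product, version and OS match). The following is an added example (not from the original article) that parses a constructed nmap -oX document with Python's standard library and flags open ports missing from a hypothetical per-host baseline, plus open services that version detection could not fingerprint.

```python
import xml.etree.ElementTree as ET

# Constructed minimal "nmap -sV -O -oX" document (not from the original post); element and
# attribute names follow Nmap's XML output format, the values are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.94SVN">
<host><status state="up" reason="arp-response"/><address addr="10.10.1.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.57"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
<port protocol="udp" portid="53"><state state="open"/><service name="domain"/></port>
</ports>
<os><osmatch name="Linux 5.0 - 5.14" accuracy="95"/></os>
</host></nmaprun>"""

# Constructed baseline of the ports expected to be open on each host.
BASELINE = {"10.10.1.11": {("tcp", 22), ("tcp", 80)}}

def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name|None, "ports": [(proto, port, state, service, product, version)]}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        osm = host.find("os/osmatch")  # first (best) OS match, present only with -O
        rec = {"os": osm.get("name") if osm is not None else None, "ports": []}
        for port in host.iter("port"):
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda _k: None)
            rec["ports"].append((port.get("protocol"), int(port.get("portid")),
                                 port.find("state").get("state"),
                                 get("name"), get("product"), get("version")))
        hosts[addr] = rec
    return hosts

def exposure_findings(xml_text, baseline):
    """Flag open ports missing from the host's baseline, and open services that -sV could not version."""
    findings = []
    for ip, rec in parse_nmap_xml(xml_text).items():
        allowed = baseline.get(ip, set())
        for proto, port, state, name, _product, version in rec["ports"]:
            if state != "open":
                continue
            if (proto, port) not in allowed:
                findings.append((ip, f"{port}/{proto}", name, "not in baseline"))
            if version is None:
                findings.append((ip, f"{port}/{proto}", name, "no version fingerprint"))
    return findings
```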
Conclusion
In this article, we have learnt how to use Nmap to perform network reconnaissance. Nmap is a very powerful network tool which can be used for good and bad purposes. It depends on what the attacker wants to do, so make sure to only scan networks you are authorized to scan. If you are not into the command line, you can look into Zenmap, the GUI-based version of Nmap. Zenmap is also a very easy-to-use network reconnaissance tool which many security professionals use. If you are just getting started in security, please check out our other articles on Ethical Hacking. Please let us know in the comments if you encounter any issues with the commands above.