NMAP Basic Summary Guide
In this short article, I will be discussing the basics of the NMAP (“Network Mapper”) tool. Let's get started!
What is NMAP?
The “Network Mapper” tool, more commonly referred to by its abbreviation NMAP, is an efficient port scanning tool. NMAP has grown over the years to perform many more tasks (host discovery, service and OS fingerprinting, scripted checks), but its core functionality is still port scanning.
NMAP Command Syntax
The syntax for an NMAP scan is as follows:
nmap [ <Scan Type> ] [ <Options> ] { <target specification> }
- Scan Type: NMAP can perform different types of scans, e.g. TCP scan, UDP scan, SYN scan, etc.
- Options: NMAP scans can use additional options, e.g. OS Detection.
- Target Specification: the targets to be scanned by NMAP.
NMAP Switches Cheat Sheet
Switches are the options that can be set when using NMAP to scan a target machine. This cheat sheet shows the ones I personally use most often and summarizes their purpose.
--- MOST IMPORTANT SWITCH!!! ---
nmap -h                                 # Print the NMAP option summary (see "man nmap" for the full manual)
--- Scan Types ---
nmap -sS 192.168.176.133                # TCP SYN ("half-open") port scan; the default when run as root
nmap -sT 192.168.176.133                # TCP connect port scan; the default for unprivileged users
nmap -sU 192.168.176.133                # UDP port scan
nmap -sA 192.168.176.133                # TCP ACK scan (maps firewall rules; reports filtered/unfiltered, never open)
--- Host Discovery ---
nmap -Pn 192.168.176.133                # Disable host discovery (no ping); treat every target as up
--- Port Specification ---
nmap 192.168.176.133                    # Scan the 1000 most common ports
nmap -p 80 192.168.176.133              # Scan only the port(s) specified (lists and ranges work too, e.g. -p 21-25,80,443)
nmap -p- 192.168.176.133                # Scan all 65535 ports
nmap -F 192.168.176.133                 # Fast scan (100 most common ports)
--- Service & OS Detection ---
nmap -sV 192.168.176.133                # Service version detection
nmap -O 192.168.176.133                 # OS detection (requires root)
nmap -A 192.168.176.133                 # Aggressive scan (OS detection, service detection, script scanning and traceroute)
--- Timing ---
nmap -T0 192.168.176.133                # Paranoid: extremely slow, for IDS evasion
nmap -T1 192.168.176.133                # Sneaky: slow, for IDS evasion
nmap -T2 192.168.176.133                # Polite: slowed down to use less bandwidth and target resources
nmap -T3 192.168.176.133                # Normal: the default timing template
nmap -T4 192.168.176.133                # Aggressive: faster, assumes a fast and reliable network
nmap -T5 192.168.176.133                # Insane: fastest, may sacrifice accuracy
--- NSE Scripts ---
nmap -sC 192.168.176.133                # Run the default script set
nmap --script vuln 192.168.176.133      # Run the scripts in the "vuln" category
--- NMAP Output Formats ---
nmap -oN report 192.168.176.133         # Normal output to the file "report"
nmap -oG report 192.168.176.133         # Grepable output
nmap -oA report 192.168.176.133         # All three formats at once (report.nmap, report.xml, report.gnmap)
--- Verbosity ---
nmap -v 192.168.176.133                 # Verbose (print scan progress); -vv for even more
A combination of these switches can be used to meet any requirements. The most common NMAP scan I perform for target machines is provided below as an example of combining multiple switches.
nmap -sV -sC -Pn -v -oN nmap_report 192.168.176.133
The NMAP command above can be broken down as follows:
- No -p option: scans the target machine's 1000 most common TCP ports.
- -Pn: disables host discovery, so the target is scanned even if it does not answer pings.
- -sV: performs version detection for the services found.
- -sC: performs a script scan using the default NSE scripts.
- -v: prints verbose progress details during the scan.
- -oN nmap_report: writes the results in normal format to the file nmap_report.
An example of what an NMAP scan output could look like can be seen below:
Based on the scan output above, NMAP has identified the following:
- Port Number/Protocol: 21/tcp
- Port State: open
- Port Service: ftp
- Service Version: vsftpd 3.0.3
NMAP Port States
An NMAP scan returns the state of a port based on how NMAP sees it. These states are not intrinsic properties of the port itself. The port states can be categorized as seen below.
- open: an application is actively accepting connections on the port.
- closed: the port is reachable (NMAP's probes get a response, e.g. a TCP RST) but no application is listening on it.
- filtered: NMAP cannot tell whether the port is open because its probes are blocked or dropped, typically by a firewall or host-based filter.
- unfiltered: the port is reachable, but NMAP cannot determine whether it is open or closed. Only the ACK scan (-sA) classifies ports this way.
- open|filtered: NMAP cannot determine whether the port is open or filtered. Common with UDP scans, where an open port may simply not answer.
- closed|filtered: NMAP cannot determine whether the port is closed or filtered. Only used by the IP ID idle scan.
Generally, the primary goal of an NMAP scan is to identify open ports, since they can provide an avenue for attack.
NMAP Scripting Engine (NSE)
I want to finish this article with the NSE NMAP feature, since it can be quite powerful. The NSE was mentioned earlier with the “-sC” and “--script” switches. The NSE scripts are categorized as follows:
- auth: scripts deal with authentication credentials (or bypassing them), e.g. ftp anonymous login.
- broadcast: discovery of hosts not listed on the command line by broadcasting on the local network.
- brute: scripts use brute force attacks to guess authentication credentials, e.g. “snmp-brute” script.
- default: default scripts used with “-sC” or “-A” switch.
- discovery: actively discover more about the network by querying public registries, SNMP-enabled devices, directory services, etc.
- dos: scripts cause a denial of service (DoS).
- exploit: scripts exploit some vulnerability, e.g. http-shellshock.
- external: scripts send data to a third-party database or other network resource, e.g. whois-ip lookup.
- fuzzer: scripts send server software unexpected or randomized fields in each packet, e.g. dns-fuzz script.
- intrusive: scripts considered too risky to run against production targets, since they may crash the service, use up significant resources or be seen as malicious, e.g. snmp-brute script.
- malware: scripts test if target platform is infected by malware or backdoors.
- safe: scripts not designed to crash or damage systems.
- version: scripts that extend version detection; they cannot be selected explicitly and run only when the “-sV” switch is used.
- vuln: scripts detect known vulnerabilities and generally only report their findings.
Taking advantage of these scripts can provide some very useful information when scanning a target. An example is shown below where an anonymous FTP login has been discovered by the ftp-anon script, which belongs to the default category and therefore runs whenever the “-sC” switch is used.
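Once a scan like the combined one above has been written to disk with -oN, the report still has to be read or post-processed. The script below is an added example, not code from the article: it works on a constructed report in the normal (-oN) format (the host, versions and NSE lines are made up for illustration), lists each port with its state as defined in the port-states section, extracts the open ports in the form -p accepts for a follow-up scan, counts ports per state, and pulls out NSE findings such as the ftp-anon result, tying each to the port it appears under.

```shell
#!/bin/sh
# Added example (not from the original article): post-process an NMAP -oN report.
# Every function reads the report from the file given as $1, or from stdin when
# no file is given, so they work on a real "nmap ... -oN nmap_report" file too.

# Constructed sample of what "nmap -sV -sC -Pn -v -oN nmap_report <target>" writes.
# Host, versions and script output are invented for illustration only.
SAMPLE_REPORT=$(cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -sC -Pn -v -oN nmap_report 192.168.176.133
Nmap scan report for 192.168.176.133
Host is up (0.00045s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
21/tcp   open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             33 Jan 01  2024 notes.txt
22/tcp   open     ssh     OpenSSH 8.2p1 (protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp  filtered https
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Mon Jan  1 00:00:12 2024 -- 1 IP address (1 host up) scanned in 12.34 seconds
EOF
)

# Port table: "port/proto state service version" for every port line. Port lines
# start with <number>/<proto>; NSE lines start with "|" and the header/footer
# with "#", so the first-field test skips both. Ports without a version get "-".
port_table() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ {
        ver = ""
        for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
        print $1, $2, $3, (ver == "" ? "-" : ver)
    }' "$@"
}

# Open TCP ports as a comma-separated list, the form -p accepts, so the result can
# feed a targeted follow-up, e.g.: nmap -p "$(open_ports nmap_report)" --script vuln <target>
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, p, "/"); printf "%s%s", (n++ ? "," : ""), p[1]
    } END { if (n) print "" }' "$@"
}

# Count ports per state ("open", "filtered", "open|filtered" from -sU runs, ...).
state_counts() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ { c[$2]++ }
         END { for (s in c) print s, c[s] }' "$@" | sort
}

# NSE findings: the first line of each script result ("| name: text" or
# "|_name: text"), printed as "port script text" and tied to the port whose
# block it appears under. Continuation lines ("|_  ...", "|   ...") are skipped.
script_findings() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ { port = $1; next }
         /^\|_? ?[a-z0-9-]+: / {
             line = $0; sub(/^\|_? ?/, "", line)
             name = line; sub(/:.*/, "", name)
             sub(/^[^:]*: /, "", line)
             print port, name, line
         }' "$@"
}

# Stand-alone demo on the constructed sample; pass a real report path instead.
printf '%s\n' "$SAMPLE_REPORT" | port_table
printf '%s\n' "$SAMPLE_REPORT" | open_ports
printf '%s\n' "$SAMPLE_REPORT" | state_counts
printf '%s\n' "$SAMPLE_REPORT" | script_findings
```

On a real report, open_ports gives exactly the list a targeted second pass needs (for example -sV plus --script vuln against only the open ports), and script_findings is the quickest way to pull a result such as the anonymous FTP login out of a long report. For anything beyond one-off filtering, prefer the XML output (-oX, or -oA for all formats) and a proper parser: the grepable format is deprecated and does not carry NSE script output.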
Closing Remarks
This guide is just a brief summary of the NMAP tool and some of its capabilities. I strongly recommend anyone looking to use this tool to read the manual and become familiar with its features and capabilities.
“ Give me six hours to chop down a tree and I will spend the first four sharpening the ax. ” — often attributed to Abraham Lincoln
The quote above can be used as a metaphor related to having a good understanding of your main tools, which will mean more accurate and efficient scans, with less time wasted. I hope you enjoyed this summary of the NMAP tool and found it useful. Feel free to follow me on Twitter (@TheTMC113) and happy scanning 😃!