scanning with nmap - overview
Nmap is a powerful network scanner, and is usually the first tool out of the box for ethical hackers when performing the initial enumeration of a target. There are many ways to launch an nmap scan, with many switches to toggle depending on how deep or wide one wants to look. This article presumes you're using a robust Linux distro (like Kali) that already has it installed.
Simply open a terminal instance, type "nmap", and hit enter to see the usage summary. Common switches to note:
- -p specifies the port ranges to scan (for example -p 22,80,443 or -p 1-1024). Leave it off and nmap scans its top 1000 most common ports. Write it as -p- (a dash with no range after it) and all 65535 ports will be scanned.
- -sV probes open ports to determine the service and version running on them. This is extremely important for enumeration, since a version string is what you search for when looking for potential exploits.
- -sC runs the default set of NSE scripts. They're chosen to be fast, useful and not overly intrusive, so the scanner can stay relatively quiet, though every script still talks to the target, so "quiet" is relative.
- -O enables OS detection (this needs root, hence the sudo later on). This is also helpful on initial enumeration.
- -v increases verbosity. How much do you want to know? -vv will return more data than -v.
In my adventures with HackTheBox, I've run scans with different combinations of switches. This can be time consuming, and of course the more you hit your target with a scanner, the greater the chance that your presence will be noticed. Heath Adams, @thecybermentor from TCM Security Academy, demonstrated a useful "done-in-one" approach that I have used with much success.
nmap -T4 -A -p- <IP address>
- -T sets the timing template, from 0 (slowest) to 5 (fastest). 4 (aggressive) is a reasonable choice on a lab network, considering what the next two switches ask the scanner to do.
- -A bundles several switches: OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute.
- -p- scans all 65535 TCP ports.
- <IP address> is a placeholder; the target's actual IP address goes here.
The reasoning for setting the timing to 4 is that running OS detection, version detection and the default scripts (-A) against all 65535 TCP ports (-p-) can take a while. I usually launch this first and let it run while I perform other preliminary enumeration steps. To expedite launching it, I created a simple script called nmapLaunch using the -T4, -A and -p- switches. I run it at the command line with the IP address and let it cook. Because -A includes -O, the script runs nmap under sudo.
creating the script
┌──(kali㉿dobrohaxxor)-[~]
└─$ printf '#!/bin/bash\nsudo nmap -T4 -A -p- "$1"\n' > nmapLaunch && chmod +x nmapLaunch
Note the quoting: an unquoted $IP in an echo is expanded by the interactive shell (to nothing, unless IP happens to be set) before it ever reaches the file, so the script must use the positional parameter "$1" and the single quotes keep it from being expanded at creation time. The chmod adds the execute bit so ./nmapLaunch works.
running the script
┌──(kali㉿dobrohaxxor)-[~]
└─$ ./nmapLaunch 10.129.218.220
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 14:25 EDT
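As an added example (my own wrapper, not the post's nmapLaunch one-liner), here is a slightly more defensive version of the same done-in-one scan: it checks that the argument looks like a target before handing it to the shell, keeps the -T4 -A -p- switches from the post, saves all three nmap output formats with -oA so the results outlive the terminal, and then lists the open ports from the greppable .gnmap file so the rest of the enumeration can start from them. It assumes nmap is on PATH and sudo is available; the .gnmap sample written by write_sample_gnmap is constructed to match nmap's greppable format and is not real scan output.

```bash
#!/bin/bash
# Added example, not the post's nmapLaunch: a wrapper around the "done-in-one"
# nmap -T4 -A -p- scan that validates the target, writes -oA output files and
# parses the open ports back out of the .gnmap file. Assumes nmap and sudo
# are installed; the sample .gnmap content below is constructed, not captured.

# Accept only characters that can appear in an IP, CIDR or hostname target,
# so a stray argument cannot smuggle shell metacharacters into the command.
valid_target() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9.:/_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# The command line the wrapper runs. -oA writes <base>.nmap, <base>.gnmap and
# <base>.xml side by side so the results can be grepped or parsed later.
build_scan_cmd() {
  printf 'sudo nmap -T4 -A -p- -oA %s %s' "$2" "$1"
}

# Parse greppable output: each "Host:" line is tab-separated and may carry a
# "Ports: <port>/<state>/<proto>//<service>//<version>/, ..." field.
# Prints "port/proto service" for every port in state open.
open_ports_from_gnmap() {
  awk -F'\t' '/^Host:/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
      sub(/^Ports: /, "", $i)
      n = split($i, entries, /, */)
      for (j = 1; j <= n; j++) {
        split(entries[j], f, "/")
        if (f[2] == "open") printf "%s/%s %s\n", f[1], f[3], f[5]
      }
    }
  }' "$1"
}

# Constructed sample of what -oA leaves in the .gnmap file, so the parser can
# be exercised without running a scan (the versions shown are made up).
write_sample_gnmap() {
  printf '# Nmap 7.91 scan initiated as: nmap -T4 -A -p- -oA sample 10.129.218.220\n' > "$1"
  printf 'Host: 10.129.218.220 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.129.218.220 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n' >> "$1"
}

# Validate, scan, then summarise. The output base name carries the target and
# a timestamp so repeated runs against the same box do not overwrite each other.
run_scan() {
  local target="$1" base
  valid_target "$target" || { echo "usage: $0 <ip|cidr|hostname>" >&2; return 2; }
  base="nmap_$(printf '%s' "$target" | tr '/:' '__')_$(date +%Y%m%d-%H%M%S)"
  echo "[*] running: $(build_scan_cmd "$target" "$base")"
  sudo nmap -T4 -A -p- -oA "$base" "$target"
  echo "[*] open ports (from $base.gnmap):"
  open_ports_from_gnmap "$base.gnmap"
}

# Only scan when a target is given; sourcing the file just defines the helpers.
if [ "$#" -gt 0 ]; then
  run_scan "$@"
fi
```

Save it as nmapLaunch, chmod +x it, and run ./nmapLaunch 10.129.218.220 exactly as in the post; append & if you want it in the background while you carry on with other enumeration. The target check is deliberately a whitelist of characters rather than a full IP parser: nmap itself will reject a bad target, the point is only that nothing like "; rm -rf ~" can ride along in the argument. The awk parser skips anything whose state is not open (closed and filtered ports appear in the Ports field too), which is what you want to feed into the next round of enumeration.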
Happy nmapping!