scanning with nmap - overview



Nmap is a powerful network scanner, and is usually the first tool out of the box for ethical hackers when performing the initial enumeration of a website. There are many ways to launch an nmap scan, with many switches to toggle depending on how deep or wide one wants to look. This article presumes you’re using a robust Linux distro (like Kali) that has this already installed.

Simply open a terminal instance, type “nmap”, and hit enter. Common switches to note:

  • -p to specify TCP port ranges. Omit it and nmap will scan the top 1000 ports. Use -p- and all ports will be scanned.
  • -sV to detect service versions. This is extremely important when enumerating to find potential exploits.
  • -sC will run the default set of scripts. They’re selected to provide useful information while allowing the scanner to operate like a ninja.
  • -O enables OS detection. This is also helpful on initial enumeration.
  • -v increases verbosity. How much do you want to know? -vv will return more data than -v.

In my adventures with HackTheBox, I’ve run scans with different combinations of switches. This can be time-consuming, and of course the more you hit your target with a scanner, the greater the chance that your presence will be known. Heath Adams, @thecybermentor from TCM Security Academy, demonstrated a useful “done-in-one” approach that I have used with some success.

nmap -T4 -A -p- <IP address>
  • -T sets the timing template. Slow to fast is 0-5. Setting this to 4 is good, considering the next two switches
  • -A handles multiple switches for OS detection, version detection, script scanning (default) and traceroute
  • -p- scans all 65535 TCP ports
  • <IP address> is a placeholder; type the actual IP address in its place.

The reason for setting the timing to 4 is that running the default script scans (-A) on all 65535 TCP ports (-p-) can take a while. I usually launch this first and let it run while I perform other preliminary enumeration steps. To expedite launching this, I created a simple script called nmapLaunch using the -T4, -A, and -p- switches. I run it at the command line with the IP address and let it cook.

creating the script

┌──(kali㉿dobrohaxxor)-[~]
└─$ printf '#!/bin/sh\nsudo nmap -T4 -A -p- "$1"\n' > nmapLaunch && chmod +x nmapLaunch

running the script

┌──(kali㉿dobrohaxxor)-[~]
└─$ ./nmapLaunch 10.129.218.220
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 14:25 EDT

Another manual tactic is to run a basic scan of all ports; once the discovered ports are returned, a second scan can be run to focus on them with the -sC, -sV and -O switches. Sometimes the basic “first run” needs to be run with the -Pn switch, which skips the ping-based host discovery and treats the target as up.

Nmap can save results via output files in three formats: .nmap, a text-based format; .gnmap, a greppable format; and .xml, a personal favorite since it can be converted to .html. I use xsltproc for quick conversion from xml to html. It’s quite convenient to leave the scan up on a browser tab for easy reference.
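
The two-pass tactic and the output files described above, as an added example that is not part of the original post: it reads the first scan's greppable output, extracts the open TCP ports, and prints the focused second command without running nmap itself. The function names, the allports/detail file basenames and the sample scan line are assumptions made for illustration, and it assumes one target per file.

```shell
#!/bin/sh
# Added example: pass 1 is run by hand and saved in every format with -oA, e.g.
#   sudo nmap -p- -oA allports <IP address>   (add -Pn if the host ignores pings)
# "allports" and "detail" are hypothetical basenames chosen for this sketch.

# Constructed sample of what allports.gnmap could contain (ports are made up).
sample_gnmap() {
    printf 'Host: 10.129.218.220 ()\tStatus: Up\n'
    printf 'Host: 10.129.218.220 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (65532)\n'
}

# Read greppable output on stdin, print open TCP ports as "22,80".
open_ports() {
    awk -F'\t' '
        {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                p = $i
                sub(/^Ports: /, "", p)
                n = split(p, entries, /, */)
                for (j = 1; j <= n; j++) {
                    # Each entry is port/state/protocol/owner/service/...
                    split(entries[j], f, "/")
                    if (f[2] == "open" && f[3] == "tcp") print f[1]
                }
            }
        }' | sort -un | paste -sd, -
}

# Print (not run) the focused pass-2 command for target $1, gnmap on stdin.
stage_two_cmd() {
    ports=$(open_ports)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found; was -Pn needed on the first pass?" >&2
        return 1
    fi
    printf 'sudo nmap -sC -sV -O -p %s -oA detail %s\n' "$ports" "$1"
}

sample_gnmap | stage_two_cmd 10.129.218.220
# After pass 2 finishes, render its XML for the browser tab:
#   xsltproc detail.xml -o detail.html
```

With a real scan, feed the file in place of the sample: `stage_two_cmd <IP address> < allports.gnmap`.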

Happy nmapping!

Saturday, September 18, 2021 by dobrohaxxor