scanning with nmap - overview
hack toolsNmap is a powerful network scanner, and is usually the first tool out of the box for ethical hackers when performing the initial enumeration of a website. There are many ways to launch an nmap scan, with many switches to toggle depending on how deep or wide one wants to look. This article presumes you’re using a robust Linux distro (like Kali) that has this already installed.
Simply open a terminal instance, type “nmap”, and hit enter. Common switches to note:
- -p to specify TCP port ranges. Don’t use it and nmap will scan the top 1000 ports. Bracket it with dashes -p- and all ports will be scanned
- -sV to specify service versions. This is extremely important for enumerating to find potential exploits
- -sC will run the default set of scripts. They’re selected to provide useful information while allowing the scanner to operate like a ninja.
- -O enables OS detection. This is also helpful on initial enumeration.
- -v increases verbosity. How much do you want to know? -vv will return more data than -v.
In my adventures with HackTheBox, I’ve run scans with different combinations of switches. This can be time consuming, and of course the more you hit your target with a scanner the chances increase that your presence will be known. Heath Adams, @thecybermentor from TCP Security Academy, demonstrated a useful “done-in-one” approach that I have used with some success.
nmap -T4 -A -p- <IP address>
- -T sets the timing template. Slow to fast is 0-5. Setting this to 4 is good, considering the next two switches
- -A handles multiple switches for OS detection, version detection, script scanning (default) and traceroute
- -p- scanning all 65535 TCP ports
- IP address instead of this, the actual IP address would be typed.
The reasoning for setting the timing to 4 is because running the default script scans (-A) on all 65535 TCP ports (-p) can take a while. I usually launch this first and let it run while I do perform other preliminary enumeration steps. To expedite launching this, I created a simple script called nmapLaunch using the -T4, -A, and -p- switches. I run it at the command line with the IP address and let it cook.
creating the script
──(kali㉿dobrohaxxor)-[~] └─$ echo sudo nmap -T4 -A -p- $IP > nmapLaunch
running the script
┌──(kali㉿dobrohaxxor)-[~] └─$ ./nmapLaunch 10.129.218.220 [sudo] password for kali: Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 14:25 EDT
Another manual tactic is to run a basic scan of all ports, then when the discovered ports are returned a second scan can be run to focus on the discovered ports with the -sC,-sV, -O switches. Sometimes the basic “first run” needs to be run with the -Pn switch, which disables pings.
Nmap can save results via output files in three formats: a text-based .nmap, xml, .gnmap, a greppable format, and xml, a personal favorite since it can be converted to .html. I use xsltproc for quick conversion from xml to html. It’s quite convenient to leave the scan up on a browser tab for easy reference.
Happy nmapping!
Add a comment (2005 views)