NMAP for Port Scanning and Footprinting

Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Red teams and penetration testers (ethical hackers) commonly use Nmap for port scanning and network footprinting, and defenders use the same tool to verify what their own networks expose.

In this blog, you’ll learn Nmap basics and how to use it for common network scanning tasks.

What Information Does Nmap Provide?

Nmap uses raw IP packets in novel ways to determine information about the hosts on a network:

  • which hosts are available on the network;
  • what services (application name and version) those hosts are offering;
  • what operating systems (and OS versions) they are running;
  • what type of packet filters/firewalls are in use.

Note that a plain scan only reports port states together with the service name conventionally associated with each port number. Probing the actual application and version requires the -sV option, and OS fingerprinting requires -O; both send extra traffic and take longer.

Nmap was designed to rapidly scan large networks, but works fine against single hosts. It runs on all major operating systems, and official binary packages are available for Linux, Windows, and macOS.

In addition to the classic command-line Nmap executable, the Nmap suite includes Zenmap, an advanced GUI front end and results viewer.

Installing NMAP

The Nmap website (https://nmap.org) contains detailed download and installation instructions for all supported operating systems.

DNS Lookup

At the beginning of any test, we need to look up the IP address that a domain resolves to, or the domain name that belongs to an IP address.

halim@Halim-Ubuntu:~$ nslookup halim.website
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: halim.website
Address: 54.217.168.214

nslookup sends a DNS query to find the IP address of a domain or, for a reverse lookup, the domain name of an IP address. The answer above is marked non-authoritative because it came from the local resolver (127.0.0.53 is the stub listener of systemd-resolved on Ubuntu), not from the domain’s authoritative name servers.

halim@Halim-Ubuntu:~$ nmap halim.website
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-08 22:32 EET
Nmap scan report for halim.website (54.217.168.214)
Host is up (0.11s latency).
rDNS record for 54.217.168.214: ec2-54-217-168-214.eu-west-1.compute.amazonaws.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 18.22 seconds

The above command resolves the domain to an IP address and scans that host, reporting the state of each port. By default Nmap scans only the 1,000 most commonly used TCP ports (not the first 1,000 port numbers), which is enough to cover the standard services; use -p- to scan all 65,535 TCP ports, or -p with a list to scan specific ones. If a domain resolves to several addresses, Nmap scans only the first one unless you pass --resolve-all. Two details in this output matter for footprinting: the rDNS line shows the target is an EC2 instance in the AWS eu-west-1 region, and 997 of the 1,000 ports are reported as filtered, meaning a firewall or packet filter dropped the probes, so Nmap cannot tell whether those ports are open or closed.

Scan a Network – IP Range

You may need to scan a network to find which IP addresses are in use, and then scan each live IP individually.

root@kali:~# nmap -oG - 10.0.2.0-255 -p 22 -vv > MyNetworkScanResult.txt

The above command scans a range of 256 addresses (10.0.2.0 to 10.0.2.255) for a single port (22 in this example). -oG - writes Nmap’s grepable output format to standard output, -vv raises the verbosity so that unresponsive addresses are listed as well, and the redirection stores the result in a text file to process later.

Host: 10.0.2.253 ()     Status: Down
Host: 10.0.2.254 ()     Status: Down
Host: 10.0.2.255 ()     Status: Down
Host: 10.0.2.1 ()       Status: Up
Host: 10.0.2.1 ()       Ports: 22/closed/tcp//ssh///
Host: 10.0.2.2 ()       Status: Up
Host: 10.0.2.2 ()       Ports: 22/open/tcp//ssh///
Host: 10.0.2.3 ()       Status: Up
Host: 10.0.2.3 ()       Ports: 22/filtered/tcp//ssh///
Host: 10.0.2.4 ()       Status: Up
Host: 10.0.2.4 ()       Ports: 22/open/tcp//ssh///
Host: 10.0.2.15 ()      Status: Up
Host: 10.0.2.15 ()      Ports: 22/closed/tcp//ssh///

The above is a portion of the grepable output stored in the text file. Each address gets a Status line, and each host that is up also gets a Ports line listing the state of every scanned port.

  • The Status field says whether Nmap considers the address to belong to a live host. Up means the host answered at least one of Nmap’s host-discovery probes. Down means it did not answer, which also happens when a live host or a firewall silently drops those probes; use -Pn to skip discovery and port-scan such addresses anyway.
  • open means a service on port 22 accepted the probe: you can send traffic to this machine on that port.
  • filtered means Nmap got no usable answer for the port, typically because a firewall or packet filter dropped the probe. Nmap cannot tell whether a service is listening behind it, so filtered is not the same as open.
  • closed means the host is reachable and answered, but nothing is listening on that port.

Now, we need to read the file, keep only the lines for hosts that are up, and extract their IP addresses:

root@kali:~# cat MyNetworkScanResult.txt | grep "Up" | awk -F " " '{print $2}' > Up_IPs.txt

The above command consists of 4 parts.

  • The 1st part reads the file.
  • The 2nd part keeps only the lines that contain the word “Up” (the Status: Up lines).
  • The 3rd part splits each line into columns separated by spaces and prints the 2nd column, which is the IP address.
  • The 4th part redirects the output to a text file.
root@kali:~# cat Up_IPs.txt
10.0.2.1
10.0.2.2
10.0.2.3
10.0.2.4
10.0.2.15

The IP addresses of the live hosts, as written to the text file.
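The grep/awk one-liner above works for this scan, but it throws away the per-port state that Nmap already put in the Ports field. The following shell snippet is an added example, not code from the original post: it parses the grepable format field by field, so you can ask for the hosts that are up and, separately, for the hosts where a given port is open, closed or filtered. GREPABLE_SAMPLE is constructed in the layout of the -vv scan above (with a second port, 80, added to show the comma-separated Ports field), and the function names up_hosts and hosts_with_port are chosen here; they are not Nmap commands.

```shell
#!/bin/sh
# Added example, not code from the original post: parsing Nmap grepable (-oG)
# output field by field instead of grep "Up" | awk '{print $2}'.
# GREPABLE_SAMPLE is constructed in the layout of the page's -vv scan of
# 10.0.2.0-255, with a second port (80) added to show the comma-separated
# Ports field. Function names are chosen here; they are not Nmap commands.

GREPABLE_SAMPLE='# Nmap 7.80 scan initiated as: nmap -oG - 10.0.2.0-255 -p 22,80 -vv
Host: 10.0.2.253 ()     Status: Down
Host: 10.0.2.254 ()     Status: Down
Host: 10.0.2.1 ()       Status: Up
Host: 10.0.2.1 ()       Ports: 22/closed/tcp//ssh///, 80/closed/tcp//http///
Host: 10.0.2.2 ()       Status: Up
Host: 10.0.2.2 ()       Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 10.0.2.3 ()       Status: Up
Host: 10.0.2.3 ()       Ports: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///
Host: 10.0.2.4 ()       Status: Up
Host: 10.0.2.4 ()       Ports: 22/open/tcp//ssh///, 80/closed/tcp//http///
Host: 10.0.2.15 ()      Status: Up
Host: 10.0.2.15 ()      Ports: 22/closed/tcp//ssh///, 80/open/tcp//http///
# Nmap done -- 256 IP addresses (5 hosts up) scanned in 3.10 seconds'

# up_hosts OUTPUT: print the IP of every record whose Status field is Up.
# Requiring "Host:" as the first field and "Status: Up" as a phrase keeps
# comment lines and hostnames that merely contain "Up" out of the result.
up_hosts() {
    printf '%s\n' "$1" | awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# hosts_with_port OUTPUT PORT STATE: print the IP of every host whose Ports
# field reports PORT in STATE (open, closed or filtered). Each Ports entry
# has the form port/state/protocol/owner/service/rpcinfo/version/ and the
# entries are separated by ", ".
hosts_with_port() {
    printf '%s\n' "$1" | awk -v port="$2" -v state="$3" '
        $1 == "Host:" && /Ports:/ {
            ip = $2
            sub(/^.*Ports: /, "")                 # keep only the port list
            sub(/[ \t]+Ignored State:.*$/, "")   # drop the trailing summary, if any
            n = split($0, entries, /, */)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[1] == port && f[2] == state) { print ip; break }
            }
        }'
}

echo "Hosts up:";         up_hosts "$GREPABLE_SAMPLE"
echo "Port 22 open:";     hosts_with_port "$GREPABLE_SAMPLE" 22 open
echo "Port 22 filtered:"; hosts_with_port "$GREPABLE_SAMPLE" 22 filtered

# On a real scan file the equivalent of the page's Up_IPs.txt, restricted to
# hosts where port 22 is actually open, would be:
#   hosts_with_port "$(cat MyNetworkScanResult.txt)" 22 open > Up_IPs.txt
```

Splitting the Ports entries on "/" is what makes this robust: the state is always the second field of each entry, regardless of how many ports were scanned or whether -sV filled in the version field.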

 root@kali:~# nmap -iL Up_IPs.txt > Scan_Results.txt

This command reads the target list from the file with -iL, scans only the hosts that were up, and stores the results in a text file. The scan results are shown below.

root@kali:~# cat Scan_Results.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 16:36 EET
Stats: 0:00:15 elapsed; 0 hosts completed (4 up), 4 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:15 elapsed; 0 hosts completed (4 up), 4 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 10.0.2.1
Host is up (0.00011s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)

Nmap scan report for 10.0.2.2
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
631/tcp   open  ipp
3306/tcp  open  mysql
50006/tcp open  unknown
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)

Nmap scan report for 10.0.2.3
Host is up (0.00036s latency).
All 1000 scanned ports on 10.0.2.3 are filtered
MAC Address: 08:00:27:DB:AA:DB (Oracle VirtualBox virtual NIC)

Nmap scan report for 10.0.2.4
Host is up (0.00018s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:B8:87:F1 (Oracle VirtualBox virtual NIC)

Nmap scan report for 10.0.2.15
Host is up (0.000010s latency).
All 1000 scanned ports on 10.0.2.15 are closed

Nmap done: 5 IP addresses (5 hosts up) scanned in 26.59 seconds
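Normal output like Scan_Results.txt is meant for humans, but with a few hosts it is already worth summarising: which ports are open on each host, which hosts filtered everything (they are not empty, a firewall dropped every probe), and which hosts expose services that carry credentials in cleartext. The shell snippet below is an added example, not code from the original post. NORMAL_SAMPLE is a constructed, shortened copy in the same layout as the results above (with one host given a resolved name to show the "name (ip)" form of the report line), and open_ports, filtered_hosts and cleartext_services are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post: summarising Nmap's normal
# (human-readable) output, like Scan_Results.txt, per host.
# NORMAL_SAMPLE is a constructed, shortened copy in the layout of the page's
# results; the function names are chosen here and are not Nmap commands.

NORMAL_SAMPLE='Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 16:36 EET
Nmap scan report for 10.0.2.1
Host is up (0.00011s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)

Nmap scan report for 10.0.2.3
Host is up (0.00036s latency).
All 1000 scanned ports on 10.0.2.3 are filtered
MAC Address: 08:00:27:DB:AA:DB (Oracle VirtualBox virtual NIC)

Nmap scan report for target.lab (10.0.2.4)
Host is up (0.00018s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
512/tcp  open  exec
3306/tcp open  mysql
MAC Address: 08:00:27:B8:87:F1 (Oracle VirtualBox virtual NIC)

Nmap done: 3 IP addresses (3 hosts up) scanned in 5.12 seconds'

# open_ports OUTPUT HOST: space-separated port/proto entries that are open on
# HOST. The report line ends with the IP, bare or in parentheses after the
# resolved name, so the last word with parentheses stripped is the host key.
open_ports() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        host == want && $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            if (list != "") list = list " "
            list = list $1
        }
        END { print list }'
}

# filtered_hosts OUTPUT: hosts where every scanned port was filtered. Treat
# these as firewalled, not empty: try other ports, -Pn, or another vantage
# point instead of dropping them from the target list.
filtered_hosts() {
    printf '%s\n' "$1" | awk '/^All [0-9]+ scanned ports on .* are filtered$/ { print $6 }'
}

# cleartext_services OUTPUT: "host port service" for open services that send
# credentials unencrypted (FTP, telnet and the BSD r-services exec/login/shell),
# the usual first stop when triaging a scan.
cleartext_services() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            n = split("ftp telnet exec login shell", a, " ")
            for (i = 1; i <= n; i++) flag[a[i]] = 1
        }
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        $2 == "open" && ($3 in flag) { print host, $1, $3 }'
}

echo "Open ports on 10.0.2.4: $(open_ports "$NORMAL_SAMPLE" 10.0.2.4)"
echo "Fully filtered hosts:"; filtered_hosts "$NORMAL_SAMPLE"
echo "Cleartext services:";   cleartext_services "$NORMAL_SAMPLE"
```

For anything larger than a handful of hosts, prefer -oX or -oG at scan time over parsing normal output after the fact; the normal format is not guaranteed to stay stable between Nmap versions, while the grepable and XML formats are designed for tools.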

Even a default scan like this one tells a practitioner where to look first: 10.0.2.3 answers host discovery but filters every port, which points to a host firewall, while 10.0.2.4 exposes cleartext and legacy services such as FTP, telnet, the r-services on ports 512 to 514, NFS, VNC and X11, which makes it the obvious first target for closer inspection.

In the above tutorial, I’ve tried to demonstrate in a simple way how Nmap works, but Nmap offers much more if you dig deeper.

You can also check the Nmap cheat sheet, and my other blog posts related to ethical hacking.

Thank you for reading!
