NMAP for Port Scanning and Footprinting
Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Red teams (ethical hackers) mainly use NMAP for port scanning and network footprinting.
In this blog, you’ll learn NMAP basics and how to use it for basic network scanning tasks.
What Information Does NMAP Provide?
Nmap uses raw IP packets in novel ways to determine information about the hosts in a network, such as:
- Which hosts are available on the network.
- Which services (application name and version) those hosts are offering.
- Which operating systems (and OS versions) they are running.
- Which types of packet filters/firewalls are in use.
Moreover, NMAP was designed to rapidly scan large networks, but it works fine against single hosts too. It runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer, Zenmap.
Installing NMAP
The NMAP website contains detailed download and installation instructions for all operating systems. You can find the instructions here.
DNS Lookup
At the beginning of any test, we need to look up the domain that belongs to an IP, or the IP that belongs to a domain.
halim@Halim-Ubuntu:~$ nslookup halim.website
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   halim.website
Address: 54.217.168.214
nslookup basically sends a DNS query to resolve the IP of a domain, or vice versa.
halim@Halim-Ubuntu:~$ nmap halim.website
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-08 22:32 EET
Nmap scan report for halim.website (54.217.168.214)
Host is up (0.11s latency).
rDNS record for 54.217.168.214: ec2-54-217-168-214.eu-west-1.compute.amazonaws.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 18.22 seconds
The above command scans a website or a domain to find its open ports, but by default it scans only 1000 ports per host (Nmap’s default list of common ports), which is enough to cover the standard services.
Scan a Network – IP Range
You may need to scan a network to find which IPs are up, and then scan each of those IPs individually.
root@kali:~# nmap -oG - 10.0.2.0-255 -p 22 -vv > MyNetworkScanResult.txt
The above command basically scans a range of IPs to check whether a specific port (22, for example) is open or not, and records the result in a text file to process later. The -oG - option writes the result to standard output in Nmap’s “grepable” format, one line per host, which is what makes the grep/awk processing below possible.
Host: 10.0.2.253 () Status: Down
Host: 10.0.2.254 () Status: Down
Host: 10.0.2.255 () Status: Down
Host: 10.0.2.1 () Status: Up
Host: 10.0.2.1 () Ports: 22/closed/tcp//ssh///
Host: 10.0.2.2 () Status: Up
Host: 10.0.2.2 () Ports: 22/open/tcp//ssh///
Host: 10.0.2.3 () Status: Up
Host: 10.0.2.3 () Ports: 22/filtered/tcp//ssh///
Host: 10.0.2.4 () Status: Up
Host: 10.0.2.4 () Ports: 22/open/tcp//ssh///
Host: 10.0.2.15 () Status: Up
Host: 10.0.2.15 () Ports: 22/closed/tcp//ssh///
The above is a portion of the result in the text file.
- The status of an IP tells whether it is assigned to a machine that responded to Nmap (Up) or not (Down).
- For port 22, open means the machine accepts traffic on port 22.
- If it’s filtered, a firewall or packet filter is dropping Nmap’s probes, so Nmap cannot tell whether the port is open; either way you cannot reach it.
- If it’s closed, the machine is reachable but no service is listening on that port.
root@kali:~# cat MyNetworkScanResult.txt | grep "Up" | awk -F " " '{print $2}' > Up_IPs.txt
Now, we need to open the file, keep only the IPs that are up, and finally print them.
The above command consists of 4 parts.
- The 1st part opens the file.
- The 2nd part selects the lines that contain the word “Up”.
- The 3rd part splits each line into space-separated columns and prints the 2nd column, which is the IP address.
- The 4th part redirects the output to a text file.
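The same processing as a small, reusable shell script, as an added example (not from the original post): it reads Nmap grepable output from standard input, lists the hosts that are Up, and also keeps the per-port state so that open, filtered and closed hosts can be told apart instead of being thrown away by the grep. The sample scan embedded in sample_scan is constructed in the same format as the output above; in practice you would feed it MyNetworkScanResult.txt instead.

```shell
#!/bin/sh
# Added example: parse Nmap -oG (grepable) output.
# Usage with a real file:  up_hosts < MyNetworkScanResult.txt

# CONSTRUCTED sample in the grepable format produced by "nmap -oG - ... -p 22 -vv".
sample_scan() {
cat <<'EOF'
Host: 10.0.2.253 () Status: Down
Host: 10.0.2.1 () Status: Up
Host: 10.0.2.1 () Ports: 22/closed/tcp//ssh///
Host: 10.0.2.2 () Status: Up
Host: 10.0.2.2 () Ports: 22/open/tcp//ssh///
Host: 10.0.2.3 () Status: Up
Host: 10.0.2.3 () Ports: 22/filtered/tcp//ssh///
Host: 10.0.2.4 () Status: Up
Host: 10.0.2.4 () Ports: 22/open/tcp//ssh///
Host: 10.0.2.15 () Status: Up
Host: 10.0.2.15 () Ports: 22/closed/tcp//ssh///
EOF
}

# Print the IP of every host whose status is Up.  Matching on the
# "Status: Up" field (rather than the bare word "Up") avoids false hits
# from hostnames or service names that happen to contain "Up".
up_hosts() {
    awk '/Status: Up/ {print $2}'
}

# Print "IP port state" for every scanned port.  Each port token after
# "Ports:" has the form port/state/protocol//service///; several ports are
# comma separated, and an optional "Ignored State:" summary may follow.
port_states() {
    awk '
        /Ports:/ {
            ip = $2
            start = 0
            for (i = 1; i <= NF; i++) if ($i == "Ports:") { start = i + 1; break }
            for (i = start; start > 0 && i <= NF; i++) {
                if ($i == "Ignored") break
                n = split($i, f, "/")
                if (n >= 2) print ip, f[1], f[2]
            }
        }'
}

# Print the hosts whose scanned port is in the given state (open, filtered, closed).
hosts_with_state() {
    port_states | awk -v want="$1" '$3 == want {print $1}'
}

echo "Hosts that are up:";          sample_scan | up_hosts
echo "Port 22 open:";               sample_scan | hosts_with_state open
echo "Port 22 filtered (firewall):"; sample_scan | hosts_with_state filtered
```

Replacing sample_scan with cat MyNetworkScanResult.txt reproduces the post’s Up_IPs.txt (sample_scan | up_hosts > Up_IPs.txt), while hosts_with_state filtered gives you the hosts that are worth a second look because a filter, not the host itself, answered.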
root@kali:~# cat Up_IPs.txt
10.0.2.1
10.0.2.2
10.0.2.3
10.0.2.4
10.0.2.15
The IPs printed to the text file.
root@kali:~# nmap -iL Up_IPs.txt > Scan_Results.txt
This command scans only the IPs that are up (-iL reads the target list from a file), and the scan results are stored in a text file. Finally, below are the scan results.
root@kali:~# cat Scan_Results.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 16:36 EET
Stats: 0:00:15 elapsed; 0 hosts completed (4 up), 4 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:15 elapsed; 0 hosts completed (4 up), 4 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 10.0.2.1
Host is up (0.00011s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)

Nmap scan report for 10.0.2.2
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
631/tcp   open  ipp
3306/tcp  open  mysql
50006/tcp open  unknown
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)

Nmap scan report for 10.0.2.3
Host is up (0.00036s latency).
All 1000 scanned ports on 10.0.2.3 are filtered
MAC Address: 08:00:27:DB:AA:DB (Oracle VirtualBox virtual NIC)

Nmap scan report for 10.0.2.4
Host is up (0.00018s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:B8:87:F1 (Oracle VirtualBox virtual NIC)

Nmap scan report for 10.0.2.15
Host is up (0.000010s latency).
All 1000 scanned ports on 10.0.2.15 are closed

Nmap done: 5 IP addresses (5 hosts up) scanned in 26.59 seconds
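A results file like Scan_Results.txt is long, and what a reviewer usually wants is one line per host showing what it exposes. The script below is an added example (not part of the original post) that condenses Nmap’s normal output into such a summary and flags hosts where every port came back filtered, which usually means a firewall answered rather than the host. The report embedded in sample_report is a constructed excerpt in the same layout as the output above; in practice you would run summarise_report < Scan_Results.txt.

```shell
#!/bin/sh
# Added example: condense Nmap's normal (human-readable) output into a
# per-host summary.  Usage with a real file:  summarise_report < Scan_Results.txt

# CONSTRUCTED excerpt in the layout of the post's Scan_Results.txt.
sample_report() {
cat <<'EOF'
Nmap scan report for 10.0.2.1
Host is up (0.00011s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)

Nmap scan report for 10.0.2.3
Host is up (0.00036s latency).
All 1000 scanned ports on 10.0.2.3 are filtered

Nmap scan report for 10.0.2.4
Host is up (0.00018s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
3306/tcp open  mysql

Nmap scan report for 10.0.2.15
Host is up (0.000010s latency).
All 1000 scanned ports on 10.0.2.15 are closed
EOF
}

# One output line per host:
#   <ip> open: <port/proto:service,...>   when at least one port is open
#   <ip> all-filtered                     when Nmap reported every port filtered
#   <ip> no-open-ports                    otherwise (e.g. every port closed)
summarise_report() {
    awk '
        # Emit the summary for the host collected so far, if any.
        function flush(   msg) {
            if (ip == "") return
            if (ports != "") msg = "open: " ports
            else if (allfilt) msg = "all-filtered"
            else msg = "no-open-ports"
            print ip, msg
        }
        # A new host starts; the last field is the IP, or "(IP)" when a
        # hostname was given, so strip any parentheses.
        /^Nmap scan report for / {
            flush(); ip = $NF; gsub(/[()]/, "", ip); ports = ""; allfilt = 0; next
        }
        /^All [0-9]+ scanned ports .* are filtered/ { allfilt = 1; next }
        # Port table rows look like "22/tcp   open  ssh"; keep only open ones.
        /^[0-9]+\/(tcp|udp) +open/ {
            ports = ports (ports == "" ? "" : ",") $1 ":" $3; next
        }
        END { flush() }'
}

sample_report | summarise_report
```

The summary makes the difference between 10.0.2.3 and 10.0.2.15 visible at a glance: both show nothing open, but one is shielded by a filter while the other simply has no listening services on the scanned ports.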
In the above tutorial, I’ve tried to demonstrate how NMAP works in a simple way, but there is much more to NMAP if we dig deeper.
You can check the NMAP cheat sheet, and you can also find my other blogs related to ethical hacking here.
Thank you for reading!