NMAP for Port Scanning and Footprinting

Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Red teams and penetration testers (ethical hackers) mainly use Nmap for port scanning and network footprinting.

In this blog, you’ll learn Nmap basics and how to use it for common network scanning tasks.

What Information Does Nmap Provide?

Nmap uses raw IP packets in novel ways to determine information about the hosts on a network:

  • which hosts are available on the network;
  • which services (application name and version) those hosts are offering;
  • which operating systems (and OS versions) they are running;
  • what type of packet filters/firewalls are in use.

Moreover, Nmap was designed to rapidly scan large networks, but it works fine against single hosts. It runs on all major operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

In addition to the classic command-line Nmap executable, the Nmap suite includes Zenmap, an advanced GUI and results viewer.

Installing NMAP

The Nmap website contains detailed instructions for downloading and installing it on every supported operating system.

DNS Lookup

At the beginning of any test, we need to look up the IP address that a domain resolves to, or the domain that belongs to an IP.

root@kali:~# nslookup halim.website
 Server:         10.0.2.1
 Address:        10.0.2.1#53

 Non-authoritative answer:
 Name:   halim.website
 Address: 104.28.20.45

nslookup simply sends a DNS query to resolve a domain to an IP address, or vice versa (a reverse lookup).

root@kali:~# nmap halim.website
 Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 15:08 EET
 Nmap scan report for halim.website (104.28.20.45)
 Host is up (0.026s latency).
 Other addresses for halim.website (not scanned): 2606:4700:30::681c:152d 2606:4700:30::681c:142d
 Not shown: 997 filtered ports
 PORT     STATE SERVICE
 80/tcp   open  http
 443/tcp  open  https
 8080/tcp open  http-proxy
 Nmap done: 1 IP address (1 host up) scanned in 9.15 seconds

The above command scans a host or domain for open ports. By default Nmap scans only the 1000 most commonly used TCP ports, chosen from the frequency table in its nmap-services file, not the first 1000 port numbers; use -p- to scan all 65535 ports, or -p with an explicit list. The default scan type is a SYN scan (-sS) when run as root and a TCP connect scan (-sT) otherwise. Note that the SERVICE column (for example http-proxy on 8080) is simply the name that nmap-services assigns to that port number, not the result of probing the service; add -sV if you want Nmap to identify what is actually listening. Also, when a hostname resolves to several addresses, Nmap scans only the first one and lists the rest as “not scanned”, as in the output above.

Scan a Network – IP Range

You may need to scan a whole network first to find which IPs are live, and then scan each live host individually.

root@kali:~# nmap -oG - 10.0.2.0-255 -p 22 -vv > MyNetworkScanResult.txt

The above command scans a range of IPs (10.0.2.0-255, the same as 10.0.2.0/24) to check whether a specific port (22 in this example) is open, and writes the result in grepable format (-oG -) to a text file for later processing. With -vv, hosts that are down are listed as well; without verbosity Nmap omits them from the grepable output.

 Host: 10.0.2.253 ()     Status: Down
 Host: 10.0.2.254 ()     Status: Down
 Host: 10.0.2.255 ()     Status: Down
 Host: 10.0.2.1 ()       Status: Up
 Host: 10.0.2.1 ()       Ports: 22/closed/tcp//ssh///
 Host: 10.0.2.2 ()       Status: Up
 Host: 10.0.2.2 ()       Ports: 22/open/tcp//ssh///
 Host: 10.0.2.3 ()       Status: Up
 Host: 10.0.2.3 ()       Ports: 22/filtered/tcp//ssh///
 Host: 10.0.2.4 ()       Status: Up
 Host: 10.0.2.4 ()       Ports: 22/open/tcp//ssh///
 Host: 10.0.2.15 ()      Status: Up
 Host: 10.0.2.15 ()      Ports: 22/closed/tcp//ssh///

The above is a portion of the result in the text file.

  • The status of an IP tells you whether a host answered Nmap’s host discovery probes: Up means something responded, Down means nothing did. A host that silently drops pings can show as Down even though it exists; -Pn skips host discovery and scans it anyway.
  • For port 22, open means an application on that machine is accepting connections on port 22.
  • If it’s filtered, Nmap received no answer at all: a firewall or packet filter dropped the probe, so Nmap cannot tell whether the port is open or closed.
  • If it’s closed, the host is reachable and answered (with a TCP RST), but no service is listening on that port.

root@kali:~# cat MyNetworkScanResult.txt | grep "Status: Up" | awk -F " " '{print $2}' > Up_IPs.txt

Next, we need to read the file, keep only the IPs that are up, and save them.

The above command consists of 4 parts.

  • The 1st part (cat) reads the file.
  • The 2nd part (grep) keeps only the lines containing “Status: Up”. Matching the whole field rather than the bare word “Up” avoids picking up lines where a hostname happens to contain it.
  • The 3rd part (awk) splits each line into columns separated by whitespace and prints the 2nd column, which is the IP address.
  • The 4th part redirects the output to a text file.
 root@kali:~# cat Up_IPs.txt 
 10.0.2.1
 10.0.2.2
 10.0.2.3
 10.0.2.4
 10.0.2.15

These are the IPs saved in the text file.

 root@kali:~# nmap -iL Up_IPs.txt > Scan_Results.txt

This command reads the target list from the file (-iL) and scans only the IPs that are up; the results are stored in a text file. The scan results are shown below.

root@kali:~# cat Scan_Results.txt 
 Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 16:36 EET
 Stats: 0:00:15 elapsed; 0 hosts completed (4 up), 4 undergoing Host Discovery
 Parallel DNS resolution of 1 host. Timing: About 0.00% done
 Stats: 0:00:15 elapsed; 0 hosts completed (4 up), 4 undergoing Host Discovery
 Parallel DNS resolution of 1 host. Timing: About 0.00% done
 Nmap scan report for 10.0.2.1
 Host is up (0.00011s latency).
 Not shown: 999 closed ports
 PORT   STATE SERVICE
 53/tcp open  domain
 MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)
 Nmap scan report for 10.0.2.2
 Host is up (0.00044s latency).
 Not shown: 995 closed ports
 PORT      STATE SERVICE
 22/tcp    open  ssh
 80/tcp    open  http
 631/tcp   open  ipp
 3306/tcp  open  mysql
 50006/tcp open  unknown
 MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)
 Nmap scan report for 10.0.2.3
 Host is up (0.00036s latency).
 All 1000 scanned ports on 10.0.2.3 are filtered
 MAC Address: 08:00:27:DB:AA:DB (Oracle VirtualBox virtual NIC)
 Nmap scan report for 10.0.2.4
 Host is up (0.00018s latency).
 Not shown: 977 closed ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 22/tcp   open  ssh
 23/tcp   open  telnet
 25/tcp   open  smtp
 53/tcp   open  domain
 80/tcp   open  http
 111/tcp  open  rpcbind
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 512/tcp  open  exec
 513/tcp  open  login
 514/tcp  open  shell
 1099/tcp open  rmiregistry
 1524/tcp open  ingreslock
 2049/tcp open  nfs
 2121/tcp open  ccproxy-ftp
 3306/tcp open  mysql
 5432/tcp open  postgresql
 5900/tcp open  vnc
 6000/tcp open  X11
 6667/tcp open  irc
 8009/tcp open  ajp13
 8180/tcp open  unknown
 MAC Address: 08:00:27:B8:87:F1 (Oracle VirtualBox virtual NIC)
 Nmap scan report for 10.0.2.15
 Host is up (0.000010s latency).
 All 1000 scanned ports on 10.0.2.15 are closed
 Nmap done: 5 IP addresses (5 hosts up) scanned in 26.59 seconds
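To make the host-discovery step, the port-state reading and the grep/awk filtering above reusable, here is an added shell example (my code, not part of the original post and not part of Nmap) that parses Nmap’s grepable (-oG) output. It generalises the pipeline above to any port and any of the three states (open, closed, filtered), and to hosts that report several ports on one Ports: line. The -oG sample it parses is constructed to mirror the scan above; the hostnames Upstream.local and Upgraded are invented to show why matching the bare word “Up” goes wrong. The function names are my own.

```shell
#!/usr/bin/env bash
# Added example: post-process Nmap grepable output (-oG).
# Field layout assumed (what Nmap prints in -oG mode; fields are tab-separated):
#   Host: <ip> (<hostname>)<TAB>Status: Up|Down
#   Host: <ip> (<hostname>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ...
set -u

# Constructed sample mirroring the -oG scan above. The hostnames Upstream.local
# and Upgraded are invented to show the pitfall of grepping for the bare word "Up".
sample_gnmap() {
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: 10.0.2.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.2.1 ()\tPorts: 22/closed/tcp//ssh///\n'
    printf 'Host: 10.0.2.2 (Upstream.local)\tStatus: Up\n'
    printf 'Host: 10.0.2.2 (Upstream.local)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n'
    printf 'Host: 10.0.2.3 ()\tStatus: Up\n'
    printf 'Host: 10.0.2.3 ()\tPorts: 22/filtered/tcp//ssh///\n'
    printf 'Host: 10.0.2.4 ()\tStatus: Up\n'
    printf 'Host: 10.0.2.4 ()\tPorts: 22/open/tcp//ssh///, 1022/open/tcp/////\n'
    printf 'Host: 10.0.2.15 ()\tStatus: Up\n'
    printf 'Host: 10.0.2.15 ()\tPorts: 22/closed/tcp//ssh///\n'
    printf 'Host: 10.0.2.254 (Upgraded)\tStatus: Down\n'
    printf '# Nmap done (constructed sample)\n'
}

# The pipeline from the post: any line containing "Up". On this sample it also
# returns the Down host named Upgraded and lists 10.0.2.2 twice (hostname Upstream.local).
naive_up_hosts() {   # naive_up_hosts FILE
    grep "Up" "$1" | awk '{print $2}'
}

# IPs of hosts that answered host discovery: compare the whole Status field.
up_hosts() {   # up_hosts FILE
    awk 'BEGIN { FS = "\t" }
         $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1"
}

# IPs whose Ports field lists PORT/tcp in STATE (open, closed or filtered).
# Entries are separated by ", "; matching from the start of each entry keeps
# port 22 from also matching 1022.
hosts_with_port() {   # hosts_with_port FILE PORT STATE
    awk -v want="$2/$3/tcp/" 'BEGIN { FS = "\t" }
        $2 ~ /^Ports: / {
            n = split(substr($2, 8), e, ", ")
            for (i = 1; i <= n; i++)
                if (index(e[i], want) == 1) { split($1, h, " "); print h[2]; break }
        }' "$1"
}

# One-line tally of how many hosts have PORT in each state, e.g. "open=2 closed=2 filtered=1".
port_state_summary() {   # port_state_summary FILE PORT
    local out="" s
    for s in open closed filtered; do
        out="$out${out:+ }$s=$(hosts_with_port "$1" "$2" "$s" | wc -l | tr -d ' ')"
    done
    printf '%s\n' "$out"
}

main() {
    local f
    f=$(mktemp)
    sample_gnmap > "$f"
    echo "grep \"Up\" pipeline:"; naive_up_hosts "$f"
    echo "Status: Up field:";     up_hosts "$f"
    echo "22/tcp open on:";       hosts_with_port "$f" 22 open
    echo "22/tcp summary: $(port_state_summary "$f" 22)"
    # The up_hosts list is what you would save to Up_IPs.txt and feed back in with nmap -iL.
    rm -f "$f"
}
main
```

Save the script, run it, and compare the two host lists: the naive grep returns seven entries for five live hosts, while matching the full Status field returns exactly the five. The same awk loop can be pointed at the -oG output of the follow-up nmap -iL scan to pull out, for example, every host with 445/tcp open.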

In the above tutorial, I’ve tried to demonstrate in a simple way how Nmap works. But Nmap has much more to offer if we dig deeper.

You can check the Nmap cheat sheet, and you can also check my other blogs related to ethical hacking.

Thank you for reading!
