A penetration test is a process that white-hat hackers and penetration testing specialists carry out within the boundaries of a defined methodology. Before the pentest starts, the owner of the target system must sign a few agreements, such as a Scope of Work, Rules of Engagement, and a Non-Disclosure Agreement, which set out what may be tested, how, and what may be disclosed afterwards.
Knowledge is power
It is necessary to gather as much information about the target system as possible. More information about the target means more to enumerate, which in turn translates into more exploitation possibilities.
Nmap, one of the most important tools used for information gathering, scans a target IP range and reports open, closed, and filtered ports, the operating systems in use, and the services running on those ports. It can also be used to map the target network.
Standard ports
Every device connected to a network has 65536 port numbers (0 to 65535) for TCP and another 65536 for UDP. Some of those are well-known standard ports: HTTP uses port 80, HTTPS uses 443, the Windows NetBIOS session service uses 139, and SMB uses 445. System administrators can move services to non-standard ports, but this is not common; when they do, Nmap's service detection (-sV) still identifies the service from its responses rather than from the port number alone.
The working principle of Nmap is simple: it sends probes to each port in scope and classifies every port as open, closed, or filtered based on the response, or the absence of one.
An open port means that an application, service, or protocol is listening on it. After identifying the open ports, the tester can obtain the details of the running services and their versions through the enumeration process.
An industry standard: Nmap
It is possible to check and identify every port manually, but on a large network it takes far too much time and skews the effort/cost balance. That is why tools that automate such processes are crucial for speed and for reducing the margin of error.
So what makes Nmap special among all of those tools? Nmap is the acknowledged standard across the cybersecurity industry, and it delivers better results more quickly than its alternatives. Its functionality is not limited to gathering information: thanks to the Nmap Scripting Engine (NSE), it can also be used for vulnerability detection.
Like many other penetration testing tools, Nmap is installed and launched from a Linux terminal. On Debian-based distributions you can install it with:
sudo apt install nmap
To run Nmap properly you pass parameters together with the nmap command. The help parameter lists the available options:
nmap -h
For port scanning, Nmap provides three basic scan types:
- TCP Connect scanning ( -sT )
- SYN Half-open scanning ( -sS )
- UDP scanning ( -sU )
Besides those three, there are additional scan types that are less likely to be needed in a penetration test:
- TCP Null scanning ( -sN )
- TCP FIN scanning ( -sF )
- TCP Xmas scanning ( -sX )
Before going through the scanning process with Nmap, let's have a look at how TCP and UDP connections are structured.
TCP Connect Scanning
To understand TCP connect scanning, it is essential to be familiar with the TCP three-way handshake. As its name suggests, it consists of three stages: the client sends a SYN packet to the target; the server replies with a SYN/ACK packet; and the client completes the handshake by sending back an ACK packet.
A TCP connect scan (-sT) uses the operating system's connect() call, so the full three-way handshake takes place. A SYN is sent to the target port; if the target answers with RST, Nmap marks the port as closed; if it answers with SYN/ACK, the handshake is completed and the port is marked as open. If there is no answer after retransmission, or an ICMP unreachable error comes back (typically because a firewall dropped or rejected the probe), Nmap reports the port as filtered. Because the connection is fully established, the listening application usually logs it.
SYN scanning
SYN scans (-sS) are also called "half-open" or "stealth" scans. As mentioned above, a TCP connect scan completes the three-way handshake. In a SYN scan, the procedure differs at the last step: when the SYN/ACK comes back, Nmap sends an RST instead of an ACK, tearing the connection down before it is ever established.
Using SYN scanning has advantages in a penetration test. It is faster than a connect scan because the handshake is never completed, and it is quieter at the application layer: since no connection is established, the listening service never sees it and typically does not log it. The "stealth" label is historical, though; any modern IDS or IPS detects SYN scans trivially, so do not rely on -sS to evade network monitoring.
A SYN scan crafts raw packets, so it requires root privileges; on Linux it must be run with sudo, otherwise Nmap refuses to run the scan (without root, Nmap defaults to a connect scan). Be aware that fragile embedded devices and unstable network equipment can misbehave under any port scan, so agree on timing and scope before scanning production systems.
During a SYN scan, Nmap interprets responses just as it does for a connect scan: SYN/ACK means open, RST means closed, and no response (or an ICMP unreachable error) means the port is filtered, usually by a firewall.
UDP scanning
UDP is connectionless, unlike TCP. Datagrams are sent directly to the target port without any handshake. UDP is preferred where speed matters more than delivery guarantees; video streaming and DNS are typical examples.
Because there is no handshake, a UDP scan cannot rely on a SYN/ACK to confirm that a port is open, so it is slower and its results are more ambiguous than those of TCP scans. UDP is still worth scanning during a penetration test, since services such as DNS, SNMP, and NTP run over it; Nmap's UDP scan is selected with the -sU parameter.
Interpreting a UDP scan takes care. If the target sends back an ICMP port unreachable message (type 3, code 3), the port is closed. If a UDP response comes back, the port is open. If nothing comes back, Nmap reports the port as open|filtered: the service may be listening but silently ignoring the probe, or a firewall may be dropping it. Adding version detection (-sU -sV) sends protocol-specific payloads that turn many open|filtered results into a definite open.
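The response rules described above for TCP connect scans and for UDP scans, as an added example that is not code from the original article or from the Nmap project: a minimal prober that applies the same classification (open, closed, filtered for TCP; open, closed, open|filtered for UDP) against listeners it starts itself on 127.0.0.1, so it runs offline. The listeners, the probe payload and the TEST-NET address used for the filtered case are constructed for the example; they are not something Nmap does.

```python
# Added example, not from the original article or the Nmap project.
import socket
import threading

TCP_OPEN, TCP_CLOSED, TCP_FILTERED = "open", "closed", "filtered"
UDP_OPEN, UDP_CLOSED, UDP_OPEN_FILTERED = "open", "closed", "open|filtered"


def tcp_connect_probe(host, port, timeout=1.0):
    """TCP connect scan logic for one port (what -sT does through connect())."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))       # the kernel completes the 3-way handshake
            return TCP_OPEN               # SYN/ACK came back, handshake done
        except ConnectionRefusedError:
            return TCP_CLOSED             # RST came back
        except OSError:
            return TCP_FILTERED           # timeout or ICMP unreachable: dropped/rejected


def udp_probe(host, port, timeout=1.0, retries=2):
    """UDP scan logic for one port: only an ICMP port unreachable proves 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))           # connected UDP socket: ICMP errors are reported on it
        for _ in range(retries):          # like Nmap, retransmit before giving up
            try:
                s.send(b"\x00")           # constructed probe payload
                s.recv(1024)
                return UDP_OPEN           # a UDP reply came back
            except ConnectionRefusedError:
                return UDP_CLOSED         # ICMP type 3 code 3 (port unreachable)
            except socket.timeout:
                continue
        return UDP_OPEN_FILTERED          # silence: listening but quiet, or firewalled


# Loopback listeners constructed for the example, one per outcome.
def start_tcp_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def start_udp_listener(reply):
    """Bind a UDP socket; with reply=True echo probes back, otherwise stay silent like many services."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    if reply:
        srv.settimeout(0.2)               # lets the echo thread notice when the socket is closed

        def echo():
            while srv.fileno() != -1:
                try:
                    data, peer = srv.recvfrom(1024)
                    srv.sendto(data, peer)
                except socket.timeout:
                    continue
                except OSError:
                    return                # socket closed by the caller
        threading.Thread(target=echo, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(host="127.0.0.1"):
    """Exercise every outcome against loopback listeners; returns {label: state}."""
    results = {}
    srv, port = start_tcp_listener()
    results["tcp listening"] = tcp_connect_probe(host, port)
    srv.close()
    results["tcp nothing listening"] = tcp_connect_probe(host, port)
    # 192.0.2.1 is in TEST-NET-1, which is never routable: no answer means "filtered"
    results["tcp unreachable"] = tcp_connect_probe("192.0.2.1", 80, timeout=0.5)
    srv, port = start_udp_listener(reply=True)
    results["udp replying service"] = udp_probe(host, port, timeout=0.5)
    srv.close()
    results["udp nothing listening"] = udp_probe(host, port, timeout=0.5)
    srv, port = start_udp_listener(reply=False)
    results["udp silent service"] = udp_probe(host, port, timeout=0.5)
    srv.close()
    return results


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:25s} -> {state}")
```

The silent UDP listener is the case that makes -sU slow and ambiguous: the port really is open, but the prober can only say open|filtered, exactly as Nmap would without a protocol-specific payload.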
Nmap Cheat Sheet
Defining the target
| Definition | Parameter | Example |
|---|---|---|
| Scan a single IP | | nmap 192.168.1.1 |
| Scan multiple IPs | | nmap 192.168.1.1 192.168.2.1 |
| Scan an IP range | | nmap 192.168.1.1-254 |
| Scan with CIDR notation | | nmap 192.168.1.0/24 |
| Scan a domain name | | nmap scanme.nmap.org |
| Scan the targets listed in a file | -iL | nmap -iL targets.txt |
| Scan 100 random Internet hosts | -iR | nmap -iR 100 |
| Exclude an IP from the scan | --exclude | nmap 192.168.1.0/24 --exclude 192.168.1.1 |
Scanning techniques
| Definition | Parameter | Example |
|---|---|---|
| TCP SYN scan (requires root) | -sS | nmap 192.168.1.1 -sS |
| TCP connect scan | -sT | nmap 192.168.1.1 -sT |
| UDP scan | -sU | nmap 192.168.1.1 -sU |
| TCP ACK scan (maps firewall rules: unfiltered/filtered, not open/closed) | -sA | nmap 192.168.1.1 -sA |
| TCP Window scan | -sW | nmap 192.168.1.1 -sW |
| TCP Maimon scan | -sM | nmap 192.168.1.1 -sM |
Target discovery
| Definition | Parameter | Example |
|---|---|---|
| List the targets only, without scanning them | -sL | nmap 192.168.1.1-3 -sL |
| Host discovery only (ping scan), no port scan | -sn | nmap 192.168.1.1/24 -sn |
| Skip host discovery and treat every target as up; port scan only | -Pn | nmap 192.168.1.1-5 -Pn |
| TCP SYN ping to the given ports (default 80) | -PS | nmap 192.168.1.1-5 -PS22-25,80 |
| TCP ACK ping to the given ports (default 80) | -PA | nmap 192.168.1.1-5 -PA22-25,80 |
| UDP ping to the given ports (default 40125) | -PU | nmap 192.168.1.1-5 -PU53 |
| ARP ping on the local network | -PR | nmap 192.168.1.0/24 -PR |
| No DNS resolution | -n | nmap 192.168.1.1 -n |
Port Specification
| Definition | Parameter | Example |
|---|---|---|
| Scan a single port | -p | nmap 192.168.1.1 -p 21 |
| Scan a port range | -p | nmap 192.168.1.1 -p 21-100 |
| Scan TCP and UDP ports by protocol (needs -sU plus a TCP scan type) | -p | nmap 192.168.1.1 -sS -sU -p U:53,T:21-25,80 |
| Scan all ports (1 to 65535) | -p- | nmap 192.168.1.1 -p- |
| Scan ports by service name | -p | nmap 192.168.1.1 -p http,https |
| Fast scan (the 100 most common ports) | -F | nmap 192.168.1.1 -F |
| Scan the X most common ports | --top-ports | nmap 192.168.1.1 --top-ports 2000 |
| Scan ports 1 through X | -p-X | nmap 192.168.1.1 -p-1024 |
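The -p grammar used throughout the table above (single ports, ranges, open-ended ranges, the bare "-" for everything, and sticky T:/U: protocol prefixes), as an added example that is not code from the original article or from the Nmap project: a parser that turns a port specification into per-protocol port sets. The real tool resolves service names such as http through its nmap-services file; here SERVICE_NAMES is a constructed stand-in covering only a few names, and the default_protos argument stands in for the protocols of the scan types that were requested on the command line.

```python
# Added example, not from the original article or the Nmap project.
MAX_PORT = 65535
PROTO_PREFIXES = {"T": "tcp", "U": "udp", "S": "sctp"}
SERVICE_NAMES = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}  # constructed subset of nmap-services


def _expand(item):
    """Expand one element: 'N', 'A-B', '-B' (1..B), 'A-' (A..65535), '-' (1..65535), or a service name."""
    if item in SERVICE_NAMES:
        return {SERVICE_NAMES[item]}
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1          # "-B" and "-" start at 1 (port 0 only when asked for explicitly)
        hi = int(hi) if hi else MAX_PORT   # "A-" and "-" run to the last port
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError(f"bad port range: {item!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec, default_protos=("tcp",)):
    """Return {"tcp": set, "udp": set, "sctp": set} for an Nmap -p argument.

    A T:/U:/S: prefix is sticky: it applies to every following element until
    the next prefix. Elements before any prefix go to default_protos, which
    stands for the protocols of the scan types requested (-sS/-sT and/or -sU).
    """
    ports = {"tcp": set(), "udp": set(), "sctp": set()}
    current = list(default_protos)
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty element in port specification")
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTO_PREFIXES:
            current = [PROTO_PREFIXES[item[0].upper()]]
            item = item[2:]
            if not item:
                continue                   # a bare prefix just switches protocol
        expanded = _expand(item)
        for proto in current:
            ports[proto] |= expanded
    return ports


def describe(spec, default_protos=("tcp",)):
    """Human-readable count per protocol, handy for sanity-checking a spec before a long scan."""
    parsed = parse_port_spec(spec, default_protos)
    return {proto: len(p) for proto, p in parsed.items() if p}


if __name__ == "__main__":
    for spec in ("U:53,T:21-25,80", "-", "-1024", "http,https", "U:53,111,137"):
        print(f"{spec:20s} -> {describe(spec)}")
```

Note that without a prefix the element 80 in U:53,T:21-25,80 lands in TCP because the T: prefix before it is still in effect; that is also why the table's example needs both -sU and a TCP scan type, otherwise one half of the specification is silently dropped.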
OS detection with Nmap
| Definition | Parameter | Example |
|---|---|---|
| Try to detect the target's operating system | -O | nmap 192.168.1.1 -O |
| Skip OS detection against hosts that do not have at least one open and one closed TCP port | -O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit |
| Guess the OS more aggressively when there is no exact fingerprint match | -O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess |
| Limit OS detection to X attempts per target (default 5) | -O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 |
| Aggressive scan: OS detection, version detection, default scripts, and traceroute | -A | nmap 192.168.1.1 -A |
Service and version detection with Nmap
| Definition | Parameter | Example |
|---|---|---|
| Detect the versions of the services running on the target | -sV | nmap 192.168.1.1 -sV |
| Set the version-probe intensity (0 to 9, default 7) | -sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 |
| Light mode (intensity 2): faster, less accurate | -sV --version-light | nmap 192.168.1.1 -sV --version-light |
| Try every probe (intensity 9): slowest, most thorough | -sV --version-all | nmap 192.168.1.1 -sV --version-all |
| Aggressive scan: OS detection, version detection, default scripts, and traceroute | -A | nmap 192.168.1.1 -A |
Time and performance settings
| Definition | Parameter | Example |
|---|---|---|
| Paranoid: extremely slow, intended for IDS evasion | -T0 | nmap 192.168.1.1 -T0 |
| Sneaky: slow, intended for IDS evasion | -T1 | nmap 192.168.1.1 -T1 |
| Polite: slower, uses less bandwidth and target resources | -T2 | nmap 192.168.1.1 -T2 |
| Normal (default) | -T3 | nmap 192.168.1.1 -T3 |
| Aggressive: faster, assumes a fast and reliable network | -T4 | nmap 192.168.1.1 -T4 |
| Insane: fastest, may sacrifice accuracy | -T5 | nmap 192.168.1.1 -T5 |
File output settings
| Definition | Parameter | Example |
|---|---|---|
| Normal output | -oN | nmap 192.168.1.1 -oN normal.file |
| XML output | -oX | nmap 192.168.1.1 -oX xml.file |
| Grepable output | -oG | nmap 192.168.1.1 -oG grep.file |
| All three formats at once (writes results.nmap, results.xml, and results.gnmap) | -oA | nmap 192.168.1.1 -oA results |
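The XML format (-oX) is the one to keep for further processing, because it records the port state, the reason Nmap gave for it, and the service version in machine-readable form. As an added example that is not code from the original article or from the Nmap project, the parser below turns such a file into a host/port list and separates confirmed open ports from the open|filtered UDP ports that deserve a targeted -sU -sV rescan. SAMPLE_XML is constructed for this example in the shape Nmap emits; the addresses, hostnames, ports and versions in it are made up.

```python
# Added example, not from the original article or the Nmap project.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap -oX output; all values are made up.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX results.xml 192.168.1.1" version="7.94">
<host>
  <status state="up" reason="arp-response"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <hostnames><hostname name="gateway.example" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
    <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
    <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
  </ports>
</host>
<host>
  <status state="down" reason="no-response"/>
  <address addr="192.168.1.2" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of hosts: {addr, hostname, state, ports: [{proto, port, state, reason, service, product, version}]}."""
    # Output written by your own Nmap run is trusted input; for XML from an
    # untrusted source parse it with defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")          # fall back to ipv6 or mac
        hn = host.find("hostnames/hostname")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": hn.get("name") if hn is not None else None,
            "state": host.find("status").get("state"),
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            entry["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),     # e.g. syn-ack, reset, no-response
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append(entry)
    return hosts


def open_services(hosts):
    """Flatten to (addr, proto, port, banner) for ports Nmap confirmed open (open|filtered excluded)."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                banner = " ".join(x for x in (p["service"], p["product"], p["version"]) if x)
                rows.append((h["addr"], p["proto"], p["port"], banner))
    return rows


def needs_follow_up(hosts):
    """UDP ports left open|filtered: candidates for a targeted rescan with -sU -sV -p U:<port>."""
    return [(h["addr"], p["port"]) for h in hosts for p in h["ports"]
            if p["proto"] == "udp" and p["state"] == "open|filtered"]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for row in open_services(parsed):
        print("%s %s/%d %s" % row)
    print("open|filtered UDP ports to recheck:", needs_follow_up(parsed))
```

To use it on a real scan, read the file written by -oX (or the .xml file from -oA) and pass its contents to parse_nmap_xml; the reason attribute is worth keeping in reports, since "syn-ack" and "no-response" tell the reader how confident the open/filtered verdict is.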