Enumeration

Introduction to Nmap

Nmap (Network Mapper) is a versatile open-source tool used for network discovery, security auditing, and enumeration, making it a key utility in both offensive and defensive cybersecurity tasks. Enumeration, which involves gathering detailed information from a target system, is crucial in penetration testing and network assessments, and Nmap plays a central role in this process by identifying live hosts, open ports, services, and operating systems. This data helps security professionals uncover potential vulnerabilities and misconfigurations that could be exploited. Nmap supports various scan types and advanced features, including OS detection and service versioning, while its scripting capabilities (NSE) allow for automated vulnerability assessments and configuration checks. By mastering Nmap, users can conduct comprehensive security audits, ensuring networks are better protected against threats.

Video Credit: NetworkChuck - Educational video on Nmap.

Installing Nmap

To install Nmap on a Debian or Ubuntu based system, use the following command (other distributions carry it in their own package repositories, and Windows and macOS installers are available from https://nmap.org/download.html):

sudo apt-get install nmap

After installing, you can verify the version with:

nmap --version

Basic Scanning Commands

The simplest use of Nmap is to scan a single IP address or hostname. With no other options Nmap probes the 1000 most commonly used TCP ports; when run as root it uses a SYN scan (-sS), otherwise it falls back to a full TCP connect scan (-sT). The SERVICE column in the output is a lookup of the port number in Nmap's nmap-services table, not a probe of what is actually listening, so use -sV (described below) when the service name matters:

nmap 192.168.1.1

Example output:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-10-12 18:00
Nmap scan report for 192.168.1.1
Host is up (0.00021s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds

Scanning an Entire Network

To scan an entire network range, use the CIDR notation to specify a subnet:

nmap 192.168.1.0/24

This command will scan all hosts within the specified subnet (256 IP addresses).

Stealth Scan (-sS)

A SYN scan (often called a half-open or "stealth" scan) sends a SYN to each port and classifies the port from the reply: a SYN/ACK means open, a RST means closed, and no answer or an ICMP unreachable error means filtered. Because Nmap never completes the three-way handshake, the connection is never handed to the listening application and so is less likely to show up in application logs. It is still fully visible to a firewall, a flow collector or an IDS, and it does not get past filtering rules; the "stealth" refers only to application-level logging. SYN scan needs raw-packet privileges, so it is the default when running as root and must be run with sudo otherwise:

nmap -sS 192.168.1.0/24

Example output:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-10-12 18:30
Nmap scan report for 192.168.1.10
Host is up (0.00015s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http

Nmap done: 256 IP addresses (10 hosts up) scanned in 5.03 seconds

Operating System Detection (-O)

Nmap can also guess the operating system of a target host. It sends a series of TCP, UDP and ICMP probes and compares details of the replies (initial TTL, TCP window size, TCP option ordering, IP ID behaviour and similar quirks of the target's TCP/IP stack) against the fingerprints in its nmap-os-db database. The guess is most reliable when Nmap finds at least one open and one closed TCP port on the target, and the option requires root privileges:

nmap -O 192.168.1.10

Example output:

Nmap scan report for 192.168.1.10
Host is up (0.00011s latency).
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4
OS details: Linux 4.8 - 4.15
Network Distance: 1 hop

Service Version Detection (-sV)

To identify the software and version behind each open port, enable service version detection. After the port scan, Nmap connects to each open port, reads any banner and sends protocol-specific probes from its nmap-service-probes database. Knowing the exact version lets you check a service against published advisories, but a banner is whatever the server chooses to send: it can be removed, altered or faked, and a distribution may have backported fixes without changing the version string, so treat the result as a claim to be verified rather than proof of a vulnerability:

nmap -sV 192.168.1.10

Example output:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.29

Aggressive Scan (-A)

An aggressive scan enables several features at once: OS detection (-O), version detection (-sV), the default NSE script set (-sC) and traceroute (--traceroute). It gives the most complete picture of a host in a single run, which makes it useful for in-depth analysis, but it is also the noisiest option Nmap offers, and the default scripts connect to and interrogate every open service, so use it only where that level of interaction with the target is authorized:

nmap -A 192.168.1.10

Scan Specific Ports (-p)

To scan specific ports, use the -p option followed by the port numbers:

nmap -p 22,80,443 192.168.1.10

To scan a range of ports, use:

nmap -p 1-1000 192.168.1.10

Scanning specific ports lets you focus on the services you care about and finishes far faster than a full scan. Keep in mind that the default scan covers only the 1000 most common ports, so a service listening on an unusual port is missed unless you widen the range: -p- covers all 65535 TCP ports, and --top-ports N covers the N most common ones.

Scan for UDP Ports (-sU)

To scan UDP ports, use the following command (root privileges are required). UDP scanning is slow because an open UDP service usually ignores an empty probe, while a closed port answers with an ICMP port unreachable message that most operating systems rate-limit (Linux to about one per second), so Nmap has to wait on timeouts and retransmissions for each port. A port that never answers is reported as open|filtered, because Nmap cannot tell an open service that stayed silent from a port whose probes a firewall dropped; adding -sV sends protocol-specific payloads and often resolves that ambiguity:

nmap -sU 192.168.1.10

Example output:

PORT    STATE         SERVICE
53/udp  open          domain
161/udp open|filtered snmp

Saving Scan Results to a File

Nmap allows you to save your scan results in various formats for further analysis or documentation:

nmap -oN output.txt 192.168.1.0/24  # Normal output
nmap -oX output.xml 192.168.1.0/24  # XML format
nmap -oG output.gnmap 192.168.1.0/24  # Grepable output

Saving results in different formats is useful for automation and for integrating with other tools: the XML output is the form most tools import, grepable output is convenient for awk and shell pipelines, and -oA basename writes all three formats at once.
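As an added example (not part of the original page), the following Python parses the two machine-readable formats above: the XML written by -oX, and grepable output from an -sn ping sweep saved with -oG, so that a sweep can feed a targeted follow-up scan and a version scan can feed an inventory. The scan data embedded in it is constructed to mirror this page's 192.168.1.x examples and is trimmed to the elements the parser reads.

```python
"""Parse Nmap's machine-readable output (-oX and -oG) so that results can feed
other tooling. Added example, not part of the original page; the scan data
below is constructed to match this page's 192.168.1.x examples."""
import re
import xml.etree.ElementTree as ET

# Constructed -oX output, trimmed to the elements the parser reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 192.168.1.10-11" version="7.91">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lan" type="PTR"/></hostnames>
    <ports><extraports state="closed" count="997"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.6p1" extrainfo="protocol 2.0"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/>
        <service name="domain"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.11" addrtype="ipv4"/></host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""

# Constructed -oG output from a ping sweep (nmap -sn -oG sweep.gnmap 192.168.1.0/24).
SAMPLE_GNMAP = """# Nmap 7.91 scan initiated Sat Oct 12 18:00:00 2024 as: nmap -sn -oG sweep.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.10 (web01.lan)\tStatus: Up
# Nmap done at Sat Oct 12 18:00:03 2024 -- 256 IP addresses (2 hosts up) scanned in 3.21 seconds"""


def parse_xml(xml_text):
    """Return {ip: {"hostname": ..., "ports": [...]}} for hosts Nmap saw as up.
    Each port keeps its state and reason, so callers can separate a confirmed
    'open' (syn-ack / udp-response) from the ambiguous UDP 'open|filtered'."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        name = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            svc = svc.attrib if svc is not None else {}
            ports.append({"protocol": port.get("protocol"), "port": int(port.get("portid")),
                          "state": state.get("state"), "reason": state.get("reason"),
                          "service": svc.get("name"), "product": svc.get("product"),
                          "version": svc.get("version")})
        results[ip] = {"hostname": name.get("name") if name is not None else None, "ports": ports}
    return results


def open_ports(results, include_open_filtered=False):
    """Flatten to sorted (ip, protocol, port, service) tuples. UDP 'open|filtered'
    means no reply at all, so it is left out unless the caller opts in."""
    wanted = {"open", "open|filtered"} if include_open_filtered else {"open"}
    return sorted((ip, p["protocol"], p["port"], p["service"])
                  for ip, h in results.items() for p in h["ports"] if p["state"] in wanted)


GNMAP_HOST = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def live_hosts_from_gnmap(gnmap_text):
    """IPs marked 'Status: Up' in grepable output; write them to a file and pass
    it with -iL to scan only the hosts that answered the sweep."""
    return [m.group(1) for m in map(GNMAP_HOST.match, gnmap_text.splitlines())
            if m and m.group(3) == "Up"]


def service_inventory(results):
    """Map 'product version' -> ['ip:port/proto', ...] for open ports that gave a
    banner, the shape a patch-tracking sheet wants. Banners are the server's
    claim about itself, not proof, so verify before acting on them."""
    inventory = {}
    for ip, h in results.items():
        for p in h["ports"]:
            if p["state"] == "open" and p["product"]:
                key = " ".join(x for x in (p["product"], p["version"]) if x)
                inventory.setdefault(key, []).append(f"{ip}:{p['port']}/{p['protocol']}")
    return inventory


if __name__ == "__main__":
    res = parse_xml(SAMPLE_XML)
    for row in open_ports(res, include_open_filtered=True):
        print(row)
    print("live hosts:", live_hosts_from_gnmap(SAMPLE_GNMAP))
    print("inventory:", service_inventory(res))
```

In practice you would replace the embedded strings with the contents of the files written by -oX and -oG; the -oG parser is deliberately limited to the Status line of an -sn sweep, since the port list that a full scan adds to grepable output is easier to take from the XML.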

Nmap Scripting Engine (NSE)

Nmap comes with a powerful scripting engine (NSE) that allows you to perform advanced scans. Scripts can be used for tasks like detecting vulnerabilities, brute force login attempts, or enumerating additional information:

nmap --script=http-enum 192.168.1.10

You can also run multiple scripts or whole categories. Note that the vuln and intrusive categories include scripts that actively probe and may crash or flood a target, so check what a script does with nmap --script-help <name> before running it against anything you do not own:

nmap --script "default,safe,vuln" 192.168.1.10

To list available scripts, run:

ls /usr/share/nmap/scripts/

The Nmap scripting engine greatly extends the capability of Nmap, allowing you to customize and automate scanning tasks.

Combining Multiple Options

Nmap allows you to combine multiple options to achieve a more customized and efficient scan. For example, to perform a SYN scan with OS detection, a faster timing template and normal output saved to a file, you can use:

nmap -sS -O -T4 -oN output.txt 192.168.1.1

Explanation:

-sS: TCP SYN scan (requires root).
-O: operating system detection.
-T4: the "aggressive" timing template, which shortens timeouts and sends probes in parallel more quickly.
-oN output.txt: write the results in normal, human-readable format to output.txt.

Combining options like this allows for more effective scanning, especially in situations where detailed information is required quickly.

Timing and Performance Options

Nmap provides six timing templates, ranging from -T0 (Paranoid) to -T5 (Insane), which control how aggressively Nmap sends probes:

-T0 paranoid: probes are sent one at a time with about five minutes between them; used only when evading time-based IDS thresholds matters more than speed.
-T1 sneaky: serialized probes with roughly 15 seconds between them.
-T2 polite: slows down and limits bandwidth to avoid burdening the target.
-T3 normal: the default; parallel probes with ordinary timeouts.
-T4 aggressive: assumes a fast, reliable network; shorter timeouts and more parallelism.
-T5 insane: trades accuracy for speed and may miss ports on slow or lossy links.

Adjusting the timing is crucial for tuning a scan to the target environment and the need for stealth. For example, -T4 is suitable for most internal networks where speed is more important than stealth, whereas -T0 is used when evading detection is critical, at the cost of scans that can take days to complete.

Host Discovery

Nmap can be used for host discovery to identify which devices are up in a network. When run as root against hosts on the same Ethernet segment it uses ARP requests, which are fast and cannot be blocked by a host firewall; against remote targets it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and treats any reply as a live host. Without root it falls back to TCP connect attempts to ports 80 and 443:

nmap -sn 192.168.1.0/24

This command performs a ping scan to list which hosts are up without scanning their ports. Hosts that drop all of these probes are reported as down, so on a network that blocks ICMP and the default probe ports you may need -Pn (skip discovery and scan every address) or -PS followed by a list of ports you know are open.

Detecting Firewalls and IDS

Nmap can be used to map firewall rules by observing how a host answers packets that belong to no existing connection. The ACK scan sends a bare TCP ACK to each port:

nmap -sA 192.168.1.10

A host that is not filtered replies to an unexpected ACK with a RST whether the port is open or closed, so -sA reports such ports as unfiltered; it cannot distinguish open from closed. Ports that produce no response or an ICMP unreachable error are reported as filtered, meaning a stateful firewall or other filtering device dropped the packet. Comparing the unfiltered set with an earlier -sS result shows which rules the firewall applies. Note that this technique reveals filtering, not monitoring: an IDS that passively watches and logs the scan changes nothing in the replies, so its presence cannot be inferred this way.

Spoofing and Decoys

Nmap offers two ways to obscure the origin of a scan. Source address spoofing (-S) forges the source IP of every packet, but the replies then go to the forged address, so unless you can sniff that traffic the scan returns nothing. Decoys (-D) are more practical: Nmap interleaves probes from the forged addresses with its own, so the target and its IDS see the same ports probed from several sources at once and cannot tell which of them is real. Your true address is still among them, so decoys hinder attribution rather than hide the scan.

nmap -sS -O -sV -T4 -D RND:10,192.168.1.5,192.168.1.6,192.168.1.7 192.168.1.10

The above command combines several options:

-sS: TCP SYN scan.
-O: OS detection; decoy packets are also sent during this phase.
-sV: version detection. This phase completes real TCP connections, which cannot be spoofed, so the version probes come only from your real address; drop -sV if obscuring the origin is the goal.
-T4: aggressive timing.
-D RND:10,192.168.1.5,192.168.1.6,192.168.1.7: ten randomly generated decoy addresses plus three chosen ones. The keyword ME can be placed in the list to control where your own address appears; otherwise Nmap puts it in a random position.

Decoys you specify should be hosts that are actually up, or the target may receive a stream of unanswered SYNs that looks like a flood; your ISP or an upstream router may also drop packets with forged sources, and a long decoy list slows the scan and can make its results less accurate. This method is useful when testing how a network's monitoring and logging respond to a scan whose origin is uncertain.

It is important to note that using decoys or spoofing can have legal and ethical implications. Ensure you have explicit permission before performing scans of this nature on any network.
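Seen from the defender's side, here is an added example (not from the original page) of what a SYN scan and a decoy scan leave in a firewall log. The log lines are constructed in iptables LOG format, with one real scanner and two decoy addresses probing 192.168.1.10 alongside a workstation's ordinary HTTPS traffic, and the thresholds (ten distinct ports in sixty seconds, 90% port-set overlap) are illustrative choices rather than any IDS default. The detector flags a source that hits many distinct ports on one host within a short window, then groups scanning sources whose port sets against the same target coincide, which is how a decoy scan appears: one cluster of addresses, one of which is real, and the log alone cannot say which.

```python
"""Defender-side view of SYN and decoy scans. Added example, not from the
original page: the log lines are constructed in iptables LOG format and the
detection thresholds are illustrative choices, not Nmap or IDS defaults."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log data: 192.168.1.50 is the real scanner, 192.168.1.5 and
# 192.168.1.6 are decoys (-D), all probing 192.168.1.10 across 12 ports.
TARGET = "192.168.1.10"
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3306, 8080]
SCAN_SOURCES = ["192.168.1.50", "192.168.1.5", "192.168.1.6"]
LOG_FMT = ("Oct 12 18:30:{sec:02d} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
           "LEN=44 TTL=64 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")
LOG_LINES = [
    # A workstation opening two HTTPS connections: several packets, one port.
    LOG_FMT.format(sec=0, src="192.168.1.20", dst=TARGET, spt=51000, dpt=443),
    LOG_FMT.format(sec=9, src="192.168.1.20", dst=TARGET, spt=51001, dpt=443),
]
for i, port in enumerate(SCAN_PORTS):
    for src in SCAN_SOURCES:  # decoy probes are interleaved with the real ones
        LOG_LINES.append(LOG_FMT.format(sec=i, src=src, dst=TARGET, spt=40000 + i, dpt=port))

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) .*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?\bPROTO=TCP .*?\bDPT=(?P<dpt>\d+) .*?\bSYN\b")


def parse_syn_events(lines, year=2024):
    """Return (timestamp, src, dst, dport) for each logged inbound TCP SYN.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or " ACK" in line:  # skip SYN/ACK replies; only new attempts count
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def detect_port_scans(events, window_s=60, min_ports=10):
    """Return {(src, dst): ports} for every source that hit at least min_ports
    distinct ports on one destination within window_s seconds. A SYN scan leaves
    exactly this footprint whether or not the handshake completes, which is why
    -sS is not invisible to a firewall log."""
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_pair[(src, dst)].append((ts, dpt))
    hits = {}
    for pair, probes in by_pair.items():
        probes.sort()
        lo = 0
        for hi in range(len(probes)):
            while (probes[hi][0] - probes[lo][0]).total_seconds() > window_s:
                lo += 1
            if len({dpt for _, dpt in probes[lo:hi + 1]}) >= min_ports:
                hits[pair] = {dpt for _, dpt in probes}  # report every port the pair touched
                break
    return hits


def cluster_decoys(scans, min_overlap=0.9):
    """Group scanning sources whose port sets against the same target overlap by
    Jaccard >= min_overlap. Nmap sends decoy probes alongside the real ones, so a
    decoy scan shows up as one such cluster; the real scanner is a member, but
    the log alone cannot say which one."""
    by_dst = defaultdict(list)
    for (src, dst), ports in scans.items():
        by_dst[dst].append((src, ports))
    clusters = []
    for dst, members in by_dst.items():
        assigned = set()
        for i, (src0, ports0) in enumerate(members):
            if src0 in assigned:
                continue
            group = [src0]
            for src, ports in members[i + 1:]:
                if src not in assigned and len(ports0 & ports) / len(ports0 | ports) >= min_overlap:
                    group.append(src)
            if len(group) > 1:
                assigned.update(group)
                clusters.append({"target": dst, "sources": sorted(group), "ports": sorted(ports0)})
    return clusters


if __name__ == "__main__":
    scans = detect_port_scans(parse_syn_events(LOG_LINES))
    for (src, dst), ports in sorted(scans.items()):
        print(f"port scan: {src} -> {dst}, {len(ports)} distinct ports")
    for c in cluster_decoys(scans):
        print(f"decoy cluster against {c['target']}: {c['sources']} (one of these is real)")
```

With -D RND:10 in the command above, the cluster would hold eleven addresses rather than three. Because Nmap emits the decoy probes in lock-step with the real ones, correlating on timing as well as on port set gives the same grouping; what the defender cannot recover from this log is which member of the cluster to attribute the scan to, which is exactly the effect decoys are meant to have.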