NMAP Network Scanner
This course covers the basics of using Nmap, the network scanner. As a network scanner, Nmap is often used at the beginning of penetration testing to find out basic information about the target website or web app. Nmap, or Network Mapper, is used in security and auditing for checking host or service uptime. It can tell us what’s available on a given network, whether that’s the applications that are in use or whether the network is running firewalls. It can even scan what operating systems are in use on the network. Nmap works on all major operating systems and you can run it as command-line prompts or through the Nmap application called Zenmap. Nmap is incredibly popular with cybersecurity professionals because it is free, easy to use, well-supported and incredibly powerful and can allow you to scan huge computer networks, made up of thousands of machines.
In this video guide, we’ll be covering the basics of using Nmap, the network mapping tool used by penetration testers, and we’ll be showing you how to conduct a basic network scan. Nmap is used to find out where potential entry points to a website or web application may be, so that we can use other applications to potentially access and exploit those vulnerabilities using other software.
Here’s how you do it in 5 steps:
Step 1 – how to open Nmap Open the terminal in the toolbar to open Nmap. If you’ve not used Nmap before, it’s useful to know about the help menu which you access by typing Nmap, Hyphen-Hyphen Help. If we look from the top, we can see the full menu which can assist us with any issues or if we forget any commands. We can clear the help menu, or anything in the terminal, by typing clear, then selecting enter.
Step 2: Conducting a Ping Sweep In this example of Nmap, we’re going to use a ping sweep to see if the server we’re scanning is active. We do this by sending out an Internet Control Message Protocol request (or ICMP), and seeing if we get a reply back from the address. We’re going to look at a test environment with the IP Address 10.1.1.102. First, we’re going to see if the address is up and running by using a ping sweep. To start the ping sweep we type the command “Nmap hyphen sn”, then the IP address. We could also use the domain name as well. The server has replied and the Nmap scan report has told us that the IP Address is up and running. Now that we know the IP address is available, we can begin our full scan. So let’s clear the terminal again.
Step 3: Port Scanning: The main purpose of Nmap is to see which ports are open and available. To begin this we will first scan and probe to see if any of the common ports are open, such as ports 80, 22, or 21. This is done by using the minus capital F switch. After a little bit of time, Nmap will provide us a list of ports which are open on the server.
Step 4: Version Scanning We’ll want to find out a bit more information about what’s on these ports by using version scanning tools. For example, this will show us what versions of software or scripts the IP address is using. We can do that using Nmap’s default scripts. Here, we’re going to concentrate of the FTP service (port 21), the SSH service (port 22) and the HTTP service (port 80). To isolate them, I can enter –P, which stands for Ports, and then comma separate each of the port numbers associated to those services. So 21, 22 & 80. Because we’re on a fast network, we can speed this up using the -T4 scan speed. Then, we need to specify that we’re using default scripts, so we enter SC, and then V for version scanning.
Step 5: Understanding the Version Scan Now that we’ve specified a bit more on what we’d like to look for, Nmap has begun providing more information – for example, the Version scan has found the version of the application. If we look at the FTP, we can see that it is running FTPD version 1.31. Now that we know this, we can look up, using either a search engine or another piece of software, to see if that particular version of FTPD is vulnerable to any exploits. Nmap also runs an anonymous log in check and we can see that this is allowed. If files are available to us, Nmap tells us this, too. Here, we can see that a number of files are available for us to access as PDFs. Let’s look at the SSH version now. Again, we could use a search engine or scanning software to see if the SSH version is outdated and has any potential vulnerabilities. If we look at the web server, the HTTP port, we can see that it is an Apache server running PHP. This is useful to know as we could begin to investigate if it has any databases sitting on the back end. There’s plenty of information available for us to see here, like banner-grabbing information. You can find out more about banner grabbing in our Netcat guide. Using Nmap, we have now started to build up a better picture of what it is that we're actually scanning, and take that information to use in other penetration testing software.
In this video, we’ve covered what Nmap is, how to launch it, how to Ping Sweep, how to Port Scan, how to Version Scan and how to understand what we’ve scanned.