
Network scanning with Nmap

Let's talk network scanning, which is a vital part of offensive security.

Nmap

The undisputed leader for network scanning is Nmap (Network Mapper), a free and open source utility for network discovery and security auditing. It's not only used by security professionals, but also by system and network administrators for monitoring and management purposes. Nmap is extremely powerful: its functions range from determining which hosts are available and which services these hosts are running, to identifying the running operating system (OS fingerprinting), open ports, etc. Nmap is capable of scanning large networks very fast, but is perfectly able to perform a deep scan against a single host too.

Nmap is pre-installed in most penetration testing operating systems. I assume you are working from Kali Linux, so I won't go into detail on how to install Nmap. If needed, find instructions here. There is a GUI version available (Zenmap), but as I'm a geek, this blog post will focus on the command line version for now.

Identify hosts on the network

Let's start with finding alive hosts on my internal network by running a pingsweep with the following command:

nmap -sn 192.168.0.100-200

Let's break down the above command:

  • nmap (obviously)
  • -sn (ping scan: host discovery only, no port scan. Nmap probes each host with packets to ports 80 and 443; when run as root it also sends ICMP echo requests)
  • 192.168.0.100-200 (specifies the range of hosts to be scanned. I chose this range because I knew a few of my home devices have an IP assigned in this range)

We receive the following results:

We found three hosts up, including our own host (192.168.0.115). We even found out that 192.168.0.136 is a Raspberry Pi (it's my OSMC media center).

Sweep for specific ports

You can also use Nmap to scan for specific ports. Let's try to see if ports 80 and 8080 are open on our hosts. To get more information on which Nmap scan to run, check out the Nmap guide.

nmap -p80,8080 192.168.0.100-200 -oG sn-sweep.txt

Let's break down the above command:

  • nmap
  • -p80,8080 (specifies you want to do a scan for specific ports 80 and 8080)
  • 192.168.0.100-200 (specifies the range of hosts to be scanned. I chose this range because I knew a few of my home devices have an IP assigned in this range)
  • -oG sn-sweep.txt (specifies that we also want to output the results to a file sn-sweep.txt. This is useful for later grepping purposes)

We receive the following result:

We see that each port is reported as open, closed or filtered. Filtered means Nmap cannot tell whether the port is open, because its probes get no usable response, most likely because a firewall is blocking them.
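As an added example (not code from the original post), here is how to pull hosts in a given port state out of the grepable file written by -oG. The sample lines are constructed to mimic sn-sweep.txt, and the function names are my own:

```shell
#!/bin/sh
# Added example: read Nmap grepable (-oG) output such as sn-sweep.txt from
#   nmap -p80,8080 192.168.0.100-200 -oG sn-sweep.txt
# The sample below is constructed to mimic that file; hostnames and port
# states are made up for illustration.
sample_og() {
  printf '# Nmap 7.94 scan initiated as: nmap -p80,8080 192.168.0.100-200 -oG sn-sweep.txt\n'
  printf 'Host: 192.168.0.115 ()\tStatus: Up\n'
  printf 'Host: %s (%s)\tPorts: %s\n' \
    192.168.0.115 ''   '80/closed/tcp//http///, 8080/open/tcp//http-proxy///' \
    192.168.0.136 osmc '80/open/tcp//http///, 8080/closed/tcp//http-proxy///' \
    192.168.0.142 ''   '80/filtered/tcp//http///, 8080/filtered/tcp//http-proxy///'
  printf '# Nmap done -- 101 IP addresses (3 hosts up) scanned in 2.41 seconds\n'
}

# hosts_with_state STATE   (reads grepable output on stdin)
# Prints "IP PORT" for every port whose state is STATE (open, closed,
# filtered). Fields on a "Host:" line are tab-separated; the "Ports:" field
# holds entries like 80/open/tcp//http/// separated by ", ".
hosts_with_state() {
  awk -F '\t' -v want="$1" '
    /^Host:/ {
      split($1, h, " "); ip = h[2]            # "Host: 192.168.0.136 (osmc)"
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue        # skip Status: lines etc.
        n = split(substr($i, 8), ports, ", ")
        for (j = 1; j <= n; j++) {
          split(ports[j], f, "/")             # f[1]=port f[2]=state f[3]=proto
          if (f[2] == want) print ip, f[1]
        }
      }
    }'
}

# count_hosts_with_state STATE -> number of distinct hosts with a port in STATE
count_hosts_with_state() {
  hosts_with_state "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a real file use e.g.
#   hosts_with_state open < sn-sweep.txt
sample_og | hosts_with_state "${1:-open}"
```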

Sweep for top x ports

You can also sweep for the top number of ports of your choice.

nmap -sT -A --top-ports=20 192.168.0.100-200

Let's break down the above command:

  • nmap
  • -sT (specifies a TCP connect scan, which completes the full three-way handshake through the operating system's connect() call. You can also try the -sS SYN scan, which is stealthier because it never completes the handshake, but it requires root privileges)
  • -A (enable OS detection, version detection, script scanning, and traceroute)
  • --top-ports=20 (scans the 20 most commonly open ports according to Nmap's own frequency data; change the number as you like)
  • 192.168.0.100-200 (specifies the range of hosts to be scanned. I chose this range because I knew a few of my home devices have an IP assigned in this range)
  • -oG sn-sweep.txt (optional, and not included in the command above: add it to also write the results to the file sn-sweep.txt for later grepping, as in the previous scan)

We receive the following result:

Identify running services

An often critical piece of information for an attack is identifying the services running on a specific host. Let's say I want to know which services are running on my OSMC media center, for example.

nmap -sV 192.168.0.136

Let's break down the above command:

  • nmap (obviously)
  • -sV (specifies you want to run a Version Detection scan, giving information about the specific service running on an open port, including the product name and version number)
  • 192.168.0.136 (obviously, this is our target: the IP of my OSMC media center, as discovered during our ping sweep earlier)

We see in the results that some services are running, e.g. SSH, rpcbind, UPnP, ... The next step would be finding a working exploit for one of these services.

Nmap scripts

Another cool feature of Nmap is the Nmap Scripting Engine (NSE), which lets you extend its features with your own or pre-made scripts, making it incredibly powerful. For instance, you could use Nmap to scan for hosts vulnerable to a certain exploit. Make sure to update the script database regularly with the following command:

nmap --script-updatedb

The scripts included in Nmap can be run individually, per category or all at once. The scripts are divided into the following categories:

Category (--script <name>)   Description
all                          Run all pre-installed NSE scripts
auth                         Run only scripts related to authentication
default                      Run the basic default scripts
discovery                    Run scripts to retrieve more in-depth information on the targets
external                     Run scripts that retrieve information from the web, such as geographical location, organization name, net range, ...
intrusive                    Run scripts which are considered intrusive by the target
malware                      Run scripts to check for open backdoors and installed malware
safe                         Run less-intrusive scripts, which attract less attention
vuln                         Run scripts to identify common vulnerabilities

Let's see what running the vuln category scripts finds against a Metasploitable 3 target with IP 192.168.0.205:

nmap --script vuln 192.168.0.205

As you can see in the screenshot below, we found two vulnerabilities, CVE-2015-1635 and CVE-2012-0152. The next step would be trying to find a working exploit for these vulnerabilities. For the first vulnerability, we found this exploit, for example.

You can either run the exploit manually or automatically via the Metasploit framework, but I recommend doing it manually as much as you can to gain a better understanding of the mechanics of the exploit.

------------------ Extra ------------------

For people interested in scripting (which you will need for OSCP), I also scripted a small bash script to do a ping sweep without Nmap using bash only:

Result (note that the live IP addresses will vary from the other examples, as I added this piece later). You can ignore the warning about the broadcast address, which appears when you ping your own machine:

This matches perfectly with my Fing (a great iOS app):
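The shell-only ping sweep the Extra section describes, written here as an added example (my own script, not the author's, whose code is not reproduced on this page). It assumes Linux ping (-W is a timeout in seconds), and the PING_CMD variable is my own assumption so the sweep logic can be exercised without network access:

```shell
#!/bin/bash
# Added example (not the author's script): ping sweep of a range such as
# 192.168.0.100-200 using only the shell and ping, no Nmap.
# Usage: ./sweep.sh 192.168.0 100 200
# PING_CMD is an assumption of this script: it defaults to ping, but a
# test can point it at a fake so the sweep runs without touching the network.
PING_CMD=${PING_CMD:-ping}

# is_alive IP -> exit status 0 when one ICMP echo request is answered
# within 1 second (Linux ping: -c count, -W timeout in seconds).
is_alive() {
  "$PING_CMD" -c 1 -W 1 "$1" >/dev/null 2>&1
}

# ping_sweep PREFIX FIRST LAST -> prints each responding IP on its own line.
# Every host is probed in its own background job, so 100 hosts take about
# one timeout rather than one hundred; sort then gives a stable numeric
# order regardless of which reply came back first.
ping_sweep() {
  prefix=$1 first=$2 last=$3
  {
    i=$first
    while [ "$i" -le "$last" ]; do
      ( is_alive "$prefix.$i" && printf '%s\n' "$prefix.$i" ) &
      i=$((i + 1))
    done
    wait
  } | sort -t . -k 4,4n
}

if [ "$#" -eq 3 ]; then
  ping_sweep "$1" "$2" "$3"
fi
```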