Nmap

Nmap is an extremely powerful tool which has many different functions. It is a great port scanning tool which can also be used to scan for vulnerabilities. I was mind-blown by this tool when I used it for the first time. It serves every aspect which is required during a port scanning phase. I used this tool especially while I was solving machines in HackTheBox. There are different flags to choose from according to the required scenario. Some of the common flags are

-o = to detect Operating System used by the system

-v = to increase verbosity

-a = to enable aggressive mode

-p- = to scan all ports

— script = to activate a script from the nmap scripting library

There are 3 main basic port scan types which are,

1. TCP connect Scan (-sT)

When a TCP Connect Scan is chosen, It performs a full TCP connection completing the three way handshake on every port to determine if the port is open or closed. If the target sends SYN/ACK in response to SYN then the port is open whereas if it sends RST then the port is closed. If the target does not send anything then the port might be filtered or protected by a firewall.

2. SYN Scan ( -sS)

When a SYN Scan is chosen, it does not complete a full TCP connection but rather just sends an RST packet after receiving SYN/ACK from the target. If the target sends SYN/ACK in response to SYN then the port is open whereas if it sends RST then the port is closed. If the target does not send anything then the port might be filtered or protected by a firewall.

3. UDP Scan (-sU)

Since UDP connections are stateless, It simply sends packets to a target port hoping that it makes it to the destination. So to port scan in UDP, a packet is sent to the target and if there is no response then the port is open whereas if ICMP packet is received then the port is closed. In some rare cases, sometimes UDP response is detected which means that the port is open.

ICMP SCAN

We can also determine which IP addresses have active hosts by doing an ICMP network scan. The following is the command to do so,

nmap -sn 192.168.0.1/24

The following command sends an ICMP echo packet from 192.168.0.1 to 192.168.0.255 to determine active hosts.

NSE Scripts

This feature in Nmap can be used to scan for vulnerabilities and automate exploits for them. There are different categories from which we can run scripts

SAFE: It won’t affect the target

INTRUSIVE: It is aggressive and might affect the target.

VULN: It is used to scan for vulnerabilities

EXPLOIT: It is used to exploit a vulnerability

AUTH: It is used for bypassing authentication mechanisms.

BRUTE: It is used for brute forcing credentials.

DISCOVERY: It is used to check for running services.

The command used to run the scripts is as follows,

— script=(category)

BYPASS FIREWALL

Some of the switches which are used to bypass firewall are as follows

-f = It is used to fragment the packet.

— scan-delay = It is used to add a time delay between packets sent.

— badsum = It is used to generate in invalid checksum for packets.

TIP: Some firewalls block ICMP packets so using a switch -Pn can be helpful since it ignores ICMP before sending. Since Nmap uses ICMP to determine if the host is active or not, this type of scan might take time.

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store