Nmap is an extremely powerful tool which has many different functions. It is a great port scanning tool which can also be used to scan for vulnerabilities. I was mind-blown by this tool when I used it for the first time. It serves every aspect which is required during a port scanning phase. I used this tool especially while I was solving machines in HackTheBox. There are different flags to choose from according to the required scenario. Some of the common flags are
-o = to detect Operating System used by the system
-v = to increase verbosity
-a = to enable aggressive mode
-p- = to scan all ports
— script = to activate a script from the nmap scripting library
There are 3 main basic port scan types which are,
1. TCP connect Scan (-sT)
When a TCP Connect Scan is chosen, It performs a full TCP connection completing the three way handshake on every port to determine if the port is open or closed. If the target sends SYN/ACK in response to SYN then the port is open whereas if it sends RST then the port is closed. If the target does not send anything then the port might be filtered or protected by a firewall.
2. SYN Scan ( -sS)
When a SYN Scan is chosen, it does not complete a full TCP connection but rather just sends an RST packet after receiving SYN/ACK from the target. If the target sends SYN/ACK in response to SYN then the port is open whereas if it sends RST then the port is closed. If the target does not send anything then the port might be filtered or protected by a firewall.
3. UDP Scan (-sU)
Since UDP connections are stateless, It simply sends packets to a target port hoping that it makes it to the destination. So to port scan in UDP, a packet is sent to the target and if there is no response then the port is open whereas if ICMP packet is received then the port is closed. In some rare cases, sometimes UDP response is detected which means that the port is open.
We can also determine which IP addresses have active hosts by doing an ICMP network scan. The following is the command to do so,
nmap -sn 192.168.0.1/24
The following command sends an ICMP echo packet from 192.168.0.1 to 192.168.0.255 to determine active hosts.
This feature in Nmap can be used to scan for vulnerabilities and automate exploits for them. There are different categories from which we can run scripts
SAFE: It won’t affect the target
INTRUSIVE: It is aggressive and might affect the target.
VULN: It is used to scan for vulnerabilities
EXPLOIT: It is used to exploit a vulnerability
AUTH: It is used for bypassing authentication mechanisms.
BRUTE: It is used for brute forcing credentials.
DISCOVERY: It is used to check for running services.
The command used to run the scripts is as follows,
Some of the switches which are used to bypass firewall are as follows
-f = It is used to fragment the packet.
— scan-delay = It is used to add a time delay between packets sent.
— badsum = It is used to generate in invalid checksum for packets.
TIP: Some firewalls block ICMP packets so using a switch -Pn can be helpful since it ignores ICMP before sending. Since Nmap uses ICMP to determine if the host is active or not, this type of scan might take time.