Introduction to information gathering with Nmap

The most important part of a penetration test is the information gathering phase: you need to learn as much as possible about the target system before you attack it, and many tools exist for that. In this tutorial, I will show how to investigate a system using Nmap.

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. As a penetration tester, you can use Nmap for OS fingerprinting, port enumeration, and service discovery. The Nmap Scripting Engine (NSE) extends Nmap to tasks such as IP geolocation, checking whether a host is conducting malicious activities, brute-forcing DNS records, and collecting valid e-mail accounts using Google.

In this tutorial, I use Parrot Operating System to demonstrate how to use Nmap; Nmap itself is available on almost all platforms. Keep in mind that Nmap's default scans are noisy: most firewalls and IDS can easily detect them. The timing templates (-T0 to -T5) and the choice of scan type reduce the noise, but they do not make a scan invisible.

In Kali Linux and Parrot OS, you can launch Nmap from the Application menu, where it is listed under the Information Gathering section. When launched that way you will be asked for the root password.



You can also launch Nmap from a terminal. Become root with the "su" command and enter the password, then run the "nmap" command. Root privileges are needed for the scan types that send raw packets, such as the SYN scan (-sS) and OS detection (-O); an unprivileged user can still run a TCP connect scan (-sT).

It is vital to have permission to scan a website or network. You can learn more about legal issues from this URL. For this tutorial, I use the scanme.nmap.org website, which the Nmap project provides for exactly this purpose; you don't require additional permission to scan it, as long as you keep it to a few scans a day.

When you run nmap without any arguments, it prints its usage summary. Read through it to understand the available options.

The basic syntax is "nmap [scan type] [options] target". Let's say you want to find out which operating system the target is running. OS detection is enabled with "-O" (it needs root because it sends raw packets):

nmap -O silvertrinity.com




Nmap compares the target's responses against its fingerprint database and reports the best matching operating system; when no fingerprint matches exactly, it lists its guesses with a percentage. As a penetration tester, it is your responsibility to pick out the information that matters for the next stages.

You can scan more than one host at a time by listing the targets separated by spaces. Nmap also accepts CIDR notation (192.168.1.0/24) and octet ranges (192.168.1.1-50). The following example scans two hosts.

nmap -O silvertrinity.com jobs.silvertrinity.com



You can use the "-A" option to enable OS detection, version detection, script scanning, and traceroute in a single run. It is convenient, but it is also the noisiest and slowest option.

If you don't give any options, Nmap runs a plain port scan using its default scan type: a SYN scan (-sS) when run as root, a TCP connect scan (-sT) otherwise. By default it scans the 1,000 most commonly used TCP ports (not a contiguous range). The following example scans for open ports.

nmap silvertrinity.com



Here you can see that 998 ports are filtered. This means Nmap cannot determine whether those ports are open because packet filtering prevents its probes from reaching them (or drops the replies). The filtering could come from a dedicated firewall device, router rules, or host-based firewall software.

Nmap recognizes six states: open, closed, filtered, unfiltered, open|filtered, and closed|filtered.

Open means an application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack.

A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. Closed ports are helpful in showing that a host is up and running, are used for host discovery (ping scanning), and feed into OS detection. Because closed ports are reachable, it may be worth scanning them again later in case some open up.

The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan (-sA), which is used to map firewall rulesets, classifies ports this way. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan may resolve whether the port is open.

open|filtered means that Nmap is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response (UDP, IP protocol, FIN, NULL and Xmas scans). The lack of response could also mean that a packet filter dropped the probe or any response it elicited, so Nmap does not know for sure whether the port is open or being filtered.

closed|filtered means that Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan (-sI).
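The states above are inferred purely from what comes back for each probe, and the same target can look very different depending on the scan type and on whether the firewall drops or rejects. The following Python model is an added example, not code from the tutorial or from the Nmap project: the Target class, its listening/allowed sets and its drop/icmp/reset policies are constructed for illustration, while the STATE_RULES table encodes the documented SYN, FIN and ACK scan interpretations. It reproduces the "2 open, 998 filtered" picture from the scan above and shows why a FIN scan is useless through a dropping firewall and why an ACK scan is used to map firewall rules.

```python
from collections import Counter
from dataclasses import dataclass

# What a scanner can observe in reply to a single TCP probe.
SYN_ACK, RST, ICMP_UNREACH, NO_RESPONSE = "SYN/ACK", "RST", "ICMP unreachable", "no response"

# How Nmap labels each observation, per scan type.
STATE_RULES = {
    # SYN scan (-sS): SYN/ACK means a listener; RST means the stack answered but
    # nothing listens; silence or an ICMP error means something ate the probe.
    "syn": {SYN_ACK: "open", RST: "closed", ICMP_UNREACH: "filtered", NO_RESPONSE: "filtered"},
    # FIN scan (-sF): open ports ignore a bare FIN, so silence is ambiguous.
    "fin": {RST: "closed", ICMP_UNREACH: "filtered", NO_RESPONSE: "open|filtered"},
    # ACK scan (-sA): only reveals whether a packet filter is in the way.
    "ack": {RST: "unfiltered", ICMP_UNREACH: "filtered", NO_RESPONSE: "filtered"},
}


@dataclass
class Target:
    """Constructed host behind a packet filter (hypothetical; not a real system)."""
    listening: set          # TCP ports with a service bound
    allowed: set            # ports the filter lets probes through to
    policy: str = "drop"    # for all other ports: "drop", "icmp" or "reset"

    def respond(self, kind, port):
        if port not in self.allowed:
            # "reset" mimics iptables REJECT --reject-with tcp-reset: the
            # firewall answers RST itself, so the port looks merely closed.
            return {"drop": NO_RESPONSE, "icmp": ICMP_UNREACH, "reset": RST}[self.policy]
        if kind == "syn":
            return SYN_ACK if port in self.listening else RST
        if kind == "fin":
            return NO_RESPONSE if port in self.listening else RST
        if kind == "ack":
            return RST      # any reachable port answers an unsolicited ACK with RST
        raise ValueError(f"unsupported scan type: {kind}")


def scan(target, ports, kind="syn"):
    """Return {port: nmap_state} for the given probes against the modelled target."""
    rules = STATE_RULES[kind]
    return {port: rules[target.respond(kind, port)] for port in ports}


def summarize(states):
    """Count ports per state, like Nmap's 'Not shown: N filtered ports' line."""
    return dict(Counter(states.values()))


if __name__ == "__main__":
    top1000 = range(1, 1001)   # stand-in for Nmap's default 1,000-port list
    web = Target(listening={80, 443}, allowed={80, 443})
    print("SYN through a dropping firewall:", summarize(scan(web, top1000, "syn")))
    print("ACK through the same firewall:  ", summarize(scan(web, top1000, "ack")))
    print("FIN through the same firewall:  ", summarize(scan(web, top1000, "fin")))
    rst = Target(listening={80, 443}, allowed={80, 443}, policy="reset")
    print("SYN with reject-with tcp-reset: ", summarize(scan(rst, top1000, "syn")))
```

Note the last case: a firewall that answers with TCP resets makes the 998 blocked ports look closed rather than filtered, so "closed" on its own does not prove that there is no firewall; the ACK scan result is what tells the two apart.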

Two ports are open: HTTP (80) and HTTPS (443). If you would like more detail about what Nmap is doing, increase the verbosity. A single "-v" prints extra progress information; "-vv" prints even more.

nmap -vv silvertrinity.com



It is vital to know which services, and which versions of them, run on the open ports. Version detection with "-sV" sends probes to each open port and matches the responses against Nmap's service fingerprints.

nmap -sV silvertrinity.com


As a penetration tester, you will want to save scan results for later use. The shell redirection operator ">" sends Nmap's output to a file, but Nmap also has its own output options: "-oN" (normal), "-oX" (XML), "-oG" (grepable) and "-oA" (all three at once, with the given base name).

The following example uses "-oG", which takes an output filename as its argument. This can be an actual file or a hyphen (-), which means standard output (the console); here the output is then redirected into a file on the Desktop. The target 192.168.1.0-255 is an octet range covering every address from 192.168.1.0 to 192.168.1.255.

nmap -oG - 192.168.1.0-255 > /home/sec/Desktop/ScanResults.txt


The output file also records the exact command line, when the scan started, and how long it took, and each host gets one line per host with all of its ports, which is what makes the format easy to grep and to parse in scripts.
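Grepable output is meant to be processed by tools rather than read. The parser below is an added example, not part of the tutorial or of Nmap; the SAMPLE text is a constructed scan (the IPs, hostnames and versions are made up) laid out the way "-oG" writes it, with tab-separated fields on each "Host:" line and the seven slash-separated fields per port (port, state, protocol, owner, service, RPC info, version). It turns a saved file into a per-host structure and pulls out the open ports with their detected versions, which is the data you carry into the next phase.

```python
import re
from collections import defaultdict

# Constructed sample of grepable (-oG) output produced with -sV; it is not a
# real scan. Real output separates the fields of a Host: line with tabs, as here.
SAMPLE = """\
# Nmap 7.93 scan initiated Tue Mar  7 10:00:00 2023 as: nmap -sV -oG - 192.168.1.0-255
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done at Tue Mar  7 10:00:05 2023 -- 256 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_port_entry(entry):
    """'22/open/tcp//ssh//OpenSSH 8.9p1/' -> dict. Nmap keeps '/' out of the
    version field (it substitutes '|'), so a plain split is safe."""
    rec = dict(zip(PORT_FIELDS, entry.split("/")))
    rec["port"] = int(rec["port"])
    return rec


def parse_grepable(text):
    """Return ({ip: host record}, metadata) from the text of a -oG file."""
    hosts = defaultdict(lambda: {"hostname": "", "status": None, "ports": [], "ignored": None})
    meta = {"command": None, "finished": None, "summary": None}
    for line in text.splitlines():
        if line.startswith("#"):                      # header and trailer comments
            m = re.search(r" as: (.+)$", line)
            if m:
                meta["command"] = m.group(1)
            m = re.match(r"# Nmap done at (.+?) -- (.+)$", line)
            if m:
                meta["finished"], meta["summary"] = m.groups()
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.groups()
        rec = hosts[ip]                               # Status and Ports lines merge by IP
        if hostname:
            rec["hostname"] = hostname
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                rec["ports"].extend(parse_port_entry(e) for e in value.split(", "))
            elif key == "Ignored State":
                rec["ignored"] = value
    return dict(hosts), meta


def open_ports(hosts):
    """Flatten to sorted (ip, port, service, version) tuples for every open port."""
    return sorted((ip, p["port"], p["service"], p["version"])
                  for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open")


if __name__ == "__main__":
    hosts, meta = parse_grepable(SAMPLE)
    print("command:", meta["command"])
    print("finished:", meta["finished"], "|", meta["summary"])
    for ip, port, service, version in open_ports(hosts):
        print(f"{ip}:{port}\t{service}\t{version or '(no version)'}")
```

To run it against a real saved file, replace SAMPLE with the contents of ScanResults.txt from the command above. Parsing XML output ("-oX") with a proper XML library is the more robust choice for anything beyond quick triage, since the grepable format has a fixed set of fields and no room for script output.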

You can scan specific ports with the "-p" option. The following example scans port 80 only.

nmap -p 80 silvertrinity.com

"-p" also accepts comma-separated lists and ranges, for example "-p 22,80,443" or "-p 1-1024", and "-p-" scans all 65535 ports.

You can run a faster scan with the "-F" option. Instead of the default 1,000 ports it scans only the 100 most common ones, which is quicker but will miss services on less usual ports.


If you have any questions regarding this tutorial, please post it in the comment section.
