From the course: Penetration Testing Essential Training
Scanning networks with Nmap - Linux Tutorial
- [Instructor] Let's take a refresher on using Nmap for scanning networks to discover what hosts are present and what services are available on those hosts. I'll be using the Nmap tool, which comes preloaded in Kali. Nmap can scan using a number of techniques which, together, can help identify hosts and services which are open to the internet, those that are closed, and those that are open but behind a security filter of some sort.

The first thing we'll do is to discover what hosts are running on our network. The most straightforward way to do this is using the -sn option across the subnet: nmap -sn 10.0.2.0/24. The -sn option touches each host in turn using the ICMP ping protocol to see whether it responds. Nmap reports only the hosts that do respond, providing their IP addresses. Here we find we have four hosts responding.

Having identified which hosts are responding, we can probe the TCP and UDP ports to check what services are being presented. Let's check the target on 10.0.2.32, our Metasploitable server, and we'll check for TCP ports using the -PS option: nmap -PS 10.2.0.32. Nmap is now checking the most common services to see if they're open on the host. It does this by starting to open a connection to the service and then closing it down before the connection is complete. This is called a TCP SYN ping, and it works by sending an empty TCP packet with the SYN flag set and waiting for the host to respond with a standard SYN-ACK response. While a normal connection would be completed by sending back an ACK, Nmap instead cancels the connection before it completes. Okay, we can see we have quite a few ports open.

A useful option to be familiar with is -P0, which will skip the ping check of the host. This is particularly useful when we want to scan a live system which doesn't respond to an ICMP ping. We're running a Windows Server on address 10.0.2.38, but Nmap didn't find it. Let's scan it using -P0: nmap -PS -P0 10.0.2.38. Okay, we now find that the host is in fact up and we have some services available.

Let's now check for UDP ports. We can do this using the -sU option, and this will check the most common 1,000 UDP ports. This requires root privileges, so we'll run with sudo: sudo nmap -sU 10.0.2.32, and we'll scan our Metasploitable server. This will take a while, so we'll come back when it's finished. We've finished the UDP scan now, and we see a number of these ports open.

Let's use Nmap to drill down into an individual service to get more details about what it's running. By using the -sV option, Nmap will try to identify the version of software being used for a service. I can limit the testing to just one service with the -p option. Let's test the second service shown on the TCP scan of Metasploitable, the Secure Shell service on port 22: nmap -p22 -sV 10.0.2.32. Nmap comes back within a few seconds and tells us that the service on port 22 is running the OpenSSH version 4.7p1 software. We can combine these and check multiple port ranges for both TCP and UDP, again running with sudo: sudo nmap -sSUV -p, U for UDP, and we'll check ports 53, 111, and 137, T for TCP, and we'll check ports 21 to 25, 80, 139, and 8080, on 10.0.2.32 again.

Okay, let's check next what operating system is running on the target, and we can do this using the -O switch. Again privileged, so sudo nmap -O 10.0.2.32. The scanner's now finished, and Nmap has fingerprinted the computer operating system correctly as a Linux system, as well as listing the TCP ports that it's detected.

Nmap has a comprehensive library of scripts. If we change directory to /usr/share/nmap/scripts and list them, these provide many advanced capabilities. Let's run one. We'll use the rexec brute force test to extract credentials via port 512. We can do this by using the --script argument: nmap 10.0.2.32, and we're only focused on port 512, and we're going to use the script of the rexec service brute force attack. And here we see a list of valid credentials for the Metasploitable server.

Nmap is an important tool in the pentester's inventory. It's worth spending time to become very familiar with it.
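Once scans like the ones above have run, the useful defensive step is to reconcile what Nmap found against what is supposed to be exposed. The following is an added example, not part of the course: it parses Nmap's grepable output format (the -oG option) and flags open ports that are absent from an authorised-services baseline. The sample output and the baseline are constructed for illustration, not taken from a real scan.

```python
# Constructed sample of Nmap grepable output (-oG). Fields are tab-separated;
# each entry in the Ports field is port/state/protocol/owner/service/rpcinfo/version/.
# Nmap replaces any "/" inside a field with "|", so splitting on "/" is safe.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.2.32 ()\tStatus: Up
Host: 10.0.2.32 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh//OpenSSH 4.7p1/, 53/open/udp//domain///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.2.38 ()\tStatus: Up
Host: 10.0.2.38 ()\tPorts: 139/open/tcp//netbios-ssn///, 137/open/udp//netbios-ns///\tIgnored State: filtered (998)
# Nmap done at (constructed sample)
"""

# Constructed baseline: host -> set of (port, protocol) pairs that are approved.
BASELINE = {"10.0.2.32": {(22, "tcp"), (53, "udp")}}


def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service, version)}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer comments
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        hosts.setdefault(host, {})
        # Port entries are separated by ", "; the Status-only line has no Ports field.
        for entry in filter(None, (e.strip() for e in fields.get("Ports", "").split(","))):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            hosts[host][(int(port), proto)] = (state, service, version)
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Return (host, port, proto, service, version) for open ports not in the baseline.

    Closed and filtered ports are ignored; a host missing from the baseline has
    every open port flagged, which is the safe default for an unknown machine."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for (port, proto), (state, service, version) in sorted(ports.items()):
            if state == "open" and (port, proto) not in baseline.get(host, set()):
                findings.append((host, port, proto, service, version))
    return findings


if __name__ == "__main__":
    for host, port, proto, service, version in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"UNEXPECTED {host} {port}/{proto} {service} {version}".rstrip())
```

In practice the input would come from a real run such as nmap -sSUV -oG scan.gnmap, and the baseline from the asset inventory.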