Notes on nmap

The most common use of the command-line tool nmap is to enumerate which ports are open and which services are running on the targets. There are many other uses too. nmap is free, open-source, and available on Linux, Windows, and Mac OS X.

This is less of a blog and more of a lightly edited dump of my notes from self-teaching. Shoutout to my favorite note-taking app, Obsidian.md, where these notes were originally recorded in Markdown format.

nmap help

nmap -h
man nmap

Common Switches

TCP Connect Scan -sT
Syn Scan -sS
UDP scan -sU

TCP Null scan (less common) -sN
TCP FIN scan (less common) -sF
TCP Xmas scan (less common) -sX

Detect target OS -O

Detect service versions -sV

Verbose -v
Verbosity level 2 -vv

Output
-oA (all 3 major formats)
-oN (normal format)
-oG (grepable format)
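
Added example (my own, not part of the original notes): a small POSIX shell parser for the -oG grepable format that lists open ports per host and flags anything not on an allowlist of expected exposures, which is how I turn a scan of my own hosts into a quick exposure check. The scan output below is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Constructed sample of nmap -oG (grepable) output; not from a real scan.
# Fields are tab-separated; each port entry is port/state/proto//service//version//
GREPABLE_SAMPLE=$(
  printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG scan.gnmap 10.0.0.0/29\n'
  printf 'Host: 10.0.0.5 (web.internal)\tStatus: Up\n'
  printf 'Host: 10.0.0.5 (web.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9//, 80/open/tcp//http//nginx 1.18//, 3306/open/tcp//mysql//MySQL 8.0//\tIgnored State: closed (997)\n'
  printf 'Host: 10.0.0.6 (db.internal)\tStatus: Up\n'
  printf 'Host: 10.0.0.6 (db.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9//, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)\n'
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 10.00 seconds\n'
)

# Read grepable output on stdin; print "ip port/proto service" for each open port.
open_ports() {
  awk -F'\t' '
    /^Host:/ && $2 ~ /^Ports:/ {
      split($1, h, " "); ip = h[2]          # $1 is "Host: 10.0.0.5 (web.internal)"
      sub(/^Ports: /, "", $2)
      n = split($2, ports, /, /)
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")             # f[1]=port f[2]=state f[3]=proto f[5]=service
        if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
      }
    }'
}

# Print only the open ports that are not on the space-separated allowlist of
# expected exposures (port/proto), e.g. unexpected_ports "22/tcp 80/tcp" < scan.gnmap
unexpected_ports() {
  allow=" $1 "
  open_ports | while read -r ip port svc; do
    case "$allow" in
      *" $port "*) ;;                        # expected exposure, stay quiet
      *) printf '%s %s %s\n' "$ip" "$port" "$svc" ;;
    esac
  done
}

# Stand-alone run against the constructed sample: only 3306/tcp on 10.0.0.5 is reported.
printf '%s\n' "$GREPABLE_SAMPLE" | unexpected_ports '22/tcp 80/tcp'
```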

Aggressive mode (service detection, OS detection, traceroute, common script scanning) -A

Timing templates are used to increase scan speed. Higher speeds are noisier and more error-prone.
-T1, -T2, -T3, -T4, -T5

Scan a single port: -p 80
A range of ports: -p 1000-1500
All ports: -p-

Activate a script: --script

Activate all scripts of a category: --script=vuln (vuln is the category)

TCP Connect Scans

-sT
nmap is able to test whether a port is open or not with a TCP connect scan.

RFC 793 specifies that a host responds to a SYN packet received on a closed port with a RST (reset). This is how nmap knows the port is closed.

If the port is open, the server responds with a SYN/ACK reply. nmap marks these ports as open and replies with an ACK TCP packet.

If the port is open but behind a firewall, the firewall will simply drop the packet and send nothing in return. nmap marks this as filtered. Firewalls can also be configured to reply with RST packets, which makes an accurate reading difficult.

SYN Scans

-sS
Similar to a -sT scan, but called a “half-open” scan or “stealth” scan.

-sT performs a full three-way handshake for a TCP connection. -sS replies at the end with RST instead of ACK so the server doesn’t keep trying to connect.

Variety of benefits to this:

  • Can bypass older IDS systems looking for a full three-way handshake.
  • Often not logged by applications logging connections; standard practice is to log a full established connection.
  • Don’t have to complete and disconnect from a full connection, making it faster.

Some disadvantages:

  • Requires sudo permissions to initiate on Linux.
  • Unstable services can sometimes be brought down by SYN scans.

SYN scans are the default scan run by nmap if run with sudo. Without sudo, TCP Connect scans are the default.

UDP Scans

-sU
UDP is stateless. The lack of acknowledgements makes it harder to scan.

Ports that send nothing back are marked open|filtered, since with no acknowledgement it’s impossible to say whether the port is open or filtered. In the less common case where the service sends a UDP response, the port is marked open.

When UDP traffic is sent to a closed port, the target responds with an ICMP packet saying the port is unreachable.

UDP scans take much longer, so scanning only the top ports is a good idea.
nmap -sU --top-ports 20 <target>

NULL, FIN, and Xmas Scans

These scans are far less common. They’re stealthier than SYN scans.

All three handle open ports the same way, and similarly to UDP scans: an open port gives no reply. As a result, they will only ever identify ports as open|filtered, closed, or filtered. Filtered means the target has responded with ICMP unreachable.

The reason to use these scans is firewall evasion. Many firewalls drop TCP packets to blocked ports if they have SYN flags. These scans don’t use SYN flags, bypassing the firewall. Most modern IDS solutions are smart to this now.

Windows may respond to each of these scans with RST for every port.

Null Scans

-sN
NULL scans send TCP requests with no flags set at all. The target responds with RST if the port is closed.

FIN Scans

-sF
FIN scans send TCP requests with FIN flags set, which are usually used to gracefully close a connection. nmap expects RST if the port is closed.

Xmas Scans

-sX
Xmas scans send malformed TCP requests with the PSH, URG, and FIN flags set, and expect an RST response for closed ports. Called Xmas because the packet looks like a blinking Christmas tree in Wireshark.

ICMP Network Scanning

-sn <IP range>
Also called a “ping sweep”. Uses ICMP packets to sweep a range of IP addresses with pings, marking which hosts reply.

-sn tells nmap not to scan any ports, forcing it to rely on ICMP echo packets (or ARP requests on a local network). It also sends a TCP SYN packet to port 443 and a TCP ACK (or TCP SYN if not run as root) to port 80 on the target.

IP range can be separated by a hyphen or in CIDR notation.

nmap Scripting Engine (NSE)

Scripts are written in Lua.

Some useful categories:

  • safe – won’t affect target
  • intrusive – not safe, likely to affect target
  • vuln – scan for vulnerabilities
  • exploit – attempt to exploit a vulnerability
  • auth – attempt to bypass authentication for running services (e.g. anonymous FTP)
  • brute – attempt to bruteforce credentials for running services
  • discovery – attempt to query running services for further information about the network (e.g. query an SNMP server)

Script Syntax and Arguments

Syntax for running a script is --script=http-file-exploiter, for instance.
Multiple scripts can be separated by a comma.

Some scripts require arguments provided with --script-args, such as credentials for authenticated vulns.
For example:
nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php' <target>
Multiple arguments are comma-separated and connected to the corresponding script with a period (i.e. <script-name>.<argument>).

Script Help

Scripts come with built-in help menus accessed with nmap --script-help <script-name>.
They have links to the official documentation at nmap.org for more details.

Scripts are stored at /usr/share/nmap/scripts
cat /usr/share/nmap/scripts/script.db prints a list of installed scripts

Search the list either by grepping or lsing
grep "ftp" /usr/share/nmap/scripts/script.db
ls -l /usr/share/nmap/scripts/*ftp*
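
Added example (my own, not from the original notes or from nmap): a shell function that reads script.db and lists the scripts carrying every category you name, so you can see exactly what --script=vuln will run and which of those are also tagged intrusive before pointing it at anything production-like. The script.db excerpt is constructed; http-example-dos.nse is a hypothetical name and the categories shown may not match a real install.

```shell
#!/bin/sh
# Constructed excerpt in the format of /usr/share/nmap/scripts/script.db
# (one Lua "Entry" per script). http-example-dos.nse is hypothetical;
# categories here may not match a real install.
SCRIPT_DB_SAMPLE='Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe" } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive" } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe" } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe" } }
Entry { filename = "http-example-dos.nse", categories = { "vuln", "intrusive", "dos" } }'

# Read script.db on stdin; print scripts tagged with EVERY category given.
#   scripts_matching vuln            -> what --script=vuln would run
#   scripts_matching vuln intrusive  -> the subset to review before scanning production
scripts_matching() {
  awk -v want="$*" -F'"' '
    BEGIN { n = split(want, need, " ") }
    /^Entry/ {
      # With the double quote as separator, $2 is the filename and
      # $4, $6, ... are the category names.
      for (k = 1; k <= n; k++) seen[k] = 0
      for (i = 4; i <= NF; i += 2)
        for (k = 1; k <= n; k++) if ($i == need[k]) seen[k] = 1
      ok = 1
      for (k = 1; k <= n; k++) if (!seen[k]) ok = 0
      if (ok) print $2
    }'
}

# Stand-alone run: what --script=vuln selects, then the intrusive ones among them.
printf '%s\n' "$SCRIPT_DB_SAMPLE" | scripts_matching vuln
echo "--- intrusive subset ---"
printf '%s\n' "$SCRIPT_DB_SAMPLE" | scripts_matching vuln intrusive
```

Against a real install, replace the sample with `scripts_matching vuln < /usr/share/nmap/scripts/script.db`.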

Installing New Scripts

Reinstall missing scripts: sudo apt update && sudo apt install nmap
Manually download a script: sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse && nmap --script-updatedb

Firewall Evasion

-Pn

The Windows default firewall blocks all ICMP packets. nmap registers such a host as dead and won’t bother scanning it. To get around this, use -Pn to have nmap treat the host as alive. This takes much longer to run.

Packet Fragmenting

-f Splits packets into smaller pieces, decreasing the chance of firewall or IDS detection
--mtu <number> Sets the maximum transmission unit size. Must be a multiple of 8

Delay

--scan-delay <time>ms Add a delay between packets. Evades time-based firewall/IDS triggers.

Force Firewall Response

--badsum Adds an invalid checksum to packets. Real TCP/IP stacks drop these, but some firewalls respond automatically without checking the checksum, so a reply reveals the presence of a firewall.