How to Preform Network Scanning and Forensics with Nmap

Posted by Srot Sinha
Srot Sinha

As a cybersecurity professional, knowledge of network and security tools is critically important. To help jumpstart this knowledge, we will focus on Nmap and introduce you to beginner's content. 

Nmap has always been the security engineer's tool of choice for a wide variety of tasks. You can use it to see which machines are up, if a machine has blocked pings, or if the firewall blocks ICMP packets. It also helps determine if a machine is switched on and connected to the network through performance scans. In the previous article: How to Use Netcat for Cybersecurity, we had covered netcat, also used for connectivity testing.

A word of CAUTION: be careful of what you are scanning and only do so if you have the approval within your organization. While it is unlikely you will bring services down by simply scanning, you will surely raise red flags. For learning purposes, let's assume you are doing this in your home's private network where you are the boss.

 

Nmap has a long manual page, and it is full of switches and options like the standard Linux command-line tool, but don't let that put you off as Nmap is straightforward to use. Although this article primarily focuses on Nmap, we will pepper it with some references to other tools in this ecosystem that sometimes do a better job than Nmap in certain simple tasks.

 

Usage Examples

Here are some useful CLI options and what they do:

# sS TCP SYN scan

# sT TCP connect scan

# sU UDP scans

# sY SCTP INIT scan

 

Typically Nmap is invoked as root. Almost all security scanning tools are invoked as root as we need elevated privileges to perform advanced techniques.

Let us begin with something simple to familiarize ourselves.

# nmap -sT <ip> 80

You can run this against google.com or another site to check if your firewall is currently allowing HTTP protocols and if the IP is indeed running a web server.

You can scan a range of ports to know if a host is running rsync, Samba, and NFS services and if a database server is running for remote network connectivity.

# nmap -p 1-1024 <host>

The above command scans for the ports 1 to 1024 on a machine to list the services it runs. Running this on a local network is legal and fast, but using Nmap on hosts on the Internet is a gray area that could bring severe legal trouble. The most common use is really for sysadmins with the authority to diagnose corporate network issues.

Nmap has built-in OS detection since different OS versions have some TCP quirks, and Nmap relies on those idiosyncrasies to guess the remote operating system. Not very accurate but works practically.

There is also the famous Xmas tree scan, which can alert IDS systems like Snort. Thus, it is better not to do this. If you scan for a long list of ports and cause a lot of network traffic, this can trigger suspicion activity responses.

Nmap is your friend, so use it in moderation and without arousing suspicion. Nmap can also send SCTP packets, use raw IP protocols, and so on. With most services running on the cloud, Nmap cannot do much, but within a specific network, Nmap can still serve a lot of purposes.

Other tools in the Linux security forensics ecosystem include Hping, Fping, and many others. Fping can quickly tell you the hosts that are up like this.

$ fping -g 192.168.1.0/24

This code uses the CIDR notation to figure out which hosts are up and which down.

Nmap is a very sophisticated tool, so using some of the simpler ones may be appropriate for most purposes. Such tools usually run a timer to scan with an interval to ensure we don't trigger suspicion.

 

Manpage Excerpts

For every Linux tool, the man page scripts out a manual. I have attached the most relevant portions to avoid information overload to add more depth:

Nmap 5.51 ( http://nmap.org )

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

  Can pass hostnames, IP addresses, networks, etc.

  Ex: scanme.nmap.org, 192.168.0.1; 10.0.0-255.1-254

  -iL <inputfilename>: Input from list of hosts/networks

  -iR <num hosts>: Choose random targets

  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks

  --excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

  -sL: List Scan - simply list targets to scan

  -sn: Ping Scan - disable port scan

  -Pn: Treat all hosts as online -- skip host discovery

  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports

  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

  -PO[protocol list]: IP Protocol Ping

  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]

  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers

  --system-dns: Use OS's DNS resolver

  --traceroute: Trace hop path to each host

SCAN TECHNIQUES:

  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

  -sU: UDP Scan

  -sN/sF/sX: TCP Null, FIN, and Xmas scans

  --scanflags <flags>: Customize TCP scan flags

  -sI <zombie host[:probeport]>: Idle scan

  -sY/sZ: SCTP INIT/COOKIE-ECHO scans

  -sO: IP protocol scan

  -b <FTP relay host>: FTP bounce scan

Conclusion

Hopefully, this article gives you a starting point for adding Nmap into your bash scripts. Nmap works wonders if you know networking well. Otherwise, you can start with learning TCP/IP stack.

Fun Fact: Nmap was used in Trinity (A Matrix movie) 

 

Did you enjoy this content? Follow our linkedin page!

 

Looking for similar content?

Srot Sinha

Written by Srot Sinha

Srot is a software architect at Query.ai. He has built solutions using AI, NLP and Data Science technologies for various multi-nationals.