Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands

Nmap Port Scan Vulnerability Scan Commands

Nmap (Network Mapper) is a free and open-source network scanner  created by Gordon Lyon . Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
 
Nmap provides a number of features for probing computer networks, including host discovery and service and OS detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including Latency and Congestion during a scan. Wikipedia
 

1.Basic/Default Scan

 
This is a default scan where you are just passing the hostname/ip-address to the to nmap. In this type of the nmap scanning the nmap scans the top 1000 ports.Top thousands doesn’t mean 1-1000. It means the well known top 1000 ports. 
If this scan is run by a PRIVILEGED user then this is RAW SYN STEALTH SCAN and if its run by NON-PRIVILEGED user then its a TCP CONNECT SCAN.
 

Lets perform a simple nmap scan on metasploitable2 machine.

 
Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands
So as you can see from the image nmap listed out the port which are open on metasploitabl2.
 
Here you can see the state of ports its open. So the nmap scan and find that these ports are open on target host.
There are four different state of ports
 
  • OPEN: Having this as label to the state of the port, means the port is open.
  • CLOSED: Having this as label to the state of the port, means the port is closed and not ready to make the connection.
  • FILTERED: Having this as label to the state of the port, means that nmap packet were unable to reach the port to check its status either blocked by firewall or by some sort of router access control rule.
  •  
  • UNFILTERED: Having this as label to the state of the port, means that nmap packet were able to reach the port to check its status but it was not able to determine the state of the port.
 
 
There are two other states 
 
OPEN | FILTERED  and CLOSED | FILTERED and its is clear by the name what states its represent.
 
Nmap cannot determine if the target port is open or filtered.
Nmap cannot determine if the target port is close or filtered.
 
 
 
There are different option available with nmap we can use.
 
  • -sn : Tells nmap no to do port scan after discovering the hosts. Its just to check if the hosts are up or not.
 
[email protected]# nmap 192.168.0.1/24 -sn
 
Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands
What Nmap do, first it check whether the host is up or not and then it performs port scans. But sometimes icmp echo response is disabled onto the target and nmap unable to detect whether the host is alive or not.
 
So there is another solution where the nmap will scan the host irrespective or its state alive or dead.
 
How we do that ?
 
[email protected]# nmap 192.168.0.105-110 -Pn
 
This -Pn option allow to do the required thing.
 
Let’s Try on the Local Network.
 
Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands
In the host discovery section there is another option which can be used to perform a specific scan with specified ports.
 
  • PS: Perform TCP SYN scan.
  • PA: Perform TCP ACK scan.
  • PU: Perfrom UDP scan.
  • PY: Perform SCTP scan.
  • PE: Perform ICMP echo scan.
  • PP: Perform timestamp scan.
  • PM: Perform netmask scan.
 
[email protected]# nmap host -PS22,53,443
 
There is no space after PS.
 
 
 

Different Scan Techniques

 
sS/sT/sA/sW/sM : TCP SYN, TCP connect(), TCP ACK, Window, Maimon Scans
 
  • sU : This performs the UDP scan. It sends the UDP packets to check the status of the ports.
 
UDP scans are slower and time taking. 
 
Sometimes in nmap scans happens a host responds slow and nmap remain busy in checking the status of that host. TO overcome this problem we can use host timeout.
 
[email protected]# nmap 192.168.54.1/24 -sU –host-timeout 2m
 
 
 
  • sN: TCP NULL. In this there is no flag is set into the packet. The flag is set to zero.
  • sF: FIN Scan. In this type only the TCP FIN bit is set.
  • sX: Xmas Scan. In this scann three flags are set FIN, PSH and URG.
 
 
These scans use the different set of flags. You can customize your flags by –scanflags.
 
  • sO: IP protocol scan. This scan helps to determine which protocol(ICMP, UDP, TCP etc) is supported by the host and at which port.
 
Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands
  • p:  This option is used to specify the range of the port, or specific ports
 
 
 
If you want to scan some specific ports of host(s) on UDP and TCP.
 
[email protected]#nmap 192.168.54.2 U:53,111,137,T:22,80,8080 -sU -sS
 
Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands
Sometimes a situation happens when service are changed or shifted to another ports. So to check on what port particular services are running.
 
[email protected]# nmap host -p http,https,ftp
 
Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands
Scan port excluding few port
 
[email protected]#  nmap host -v –exclude-port 80,21,443,22-50
 
 
 
Check Which service are running on port and what version it have with nmap.
 
[email protected]# nmap 192.168.54.2 -v -sV
 
Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands
 
Within this command nmap 192.168.54.2 -v -sV  we can add –version-intensity 1-9. By default its value is 7.
 
another extension are :
 
  • –version-light (Intensity 2)
  • –version-all (Intensity 9)
 

Operating System Detection

 Operating system of the target host can be found with nmap -O extension.
 
[email protected]# nmap 192.168.52.2 -O -v
 
The operating system is visible in the result of above command.
 
Nmap: Port Scan, Vulnerability Scan, Aggressive Scan Commands
 
To save the time and stop the nmap to stop wasting time on non-promising hosts we can specify   –osscan-limit. Non promising hosts are those hosts which do not have any port open or closed. 
 
[email protected]#nmap hosts -O -v –osscan-limit
 
 
To make the above command more robust add -Pn. Which means scan every host irrespective its alive or dead and have atleast one port open or closed.
 
[email protected]# nmap 192.168.54.2 -O -v -Pn –osscan-limit.
 
 
 
When nmap unable to detect a operating system we can use another technique where nmap guess the operating system.
 
[email protected]# nmap host -O –version-all -v -Pn –osscan-guess -max-retries 1
Here max retries is set to 1 because its by default 5 which is time consuming. For  better luck change its value to higher value.
 
Instead of –osscan-guess there is another option –fuzzy can be also used.
 
So that’s was all for today.
 
Thank you.

Leave a Comment