Since Nmap is probably the most widely used port scanner for penetration testing, I figured I would provide a little more detail about some of the features that we use all the time, but maybe hadn’t considered how they work.
Whenever you kickoff a scan, Nmap will first send probing packets to the target to determine if it is “up”.
For UID 0 users, Nmap sends:
- If target is on the same subnet as the attacker, Nmap sends an ARP request
- If the target is on a different subnet, Nmap sends an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP Timestamp Request
For non-UID 0 users, Nmap sends a TCP SYN to port 80 and a TCP SYN to port 443.
To perform a sweep against a subnet using this default behavior, you would use nmap -sP [targetIP]. While the -sP is commonly (and misleadingly) known as the ping scan option, it doesn’t just ping with ICMP.
Nmap Service Detection:
When you perform an Nmap scan with the default options, the results will include the SERVICE column. That column does not reflect the service that is listening on the port, but rather the service specified in the “nmap-protocols” file. You can test this by changing the listening port in the sshd_config file from 22 to 23, starting the service, and then scanning with Nmap. Nmap will report that telnet is listening on port 23 instead of SSH. You should not depend on the SERVICE column when scanning with the default options.
For that reason is important to also perform service detection. Nmap service detection (-sV) works by probing the specified ports and matching the probe response to a string that will indicate the running service. All of the probes and matches are located in the file “nmap-service-probes”. In that file, the lines that start with “Probe” indicate the messages to send to target services, while the lines that start with “match” indicate the response text to look for when identifying the given service.
Nmap Scripting Engine (NSE):
NSE scripts extend Nmap’s features by adding scripts (written in Lua) that can do a variety of things, such as more aggressive fingerprinting, brute forcing, conduct vulnerability scanning, look for backdoors, etc. Each script is used in one or more categories, which are defined locally in the “script.db” file. NSE scripts can either be called individually (–script=ssl-enum-ciphers), by category (–script “default”), or by using logical operators (nmap –script “(default or safe or intrusive) and not http-*”).
One particular command I often see run is nmap -A [targetIP]. The -A switch does -O -sV -sC –traceroute. The thing to note is the -sC command runs all scripts in the NSE Default category, so if you’re not sure which scripts are in that category, you may not want to use the -A option. A great idea would be to customize your script.db file and select specify which scripts run in the Default category.