So every time you want to pentest / hack something, we normally start with an NMAP scan. Interestingly, targets have started taking measures to safeguard themselves, and hence it is worth knowing how to use NMAP effectively. In this guide we will see the basic details and meaning of the majority of the options available in NMAP.

Part 1 : https://www.ethicalhackx.com/nmap-tutorial-part-1/

NMAP Scan Types

TCP SYN Scan ( -sS )

In a TCP SYN scan the three-way handshake is never completed, so no session is created on the target system and your NMAP activity leaves no connection logs there. This means you can use it where hiding yourself is the first priority. root/administrator privileges are required for this scan.
We will also look at it in Wireshark to understand better what a TCP SYN scan, or half-open scan, is.

root@ETHICALHACKX:~# nmap -sS -p 80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:51 IST
Nmap scan report for 192.168.56.103
Host is up (0.00019s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
[Figure: TCP SYN Scan]

So we can see above in Wireshark that the TCP SYN scan does not complete the three-way handshake. The connect() call is never invoked, so no connection is established and hence no logs are written.

TCP Connect Scan ( -sT )

TCP Connect scan, unlike SYN scan, uses the operating system's connect() call, which creates a connection, so the three-way handshake is completed. This is the default scan when root/admin privileges are not available. Keep in mind that this is only for TCP and not UDP ports. We will also see in the Wireshark logs how this differs from a SYN scan.

root@ETHICALHACKX:~# nmap -sT -p 80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:53 IST
Nmap scan report for 192.168.56.103
Host is up (0.00022s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
root@ETHICALHACKX:~# 
[Figure: TCP Connect() scan]

Notice the difference in the SYN/ACK packets between the SYN and Connect() scans.

UDP Scan ( -sU)

UDP scan looks for open UDP ports on the target machine. If the response is appropriate, the port is open; otherwise it is closed.

root@ETHICALHACKX:~# nmap -sU 192.168.56.103 -F
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:54 IST
Nmap scan report for 192.168.56.103
Host is up (0.00030s latency).
Not shown: 93 closed ports
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
111/udp  open          rpcbind
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
2049/udp open          nfs
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 99.21 seconds
root@ETHICALHACKX:~# 

So we see the result is all the open UDP ports on the target machine.

FIN Scan ( -sF )

Since cyber awareness is on the rise, firewalls are in place, and they tend to drop SYN packets. Here the FIN scan comes to our rescue, as only the FIN flag is set; FIN is the "finished" flag, normally sent by the sender to end a connection. No TCP handshake takes place.

root@ETHICALHACKX:~# nmap -sF -p 80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:56 IST
Nmap scan report for 192.168.56.103
Host is up (0.00039s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

Again we can see in the Wireshark logs that no handshake occurs, and hence no logs are created.

[Figure: NMAP FIN Scan]

NULL Scan ( -sN )

All the TCP flags are set to NULL (none set), and most of the time the target host is not sure what to do in such a case; the result might be unreliable, as the packet is considered invalid. Windows servers are unlikely to give any useful information, but this is sometimes helpful where a non-Windows server is behind a firewall.

root@ETHICALHACKX:~# nmap -sN -p 80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:54 IST
Nmap scan report for 192.168.56.103
Host is up (0.00035s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
[Figure: NMAP NULL scan]

Xmas Scan ( -sX )

Just like the NULL scan, where every flag was cleared, here the flags are turned on: the Xmas scan sets the FIN, URG and PSH flags in the TCP header. Again, due to the TCP stack implementation in Windows machines, they won't respond.

root@ETHICALHACKX:~# nmap -sX -p80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 01:05 IST
Nmap scan report for 192.168.56.103
Host is up (0.00026s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

Notice the FIN, PSH and URG flags set in the Wireshark capture.

[Figure: NMAP Xmas Scan]
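The flag patterns described in the SYN, Connect, FIN, NULL and Xmas sections above are exactly what a defender looks for when reading a capture. The following is an added example (not from the original post or from the Nmap project): it builds constructed TCP headers, labels each by the probe shape its flags match, and detects the half-open SYN / SYN-ACK / RST pattern that distinguishes -sS from a completed connect() handshake. Function names and the sample capture are my own.

```python
import struct
from collections import Counter

# TCP flag bits; the flags byte sits at offset 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag patterns of the probe packet each scan type sends, as described above
PROBE_SIGNATURES = {
    SYN: "SYN probe (-sS or -sT)",
    FIN: "FIN probe (-sF)",
    0: "NULL probe (-sN)",
    FIN | PSH | URG: "Xmas probe (-sX)",
}

def build_tcp_header(src_port, dst_port, flags):
    """Constructed 20-byte TCP header with no options; seq, ack, window and
    checksum are placeholder values, only the flags byte matters here."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       5 << 4, flags, 1024, 0, 0)

def tcp_flags(header):
    """Return the six classic flag bits of a raw TCP header (ECN bits masked)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F

def classify_probe(header):
    """Label a segment by the scan probe its flags match, else 'other'."""
    return PROBE_SIGNATURES.get(tcp_flags(header), "other")

def is_half_open(exchange):
    """exchange: list of (direction, flags) in capture order, direction being
    'c2s' or 's2c'. True when the client answers SYN/ACK with RST instead of
    ACK: the half-open pattern a -sS probe leaves in Wireshark, whereas a -sT
    connect() scan sends the final ACK and completes the handshake."""
    steps = [(d, f & 0x3F) for d, f in exchange]
    return (len(steps) >= 3
            and steps[0] == ("c2s", SYN)
            and steps[1] == ("s2c", SYN | ACK)
            and steps[2][0] == "c2s" and steps[2][1] & RST != 0)

def probe_counts(segments):
    """Count probe labels across a capture; a burst of one kind from one
    source to many ports is what a NIDS port-scan rule alerts on."""
    return dict(Counter(classify_probe(seg) for seg in segments))

# Constructed sample capture: one probe of each kind plus a normal data segment
SAMPLE = [
    build_tcp_header(40000, 80, SYN),
    build_tcp_header(40001, 80, FIN),
    build_tcp_header(40002, 80, 0),
    build_tcp_header(40003, 80, FIN | PSH | URG),
    build_tcp_header(40004, 80, PSH | ACK),
]
```

A lone SYN is also how every legitimate connection starts, so flags alone cannot separate a -sS probe from normal traffic; is_half_open() shows the follow-up packet that does.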

RPC Scan

RPC scan (Remote Procedure Call) scans the target for any ports which respond to RPC calls. Since RPC services can run on a number of ports, this scan tries to list the RPC programs along with their versions. RPC allows remote calls to execute on the target system under certain conditions, and you are lucky if you get one of these, so sometimes it is a good idea to scan for it.

Bounce Scan

Bounce scan is named after an old loophole in the FTP protocol (mostly fixed now). When you scan through the FTP server it "bounces" the scan packets to the connected internal network, which is normally not accessible, and this may sometimes breach the firewall. So a valid FTP server must be present, attached to the network you are trying to "bounce scan".

Idle Scan

Idle scan is a very controversial method and a very stealthy one, as it can only be used for malicious purposes. It is one of the stealthiest scans. The packets need to bounce off a zombie host over which you do not need any control, but which has to meet some conditions.

Ping Scan ( -sP & -sn )

Ping scan is used to check if the host is alive. -sn means no port scan is done.

root@ETHICALHACKX:~# nmap -sn 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:58 IST
Nmap scan report for 192.168.56.103
Host is up (0.00032s latency).
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Version Detection ( -sV )

Version detection scans tell you the version of the services running on the respective ports. This helps you determine the related exploits for the particular versions, which greatly helps in hacking / penetration testing. In the result below I have scanned only a few ports to keep the result short, as Metasploitable2 has many open ports.

root@ETHICALHACKX:~# nmap -sV -p1-50 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:32 IST
Nmap scan report for 192.168.56.103
Host is up (0.0016s latency).
Not shown: 46 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open  telnet  Linux telnetd
25/tcp open  smtp    Postfix smtpd
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds

OS Detection Scan ( -O )

OS detection scan tries to guess the operating system on the target machine. The nmap-os-db database contains about 2600 operating system fingerprints; nmap sends TCP and UDP packets and compares the responses against the database to identify the operating system on the target machine. If you go through the lines you can notice this is mostly based on the ports detected. The OS detection scan may sometimes give unreliable results, and the result might match many entries in nmap-os-db.

root@ETHICALHACKX:~# nmap -O 192.168.56.102
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 00:04 IST
Nmap scan report for 192.168.56.102
Host is up (0.00040s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 08:00:27:6C:38:0C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds
root@ETHICALHACKX:~# nmap -O 192.168.56.103

In case of unreliable OS scan results, you might use the --osscan-guess argument.

Aggressive Scan ( -A )

Scan aggressively to harvest as much information as possible. Be careful about the network before you run this.

root@ETHICALHACKX:~# nmap -A 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 00:21 IST
Nmap scan report for 192.168.56.103
Host is up (0.00047s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: 2019-11-02T00:22:02+00:00; +5h29m58s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  shell       Netkit rshd
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 10
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, ConnectWithDatabase, SupportsCompression, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, Support41Auth
|   Status: Autocommit
|_  Salt: R^`I-DN9t]Si8y{|{wci
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2019-11-02T00:22:02+00:00; +5h29m59s from scanner time.
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 5h29m58s, deviation: 0s, median: 5h29m57s
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.56.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.08 seconds
root@ETHICALHACKX:~# 

Timing Template and Performance

Template   Name
-T0        Paranoid
-T1        Sneaky
-T2        Polite
-T3        Normal
-T4        Aggressive
-T5        Insane

This can be used like any other argument by appending -T5, -T4, and so on.

IDS Evasion while Scanning

In the scan types discussed above, we talked about nmap getting caught by firewalls and IPS/IDS. Let's scan with some evasion techniques.

Decoy Scan ( -D )

Specifying a Zombie machine while scanning: I wonder what it does when you specify an IP which belongs to the same internal network as the scan initiator. Watch the Wireshark log for the Decoy scan. Keep in mind that router path tracing can reveal the actual IP of the machine doing the scan behind the Zombie IP. And the Zombie IP you are using had better be up.

root@ETHICALHACKX:~# nmap -p 22 -D 192.168.56.111 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 00:38 IST
Nmap scan report for 192.168.56.103
Host is up (0.00034s latency).

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
root@ETHICALHACKX:~# 

Fragmented Scan ( -f )

Fragmented packets means the actual IP packet is divided into smaller pieces so that packet captures / filters can be evaded. Also be cautious that fragmented packets sometimes might not be usable at the other end on the target machine, so it all depends on the scan type and the timing of the packets here.

Spoof Source Port Number ( --source-port ; -g )

What if a firewall is set up to allow/drop packets from a particular port number? Or the network admin is monitoring your nmap activities coming from a fixed port? Or say you just want the traffic to appear to come from a fixed port number of your choice.

root@ETHICALHACKX:~# nmap -p 44 -g 22 -D 192.168.56.222 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 01:03 IST
Nmap scan report for 192.168.56.103
Host is up (0.00037s latency).

PORT   STATE  SERVICE
44/tcp closed mpm-flags
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

I have combined the Decoy scan and source port here.

[Figure: NMAP Change Source Port]

Nmap Scripts

Default Script Scan ( -sC )

Banner Grabbing Scan ( --script banner )

root@ETHICALHACKX:~# nmap -script banner 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 01:01 IST
Nmap scan report for 192.168.56.103
Host is up (0.0013s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp   open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp   open  telnet
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
25/tcp   open  smtp
|_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
|_banner: \x01Where are you?
513/tcp  open  login
514/tcp  open  shell
|_banner: \x01getnameinfo: Temporary failure in name resolution
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
|_banner: root@metasploitable:/#
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
|_banner: 220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.56.103]
3306/tcp open  mysql
| banner: >\x00\x00\x00\x0A5.0.51a-3ubuntu5\x00\x0D\x00\x00\x00@>TnO|E$\x
|_00,\xAA\x08\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\...
5432/tcp open  postgresql
5900/tcp open  vnc
|_banner: RFB 003.003
6000/tcp open  X11
6667/tcp open  irc
| banner: :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostna
|_me...\x0D\x0A:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resol...
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.67 seconds
root@ETHICALHACKX:~# 

So these were the basics of NMAP; I hope this was informative and useful. In the next part we will see some useful nmap scripts, like scanning a target for vulnerabilities with nmap, and more.
