Basic Port Scanning with nmap


2020/11/01

drt


If you’ve ever looked into cyber security, or any type of penetration testing tutorial, chances are you’ve come across nmap. This tool is one of the most comprehensive port scanners around. There are plenty of options to choose from, and nmap is built to be extendable with user-created scripts. nmap can be used to determine the version of the service on a port, the host OS, and even for vulnerability scanning. This post will cover the basics of nmap and get you on your way to your first scan. Even if you’ve used nmap before, it’s always good to get back to the basics. Let’s dive in!

Installation

If you’re using a security-focused Linux distribution such as Kali Linux, Parrot OS, or BlackArch, then you won’t need to install nmap; these distros tend to ship with it already installed. If you’re using any other Linux distribution, chances are you can install it via your package manager.

Ubuntu / Debian Variants

sudo apt install -y nmap

Fedora

sudo dnf install nmap

CentOS / RHEL

sudo yum install nmap

Arch / Manjaro

sudo pacman -S nmap

Basic Usage

A basic nmap invocation needs one argument, a host. This can be either an IP address or an FQDN (fully qualified domain name). Be sure not to include http:// or https:// in the host.

nmap zonetransfer.me
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 19:01 EDT
Nmap scan report for zonetransfer.me (5.196.105.14)
Host is up (0.14s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
443/tcp  open     https
646/tcp  filtered ldp
4000/tcp open     remoteanything
8080/tcp open     http-proxy

Nmap done: 1 IP address (1 host up) scanned in 8.68 seconds

Understanding the Output

By default, nmap scans the top 1,000 most common ports. The output from nmap starts with a header giving the version and the time the scan was started; this is the first thing displayed when a scan starts. If you’re running a long scan, you can press Enter to get a progress update and an estimated time remaining. Also by default, only non-closed ports are displayed.

The output will display a small table showing the PORT and its protocol, its STATE (any non-closed state), and the SERVICE that the port usually occupies. It’s important to note that there is no banner grabbing or version checking at this time. For example, if I decided to run my SSH daemon server on port 443 instead of 22, nmap would display that port 443 was open, and the service was https, not SSH.

[screenshot: nmap basic scan]

There are six possible states that nmap reports for ports. Below is a table with each possible state and its meaning.

STATE            MEANING
open             An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.
open|filtered    nmap cannot determine whether the port is open or filtered. This happens when an open port does not return a response; the lack of response could mean that the packet was dropped by a packet filter.
closed           The host is up and nmap can communicate with the port, but there is no service listening on it.
closed|filtered  nmap is unable to determine whether the port is closed or filtered. This state is only used for the IP ID idle scan.
filtered         nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. This is the most annoying response to receive.
unfiltered       nmap cannot determine whether the port is open or closed, but the port is accessible. Applicable only to the ACK scan.
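To show how the table and the "Not shown:" line fit together, here is an added Python example (not code from the original post) that parses nmap's normal output into structured records and rejects any state outside the six listed above. The sample text is constructed to mirror the scan output shown on this page, not captured from a live scan.

```python
import re

# Constructed sample in nmap's normal output format, modelled on the scan
# output shown on this page (not captured from a live scan).
SAMPLE = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 20:00 EDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.085s latency).
Not shown: 999 open|filtered ports, 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
646/tcp   filtered ldp
123/udp   open     ntp
"""

# The six port states nmap reports, as listed in the table above.
STATES = {"open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered"}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([0-9a-fA-F.:]+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"(\d+) ([\w|]+) ports?")

def parse_nmap_output(text):
    """Parse nmap's normal (human-readable) output into a dict."""
    report = {"host": None, "address": None, "not_shown": {}, "ports": []}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report["host"], report["address"] = m.group(1), m.group(2)
            continue
        if line.startswith("Not shown:"):
            # e.g. "Not shown: 999 open|filtered ports, 995 closed ports"
            for count, state in NOT_SHOWN_RE.findall(line):
                report["not_shown"][state] = int(count)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            if state not in STATES:  # anything else means the format changed
                raise ValueError(f"unexpected port state: {state}")
            report["ports"].append({"port": int(port), "proto": proto,
                                    "state": state, "service": service})
    return report

def open_ports(report, proto=None):
    """Return (port, proto) pairs reported open, optionally for one protocol."""
    return [(p["port"], p["proto"]) for p in report["ports"]
            if p["state"] == "open" and (proto is None or p["proto"] == proto)]
```

Remember that the SERVICE column is only the name nmap associates with the port number; nothing here verifies what is actually listening.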

To sudo or Not to sudo

There are some flags that require nmap to be run with sudo. When scanning TCP ports, nmap by default uses Berkeley sockets to perform a full TCP handshake and confirm that the port is open. This is the connect scan; it can be invoked explicitly with -sT, and it is what an unprivileged nmap uses when no scan type is given.

nmap offers a faster TCP scan, -sS, the SYN scan, also known as a stealth (or half-open) scan. In this scan, nmap doesn’t complete the TCP handshake: it sends a SYN packet, and if the server responds with a SYN/ACK the port is open; nmap then sends a RST instead of finishing the handshake and moves on to the next port. For nmap to craft packets this way, it must use raw sockets, which require elevated privileges on a Linux system.

[screenshot: nmap using sudo]

If you try to run an option that requires elevated privileges without them, nmap will tell you so and will not fall back to a different type of scan. Another option that requires sudo is UDP scanning. To scan UDP ports, use the -sU option. This can be combined with the stealth scan to do a solid TCP and UDP scan against a target.

sudo nmap -sS -sU scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 20:00 EDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.085s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 999 open|filtered ports, 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
646/tcp   filtered ldp
9929/tcp  open     nping-echo
31337/tcp open     Elite
123/udp   open     ntp

Nmap done: 1 IP address (1 host up) scanned in 6.88 seconds

Ports and Port Ranges

The top 1000 most common ports are great, but what if you wanted a more controlled (or comprehensive) scan? If you want to speed up your port scan, you can tell nmap to only scan the top 100 ports using -F.

nmap -sT -F example.org

Taking this one step further, nmap provides a --top-ports flag that allows the user to scan the top n ports where n must be greater than one.

sudo nmap -sS --top-ports=33 example.org

Looking for a more targeted scan? The -p flag allows a user to scan individual ports, separated by commas. For example, if you’re looking for only web servers, you might scan only the common web (and dev) ports.

nmap -p 80,443,8080 bitbangbyte.com

We can go in the opposite direction and define a range of ports to scan. If we wanted to scan all ports on a system, we can use a command similar to the following:

nmap -p 1-65535 scanme.nmap.org

The downside to all the previous examples is that they only scan TCP ports. We can specify particular TCP and/or UDP ports (and ranges) by prefixing the port list given to -p with U: or T:.

Note: Using U: requires -sU as a scan argument, otherwise nmap will complain.

To scan specific ports/ranges on both TCP and UDP:

sudo nmap -sS -sU -p U:123,T:22,80,9900-9999 scanme.nmap.org

[screenshot of the previous examples]
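As an added example (not code from the original post), this Python helper builds the -p U:/T: specification above from structured port lists, collapsing consecutive ports into ranges and adding -sU whenever UDP ports are requested, since nmap complains otherwise. The function names and the sudo/-sS/-sT handling are my own assumptions about how a wrapper script might be laid out.

```python
def compress_ports(ports):
    """Turn [22, 80, 9900, 9901, ..., 9999] into ['22', '80', '9900-9999']."""
    out, start, prev = [], None, None
    for p in sorted(set(ports)):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p  # still inside a consecutive run
        else:
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = p
    if start is not None:
        out.append(str(start) if start == prev else f"{start}-{prev}")
    return out

def build_scan_args(target, tcp=(), udp=(), syn_scan=True):
    """Return the argv for an nmap port scan.

    -sU is added whenever UDP ports are given (the U: prefix needs it), and
    sudo is prepended when the scan type needs raw sockets (-sS or -sU).
    """
    if not tcp and not udp:
        raise ValueError("at least one TCP or UDP port is required")
    spec = []
    if udp:
        spec.append("U:" + ",".join(compress_ports(udp)))
    if tcp:
        spec.append("T:" + ",".join(compress_ports(tcp)))
    args = ["nmap"]
    if tcp:
        args.append("-sS" if syn_scan else "-sT")
    if udp:
        args.append("-sU")
    args += ["-p", ",".join(spec), target]
    needs_root = "-sS" in args or "-sU" in args
    return (["sudo"] if needs_root else []) + args
```

Passing the returned list to subprocess.run avoids shell quoting issues entirely.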

Version Scanning

As I mentioned earlier, if I were to run my SSH daemon on port 443 instead of 22, nmap would report that port 443 is open and running the HTTPS service. Believe it or not, this happens. Admins will sometimes run services on different, and strange, ports, perhaps thinking it’s some form of security through obscurity. Either way, we can have nmap send a series of probes to the port to try to determine the service and version running. We enable this by adding -sV to our command arguments.

[screenshot: nmap version detection]

Take a look at the screenshot above. Notice how the first scan returns the service as SSH. Adding in version detection correctly identified the service as HTTP and an nginx server.

If you’re interested in testing this on your own machine, I recommend running Docker containers and doing some port mapping so that services are running on strange ports. To replicate the example above:

docker run -it --rm -p 22:80 nginx:alpine

OS Detection

The last scan option we’ll cover this time round is OS detection, one of nmap’s best-known features. This is achieved by TCP/IP stack fingerprinting. Every operating system implements the stack a little differently, and nmap can leverage that in an attempt to figure out what operating system and version the target is running. It sends over a load of TCP and UDP packets and meticulously analyzes the responses.

Do not take these results as gospel. There are times when nmap will get the OS wrong. For example, the result might return Linux kernel 2.4 when the target is on a later kernel version (like 5.8). I’ve seen this happen, but at least you can assume that the OS is indeed Linux. There might be times that nmap gets it completely wrong. If nmap cannot match a known OS, it will return the fingerprint it collected, which you can submit back to the community to improve the results! Try it out with different machines on your local network and see what it comes up with. OS detection is enabled by adding the -O option, along with sudo (required). Here is the result for a VM on my network.

[screenshot: nmap OS detection]

Conclusion

We covered a lot of different options we can incorporate when scanning a host using nmap. Combining them all will give you a very comprehensive analysis of your target. This is just the tip of the iceberg when it comes to nmap’s capabilities. In future posts, we’ll go more in-depth into nmap and use some of its more advanced techniques. As a final example, rounding out all the topics covered today, here is a combination of a TCP scan against all ports with version and OS detection.

[screenshot: nmap full scan]

Make sure that you only use nmap on your local machines, or machines you have permission to run scans on! Running comprehensive scans on hosts can generate a lot of traffic and data over the network. The nmap.org website has a subdomain that allows users to test against, scanme.nmap.org. Running a full port scan with UDP and TCP, OS detection, and version detection took over 30 minutes before I decided to stop it; when I checked its progress it was about 0.48% complete. So please, don’t be a jerk, and scan responsibly. Happy hacking!