Running scans with Nmap
Various examples of how to run different types of scans using Nmap.
Intro: Different types of scans with Nmap
In this practical exercise we will see how to use nmap to perform different types of scans through which we will obtain different details about our target. For this exercise I will use a local lab I have created for Active Directory practices as the target. This lab runs in VMware locally and consists of the following machines:
Type
IP
DC: Domain Controller
192.168.31.131
Client1: Win 10 Enterprise
192.168.31.132
Client2: Windows 10 Pro
192.168.31.133
This lab is intended to practice certain vulnerabilities of various types, some of them detailed below:
LLMNR and NBT-NS Poisoning
SMB Relay Attacks
Kerberoasting
BloodHound and other enumeration tools
Golden Ticket
Token Impersonation
IPv6 DNS Takeover Attacks
Credentials Dumping with Mimikatz
With this in mind it should help us obtain information through the different types of scans using Nmap that we will see in this exercise.
Part 1: Basic Scans.
In this first part of the practical we will see the simplest scans we can perform with nmap.
Pinging with Nmap.
The first thing we can try is how to ping our target. For now let's start with a single target IP, that of the domain controller.
To do a simple scan of a host with nmap we can use the following switch -sn, it returns several details about the target besides informing us if the host is up, such as latency and the host's MAC address.
The full command is as follows:
nmap -sn 192.168.31.131
With this simple scan we obtained the following information about our target:
Information Obtained
Value
Host Status (Up/Down)
Host is up
MAC Address
00:0C:29:1C:F8:3D (VMware)
Latency
0.00039s
Detecting the Operating System.
To detect the target's operating system we can use the following nmap switch: -O. Which gives us the following output in the console:
The full command looks like this:
sudo nmap -O 192.168.31.131
This switch requires being executed with privileges.
As we can see this scan not only tries to detect the OS (OS fingerprinting), but also runs some additional analyses such as detection of common ports and detection of services running on each port.
In this case we see that it was not possible to detect the OS correctly, possibly due to some of the settings I have made in the local lab. It is important to know that we have an alternative switch to try to detect the OS more aggressively: --osscan-guess .
Let's see what the output looks like when it manages to detect it correctly:
We also see that it includes the data we saw in the previous scan.
Information Obtained
Value
List of open ports and their services
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Network distance to the host
1 hop
Possible Operating System Version (Example host)
Windows XP SP3 or Windows Server 2012
Scanning specific ports.
To scan certain ports we can use the switch -p which allows us to specify a series of specific ports to scan.
The command looks like this:
nmap -p 53,88,389,445 192.168.31.134
This way we can scan the desired ports.
If we want to scan a particular range of ports we can do it as follows:
nmap -p 54-445 192.168.31.131
Scanning all ports (65535).
If instead we want to scan all ports we can do it as follows, using the switch -p-.
The command looks like this:
nmap -p- 192.168.31.131
For this particular host I used the switch -Pn which allows us to tell nmap not to perform pings. Necessary for targets that do not respond to ping (ICMP) echo requests.
Version Scan.
To perform a scan that helps us identify the versions of the services running on the target we can use the following switch -sV.
The command looks like this:
nmap -sV 192.168.31.131
TCP/IP Full Open Scan
If we want to perform a fully open scan, we can use the switch -sT. In this type of scan it generally ensures a response since the session is initiated in full (SYN, SYN+ACK, ACK, RST).
Important: This scan is easily detected by firewalls and other security measures.
To perform this scan the command is as follows:
nmap -sT 192.168.31.131
Stealth Scan (Half-open)
In many cases we need to perform scans without alerting or triggering detections on the target side. For these cases nmap has the switch -sS. In this type of scan the session does not complete correctly, and only the packets SYC, SYNC+ACK and RST are used. When the target responds, the client instead of responding with ACK responds directly with RST.
This command requires privileges to run (sudo).
To run this type of scan the command looks like this:
nmap -sS 192.168.31.131
As I explained before the additional switch -Pn is necessary for hosts that do not respond to ping requests (ICMP Echo Requests) as is the case with this target I am using.
Scan machines on the network
If we want to get an overview of the machines that are active on the network we are scanning we can use the switch -sP. It may take some time to finish depending on how extensive our network is. In this case the target lab is quite small.
We can use the command like this:
nmap -sP 192.168.31.*
Note that in this case we are passing part of the IP, and indicate the last value as * so that nmap automatically scans all the machines that are part of the same subnet.
Alternatively we can use the switches -PS (SYN Ping) or -PR (ARP Scan) which return results like these:
For the moment we will not explain the use of the additional switches/flags that you can see in the previous image. We will cover those later in this exercise.
Scan with Default scripts
Nmap includes scripts (NSE) that allow us to indicate if during the scan we also want nmap to try to run the scripts it comes with. These scripts test common vulnerabilities that can provide good information about the target and about how to exploit them to gain access. This is done using the switch -sC.
The command for this type of scan is the following:
nmap -sC 192.168.31.131
We see that the results we obtain include a lot of information about the domain controller (in this case) scanned. These results vary depending on which target we are scanning and which vulnerabilities nmap can detect for each particular case.
Part 2: Multiple scans.
In this part of the practical we will see some more advanced scans and begin to use several switches or flags at the same time in our commands.
Let's say I want to quickly obtain all the information we saw in the individual scans, to have an overall view of the target as soon as possible. Normally when I run a scan with nmap for a lab I start keeping the following in mind:
Types of data I need to obtain
Types of data I would like to obtain
How quickly I want to obtain the results
Usually in practice labs or Capture The Flag type challenges, I use the following set of nmap switches or flags:
sudo nmap -sC -sV -Pn -p- -T5 -O -v -oN results 192.168.31.131
As we can see in that previous line, there are several new switches or flags that we are passing to nmap that we have not seen in this exercise yet. Let's see one by one what function they perform.
Switch/Flag
Function
-T5
Indicates the scan speed. Possible values 1 to 5, with 5 being the highest. (Increases the likelihood of our scan being detected by the target's defense mechanisms)
-v
Tells nmap to produce verbose output, providing the user with a lot of detail about each scan and its result.
-oN <outputFile>
Tells nmap to generate an output file with the results. In this case in common (text) format.
This type of scan usually results in extensive output in the console, so it's a good idea to save it directly to a file to consult when necessary.
The result of this scan in its entirety can be seen in the following block, since it does not warrant capturing it entirely in images:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -Pn -p- -T5 -O -v -oN results 192.168.31.131
[sudo] password for kali:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-06 13:48 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:48
Completed NSE at 13:48, 0.00s elapsed
Initiating NSE at 13:48
Completed NSE at 13:48, 0.00s elapsed
Initiating NSE at 13:48
Completed NSE at 13:48, 0.00s elapsed
Initiating ARP Ping Scan at 13:48
Scanning 192.168.31.131 [1 port]
Completed ARP Ping Scan at 13:48, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.01s elapsed
Initiating SYN Stealth Scan at 13:48
Scanning 192.168.31.131 [65535 ports]
Discovered open port 53/tcp on 192.168.31.131
Discovered open port 135/tcp on 192.168.31.131
Discovered open port 139/tcp on 192.168.31.131
Discovered open port 445/tcp on 192.168.31.131
Discovered open port 49703/tcp on 192.168.31.131
Discovered open port 9389/tcp on 192.168.31.131
Discovered open port 49667/tcp on 192.168.31.131
Discovered open port 3268/tcp on 192.168.31.131
Discovered open port 636/tcp on 192.168.31.131
Discovered open port 49674/tcp on 192.168.31.131
Discovered open port 49676/tcp on 192.168.31.131
Discovered open port 3269/tcp on 192.168.31.131
Discovered open port 49666/tcp on 192.168.31.131
SYN Stealth Scan Timing: About 45.08% done; ETC: 13:49 (0:00:38 remaining)
Discovered open port 593/tcp on 192.168.31.131
Discovered open port 5985/tcp on 192.168.31.131
Discovered open port 49673/tcp on 192.168.31.131
Discovered open port 88/tcp on 192.168.31.131
Discovered open port 464/tcp on 192.168.31.131
Discovered open port 49710/tcp on 192.168.31.131
Discovered open port 49686/tcp on 192.168.31.131
Discovered open port 389/tcp on 192.168.31.131
Completed SYN Stealth Scan at 13:49, 55.14s elapsed (65535 total ports)
Initiating Service scan at 13:49
Scanning 21 services on 192.168.31.131
Completed Service scan at 13:50, 53.60s elapsed (21 services on 1 host)
Initiating OS detection (try #1) against 192.168.31.131
Retrying OS detection (try #2) against 192.168.31.131
NSE: Script scanning 192.168.31.131.
Initiating NSE at 13:50
Completed NSE at 13:51, 40.06s elapsed
Initiating NSE at 13:51
Completed NSE at 13:51, 0.07s elapsed
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
Nmap scan report for 192.168.31.131
Host is up (0.00045s latency).
Not shown: 65514 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-12-06 18:49:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: CHUKARO.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Chukaro-DC.CHUKARO.local
| Subject Alternative Name: othername:<unsupported>, DNS:Chukaro-DC.CHUKARO.local
| Issuer: commonName=CHUKARO-CHUKARO-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-24T20:30:01
| Not valid after: 2021-11-24T20:30:01
| MD5: b134 42d1 5e7e 2394 dc8a 0eae 3e6f bb9f
|_SHA-1: 0fb3 428c 8b1f 8a6b b92a 785a a84e cc3f c393 74dd
|_ssl-date: 2020-12-06T18:51:20+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: CHUKARO.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Chukaro-DC.CHUKARO.local
| Subject Alternative Name: othername:<unsupported>, DNS:Chukaro-DC.CHUKARO.local
| Issuer: commonName=CHUKARO-CHUKARO-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-24T20:30:01
| Not valid after: 2021-11-24T20:30:01
| MD5: b134 42d1 5e7e 2394 dc8a 0eae 3e6f bb9f
|_SHA-1: 0fb3 428c 8b1f 8a6b b92a 785a a84e cc3f c393 74dd
|_ssl-date: 2020-12-06T18:51:20+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: CHUKARO.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Chukaro-DC.CHUKARO.local
| Subject Alternative Name: othername:<unsupported>, DNS:Chukaro-DC.CHUKARO.local
| Issuer: commonName=CHUKARO-CHUKARO-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-24T20:30:01
| Not valid after: 2021-11-24T20:30:01
| MD5: b134 42d1 5e7e 2394 dc8a 0eae 3e6f bb9f
|_SHA-1: 0fb3 428c 8b1f 8a6b b92a 785a a84e cc3f c393 74dd
|_ssl-date: 2020-12-06T18:51:20+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: CHUKARO.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Chukaro-DC.CHUKARO.local
| Subject Alternative Name: othername:<unsupported>, DNS:Chukaro-DC.CHUKARO.local
| Issuer: commonName=CHUKARO-CHUKARO-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-24T20:30:01
| Not valid after: 2021-11-24T20:30:01
| MD5: b134 42d1 5e7e 2394 dc8a 0eae 3e6f bb9f
|_SHA-1: 0fb3 428c 8b1f 8a6b b92a 785a a84e cc3f c393 74dd
|_ssl-date: 2020-12-06T18:51:20+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:1C:F8:3D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: CHUKARO-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat: NetBIOS name: CHUKARO-DC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:1c:f8:3d (VMware)
| Names:
| CHUKARO-DC<20> Flags: <unique><active>
| CHUKARO-DC<00> Flags: <unique><active>
| CHUKARO<00> Flags: <group><active>
| CHUKARO<1c> Flags: <group><active>
|_ CHUKARO<1b> Flags: <unique><active>
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-12-06T18:50:40
|_ start_date: N/A
NSE: Script Post-scanning.
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.56 seconds
Raw packets sent: 131159 (5.775MB) | Rcvd: 75 (3.856KB)
In this way we saw various types of scans that we can perform with nmap to obtain important information about our target. In the next section we will quickly compile all the data we managed to obtain throughout this exercise about the scanned target.
Part 3: Gathering the information.
In this part we will compile and present all the information we obtained from all the types of scans practiced.
During this exercise we saw how we can use a subset of functionalities offered by nmap to perform different types of scans on our target in order to obtain a series of details for our pentest.
Data
Detail
Open ports and services (DC)
53 (domain Simple DNS Plus) 135 (MS Windows RPC) 139 (MS Netbios SSN) 445 (MS DS) 49703 (MS Win RPC) 9389 (.NET Message Framing) 49667 ( MS Win RPC) 3268 (MS Active Directory LDAP)
3269 (MS Active Directory LDAP) 636 (SSL LDAP) 49674 (MS Win RPC) 49666 (MS Win RPC) 593 (MS Win RPC Over HTTP 1.0) 5985 (Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP))
49673 (Microsoft Win RPC over HTTP 1.0)
88 (MS Kerberos)
464 (kpasswd5)
49710 (MS Win RPC)
49686 (MS Win RPC)
389 (MS Active Directory LDAP).
Domain Controller Domain Name
Chukaro-DC.CHUKARO.local
Operating System
MS Windows
Active machines in the DC's subnet
192.168.31.1
192.168.31.2
192.168.31.131 (DC) 192.168.31.31.132 (Client1) 192.168.31.31.133 (Client2)
192.168.31.31.134
This is where we finish this nmap scanning exercise; we saw how to execute different types of scans to obtain various pieces of information and learned the basic use of nmap.
Last updated
Was this helpful?