Running scans with Nmap
Various examples of how to run different types of scans using Nmap.
Intro: Different types of scans with Nmap
In this practical exercise we will see how to use nmap to perform different types of scans through which we will obtain different details about our target. For this exercise I will use a local lab I have created for Active Directory practices as the target. This lab runs in VMware locally and consists of the following machines:
Type
IP
DC: Domain Controller
192.168.31.131
Client1: Win 10 Enterprise
192.168.31.132
Client2: Windows 10 Pro
192.168.31.133
This lab is intended to practice certain vulnerabilities of various types, some of them detailed below:
LLMNR and NBT-NS Poisoning
SMB Relay Attacks
Kerberoasting
BloodHound and other enumeration tools
Golden Ticket
Token Impersonation
IPv6 DNS Takeover Attacks
Credentials Dumping with Mimikatz
With this in mind it should help us obtain information through the different types of scans using Nmap that we will see in this exercise.
Part 1: Basic Scans.
In this first part of the practical we will see the simplest scans we can perform with nmap.
Pinging with Nmap.
The first thing we can try is how to ping our target. For now let's start with a single target IP, that of the domain controller.
To do a simple scan of a host with nmap we can use the following switch -sn, it returns several details about the target besides informing us if the host is up, such as latency and the host's MAC address.
The full command is as follows:
nmap -sn 192.168.31.131
With this simple scan we obtained the following information about our target:
Information Obtained
Value
Host Status (Up/Down)
Host is up
MAC Address
00:0C:29:1C:F8:3D (VMware)
Latency
0.00039s
Detecting the Operating System.
To detect the target's operating system we can use the following nmap switch: -O. Which gives us the following output in the console:
The full command looks like this:
sudo nmap -O 192.168.31.131
This switch requires being executed with privileges.
As we can see this scan not only tries to detect the OS (OS fingerprinting), but also runs some additional analyses such as detection of common ports and detection of services running on each port.
In this case we see that it was not possible to detect the OS correctly, possibly due to some of the settings I have made in the local lab. It is important to know that we have an alternative switch to try to detect the OS more aggressively: --osscan-guess .
Let's see what the output looks like when it manages to detect it correctly:
We also see that it includes the data we saw in the previous scan.
Information Obtained
Value
List of open ports and their services
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Network distance to the host
1 hop
Possible Operating System Version (Example host)
Windows XP SP3 or Windows Server 2012
Scanning specific ports.
To scan certain ports we can use the switch -p which allows us to specify a series of specific ports to scan.
The command looks like this:
nmap -p 53,88,389,445 192.168.31.134
This way we can scan the desired ports.
If we want to scan a particular range of ports we can do it as follows:
nmap -p 54-445 192.168.31.131
Scanning all ports (65535).
If instead we want to scan all ports we can do it as follows, using the switch -p-.
The command looks like this:
nmap -p- 192.168.31.131
For this particular host I used the switch -Pn which allows us to tell nmap not to perform pings. Necessary for targets that do not respond to ping (ICMP) echo requests.
Version Scan.
To perform a scan that helps us identify the versions of the services running on the target we can use the following switch -sV.
The command looks like this:
nmap -sV 192.168.31.131
TCP/IP Full Open Scan
If we want to perform a fully open scan, we can use the switch -sT. In this type of scan it generally ensures a response since the session is initiated in full (SYN, SYN+ACK, ACK, RST).
Important: This scan is easily detected by firewalls and other security measures.
To perform this scan the command is as follows:
nmap -sT 192.168.31.131
Stealth Scan (Half-open)
In many cases we need to perform scans without alerting or triggering detections on the target side. For these cases nmap has the switch -sS. In this type of scan the session does not complete correctly, and only the packets SYC, SYNC+ACK and RST are used. When the target responds, the client instead of responding with ACK responds directly with RST.
This command requires privileges to run (sudo).
To run this type of scan the command looks like this:
nmap -sS 192.168.31.131
As I explained before the additional switch -Pn is necessary for hosts that do not respond to ping requests (ICMP Echo Requests) as is the case with this target I am using.
Scan machines on the network
If we want to get an overview of the machines that are active on the network we are scanning we can use the switch -sP. It may take some time to finish depending on how extensive our network is. In this case the target lab is quite small.
We can use the command like this:
nmap -sP 192.168.31.*
Note that in this case we are passing part of the IP, and indicate the last value as * so that nmap automatically scans all the machines that are part of the same subnet.
Alternatively we can use the switches -PS (SYN Ping) or -PR (ARP Scan) which return results like these:
For the moment we will not explain the use of the additional switches/flags that you can see in the previous image. We will cover those later in this exercise.
Scan with Default scripts
Nmap includes scripts (NSE) that allow us to indicate if during the scan we also want nmap to try to run the scripts it comes with. These scripts test common vulnerabilities that can provide good information about the target and about how to exploit them to gain access. This is done using the switch -sC.
The command for this type of scan is the following:
nmap -sC 192.168.31.131
We see that the results we obtain include a lot of information about the domain controller (in this case) scanned. These results vary depending on which target we are scanning and which vulnerabilities nmap can detect for each particular case.
Part 2: Multiple scans.
In this part of the practical we will see some more advanced scans and begin to use several switches or flags at the same time in our commands.
Let's say I want to quickly obtain all the information we saw in the individual scans, to have an overall view of the target as soon as possible. Normally when I run a scan with nmap for a lab I start keeping the following in mind:
Types of data I need to obtain
Types of data I would like to obtain
How quickly I want to obtain the results
Usually in practice labs or Capture The Flag type challenges, I use the following set of nmap switches or flags:
sudo nmap -sC -sV -Pn -p- -T5 -O -v -oN results 192.168.31.131
As we can see in that previous line, there are several new switches or flags that we are passing to nmap that we have not seen in this exercise yet. Let's see one by one what function they perform.
Switch/Flag
Function
-T5
Indicates the scan speed. Possible values 1 to 5, with 5 being the highest. (Increases the likelihood of our scan being detected by the target's defense mechanisms)
-v
Tells nmap to produce verbose output, providing the user with a lot of detail about each scan and its result.
-oN <outputFile>
Tells nmap to generate an output file with the results. In this case in common (text) format.
This type of scan usually results in extensive output in the console, so it's a good idea to save it directly to a file to consult when necessary.
The result of this scan in its entirety can be seen in the following block, since it does not warrant capturing it entirely in images:
In this way we saw various types of scans that we can perform with nmap to obtain important information about our target. In the next section we will quickly compile all the data we managed to obtain throughout this exercise about the scanned target.
Part 3: Gathering the information.
In this part we will compile and present all the information we obtained from all the types of scans practiced.
During this exercise we saw how we can use a subset of functionalities offered by nmap to perform different types of scans on our target in order to obtain a series of details for our pentest.
Data
Detail
Open ports and services (DC)
53 (domain Simple DNS Plus) 135 (MS Windows RPC) 139 (MS Netbios SSN) 445 (MS DS) 49703 (MS Win RPC) 9389 (.NET Message Framing) 49667 ( MS Win RPC) 3268 (MS Active Directory LDAP)
3269 (MS Active Directory LDAP) 636 (SSL LDAP) 49674 (MS Win RPC) 49666 (MS Win RPC) 593 (MS Win RPC Over HTTP 1.0) 5985 (Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP))
49673 (Microsoft Win RPC over HTTP 1.0)
88 (MS Kerberos)
464 (kpasswd5)
49710 (MS Win RPC)
49686 (MS Win RPC)
389 (MS Active Directory LDAP).
Domain Controller Domain Name
Chukaro-DC.CHUKARO.local
Operating System
MS Windows
Active machines in the DC's subnet
192.168.31.1
192.168.31.2
192.168.31.131 (DC) 192.168.31.31.132 (Client1) 192.168.31.31.133 (Client2)
192.168.31.31.134
This is where we finish this nmap scanning exercise; we saw how to execute different types of scans to obtain various pieces of information and learned the basic use of nmap.
Last updated
Was this helpful?