Learn Nmap Fundamentals and Scanning Techniques

Introduction

In this lab, you will learn the fundamentals of Nmap, a powerful network scanning tool commonly used in cybersecurity for network discovery and security auditing. You will explore how to use Nmap to scan networks, discover open ports, and identify running services.

By mastering these techniques, you will gain essential skills for network administration and security assessment. This hands - on experience will offer practical knowledge applicable in real - world scenarios, helping you understand network infrastructure and security considerations.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL cybersecurity(("Cybersecurity")) -.-> cybersecurity/NmapGroup(["Nmap"]) nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) cybersecurity/NmapGroup -.-> cybersecurity/nmap_installation("Nmap Installation and Setup") cybersecurity/NmapGroup -.-> cybersecurity/nmap_port_scanning("Nmap Port Scanning Methods") cybersecurity/NmapGroup -.-> cybersecurity/nmap_timing_performance("Nmap Timing and Performance") cybersecurity/NmapGroup -.-> cybersecurity/nmap_stealth_scanning("Nmap Stealth and Covert Scanning") nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/timing_performance("Timing and Performance") nmap/NmapGroup -.-> nmap/stealth_scanning("Stealth and Covert Scanning") subgraph Lab Skills cybersecurity/nmap_installation -.-> lab-415937{{"Learn Nmap Fundamentals and Scanning Techniques"}} cybersecurity/nmap_port_scanning -.-> lab-415937{{"Learn Nmap Fundamentals and Scanning Techniques"}} cybersecurity/nmap_timing_performance -.-> lab-415937{{"Learn Nmap Fundamentals and Scanning Techniques"}} cybersecurity/nmap_stealth_scanning -.-> lab-415937{{"Learn Nmap Fundamentals and Scanning Techniques"}} nmap/installation -.-> lab-415937{{"Learn Nmap Fundamentals and Scanning Techniques"}} nmap/port_scanning -.-> lab-415937{{"Learn Nmap Fundamentals and Scanning Techniques"}} nmap/timing_performance -.-> lab-415937{{"Learn Nmap Fundamentals and Scanning Techniques"}} nmap/stealth_scanning -.-> lab-415937{{"Learn Nmap Fundamentals and Scanning Techniques"}} end

Understanding Nmap Basics

Nmap, short for Network Mapper, is an open - source tool that plays a crucial role in network discovery and security auditing. In the world of cybersecurity, it's like a detective that uses raw IP packets to gather information. With Nmap, you can figure out which hosts are present on a network, what services those hosts are providing, the operating systems they're running, and other important characteristics.

Let's start our journey with the basics of Nmap. First, we need to open a terminal. The terminal is like a command - center where you can type in commands to interact with your system. You can open it by clicking on the terminal icon in the taskbar or by pressing Ctrl+Alt+T.

Once the terminal is open, we need to make sure we're in the project directory. The project directory is a specific folder where all our related files and operations for this experiment will take place. To navigate to the project directory, use the following command:

cd /home/labex/project

Now that we're in the right place, let's check the version of Nmap installed on our system. Knowing the version is important because different versions may have different features and behaviors. To check the version, run this command:

nmap --version

After running the command, you should see output similar to this. This output shows the version of Nmap installed on your system, along with some other information about the libraries it was compiled with and the available nsock engines.

Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Now, let's perform our very first basic Nmap scan. We'll scan our localhost, which is like a self - check of your own system. This scan will help us see what ports are open on our system. Ports are like doors in a building; different services use different ports to communicate. Run the following command:

nmap localhost

This command scans the most common 1000 ports on your localhost. After running the command, you should see output similar to this. The output tells us which ports are open on our system. For example, port 22 is typically used for SSH (Secure Shell), which is a protocol for securely accessing a remote computer, and port 80 is used for HTTP (web services). Keep in mind that your output might show different open ports depending on the services running on your system.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-30 15:45 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

For our next exercise, we need a service to scan. We'll create a simple service using netcat, which is a versatile networking utility. This service will listen on port 8888. Run the following command:

nc -lk 8888 &

Let's break down this command. The -l option tells netcat to listen for incoming connections. The -k option makes netcat keep listening even after a client disconnects. The & at the end runs the command in the background, so you can continue using the terminal for other tasks.

To verify that the service is running, we can use the following command:

netstat -tuln | grep 8888

This command lists all the network connections and filters the output to show only the information related to port 8888. If the service is running, you should see output similar to this:

tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN

This output confirms that our mock service is running and listening on port 8888.

Exploring Nmap Port Scanning Techniques

Nmap is a powerful tool in the field of cybersecurity, especially when it comes to port scanning. Port scanning is a method used to discover which ports on a target system are open and what services might be running on those ports. Different types of port scanning techniques exist, each with its own unique advantages and specific use cases. In this step, we'll explore some of these techniques by scanning our mock service.

First, let's perform a basic TCP connect scan specifically targeting our port 8888. A TCP connect scan is a straightforward way to check if a port is open. It works by attempting to establish a full TCP connection to the target port. If the connection is successful, the port is considered open.

nmap -p 8888 localhost

In this command, the -p option is used to specify which port(s) we want to scan. Here, we're telling Nmap to scan port 8888 on the localhost, which refers to the current machine. After running this command, you should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-30 15:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE
8888/tcp open  sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

This output confirms that our port 8888 is open. Nmap has also identified the service name associated with this port according to its internal database.

Now, let's try a SYN scan. A SYN scan is a stealthier approach compared to the TCP connect scan. It doesn't complete the full TCP connection, which makes it less likely to be detected by intrusion detection systems.

sudo nmap -sS -p 8888 localhost

The -sS option specifies that we want to perform a SYN scan. This type of scan requires root privileges because it involves sending raw network packets, which is a low - level operation. That's why we use the sudo command. The output should be similar to the previous scan:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-30 15:55 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE
8888/tcp open  sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Next, let's try a UDP scan. UDP (User Datagram Protocol) is a different type of network protocol compared to TCP. While TCP provides a reliable, connection - oriented service, UDP is a connectionless protocol. We'll use a UDP scan to check if port 8888 is open for UDP traffic.

sudo nmap -sU -p 8888 localhost

The -sU option specifies a UDP scan. UDP scans can be more time - consuming than TCP scans because UDP doesn't have the same built - in acknowledgment mechanism as TCP, so Nmap has to wait longer to determine if a port is open or closed. The output might look like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-30 16:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE  SERVICE
8888/udp closed sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Notice that the UDP port is shown as closed. This is expected because our netcat service is listening for TCP connections, not UDP.

Finally, let's perform a service version detection scan. This type of scan helps us identify what specific service and its version are running on a particular port.

nmap -sV -p 8888 localhost

The -sV option tells Nmap to perform service/version detection. It tries to send specific probes to the open ports and analyze the responses to determine the service and its version. The output might look like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-30 16:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE VERSION
8888/tcp open  http    Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 6.51 seconds

The version detection might not accurately identify our netcat service as a genuine application, but it demonstrates how Nmap tries to determine what's running on open ports.

Let's save our findings to a file for future reference. Saving the scan results allows us to review them later, share them with others, or use them for further analysis.

nmap -p 8888 localhost > /home/labex/project/nmap_scan_results.txt

In this command, the > symbol is used to redirect the output of the Nmap scan to a file named nmap_scan_results.txt located in the /home/labex/project directory.

You can view the saved results with:

cat /home/labex/project/nmap_scan_results.txt

The cat command is used to display the contents of a file.

This concludes our exploration of different Nmap port scanning techniques.

Understanding Timing and Performance Templates

When you're conducting Nmap scans, timing plays a crucial role. If your scans are too aggressive, they might be detected by intrusion detection systems (IDS). An IDS is a security tool that monitors network traffic for suspicious activity. Aggressive scans can also overwhelm the target system, causing it to malfunction or become unresponsive. On the other hand, if your scans are too slow, they might take an impractical amount of time to complete, which isn't efficient, especially when you have a large number of targets to scan.

Nmap provides timing templates that give you control over the speed and aggressiveness of your scans. These templates range from T0 (paranoid) to T5 (insane). The higher the number, the faster and more aggressive the scan will be.

Here's a detailed breakdown of the timing templates:

-T0 (Paranoid): This is an extremely slow timing template. It's mainly used when you want to evade intrusion detection systems. By sending requests very slowly, it's less likely to trigger any alarms in the IDS.
-T1 (Sneaky): Similar to the paranoid template, it's also slow and used for IDS evasion. It sends requests at a slightly faster pace than the paranoid template but still slow enough to avoid detection.
-T2 (Polite): This template slows down the scan to use less bandwidth and resources on the target machine. It's a good choice when you don't want to cause any disruption to the target system.
-T3 (Normal): This is the default Nmap timing template. It strikes a balance between speed and reliability, suitable for most general - purpose scans.
-T4 (Aggressive): This template speeds up the scan, assuming that you're working on a reasonably fast and reliable network. It sends requests more quickly, which can reduce the overall scan time.
-T5 (Insane): This is a very aggressive timing template. It assumes that you have an extraordinarily fast network. It sends requests at a very high rate, which can significantly reduce the scan time but also increases the risk of being detected.

Let's start by trying a scan with the default timing template (T3). We'll use the time command to measure how long the scan takes. The time command is a useful tool that shows you how much real - time, user - time, and system - time a command takes to execute.

time nmap -T3 -p 8888 localhost

After running this command, you should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-30 16:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE
8888/tcp open  sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

real    0m0.115s
user    0m0.033s
sys     0m0.015s

Now, let's try a more aggressive timing template (T4). We'll use the same time command to measure the scan time.

time nmap -T4 -p 8888 localhost

You might notice that the scan completes slightly faster. Here's an example of what the output might look like:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-30 16:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE
8888/tcp open  sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

real    0m0.105s
user    0m0.032s
sys     0m0.014s

To see a more noticeable difference in scan time, let's try scanning all ports with both T3 and T4 templates.

time nmap -T3 -p- --max-retries 0 localhost | grep "open" > /dev/null

The -p- option tells Nmap to scan all 65535 ports on the target system. The --max - retries 0 option reduces the number of retries for each port scan, which helps to speed up the scan. We're redirecting the output to grep to filter out only the lines that contain the word "open", and then redirecting the result to /dev/null so that we can focus on the timing of the scan.

time nmap -T4 -p- --max-retries 0 localhost | grep "open" > /dev/null

You should notice a more significant difference in scan time with these comprehensive scans.

Now, as requested in the original lab, let's save a stealthy scan result to a file. We'll use the T4 timing template to balance speed and reliability.

nmap -T4 -p 8888 localhost > /home/labex/project/nmap_stealthy_scan.txt

You can view the saved results using the cat command:

cat /home/labex/project/nmap_stealthy_scan.txt

The T4 timing template is a good choice for most scenarios as it balances speed and reliability. When conducting security assessments, it's important to adjust the timing template based on your specific requirements and constraints, such as network speed, the sensitivity of the target system, and the risk of detection.

Output Formats and Scan Results Analysis

Nmap offers multiple output formats, which are extremely useful for various purposes. For instance, they can be used for documentation to record your scan results, for further in - depth analysis, or for integrating with other security tools. In this step, we'll take a closer look at these output formats and learn how to analyze the scan results effectively.

Nmap supports the following main output formats:

Normal output (default): This is a human - readable text format. It presents the scan results in a way that is easy for you to understand at a glance, similar to a report.
XML output (-oX): XML is a structured format. It arranges the data in a hierarchical and organized manner, which is very convenient for programs to parse and process.
Greppable output (-oG): This format is designed to be easily parsed using tools like grep and other text - processing utilities. It has a specific structure that makes it straightforward to extract relevant information.
All formats (-oA): When you use this option, Nmap will save the scan results in normal, XML, and greppable formats simultaneously. This is useful when you want to have all types of outputs for different needs.

Let's try each of these formats one by one:

First, we'll save a scan in the normal format. The following command will scan port 8888 on the localhost and save the results in a text file:

nmap -p 8888 localhost -oN /home/labex/project/normal_output.txt

Now, let's save a scan in the XML format. This command will perform the same scan on port 8888 of localhost and save the results in an XML file:

nmap -p 8888 localhost -oX /home/labex/project/xml_output.xml

Next, we'll save a scan in the greppable format. The command below will scan port 8888 on localhost and save the results in a file that can be easily parsed by grep:

nmap -p 8888 localhost -oG /home/labex/project/grep_output.txt

Finally, let's save a scan in all formats. The following command will create three files with different formats for the same scan on port 8888 of localhost:

nmap -p 8888 localhost -oA /home/labex/project/all_formats

This will create three files: all_formats.nmap, all_formats.xml, and all_formats.gnmap.

Now, let's examine each of these files to understand the differences in their formats.

To view the normal output, we use the cat command:

cat /home/labex/project/normal_output.txt

You should see the standard Nmap output, which is easy for humans to read. Here is an example of what it might look like:

## Nmap 7.80 scan initiated Mon Oct 30 16:45:00 2023 as: nmap -p 8888 -oN /home/labex/project/normal_output.txt localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).

PORT     STATE SERVICE
8888/tcp open  sun-answerbook

## Nmap done at Mon Oct 30 16:45:00 2023 -- 1 IP address (1 host up) scanned in 0.04 seconds

To view the XML output, we also use the cat command:

cat /home/labex/project/xml_output.xml

This format is structured for easy parsing by programs. Here is an example of the XML output:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -p 8888 -oX /home/labex/project/xml_output.xml localhost" start="1698684307" startstr="Mon Oct 30 16:45:07 2023" version="7.80" xmloutputversion="1.04">
<scaninfo type="connect" protocol="tcp" numservices="1" services="8888"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1698684307" endtime="1698684307"><status state="up" reason="conn-refused" reason_ttl="0"/>
<address addr="127.0.0.1" addrtype="ipv4"/>
<hostnames>
<hostname name="localhost" type="user"/>
<hostname name="localhost" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="8888"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="sun-answerbook" method="table" conf="3"/></port>
</ports>
<times srtt="100" rttvar="5000" to="100000"/>
</host>
<runstats><finished time="1698684307" timestr="Mon Oct 30 16:45:07 2023" elapsed="0.04" summary="Nmap done at Mon Oct 30 16:45:07 2023; 1 IP address (1 host up) scanned in 0.04 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

To view the greppable output, we use the cat command again:

cat /home/labex/project/grep_output.txt

This format is designed to be easily parsed with tools like grep. Here is an example of the greppable output:

## Nmap 7.80 scan initiated Mon Oct 30 16:45:15 2023 as: nmap -p 8888 -oG /home/labex/project/grep_output.txt localhost
Host: 127.0.0.1 (localhost)	Status: Up
Host: 127.0.0.1 (localhost)	Ports: 8888/open/tcp//sun-answerbook///
## Nmap done at Mon Oct 30 16:45:15 2023 -- 1 IP address (1 host up) scanned in 0.04 seconds

Let's practice using grep to extract specific information from the greppable output. The following command will show all lines with open ports:

grep "open" /home/labex/project/grep_output.txt

The output should be:

Host: 127.0.0.1 (localhost)	Ports: 8888/open/tcp//sun-answerbook///

You can also use more complex filters. The following command extracts just the port number of open ports:

grep -E "Ports:.*open" /home/labex/project/grep_output.txt | cut -d':' -f3 | cut -d'/' -f1

The output will be:

These different output formats allow you to integrate Nmap scan results with other tools and workflows, making it a versatile addition to your security toolkit.

Summary

In this lab, you have learned the fundamentals of Nmap, a powerful network scanning and security assessment tool. You began by mastering basic Nmap usage, such as scanning hosts and identifying open ports. Subsequently, you explored various port - scanning techniques like TCP connect scans, SYN scans, and UDP scans, each with unique advantages and use cases.

You also practiced using timing templates to balance scan speed and stealth. Finally, you learned to save scan results in different formats and analyze them with text - processing tools. These skills form a basis for network discovery, security assessment, and vulnerability identification. Nmap is crucial for network administrators, security professionals, and ethical hackers. Remember to use these tools responsibly and ethically, and always obtain proper authorization before scanning unfamiliar networks or systems.