Как сканировать несколько IP-адресов одновременно с использованием Nmap в области кибербезопасности

Introduction

In the field of cybersecurity, understanding your network infrastructure is essential for maintaining security. Nmap (Network Mapper) is a widely-used open-source tool that enables security professionals to discover hosts and services on computer networks. This tutorial will guide you through the process of using Nmap to scan multiple IP addresses simultaneously, allowing you to efficiently map your network and identify potential security issues.

By the end of this lab, you will understand how to install Nmap, perform basic scans, target multiple IP addresses using different techniques, and interpret the results. These skills form a fundamental part of network reconnaissance in cybersecurity assessments and are valuable for both defensive and offensive security operations.

Installing Nmap and Performing Your First Scan

In this first step, we will install Nmap on our Ubuntu system and perform a basic scan to verify it works correctly.

Installing Nmap

Nmap is available in the Ubuntu repositories, making it easy to install. Open a terminal and run the following commands:

## Update the package lists
sudo apt update

## Install Nmap
sudo apt install nmap -y

This command will download and install Nmap along with any required dependencies. Let's verify the installation was successful by checking the Nmap version:

nmap --version

You should see output similar to this:

Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f libssh2-1.8.0 libz-1.2.11 libpcre-8.39
Compiled without: nmap-update npcap ipv6
Available nsock engines: epoll poll select

Understanding Nmap Basic Syntax

The basic syntax for Nmap is:

nmap [scan type] [options] [target]

Where:

• [scan type] specifies the type of scan to perform (e.g., TCP SYN scan)
• [options] are additional parameters to customize the scan
• [target] is the host or network to scan

Your First Scan: Scanning the Local Machine

Let's start with a simple scan of your local machine. This is a safe way to test Nmap without scanning external networks:

nmap localhost

This command scans the most common 1000 TCP ports on your local machine. You should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-23 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

The output shows:

• The scan start time
• The target being scanned
• Host status (up or down)
• Open ports with their service names
• Scan statistics

Note that the exact open ports you see may differ based on your system configuration.

Understanding Port States

Nmap categorizes ports into different states:

• open: An application is actively accepting connections on this port
• closed: The port is accessible but no application is listening on it
• filtered: Nmap cannot determine if the port is open because a firewall is blocking access
• unfiltered: The port is accessible but Nmap cannot determine if it is open or closed
• open|filtered: Nmap cannot determine if the port is open or filtered
• closed|filtered: Nmap cannot determine if the port is closed or filtered

In your scan results, most ports will likely be listed as "closed," with a few "open" ports for services running on your system.

Scanning Multiple IP Addresses Using Different Methods

Now that we have Nmap installed and have performed our first scan, let's explore different ways to scan multiple IP addresses simultaneously. This is particularly useful for network administrators and security professionals who need to assess multiple systems efficiently.

Method 1: Using IP Ranges

One of the easiest ways to scan multiple IP addresses is by specifying an IP range. Let's create a small virtual network to scan safely.

First, let's see our current network interfaces:

ip addr show

Now, we'll scan a range of IP addresses on our local network. For demonstration purposes, we'll use a small range:

nmap 127.0.0.1-5

This command scans 5 IP addresses: 127.0.0.1, 127.0.0.2, 127.0.0.3, 127.0.0.4, and 127.0.0.5. You'll see output for each host that responds to the scan. Typically, only 127.0.0.1 (localhost) will respond.

Method 2: Using CIDR Notation

Another common method to specify multiple targets is using CIDR (Classless Inter-Domain Routing) notation, which is a concise way to specify IP address ranges.

Let's scan the local loopback range:

nmap 127.0.0.0/24

This command scans 256 IP addresses from 127.0.0.0 to 127.0.0.255. The /24 indicates that the first 24 bits of the IP address are fixed, while the last 8 bits vary.

To make the scan faster and focus just on finding active hosts without port scanning, we can use the -sn option:

nmap -sn 127.0.0.0/24

This performs a ping scan which only determines if hosts are online, without scanning their ports. You should see output like:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-23 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 2.66 seconds

Method 3: Using a List of IP Addresses

For specific non-sequential IP addresses, you can create a file containing the targets and use the -iL option.

Let's create a file with a few IP addresses:

echo "127.0.0.1
127.0.0.2
127.0.0.5" > targets.txt

Now, scan these specific targets:

nmap -iL targets.txt

This command reads the IP addresses from the targets.txt file and scans each one.

Method 4: Combining Multiple Target Specifications

Nmap allows you to combine different targeting methods in a single command. For example:

nmap 127.0.0.1 127.0.0.5-10 127.0.0.0/29

This command scans:

• The single IP address 127.0.0.1
• The IP range from 127.0.0.5 to 127.0.0.10
• The CIDR range 127.0.0.0/29 (which includes 127.0.0.0 to 127.0.0.7)

Optimizing Scan Speed

When scanning multiple targets, scan time can increase significantly. Nmap provides options to control scan timing and increase efficiency:

nmap -T4 127.0.0.0/24

The -T4 option sets an "aggressive" timing template, which speeds up the scan. Timing templates range from 0 (paranoid) to 5 (insane), with higher values resulting in faster but potentially less reliable scans. For routine scans, -T4 offers a good balance between speed and reliability.

Understanding Nmap Output and Saving Results

When conducting network scans, it's important to understand how to interpret the results and save them for further analysis or reporting. In this step, we'll explore different Nmap output formats and how to save scan results.

Understanding Detailed Nmap Output

Let's perform a more detailed scan of localhost to better understand Nmap's output:

nmap -v localhost

The -v option enables verbose output, providing more information about the scan. You should see output similar to:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-23 10:30 UTC
Initiating Ping Scan at 10:30
Scanning localhost (127.0.0.1) [2 ports]
Completed Ping Scan at 10:30, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 10:30
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Completed Connect Scan at 10:30, 0.02s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

This output provides:

• The scan progress
• Each open port discovered in real-time
• The final scan report with open ports and services
• Timing statistics

Saving Scan Results to Files

Nmap can save results in several formats, which is useful for documentation, further analysis, or sharing with team members.

Normal Output Format

To save the scan results in Nmap's standard output format:

nmap localhost -oN normal_output.txt

This creates a file named normal_output.txt with the scan results in the same format as displayed in the terminal.

XML Output Format

XML output is useful for programmatic processing of scan results:

nmap localhost -oX xml_output.xml

This creates an XML file that can be parsed by other tools or scripts.

Grepable Output Format

For easy parsing with command-line tools like grep:

nmap localhost -oG grep_output.txt

This format is especially useful for quickly extracting specific information using tools like grep.

All Formats at Once

To save the output in all three formats simultaneously:

nmap localhost -oA scan_results

This creates three files: scan_results.nmap, scan_results.xml, and scan_results.gnmap.

Viewing Saved Results

Let's examine one of the saved output files:

cat normal_output.txt

You should see the Nmap scan results that were previously saved to this file.

Combining Output Options with Multiple IP Scanning

Now let's combine what we've learned by scanning multiple IPs and saving the results:

nmap 127.0.0.1-5 -oN multiple_hosts.txt

This command scans 5 IP addresses and saves the results to multiple_hosts.txt.

Let's examine these results:

cat multiple_hosts.txt

You'll see the scan results for all the specified IP addresses. Typically, only 127.0.0.1 will show as "up" with open ports in this example.

Adding Service Version Detection

To gather more information about the services running on open ports, we can use the -sV option:

nmap -sV localhost -oN service_scan.txt

This performs service version detection and saves the results to service_scan.txt.

Let's see what additional information this provides:

cat service_scan.txt

The output should now include version information for detected services, which is valuable for security assessments as specific versions may have known vulnerabilities.

Advanced Scanning Options for Network Assessment

Now that we understand the basics of Nmap and how to scan multiple targets, let's explore some advanced scanning options that are particularly useful for cybersecurity assessments.

Port Selection and Scan Types

By default, Nmap scans the most common 1000 TCP ports. However, you can customize which ports to scan.

Scanning Specific Ports

To scan specific ports:

nmap -p 22,80,443 localhost

This command scans only ports 22, 80, and 443.

To scan a range of ports:

nmap -p 20-25 localhost

This scans ports 20 through 25.

To scan all 65535 TCP ports:

nmap -p- localhost

Note that scanning all ports takes significantly longer.

Using Different Scan Types

Nmap supports various scan techniques. The default is a TCP SYN scan (-sS), but this requires root privileges. Without root privileges, Nmap uses a TCP connect scan (-sT).

Let's try a TCP connect scan explicitly:

nmap -sT localhost

For a more stealthy scan (requires root privileges):

sudo nmap -sS localhost

To scan UDP ports (which is often overlooked but important for security):

sudo nmap -sU -p 53,161,162 localhost

This scans UDP ports 53 (DNS), 161 and 162 (SNMP).

OS Detection and Version Scanning

For more comprehensive information, let's combine OS detection and service version scanning:

sudo nmap -sS -O -sV localhost

The -O option attempts to identify the operating system of the target. This provides valuable information for security assessments, as different operating systems may have different vulnerabilities.

Let's break down what each option does:

• -sS: Performs a SYN scan (requires root)
• -O: Attempts to identify the target's operating system
• -sV: Probes open ports to determine service/version info

The output will include detailed information about the operating system and service versions running on the target.

Using Nmap Scripts

Nmap includes a powerful Nmap Scripting Engine (NSE) that can perform a wide range of tasks, from advanced service detection to vulnerability scanning.

Let's run a basic script that checks for commonly exposed services:

nmap --script=default localhost

For a more security-focused scan:

nmap --script=vuln localhost

This runs vulnerability detection scripts against the target, which can identify common security issues.

Timing and Performance Options

When scanning multiple targets, optimizing scan performance becomes crucial. We've already seen the -T option, but there are more granular controls available.

nmap -T4 --max-rtt-timeout 200ms --min-rate 1000 127.0.0.1/24

This command:

• Uses the "aggressive" timing template (-T4)
• Sets the maximum round-trip timeout to 200ms
• Sets a minimum rate of 1000 packets per second

These settings can significantly speed up scans of multiple hosts, though they may be less reliable on congested or high-latency networks.

Combining Everything for a Comprehensive Scan

Let's combine multiple techniques for a comprehensive scan of our local network:

sudo nmap -sS -sV -O -p 1-1000 --script=default -T4 -oA comprehensive_scan 127.0.0.1

This command performs:

• A SYN scan
• Service version detection
• OS detection
• Scans ports 1-1000
• Runs default scripts
• Uses aggressive timing
• Saves results in all formats with the prefix "comprehensive_scan"

Let's examine the results:

cat comprehensive_scan.nmap

This comprehensive scan provides a wealth of information about the target system, including open ports, running services, service versions, and potential vulnerabilities.

Ethical Considerations and Best Practices

Before concluding, it's important to emphasize that Nmap should only be used on networks where you have explicit permission to scan. Unauthorized scanning can be illegal and may be perceived as a hostile action.

Some best practices to follow:

1. Always obtain permission before scanning any network or system
2. Use less aggressive scans when possible to minimize network impact
3. Be aware of the potential for false positives and false negatives
4. Document your scanning activities for reference and accountability
5. Respect privacy and confidentiality of the information discovered

Summary

In this lab, you have learned how to use Nmap to efficiently scan multiple IP addresses simultaneously, a crucial skill for network administrators and cybersecurity professionals. We covered:

1. Installing Nmap and performing basic scans to understand its core functionality
2. Various methods to specify multiple targets, including IP ranges, CIDR notation, and target lists
3. How to interpret and save scan results in different formats for further analysis
4. Advanced scanning techniques that provide deeper insights into network services and potential vulnerabilities

These skills form a foundation for network reconnaissance and security assessment. By efficiently scanning multiple IP addresses, you can quickly map a network, identify running services, and discover potential security weaknesses.

To further develop your Nmap skills, consider exploring:

• More specialized NSE scripts for focused security assessments
• Integration of Nmap with other security tools
• Automating scans with scripts for regular security monitoring
• Developing custom NSE scripts for specific scanning needs

Remember that network scanning tools like Nmap should always be used responsibly and ethically, with proper authorization to scan the target systems.