Learn Basic Nmap Scanning Techniques

Introduction

In this lab, you will learn about Nmap, a crucial tool for network discovery and security auditing. Widely used by network administrators and security professionals, Nmap helps identify open ports, detect running services, and uncover potential network vulnerabilities.

In this lab, you will also learn basic Nmap scanning techniques. Understanding network configurations through scanning is a fundamental cybersecurity skill. By the end, you'll be able to run basic Nmap scans and interpret their output, laying a solid foundation for advanced network security tasks.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/basic_syntax("Basic Command Syntax") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") wireshark/WiresharkGroup -.-> wireshark/interface("Interface Overview") subgraph Lab Skills nmap/installation -.-> lab-415929{{"Learn Basic Nmap Scanning Techniques"}} nmap/basic_syntax -.-> lab-415929{{"Learn Basic Nmap Scanning Techniques"}} nmap/port_scanning -.-> lab-415929{{"Learn Basic Nmap Scanning Techniques"}} nmap/target_specification -.-> lab-415929{{"Learn Basic Nmap Scanning Techniques"}} wireshark/interface -.-> lab-415929{{"Learn Basic Nmap Scanning Techniques"}} end

Setting Up a Web Server for Scanning

In this step, we're going to set up a simple web server using Docker. Docker is a powerful platform that lets you package applications along with all their dependencies into standardized units called containers. These containers can be easily deployed and run on different systems. By setting up this web server, we'll have a target to scan with Nmap in the upcoming steps.

1. Navigating to the Working Directory

First, open a terminal window. The terminal is a command - line interface where you can enter commands to interact with your system. Once the terminal is open, you need to navigate to the project directory. This directory will serve as your working area for this lab.

To navigate to the project directory, use the cd command. The cd command stands for "change directory". Here's the command you need to run:

cd /home/labex/project

2. Creating a Dockerfile

A Dockerfile is a crucial part of building Docker images. It's a text document that contains a series of commands that Docker uses to build an image. In this case, we're going to create a Dockerfile for a simple web server based on Nginx, which is a popular web - server software.

To create a new file named Dockerfile, we'll use the nano text editor. nano is a simple and user - friendly text editor that you can use directly in the terminal. Run the following command:

nano Dockerfile

After running this command, the nano editor will open, and you can start adding content to the Dockerfile. Add the following lines to the file:

## Use the nginx image as the base
FROM nginx

## Expose port 80
EXPOSE 80

The FROM command tells Docker to use the nginx image as the base for our new image. The EXPOSE command indicates that the container will listen on port 80.

To save the file, press Ctrl+O and then Enter. To exit the editor, press Ctrl+X.

3. Building the Docker Image

Now that we have our Dockerfile ready, we can build the Docker image. An image is like a blueprint that contains all the necessary files and configurations needed to run an application.

To build the image, run the following command:

docker build -t cyber-seed-portal .

In this command, the -t flag is used to tag the image. We're tagging our image as "cyber - seed - portal". The . at the end of the command tells Docker to use the current directory as the build context.

When you run this command, Docker will start the build process, and the output will look something like this:

Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM nginx
latest: Pulling from library/nginx
a803e7c4b030: Pull complete
8b625c47d697: Pull complete
4d3239651a63: Pull complete
0f816efa513d: Pull complete
01d159b8db2f: Pull complete
5fb9a81470f3: Pull complete
Digest: sha256:32da30332506740a2f7c34d5dc70467b7dfe6c23451f6c66c84eeb3cdadab213
Status: Downloaded newer image for nginx:latest
 ---> 61395b4c586d
Step 2/2 : EXPOSE 80
 ---> Running in 1c2d5e2a8e7f
Removing intermediate container 1c2d5e2a8e7f
 ---> 7683abcf62b0
Successfully built 7683abcf62b0
Successfully tagged cyber-seed-portal:latest

4. Running the Docker Container

Once the image is built, we can create and run a container from it. A container is a running instance of an image.

To run a container, use the following command:

docker run --name cyber-seed-server -d -p 8080:80 cyber-seed-portal

Let's break down this command:

--name cyber-seed-server: This gives the container the name "cyber - seed - server". Naming the container makes it easier to manage and identify.
-d: This runs the container in detached mode, which means the container will run in the background, and you can continue using the terminal for other tasks.
-p 8080:80: This maps port 8080 of your machine to port 80 of the container. So, when you access port 8080 on your machine, it will be redirected to port 80 inside the container.
cyber-seed-portal: This specifies the image that the container will be based on.

When you run this command, the output will be a container ID, something like:

3a7b1a23c3c5d17b3e4b3e5e6f7g8h9i

You've now successfully set up a web server running in a Docker container. You can access this server at http://localhost:8080. This server will be the target for your Nmap scans in the next steps.

Discovering Open Ports with Nmap

In this step, we're going to use Nmap to find out which ports are open on your local machine. Understanding open ports is a basic yet crucial skill in network security. Ports are like doors to a computer on a network. Each port can be used by different services, and knowing which ports are open helps us figure out what services are accessible on the network.

Understanding Nmap

Nmap, which stands for Network Mapper, is a free and open - source tool. It's mainly used for network discovery and security auditing. Think of it as a detective for your network. System and network administrators often use Nmap to keep track of what's on their network, plan when to upgrade services, and check if hosts or services are up and running.

Scanning for Open Ports

Now, we'll use Nmap to scan your localhost, which has the IP address 127.0.0.1, to find open ports. The -p- option in Nmap is like telling it to check every single possible door (port) on your computer. There are a total of 65535 TCP ports, and this option makes Nmap look at all of them.

Run the following command in your terminal:

nmap -p- localhost

This command will take some time to finish because it's scanning a large number of ports. Once it's done, the output will look something like this:

Starting Nmap 7.80  at 2024-03-15 10:59 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
3000/tcp  open  ppp
3001/tcp  open  nessus
3002/tcp  open  exlm-agent
8080/tcp  open  http-proxy
36921/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

Understanding the Scan Results

The scan results give us a lot of useful information about your machine. Let's break down the columns:

PORT: This column shows the port number and the protocol, which in this case is TCP. The port number is like the specific address of a door on your computer, and TCP is the way data is sent through that door.
STATE: This column tells us whether the port is open, closed, or filtered. An open port means that a service is listening on that port and ready to accept connections. A closed port means there's no service listening. A filtered port might be blocked by a firewall.
SERVICE: This column shows the common service that usually uses that port.

In the scan results, you should see port 8080/tcp listed as open. In the previous step, we mapped this port to our Docker container. The "http - proxy" service indicates that this port is commonly used for HTTP proxy services, but in our situation, it's being used by the Nginx web server.

Other open ports you might see include:

Port 22 (SSH): This port is used for secure remote access. It allows you to connect to your computer from another location in a secure way.
Port 3000 - 3002: These ports are used by various services. They might be related to development environments or other applications running on your machine.
Port 36921: This is an unknown service. It could be a custom service or something that Nmap can't immediately identify.

Now that you've found the open ports on your machine, you've successfully completed your first Nmap scan. In the next steps, we'll learn more advanced Nmap scanning techniques.

Service Version Detection with Nmap

In this step, we'll explore how to use Nmap's service version detection capabilities. This is a powerful feature that helps us figure out which services are running on the open ports of a target system. Understanding the services and their versions is crucial for security assessments and network management.

Understanding Service Version Detection

Just knowing that a port is open gives us some basic information. However, identifying the specific service and its version provides much more valuable insights. Different versions of services can have different security vulnerabilities. For example, an older version of a web server might have known security flaws that have been fixed in newer releases. By knowing the service version, we can check if there are any known vulnerabilities and take appropriate actions to secure our network.

Performing a Service Version Scan

Nmap provides the -sV option to enable service version detection. When you use this option, Nmap will send special probes to the open ports on the target system. These probes are designed to gather information about the services running on those ports, such as the service name and its version.

Let's run a service version scan on your localhost. The localhost refers to your own computer. To do this, execute the following command in your terminal:

nmap -sV localhost

This command tells Nmap to perform a service version scan on your local machine. After running the command, Nmap will start sending probes to the open ports on your localhost and collect information about the services running on them.

The output of the command will look something like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-15 11:30 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
3000/tcp open  ppp?
3001/tcp open  nessus?
3002/tcp open  ssl/nessus?
8080/tcp open  http        nginx 1.23.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.94 seconds

Understanding the Service Version Scan Results

The output of the service version scan provides detailed information about the services running on each open port. Let's break down the important parts:

Port 22: The output shows that port 22 is open and running the SSH (Secure Shell) service. The specific version is OpenSSH 8.2p1, which is running on an Ubuntu system. SSH is a protocol used for secure remote access to a computer.
Port 8080: This port is open and running the HTTP service, specifically the Nginx web server version 1.23.4. Nginx is a popular web server used to serve web pages.

For ports 3000 - 3002, you'll notice question marks next to the service names. This means that Nmap was unable to determine the exact services running on these ports with certainty. In such cases, further investigation might be required. You could use other tools or techniques to gather more information about these services.

This detailed information about the service versions is extremely valuable for security assessments. You can use this information to check if the specific service versions have any known vulnerabilities. For example, if you find that you're running an older version of Nginx, you can look up if there are any security issues associated with that version and consider upgrading to a newer, more secure version.

By using Nmap's service version detection, you've gone beyond just identifying open ports. You now have a deeper understanding of the network services running on your system, which is essential for maintaining a secure and well - managed network.

OS Detection with Nmap

In this step, we're going to learn how to use Nmap's operating system detection feature. But first, let's understand why this is important. Knowing the operating system running on a target machine is like having a key piece of information for network administrators and security professionals. It helps them understand the potential vulnerabilities and security risks associated with that machine.

Understanding OS Detection

Operating system detection is a more advanced feature of Nmap. When you use this feature, Nmap sends special packets to the target machine and analyzes the responses it gets back. Based on these responses, Nmap makes an educated guess about the operating system running on the target. Different operating systems have different ways of handling network requests, and Nmap uses these differences to figure out what's running on the other end. This information is crucial for security assessments because different operating systems have different sets of vulnerabilities. For example, an older version of Windows might have known security holes that a newer Linux distribution doesn't have.

Performing an OS Detection Scan

To perform an operating system detection scan, we'll use the -O option in Nmap. However, this feature requires root privileges because it involves sending certain types of network packets that normal users aren't allowed to send. So, we'll need to use sudo to run the command with administrative privileges.

Run the following command in your terminal:

sudo nmap -O localhost

When you run this command, you might be prompted to enter your sudo password. This is a security measure to make sure that only authorized users can perform actions with administrative privileges. After you enter your password, Nmap will start the scan.

The output will look similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-15 12:00 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
3001/tcp open  nessus
3002/tcp open  ssl/nessus
8080/tcp open  http-proxy
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds

Understanding the OS Detection Results

The OS detection results give us a lot of useful information about the target's operating system. Let's break down the different parts of the results:

Device type: This tells us the general category of the device. For example, it could be a general-purpose computer, a router, or a printer. In our case, it says "general purpose," which means it's likely a regular computer.
Running: This shows the detected operating system family and the version range. Here, it says "Linux 4.X|5.X," which means Nmap has detected that the machine is running a Linux operating system with a kernel version in the 4.X or 5.X range.
OS CPE: This stands for Common Platform Enumeration. It provides standardized identifiers for the operating system, which can be used for further research and vulnerability analysis.
OS details: This gives us more specific information about the operating system version. In our example, it says "Linux 4.15 - 5.6," which means the kernel version is between 4.15 and 5.6.
Network Distance: This indicates how many network hops away the target is. Since we're scanning localhost, which is the local machine itself, the network distance is 0 hops.

In this case, Nmap has correctly identified that the machine is running Linux, specifically a kernel version between 4.15 and 5.6.

This information is extremely useful in security assessments. By knowing the operating system version, security professionals can look up known vulnerabilities associated with that version and take appropriate measures to secure the system. It's also valuable for network inventory and management, as it helps keep track of what operating systems are running on different machines in the network.

By using Nmap's OS detection feature, you've expanded your understanding of the target system beyond just knowing which ports are open and what services are running. You now have a better idea of the underlying operating system, which is a crucial piece of information for network security and management.

Script Scanning with Nmap

In this final step, we're going to explore Nmap's scripting engine (NSE). The NSE is a really important part of Nmap that makes it even more useful. It lets users write and share scripts to automate different networking tasks. This means you can use scripts to do things faster and more efficiently than doing them manually.

Understanding Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is one of the most powerful and flexible features of Nmap. Think of it as a toolbox that gives you extra tools to work with networks. You can write scripts in the Lua programming language. Lua is a simple and easy - to - learn language, which makes it great for writing these kinds of scripts.

These scripts can be used for many different purposes:

Network discovery: This helps you find out what devices are on a network.
Version detection: You can figure out what versions of software are running on a device.
Vulnerability detection: It can find security weaknesses in a system.
Backdoor detection: Helps you find hidden ways that attackers could use to access a system.
Vulnerability exploitation: Although this should be done in a legal and ethical testing environment, it can show how an attacker might take advantage of a vulnerability.

Nmap comes with a bunch of pre - written scripts. These scripts are organized into libraries based on what they do. So, if you want to do a certain task, you can easily find the right script in the relevant library.

Performing a Basic Script Scan

To start with a basic script scan, we'll use the -sC option. This option tells Nmap to run a default set of scripts. These default scripts are designed to be safe and non - intrusive. That means they won't cause any harm to the target system while they're doing their job.

Let's run the following command:

nmap -sC localhost

When you run this command, Nmap will start scanning your local machine. It will use the default scripts to gather information about the open ports and the services running on them. The output will look something like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-15 12:30 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey:
|   3072 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef (RSA)
|   256 fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10 (ECDSA)
|_  256 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef (ED25519)
3000/tcp open  ppp
3001/tcp open  nessus
3002/tcp open  ssl/nessus
8080/tcp open  http-proxy
|_http-title: Welcome to nginx!

Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds

Running a Specific Script

If you want to run a particular script, you can use the --script option. After this option, you need to specify the name of the script or the category it belongs to.

For example, let's say you want to get the title of a web page. There's a script called http - title that can do this for you. To run this script, use the following command:

nmap --script=http-title -p 8080 localhost

This command tells Nmap to run the http - title script on port 8080 of your local machine. The output will look like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-15 12:35 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy
|_http-title: Welcome to nginx!

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Understanding the Script Scan Results

The results from the script scan give you more detailed information about the services running on the open ports.

For the SSH service on port 22, the ssh - hostkey script retrieved the host keys. These keys are important for secure communication over SSH.
For the HTTP service on port 8080, the http - title script fetched the title of the web page, which is "Welcome to nginx!".

This kind of information is very useful for security assessments. It helps you understand how the services on the target system are configured and how they behave.

By using Nmap's scripting engine, you've explored one of its most powerful features. This feature can save you a lot of time and effort when it comes to network discovery and security assessment tasks.

Cleaning Up

Now that you've finished all the scanning steps, it's time to clean up. Earlier in the lab, you created a Docker container. We need to stop and remove this container to keep your system clean.

Run the following command:

docker stop cyber-seed-server && docker rm cyber-seed-server

This command first stops the running Docker container named cyber - seed - server. Then it removes the container from your system.

Congratulations! You have successfully completed all the steps in this lab. You've gained valuable hands - on experience with different Nmap scanning techniques.

Summary

In this lab, you have learned the fundamentals of network scanning using Nmap, a popular and powerful cybersecurity tool. You set up a Docker container as a scan target, creating a practical environment to apply your new skills.

You progressed through a series of advanced Nmap scanning techniques, starting with a basic port scan on your local machine. You then learned service version detection, OS detection, and used Nmap's scripting engine to automate tasks and gather more target information. These skills are the foundation of network security assessments, crucial for network administrators and security professionals. Mastering these Nmap techniques gives you a powerful tool for real - world scenarios, from network inventory to security assessments.