Learn Target Specification Techniques in Nmap

Introduction

In this lab, you will learn about Nmap, a powerful network scanning tool widely used by security professionals. The lab specifically focuses on target specification techniques in Nmap, which are crucial for defining the hosts and networks to be scanned.

Understanding these techniques is essential for effective network reconnaissance and security assessment. By the end of this lab, you will be able to use various methods to specify targets in Nmap and interpret the scan results effectively.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/basic_syntax("Basic Command Syntax") nmap/NmapGroup -.-> nmap/output_formats("Output Formats") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") subgraph Lab Skills nmap/installation -.-> lab-415935{{"Learn Target Specification Techniques in Nmap"}} nmap/basic_syntax -.-> lab-415935{{"Learn Target Specification Techniques in Nmap"}} nmap/output_formats -.-> lab-415935{{"Learn Target Specification Techniques in Nmap"}} nmap/port_scanning -.-> lab-415935{{"Learn Target Specification Techniques in Nmap"}} nmap/target_specification -.-> lab-415935{{"Learn Target Specification Techniques in Nmap"}} end

Installing and Exploring Nmap

In this step, we're going to make sure Nmap is installed correctly on your system and start exploring its basic functions. Nmap, short for Network Mapper, is an open - source tool. It's widely used for network discovery and security auditing. With Nmap, you can figure out which devices are connected to a network and what services those devices are offering. This is crucial in cybersecurity as it helps you understand the network landscape and identify potential security risks.

First, we need to check if Nmap is already installed on your system. To do this, we'll use the terminal. The terminal is a text - based interface where you can enter commands to interact with your computer. Open a terminal and run the following command:

nmap --version

This command asks the system to show the version of Nmap installed. If Nmap is installed correctly, you'll see output similar to this, which includes the Nmap version and build information:

Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1d nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Next, we want to understand how to specify targets for Nmap scans. Target specification is important because it tells Nmap which devices or networks you want to scan. To learn about this, we'll look at some basic Nmap documentation. Run the following command in the terminal:

nmap -h | grep -A 10 "TARGET SPECIFICATION"

This command first uses nmap -h to get the help text of Nmap. Then, it pipes the output to grep -A 10 "TARGET SPECIFICATION", which searches for the "TARGET SPECIFICATION" section in the help text and shows the next 10 lines. You'll see an explanation of different ways to specify targets for Nmap scans.

Now, we need a place to store the results of our Nmap scans. We'll create a directory for this purpose. A directory is like a folder on your computer where you can organize files. Run the following commands in the terminal:

mkdir -p /home/labex/project/nmap_scans
cd /home/labex/project/nmap_scans

The mkdir -p command creates a directory named nmap_scans in the /home/labex/project path. The -p option ensures that if any intermediate directories don't exist, they will be created as well. The cd command then changes the current working directory to the newly created nmap_scans directory.

Let's see Nmap in action by running a simple scan on your local machine. The local machine is the computer you're currently using. Run the following command:

nmap localhost > local_scan.txt

This command scans your local machine using Nmap. The > symbol redirects the output of the scan to a file named local_scan.txt. This way, we can save the scan results for later analysis.

Finally, let's look at the scan results. Run the following command:

cat local_scan.txt

The cat command displays the contents of the local_scan.txt file. You'll see a list of ports that Nmap scanned on your local machine. Along with the port numbers, you'll find information about which ports are open and what services might be running on those open ports. This information can help you understand the security status of your local machine.

Setting Up a Service and Scanning Specific Ports

In this step, we're going to learn how to start a local web server and then use a powerful tool called Nmap to find it by scanning specific ports. Understanding this process is crucial because it shows you how Nmap can be used to identify services that are currently running on a network or a machine.

First, we need to navigate to our project directory. This is where we'll set up our simple web server. Once we're in the right place, we'll start a Python HTTP server that will listen on port 8000. Port 8000 is a common port used for testing web servers. Here's the command to do that:

cd /home/labex/project/nmap_scans
python3 -m http.server 8000 &

The & at the end of the command is important. It runs the server in the background. This means that you can continue using the terminal for other tasks while the server is running. After you run the command, you should see some output indicating that the server has started successfully:

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Now that our server is running, we want to make sure it's actually listening on port 8000. We can use the lsof command, which stands for "list open files". This command helps us check what processes are currently using a specific port. Here's how we use it:

lsof -i :8000

If the server is running correctly, you should see output similar to this:

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
python3 12345 labex   4u  IPv4 123456      0t0  TCP *:8000 (LISTEN)

This output tells us that Python is listening on port 8000, which means our server is working as expected.

Next, we'll use Nmap to scan port 8000 on the local machine. The goal is to detect our HTTP server. Here's the command:

nmap -p 8000 localhost > http_server_scan.txt

In this command, the -p flag is used to specify which port we want to scan. In our case, we're scanning port 8000 on the localhost, which is our own machine. The > symbol redirects the output of the Nmap scan to a file named http_server_scan.txt. This way, we can easily review the results later.

Let's check the results of the scan:

cat http_server_scan.txt

If the scan is successful, you should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-25 12:34 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

This output shows that port 8000 is open and running an HTTP service, which means Nmap was able to detect our server.

Finally, let's try scanning a range of ports to see if there are any other services running on our local machine. Here's the command:

nmap -p 1-1000 localhost > port_range_scan.txt

This command tells Nmap to scan all ports from 1 to 1000 on the localhost. Again, we're redirecting the output to a file named port_range_scan.txt.

Let's examine the results:

cat port_range_scan.txt

The output will show which ports in the range 1 - 1000 are open on your local machine. This is a useful way to discover services that you might not have known were running.

Advanced Target Specification

In this step, we'll delve into more advanced Nmap target specification techniques. Nmap is a powerful tool in network reconnaissance, and it offers various ways to specify multiple targets in a single command. This is extremely useful when you need to scan multiple hosts or networks at once, saving you time and effort.

Let's start by creating a text file that contains multiple IP addresses we want to scan. We'll include the localhost (127.0.0.1) and a couple of other local IP addresses. The localhost is a special IP address that refers to the current device itself. By including it, we can test the scanning process on our own machine.

cd /home/labex/project/nmap_scans
echo "127.0.0.1" > targets.txt
echo "127.0.0.2" >> targets.txt
echo "127.0.0.3" >> targets.txt

In the above code, the cd command changes the current working directory to /home/labex/project/nmap_scans. The echo command is used to output text. The > operator creates a new file and writes the text into it, while the >> operator appends the text to an existing file. So, we first create a file named targets.txt and write 127.0.0.1 into it. Then we append 127.0.0.2 and 127.0.0.3 to the same file.

Now, let's take a look at the file we just created to make sure the IP addresses are correctly added.

cat targets.txt

The cat command is used to display the contents of a file. After running this command, you should see the following output:

127.0.0.1
127.0.0.2
127.0.0.3

Next, we'll use the -iL flag in Nmap to scan all the IP addresses listed in the targets.txt file at once. The -iL flag tells Nmap to read the targets from a file.

nmap -iL targets.txt > multiple_targets_scan.txt

Here, the nmap command is used to perform the network scan. The -iL flag specifies the file containing the targets. The > operator redirects the output of the scan to a file named multiple_targets_scan.txt.

Let's check the results of the scan:

cat multiple_targets_scan.txt

After running this command, you should see the scan results for all three IP addresses. Note that 127.0.0.1 will usually show open ports because it's the localhost and there might be some services running on it. However, 127.0.0.2 and 127.0.0.3 might not respond because they're not typically configured on most systems.

Another way to specify multiple targets is to use space notation or CIDR notation directly in the Nmap command.

nmap 127.0.0.1 127.0.0.2 > space_notation_scan.txt

In this command, we use spaces to separate the IP addresses. This tells Nmap to scan both 127.0.0.1 and 127.0.0.2. The output of the scan is redirected to a file named space_notation_scan.txt.

Let's check the results:

cat space_notation_scan.txt

We can also use CIDR notation to scan a range of IP addresses. CIDR (Classless Inter-Domain Routing) notation is a way to represent a range of IP addresses in a concise form.

nmap 127.0.0.0/30 > cidr_notation_scan.txt

The 127.0.0.0/30 in CIDR notation represents a range of IP addresses from 127.0.0.0 to 127.0.0.3, which is a total of 4 addresses. The output of this scan is redirected to a file named cidr_notation_scan.txt.

Let's check the results:

cat cidr_notation_scan.txt

Finally, let's explore how to exclude specific targets from a scan. This is useful when you want to scan a network but don't want to include certain hosts.

nmap 127.0.0.0/30 --exclude 127.0.0.3 > exclude_scan.txt

In this command, we use the --exclude flag to tell Nmap to skip the IP address 127.0.0.3 when scanning the range 127.0.0.0/30. The output of the scan is redirected to a file named exclude_scan.txt.

Let's check the results:

cat exclude_scan.txt

You should see scan results for 127.0.0.0, 127.0.0.1, and 127.0.0.2, but not for 127.0.0.3.

These advanced target specification techniques allow you to precisely control which hosts Nmap scans, making your network reconnaissance more efficient and targeted.

Summary

In this lab, you have learned how to use Nmap for network reconnaissance, focusing on target specification techniques. First, you installed Nmap and explored its basic functions by performing simple scans on your local machine. Then, you set up a local HTTP server and used Nmap to find it by scanning specific ports.

These skills are essential for network administrators and security professionals to discover and evaluate network devices. Mastering Nmap target specification allows you to efficiently scan networks of any scale and complexity, targeting specific hosts and services relevant to your task. Always use Nmap responsibly and only on authorized networks to avoid legal and ethical issues.