In this lab, we will explore the installation and basic usage of Nmap, a powerful network scanning and security auditing tool. Nmap, short for Network Mapper, is an open-source utility used by system administrators and security professionals to discover hosts, services, and vulnerabilities on a network. This lab will guide you through the process of installing Nmap, setting up a local service to scan, and performing basic scans to understand Nmap's capabilities.
In this step, we will install Nmap on your Ubuntu Linux system. Nmap is available in the default Ubuntu repositories, making the installation process straightforward.
First, open your terminal. By default, you should be in the /home/labex/project directory. If not, navigate there using the following command:
cd /home/labex/project
Now, let's update the package list and install Nmap:
sudo apt update
sudo apt install nmap -yThe sudo command allows you to run commands with administrative privileges. The -y flag automatically answers "yes" to any prompts during the installation process.
After the installation is complete, verify that Nmap was installed correctly by checking its version:
nmap --versionYou should see output similar to this (note that your version might be different):
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll selectThis output confirms that Nmap is installed and provides information about the version and compilation options.
Before we start scanning with Nmap, it's useful to have a service running that we can target. In this step, we'll set up a simple HTTP server using Python's built-in http.server module.
First, let's create a new directory for our HTTP server:
mkdir -p /home/labex/project/http-server
cd /home/labex/project/http-serverNow, let's create a simple HTML file that our server will serve:
echo "<html><body><h1>Welcome to the Nmap Lab</h1></body></html>" > index.htmlThis command creates a file named index.html with a basic HTML structure and a welcome message.
Next, we'll start the Python HTTP server:
python3 -m http.server 8000This command starts a simple HTTP server on port 8000.
Open a new terminal tab or window to continue.
To verify that the server is running, you can use the curl command:
curl http://localhost:8000You should see the HTML content we created earlier:
127.0.0.1 - - [13/Sep/2024 15:24:21] "GET / HTTP/1.1" 200 -
<html><body><h1>Welcome to the Nmap Lab</h1></body></html>Now that we have Nmap installed and a local service running, let's perform some basic scans to understand how Nmap works.
First, let's perform a simple TCP connect scan on our local HTTP server:
nmap -sT -p 8000 localhostIn this command:
-sT specifies a TCP connect scan-p 8000 tells Nmap to scan only port 8000localhost is the target of our scanYou should see output similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-13 15:27 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
8000/tcp open http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.06 secondsThis output shows that port 8000 is open and running an HTTP service.
Now, let's perform a more detailed scan that attempts to determine the version of the service running:
nmap -sV -p 8000 localhostThe -sV option tells Nmap to probe open ports to determine service/version info.
You should see output similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-13 15:27 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE VERSION
8000/tcp open http SimpleHTTPServer 0.6 (Python 3.10.12)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.48 secondsThis output provides more detailed information about the service running on port 8000, including the fact that it's a Python SimpleHTTPServer.
You can view the Nmap requests in the logs of the terminal where you started the Python HTTP server.
In real-world scenarios, you often need to scan multiple ports or even entire port ranges. Let's explore how to do this with Nmap.
First, let's scan the most common 1000 ports on localhost:
nmap localhostStarting Nmap 7.80 ( https://nmap.org ) at 2024-09-13 15:29 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00016s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
3001/tcp open nessus
8000/tcp open http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.08 secondsThis command, without any port specification, will scan the top 1000 most common ports. You should see a list of open, closed, and filtered ports.
Now, let's scan all 65535 ports:
nmap -p- localhostThe -p- option tells Nmap to scan all ports from 1 to 65535. This scan will take longer to complete.
Finally, let's scan a specific range of ports:
nmap -p 1-1000 localhostThis command scans ports 1 through 1000.
Nmap provides various output formats that can be useful for different purposes. In this step, we'll explore some of these formats and learn how to save scan results.
First, let's perform a scan and save the output in normal format:
nmap -oN normal_output.txt localhostThe -oN option tells Nmap to save the output in normal format to the specified file.
Now, let's save the output in XML format:
nmap -oX xml_output.xml localhostThe -oX option saves the output in XML format, which can be useful for parsing with scripts or importing into other tools.
Finally, let's save the output in grepable format:
nmap -oG grepable_output.txt localhostThe -oG option saves the output in a format that's easy to parse with tools like grep.
You can view the contents of these files using the cat command, for example:
cat normal_output.txtIn this lab, we explored the fundamental aspects of Nmap, a powerful network scanning and security auditing tool. We began by installing Nmap on an Ubuntu Linux system and verifying its installation. We then set up a local HTTP server to provide a target for our scans, demonstrating how to create a simple service for testing purposes.
We progressed through various scanning techniques, starting with basic port scans and moving on to more detailed service version detection. We learned how to scan specific ports, port ranges, and even all 65535 ports on a system. This knowledge is crucial for understanding the network landscape and identifying potential vulnerabilities.
Finally, we explored Nmap's output options, learning how to save scan results in different formats including normal text, XML, and grepable output. These output formats are essential for documentation, further analysis, and integration with other security tools.
Through this lab, you've gained practical experience with Nmap, setting a foundation for more advanced network scanning and security auditing tasks. Remember, while Nmap is a powerful tool for understanding network structures and identifying potential security issues, it should always be used responsibly and with proper authorization.
