Basic Vulnerability Scanning with Nmap


Introduction

Welcome to this lab on basic vulnerability scanning with Nmap. Nmap (Network Mapper) is a powerful, open-source tool used by network administrators and security professionals for network discovery and security auditing. It can identify what hosts are available on a network, what services those hosts are offering, what operating systems they are running, and much more.

In this lab, you will get hands-on experience with Nmap. You will start by installing it on an Ubuntu system, then use it to scan your own machine (localhost) to find open ports, and finally, learn how to interpret the scan results to identify the services running and their versions, which is the first step in assessing potential vulnerabilities.

This is a Guided Lab, which provides step-by-step instructions to help you learn and practice. Follow the instructions carefully to complete each step and gain hands-on experience. Historical data shows that this is a beginner level lab with a 93% completion rate. It has received a 100% positive review rate from learners.

Install Nmap on Ubuntu 22.04

In this step, you will install the Nmap tool on your Ubuntu 22.04 system. Before you can use any software, you must first ensure it is installed. We will use the apt package manager, which is the standard for Debian-based Linux distributions like Ubuntu.

First, it's a good practice to update your system's package list. This ensures you are getting the latest available versions of software. Open a terminal and run the following command:

sudo apt update

You will see output as apt fetches the latest package information from the repositories.

Next, install Nmap using the apt install command. The -y flag automatically answers "yes" to any prompts, making the installation non-interactive.

sudo apt install -y nmap

Once the installation is complete, you can verify that Nmap was installed correctly by checking its version.

nmap --version

You should see output similar to the following, confirming the installation and showing the installed version.

Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f libz-1.2.11 libpcre-8.39 nmap-libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Now that Nmap is installed, you are ready to perform your first scan.

Perform a Localhost Port Scan to Identify Open Services

In this step, you will perform a basic port scan on your local machine to identify any open ports and the services associated with them. Scanning localhost (which has the IP address 127.0.0.1) is a safe way to practice using Nmap, as you are only scanning your own system.

A port scan checks for open "doors" on a computer that services use to communicate over the network. By default, Nmap scans the 1000 most common TCP ports.

To run a basic scan on your local machine, execute the following command in your terminal:

nmap localhost

Nmap will now scan your machine and report its findings. The output will look something like this. Note that the lab environment has been pre-configured to have a service running on port 8000.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3001/tcp open  nessus
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Let's break down this output:

  • PORT: The port number and protocol (e.g., 8000/tcp).
  • STATE: The status of the port. open means a service is actively accepting connections on this port; closed means the port answered but nothing is listening on it.
  • SERVICE: The common name for the service typically found on that port (e.g., ssh for port 22). In a basic scan this is looked up from Nmap's port-number table, not confirmed by talking to the service, so it is only a label for what is usually there.

From this scan, you've identified that ports 22, 3001 and 8000 are open on your machine, with port 8000 being the service the lab pre-configured for you.

Interpret Nmap Scan Results for Potential Vulnerabilities

In this step, you will learn how to interpret the Nmap scan results to gather more detailed information, which is crucial for identifying potential vulnerabilities. Knowing a port is open is useful, but knowing the exact software and version running on that port is much more powerful.

An open port itself is not a vulnerability. The risk comes from the service running on that port. If the service is outdated or misconfigured, it could be exploited.

To find out more about the services, you can use Nmap's version detection feature with the -sV flag. This will probe the open ports to determine the service and version information.

Run the following command to perform a version scan on localhost:

nmap -sV localhost

The output will now be more detailed. Pay close attention to the VERSION column.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
3001/tcp open  ssl/nessus?
8000/tcp open  http        SimpleHTTPServer 0.6 (Python 3.10.12)

Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds

As you can see, Nmap has now identified the specific version of the services running. For example, on port 8000, it's not just a generic web service (http-alt), but specifically SimpleHTTPServer 0.6 (Python 3.10.12). Note the trailing ? on port 3001 (ssl/nessus?): it means Nmap's probes did not match a known service signature, so the name is only a guess from the port-number table and the VERSION column is empty. Such ports need to be checked by hand rather than assumed safe.

With this version information, a security analyst (or an attacker) could search online vulnerability databases (such as NVD, which indexes CVE entries) for known weaknesses affecting "SimpleHTTPServer 0.6 (Python 3.10.12)". This is the fundamental process of basic vulnerability scanning. One caveat: the version string comes from the banner the service sends, and distribution packages such as Ubuntu's OpenSSH "8.9p1 Ubuntu 3ubuntu0.10" often carry backported security fixes while keeping the upstream version number, so matching on the version alone can over-report vulnerabilities and should be confirmed against the package's changelog.
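The two scans above are read by eye, which works for three ports but not for a fleet. The following script is an added example, not part of the lab, that turns Nmap's grepable output (the real -oG flag, e.g. nmap -sV -oG scan.gnmap localhost) into a one-line-per-port inventory covering both steps: which ports are open, and which software and version each reports. Ports where -sV could not determine a version are marked instead of dropped, since those are exactly the ones a database lookup will miss. The sample_scan function prints a constructed copy of such output for the lab host so the script runs without Nmap installed; swap it for the real file when you use it.

```bash
#!/usr/bin/env bash
# Added example (not part of the lab): build a service inventory from an Nmap
# version scan saved in grepable format (nmap -sV -oG scan.gnmap localhost).
# Grepable format has one "Host:" line per host whose tab-separated "Ports:"
# field lists entries of the form
#   port/state/protocol/owner/service/rpcinfo/version/
# separated by ", " (Nmap writes "|" in place of "/" inside names).
set -eu

sample_scan() {
    # Constructed -oG output for the lab host, standing in for the real scan file.
    printf '%s\t%s\n' 'Host: 127.0.0.1 (localhost)' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 127.0.0.1 (localhost)' \
        'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)/, 3001/open/tcp//ssl|nessus?///, 8000/open/tcp//http//SimpleHTTPServer 0.6 (Python 3.10.12)/' \
        'Ignored State: closed (997)'
}

# inventory: read grepable output on stdin and print "port/proto service version"
# for every open port. An empty version field (what -sV leaves for a guessed
# service such as ssl|nessus?) is replaced by a marker so it is not lost.
inventory() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] != "open") continue
                    version = (f[7] == "") ? "(no version detected: check manually)" : f[7]
                    printf "%s/%s %s %s\n", f[1], f[3], f[5], version
                }
            }
        }'
}

# unversioned: count the open ports that still have no version string, i.e.
# the part of the inventory a vulnerability-database lookup cannot cover yet.
unversioned() {
    inventory | grep -c 'no version detected' || true
}

sample_scan | inventory
printf 'Open ports without a detected version: %s\n' "$(sample_scan | unversioned)"
```

To use it on a real scan, replace sample_scan with cat scan.gnmap. The inventory lines are what you would look up in NVD, one per open port, and the unversioned count tells you how many ports still need a manual look before the scan can be called complete.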

Summary

Congratulations on completing this lab! You have successfully taken your first steps into the world of network scanning with Nmap.

In this lab, you learned how to:

  • Install the Nmap tool on an Ubuntu system using apt.
  • Perform a basic port scan on localhost to discover open ports.
  • Use the version detection scan (-sV) to identify the specific software and version running on those ports.
  • Understand the basic principle of interpreting scan results to identify potential areas of weakness.

These are foundational skills for anyone in cybersecurity, system administration, or network engineering. We encourage you to continue exploring Nmap's many other features, such as its powerful scripting engine (NSE) for more advanced scanning.