Learn Nmap Network Port Scanning

NmapNmapBeginner
Practice Now

Introduction

In this lab, you will learn the fundamentals of network port scanning using Nmap, a powerful open - source network scanning tool favored by cybersecurity professionals. Port scanning is a crucial technique for network administrators and security analysts to uncover open ports and services on a target system.

You will learn to perform a basic TCP Connect scan, a common and reliable scanning method. This approach establishes a full TCP connection with the target port to check its status. By the end of this lab, you'll be able to identify open services on a network, a key first step in network security assessment and system hardening.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/basic_syntax("Basic Command Syntax") nmap/NmapGroup -.-> nmap/tcp_connect_scan("Basic TCP Connect Scan") nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") subgraph Lab Skills nmap/installation -.-> lab-415936{{"Learn Nmap Network Port Scanning"}} nmap/basic_syntax -.-> lab-415936{{"Learn Nmap Network Port Scanning"}} nmap/tcp_connect_scan -.-> lab-415936{{"Learn Nmap Network Port Scanning"}} nmap/save_output -.-> lab-415936{{"Learn Nmap Network Port Scanning"}} nmap/target_specification -.-> lab-415936{{"Learn Nmap Network Port Scanning"}} end

Understanding Network Ports and Services

Before we start learning about scanning, it's crucial to understand what network ports are and why they are significant in the field of cybersecurity. Network ports play a vital role in allowing different services to communicate over a network. They are like doors through which data can enter and leave a computer.

What are Network Ports?

Network ports are virtual endpoints for communication on a computer network. Think of them as specific addresses within a computer where different services can receive and send data. Each port is identified by a number ranging from 0 to 65535. Different services typically use specific ports. For example, web servers often use port 80 for HTTP (Hypertext Transfer Protocol) and port 443 for HTTPS (HTTP Secure), which is a more secure version of HTTP. SSH (Secure Shell) services, which are used for secure remote access to a computer, use port 22.

When a service runs on a computer, it "listens" on one or more ports for incoming connections. This means it waits for data to arrive at a particular port so that it can process it. Port scanning is the process of checking which ports on a computer are "open" (have a service listening on them) or "closed" (not accepting connections). By scanning ports, we can identify which services are running on a computer and potentially find security vulnerabilities.

Setting Up a Service to Scan

Now, let's set up a simple service on your local machine that we can scan. We'll use Python's built-in HTTP server, which is a convenient way to create a basic web server. This server will listen on port 8080.

First, make sure you're in the project directory. The project directory is where all the files related to this experiment will be stored. You can navigate to it using the following command:

cd /home/labex/project

Now, let's create a simple HTML file that our server will host. HTML (Hypertext Markup Language) is the standard language for creating web pages. The following command will create an index.html file with a simple welcome message:

echo "<html><body><h1>Welcome to Port Scanning Lab</h1></body></html>" > index.html

Next, we'll start a Python HTTP server on port 8080. We'll run it in the background so that you can continue with the lab while the server is running. The & symbol at the end of the command tells the system to run the command in the background.

python3 -m http.server 8080 &

You should see output similar to:

Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

This means a web server is now running on your machine and listening on port 8080. To verify that the server is working correctly, you can open a new terminal and use the curl command. curl is a tool used to transfer data from or to a server. The following command will send a request to the server running on your local machine at port 8080:

curl http://localhost:8080

You should see the HTML content we created earlier. This confirms that our service is running and ready to be scanned.

Introduction to Nmap and TCP Connect Scanning

Now that we have a service up and running, it's time to explore Nmap and understand how to use it for port scanning. Port scanning is a crucial technique in network security, as it helps us identify open ports on a target system. Open ports can be potential entry points for attackers, so knowing which ports are open and what services are running on them is essential for securing a network.

What is Nmap?

Nmap, short for Network Mapper, is one of the most well - known and powerful tools in the field of network discovery and security auditing. It offers a wide range of capabilities that are extremely useful for network administrators and security professionals.

  • Discover hosts and services on a network: Nmap can help you find out which devices are connected to a network and what services they are offering. For example, it can detect if there are web servers, file servers, or email servers on a local network.
  • Identify open ports on target systems: By sending packets to different ports on a target system, Nmap can determine which ports are open and ready to accept connections.
  • Determine what services are running on those ports: Once an open port is identified, Nmap can try to figure out what service is running on that port. For instance, if port 80 is open, it's likely that a web server is running.
  • Detect operating systems and service versions: Nmap can analyze the responses from a target system to guess the operating system it's running and the versions of the services. This information can be used to identify potential vulnerabilities.
  • Perform various types of scans for different scenarios: Depending on your needs, Nmap can perform different types of scans, such as TCP Connect scans, SYN scans, UDP scans, etc.

Understanding TCP Connect Scan

The TCP Connect scan is the most fundamental form of TCP scanning. To understand how it works, we first need to know about the TCP three - way handshake. The TCP three - way handshake is a process that two devices use to establish a reliable connection. It involves three steps: the client sends a SYN (synchronize) packet to the server, the server responds with a SYN - ACK (synchronize - acknowledgment) packet, and then the client sends an ACK (acknowledgment) packet to complete the connection.

Here's how the TCP Connect scan operates:

  1. Nmap tries to establish a full three - way TCP handshake with the target port. It acts like a normal client trying to connect to a service on the target system.
  2. If the connection is successful, meaning that all three steps of the handshake are completed, the port is marked as "open". This indicates that there is a service listening on that port and ready to accept connections.
  3. If the connection is refused, for example, if the target system sends a RST (reset) packet, the port is marked as "closed". This means that there is no service listening on that port.
  4. If there's no response from the target system, the port is marked as "filtered". This usually means that the port might be blocked by a firewall or some other security mechanism.

It's important to note that the TCP Connect scan is reliable because it fully establishes a connection. However, it's not very stealthy. Since it creates a real connection, it leaves connection logs on the target system, which could alert the system administrator.

Performing Your First Nmap TCP Connect Scan

Let's scan the service we set up in the previous step. To do this, we'll open a new terminal. The terminal is a command - line interface where we can enter commands to interact with the operating system.

Once the terminal is open, run the following command:

nmap -sT localhost -p 8080

Let's break down this command to understand what each part does:

  • nmap: This is the name of the tool we're using. It tells the system that we want to run the Nmap program.
  • -sT: This is a flag that specifies a TCP Connect scan. When Nmap sees this flag, it will perform a TCP Connect scan on the target.
  • localhost: This is the target we're scanning. In this case, localhost refers to our own machine. It's a way to test the scanning process on the local system.
  • -p 8080: This option specifies the port we want to scan. Here, we're scanning port 8080.

After running the command, you should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-20 12:34 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

The output shows the details of the scan. It tells us that Nmap has started, the target it scanned, whether the host is up, and the state of the port we scanned. In this case, port 8080 is marked as "open" and the service running on it is identified as "http - proxy".

Now, let's save this output to a file for later reference. Saving the output is useful because we can review it later or share it with others. To do this, run the following command:

nmap -sT localhost -p 8080 > /home/labex/project/nmap_scan_output.txt

This command performs the same TCP Connect scan as before. The > symbol is used to redirect the output of the command. Instead of displaying the output on the terminal screen, it will be written to a file named nmap_scan_output.txt located in the /home/labex/project directory.

Let's view the contents of the file to confirm that the output has been saved correctly. Run the following command:

cat /home/labex/project/nmap_scan_output.txt

The cat command is used to display the contents of a file. After running this command, you should see the same Nmap output as before, now saved in the file.

Analyzing Scan Results and Understanding Port States

Now that we've successfully performed our first scan, it's time to dig deeper into the results and understand what each piece of information means. This step is crucial as it helps us make sense of the data we've collected and draw meaningful conclusions about the target system.

Understanding Port States in Nmap

Nmap, a powerful network scanning tool, classifies ports into six different states. Each state provides valuable information about the status of a port on the target system.

  1. open - When a port is reported as "open", it means that an application is actively listening for incoming connections on that port. This indicates that there is a service running and ready to accept requests.
  2. closed - A "closed" port means that no application is currently listening on it. However, the port is still accessible, which means that it could potentially be used by a service in the future.
  3. filtered - If Nmap reports a port as "filtered", it means that it cannot determine whether the port is open or not. This is usually because a firewall or some other security measure is blocking access to the port.
  4. unfiltered - An "unfiltered" port means that Nmap can access the port, but it cannot determine if it is open or closed. This could be due to various factors, such as the target system's configuration or network conditions.
  5. open|filtered - When Nmap reports a port as "open|filtered", it means that it cannot determine whether the port is open or filtered. This is a common result when scanning through a firewall or other security device.
  6. closed|filtered - A "closed|filtered" port means that Nmap cannot determine whether the port is closed or filtered. Similar to the "open|filtered" state, this is often due to security measures blocking access to the port.

In our scan results, port 8080 was reported as "open". This tells us that our Python HTTP server is successfully listening on that port and ready to accept incoming connections.

Understanding Service Detection

You may have noticed that Nmap identified the service on port 8080 as "http-proxy". Nmap uses a database of common port assignments to make an educated guess about what service might be running on a port. Port 8080 is commonly used for HTTP proxy services, so Nmap made that assumption based on its database.

However, this guess may not always be accurate. To get more precise information about the service running on a port, you can use the service detection flag (-sV). This flag tells Nmap to perform additional checks to determine the exact service and its version.

Let's try using the service detection flag:

nmap -sT -sV localhost -p 8080 > /home/labex/project/nmap_service_output.txt

In this command, -sT specifies a TCP connect scan, -sV enables service detection, localhost is the target we are scanning, -p 8080 specifies that we are only scanning port 8080, and > /home/labex/project/nmap_service_output.txt redirects the output to a file.

Now, let's view the output:

cat /home/labex/project/nmap_service_output.txt

After running this command, you should see additional information about the service running on port 8080. It might identify the service as "Python http.server" or something similar, giving you a more accurate understanding of what is running on that port.

Exploring More Information with Verbose Mode

If you want a more detailed understanding of what Nmap is doing during the scan, you can use verbose mode with the -v flag. Verbose mode provides additional information about the scanning process, including details about the packets sent and received, timing information, and the exact steps Nmap took to determine the port state.

Let's try using verbose mode:

nmap -sT -v localhost -p 8080 > /home/labex/project/nmap_verbose_output.txt

In this command, -sT is for the TCP connect scan, -v enables verbose mode, localhost is the target, -p 8080 specifies the port to scan, and > /home/labex/project/nmap_verbose_output.txt redirects the output to a file.

Let's check the output:

cat /home/labex/project/nmap_verbose_output.txt

The verbose output will give you a more in-depth look at the scanning process, helping you understand how Nmap arrives at its conclusions about the port state and the services running on the target system.

Expanding Your Scanning Knowledge

Now that you have grasped the basics of TCP Connect scanning, it's time to take your knowledge to the next level. In this section, we'll learn how to scan multiple ports and understand how to interpret the results. This will help you gain a more comprehensive view of the network services running on a target system.

Scanning Common Ports

Let's start by scanning the most common ports on your local machine, also known as the localhost. These common ports are often used by well - known network services.

nmap -sT localhost --top-ports 10 > /home/labex/project/common_ports_scan.txt

In this command, the -sT option tells Nmap to perform a TCP Connect scan. The localhost specifies the target, which is your own machine. The --top-ports 10 option instructs Nmap to scan the 10 most commonly used ports. The > symbol redirects the output of the scan to a file named common_ports_scan.txt in the /home/labex/project directory.

Now, let's see the results of this scan:

cat /home/labex/project/common_ports_scan.txt

The cat command is used to display the contents of a file. When you run this command, you'll see a list of ports. For example, port 21 is used for FTP (File Transfer Protocol), port 22 for SSH (Secure Shell), port 23 for Telnet, port 25 for SMTP (Simple Mail Transfer Protocol), and port 80 for HTTP (Hypertext Transfer Protocol). On your system, most of these ports will probably be closed, unless you have specific services running. For instance, if our HTTP server on port 8080 is among the top 10 ports, it will show as open.

Scanning a Range of Ports

In addition to scanning common ports, you can also scan a specific range of ports. Let's scan ports from 8000 to 8100 on your localhost.

nmap -sT localhost -p 8000-8100 > /home/labex/project/port_range_scan.txt

Here, the -p 8000 - 8100 option tells Nmap to scan the ports in the range from 8000 to 8100. The output of this scan is redirected to a file named port_range_scan.txt in the /home/labex/project directory.

To view the results of this scan:

cat /home/labex/project/port_range_scan.txt

In the output, you should see that port 8080 (if it's within the scanned range) is open, while the other ports in the range are likely to be closed.

Combining Techniques

Let's combine the techniques we've learned so far. We'll perform a TCP Connect scan and also try to detect the services running on the ports in the range from 8000 to 8100.

nmap -sT -sV localhost -p 8000-8100 > /home/labex/project/combined_scan.txt

The -sV option is used to enable service detection. This means that Nmap will not only tell you whether a port is open or closed but also try to identify the service running on the open ports. The output of this combined scan is saved in the combined_scan.txt file in the /home/labex/project directory.

To check the results:

cat /home/labex/project/combined_scan.txt

This scan provides the most detailed information so far. It shows the state of each port in the specified range and attempts to identify the services running on the open ports.

Cleaning Up

Before we finish this lab, we need to clean up by stopping the Python HTTP server we've been using. First, we need to find the process ID (PID) of the server.

ps aux | grep "python3 -m http.server 8080"

The ps aux command lists all the running processes on your system. The | symbol is a pipe, which takes the output of the ps aux command and passes it to the grep command. The grep command then searches for the line that contains the text "python3 -m http.server 8080", which is the command used to start the Python HTTP server.

Look for the line that shows the Python HTTP server process. The second column of this line contains the process ID (PID). Once you've noted the PID, you can use the kill command to stop the process.

kill <PID>

Replace <PID> with the actual process ID you found. For example, if the PID is 1234, you would run:

kill 1234

Summary

In this lab, you have learned the fundamentals of network port scanning using Nmap. You practiced setting up a service for scanning, conducting basic TCP Connect scans, and analyzing the scan results.

Key skills acquired include understanding network ports and the importance of scanning them, setting up a simple HTTP server, using Nmap for TCP Connect scans, interpreting port states, using Nmap options for detailed information, scanning multiple ports and ranges, and identifying services on open ports. These skills are the foundation of network reconnaissance, vital for network administration and security assessment. As you progress in cybersecurity, you can build on these basics to explore advanced techniques and security practices.