Perform Aggressive Scanning in Nmap

Introduction

In this lab, you will learn how to perform aggressive scanning in Nmap. The lab covers running an aggressive scan on a target IP address, scanning specific ports, adding verbosity to the scan, saving the scan results, analyzing the detailed output, and comparing it with a basic scan. You'll use commands like nmap -A, nmap -A -p, nmap -v -A, and nmap -A -oN in the Xfce terminal to achieve these tasks.

Run aggressive scan with nmap -A 192.168.1.1

In this step, we will perform an aggressive scan using Nmap. An aggressive scan combines several scan techniques to gather comprehensive information about a target. The -A option enables OS detection, version detection, script scanning, and traceroute. This type of scan is useful for identifying open ports, services running on those ports, and the operating system of the target.

Before we begin, let's clarify what an IP address is. An IP address is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. In our case, 192.168.1.1 is a private IP address, commonly used in home or small office networks.

Now, let's execute the aggressive scan. Open your Xfce terminal. Ensure you are in the ~/project directory.

cd ~/project

Then, run the following Nmap command:

sudo nmap -A 192.168.1.1

You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

This command will initiate an aggressive scan against the target IP address 192.168.1.1. Nmap will attempt to identify the operating system, detect versions of running services, run default scripts, and perform a traceroute.

The output will display a detailed report of the scan results, including open ports, service versions, and other information gathered during the scan. The exact output will depend on the target system and its configuration. Here's an example of what the output might look like (though your results will likely differ):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p0 Ubuntu 7ubuntu2 (protocol 2.0)
| ssh-hostkey:
|   2048 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (RSA)
|   256 SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy (ECDSA)
|_  256 SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2018-08-22T12:20:36
| Not valid after:  2028-08-19T12:20:36
| ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.00 ms 192.168.1.1

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

This output shows three open ports (22, 80 and 443 in this example), the services running on them (SSH on 22, HTTP on 80 and HTTPS, reported as ssl/http, on 443) together with their versions, and the operating system family (Linux, from the Service Info line). The TRACEROUTE section shows the network path to the target, here a single hop.

Scan specific ports with nmap -A -p 22,80 127.0.0.1

In this step, we will focus our Nmap scan on specific ports. Instead of scanning all ports or relying on Nmap's default port selection, we'll specify that Nmap should only scan ports 22 and 80 on the target IP address 127.0.0.1. This is useful when you want to quickly check the status of known services or reduce the scan time.

Before we proceed, let's understand what ports are. In networking, a port is a virtual point where network connections start and end. Ports are software-based and managed by the operating system. They allow multiple applications to simultaneously utilize a single network connection. Port 22 is commonly used for SSH (Secure Shell), a secure protocol for remote access, and port 80 is typically used for HTTP (Hypertext Transfer Protocol), the foundation of data communication on the World Wide Web.

127.0.0.1 is the loopback address, also known as localhost. It refers to the current machine you are working on. Scanning 127.0.0.1 is useful for testing services running on your own machine.

Now, let's execute the Nmap command to scan specific ports. Open your Xfce terminal. Ensure you are in the ~/project directory.

cd ~/project

Then, run the following Nmap command:

sudo nmap -A -p 22,80 127.0.0.1

You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

This command will initiate an aggressive scan, but only on ports 22 and 80 of 127.0.0.1. Nmap will attempt to identify the services running on these ports and gather other information.

The output will display a report of the scan results, specifically for ports 22 and 80. Here's an example of what the output might look like (though your results may differ):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000028s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
| ssh-hostkey:
|   3072 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (RSA)
|   256 SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy (ECDSA)
|_  256 SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds

This output shows that port 22 is open and running SSH, and port 80 is open and running Apache HTTP Server. The version information for each service is also displayed.

Add verbosity with nmap -v -A 192.168.1.1

In this step, we will add verbosity to our Nmap aggressive scan. Verbosity in Nmap means increasing the amount of information displayed during the scan. This can be helpful for understanding what Nmap is doing and for troubleshooting any issues. The -v option increases the verbosity level. Using -v multiple times (e.g., -vv or -vvv) increases the verbosity level further, providing even more detailed output.

Let's clarify why verbosity is useful. By default, Nmap provides a summary of the scan results. However, when troubleshooting or trying to understand the scan process, more detailed information can be invaluable. Verbose output shows the progress of the scan, the probes being sent, and the responses received.

Now, let's execute the Nmap command with verbosity. Open your Xfce terminal. Ensure you are in the ~/project directory.

cd ~/project

Then, run the following Nmap command:

sudo nmap -v -A 192.168.1.1

You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

This command will initiate an aggressive scan against the target IP address 192.168.1.1, with increased verbosity. Nmap will display more information about the scan process as it progresses.

The output will be more detailed than the previous aggressive scan. You will see information about the probes being sent, the responses received, and the progress of each stage of the scan. Here's an example of what the output might look like (though your results will likely differ):

Starting Nmap 7.80 ( https://nmap.org )
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
NSE: Executing script msrpc-enum on 192.168.1.1
NSE: Starting runlevel 2 (of 3) scan.
NSE: Starting runlevel 3 (of 3) scan.
NSE: Finished script pre-scanning.
Initiating Ping Scan at 14:35
Scanning 192.168.1.1 [4 ports]
Completed Ping Scan at 14:35, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:35
Completed Parallel DNS resolution of 1 host. at 14:35, 0.00s elapsed
Initiating SYN Stealth Scan at 14:35
Scanning 192.168.1.1 [1000 ports]
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 443/tcp on 192.168.1.1
Completed SYN Stealth Scan at 14:35, 0.15s elapsed (1000 total ports)
Initiating Service scan at 14:35
Scanning 3 services on 192.168.1.1
Completed Service scan at 14:35, 5.23s elapsed (3 services total)
Initiating OS detection at 14:35
Completed OS detection at 14:35, 5.18s elapsed
Nmap scan report for 192.168.1.1
Host is up (0.00078s latency).
Not shown: 997 closed ports
... (rest of the output) ...

The verbose output shows the different stages of the scan, such as the ping scan, port scanning, service detection, and OS detection. It also shows the scripts being executed by the Nmap Scripting Engine (NSE).

Save aggressive scan with nmap -A -oN aggressive.txt 127.0.0.1

In this step, we will learn how to save the output of an Nmap aggressive scan to a file. This is useful for later analysis, reporting, or comparison with other scans. Nmap provides several options for saving output in different formats. We will use the -oN option, which saves the output in a "normal" human-readable format.

The -oN option followed by a filename tells Nmap to save the scan results in the specified file using the normal output format. This format is designed to be easily read by humans.

Now, let's execute the Nmap command to save the aggressive scan output to a file. Open your Xfce terminal. Ensure you are in the ~/project directory.

cd ~/project

Then, run the following Nmap command:

sudo nmap -A -oN aggressive.txt 127.0.0.1

You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

This command will initiate an aggressive scan against the target IP address 127.0.0.1, and save the output in normal format to a file named aggressive.txt in the ~/project directory.

After the scan completes, you can view the contents of the aggressive.txt file using a text editor like nano or cat.

To view the contents of the file using nano, run the following command:

nano aggressive.txt

This will open the aggressive.txt file in the nano text editor. You can scroll through the file to view the scan results.

Alternatively, you can use the cat command to display the contents of the file in the terminal:

cat aggressive.txt

This will print the contents of the aggressive.txt file to the terminal.

The content of the aggressive.txt file will be similar to the output you see on the screen when running Nmap without the -oN option, but it is now saved in a file for later use.

## Nmap 7.80 scan initiated Mon Nov 21 14:45:32 2023 as: nmap -A -oN aggressive.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000028s latency).
Other addresses for localhost (not scanned): ::1

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
| ssh-hostkey:
|   3072 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (RSA)
|   256 SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy (ECDSA)
|_  256 SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
## Nmap done at Mon Nov 21 14:45:35 2023 -- 1 IP address (1 host up) scanned in 2.57 seconds

Analyze detailed output in Xfce terminal

In this step, we will analyze the detailed output from the aggressive scan we saved in the previous step. Understanding the output of Nmap scans is crucial for identifying potential vulnerabilities and misconfigurations in a system. We will use the cat command to view the contents of the aggressive.txt file in the Xfce terminal and discuss the key sections of the output.

The aggressive scan (nmap -A) performs several types of scans, including:

  • TCP Connect Scan: Checks if ports are open by completing the TCP three-way handshake.
  • Service Version Detection: Determines the version of the software running on open ports.
  • OS Detection: Attempts to identify the operating system of the target host.
  • Traceroute: Maps the network path to the target.
  • Nmap Scripting Engine (NSE): Executes scripts to identify vulnerabilities and gather more information.

Now, let's analyze the output. Open your Xfce terminal. Ensure you are in the ~/project directory.

cd ~/project

Then, use the cat command to display the contents of the aggressive.txt file:

cat aggressive.txt

The output will be displayed in the terminal. Let's break down the key sections:

  1. Nmap Scan Report: This section provides general information about the scan, including the target IP address, hostname (if available), and the start and end times of the scan.

    ## Nmap 7.80 scan initiated Mon Nov 21 14:45:32 2023 as: nmap -A -oN aggressive.txt 127.0.0.1
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000028s latency).
    Other addresses for localhost (not scanned): ::1
  2. Port Scan Results: This section lists the open, closed, and filtered ports on the target host. For each open port, Nmap attempts to identify the service running on that port and its version.

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
    | ssh-hostkey:
    |   3072 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (RSA)
    |   256 SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy (ECDSA)
    |_  256 SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (ED25519)
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    • PORT: The port number and protocol (e.g., 22/tcp).
    • STATE: The state of the port (open, closed, filtered).
    • SERVICE: The identified service running on the port (e.g., ssh, http).
    • VERSION: The version of the service (e.g., OpenSSH 8.2p1, Apache httpd 2.4.41).
    • ssh-hostkey: The SSH host key fingerprint.
    • http-server-header: The HTTP server header.
  3. Service Info: This section provides additional information about the services running on the target host, such as the operating system.

    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  4. OS Detection: This section displays the results of Nmap's OS detection attempts. Nmap compares the responses it receives from the target host with a database of known OS fingerprints to identify the operating system.

    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  5. Nmap Scripting Engine (NSE) Results: This section shows the output of any NSE scripts that were executed during the scan. These scripts can provide a wide range of information, such as identifying vulnerabilities, gathering user information, and detecting misconfigurations. (This section might not be present if no scripts were run or if they didn't produce any output.)

  6. Scan Summary: This section summarizes the scan results, including the number of IP addresses scanned and the total scan time.

    ## Nmap done at Mon Nov 21 14:45:35 2023 -- 1 IP address (1 host up) scanned in 2.57 seconds

By analyzing the detailed output of the aggressive scan, you can gain a comprehensive understanding of the target system's network services, operating system, and potential vulnerabilities.

Compare with basic scan in Xfce terminal

In this step, we will perform a basic Nmap scan and compare its output with the aggressive scan we performed earlier. This comparison will highlight the differences in the level of detail and the types of information gathered by each scan. A basic scan typically only performs a TCP connect scan, which is faster but provides less information than an aggressive scan.

A basic Nmap scan, without any specific options, performs a TCP connect scan on the most common 1000 ports. It identifies whether these ports are open, closed, or filtered. It does not perform service version detection, OS detection, or run NSE scripts by default.

Now, let's execute a basic Nmap scan and compare the results. Open your Xfce terminal. Ensure you are in the ~/project directory.

cd ~/project

Run the following Nmap command to perform a basic scan against the target IP address 127.0.0.1:

sudo nmap 127.0.0.1

You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

The output of the basic scan will be displayed in the terminal. It will show the open, closed, and filtered ports on the target host.

Starting Nmap 7.80 ( https://nmap.org ) at Mon Nov 21 15:00:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000028s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
631/tcp  open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Now, let's compare this output with the output of the aggressive scan we saved in the aggressive.txt file. You can use the cat command to view the contents of the aggressive.txt file again:

cat aggressive.txt

Compare the output of the basic scan with the contents of the aggressive.txt file. You will notice the following differences:

  • Service Version Detection: The aggressive scan identifies the specific versions of the services running on the open ports (e.g., OpenSSH 8.2p1, Apache httpd 2.4.41), while the basic scan only identifies the service name (e.g., ssh, http).
  • OS Detection: The aggressive scan attempts to identify the operating system of the target host, while the basic scan does not.
  • NSE Scripts: The aggressive scan may run NSE scripts to gather additional information, while the basic scan does not.
  • Number of Ports Scanned: The basic scan only scans the most common 1000 ports, while the aggressive scan may scan more ports depending on the options used.
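The comparison above is done by eye, and the breakdown of the saved report in the previous step is also manual. The following Python script, an added example that is not part of the lab or of Nmap itself, automates both: it parses the normal-format output (what Nmap prints on screen and writes with -oN) into port records with their attached NSE script lines, then diffs a basic scan against an aggressive one. The two sample reports are constructed from the example output shown in this lab, with the lab's placeholder fingerprints; the function names and the record layout are this example's own choices. Note that in the lab's samples port 631/tcp (ipp) appears in the basic scan but not in the aggressive one, which is exactly the kind of drift between two scans of the same host that a defender would want surfaced rather than noticed by chance.

```python
"""Parse Nmap normal output and compare a basic scan with an aggressive one.
Added example for this lab, not Nmap's own code or lab material; it reads the
human-readable format Nmap prints on screen and writes with -oN."""
import re
from dataclasses import dataclass, field

# Port-table row such as "22/tcp open  ssh     OpenSSH 8.2p1 (protocol 2.0)";
# the VERSION column is optional because a basic scan does not produce it.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
# NSE script output hangs under a port row and starts with "| " or "|_".
SCRIPT_RE = re.compile(r"^\|[ _]\s*(?P<text>.*)$")

# Sample reports constructed from the example output shown in the lab
# (the SHA256 fingerprints are the lab's placeholder strings, not real keys).
BASIC_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at Mon Nov 21 15:00:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000028s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
631/tcp  open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
"""
AGGRESSIVE_SCAN = """\
## Nmap 7.80 scan initiated Mon Nov 21 14:45:32 2023 as: nmap -A -oN aggressive.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000028s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
| ssh-hostkey:
|   3072 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (RSA)
|_  256 SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
## Nmap done at Mon Nov 21 14:45:35 2023 -- 1 IP address (1 host up) scanned in 2.57 seconds
"""

@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""  # empty when the scan did no version detection
    scripts: list = field(default_factory=list)  # NSE lines under this port

@dataclass
class ScanReport:
    target: str = ""
    os_detection: bool = False
    ports: dict = field(default_factory=dict)  # "22/tcp" -> PortRecord

def parse_nmap_normal(text):
    """Turn one Nmap normal-format report into a ScanReport."""
    report, current = ScanReport(), None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith("Nmap scan report for "):
            report.target = line[len("Nmap scan report for "):]
        elif line.startswith("OS detection performed"):
            report.os_detection = True
        elif m := PORT_RE.match(line):
            current = PortRecord(int(m["port"]), m["proto"], m["state"],
                                 m["service"], (m["version"] or "").strip())
            report.ports[f"{current.port}/{current.proto}"] = current
        elif current is not None and (m := SCRIPT_RE.match(line)):
            current.scripts.append(m["text"])  # attribute to the port row above
        elif not line:
            current = None  # a blank line closes the port table
    return report

def by_port(keys):
    """Sort "80/tcp"-style keys numerically rather than as strings."""
    return sorted(keys, key=lambda k: int(k.split("/")[0]))

def compare_reports(basic, aggressive):
    """Summarise what the aggressive scan adds and where the port lists drift."""
    b, a = set(basic.ports), set(aggressive.ports)
    return {
        "only_in_basic": by_port(b - a),
        "only_in_aggressive": by_port(a - b),
        "versions_added": {k: aggressive.ports[k].version for k in by_port(a & b)
                           if aggressive.ports[k].version and not basic.ports[k].version},
        "script_lines": {k: len(p.scripts) for k, p in aggressive.ports.items() if p.scripts},
        "os_detection": (basic.os_detection, aggressive.os_detection),
    }

if __name__ == "__main__":
    diff = compare_reports(parse_nmap_normal(BASIC_SCAN), parse_nmap_normal(AGGRESSIVE_SCAN))
    for name, value in diff.items():
        print(f"{name}: {value}")
```

To use it on your own results, save each scan with -oN as in the earlier step and pass the file contents to parse_nmap_normal; the pipe-prefixed lines are attributed to the port row directly above them, so the ssh-hostkey fingerprints land under 22/tcp and the http-server-header under 80/tcp. Run the same comparison between two aggressive scans of the same host taken at different times and the only_in_* lists become a simple check for services that appeared or disappeared since the baseline.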

In summary, the aggressive scan provides a more detailed and comprehensive view of the target system than the basic scan. However, it also takes longer to complete and may be more likely to be detected by intrusion detection systems. The choice of which type of scan to use depends on the specific goals of the assessment and the constraints of the environment.

Summary

In this lab, participants learned to perform aggressive scanning using Nmap. They executed commands like nmap -A to conduct comprehensive scans that combine OS detection, version detection, script scanning, and traceroute. They also learned to scan specific ports with -p, add verbosity with -v, and save scan results to a file using -oN. Additionally, they analyzed detailed scan outputs and compared them with basic scans in the Xfce terminal.