Introduction
In this lab, you will learn how to perform comprehensive scanning using Nmap. The lab focuses on combining different scan types to gather detailed information about a target.
You will execute full scans using options like -sS (TCP SYN scan), -sU (UDP scan), -O (OS detection), and -sV (service version detection). You'll also explore adding scripts with -sC, adjusting timing with -T3, increasing verbosity with -v, and saving scan results to a file using -oN. Finally, you will analyze the comprehensive output generated by these scans in the Xfce terminal.
Run full scan with nmap -sS -sU -O -sV 192.168.1.1
In this step, we will perform a full scan of a target IP address using Nmap. A full scan combines several scan types to gather comprehensive information about the target: a TCP SYN scan (-sS), a UDP scan (-sU), OS detection (-O), and service version detection (-sV). Note that the SYN scan, the UDP scan and OS detection all need raw-socket access, so Nmap must be run as root (or via sudo) for these steps.
Before we begin, let's briefly explain each of these Nmap options:
- -sS: TCP SYN scan (also known as a stealth scan or half-open scan). It is fast and relatively stealthy because it never completes the TCP three-way handshake.
- -sU: UDP scan. It sends UDP packets to the target and listens for responses to determine which UDP ports are open.
- -O: OS detection. It attempts to identify the operating system of the target host by analyzing its TCP/IP stack fingerprint.
- -sV: Service version detection. It determines the version of the software running on open ports.
Now, let's execute the full scan command. We'll be scanning the IP address 192.168.1.1. Make sure that the target IP address is reachable from your LabEx VM. If you don't have a specific target in mind, you can use your own machine's IP address or a test IP address within your local network.
Open your Xfce terminal and navigate to the ~/project directory. Then, execute the following command:
nmap -sS -sU -O -sV 192.168.1.1
This command will initiate a full scan of the target IP address 192.168.1.1. Nmap will perform a TCP SYN scan, a UDP scan, OS detection, and service version detection.
The output will display the open ports, the services running on those ports, the operating system of the target, and other relevant information.
Example output (the actual output will vary depending on the target):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p0 Ubuntu 7ubuntu2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba netbios-ssn (workgroup: WORKGROUP)
445/tcp open microsoft-ds Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5353/udp open mdns Avahi mDNS/DNS-SD
OS details: Linux 3.2 - 4.9
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.20 ms 192.168.1.1
Nmap done: 1 IP address (1 host up) scanned in 15.32 seconds
This output shows the open ports (e.g., 22, 80, 139, 445), the services running on those ports (e.g., ssh, http, netbios-ssn, microsoft-ds), and the operating system of the target (Linux). The UDP scan result shows port 5353 is open.
Add scripts with nmap -sS -sU -sC -p 22,80 127.0.0.1
In this step, we will enhance our Nmap scan by incorporating Nmap scripts. Nmap scripts are powerful tools that can automate various tasks, such as vulnerability detection, service enumeration, and more. The -sC option tells Nmap to use the default set of scripts. We will also specify the ports to scan using the -p option.
Before we proceed, let's clarify the purpose of the -sC and -p options:
- -sC: This option tells Nmap to run the default set of scripts against the target. These scripts are designed to provide basic information about the services running on the target.
- -p: This option allows you to specify the ports you want to scan. In this case, we are specifying ports 22 and 80.
Now, let's execute the command. We will be scanning 127.0.0.1 (localhost) on ports 22 and 80, using the default scripts.
Open your Xfce terminal and navigate to the ~/project directory. Then, execute the following command:
nmap -sS -sU -sC -p 22,80 127.0.0.1
This command will perform a SYN scan (-sS) and UDP scan (-sU) on ports 22 and 80 of the localhost (127.0.0.1), and it will also run the default scripts (-sC) against those ports.
The output will display the open ports, the services running on those ports, and the results of the scripts that were executed.
Example output (the actual output will vary depending on the services running on your localhost):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000039s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (RSA)
|_ 256 SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy (ECDSA)
80/tcp closed http
Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds
In this example, port 22 (SSH) is open, and the ssh-hostkey script has provided information about the SSH host key. Port 80 (HTTP) is closed. The UDP scan did not reveal any open ports.
Adjust timing with nmap -sS -sU -T3 192.168.1.1
In this step, we will learn how to adjust the timing of Nmap scans using the -T option. The -T option controls the aggressiveness of the scan, which affects the speed and accuracy of the results. A higher timing template can make scans faster, but also increases the chances of being detected or missing some results.
The -T option accepts values from 0 to 5, with each value representing a different timing template:
- -T0: Paranoid (very slow, so slow that it is unlikely to trigger intrusion detection systems)
- -T1: Sneaky (slow, avoids detection)
- -T2: Polite (slows down the scan to avoid overwhelming the target)
- -T3: Normal (default, balanced speed and accuracy)
- -T4: Aggressive (fast, may increase the risk of detection or inaccurate results)
- -T5: Insane (very fast, high risk of detection and inaccurate results)
In this step, we will use the -T3 option, which represents the "Normal" timing template. This is the default setting, but we'll explicitly specify it for demonstration purposes. We will also perform a SYN scan (-sS) and a UDP scan (-sU) on the target IP address 192.168.1.1.
Open your Xfce terminal and navigate to the ~/project directory. Then, execute the following command:
nmap -sS -sU -T3 192.168.1.1
This command will perform a SYN scan and UDP scan on the target IP address 192.168.1.1 using the "Normal" timing template.
The output will display the open ports and the services running on those ports, similar to the previous scans. The only difference is that the timing template is now set explicitly; because -T3 is the default, the results should match those of a scan run without the option.
Example output (the actual output will vary depending on the target):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh OpenSSH 7.6p0 Ubuntu 7ubuntu2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba netbios-ssn (workgroup: WORKGROUP)
445/tcp open microsoft-ds Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5353/udp open mdns Avahi mDNS/DNS-SD
Nmap done: 1 IP address (1 host up) scanned in 10.24 seconds
This output is similar to the output from the first step, but it demonstrates how to explicitly set the timing template using the -T option.
Add verbosity with nmap -v -sS -sU -O 127.0.0.1
In this step, we will add verbosity to our Nmap scan using the -v option. Verbosity increases the amount of information displayed during the scan, providing more details about the process and the results. This can be helpful for troubleshooting or for gaining a deeper understanding of what Nmap is doing.
The -v option increases the verbosity level. You can use it multiple times (e.g., -vv) to further increase the verbosity.
In this step, we will perform a SYN scan (-sS), a UDP scan (-sU), and OS detection (-O) on the target IP address 127.0.0.1 (localhost), and we will add verbosity using the -v option.
Open your Xfce terminal and navigate to the ~/project directory. Then, execute the following command:
nmap -v -sS -sU -O 127.0.0.1
This command will perform the specified scans with increased verbosity. You will see more detailed output about the scan process, including each scan phase as it starts and completes, open ports reported as soon as they are discovered, and the OS detection attempts.
Example output (the actual output will vary depending on the target and the services running on it):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
NSE: Loaded 0 scripts for scanning.
Initiating SYN Stealth Scan
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Completed SYN Stealth Scan
Initiating UDP Scan
Scanning localhost (127.0.0.1) [1000 ports]
Completed UDP Scan
Initiating OS detection.
Scanning localhost (127.0.0.1)
Completed OS detection.
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000039s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
5353/udp open mdns
Device type: General purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.15
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.24 seconds
Notice the additional information displayed about the scan process, such as "Initiating SYN Stealth Scan", "Completed UDP Scan", and "Initiating OS detection." This is the result of the increased verbosity.
Save full scan with nmap -sS -sU -sV -oN full.txt 192.168.1.1
In this step, we will learn how to save the output of an Nmap scan to a file using the -oN option. This is useful for later analysis or for documenting the results of a scan.
The -oN option specifies that the output should be saved in "normal" format to the specified file. The "normal" format is the same human-readable output you see in the terminal, with header and footer lines recording when the scan started and finished.
In this step, we will perform a SYN scan (-sS), a UDP scan (-sU), and service version detection (-sV) on the target IP address 192.168.1.1, and we will save the output to a file named full.txt in the ~/project directory.
Open your Xfce terminal and navigate to the ~/project directory. Then, execute the following command:
nmap -sS -sU -sV -oN full.txt 192.168.1.1
This command will perform the specified scans and save the output to the full.txt file.
After the scan is complete, you can view the contents of the full.txt file using the cat command or a text editor like nano.
cat full.txt
or
nano full.txt
The full.txt file will contain the output of the Nmap scan in a human-readable format.
Example content of full.txt (the actual content will vary depending on the target):
## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p0 Ubuntu 7ubuntu2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba netbios-ssn (workgroup: WORKGROUP)
445/tcp open microsoft-ds Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5353/udp open mdns Avahi mDNS/DNS-SD
Service Info: Host: MYSERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
## Nmap done at Fri Oct 27 10:20:10 2023 -- 1 IP address (1 host up) scanned in 10.24 seconds
This output is similar to the output displayed in the terminal, but it is now saved in a file for later use.
Analyze comprehensive output in Xfce terminal
In this step, we will analyze the comprehensive output generated by the Nmap scans performed in the previous steps. Understanding the output is crucial for identifying potential vulnerabilities and gathering information about the target system. We will focus on interpreting the key elements of the Nmap output within the Xfce terminal.
First, let's review the different types of scans we've performed and the information they provide:
- SYN Scan (-sS): This is a stealthy scan that quickly identifies open ports without completing the TCP handshake. It's useful for quickly mapping the open ports on a target.
- UDP Scan (-sU): This scan identifies open UDP ports. UDP is a connectionless protocol, so this scan can be less reliable and slower than a TCP scan.
- OS Detection (-O): This attempts to determine the operating system running on the target.
- Service Version Detection (-sV): This attempts to determine the version of the services running on open ports.
- Script Scan (-sC): This executes a set of Nmap scripts to identify vulnerabilities and gather more information about the target.
Now, let's analyze the output. You can either refer to the full.txt file created in the previous step or re-run a scan and observe the output directly in the terminal. For example, you can view the content of full.txt using the cat command:
cat ~/project/full.txt
Or, you can re-run the full scan command from step 1:
nmap -sS -sU -O -sV 192.168.1.1
Key elements to look for in the output:
- Open Ports: Nmap will list the open ports on the target system. This is the first step in identifying potential services that are running.
- Service Information: Nmap will attempt to identify the service running on each open port. This information can be used to identify known vulnerabilities in those services.
- Operating System: Nmap will attempt to identify the operating system running on the target. This information can be used to identify OS-specific vulnerabilities.
- Scan Latency: The output shows the latency, i.e. the round-trip time between Nmap and the target. Higher latency can indicate network congestion or a slow connection.
Example output (the actual output will vary depending on the target):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:25 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p0 Ubuntu 7ubuntu2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba netbios-ssn (workgroup: WORKGROUP)
445/tcp open microsoft-ds Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5353/udp open mdns Avahi mDNS/DNS-SD
Service Info: Host: MYSERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS CPE: cpe:/o:linux:linux_kernel
Aggressive OS guesses: Linux 3.10 - 4.11 (95%), Linux 3.16 (95%), Linux 4.4 (95%), Linux 4.6 - 4.7 (95%), Linux 4.8 (95%), Linux 4.9 (95%), Linux 4.12 (95%), Linux 4.13 (95%), Linux 4.14 (95%), Linux 4.15 (95%)
No exact OS matches for host.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
In this example output:
- Port 22 is open and running OpenSSH 7.6p0.
- Port 80 is open and running Apache httpd 2.4.29.
- Ports 139 and 445 are open and running Samba.
- Port 5353 is open and running Avahi mDNS/DNS-SD.
- Nmap has made aggressive guesses about the OS, suggesting it's likely a Linux kernel between versions 3.10 and 4.15.
By carefully analyzing the Nmap output, you can gain valuable insights into the target system's security posture.
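The analysis above can also be done programmatically. The following Python script is an added example (not part of the LabEx lab or of Nmap itself): it parses a saved -oN report such as ~/project/full.txt into structured data and groups the open ports by protocol, which is the same reading of the port table, latency and Service Info line described above. The embedded sample report is constructed to mirror the full.txt shown in this lab, and the function names are my own.

```python
import re, sys

# Constructed sample mirroring the full.txt shown in this lab (illustrative values, not a real scan)
SAMPLE_REPORT = """\
## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.6p0 Ubuntu 7ubuntu2 (protocol 2.0)
80/tcp   open  http         Apache httpd 2.4.29 ((Ubuntu))
139/tcp  open  netbios-ssn  Samba netbios-ssn (workgroup: WORKGROUP)
445/tcp  open  microsoft-ds Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5353/udp open  mdns         Avahi mDNS/DNS-SD
Service Info: Host: MYSERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
## Nmap done at Fri Oct 27 10:20:10 2023 -- 1 IP address (1 host up) scanned in 10.24 seconds
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
LATENCY_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")  # port/proto state service [version]

def parse_normal_output(text):
    """Turn -oN text into {'host', 'latency_s', 'ports': [...], 'service_info'}."""
    report = {"host": None, "latency_s": None, "ports": [], "service_info": None}
    for line in map(str.rstrip, text.splitlines()):
        if m := HOST_RE.match(line):
            report["host"] = m.group(2) or m.group(1)  # prefer the IP when a hostname is shown
        elif m := LATENCY_RE.match(line):
            report["latency_s"] = float(m.group(1))
        elif m := PORT_RE.match(line):
            report["ports"].append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                                    "service": m.group(4), "version": (m.group(5) or "").strip()})
        elif line.startswith("|") and report["ports"]:
            # NSE (-sC) script output is printed indented under the port it belongs to
            report["ports"][-1].setdefault("scripts", []).append(line.lstrip("|_ "))
        elif line.startswith("Service Info:"):
            report["service_info"] = line.split(":", 1)[1].strip()
    return report

def open_ports_by_proto(report):
    """Group ports whose state is exactly 'open' (not 'open|filtered', common for UDP) by protocol."""
    grouped = {}
    for p in report["ports"]:
        if p["state"] == "open":
            grouped.setdefault(p["proto"], []).append(p["port"])
    return grouped

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT  # e.g. ~/project/full.txt
    rep = parse_normal_output(text)
    print(rep["host"], open_ports_by_proto(rep))
```

Run it without arguments to parse the embedded sample, or pass the path of your saved report to work on real scan output.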
Summary
In this lab, we performed comprehensive scanning in Nmap, combining TCP SYN scan (-sS), UDP scan (-sU), OS detection (-O), and service version detection (-sV) to gather extensive information about a target IP address. We learned how to execute a full scan using the command nmap -sS -sU -O -sV 192.168.1.1 and interpret the output, which includes open ports, running services, and the target's operating system.
Furthermore, the lab covered adding scripts with -sC, adjusting timing with -T3, increasing verbosity with -v, and saving scan results to a file using -oN. These techniques enhance Nmap's capabilities for detailed network analysis and reporting.



