What is it?
nmap is a port scanner.
The name means “network mapper”, so nmap can be used to map out networks.
The amazing thing is the number of features it provides to help you gather all kinds of information.
It is one of the tools that grows on you as you grow on it.
It is helpful for the beginner as well as for the pro and is probably one of the most used tools in your toolbox.
The man page of nmap is huge and worth looking at. We will go through some of the uses here.
We are assuming here that we only want to scan a single host. We will deal with scanning networks in a later article.
Let’s start with the most basic scan:
nmap 10.10.186.116
nmap uses ICMP to figure out whether a host is up or not. If you know that it is up but it may be blocking ICMP, you can disable this host discovery with the -Pn switch:
nmap -Pn 10.10.186.116
By default nmap scans the 1,000 most common ports.
You can change that by providing the -p switch.
If you want to make sure not to miss anything, you can scan all the ports there are:
nmap -p- 10.10.186.116
This will scan all ports from 1-65535. This might rarely be useful though.
But you can also provide a list
nmap -p22,80 10.10.186.116
or a range of ports
nmap -p22-80 10.10.186.116
to scan.
So far so good.
But we can get much more info than just the open ports:
sudo nmap -Pn -O 10.10.186.116
The -O switch tells nmap to make an educated guess about the Operating System that runs on the machine.
Depending on the information nmap can gather from the host, that guess will be more or less accurate. You can see in the picture above that we didn’t get 100% certainty here, so we might want to use other means as well to see what OS is running.
So that would already be interesting. We know the open ports and the OS.
But we can do more: nmap also offers the option to find out which version of a service is running on a machine by setting the -sV switch.
nmap -Pn -sV 10.10.186.116
This is really a lot of information that we get here. And since there seems to be an IIS on that machine, we can now be pretty sure that it’s running Windows.
Let’s look at a different example
So again we did a version scan, this time against a different target.
And with the information we get here we can go directly to exploitdb and search for weaknesses and available exploits.
In this case we will find that the Proftpd is vulnerable.
With these few steps and a single tool we already found a possible vulnerability in minutes.