Nmap Network Scanner – A tool to scan network and security holes

Tram Ho

I) General introduction about Nmap

As we all know, Nmap with the latest version is now 7.80 released at DEFCON 27 is an open source network scanning tool, used very popular by security experts because of its effectiveness, transparency that it provides because an open source tool can enable the cybersecurity community around the world to contribute, build and develop together.

In this article I will guide you to use the Nmap tool to scan the operating system, specific running services and more with the website Viblo.asia . This article is written for educational purposes only and I do not accept any responsibility and do not recommend relying on this article to exploit information and conduct intrusions without permission.

1. How it works

Nmap uses IPs on packets in different special ways to identify hosts on a network, thereby determining if services are running on that system, the operating system is running. , what are the filters and the firewall it is using.

2. Features of Nmap

  • Security detection
  • exploit security holes
  • discovered the backdoor
  • network scan
  • scan servers and ports on servers on the system
  • Determine the operating system, service, firewall you are using
  • provides information about device type, DNS name, Mac address
  • execute NSE or Lua scripts with the test objects

II) Instructions for downloading and installing

Nmap can be used on Windows and macOS and is supported on Linux distributions including Red Hat, Mandrake, SUSE and Fedora and works on other operating systems including BSD, Solaris, AIX and AmigaOSfaffa

1. On the Windows operating system

Go to https://nmap.org/download.html and download the installation as follows:

2. On some of the other Linux distributions

For Debian based I use the command: #sudo apt install nmap

For Red Hat Based we use the command: #yum install nmap

And press “Y” to confirm installation https://images.viblo.asia/d73df3e8-19f0-48f0-bea4-85b6d2decd1c.png

After installing Nmap, we can check if the installation is successful and what the version is using the command: #nmap --version

III) Use Nmap

1. NSE script

Nmap Scripting Engine (NSE) is one of the most dangerous options in Nmap. It allows users to write and share simple scripts to perform various tasks in the networking field automatically. These scripts can be used to detect vulnerabilities and exploit vulnerabilities.

To perform this function of nmap use the option: –-script [tên_script].nse

In nmap we include 4 types of NSE scripts as follows:

  • Host script : A type of script that is executed after nmap has performed its task , such as scanning hosts, network ports or operating systems, etc.
  • Prerule script : is a script that is executed before any scanning or information gathering task
  • Service script : is a script that runs against a service that is listening above the pentest target
  • postrule sciprt : is a script that runs after Nmap executes the target scan

Location of NSE script: The scripts (.nse file) are in the script directory when installing nmap, users can customize editing, adding other scirpt.

On each different operating system they will be stored in a different location:

  • On linux : ~/.nmap/scripts/ or /usr/share/nmap/scripts/ or in $NMAPDIR. Or the easiest way is to run the command: locate *.nse
  • On Mac: / usr / local / Cellar / nmap // share / nmap / scripts /.
  • On windows : C: Program Files (x86) Nmap scripts or C: Program Files Nmap scripts
  • Also in case you want to update NSE scripts on Nmap use the command: sudo nmap --script-updatedb

Here are some examples of using NSE Script to scan for security holes in the system

2. Status of ports in Nmap

During the scan we can see the status of the ports as follows:

  • Open : There is a service that makes an outbound connection but is not monitored by a firewall.
  • Closed : The target device still receives and responds, but no application is listening on that port. When the port is closed, it can still tell if the host is live
  • Filtered : Once blocked by the firewall, you will not receive any response from the target.
  • Unfiltered : Not blocked, but cannot know whether the port is closed or open.
  • Open / Filtered : It is not known whether the port is open or filtered. It happens for the type of scan that the port is open but does not respond at all so its expression is like filtering.
  • Closed / Filtered : A status that appears when Nmap does not know if the port is Closed or Filtered. It is used for scanning IPID Idle.

3. Common commands in Nmap

  • Check if the host is still alive: #nmap -sn [IP_của_mục tiêu]
  • Check the operating system of the server: #nmap -O [IP_của_mục tiêu]
  • Scan a specific port: #nmap -p [số_cổng] [IP_của_mục tiêu]
  • Scanning the TCP connection, Nmap will perform a three-step #nmap -sT [IP_của_mục tiêu] scan: #nmap -sT [IP_của_mục tiêu]
  • Scan UDP connection: #nmap -sU [IP_của_mục tiêu]
  • Scan to determine the version of the service that is running on the host: #nmap -PN -p [số_cổng] -sV [IP_của_mục tiêu]

And there are many more arguments you can refer to the following: https://hackersonlineclub.com/nmap-commands-cheatsheet/

4. Realistic demo with Viblo

First, when we have identified the target, to get the IP try with ping: ping viblo.asia

But as you can see the IP we see is 104.27.188.151. But in fact it is not the IP of Viblo.asia ‘s web server but the IP of Cloudflare that viblo.asia is pointing to

Refer to Cloudflare’s IP series here: https://www.cloudflare.com/ips/

In my experience, in this case you should use the Netcraft system at https://toolbar.netcraft.com/ . Netcraft is a company that has been exploring the Internet since 1995 and has been collecting Internet variation over the past 25 years

So I started looking for reports in Netcraft about Viblo.asia

As you can see here this is also reported as Cloudflare’s IP. And scroll down to find some of the following information

So we see netcraft has recorded 3 IP is 160.16.198.185 , 160.16.124.150 , 139.162.17.246

In which the first 2 IPs we can see are SAKURA Internet or takoyaki.asia site (The ability previously 2016 that site also uses this IP coudflare). But pay attention to the 3rd IP in the other SPF section is 139.162.17.246 . Most likely it will be the IP of Viblo.asia

To know, try to access it

At this point, it will continue to page 404. But that’s enough for Viblo.asia to be 139.162.17.246

Now it’s time to go back to Nmap 😃 ) Run the simplest command

There is little we can see note appeared https://li859-246.members.linode.com/ from which we can add 1 information is Viblo.asia running on Linode VPS

Next, you don’t see what ports are there and blocked by the firewall. But it’s okay for us to bypass it by using the --spoof-mac

Okay, we found the open ports on the server. Including ports 22,80,443,6001 and below is a table of names of services that usually run on those ports

Now if you want to know what the operating system is using on that server, add the -O argument to the command. Then we have this

because here we can see that no port is closed, the accuracy of determining the operating system is also reduced and as in this case we temporarily know that HDH uses the Linux kernel.

Combining some arguments to get a comprehensive view, I will use the command #nmap -sC -sV -O -spoof-mac Cisco 139.162.17.246 where -sC is running the default script and -sV will display information. Service details as below

And here comes a little more information and operating system capabilities that in this situation of the VPS is running

——— End of Demo ———-

I hope everyone follows this article to have a more specific view of Nmap as well as get some direction in the process of reconnaissance in pentesting.

Share the news now

Source : Viblo