Nmap 6: Network Exploration and Security Auditing Cookbook: Want to master Nmap and its scripting engine? Then this book is for you – packed with practical tasks and precise instructions, it's a comprehensive guide to penetration testing and network monitoring. Security in depth.

In recent years, Nmap has become the de facto tool for network exploration, leaving all other scanners far behind. Its popularity comes from having a vast number of features that are useful to penetration testers and system administrators. It supports several ping and port scanning techniques applied to host and service discovery, correspondingly.

Hosts protected by packet filtering systems, such as firewalls or intrusion prevention systems sometimes cause incorrect results because of rules that are used to block certain types of traffic. The flexibility provided by Nmap in these cases is invaluable, since we can easily try an alternate host discovery technique (or a combination of them) to overcome these limitations. Nmap also includes a few very interesting features to make our traffic less suspicious. For this reason, learning how to combine these features is essential if you want to perform really comprehensive scans.

System administrators will gain an understanding of the...

Ping scans are used for detecting live hosts in networks. Nmap's default ping scan (-sP) uses a TCP ACK and an ICMP echo request to determine if a host is responding, but if a firewall is blocking these requests, we will miss this host. Fortunately, Nmap supports a scanning technique called the TCP SYN ping scan that is very handy in these situations, where system administrators could have been more flexible with other firewall rules.

This recipe will talk about the TCP SYN ping scan and its related options.

$ nmap -sP -PS 192.168.1.1/24

$ nmap -sP -PS 192.168.1.1/24 
Nmap scan report for 192.168.1.101 
Host is up (0.088s latency). 
Nmap scan report for 192.168.1.102 
Host is up (0.000085s latency). 
Nmap scan report for 192.168.1.254 
Host is up (0.0042s latency). 
Nmap done: 256 IP addresses (3 hosts up) scanned...

Similar to the TCP SYN ping scan, the TCP ACK ping scan is used to determine if a host is responding. It can be used to detect hosts that block SYN packets or ICMP echo requests, but it will most likely be blocked by modern firewalls that track connection states.

The following recipe shows how to perform a TCP ACK ping scan and its related options.

# nmap -sP -PA <target>

# nmap -sP -PA 0xdeadbeefcafe.com 


Note: Host seems down. If it is really up,...

Ping scans are used to determine if a host is responding and can be considered online. UDP ping scans have the advantage of being capable of detecting systems behind firewalls with strict TCP filtering leaving the UDP traffic forgotten.

This next recipe describes how to perform a UDP ping scan with Nmap and its related options.

# nmap -sP -PU <target>

# nmap -sP -PU scanme.nmap.org 


Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.089s latency). 
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds 

Ping scans are used to determine if a host is online and responding. ICMP messages are used for this purpose, and hence ICMP ping scans use these types of packets to accomplish this.

The following recipe describes how to perform an ICMP ping scan with Nmap, and the flags for the different types of ICMP messages.

# nmap -sP -PE scanme.nmap.org

# nmap -sP -PE scanme.nmap.org 


Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.089s latency). 
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds 

SENT (0.0775s) ICMP 192.168.1.102 > 74.207.244.221 Echo request...

Ping sweeps are very important for host discovery. System administrators and penetration testers use them to determine which hosts are online and responding. Nmap implements several ping scanning techniques, including one called an IP protocol ping scan. This technique tries sending different packets using different IP protocols, hoping to get a response indicating that a host is online.

This recipe describes how to perform IP protocol ping scans.

# nmap -sP -PO scanme.nmap.org

# nmap -sP -PO scanme.nmap.org  
Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.091s latency). 
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds 

Ping scans are used by penetration testers and system administrators to determine if hosts are online. ARP ping scans are the most effective wayof detecting hosts in LAN networks.

Nmap really shines by using its own algorithm to optimize this scanning technique. The following recipe goes through the process of launching an ARP ping scan and its available options.

# nmap -sP -PR 192.168.1.1/24 

# nmap -sP -PR 192.168.1.1/24 


Nmap scan report for 192.168.1.102 
Host is up. 
Nmap scan report for 192.168.1.103 
Host is up (0.0066s latency). 
MAC Address: 00:16:6F:7E:E0:B6 (Intel) 
Nmap scan report for 192.168.1.254 
Host is up (0.0039s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 
Nmap done: 256 IP addresses (3 hosts up) scanned in 14.94 seconds 

Broadcast pings send ICMP echo requests to the local broadcast address, and even if they do not work all the time, they are a nice way of discovering hosts in a network without sending probes to the other hsts.

This recipe describes how to discover new hosts with a broadcast ping using Nmap NSE.

# nmap --script broadcast-ping 

Pre-scan script results: 
| broadcast-ping: 
|   IP: 192.168.1.105  MAC: 08:00:27:16:4f:71 
|   IP: 192.168.1.106  MAC: 40:25:c2:3f:c7:24 
|_  Use --script-args=newtargets to add the results as targets 
WARNING: No targets were specified, so 0 hosts scanned. 
Nmap done: 0 IP addresses (0 hosts up) scanned in 3.25 seconds 

Packets generated by Nmap scans usually just have the protocol headers set and, only in certain cases, include specific payloads. Nmap implements a feature to decrease the likelihood of detecting these known probes, by using random data as payloads.

This recipe describes how to send additional random data in packets sent by Nmap during a scan.

# nmap -sS -PS --data-length 300 scanme.nmap.org

DNS names reveal valuable information very often because system administrators name their hosts according to their functions, such as firewall or mail.domain.com. Nmap, by default, does not perform DNS resolution if a host is offline. By forcing DNS resolution, we can gather extra information about the network even if the host seemed to be offline.

This recipe describes how to force DNS resolution for offline hosts during Nmap scans.

# nmap -sS -PS -F -R XX.XXX.XXX.220-230

There will be situations where host exclusion is necessary to avoid scanning certain machines. For example, you may lack the authorization, or it may be that the host has already been scanned and you want to save some time. Nmap implements an option to exclude a host or list of hosts to help you in these cases.

This recipe describes how to exclude hosts from your Nmap scans.

# nmap -sV -O --exclude 192.168.1.102,192.168.1.254 192.168.1.1/24

# nmap -sV -O --exclude 192.168.1.102,192.168.1.254 192.168.1.1/24 


Nmap scan report for 192.168.1.101 
Host is up (0.019s latency). 
Not shown: 996 closed ports 
PORT     STATE    SERVICE VERSION 
21/tcp   filtered ftp 
53/tcp   filtered domain 
554/tcp  filtered rtsp 
3306...

Although we haven't exhausted all if the IPv4 addresses as some people predicted, IPv6 addresses are becoming more common, and the Nmap development team has been working hard on improving its IPv6 support. All of the port scanning and host discovery techniques have been implemented already, and this makes Nmap essential when working with IPv6 networks.

This recipe describes how to scan an IPv6 address with Nmap.

# nmap -6 ::1

Nmap scan report for ip6-localhost (::1) 
Host is up (0.000018s latency). 
Not shown: 996 closed ports 
PORT     STATE SERVICE VERSION 
25/tcp   open  smtp    Exim smtpd 
80/tcp   open  http    Apache httpd 2.2.16 ((Debian)) 
631/tcp  open  ipp     CUPS 1.4 
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1 

Broadcast requests often reveal protocol and host details, and with some help from the Nmap Scripting Engine, we can gather valuable information from a network. NSE broadcast scripts perform tasks such as detecting dropbox listeners, sniffing to detect hosts, and discovering MS SQL and NCP servers, among many other things.

This recipe describes how to use the NSE broadcast scripts to collect interesting information from a network.

# nmap --script broadcast

Pre-scan script results: 
| targets-ipv6-multicast-invalid-dst: 
|   IP: fe80::a00:27ff:fe16:4f71  MAC: 08:00:27:16:4f:71  IFACE: wlan2 
|_  Use --script-args=newtargets to add the results as targets 
| targets-ipv6-multicast-echo: 
|   IP: fe80::a00:27ff:fe16:4f71   MAC...