How to Use Nmap for Host Enumeration

Nmap is a powerful network scanning and host enumeration program developed originally by Gordon Lyon. Nmap is both free and open-source which has helped lead to it becoming the most popular network enumeration tool out there.

If you’re thinking of taking the OSCP, PNPT, Pentest+, or any other red-team certificate you’ll definitely have to be fluent with the operation of this tool.

First of all, what is Nmap for in plain english?

If you want to find out what hosts are on a network and what ports are open, this is what Nmap was built for. There are also advanced scripting options that can help further enumerate what’s happening on the network which can help both red and blue teams.

Introduction

The simplest way to run Nmap is just by typing

nmap <ip address to scan>

That’s it. That’s all it takes to run your first scan. There are numerous options and many ways to view this information so let’s delve into that next.

Whenever you run Nmap against a host, you’ll get one of three responses from each port that you scan:
Open –  The port is accepting a connection
Closed – No service is listening
Filtered – probes are not reaching the port and no response is returned. This is normally due to a firewall.

If you want the best guess Nmap has as to why something is open or closed, type –reason

Now what happens if you’re not seeing the response you expect? You can try a few different attack methods:

Primary Scanning Methods

-Perform a TCP connect scan using the -sT flag
This uses the operating system to send packets and completes the TCP connection. This does tend to create connection log records.
Sends a SYN:
–If closed, responds with RST
–If open, will respond with SYN/ACK
—Nmap will respond with ACK
–If the firewall blocks it, there will be no response and Nmap will report that the port is filtered

-Perform a Syn “half-open” or “stealth” scan using the -sS flag
Stealthy-ish scan
–Like a Connect scan except sends a RST instead of ACK to open ports
–Never completes TCP connection
–Risk of knocking some unstable services offline
–Requires sudo in Linux
–Default scan when run with sudo

-Perform a UDP scan using the -sU flag
nmap -sU <IP>
Sends UDP packet
–If closed, victim responds with ICMP Unreachable
–If open, no response
Typically run with “–top-ports 20” to reduce scan time

Secondary Scanning Methods

If that didn’t work, you can try some firewall evasion techniques by editing TCP flags directly:

TCP Null: -sN
TCP Connect scan but with no flags set
nmap -sN <IP>

TCP Fin: -sF
TCP Connect scan but with FIN flag set
nmap -sF <IP>

TCP Xmas (so called because it lights up flags like a Christmas tree and also tends to be noisy): -sX
TCP Connect scan but with URG, PUSH, and FIN flag set
nmap -sX <IP>

Firewall Evasion Techniques

Let’s stay that didn’t work either. Here’s a short section on firewall evasion
Did you try -Pn ? (Caution: Will take long time since it doesn’t check for host being online)
Try -f to fragment packets to reduce chance of firewall or IDS detecting
Try –mtu <multiple of 8> to try different MTU sizes
Try –scan-delay <time>ms to delay packets. Can evade some IDS situations.
Try –badsum to send invalid checksums which helps determine presence of firewall. Firewall may potentially respond automatically.
Try –data-length <num> to add arbitrary data to end of packets

Misc. Options

If you’re just looking to perform host discovery using ICMP ping sweeping, you can type
nmap -sn <IP> 

What about if you want to enumerate the service versions being run?
nmap -sV <IP>
Attempts to determine version of the port service

What about if you only are targeting a specific port or range of ports? Try this:
nmap -p <port> <IP>
nmap -p22,25 : Only checks TCP port 22 and 25
nmap -p U:53, T:22,25 : Checks for UDP port 53 and TCP 22 and 25
nmap –exclude-ports 53
Scan all ports: nmap -p- <IP>

If you don’t want to perform the full version detection for all ports on a host and just want to fingerprint the operating system, try
nmap -O <IP>

If you expect a lot of hidden devices on the network, you can skip the host discovery phase of a scan by typing:
nmap -Pn <IP>
This treats all hosts as online regardless of response and is very slow since it will ping offline machines

If you happen to have a pre-made file of all known IPs on the network and want to import that, use this command:
nmap -iL <filename>

What about if you want to control the speed of a scan?
-T0 one port per 5 minutes
-T1 one port per 15 seconds
-T2 Slow
-T3 Normal
-T4 Extremely fast
-T5 May crash

If you want extra verbosity, try the -v or -vv switches

If you’re doing a CTF and don’t particular care about alerting the world to what you’re doing, you can bundle the service/OS fingerprinting/traceroute/common scripts all together and perform an aggressive scan using the -A switch

Output Control

We can also control our output format:

-oN Normal output
nmap -oN <filename> <IP>

-oG Grepable output
nmap -oG <filename> <IP>

-oX XML output
nmap -oX <filename> <IP>

-oA combined format
nmap -oA <filename> <IP>

Why would we want to save scans? You could check before/after network conditions using the Linux ndiff command to see what’s changing on your network:

ndiff <target1.xml> <target2.xml> 

Nmap Scripting Engine

Nmap also comes with a powerful scripting engine that can be referenced here

It can be easily used by typing –script=<script-name>

For example:
–script=http-fileupload-exploiter

Commas can add more scripts if needed:
–script=smb-enum-users,smb-enum-shares

Here’s a link to the master script list 

The local directory for scripts: /usr/share/nmap/scripts

Alternatively, you can run this command to try to find useful scripts. Substitute your keyword of choice for ^http (which will find scripts that start with “http”)

nmap –script-help “http*” | grep “^http-”

Here’s a SMB attack script example:

nmap -p 445 –script=smb-enum-shares.nse,smb-enumusers.nse <IP> 

Here’s a Nmap scan to show network file systems attached to port 111 using rpcbind:

nmap -p 111 –script=nfs-ls,nfs-statfs,nfs-showmount <IP>

Whenever reviewing the NSE script engine, here’s an explanation of category terms:
Safe: won’t affect target
Intrusive: not safe
Vuln: scan for vulnerabilities
Exploit: attempt to exploit vulnerabilities
Auth: attempt to bypass authentication for running services (like anonymous login)
Brute: attempt to brute force
Discovery: attempt to query running services (i.e. SNMP)

I hope this helps you with your CTF and certification exam studying. Happy scanning!

Leave a Reply