# Nmap 101

The fundamentals.  
Some good sites that can be used for practicing without breaking the law (but still, be careful and considerate) can be found through [NMAP.ORG](http://scanme.nmap.org/) and [OWASP](https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project).

## Nmap Beginner's Guide

You can use the Jupyter magic %%bash to [run a cell with bash in a subprocess](https://blog.dominodatalab.com/lesser-known-ways-of-using-notebooks/).

In [1]:
%%bash

nmap

Nmap 7.60 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to 

Did you get all that?  
Nmap is a very versatile tool, but in this notebook we're going to stick to the basics.  
To get started, the following command will scan your entire local IP range (assuming you're in the 192.168.1.0-254 range), perform service identification (`-sV`), and scan all ports (`-p 1-65535`).  
Since you are running this as a normal user and not as root, it will be a TCP connect-based scan that should take about 90-120 seconds.  
If you run the command with `sudo` at the front, it will run as a TCP SYN scan.

In [2]:
%%bash

nmap -sV -p 1-65535 192.168.1.1/24


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:38 PST
Nmap done: 256 IP addresses (0 hosts up) scanned in 105.58 seconds


This command will scan a single IP address on the network:

In [3]:
%%bash

nmap 192.168.0.1


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:39 PST
Nmap scan report for 192.168.0.1
Host is up (0.0074s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   http
139/tcp  closed netbios-ssn
443/tcp  open   https
445/tcp  closed microsoft-ds
1900/tcp open   upnp
5000/tcp open   upnp

Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds


You can also scan a host, courtesy of the kind folks at [Scanme.nmap.org](http://scanme.nmap.org/).  
Please note:  

```
We set up this machine to help folks learn about Nmap and also to test and make sure that their Nmap installation (or Internet connection) is working properly. You are authorized to scan this machine with Nmap or other port scanners. Try not to hammer on the server too hard. A few scans in a day is fine, but don't scan 100 times a day or use this site to test your ssh brute-force password cracking tool.
```

Scan a range of IP addresses:

In [4]:
%%bash

nmap 192.168.0.1-20


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:39 PST
Nmap scan report for 192.168.0.1
Host is up (0.0071s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   http
139/tcp  closed netbios-ssn
443/tcp  open   https
445/tcp  closed microsoft-ds
1900/tcp open   upnp
5000/tcp open   upnp

Nmap scan report for 192.168.0.2
Host is up (0.0020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.0.5
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
20005/tcp open  btx

Nmap done: 20 IP addresses (3 hosts up) scanned in 8.99 seconds


This command scans a subnet.  
Scanning a subnet lets a single run cover multiple hosts.  
The same notation is useful when checking on multiple networks as well:

In [5]:
%%bash

nmap 192.168.0.1/24


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:40 PST
Nmap scan report for 192.168.0.1
Host is up (0.0063s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   http
139/tcp  closed netbios-ssn
443/tcp  open   https
445/tcp  closed microsoft-ds
1900/tcp open   upnp
5000/tcp open   upnp

Nmap scan report for 192.168.0.2
Host is up (0.0019s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.0.5
Host is up (0.031s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
20005/tcp open  btx

Nmap done: 256 IP addresses (3 hosts up) scanned in 13.44 seconds


### Nmap port selection

To utilize Nmap effectively, you will need to understand how to use the port selection options.  
The port selection options determine which ports will be scanned and whether they are scanned in random or sequential order.

This is the command to scan a single port.  
Some malware will consistently operate on a specific port on every host it infects.  
By knowing these ports, you can sometimes quickly determine what kind of malware you are dealing with.  
A single port scan would be useful in this situation:

In [6]:
%%bash

nmap -p 80 192.168.0.1


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:40 PST
Nmap scan report for 192.168.0.1
Host is up (0.0024s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds


The ability to specify a range of ports can be very useful.  
The following command will scan a range of ports from 1 to 100.  

In [7]:
%%bash

nmap -p 1-100 192.168.0.1


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:40 PST
Nmap scan report for 192.168.0.1
Host is up (0.0043s latency).
Not shown: 97 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
23/tcp closed telnet
80/tcp open   http

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

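A `-p` value is a comma-separated list of single ports and ranges. The Python below is an added example (not from the original notebook) that expands such a spec the way Nmap interprets it (`-` and open-ended ranges fall back to 1 and 65535) and reports which ports from an earlier full scan a narrower spec would never probe; the function names are mine.

```python
import re

MAX_PORT = 65535  # highest TCP/UDP port number
ITEM_RE = re.compile(r"(\d*)(-)?(\d*)")


def expand_port_spec(spec):
    """Expand an Nmap-style -p value ("80", "1-100", "22,80,443", "-") into a sorted
    port list. As in Nmap, a missing range start means 1 and a missing end means 65535.
    Malformed items or out-of-bounds ports raise ValueError rather than silently scanning nothing."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        m = ITEM_RE.fullmatch(item)
        if not item or not m:
            raise ValueError(f"bad port item: {item!r}")
        lo_s, dash, hi_s = m.groups()
        lo = int(lo_s) if lo_s else 1
        hi = (int(hi_s) if hi_s else MAX_PORT) if dash else lo
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def missed_ports(spec, observed_open):
    """Open ports seen in an earlier (e.g. full 1-65535) scan that a scan limited to
    `spec` would never probe: a sanity check before narrowing a recurring scan."""
    covered = set(expand_port_spec(spec))
    return sorted(p for p in set(observed_open) if p not in covered)


if __name__ == "__main__":
    # Constructed from the notebook's results above: -p 1-100 found 22, 23 and 80,
    # while the default scan of 192.168.0.1 also showed 443, 1900 and 5000 open.
    full_scan_open = [80, 443, 1900, 5000]
    print(len(expand_port_spec("1-100")), "ports in 1-100")
    print("missed by -p 1-100:", missed_ports("1-100", full_scan_open))  # [443, 1900, 5000]
```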

You can choose to scan the 100 most common ports, which is faster than scanning all of them.  
The `-F` flag (fast scan) does just that.  
Do not confuse it with the lowercase `-f` option, which is a [firewall/IDS evasion feature](https://nmap.org/book/man-bypass-firewalls-ids.html): it causes the requested scan (including ping scans) to use tiny fragmented IP packets.  
The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.  
Read that last sentence several times, and be VERY careful about when and how you use it.  
But, since you are learning how to find vulnerabilities, do your scans while a [sniffer](https://en.wikipedia.org/wiki/Packet_analyzer) such as [Wireshark](https://github.com/wireshark/wireshark) is running to ensure that sent packets are fragmented.

And, because you know you want to, here is the command to scan your entire subnet and save the output to a text file.  If you are using version control, exclude the generated text files unless you want to share the results.  
Then see what your firewall thinks about that.

In [8]:
%%bash

nmap -v -A 192.168.1.1-255 > my_own_portscan.txt

If you want to compare notes, [ShieldsUP!](https://www.grc.com/x/ne.dll?bh0bkyd2) is a website you can visit that will run a port scan on your machine.

You can now go a step further and scan an entire subnet and save the results:

In [9]:
%%bash

nmap -v -A 192.168.0.1/24 > subnet_scan.txt

### Nmap port scan types

There are many different [types of port scans](https://nmap.org/book/man-port-scanning-techniques.html) that can be run with Nmap.  
It is important to know which type of port scan to use depending on your objective.  
For example, if you want to determine which TCP ports are active on a targeted host, run a TCP port scan.  
Hackers will often use various port scans to see if they can find a vulnerable open port to use as an attack vector.

#### Scan using TCP SYN (default)

This command determines whether the port is listening.  
Using this command is a technique called half-open scanning.  
It is called half-open scanning because you don't establish a full TCP connection.  
Instead, you only send a SYN packet and wait for the response.  
If you receive a [SYN/ACK response](http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml) that means the port is listening:

#### Scan using TCP connect

This is the command to scan using the TCP connect option.  
If a user does not have [raw packet privileges](https://en.wikipedia.org/wiki/Network_socket#Raw_socket), this is the command they will use:

Privileged access is necessary to perform the default SYN scans.  
If privileges are not sufficient, a TCP connect scan will be used.  
A TCP connect scan needs a full TCP connection to be established, and is known to be slower than a SYN scan.  
Skipping host discovery is often required, as many firewalls or hosts will not answer a ping, so a host could be missed unless you choose the `-Pn` parameter.  
Of course, this can make the scan times much longer, as you could end up sending scan probes to hosts that are not even there.

### Service and OS Detection

Nmap is one of the most popular tools used for the enumeration of a targeted host.  
Nmap can use scans that provide the OS, version, and service detection for individual or multiple devices.  
Detection scans are critical to the enumeration process when conducting penetration testing of a network.  
It is important to know where vulnerable machines are located on the network so they can be fixed or replaced before they are attacked.  
Many attackers will use these scans to figure out what payloads would be most effective on a victim's device.  
OS detection works by TCP/IP stack fingerprinting.  
Service detection works by matching responses against the nmap-service-probes database to enumerate details of the services running on a targeted host.

#### OS Detection

This is the command to scan and search for the OS (and the OS version) on a host.  
This command will provide valuable information for the enumeration phase of your network security assessment.

#### Service Detection

This is the command to scan for running services.  
Nmap contains a database of about 2,200 well-known services and associated ports.  
Examples of these services are HTTP (port 80), SMTP (port 25), DNS (port 53), and SSH (port 22):

In [12]:
%%bash

nmap -sV 192.168.0.1


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:50 PST
Nmap scan report for 192.168.0.1
Host is up (0.0057s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE      VERSION
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   tcpwrapped
139/tcp  closed netbios-ssn
443/tcp  open   tcpwrapped
445/tcp  closed microsoft-ds
1900/tcp open   http         Cisco DPC3828S WiFi cable modem
5000/tcp open   tcpwrapped
Service Info: Device: WAP; CPE: cpe:/h:cisco:dpc3828s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds

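The subnet scans earlier in this notebook produce one report block per host, and `-sV` adds a VERSION column and a CPE line; turning that text into an inventory is what makes "know where the vulnerable machines are" actionable. The following Python is an added example, not part of the original notebook: it parses Nmap's normal (human-readable) output, with a sample constructed from this page's own results, and flags open legacy services such as the telnet on 192.168.0.5; the `REVIEW` list and the function names are my assumptions.

```python
import re

# Constructed sample in the shape of this notebook's `nmap 192.168.0.1/24` and
# `nmap -sV 192.168.0.1` output above (values copied from the page, not a live scan).
SAMPLE = """\
Nmap scan report for 192.168.0.1
PORT     STATE  SERVICE      VERSION
22/tcp   closed ssh
80/tcp   open   tcpwrapped
1900/tcp open   http         Cisco DPC3828S WiFi cable modem
Service Info: Device: WAP; CPE: cpe:/h:cisco:dpc3828s

Nmap scan report for 192.168.0.5
PORT      STATE SERVICE
23/tcp    open  telnet
20005/tcp open  btx

Nmap done: 256 IP addresses (3 hosts up) scanned in 13.44 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
CPE_RE = re.compile(r"cpe:/\S+")
# Assumption: open services a defender wants reviewed (cleartext or legacy protocols).
REVIEW = {"telnet", "ftp", "rsh", "rlogin", "netbios-ssn", "microsoft-ds"}


def parse_nmap_normal(text):
    """Map each 'Nmap scan report for <host>' block to its port rows and CPE ids."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"ports": [], "cpe": []})
        elif cur is not None and (m := PORT_RE.match(line)):
            port, proto, state, service, version = m.groups()
            cur["ports"].append({"port": int(port), "proto": proto, "state": state,
                                 "service": service, "version": (version or "").strip()})
        elif cur is not None and line.startswith("Service Info:"):
            cur["cpe"].extend(CPE_RE.findall(line))
    return hosts

def open_ports(hosts, host):
    """Open port numbers for one host, e.g. to diff against an approved baseline."""
    return sorted(p["port"] for p in hosts[host]["ports"] if p["state"] == "open")

def findings(hosts):
    """(host, port, service) for every open port whose service is on the review list."""
    return [(h, p["port"], p["service"]) for h, d in hosts.items()
            for p in d["ports"] if p["state"] == "open" and p["service"] in REVIEW]
```

Feed it the text captured with `> subnet_scan.txt` above to get the same inventory for a real run.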

More aggressive service detection.