Scribd
Upload
51 views23 pages

Information Security - NMAP

Uploaded by

hamza.jtt1020
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
51 views23 pages

Information Security - NMAP

Uploaded by

hamza.jtt1020
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 23

NMAP

Intro.
 Mujtaba Rehman (Senior Cyber Defense Analyst )
 Professional Trainings
 Diamond Model of Intrusion Analysis
 SANS SEC504 – Hacker Tools, Techniques, Exploits & Incident Handling
 AWS Solutions Architect
 Microsoft Security Operations Analyst (SC-200)
 Microsoft Azure Security Technologies (AZ-500)
 SANS FOR509: Enterprise Cloud Forensics and Incident Response
 Applied Network Defense
 SANS FOR500 Windows Forensic Analysis
 Hands on Experience on Multiple SIEM like IBM QRadar, Microsoft
Sentinel, WAZUH, ELK, and LogSign.
 Hands on Experience on EDRs like CrowdStrike Falcon, Microsoft
Defender, and Viper
What is NMAP
 Nmap is short for Network Mapper. It is an open-source Linux command-
line tool that is used to scan IP addresses and ports in a network and to
detect installed applications.
 Simple Network Discovery Tool
 Command Line Based Utility
 Nmap has a graphical user interface called Zenmap. It helps you
develop visual mappings of a network for better usability and reporting.
Scope of NMAP

IT &
BLUE TEAM PENTEST
NETWORKING
NMAP & MITRE ATT&CK
 NMAP falls under T1046
 Explain MITRE ATT&CK and use of Nmap
 Blue Team Perspective
 Red Team Perspective
Features of NMAP?

 Ability to quickly recognize all the devices including servers, routers,


switches, mobile devices, etc on single or multiple networks.
 Helps identify services running on a system including web servers, DNS
servers, and other common applications.
 Nmap can also detect application versions with reasonable accuracy to
help detect existing vulnerabilities.
 Nmap can find information about the operating system running on
devices. It can provide detailed information like OS versions, making it
easier to plan additional approaches during penetration testing.
Basic Scan

 There are two types of scans you can use for that:
 Ping Scan/List of Devices: Scans the list of devices up and running on a given
subnet.
 nmap –sP <IP>

 Scan a single host — Scans a single host for 1000 well-known ports. These
ports are the ones used by popular services like SQL, SNTP, apache, and
others.
 nmap <hostname>
Stealth Scan
 Stealth scanning is performed by sending an SYN packet and analyzing
the response. If SYN/ACK is received, it means the port is open, and you
can open a TCP connection.
 A stealth scan never completes the 3-way handshake, which makes it
hard for the target to determine the scanning system.
Command

 namp –sS <IP>


 Use the ‘-sS’ Flags to perform a stealth scan.
 Stealth scanning is slower and not as aggressive as the other types of
scanning.
Anatomy of Stealth Scan
 In stealth scan, only SYN and ACK is initiated

Client Server

SYN

SYN-ACK

ACK
Some Other Techniques
 TCP SYN port scan (Default)
 nmap 192.168.81.132 -sS
 TCP connect port scan
 nmap 192.168.81.132 –sT
 UDP port scan
 nmap 192.168.81.132 –sU
Version Scanning
 Finding application versions is a crucial part in penetration testing.
 It makes your life easier since you can find an existing vulnerability from
the Common Vulnerabilities and Exploits (CVE) database for a particular
version of the service.
 You can then use it to attack a machine using an exploitation tool like
Metasploit.
 Use the ‘-sV’ command for version scanning. Nmap will provide a list of
services with its versions.
 Do keep in mind that version scans are not always 100% accurate, but it
does take you one step closer to successfully getting into a system.
 Command: namp –sV <IP>
OS Scanning

 Nmap can provide information about the underlying operating system


using TCP/IP fingerprinting. Nmap will also try to find the system uptime
during an OS scan.
 Command:
 nmap –O <IP>
 nmap 192.168.81.132 -O -osscan-guess
Aggressive Scanning

 Nmap has an aggressive mode that enables OS detection, version


detection, script scanning, and traceroute. You can use the -A argument
to perform an aggressive scan
 Aggressive scans provide far better information than regular scans.
However, an aggressive scan also sends out more probes, and it is more
likely to be detected during security audits.
 Command:
 namp –A <hostname/IP>
Scanning Multiple Hosts
 Nmap has the capability of scanning multiple hosts simultaneously.
 Scanning Options:
 IPs
 nmap 192.164.1.1 192.164.0.2 192.164.0.2
 Use the asterisk (*) to scan all of the subnets at once.
 nmap 192.164.1.*

 Add commas to separate the addresses endings instead of typing the entire
domains.
 nmap 192.164.0.1,2,3,4
Cont.
 Use a hyphen to specify a range of IP addresses
 nmap 192.164.0.0–255
Port Scanning
 Port scanning is one of the most fundamental features of Nmap. You can
scan for ports in several ways.
 Using the -p param to scan for a single port
 Command: namp –p <port number> <IP>
 If you specify the type of port, you can scan for information about a
particular type of connection, for example for a TCP connection.
 Command: nmap -p T:7777, <IP>
 A range of ports can be scanned by separating them with a hyphen.
 Command: nmap -p 76–973 <IP>
 You can also use the -top-ports flag to specify the top n ports to scan.
 Command: nmap --top-ports 10 <IP>
NMAP Scripting Engine

 The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and
flexible features. It allows users to write (and share) simple scripts to
automate a wide variety of networking tasks.
 Users can rely on the growing and diverse set of scripts distributed with
Nmap, or write their own to meet custom needs.
Script Categories

 Following are the defined categories:


 auth
 Broadcast
 Brute
 Default
 Discovery
 Dos
 Exploit
 External
 Fuzzer
 Intrusive
 Malware
 Safe
 Version
 vuln
Scanning From a File

 If you want to scan a large list of IP addresses, you can do it by


importing a file with the list of IP addresses.
 Command: nmap -iL /input_ips.txt
Verbose Output

 The verbose output provides additional information about the scan


being performed. It is useful to monitor step by step actions Nmap
performs on a network, especially if you are an outsider scanning a
client’s network.
 Command: nmap –v <IP>
Output in text/xml File

 Nmap scans can also be exported to a text file. It will be slightly


different from the original command line output, but it will capture all
the essential scan results.
 Commands
 nmap -oN output.txt <IP>
 nmap -oX output.xml <IP>
 The following command will export the scan result in three files —
output.xml, output.nmap and output.gnmap.
 nmap -oA output <IP>
Any Questions

You might also like