Serverspace Black Friday
JT
October 22, 2024
Updated October 22, 2024

Nmap: how to scan machine in the network?

Linux Networks Security Windows

One of the most important steps in infrastructure protection is an audit, which helps identify weaknesses at the initial or final stages, during the design and implementation of defence systems. Intruders use similar tactics and procedures to damage an organisation's assets, actively scanning networks, ports through which to attack and gain initial access to the infrastructure.

Today let's take a look at one of the tools that both hackers and IS specialists use to identify weaknesses in network infrastructure.

Please note that the demonstration of the software is for training purposes! The scanning targets are owned by Serverspace. The author is not responsible for the consequences of its use.

What is Nmap?

Nmap or network mapping is a multifunctional utility that allows you to scan networks to identify hosts, ports, as well as check services for vulnerabilities. The utility can scan both in passive and active mode, aggressively but quickly identifying services or machines. To install it in Linux distributions, just write the command:

apt install nmap -y

And for Windows users, use an alternative package manager:

winget install Insecure.Nmap
Installation
Screenshot №1 — Installation

After that packages will be available on the device and environment variables will write the path to the executable file. So when you restart the terminal the nmap command will be available, check it by typing it:

nmap
Help page
Screenshot №2 — Help page

If the conclusion is that the installation was successful, just in this huge conclusion you can see several steps that are fundamental to the exploration of your infrastructure. To make it clearer, let's depict this in a diagram format:

Schema
Screenshot №3 — Schema

First, the array of devices is searched, this process is called Host Discovery. It allows you to determine the list of available devices on the network using various methods.

If you don't have sufficient resources than you can perform actions on powerful cloud servers. Serverspace provides isolated VPS / VDS servers for common and virtualize usage.

Create Server
Screenshot №4 — Create Server

How to scan hosts via Nmap?

For example, we can scan the network and determine by pinging which devices are currently available:

  nmap -sn 127.0.0.0/24
Ping-discovery
Screenshot №5 — Ping Discovery

However, often the ping response can be blocked and the researcher mistakenly forms the opinion that there are no machines in the segment. For such cases, the segment is repeatedly scanned by ports to determine whether the host is up or down. The principle is based on the fact that if the service is available, then the host is also up:

nmap -PA -PS -T3 127.0.0.0/24
Host Discovery
Screenshot №6 — Host Discovery

The -PA/PS option means that TCP handling of SYN/ACK packets will be used, and the -T3 flag will set a time interval that will allow a slow scan of the network. This option is great for testing your IPS and its ability to detect such reconnaissance. Also don't forget to add the -PU option, which will allow you to detect UDP services as well.

How to scan ports via Nmap?

The result should be a list of hosts with open ports that are available on the given network. Now we need to go through it and find all the services on them, if any. To do this, use the following command:

nmap -v -sV -sA -sS -sU -T3 -p U:53,T:80,21-22 4 127.0.1.1
Result of audit
Screenshot №7 — Result of audit

According to the results we get a list of service versions that are available by port, this approach is more delicate and allows hackers to leave less traces for the NWI. In this case we have specified only one target, but you may have more. The -sV option allows you to determine the software version that occupies the port, T3 the scanning speed parameter. And specific UDP and TCP ports with targets on which to detect them.

If you conducted Host Discovery by ICPM or the -sn parameter, you can scan ports from scratch with the command:

nmap -v -sV -sA -sS -sU -T3 127.0.1.1 --open

Great, from a network intelligence perspective we've done a machine scan of their ports and also recognised services with versions that occupy them.

Vulnerability scanning

Let's imagine that a regulator's ticket with vulnerabilities has arrived and it is necessary to check them, for this purpose we use a vulnerability scanner. This is the same nmap scanner, but with selected nse modules, which extends the functionality. To do this, go to the scripts folder and download the necessary NSE instructions in Lua:

cd /usr/share/nmap/scripts && \
apt update && apt upgrade && \
sudo git clone git@github.com:vulnersCom/nmap-vulners.git
Vulnerability scan
Screenshot №7 — Vulnerability scan

After downloading the scripts they can be called into the utility from anywhere, let's scan our ports, either completely or in a range using the -p option. Let's write the command:

sudo nmap -d -sV -sU -sS --script "*vuln*" 127.0.1.1
Result of scan
Screenshot №8 — Result of scan

After that, the results will show all possible CVEs, which are presented according to the version of the detected software. This method of vulnerability scanning is considered passive, as it reads and compares the versions with the vulnerability database. Software developers may close a gap within one version or the employees themselves may come up with a way to patch the vulnerability. Therefore, not always what is found corresponds to what is actually found, pay attention to this! Once the list of vulnerabilities has been obtained, it is necessary to go through the infrastructure manually and check if the service is vulnerable.

Vote:
5 out of 5
Аverage rating : 5
Rated by: 1
33145 North Miami, FL 2520 Coral Way apt 2-135
+1 302 425-97-76
700 300
ITGLOBAL.COM CORP
700 300

You might also like...

We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.