Nmap Flags

Now, Nmap the go to tool for every reconnaissance. It’s likely even if you don’t know much about pentesting, or networking you are likely to have either seen or heard of nmap. It appears in lots of films, including the matrix and mostly any hacking film. They even have a list on their website for spotting (https://nmap.org/movies/)

So, what does nmap do? Well it’s a port scanner. You tell it which flags you want and what single or range of IPs you want to check and it cleverly goes off and tries to create a connection with each of those ports. It then comes back with 1 of 3 answers:

1 – Open – An application on that port is listening for connections/packets

2 – Filtered – Something like a firewall or network obstacle is blocking the port, so nmap can’t tell if the port is open or closed

3 – Closed – No application currently listening on this port

When doing an nmap scan, we are generally interested in the open ports. The open ports could be anything, there are standard ports that things run on, e.g port 22 for ssh, port 80 for HTTP, port 443 for HTTPS, 20/21 for FTP, 23 for telnet, 25 for SMTP etc etc)

However, these can always be changed, good practice for example is to change your ssh port to a high number so it will be brute forced a lot less when connected to the internet (if you have a droplet that you ssh into for example)

So, the syntax to start nmap is:

nmap <flags> <ip address>

So a very simple scan would be nmap -sV

The flags all do different things, for various reasons and depending on what you are scanning and what you want to find out!

What I’ll do is a few different ones and show some examples of outputs (using juicebox from OWASP). Flags can be combined, so although this currently is a list, further down there are expressions that I’d be more likely to put together.

There is a good nmap cheat sheet which I like, which is: https://blogs.sans.org/pen-testing/files/2013/10/NMap_5120x2880.png

Basic Flags that I use regularly:

-sP – Ping sweep. If you are scanning a whole IP range, this lets you know which hosts are online on which IPs.

-sS – TCP SYN Scan. This means it will scan ports that operate over TCP (rather than UDP) using a SYN packet, this is the initiator of the three-way handshake that happens when TCP connects. If it receives a ACK then the port is open.

-sU – Scan all UDP ports. Similar to above, however there is no three-way handshake, data just gets returned.

-sV – Looks further into open ports to try and determine the service & any version info (e.g port 80 apache httpd v2.4.37)

-p 1 – 65535 – This runs a scan on the amount of ports you want. Nmap generally only scans the most popular 1,000 ports. So if you want to scan higher ports, you need to put in the “p” flag and port numbers.

-v – This is the verbosity level of the output. Ranges from -v to -vvv depending on the level of output you want to see

-O – Enables OS detection. Will try to work out what OS the host is using.

-oN – This outputs the results into a text file. You need to give it the path to save the files in.

-T4 / T5 – Sets the timing for scanning. The higher the number between 0-5 means it’s faster, however it’s also less accurate. T4 is the default

So a regular scan that I would do, for example on HackTheBox would be:

nmap -sS -sV -T4 -O -oN hackthebox/<boxname>/nmap.txt <IP Address>

Once that has completed and I have some things to look at, I’ll usually do a more in-depth scan, as HTB is there to trip you up.

nmap -sS -sV -T4 -O -p 1 – 65535 -O -oN hackthebox/<boxname>/nmap-full.txt <IP Address>

Then if I think there might be any UDP, i’ll do a UDP scan.

nmap -sU -oN hackthebox/<boxname>/nmap-UDP.txt

It’s worth pointing out that some of the flags can’t be used together, for example doing different scan techniques (e.g -sS -sA).

Now this will get you started, and bring back some ports, versions, operating systems. This then lets you do further enumeration and looking into various exploits.

Nmap is however vastly more powerful than just a port scanner. It also has a range of scripts that do all sorts of things.

The list of scripts is kept within: /usr/share/nmap/scripts.

These scripts allow for various further enumeration and in some cases brute force via the nmap platform.