7 Absolutely Essential Nmap Commands for Pen Testing
7 Absolutely Essential Nmap Commands for Pen Testing
| certifications | security - Matt McClure

7 Absolutely Essential Nmap Commands for Pen Testing

Kali is a beast, no doubt about it. The Linux pentesting distro is preloaded with hundreds of tools for exploration, enumeration, and exploitation. Learning all of them can be overwhelming, but a handful you’ll keep coming back to day in and day out as you pursue pentesting savviness.  We covered these top tools in a previous post. and today we’re going to deep dive into the tippy top of those top tools, the pentester’s Swiss Army knife, Nmap.

This open-source network scanner can do it all, from host discovery to port poking to OS detection.  It’s also completely extensible, meaning anyone can write add ons using the Nmap Scripting Engine. Tie these things together and it’s super easy to script scanning a LAN for, say, Windows servers running unpatched versions of SMB. Getting a list of these machines back by running a single command is gold. Vulnerable SMB equals the lowest hanging of fruit for getting SYSTEM access to a Windows server, and domain admin won’t be far off for a capable pentester.

This is just the start of Nmap’s power. Heck, even Trinity used it in this scene from The Matrix Reloaded.  Pause at four seconds in and you can see the end of Nmap’s output showing a machine with SSH running on open port 22.  The following “sshnuke” exploit is Hollywood shenanigans, but it is completely based on real pentesting methodology!  That one line saying “Attempting to exploit SSHv1 CRC32” is based on a real buffer overflow that can provide remote command execution.

Presumably, she used an Nmap to find machines with both port 22 open running a vulnerable version of the SSH server.  Sshnuke then connects to via SSH, exploits the vuln to get remote code execution, and runs the passwd command to change the root password to Z10N0101 (nice leet touch there with that password).  Add some dramatic music and a flashing “ACCESS GRANTED” for the benefit of any non-hax0r viewers, all that’s left is to connect via SSH, login as root, and the power system is pwned.  All thanks to Nmap.

You probably won’t be taking down power plants in a simulation of humanity anytime soon. But let’s dig into how you can and will daily use Nmap in your slightly less exciting pentesting operations.

Using Kali & Stapler to Enumerate Targets with Nmap

To help explore some of the usage of Nmap, we’re going to play with a boot-to-root image called Stapler. If you recall from a recent article, boot-to-root images are virtual machines that are prebuilt with system services and other software installed and configured to look like a real-world server. They are intentionally vulnerable to hacking in some way though; the machine acts as an exercise for your pentest skills in a safe, legal, controlled environment.

For this article and Stapler, go ahead and download the image and fire it up in your favorite virtualization platform along with Kali to follow along. Follow the same flow as the last article to find Stapler’s IP on your virtual network with (suprise suprise) Nmap and the -sn flag to ping the entire subnet for live hosts.

Stapler has lots of open ports, so therefore lots of services that we can enumerate with Nmap.  With any pentest engagement or exercise, enumeration is key. You cannot simply start beating down the door on the first interesting looking service you come across, many hours have been wasted with insufficient enumeration.

You must explore every open port first, understanding the services running on each before forming a plan of attack.

1. Basic Nmap scan

The basic Nmap is just running it with no flags, just the IP of the machine you are testing:

root@Kali:~# nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 17:11 EST
Nmap scan report for
Host is up (0.00030s latency).
Not shown: 992 filtered ports
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql

This will scan your IP on a set of around 1,000 of the most common ports, determine if any are open or not, and then list the open ports. Nothing fancy, no determining what the application is, nothing interesting about the host — just a quick check for open ports.

2. OS Enumeration

Add an -O flag on the end to tell Nmap to try to figure out the server’s operating system:

root@Kali:~# nmap -O
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.9

By the way, some output is going to be trimmed out from these examples to save space, this will be indicated by the ellipses.

It found a Linux machine but couldn’t really narrow down on the kernel version. Nmap does this by looking at certain characteristics of the reply and compares it to known replies from specific OSes.

Other machines might return something more specific, like Windows 2008 R2 or Sun Solaris 11.1, but for Stapler we don’t learn much beyond that it’s a Linux box.

3. Scan all TCP ports

The -p flag is typically used to define a range of ports to scan (for example -p 100-200 would scan ports 100 through 200).  -p- however scans all 65535 TCP ports, helpful for finding services listening on weird, high ports like 12380 in this case.

root@Kali:~# nmap -p-
12380/tcp open   unknown

It might be nothing, or it might be a sysadmin thinking he’s clever by hiding something on an odd port.

4. Default scripts

This is where the power of Nmap really starts to show. The Nmap Scripting Engine (NSE) allows anyone to add functionality to Nmap by means of scripts which can super charge Nmap to identify specific applications listening on ports, scan for known exploits against those applications, scan for common misconfigurations of services, and much more.

The -sC flag runs a set list of default scripts against your target. This can be a gold mine for a poorly configured server:

root@Kali:~# nmap -sC
21/tcp   open   ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can’t get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to
|      Logged in as ftp
|      vsFTPd 3.0.3 – secure, fast, stable
|_End of status
22/tcp   open   ssh
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp   open   domain
| dns-nsid:
|   id.server: ATL
|_  bind.version: dnsmasq-2.75
80/tcp   open   http
|_http-title: 404 Not Found
3306/tcp open   mysql
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1

The complete output from Stapler is much longer, we just wanted to highlight a few juicy things it found. For example, the FTP server allows for anonymous connections, meaning you can connect without needing to login. Definitely make a note of that as something to check out later.  There’s also the FTP server application’s name and version. Note those so you can check for known exploits.

SSH is open and we get a public key, nothing too useful yet, but maybe we’ll find some credentials later or get desperate and try to brute force a login. Dnsmasq and its version are worth checking for exploits. There’s a web server running, definitely note that so we can do some further file and directory enumeration with Gobuster. Finally, we have a MySQL instance.  Put that in your notes, finding a credential could lead to later exfiltrating some interesting data.

That was a ton of information from just a single Nmap flag!  Again, good enumeration means you are in it for the log game, don’t just immediately connect to FTP and see what files are in there. There’s no better time waster than going down rabbit holes.

Speaking of enumeration, a pro tip is to use -o to output your scan results to a file, handy to get something to reference later without waiting on scans to rerun.

5. The All flag

Now what if you could combine those three flags into one all powerful flag? Well, that’s as simple as using the -A flag.  That will run OS detection and defaults scripts while scanning all TCP ports, making it a nice time saver.

6. More scripts

The default scripts are great, but what if you wanted to attack the machine a little more brazenly? Along with default, there’s a whole set of script categories you can throw against a machine with this flag: –script default,discovery,exploit,vuln.

It won’t reveal much on Stapler as there aren’t any vulnerabilities on the exposed services, but keep this flag in the back of your head.

7.  UDP scans

If you remember your Net+ training, you should remember that along with TCP, some network services also run on UDP. It’s not near as common, but thorough enumeration always includes a check on that protocol as well.

UDP scanning is a lot slower than TCP, so it’s recommended you use a flag like this, which will only scan the 250 most common UDP ports:

root@Kali:~# nmap -sU –top-ports 250
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 18:00 EST
53/udp  open|filtered domain
68/udp  open|filtered dhcpc
69/udp  open|filtered tftp
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm 

In this case, scanning UDP revealed something potentially very interesting in the form of a TFTP server. Spoiler alert, connecting to the TFTP server gets you write access into the same directory as the root of the web server. Upload a PHP reverse shell file, set up a listener on Kali, connect to the file on the web site, and *BOOM* instant shell on the server as an unprivileged user. Good thing you scanned UDP ports, right?

Enumeration is super important in pentesting, and Nmap is always the first stop when doing enumeration. A simple port scan gives you the most basic information when pentesting any machine. Think about it, without knowing what ports are open, how else could you start poking and prying at a server?

There are many more ways to use Nmap, both powerful and nuanced, but these basics you’ll come back to again and again. Get practicing on machines in Vulnhub or HackTheBox and don’t ever forget: ENUMERATE, ENUMERATE, ENUMERATE!



Ultimate Security Cert Guide

I have read and understood the privacy policy, and am able to consent to it.