To identify accessible servers in a network range, nmap can perform a ping sweep using the ICMP protocol. In this process, the ICMP packet echo request is sent to each IP address in the network, while then waiting for the server’s echo reply. It goes without saying that all servers that have ping disabled will go undetected. Using the following command line, a network range can be scanned for accessible hosts, for example:
nmap -sn ${network range}
The IP addresses can then be scanned for accessible services by using a port scan. With TCP, a connection is successfully established in three steps: the three-way handshake. In this process, the client first sends a syn packet to the open port of the server as an initial connection request, and the server confirms the request with a syn/ack packet. In the final third step, the client only has to answer with an ack packet again in order to successfully establish a connection. Using the -sT option, we can tell nmap to run through the three-way handshake for a certain port.
Of course, not all ports on a target system will be open, so that nmap will normally only show one of the three states open, closed or filtered. Each of these states can be explained based on the TCP three-way handshake example:
Unlike TCP, UDP is connectionless, which makes a port scan of UDP ports difficult. With UDP, a send datagram will only get a response when a service is listening on the port, the datagram has reached its destination and was understood on the receiving end, and an answer is provided for it. Results for UDP scans are thus generally less reliable. But if we have not received an answer from the server, we may be able to use possibly present ICMP messages from the server. In case of a closed UDP port, the server will answer with the ICMP message port unreachable, for example. We can then initiate a UDP port scan with nmap by means of the -sU option.
Generally speaking, nmap offers numerous scanning techniques, which can be controlled via the options. Detailed information about the scope of functions of nmap is provided on its man page (→man nmap). For example, the nmap command nmap -p22 -sTV 10.13.53.32 attempts to establish a full TCP connection to the target system 10.13.53.32 and port 22. If this was successful and a service answers, nmap is tasked with identifying the software version of the listening service by means of its version detection feature.
The following nmap command for example scans the specified host for all UDP ports as fast as possible. Beside the official explanation of used parameters, the most useful ones are also listed below:
nmap -Pn -sU -p- --open --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 api.dubius-payment.com
-Pn: Treat all hosts as online -- skip host discovery
-T5 <0-5>: Set timing template (higher is faster)
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-p- scan all ports (1 - 65535) or e.g. -p 80,443
--script=${Lua scripts}: Enable script scanning
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-6: Enable IPv6 scanning
In principle, ping can be deactivated on the target systems, which is why a port scan should be carried out against each IP address. As a result, the nmap option '-Pn' should always be set. In addition, it is advisable to carry out individual port scans of IP addresses, since it is not time-efficient to wait for the output of a port scan against a network area. One approach would be to write all IP addresses of a network range to a file using the following command:
nmap -sL -n ${network}> | grep "Nmap scan" | cut -d" " -f5 > targets.txt
The port scans could then be iterated against the target systems as follows:
for ip in $(cat targets.txt); do ${nmap command} >> $ip-[slow|fast]-[default|full]-[tcp|udp].txt; done
In the example above, the target systems are read from a list. Accordingly, several port scans from different IT systems could be carried out in parallel if the nmap commands obtain the IP addresses from different files. For example, the following command breaks a list into packets of 10:
split -l 10 -d targets.txt segment
Last modified: Dec. 15, 2022
Take a look at the pentest training chapters and learn penetration testing:
Discover the world of penetration testing. Learn how to infiltrate networks and successfully penetrate systems and applications. Acquire the necessary hacking skills and use them when conducting professional penetration tests. Become a real penetration tester. Here you will find the free documents for the Pentest Training of binsec academy GmbH. The binsec academy GmbH offers the corresponding security training lab environments and certifications. However, the knowledge and wiki articles on hacking and penetration testing is universal.
binsec academy GmbH is the European provider of online security training with virtual laboratory environments. The core component of all security training is the focus on practice, practice and more practice. In the wiki here you will find the public and freely available course materials. You can put the theory into practice at binsec-academy.com.