Dissecting Nmap: Part 1
Welcome aboard my inquisitive comrades.
I am starting a new series that nobody expected coming. It may not seem very exciting at first, but await the last few parts as many startling discoveries will be made. This is a series which I plan to continue after the completion of Nmap, unless you have major objections.
In this first, let's call it episode, we will be going through what Nmap is, what it is not and we will go over some basic syntax to help those who are only starting off with command-line (CLI) tools. This series is directed at all technical levels, granted you are not familiar with Nmap like you are with the back of your hand.
But let me give you the good news. Nmap is a very easy script to use, and you are only obligated to learn the different options in order to use it productively. Hard work is a two-way street, you get exactly what you give. Let's commence.
Nmap – meaning Network Mapper – is a network scanner that aids in many tasks including, but not at all limited to:
• host discovery
• port scanning
• service detection
• and more…
This tool is probably the most used security auditing utility in the reconnaissance phase of hacking. That is why it is vital that we, as security novices and experts, know how to make the most of its diverse functionality.
However… Nmap is not an exploitation framework and it wasn't designed to function like one. You have other tools which do that job and Nmap is not a part of it.
I am not going to go through downloading and installing. You have Google to help you with that and it isn't very difficult. Now that we all have an understanding of what exactly I will be dissecting here, let us proceed to the following section.
Nmap has very elementary syntax grammar compared to many other tools. It has very few conditional arguments and is mostly orderless. Here is an example scan:
nmap -vv -sS -sV -T2 19-443 example.com
It looks pretty typical. For those of you who don't understand it yet, don't worry. By the end of this series you will know the ins and outs of Nmap. The basic syntax order doesn't matter for the most part, but is usually done in this way:
nmap [ option [ value ] ] [ --script=something ] < host | list | file >
Items in square brackets [ & ] are optional, < & > indicates a compulsory input. Today we are going to be looking at a specific set of options categorised as Target Specification. Here they are:
By default Nmap does not require you to specify any options, so you could just enter:
The target can be an IP address, a website in the above format or a subnet. For IP addresses you can specify ranges. For instance, if you are looking to scan 10.0.1.40 through to 10.0.1.255 you would specify 10.0.1.40-255 (ranges can be added to any part of the IP address).
We can even scan multiple targets like so:
nmap site1.com site2.co.cc 127.0.0.1
However, this might become exasperating if we have a lengthy list of targets to scan. In that case we would need some tweaking in order to allow the reading of hosts from a file, and Nmap has us covered with the -iL option, which you would use in this way:
nmap -iL /path/to/targets_file
The file can be of any format as long as it is text-readable, and each target must be either on a new line or separated by a space/tab. Now Nmap will scan every host in the file and return the results after it has completed all of them.
Then next option is -sL which allows to simply list hosts one after another. This is useful if you need to scan more than one target but still less than a long list. Here is how you use it:
nmap -sL somesite.org 188.8.131.52 192.168.1.0/20
But the catch here is that this doesn't scan ports for each host. Instead it checks for other hosts in the target's network and returns them back. So using this option on google.com will return the IP addresses of the nearest to you Google servers. This can be combined with other options to include port scanning, but we will get to that within the next couple of episodes.
So far so good. Onto the next option -iR which was probably added for those who can't get enough of scanning targets. This argument flag tells Nmap to come up with random IP addresses to scan. Use it in this way:
nmap -iR number
Replace number with the number of targets to generate or use 0 to make it infinite. I know, I know, this is a terrible idea and I do not condone it. Auditing a network without authorisation or permission of the owner is illegal and your IP is out in the open. That is just a word of caution.
Lastly, we have --exclude and --excludefile as supplementary options which tell Nmap to ignore certain targets even if they are specified in a file or IP range. Here is how to implement them:
nmap 10.0.0.1-255 --exclude 10.0.0.5,10.0.0.44,10.0.0.138
nmap 184.108.40.206 --excludefile ~/Desktop/exclude.txt
Awesome! We are done with Target Specification for now. I will use the options we covered today for all my subsequent episodes and I expect you to be able to follow along. If not, you are always free to refer back to this page.
Most of what I go over (actually, all of it) is in the man pages, but it is very stressful to navigate. This series is for the purpose of making everything easy to understand and beginner-friendly, and to create a gradual learning curve out of a steep one.
For those of you who knew this already, just hold on for a few more episodes until we get to the many different scripts that Nmap offers.
I apologise for not yet making my release public, which I was planning to do a couple of weeks ago. I guess there are a lot more errors to debug that I initially thought there would be. And I will try to post more often, but my schedule is very packed and when I'm usually online I only stick around for a few minutes before moving on with life. This should change soon.
I hope you enjoyed this short and simple episode and that you got something out of it. It is only the beginning; we have to start somewhere and I think we are going at a steady pace.
Let me know if I should keep the Dissection series going and suggest some other tools that you want me to crack open and hand over to you on a silver platter (yes, this is the one time I will do that). I appreciate any feedback so that I can enhance your reading experience for the next episode.
Stay alert my fellows, as we advance further along the maze of the hacking scene.