Hacking Reconnaissance: Finding Vulnerabilities in Your Target Using Nmap

Remember that scene in The Matrix when Trinity uses a realistic Nmap port scan, followed by an actual SSH exploit (long since patched), to break into a power company? Believe it or not, that scene is not far-fetched at all.

If you want to exploit vulnerabilities and root boxes, you'll need to learn how to perform the necessary reconnaissance first. In fact, you will spend far more time researching your target than you will exploiting it. In this article, I am going to show you the first step in doing just that: a security scanner called Nmap.

Port Mapping

Any service running on a server, from HTTP to SSH, runs on ports. Think of a port as a door into and out of the computer, that only answers requests relevant to it. An example would be a web server running on port 80 (HTTP), which would have no idea how to handle an FTP connection request sent to it.

Nmap (Network Mapper) scans over those ports telling you everything from what software is running to what version it is. There is even an option to determine the operating system.

Before we get started, I do want to point out something critical. Port mapping, while not illegal on its own, will show up all over the place in targets' server logs. Using a (non-free) VPN or an anonymous network like I2P can help keep you safe and hidden.
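
What that log footprint looks like from the defender's side, as an added example that is not part of the original article: the sketch below flags any source that sends TCP SYNs to many distinct ports within a short window. The iptables-style log lines, the addresses, the threshold and the function name find_scanners are constructed for illustration, and it assumes the firewall logs inbound SYN packets.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in iptables LOG format (documentation address ranges).
FMT = ("Jan 12 10:15:{s:02d} fw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
       "LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 SYN URGP=0")
SAMPLE_LOG = (
    [FMT.format(s=i // 4, src="203.0.113.5", dpt=p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 443, 3306])]
    + [FMT.format(s=s, src="198.51.100.7", dpt=443) for s in (1, 20, 40)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b")

def find_scanners(lines, min_ports=6, window=timedelta(seconds=10)):
    """Return {source IP: sorted ports} for sources that sent SYNs to at
    least `min_ports` distinct ports inside one sliding time window."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, port)
    flagged = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # not a TCP SYN record
        # Syslog timestamps carry no year; a fixed one is enough for deltas.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append((ts, int(m["dpt"])))
        while ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            flagged[m["src"]] |= ports
    return {src: sorted(p) for src, p in flagged.items()}

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {ports}")
```

The client that only returns to port 443 is never flagged, while the source that touches eight different ports in two seconds is.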

Getting Started with Nmap

If you are running Backtrack, you already have Nmap installed, along with its GUI version, Zenmap. Zenmap is nice, but we will be focusing on the command line options for Nmap in this article. On Debian/Ubuntu, simply use:

$ sudo apt-get install nmap

Any other distributions that do not already include Nmap may download it here.

To get a feel for the software, let's run it with zero options, to see what we can do.

$ nmap

As you can see, there are a lot of options.

While you could write entire books on the full functionality of Nmap (and they have), much of this is beyond the scope of this article. Instead, I will go over some of the more commonly used options. Hopefully this will serve to get your foot in the door with port scanning.

Options, Flags and Settings: Oh My

There is no doubting the sheer number of options here. Let's break it down to the scan techniques that are most useful to us right away.

-sU: UDP scan. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. UDP scans tend to be slower than TCP scans, but some services only listen for UDP requests.

-sS: This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet. A SYN/ACK indicates the port is listening (open), while a RST (reset) means it is not listening on that port.

-O: This technique crafts raw packets attempting to determine the operating system.

-A: This technique tells Nmap to probe for software versions on the target ports AND operating systems.

Nmap in Action

Here we will run a series of port scans on a target web server, making note of the versions and operating systems. Remember, reconnaissance and patience are key to hacking. Let's take a look at Nmap in action as we port scan a web server configured just for this article.

$ nmap -sS -O <target>

Oops! What happened? The -O switch tells Nmap you wish to perform an operating system fingerprint on the target. To do that, Nmap needs to be run with root privileges so it can craft the raw packets needed for the task. In fact, many scan types require it.

$ sudo nmap -sS -O <target>

Here we can easily see this looks like a normal web server so far. Notice how Nmap attempts to guess the operating system? That's useful when you are looking for an attack vector to exploit.

Open ports - This server is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

Closed ports - A closed port is accessible, but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up.

Let's try another scan, but this time we want to find out what software is running behind those open ports.

$ sudo nmap -sS -A <target>

Here you can see what software is running and what version. For example, my web server here is running OpenSSH 4.3 on port 22. If I knew of a vulnerability in that version, I would know this server is exploitable.
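
The same version information is what an administrator uses to audit their own hosts. As an added example (not from the original article), this parses Nmap's XML output (the -oX option) and reports open ports outside a baseline, services whose version was not identified, and products below a minimum version; the sample XML, the policy values and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output (documentation address), trimmed
# to the elements this audit reads.
SAMPLE_XML = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="4.3"/></port>
    <port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="Apache httpd" version="2.4.58"/></port>
    <port protocol="tcp" portid="3306"><state state="open"/>
      <service name="mysql"/></port>
    <port protocol="tcp" portid="8080"><state state="closed"/></port>
  </ports>
</host></nmaprun>"""

# Hypothetical site policy: ports allowed open, minimum (major, minor) versions.
ALLOWED_PORTS = {22, 80, 443}
MIN_VERSION = {"OpenSSH": (9, 0), "Apache httpd": (2, 4)}

def version_tuple(text):
    """'4.3p2' -> (4, 3): first two numeric components, zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:2]]
    return tuple(nums + [0] * (2 - len(nums)))

def audit(xml_text):
    """Return (address, port, finding) tuples for open ports that break policy."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed or filtered: no reachable service to audit
            num = int(port.get("portid"))
            svc = port.find("service")
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None
            if num not in ALLOWED_PORTS:
                findings.append((addr, num, "open port not in baseline"))
            if not product or not version:
                findings.append((addr, num, "service version not identified"))
            elif version_tuple(version) < MIN_VERSION.get(product, (0, 0)):
                findings.append((addr, num, f"{product} {version} below minimum"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_XML):
        print(*finding, sep="  ")
```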

Final Thoughts

This is by no means an all-inclusive listing of everything Nmap has to offer. I tried to pick and choose the highly relevant portions to give you a feel for its capabilities. You can now add another tool to your ever-growing arsenal.

Questions? Comments? Concerns? Let's hear 'em!

Images by Nmap


Nice one, I would recommend adding in some Arch Linux commands for some of us that use Arch =)

How to know what is the highest vulnerability?


Welcome to Null Byte!

Finding the system's greatest vulnerability is tricky. First, you need to know as much about the system as possible. This includes the OS, the applications, the ports, the services, etc. Then, you can look into various databases for vulnerabilities. Check out this tutorial.


I noticed that most of your recon tutorials are for web servers. Would I be able to do this with the IP of a computer? Also, if the computer wasn't on my network, could I use the public IP?


You can use nmap on any system you can reach with a ping. That includes on your local LAN or a public IP. The reason that these tutorials are for web servers is that the web server has public-facing access. This can provide an entry point to the network.


Thanks, so how would I scan for IPs and ports open on those IPs, when they're connected to a different network than mine?

That is problematic. One thing you can do is to get a foothold inside the network. In other words, compromise one system and then scan. If there is a wireless network, you can use netdiscover to scan inside the network.

Oh, so the only way to scan a remote network is socially engineering someone into downloading and running a payload, then running a scan from the meterpreter?

Thanks for all your help.

It's not the only way, but probably the simplest way. You could also compromise any of the public-facing systems such as the web server, DNS server, etc. without social engineering.

Okay, thanks for all these tutorials. They're very helpful and informative. It's also much easier than browsing the web for an hour looking for something helpful.

You are very welcome.

I hope you will join Null Byte and follow me as there is so much to learn that I still have not put on here yet.

Hello, can somebody tell me what the '' is? Is it the IP of the web server? If yes, how can we get the name of the web server first in order to get the IP later by pinging it?

Thanks in advance.

After I do a vuln scan (--script vuln) I always get "Hosts are all up (not vulnerable)"
What would be the next step to get into the system?
Or how do I know what part is vulnerable and what exploit to use (or how to write one)?
Anyone got a tutorial on that?
