When it comes to attacking devices on a network, you can't hit what you can't see. Nmap gives you the ability to explore any devices connected to a network, finding information like the operating system a device is running and which applications are listening on open ports. This information lets a hacker design an attack that perfectly suits the target environment.
Network Reconnaissance for Beginners
After gaining access to a Wi-Fi, Ethernet, or remote network, the first step for most hackers is to conduct recon to explore the network and learn more about any available targets. You may be familiar with some devices that announce themselves on a network, like other computers advertising file sharing. While this is a useful way of discovering devices on the same network as you, most devices do not advertise their presence on the network in this obvious of a fashion.
The solution to the problem of exploring a network is network scanning, made possible by programs like Nmap and arp-scan. We're only interested in the former here, which allows for highly detailed exploration and mapping of local and remote networks, though we can use Nmap to perform an ARP scan as you'll see later on. With Nmap, you can see who is on the network, what applications or operating system a target is running, and what the available attack surface is.
Using Nmap for Local Networks
Running an Nmap scan is often the best way to discover the size of the network and the number of devices that are connected to it. Running a "fast" Nmap scan (-F) on a network range can produce a list of all of the IP addresses belonging to active hosts on the network, plus some extra information.
sudo nmap -F 192.168.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-10 22:55 PST
Nmap scan report for 192.168.0.1
Host is up (0.048s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
5000/tcp open upnp
8081/tcp filtered blackice-icecap
MAC Address: AC:EC:80:00:EA:17 (Arris Group)
Nmap scan report for 192.168.0.35
Host is up (0.065s latency).
Not shown: 93 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
515/tcp open printer
631/tcp open ipp
9100/tcp open jetdirect
MAC Address: C4:8E:8F:38:61:93 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.0.232
Host is up (0.032s latency).
All 100 scanned ports on 192.168.0.232 are closed
MAC Address: 60:A3:7D:30:24:60 (Apple)
The data provided, combined with some basic information about services a device is running, can be used by itself as a list of targets for other hacking tools, but the capabilities of Nmap go far beyond simple host discovery.
The amount of info on a local network an Nmap scan can gather is impressive, including the MAC address and manufacturer of connected devices, the operating system a device is using, and the version of any services that are running on the device. Once you know how many devices are on the network and roughly what they are, the next step is to scan and examine devices of interest on the network.
Another key function of Nmap is to allow for port scanning of either individual devices or ranges of IP addresses including many devices. This allows an attacker to learn the minute details of a device they have discovered on a network, including information about ports open and services running. Ports are gateways that another device can connect through, so finding a bunch of services running on open ports can be a huge benefit to a hacker, especially if one of them has a version that is out of date and vulnerable.
Using Nmap for Remote Networks
In addition to scanning local networks, Nmap can also show information about remote networks as well. In fact, you can run Nmap against a website you want to examine, and it will parse it and retrieve the IP address associated with that web domain.
nmap -F wonderhowto.com
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-11 23:20 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.14s latency).
Not shown: 95 closed ports
PORT STATE SERVICE
53/tcp filtered domain
80/tcp open http
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds
After grabbing the IP address and taking note of the port numbers that are open, further Nmap scans can reveal the operating system (-O) being used to host a remote website.
sudo nmap -O 104.193.19.59
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-10 23:00 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.036s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (95%)
Aggressive OS guesses: Citrix NetScaler load balancer (95%), Citrix NetScaler VPX load balancer (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.69 seconds
Finally, we can even learn about the versions of software running on the ports we find open. If we see one that is vulnerable to a known attack, this could make our job on the network much easier. Using the IP address we discovered earlier, we can run another scan with -sV that reveals that httpd 2.0 is being used on the target machine.
sudo nmap -sV 104.193.19.59
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-10 23:02 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.053s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.27 seconds
These details combined — the IP address of a remote website or server, the operating system running on the device, and the version of any application running on open ports we discover — is everything a hacker needs to get started attacking devices on a network.
What You'll Need
To use Nmap, you'll need a system that supports it. Fortunately, Nmap is cross-platform and works on Windows, Linux, and macOS, and comes preinstalled on many systems. If you don't have it, it's easy to install.
You'll also need a network to connect to and scan to try these techniques, but be aware that scanning is often seen as a prelude to an attack and may be met with increased scrutiny. What this means is that if you have a job that monitors suspicious behavior, scanning their entire network is a great way to gain attention.
Step 1: Configure Nmap to Scan a Single Target
To run a basic scan, we can identify an IP address of interest to run the scan against. One of the most basic but informative scans is to run Nmap, specify a target IP address, and then type -A to enable OS detection, version detection, script scanning, and traceroute.
sudo nmap 104.193.19.59 -A
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-10 23:12 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.038s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: WonderHowTo
|_http-title: Did not follow redirect to https://wonderhowto.com/
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: WonderHowTo
|_http-title: Did not follow redirect to https://www.wonderhowto.com/
| ssl-cert: Subject: commonName=wonderhowto.com
| Subject Alternative Name: DNS:wonderhowto.com, DNS:*.driverless.id, DNS:*.gadgethacks.com, DNS:*.invisiverse.com, DNS:*.null-byte.com, DNS:*.reality.news, DNS:*.wonderhowto.com, DNS:driverless.id, DNS:gadgethacks.com, DNS:invisiverse.com, DNS:null-byte.com, DNS:reality.news
| Not valid before: 2017-01-25T00:00:00
|_Not valid after: 2019-01-25T23:59:59
|_ssl-date: 2018-11-11T07:12:53+00:00; 0s from scanner time.
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (90%)
Aggressive OS guesses: Citrix NetScaler load balancer (90%), Citrix NetScaler VPX load balancer (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 995/tcp)
HOP RTT ADDRESS
1 31.75 ms 192.168.0.1
2 26.02 ms 142.254.236.193
3 35.17 ms agg60.lsaicaev01h.socal.rr.com (24.30.168.25)
4 30.78 ms agg11.lsaicaev01r.socal.rr.com (72.129.18.192)
5 26.19 ms agg26.lsancarc01r.socal.rr.com (72.129.17.0)
6 34.58 ms bu-ether16.atlngamq46w-bcr00.tbone.rr.com (66.109.6.92)
7 30.20 ms ae2.lsancarc0yw-bpr01.tbone.rr.com (66.109.1.41)
8 35.04 ms ix-ae-24-0.tcore1.lvw-los-angeles.as6453.net (66.110.59.81)
9 35.01 ms if-ae-8-2.tcore1.sv1-santa-clara.as6453.net (66.110.59.9)
10 35.11 ms if-ae-0-2.tcore2.sv1-santa-clara.as6453.net (63.243.251.2)
11 38.80 ms if-ae-18-2.tcore1.sqn-san-jose.as6453.net (63.243.205.12)
12 34.39 ms if-ae-1-2.tcore2.sqn-san-jose.as6453.net (63.243.205.2)
13 34.05 ms 64.86.21.62
14 31.16 ms xe-0-0-3.cr6-lax2.ip4.gtt.net (89.149.180.253)
15 63.54 ms 72.37.158.50
16 ...
17 34.34 ms wonderhowto.com (104.193.19.59)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.60 seconds
Even against a single target, a basic scan can yield a lot of information. Here, we simply ran the scan on the IP address for WonderHowTo.com. This can be run against a device on your local network, like a router, or a remote server, like the one hosting WonderHowTo.com.
Step 2: Calculate the Subnet & Scan a Range to Discover Devices
In order to identify other devices on a local network, it's useful to calculate the subnet range. This is the range of possible IP addresses given out to devices on a network, and knowing it allows you to scan through all the possible IP addresses a device on the network could have.
A handy tool to do this for you is IPcalc. This tool will take your IP address (which is easy to find by typing ifconfig or ip a in a terminal window) and calculate the subnet range based on it. Doing so will give you a number like "192.168.0.0/24," which specifies a range of IP addresses. In the example below, the subnet is calculated as 127.0.0.0/24.
ipcalc 127.0.0.1
Address: 127.0.0.1 01111111.00000000.00000000. 00000001
Netmark: 255.255.255.0 = 24 11111111.11111111.11111111. 00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000. 11111111
=>
Network: 127.0.0.0/24 01111111.00000000.00000000. 00000000
HostMin: 127.0.0.1 01111111.00000000.00000000. 00000001
HostMax: 127.0.0.254 01111111.00000000.00000000. 11111110
Broadcast: 127.0.0.255 01111111.00000000.00000000. 11111111
Hosts/Net: 254 Class A, Loopback
In order to run a scan including information about the services running on devices we find, we can open a terminal window and type the following command, adding in your network range where I use "172.16.42.0/24" as an example. The scan is a little slow, so you can also use an -F flag instead of the -A to do a faster scan of the most common ports.
nmap 172.16.42.0/24 -A
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-11 23:26 PST
Nmap scan report for 172.16.42.1
Host is up (0.0029s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
Nmap scan report for 172.16.42.20
Host is up (0.0053s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
62078/tcp open tcpwrapped
Nmap scan report for 172.16.42.32
Host is up (0.0057s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
62078/tcp open tcpwrapped
Nmap scan report for 172.16.42.36
Host is up (0.011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
62078/tcp open tcpwrapped
Nmap scan report for 172.16.42.49
Host is up (0.0063s latency).
All 1000 scanned ports on 172.16.42.49 are closed
Nmap scan report for 172.16.42.53
Host is up (0.0059s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
62078/tcp open iphone-sync?
Nmap scan report for 172.16.42.57
Host is up (0.013s latency).
All 1000 scanned ports on 172.16.42.57 are closed
Nmap scan report for 172.16.42.63
Host is up (0.00020s latency).
All 1000 scanned ports on 172.16.42.63 are closed
Nmap scan report for 172.16.42.65
Host is up (0.0077s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
631/tcp open ipp CUPS 2.2
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Home - CUPS 2.2.0
Nmap scan report for 172.16.42.119
Host is up (0.012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
898/tcp filtered sun-manageconsole
1862/tcp filtered mysql-cm-agent
1971/tcp filtered netop-school
62078/tcp open tcpwrapped
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (10 hosts up) scanned in 219.68 seconds
We're basically running Nmap with no arguments except the -A flag. We should expect to see an output like above, showing discovered devices and the services running on them.
Another handy tool for network discovery is arp-scan, which can sometimes show devices that Nmap misses. We can use Nmap to conduct an ARP scan with the -PR request, which is quite fast and aggressive at bringing back online hosts.
nmap -PR 192.168.0.0/24
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-12 06:10 PST
Nmap scan report for 192.168.0.1
Host is up (0.019s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
53/tcp filtered domain
80/tcp open http
443/tcp open https
5000/tcp open upnp
8081/tcp filtered blackice-icecap
8082/tcp filtered blackice-alerts
Step 3: Create a Target List of Active Hosts
Now we can calculate all the possible IP addresses on the local network and discover them either with a -F (fast) scan, by running Nmap with no arguments but the -A flag for a slower scan with more info, or with a -PR scan capable of quickly sweeping a local network for active hosts.
Finally, if you want to create a TXT file of hosts you discovered, you can use the command seen below to build a list to avoid needing to scan the entire network each time we run a subsequent scan. For instance, to scan for devices with a port 80 open and save them to a list, we can use some Linux tools and the -oG "greppable output" flag to help us cut through the output Nmap provides.
By running nmap -p 80 -oG - 192.168.0.0/24 — with the network range substituted for yours — you can add | awk '/80\/open/ {print $2}' >> port80.txt to output the IP addresses belonging to discovered devices to a TXT file called "port80.txt."
nmap -p 80 -oG - 192.168.0.1 | awk '/80\/open/ {print $2}' >> port80.txt
cat port80.txt
Here, the awk command is looking for lines containing the port number and the result "open," with the second string in each line (in this case, the IP address) saved by the cat command to a new file called port80.txt
Step 4: Identify the Operating System on Discovered Devices
One of the most helpful things to know about a device we discover on a network is the operating system it's running. Here, we can take the TXT target list we populated in the previous step and run an operating system scan, which requires root privileges. We can use the -O flag to run an operating system scan, and the -iL flag to tell Nmap we want to read from a TXT file of target hosts.
sudo nmap -O -iL port80.txt
Password:
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-12 07:07 PST
Nmap scan report for 192.168.0.1
Host is up (0.033s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
53/tcp filtered domain
80/tcp open http
443/tcp open https
5000/tcp open upnp
8081/tcp filtered blackice-icecap
8082/tcp filtered blackice-alerts
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=11/12%OT=80%CT=1%CU=33278%PV=Y%DS=1%DC=D%G=Y%M=407009%
OS:TM=5BE99771%P=x86_64-apple-darwin17.3.0)SEQ(SP=CB%GCD=1%ISR=CD%TI=Z%CI=Z
OS:%II=I%TS=7)SEQ(SP=CE%GCD=1%ISR=CE%TI=Z%CI=Z%TS=7)OPS(O1=M5B4ST11NW2%O2=M
OS:5B4ST11NW2%O3=M5B4NNT11NW2%O4=M5B4ST11NW2%O5=M5B4ST11NW2%O6=M5B4ST11)WIN
OS:(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=390
OS:8%O=M5B4NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(
OS:R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11NW2%RD=0%Q=)T4(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Nmap scan report for 192.168.0.2
Host is up (0.019s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp filtered domain
80/tcp open http
8888/tcp open sun-answerbook
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
Nmap scan report for 192.168.0.5
Host is up (0.064s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
80/tcp open http
8080/tcp open http-proxy
8085/tcp open unknown
8086/tcp open d-s-n
8087/tcp open simplifymedia
8088/tcp open radan-http
8089/tcp open unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.8
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 67.32 seconds
This tactic allows us to get as much information as possible about the operating system from whatever list of targets we want to run it against, whether internal network targets or a list of website IP addresses.
The next step is discovering the versions of the applications running on open ports. This may show us a port that is running software that is out of date and has a known vulnerability. To run this scan, you can use the -sV flag against a target.
sudo nmap -sV 192.168.0.2 -D 192.168.0.1,192.168.0.2,192.168.0.3
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-12 07:29 PST
Nmap scan report for 192.168.0.2
Host is up (0.030s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
53/tcp filtered domain
80/tcp open http?
8888/tcp open upnp MiniUPnP 1.6 (Linksys/Belkin WiFi range extender; SDK 4.1.2.0; UPnP 1.0; MTK 2.001)
MAC Address: 83:23:98:43:23:3D (Dobus International)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.24 seconds
Here, we've found some very specific information about our host, allowing us to potentially identify an attack against the software listening behind the port.
Step 5: Advanced Scans & Workarounds
There may be some circumstances where you're having a difficult time scanning a network because the ping sent by Nmap are dropped by a firewall on the router. This can make it look like no devices are up, when you know they are. To avoid this, you can include the -Pn flag, which will drop the ping and sometimes allow you to connect directly to devices and get a response.
If you're scanning on a network you don't want to be detected on, you can perform a decoy scan with the -D flag to make it more difficult to detect who is conducting the scan on the network. An example would look like the command below, and requires root privileges.
sudo nmap -sS 192.168.0.2 -D 192.168.0.1,192.168.0.2,192.168.0.3
Password:
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-12 07:26 PST
Nmap scan report for 192.168.0.2
Host is up (0.036s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp filtered domain
80/tcp open http
8888/tcp open sun-answerbook
MAC Address: 83:23:98:43:23:3D (Dobus International)
Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds
If you need more information about what's happening, you can strike a key while the scan is progressing to get some information about how it's proceeding or add a -v to increase the verbosity (how much information the script gives). Generally, you can keep adding more v's to the -v according to how frustrated or angry you get to learn more information about what's happening.
Initiating ARP Ping Scan at 07:18
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 07:18, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:18
Completed Parallel DNS resolution of 1 host. at 07:18, 0.09s elapsed
DNS resolution of 1 IPs took 0.10s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:18
Scanning 192.168.0.1 [1 port]
Discovered open port 80/tcp on 192.168.0.1
Completed SYN Stealth Scan at 07:18, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.0.1
Host is up, received arp-response (0.11s latency).
Scanned at 2018-11-12 07:18:34 PST for 0s
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 23:78:32:76:34:90 (Dobis Group)
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
Here, we can see the reason reported for the port 80 being up, allowing us to delve deeper into what parts of a scan a device may be replying to or ignoring. Be warned, you will see everything the scan is doing, and this can produce a lot of output on a complicated scan.
Nmap Lights Up the Dark
Finding your way around a network for the first time can be a harrowing experience for a beginner, whether you're learning about network exploitation for the first time or simply trying to find your router.
Keep in mind, while networks scans are fine (and a great idea) to run on your own network to see what's connected, this kind of scan may not be welcome on your work network or another network you don't own. If your employer looks for suspicious behavior on their networks, extensively scanning can be easily interpreted as the threatening behavior if you have no good reason to be performing the scan.
One of the most powerful things about Nmap is that it's scriptable with options like -oG and can be used to feed into other tools, so if you've ever imagined building a tool that needs to be aware of other devices on the same network, Nmap might be just what you're looking for.
I hope you enjoyed this guide to using Nmap to map and explore devices on a network! If you have any questions about this tutorial on network scanning or you have a comment, feel free to reach me on Twitter @KodyKinzie.
- Follow Null Byte on Twitter, Flipboard, and YouTube
- Sign up for Null Byte's weekly newsletter
- Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard
Cover image by Kody/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!