Kali tools: Nmap

The Nmap network mapper is an industry-standard network scanner that is over 20 years old. Nmap is featured in numerous movies as the “hacking tool”, including The Matrix, Die Hard 4, and The Girl With the Dragon Tattoo. The full list of Nmap’s movie appearances is on the Nmap homepage (https://nmap.org/movies/).

Nmap runs on numerous systems and operating systems. Many OS distributions carry Nmap in their package repository, so check your OS package repository first.

Nmap Kali installation

The default Kali installation already contains Nmap. If you need to reinstall it, you can install it with the APT tool (the package name is lowercase):

root@kali:/root# apt install nmap

Nmap basics

Nmap is used as a security assessment tool and also as a network management and troubleshooting tool. It is usually used in the information gathering phase to enumerate IP addresses and find the open ports on hosts. Nmap’s main features are port scanning, ping sweeping, OS detection, and version detection. Nmap works only with IPv4 and IPv6: there is no support for Layer 2 protocols or for Layer 3 protocols other than IP. The main protocols Nmap works with are TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), and SCTP (Stream Control Transmission Protocol).

NSE – Nmap Scripting Engine

Nmap can be extended with its scripting engine (the Nmap Scripting Engine, NSE). Plenty of scripts are available on the Nmap website under NSE Scripts.

NSE scripts are written in the Lua language, version 5.3. Kali includes over 5000 scripts in the /usr/share/nmap/scripts folder. An NSE script can have a category, e.g. vuln for vulnerability checks, discovery for additional network discovery, etc. If you run nmap with the -sC or -A parameter, Nmap executes the scripts in the /usr/share/nmap/scripts folder whose category is set to default.

You can also select scripts by filename, category, directory, or search expression and run them against the target.

root@kali:~# #nmap --script filename|category|directory|expression,...   target
root@kali:~# nmap --script vuln scanme.nmap.org #run the vuln-category scans against the target

We can also run custom scripts. For example, we can detect DHCP servers on the network by running the DHCP Discover script.

root@kali:~# wget https://svn.nmap.org/nmap/scripts/broadcast-dhcp-discover.nse
--2020-11-14 01:28:43--  https://svn.nmap.org/nmap/scripts/broadcast-dhcp-discover.nse
Resolving svn.nmap.org (svn.nmap.org)... 45.33.49.119, 2600:3c01:e000:3e6::6d4e:7061
Connecting to svn.nmap.org (svn.nmap.org)|45.33.49.119|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7688 (7.5K) [text/plain]
Saving to: ‘broadcast-dhcp-discover.nse’

broadcast-dhcp-discover.nse
100%[=====================================================================================>]   7.51K  --.-KB/s    in 0s      

2020-11-14 01:28:45 (77.2 MB/s) - ‘broadcast-dhcp-discover.nse’ saved [7688/7688]

root@kali:~# nmap --script broadcast-dhcp-discover.nse
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 01:29 EET
Pre-scan script results:
| broadcast-DHCP-discover:
|   Response 1 of 1:
|     Interface: eth0
|     IP Offered: 192.168.1.162
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 2m00s
|     Renewal Time Value: 1m00s
|     Rebinding Time Value: 1m45s
|     Subnet Mask: 255.255.255.0
|     Broadcast Address: 192.168.1.255
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: WLAN
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.38 seconds
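The pre-scan output above is plain text, so a defender who runs this script on a schedule will want to parse it and alert when a DHCP server answers that is not on the allow-list (a rogue DHCP server). The Python below is an added example, not part of this page or of Nmap itself; the sample input is copied from the run shown above, and the allow-list is an assumption about your own network.

```python
import re

# Sample Nmap pre-scan output, copied from the broadcast-dhcp-discover run shown above.
SAMPLE = """\
Pre-scan script results:
| broadcast-DHCP-discover:
|   Response 1 of 1:
|     Interface: eth0
|     IP Offered: 192.168.1.162
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 2m00s
|     Renewal Time Value: 1m00s
|     Rebinding Time Value: 1m45s
|     Subnet Mask: 255.255.255.0
|     Broadcast Address: 192.168.1.255
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: WLAN
WARNING: No targets were specified, so 0 hosts scanned.
"""


def parse_dhcp_responses(text):
    """Return one dict of field -> value per 'Response N of M' block in NSE output."""
    responses, current = [], None
    for line in text.splitlines():
        if not line.startswith("|"):        # only NSE tree lines carry script results
            continue
        body = line.lstrip("|_ ").rstrip()  # strip the '|', '|_' tree prefix and indent
        if re.match(r"Response \d+ of \d+:$", body):
            current = {}                    # a new DHCP offer starts here
            responses.append(current)
        elif current is not None and ": " in body:
            key, value = body.split(": ", 1)
            current[key] = value
    return responses


def unexpected_dhcp_servers(text, allowed):
    """Server Identifiers seen in the output that are not in the allow-list (assumed known)."""
    seen = {r["Server Identifier"] for r in parse_dhcp_responses(text) if "Server Identifier" in r}
    return sorted(seen - set(allowed))
```

Run it against `nmap --script broadcast-dhcp-discover.nse` output captured to a file; any non-empty result from `unexpected_dhcp_servers` is a DHCP server you did not expect on that segment.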

Scan types

Nmap has numerous ways to scan IP addresses. With the default settings, Nmap scans the 1000 most commonly used ports, using a SYN scan when run as root or a TCP Connect scan when run as an unprivileged user. You can choose which ports are scanned with the “-p” parameter. For example, “-p 80,443,8080,8443” scans only ports 80, 443, 8080, and 8443. You can also define a port range to scan; for example, “-p 1-65535” scans the whole port range.

You can adjust Nmap’s scanning performance with the timing template. Nmap has six timing templates to choose from, named “Paranoid”, “Sneaky”, “Polite”, “Normal” (the default), “Aggressive”, and “Insane”. The values set by each timing template (times in milliseconds) are listed in the following table:

Template                  T0         T1         T2         T3         T4         T5
Name                      Paranoid   Sneaky     Polite     Normal     Aggressive Insane
min-rtt-timeout (ms)      100        100        100        100        100        50
max-rtt-timeout (ms)      300,000    15,000     10,000     10,000     1,250      300
initial-rtt-timeout (ms)  300,000    15,000     1,000      1,000      500        250
max-retries               10         10         10         10         6          2
initial scan delay (ms)   300,000    15,000     400        0          0          0
max TCP scan delay (ms)   300,000    15,000     1,000      1,000      10         5
max UDP scan delay (ms)   300,000    15,000     1,000      1,000      1,000      1,000
host-timeout (ms)         0          0          0          0          0          900,000

TCP Connect (-sT) scan

The TCP Connect scan needs three packets for each scanned port. First, the scanner sends a TCP SYN packet requesting a connection to the scanned port. Next, the server responds with a SYN/ACK packet, indicating that the port is open and it is ready to accept the connection. Finally, the scanner (the connection initiator) sends an ACK packet, acknowledging that the connection is open and that it is ready to send data.

The TCP Connect scan is the default scan mode when Nmap is run under an unprivileged user account.

Below is an example scan of port 135.

[Image: Nmap TCP scan of port 135]

Below are the captured packets of the previous TCP Connect scan.

Nmap detects an open port by receiving a SYN/ACK packet from the server. Finally, the client (scanner) closes the connection by sending an RST (reset) packet to the server.

If instead the port is closed and no service is listening on it, the server replies to the client with a RESET (RST) packet.

Below is a screenshot of the Wireshark capture of a closed-port scan. The capture shows the server replying with an RST/ACK packet to the client’s scan attempt (SYN packet).

[Image: Wireshark capture of a scan of a closed port]

If the port is blocked by a firewall, such as iptables, the client receives no response from the server at all. Nmap reports these ports as “filtered”.

[Image: Results of a filtered / firewalled nmap scan]

[Image: Packets of a filtered nmap scan]

SYN (-sS) scan

Because the TCP Connect scan establishes a full TCP connection to the server, control is handed over to the server application. Since the scan sends no data and simply disconnects, the connection attempt is (in some cases) logged by the application or may even crash poorly written applications. The TCP Connect scan is therefore noisy, and scanners prefer Nmap’s SYN scan. The only downside is that the SYN scan manipulates network traffic directly, so it requires admin/root privileges on the scanning system.

The SYN scan is the default scan mode when Nmap is run under a privileged user account.

Instead of establishing the full connection, the SYN scan terminates the connection after receiving the SYN/ACK packet from the server.

[Image: tcpdump output of an nmap SYN scan]

UDP scans

The Nmap UDP scan works by sending a UDP packet to the requested port. If there is NO service listening on it, the destination host replies with an ICMP message to the scanner, and Nmap marks the port as closed. If a service is listening, Nmap usually receives no reply from the host and marks the port as open|filtered. For some services, Nmap knows the protocol and sends a correctly crafted UDP packet to the host; in those cases the destination service replies with a UDP packet and Nmap marks the port as open.
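The TCP Connect, SYN and UDP sections above all describe how Nmap turns a reply (or silence) into a port state, and the max-retries row of the timing table decides how many times a silent port is re-probed before that decision is final. The Python below is an added example, not Nmap’s own code: it models that decision together with the retransmission budget, so you can see how an Insane (-T5) template turns a lossy but open port into a false “filtered” result. The `wire`/`lossy_host` transport is a hypothetical stand-in for the network.

```python
from typing import Callable, Optional, Tuple

# Reply kinds a scanner can observe on the wire (constructed labels, not Nmap identifiers).
SYN_ACK, RST, ICMP_UNREACH, UDP_DATA = "syn/ack", "rst", "icmp-unreachable", "udp-data"
NO_REPLY = None

# max-retries per timing template, taken from the timing table earlier on the page.
MAX_RETRIES = {"T0": 10, "T1": 10, "T2": 10, "T3": 10, "T4": 6, "T5": 2}


def classify_tcp(reply: Optional[str]) -> str:
    """Port state for a SYN or TCP Connect probe, as described in the TCP sections."""
    if reply == SYN_ACK:
        return "open"          # server is ready to accept the connection
    if reply == RST:
        return "closed"        # nothing listening; the host answered with a reset
    return "filtered"          # silence: a firewall dropped the probe (or the reply)


def classify_udp(reply: Optional[str]) -> str:
    """Port state for a UDP probe; for UDP, silence is ambiguous."""
    if reply == UDP_DATA:
        return "open"          # the service understood the crafted payload and answered
    if reply == ICMP_UNREACH:
        return "closed"        # the host reports that nothing listens there
    return "open|filtered"     # silent listener or a firewall: cannot be told apart


def probe_port(proto: str, wire: Callable[[int], Optional[str]],
               template: str = "T3") -> Tuple[str, int]:
    """Send one probe plus up to max-retries retransmissions (modelled as retries + 1 attempts).
    `wire(attempt)` is the hypothetical transport: it returns a reply kind or NO_REPLY.
    Returns (port state, number of probes actually sent)."""
    classify = classify_tcp if proto == "tcp" else classify_udp
    attempts = MAX_RETRIES[template] + 1
    for attempt in range(attempts):
        reply = wire(attempt)
        if reply is not NO_REPLY:
            return classify(reply), attempt + 1
    return classify(NO_REPLY), attempts          # budget exhausted without any reply


def lossy_host(reply: Optional[str], dropped: int) -> Callable[[int], Optional[str]]:
    """Constructed wire model: the first `dropped` probes are lost, later ones get `reply`."""
    return lambda attempt: reply if attempt >= dropped else NO_REPLY
```

With three probes lost, `probe_port("tcp", lossy_host(SYN_ACK, 3), "T5")` gives up after its three attempts and reports filtered, while the same host under the default T3 is correctly reported open on the fourth probe.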
