Nmap: Use the -sn, --top-ports, and -sV options to Identify Active Hosts and Vulnerable Services
If you are just starting out in cybersecurity and considering the area of penetration testing (Red Teaming) you may be wondering how do pentesters (or attackers for that matter) know what ports are open on a system? Or how do they identify what services are running on a particular system? If you are considering a career in cybersecurity, particularly related to network security or penetration testing then there is a handy little tool that you should become familiar with. That tool is Nmap.
Nmap is a free and open-source network scanning utility with many uses, including basic network scanning, identifying what services a host is running, "fingerprinting" both the operating system and the applications on a host, vulnerability scanning, and much more. In this tutorial, I will cover some of the basics of using Nmap at a high level. Using its command-line interface (CLI) (Nmap also has a GUI), I will provide some examples that you can put to use quickly as a beginning security professional.

One of the first and most basic scans you can do with Nmap is a ping sweep (-sn). This type of scan attempts to identify the active hosts that are up on the network.
Fig. 1 nmap -sn
Another useful scanning technique is the --top-ports option. From the Nmap website: "The --top-ports option lets you specify the number of ports you wish to scan in each protocol and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports get you roughly half of the open ports. The top 1,000 (out of 65,536) will find roughly 93% of the open TCP ports and more than 95% of open UDP ports." 93%... I'll take that any day! For this particular example, though, we are only going to look for the top 10 TCP ports, and we will only scan a range of ten hosts. Notice in the output that we scanned a range of ten hosts but only three responded. This is not uncommon. Also, notice the rest of the output, which is very interesting: several services are running that should make you want to follow up with our next example.
Fig. 2 nmap -sT --top-ports=10
The last scan identified a handful of services running on the three systems, and a couple of them should look very interesting if you are a security professional. With that said, the last scan we will go over in this post shows you how to follow up on the previous one. This scan attempts to identify the versions of the services (-sV) running on the hosts identified previously.
Fig. 3 nmap -sT -sV --top-ports=10
At this point, as a security professional, depending on which team you are playing for, you will either be extremely excited or extremely worried. If you are a RED TEAMER then you are so excited and should be rushing to launch your exploitation tool of choice. But if you are a BLUE TEAMER then you are probably picking yourself up off of the floor and transitioning into more of an Incident Response mindset.
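As an added example (not from the original post or from the Nmap project), here is a small Python script a blue teamer could use to triage the XML report that the -sV scan above produces when run with -oX: it lists the open services per responding host and flags the ports where version detection came up empty, which are the ones that need manual follow-up. The embedded XML is a constructed sample of Nmap's output format and the 192.168.56.x addresses are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sT -sV --top-ports 10 -oX -` emits; not real scan output.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sT -sV --top-ports 10 -oX - 192.168.56.10-19">
<host><status state="up" reason="syn-ack"/><address addr="192.168.56.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
<service name="telnet" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="conn-refused"/>
<service name="http" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="192.168.56.11" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_open_services(xml_text):
    """Return {ip: [(port, proto, name, version, identified)]} for hosts that were up.
    Only open ports are kept. 'identified' is True when -sV's probes actually matched
    (method="probed"); False when the name came only from nmap's port-number table."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip hosts that did not respond, like the silent hosts in the post's range
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            parts = (svc.get("product"), svc.get("version"), svc.get("extrainfo")) if svc is not None else ()
            version = " ".join(p for p in parts if p)
            identified = svc is not None and svc.get("method") == "probed"
            services.append((int(port.get("portid")), port.get("protocol"), name, version, identified))
        hosts[addr.get("addr")] = services
    return hosts


def needs_followup(hosts):
    """(ip, port, name) for every open port where -sV could not pin down a version."""
    return [(ip, p, n) for ip, svcs in hosts.items() for p, _, n, _, ok in svcs if not ok]


if __name__ == "__main__":
    report = parse_open_services(SAMPLE_XML)
    for ip, svcs in report.items():
        for port, proto, name, version, ok in svcs:
            print(f"{ip}:{port}/{proto}\t{name}\t{version or '(version not identified)'}")
    print("follow up on:", needs_followup(report))
```

Feed it a real report with `nmap -sT -sV --top-ports 10 -oX scan.xml <range>` and `parse_open_services(open("scan.xml").read())`; a port whose service name came only from the port table (telnet above) is exactly the kind of result the post says should worry a defender.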