By: Mike Ship
May 4, 2018
Use Ports and Options to Identify Active Hosts and Vulnerable Services
Nmap: Use the -sn, --top-ports, and -sV options to Identify Active Hosts and Vulnerable Services

If you are just starting out in cybersecurity and considering the area of penetration testing (red teaming), you may be wondering how pentesters (or attackers, for that matter) know which ports are open on a system, or how they identify which services are running on a particular system. If you are considering a career in cybersecurity, particularly one related to network security or penetration testing, there is a handy little tool you should become familiar with. That tool is Nmap.
Nmap is a free and open source network scanning utility with many uses, including basic network scanning, identifying which services a host is running, "fingerprinting" both the operating system and the applications on a host, vulnerability scanning, and much more. In this tutorial, I will cover some of the basics of using Nmap at a high level. Using its command-line interface (CLI) (it does have a GUI as well), I will provide some examples that you can put to use quickly as a beginning security professional.

One of the first and most basic scans you can do with Nmap is a ping sweep (-sn) scan. The -sn option tells Nmap to skip the port scan and do host discovery only, so this type of scan is used to identify which hosts on the network are up.
Fig. 1 nmap -sn

Another useful scanning technique is the --top-ports option. From the Nmap website:

“The --top-ports option lets you specify the number of ports you wish to scan in each protocol and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports get you roughly half of the open ports. The top 1,000 (out of 65,536) will find roughly 93% of the open TCP ports and more than 95% of open UDP ports.”

93%... I’ll take that any day! For this particular example, though, we are only going to look for the top 10 TCP ports, and we will only scan a range of ten hosts. Notice in the output that we scanned a range of ten hosts but only three responded; this is not uncommon. Also notice the otherwise very interesting output: several services are running that should make you want to follow up with our next example.
Fig. 2 nmap -sT --top-ports=10
Fig. 3 nmap -sT -sV --top-ports=10

At this point, as a security professional, depending on which team you are playing for, you will be either extremely excited or extremely worried. If you are a RED TEAMER, you are excited and should be rushing to launch your exploitation tool of choice. But if you are a BLUE TEAMER, you are probably picking yourself up off the floor and transitioning into more of an Incident Response mindset.
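The Fig. 2 and Fig. 3 scans are the point where a blue teamer wants something more repeatable than reading screenshots: which hosts answered, which ports are open, what -sV identified behind each port, and which of those services deserve immediate follow-up. The script below is an added example, not code from the original post or from the Nmap project. It assumes the scan was saved in Nmap's grepable format with the real -oG option (for example `nmap -sT -sV --top-ports=10 -oG scan.gnmap 192.168.1.1-10`) and parses that format with POSIX awk. The embedded scan output is constructed to look like a -oG file for the three-hosts-up scenario in the post; the addresses and version strings are made up. Real -oG output separates the Host/Status/Ports fields with tabs, and the parser handles tabs or spaces. The "cleartext" rule at the end is one defender's triage choice (flagging FTP and telnet), not an Nmap feature.

```shell
#!/bin/sh
# Added example: summarize Nmap grepable (-oG) output from a -sT -sV --top-ports scan.
# Not from the original post. SAMPLE_GNMAP is constructed sample data; the hosts,
# ports and versions are invented for illustration.

SAMPLE_GNMAP="$(cat <<'EOF'
# Nmap 7.70 scan initiated Fri May  4 10:00:00 2018 as: nmap -sT -sV --top-ports=10 -oG - 192.168.1.1-10
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.1 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 443/open/tcp//ssl|http//nginx 1.14.0/  Ignored State: closed (8)
Host: 192.168.1.4 ()  Status: Up
Host: 192.168.1.4 ()  Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.6 ((CentOS))/  Ignored State: closed (7)
Host: 192.168.1.9 ()  Status: Up
Host: 192.168.1.9 ()  Ports: 445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/  Ignored State: closed (9)
# Nmap done at Fri May  4 10:00:12 2018 -- 10 IP addresses (3 hosts up) scanned in 12.34 seconds
EOF
)"

# Number of hosts that answered: one "Status: Up" line per live host
# (this is the "ten scanned, three responded" count from the post).
count_hosts_up() {
    printf '%s\n' "$1" | grep -c 'Status: Up'
}

# One line per open port: "<host> <port>/<proto> <service> <version>".
# Each entry in the Ports field is port/state/proto/owner/service/rpc/version/.
summarize_open_ports() {
    printf '%s\n' "$1" | awk '
    /^Host: / && /Ports: / {
        host = $2
        line = $0
        sub(/^.*Ports: /, "", line)            # keep only the port list
        sub(/[ \t]*Ignored State:.*$/, "", line) # drop the trailing summary
        n = split(line, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open")
                printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
        }
    }'
}

# Defender triage rule (an assumption of this example, not an Nmap feature):
# cleartext remote-access and file-transfer services are the first follow-up.
flag_cleartext_services() {
    summarize_open_ports "$1" | awk '$3 == "telnet" || $3 == "ftp" { print $1, $2, $3 }'
}

# Stand-alone usage on the constructed sample (replace with: "$(cat scan.gnmap)").
echo "hosts up: $(count_hosts_up "$SAMPLE_GNMAP")"
echo "open ports:"
summarize_open_ports "$SAMPLE_GNMAP"
echo "follow up first (cleartext services):"
flag_cleartext_services "$SAMPLE_GNMAP"
```

Feeding a real file is `summarize_open_ports "$(cat scan.gnmap)"`; because the parser keys on the `Ports:` field rather than on column positions, the same functions work on the output of the plain `-sT --top-ports=10` scan from Fig. 2, where the version field is simply empty.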