Nmap Network Scanning

October 5, 2024

Overview

Using Nmap is a good way to check that no obvious weaknesses are exposed on a network or device. It can of course also be used for malicious intent, but in our case this is good ol' red team work. Secure networks and devices are essential, especially for companies. With the Network Mapper command we can assess various networks and systems.

Let's do a scan of some networks (that we own or have permission to check). We can get into the mindset of how to start looking for vulnerabilities and even add some automation to help us out with security auditing.

Tools And Requirements

  • Two devices
  • Network connection
  • Nmap
  • Python
  • Code or text editor

Download Nmap for Linux, Windows, or Mac if not already installed.

Linux

sudo apt-get update
sudo apt-get install nmap

macOS

brew install nmap

Windows

https://nmap.org/download.html#windows

Verify nmap installation

nmap --version

Setting Up Your Environment

We'll use any network-enabled device and type its IP. You can get the IP by going to a site like whatismyip.com, or with ipconfig on Windows and hostname -I on Linux and macOS.

Basic Scanning with Nmap

Run a terminal command

nmap -sn <target-IP-or-Hostname>

We see that the host is up and responsive in this ping scan. Let's try another scan to gather more information.

Host is up (0.0020s latency).
Nmap done: 1 IP address (1 host up) scanned in 4.29 seconds

Next command: nmap -sS

nmap -sS <target-IP>

This is a SYN scan (stealthy scan). It sends SYN packets to check for open ports without completing the full TCP handshake. While it's a bit more discreet, it can still be detected by an IDS (Intrusion Detection System) that monitors for half-open connections.

Starting Nmap 7.95 ( https://nmap.org ) at 2024-10
Nmap scan report for pool-00-00-00-IP.2ndlvl.sub.domain.tld (<target-IP>)
Host is up (0.0034s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
4567/tcp open  tram

Nmap done: 1 IP address (1 host up) scanned in 2.94 seconds

A full port scan, with "-sV" for version detection:

nmap -p- -sV <target-IP>

Which gives us a lot more information:

C:\Program Files (x86)\Nmap>nmap -p- -sV <target-IP>
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10
WARNING: Service <target-IP>:37377 had already soft-matched upnp, but now soft-matched rtsp; ignoring second value
WARNING: Service <target-IP>:37377 had already soft-matched upnp, but now soft-matched sip; ignoring second value
Nmap scan report for pool-00-00-00-IP.2ndlvl.sub.domain.tld (<target-IP>)
Host is up (0.0028s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE    SERVICE     VERSION
53/tcp    open     tcpwrapped
80/tcp    open     http
443/tcp   open     ssl/https
4567/tcp  open     tram?
4577/tcp  open     ssl/unknown
4578/tcp  filtered unknown
22222/tcp filtered easyengine
37377/tcp open     upnp        MiniUPnP 2.2.0 (UPnP 1.1)
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7...

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=7...


==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port4567-TCP:V=7...

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port37377-TCP:V=7...
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.08 seconds

The full port scan gives a good overview of all open ports, services, and potential weaknesses.

We can also detect the OS of the target IP:

nmap -O <target-IP>

C:\Program Files (x86)\Nmap>nmap -O <target-IP>
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10
Nmap scan report for pool-00-00-00-IP.2ndlvl.sub.domain.tld (<target-IP>)
Host is up (0.0027s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
4567/tcp open  tram
Device type: general purpose|router
Running: Linux 5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds

C:\Program Files (x86)\Nmap>

The scan could give us insight into specific vulnerabilities or exploits that have been discovered for the OS the target is running. This is one of the reasons companies put out system updates; it's not just about feature improvements and money all the time! We don't know it all when it comes to the fast-paced world today, so staying up to date with the latest tech news can help us stay ahead of the game.

Real-World Use Case

Let's implement a use case right now. We're going to use Python to automate Nmap. Check to see if you have Python installed and, if not, install it.

python --version
Python 3.12.6

Then we'll install the python-nmap library to interact with Nmap through Python.

pip install python-nmap


Collecting python-nmap
  Downloading python-nmap-0.7.1.tar.gz (44 kB)
  Preparing metadata (setup.py) ... done
Building wheels for collected packages: python-nmap
  Building wheel for python-nmap (setup.py) ... done
  Created wheel for python-nmap: filename=python_nmap-0.7.1-py2.py3-none-any.whl size=20679 sha256=<sha256-hash>
  Stored in directory: <project-path>\wheels\06\fc\d4\7e1d92e69618820872ea0abf9
Successfully built python-nmap
Installing collected packages: python-nmap
Successfully installed python-nmap-0.7.1

Make a Python file (nmap_scan.py):


import nmap

nm = nmap.PortScanner()

# Define the target
target = '<target-IP>'

# SYN scan of ports 1-100 (a SYN scan needs root/administrator privileges)
nm.scan(target, '1-100', '-sS')

for host in nm.all_hosts():
    print(f'Scanning host: {host}')
    for proto in nm[host].all_protocols():
        print(f'Protocol: {proto}')

        # Ports found for this protocol, printed in numeric order
        lport = sorted(nm[host][proto].keys())
        for port in lport:
            print(f'Port: {port}, State: {nm[host][proto][port]["state"]}')



Run the script

<file-path>Scripts>python nmap_scan.py
Scanning host: <target-IP>
Protocol: tcp
Port: 53, State: open
Port: 80, State: open

The script works, and it gives us an avenue to scale up operations and even automate them if we would like. We can work much faster this way. Let's use something like a Raspberry Pi to host the automated scans. Perhaps we are doing some Red Teaming Ops.

Automating Scans

Enable ssh on your device if it isn’t already enabled. I enabled mine for this demo:

sudo raspi-config

Option 3: Interface Options

I1 SSH

sudo systemctl enable ssh
sudo systemctl start ssh

Now connect to the IP. If you forgot the IP, run ipconfig or ifconfig. The next command copies your script from your computer to your device over SSH (scp):


ssh <your-username>@<raspberry-pi-ip>

scp /path/to/nmap_scan.py <your-username>@<raspberry-pi-ip>:~/

Check for the file on your device after the transfer.

ls 

Next we'll make sure our Pi is up to date, and that both Python and python-nmap are installed and updated as well.

sudo apt-get update

sudo apt-get install python3

pip3 install python-nmap

When I tried pip3 install python-nmap on my device I got an externally-managed-environment error. My Pi runs Raspberry Pi OS for this demo and its Python environment is managed by the system package manager. I'm going to use a virtual environment to solve this.

In my home directory I enter the following commands to create a virtual environment, activate it, and finally install packages inside it:

python3 -m venv myenv

source myenv/bin/activate

pip install python-nmap

It now runs for me with no problems. The package is installed inside the virtual environment I created, which is isolated from the system-wide environment. Before we run the script, we need to make sure nmap is installed on this second device of ours.


sudo apt-get install nmap

nmap --version

Now on to running it on the Pi. I got an error due to privilege requirements (the SYN scan needs root). If you encounter this, run the script with root privileges and use the full path to the Python interpreter if using a virtual environment.

sudo ~/myenv/bin/python3 nmap_scan.py


Scanning host: <target-IP>
Protocol: tcp
Port: 53, State: open
Port: 80, State: open

Next up is automating this task. Open up the cron editor. I'm going to use the nano editor to schedule the script to run at the top of every hour. Additionally, I'll log the output of the cron job.

sudo crontab -e

0 * * * * /home/<your-username>/myenv/bin/python3 /home/<your-username>/nmap_scan.py >> /home/<your-username>/logs/nmap_scan.log 2>&1

Save and exit the file. Make the log directory if it doesn’t exist yet. To see results instantly instead of waiting for the cron job to run on schedule, you can run the script now and check out the logs. I'll run it a couple of times.

sudo /home/<your-username>/myenv/bin/python3 /home/<your-username>/nmap_scan.py >> /home/<your-username>/logs/nmap_scan.log 2>&1

cat /home/<your-username>/logs/nmap_scan.log

It stored both runs in the log, but I would like to add more information to differentiate each run. I'll add a timestamp for each entry.

sudo nano /home/<your-username>/logs_nmap_scan.sh

Put this in for the script:

#!/bin/bash
# Write a timestamp header, then append the scan output (stdout and stderr) to the same log
echo "----- $(date) -----" >> /home/<your-username>/logs/nmap_scan.log
/home/<your-username>/myenv/bin/python3 /home/<your-username>/nmap_scan.py >> /home/<your-username>/logs/nmap_scan.log 2>&1

Make the script executable, run it, and test it out:

sudo chmod +x /home/<your-username>/logs_nmap_scan.sh

sudo /home/<your-username>/logs_nmap_scan.sh

cat /home/<your-username>/logs/nmap_scan.log

Now we edit the crontab:

0 * * * * /home/<your-username>/logs_nmap_scan.sh

Test the cron job again

sudo /home/<your-username>/logs_nmap_scan.sh

cat /home/<your-username>/logs/nmap_scan.log

We have the timestamp function and we can monitor the periodic cron job runs! You can see the first automated scan running in the log below:

----- Sat  Oct 14:45:48 EDT 2024 -----
Scanning host: <target-IP>
Protocol: tcp
Port: 53, State: open
Port: 80, State: open
----- Sat  Oct 14:46:17 EDT 2024 -----
Scanning host: <target-IP>
Protocol: tcp
Port: 53, State: open
Port: 80, State: open
----- Sat  Oct 15:00:01 EDT 2024 -----
Scanning host: <target-IP>
Protocol: tcp
Port: 53, State: open
Port: 80, State: open
----- Sat  Oct 15:16:36 EDT 2024 -----
Scanning host: <target-IP>
Protocol: tcp
Port: 53, State: open
Port: 80, State: open
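As an added example (not part of the original post), here is a small Python script that reads the log format above and reports which ports opened or closed between consecutive runs, which is the kind of anomaly this logging is meant to surface. The embedded sample log is constructed (host 192.0.2.10 and the dates are made up); pass the path of the real nmap_scan.log as the first argument to check your own runs.

```python
import re
import sys

# Constructed sample (not a real capture) in the format the cron job writes:
# a "----- <date> -----" header, then the nmap_scan.py output for that run.
SAMPLE_LOG = """\
----- Mon Oct  7 14:00:01 EDT 2024 -----
Scanning host: 192.0.2.10
Protocol: tcp
Port: 53, State: open
Port: 80, State: open
----- Mon Oct  7 15:00:01 EDT 2024 -----
Scanning host: 192.0.2.10
Protocol: tcp
Port: 53, State: open
Port: 4567, State: open
"""

HEADER_RE = re.compile(r"^----- (?P<ts>.+?) -----$")
PROTO_RE = re.compile(r"^Protocol: (?P<proto>\w+)$")
PORT_RE = re.compile(r"^Port: (?P<port>\d+), State: (?P<state>\w+)$")

def parse_runs(log_text):
    """Split the log into runs; return a list of (timestamp, {"proto/port", ...}) of open ports."""
    runs, proto = [], "tcp"
    for line in log_text.splitlines():
        if m := HEADER_RE.match(line):
            runs.append((m.group("ts"), set()))
        elif m := PROTO_RE.match(line):
            proto = m.group("proto")
        elif (m := PORT_RE.match(line)) and runs and m.group("state") == "open":
            runs[-1][1].add(f"{proto}/{m.group('port')}")
    return runs

def port_changes(runs):
    """Compare each run with the previous one and report ports that opened or closed."""
    by_number = lambda e: (e.split("/")[0], int(e.split("/")[1]))  # sort tcp/80 before tcp/4567
    changes = []
    for (_, before), (ts, after) in zip(runs, runs[1:]):
        opened = sorted(after - before, key=by_number)
        closed = sorted(before - after, key=by_number)
        if opened or closed:  # only deviations from the previous run are worth a look
            changes.append({"timestamp": ts, "opened": opened, "closed": closed})
    return changes

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for c in port_changes(parse_runs(text)):
        print(f"{c['timestamp']}: opened={c['opened']} closed={c['closed']}")
```

On the sample, the second run reports tcp/4567 opened and tcp/80 closed; an unchanged run produces no output at all, so anything printed is something to investigate.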

Summary

Whichever methods or solutions you want to implement can depend on your environment. We can get as detailed and meticulous as needed. If an office is using multiple networks, we would obviously scale this up further in that scenario. Furthermore, automated logging can help with compliance, incident investigation, and identifying any anomalies in the typical day-to-day. This is the groundwork for monitoring a network for defense or even offense.

Future Goals

I'd like to return to this same project and make it more user friendly to start up for someone unfamiliar with the terminal and its commands, possibly with some visuals. An easy-to-read export of the logs to a CSV file could be useful to add too.