One of the most popular tools in infosec would have to be Nmap. Nmap is a Swiss Army knife of a tool when it comes to networking and is used by many more than just the infosec crowd. Network and Systems Administrators have come to rely on this tool to gather information about their environments.
At its heart, Nmap is a port scanning tool but it’s capable of much more than just that. Since this tool has become such a staple in the industry, I thought it would be good to give a quick intro to the tool and even some tips on how to use it to improve security.
Installation of the tool is very straight forward for both Windows and Linux. For Windows users, simply go to https://nmap.org/download.html and download the setup.exe file. The current version as of writing is 7.80 which would make the file “nmap-7.80-setup.exe”. Once the download is finished you can run the executable and follow the prompts from there - the default options can generally be used without issue.
I will be primarily focusing on the Windows experience, but Linux users can simply use the appropriate package manager for your operating system to install Nmap. Windows users will now have a program called Zenmap. This is simply a graphical front end for Nmap but it accepts the same input that the command line uses. The generic usage of the command uses the format nmap <ip address or range/hostname>. The ip range should be presented in cidr notation such as 10.0.0.0/24 or alternatively hostnames can be used. There are more options possible for providing targets such as a file or list which can be found in the documentation https://nmap.org/book/man.html. The basic example that we will use will look like this:
So, now that we have Nmap, what can we use it for? One useful way to use it is for asset discovery. To do this we don’t want to use the default mode, which scans the 1000 most commonly used ports of each host discovered. While this may be informative - it will add a significant amount of time to the scan and with a large environment this amount can take several hours or even days to scan. Fortunately, Nmap has a switch for that. By adding a “-sn” to the command it will run a ping scan and return a list of live hosts on the provided target list. Running the command will look like this:
Another useful feature is the core port scanning functionality. This scan will show what ports are open and may have services running on them. This information can be used to identify or confirm the services that are running on a system. Beyond that, it can allow you to spot rogue or malicious activity on a host.
For instance, if you spot port 8333 open, there might be a bitcoin miner running. However, by default Nmap will scan the 100 most popular ports and we might want to scan more than that. Using the “-p” switch specific ports and port ranges can be specified. Adding “-p 1-65535” will scan all ports. The command would look like this:
Expanding on port scanning, an option that you can add is version checking. This can help you identify out of date software that needs to be patched. This is done with the “-sV” switch. Making the command:
The last option that I want to go over is the ability to do some basic vulnerability scanning. This command uses the switch “--script vuln”. This will do some basic tests to identify any known vulnerabilities on the target system. This scan is low impact and likely will not cause any problems, but still the possibility exists that it will cause issues and possibly disrupt services of the targets. That is why when doing this generic scan, you should specify an individual target and probably not an entire network. This command would look like:
There are more targeted vulnerability scans that can be used across an entire network. The last command I will leave you with is something that should be ran across every network possible. It will target a specific service running on port 445. This is the Windows SMB port used for things like Windows file sharing. This is the exploitation path used by an attack named Eternal Blue, an extremely potent exploit that caused the WannaCry ransomware outbreak of 2017. This vulnerability is commonly found unpatched and used to attack an entire network. This last command can identify a dangerous hole in security that is easily corrected by simple Windows updates. Go run in today.
Nmap can be a very useful tool and I hope this was a nice intro to the different ways you can use it to improve security at your organization.