
How I Use NMAP in Penetration Testing Engagements

Written By Harris Andrea

As a network security engineer, among tens of other tasks, I also run security assessment and penetration testing projects.


One of the most popular and widely used network scanning tools is NMAP. It is one of the tools I use at the beginning of a penetration testing engagement, and it helps tremendously in identifying targets: live hosts, open ports, the services (and their versions) running on those hosts, possible vulnerabilities on those hosts (e.g. by running various NSE scripts) etc.

When doing network penetration testing, knowing which ports are open and which services are running on the target network is very important, as it helps to focus your attack scenarios. After all, if a host or network service is not even “visible” through the network, there is not much you can do in terms of remote attacks (client-side attacks are of course another story).

In this post I will describe a methodology (along with some useful NMAP commands) that I use at the beginning stages of a penetration testing project in order to discover targets and then proceed further in the ethical hacking engagement.

This is not a fixed approach, as it depends on the specific task, what information is known beforehand, whether the network under test is internal or external (i.e. whether the security test is performed from the Internet against public servers or from a LAN inside the corporate network) etc. I’m sure that every professional working in Infosec and security testing has a different approach, but this one has served me well in many engagements.

Table of Contents

  • Host Discovery with NMAP
    • Default Host Discovery with NMAP (not very accurate)
    • How I perform Host Discovery with NMAP
  • Create a list of Live Hosts
  • Perform Full Scan on Live Hosts
  • Further Analysis

Host Discovery with NMAP

If the target network is unknown and fairly large (for example several Class C IP subnets), you will need to focus your efforts on discovering live hosts, open ports etc.

The most thorough and comprehensive approach to find all live hosts and all available open ports on the target network is to scan ALL IP addresses and ALL possible ports (65535 ports, both TCP and UDP).

However, the above approach takes a considerable amount of time, and if you don’t have the luxury of waiting hours or days for the scan to complete, you must run more efficient host identification scans. Moreover, scanning everything is not a good idea if you want to be as stealthy as possible: massive scans usually get blocked by IPS devices, generate lots of alarms and logs etc.


Default Host Discovery with NMAP (not very accurate)

Before talking about how I do host discovery in my own projects, let’s first discuss the default host discovery mechanism used by NMAP.

This is the “ping sweep”, enabled with the -sn switch (host discovery only, no port scan).

Example:

nmap -sn 192.168.10.0/24

The above is the default host discovery by NMAP which sends the following packets to the targets (assuming you are running the tool with administrator or root privileges):

  • ICMP echo request (ping)
  • TCP Ping (SYN packet) to port 443
  • TCP Ping (ACK packet) to port 80
  • ICMP timestamp request.

The default host discovery method above might be good in internal networks where there are no firewalls etc. However, it is very inaccurate in other scenarios (e.g. scanning from the Internet to public systems protected by a firewall).

Assume for example there is an SMTP server listening on port 25 and located in a DMZ behind a firewall which allows only port 25 to that server and blocks everything else (whitelist approach).

The default host discovery above will not identify this server, because the ICMP packets and the probes to ports 80 and 443 are blocked by the firewall. Therefore we would miss an important live server on the target network.

How I perform Host Discovery with NMAP

This is my approach which balances speed and accuracy.

I use the -PS switch, which customizes the TCP SYN pings sent by nmap. Then I select a range of popular ports which are usually open on remote hosts.

Let’s see an example with a target network range of 100.100.100.0/24:

nmap -PS21-25,80,110,443,3306,3389,8000,8080,445,139 100.100.100.0/24

The above command does host discovery by sending TCP SYN packets to ports 21 through 25, 80, 110, 443, 3306, 3389, 8000, 8080, 445 and 139. A host that answers any of these probes with either a SYN/ACK or a RST is considered alive.

The above covers the most popular services running on machines, such as FTP, Telnet, email services, databases, Remote Desktop, web services, Windows SMB services etc.

I always send the results of the scan to a file as shown next:

nmap -PS21-25,80,110,443,3306,3389,8000,8080,445,139 -oA discoveredhosts 100.100.100.0/24

The -oA option creates three files with the base name “discoveredhosts”: discoveredhosts.nmap (normal text format), discoveredhosts.xml (XML format) and discoveredhosts.gnmap (grepable format).

The GNMAP file above will be used to create a list of live hosts as shown below.


Create a list of Live Hosts

Next I use a powerful Linux command (awk) to create a clean list of live IP addresses from the gnmap file created above.

# awk '/open/{print $2}' discoveredhosts.gnmap > liveIPaddresses.txt

The above command searches the gnmap file for lines containing “open” (an open port means the host is alive) and writes the IP address of each such host to the text file “liveIPaddresses.txt”. The action {print $2} prints the 2nd whitespace-separated field of each matching line, which in the gnmap format is the IP address of the live host.

The result is a list of live IP addresses (one per line).

Then we will use the list above to perform full port and service scanning.
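As an added example (not from the original post), the following POSIX shell script builds a constructed gnmap excerpt and extracts live hosts from it in two ways: the post's awk filter on “open”, and the gnmap “Status: Up” lines, which also catch hosts that nmap marked up but that show no open port (e.g. every probed port filtered). The hosts, hostnames and file paths are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed gnmap
# excerpt (made-up hosts and ports) and extracts live hosts from it.

# Write a constructed gnmap file to the path given as $1.
# 100.100.100.5 and .7 have open ports; .9 is up but all probed ports are
# filtered. Real gnmap files separate fields with tabs; spaces behave the
# same for awk's default field splitting.
make_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap scan initiated (constructed sample, not real output)
Host: 100.100.100.5 () Status: Up
Host: 100.100.100.5 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 100.100.100.7 (mail.example.test) Status: Up
Host: 100.100.100.7 (mail.example.test) Ports: 25/open/tcp//smtp/// Ignored State: filtered (999)
Host: 100.100.100.9 () Status: Up
Host: 100.100.100.9 () Ports: 445/filtered/tcp//microsoft-ds/// Ignored State: closed (999)
# Nmap done (constructed sample)
EOF
}

# The post's one-liner plus sort -u: hosts with at least one port reported
# "open" (this also matches "open|filtered"). Hosts whose probed ports are
# all filtered or closed never match and are left out.
hosts_with_open_ports() {
    awk '/open/{print $2}' "$1" | sort -u
}

# Every host nmap marked as up during discovery, whether or not a port was
# open. This is the safer source for a live-host list.
hosts_up() {
    awk '/Status: Up/{print $2}' "$1" | sort -u
}

# Hosts that are up but invisible to the "open" filter: worth a closer look
# during the full scan rather than being dropped. comm needs sorted input,
# which sort -u above already guarantees.
hosts_up_without_open_ports() {
    hosts_up "$1" > "$1.up"
    hosts_with_open_ports "$1" > "$1.open"
    comm -23 "$1.up" "$1.open"
    rm -f "$1.up" "$1.open"
}

# Write the live-host list (one IP per line) to the path given as $2, in the
# same shape the post feeds to nmap -iL.
write_live_list() {
    hosts_up "$1" > "$2"
}
```

Usage: `make_sample_gnmap sample.gnmap; hosts_up_without_open_ports sample.gnmap` prints 100.100.100.9, the host the plain “open” filter would have dropped.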

Perform Full Scan on Live Hosts

Assume that for the Class C network range 100.100.100.0/24 on which we performed host discovery there are 20 live IP addresses. These IPs are stored in the text file liveIPaddresses.txt, one per line.

Our next task is to execute a full port scan and service scan against the live hosts. The full scan now runs on ALL ports of the hosts, so that we discover additional services running on the targets.

Let’s see the complete command below:

nmap -p- -Pn -sS -A -iL liveIPaddresses.txt -oX fullscan.xml -oN fullscan.txt

  • -p- = This switch scans all 65535 ports.
  • -Pn = Disable host discovery. Port scan only.
  • -sS = TCP SYN port scan.
  • -A = Aggressive scan: detect both Operating Systems and service versions (it also runs the default NSE scripts and a traceroute, so it is noisier than a plain port scan).
  • -iL = Scan from the list of IP addresses in the text file.
  • -oX = write results of scan to XML file (useful for importing into NESSUS).
  • -oN = write results of scan to normal TXT file.

Further Analysis

Up to here we will have a good idea of the target network, services running, operating systems etc. Depending on the results I might perform further analysis using NMAP scripts but from now on we are mostly done with nmap.

The XML file of the scan results above (-oX) can be imported into NESSUS which is another excellent tool for vulnerability analysis and much more.

Although NESSUS has its own port scanning functionality, importing NMAP results might be better since nmap is dedicated to port scanning and does a better job in this area in my opinion.

So the above are the beginning stages of a penetration testing engagement. The exciting part starts after that with vulnerability identification, exploitation, gaining access etc., which I will leave for another post.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Ron Gilmore says

    January 3, 2019 at 5:54 pm

    I’m in the process of upgrading our ASA v9.7 and Anyconnect V4.3 to MFA using SecureAuth. Do you have any documentation that would aid in the endeavor? We currently are using DUO prior to switching to SecureAuth. Any docs on DUO implementation would be appreciated also.

  2. Harris Andrea says

    January 3, 2019 at 8:00 pm

    Ron,

    Unfortunately I don’t have any documentation on that. Never used SecureAuth or DUO. Sorry about that.
