With ethical hacking and penetration testing becoming mainstream in corporate environments, trained personnel and the right tooling are in high demand. The right tool can be the tipping point in an engagement against a complex environment, and one tool that has been a mainstay for decades is Nmap. When it comes to scanning machines for open ports and services, Nmap is the first choice for most testers. This tutorial answers the question 'what is Nmap' and walks budding ethical hackers through their first network mapping exercise.
It starts with a few basics of ethical hacking. To understand what Nmap is and where it is most useful, you first need the basic workflow a penetration tester follows, which is divided into the phases of ethical hacking.
Phases in Ethical Hacking
There are five distinct phases in an ethical hacking campaign.
- Reconnaissance: This phase gathers information about the target before any attack begins. The tester collects details such as leaked or old passwords, names of key employees, domain names and other network data that will guide the later steps.
- Scanning: During this stage, the tester probes the target directly for hostnames, live IP addresses, open ports and running services. Port scanners and network mappers such as Nmap do most of the work here.
- Gaining Access: Using the weaknesses exposed in the first two phases, the tester tries to exploit them, typically aiming for administrator access. A payload is delivered to a vulnerable service over the network, a subnetwork or a connected device to obtain a foothold on the system.
- Maintaining Access: The tester keeps probing the compromised system for further flaws and escalates privileges to see how much control an attacker could obtain once inside. One common method of keeping that access for later is to plant a backdoor.
- Clearing Tracks: After gaining access and escalating privileges, the tester hides the evidence of the intrusion, for example by deleting sent emails, server log entries and temporary files, and by checking for any login alerts the compromised account or its email provider may have raised.
According to the hacking flow, Nmap finds the most value in the first two stages, where reconnaissance and scanning gather information about the target.
Now that you understand where Nmap is most used, you will look at what is Nmap from a layman’s perspective.
What Is Nmap?
Nmap, short for Network Mapper, is an open-source network scanning and security auditing tool written by Gordon Lyon (Fyodor). It is designed to scan huge networks quickly as well as single hosts. Network administrators use it to inventory the devices currently active on a network, the ports those devices are listening on, and the services behind those ports.
Nmap is particularly helpful during network penetration testing. It not only maps the network but also helps uncover security issues on the hosts it finds. Nmap is platform-agnostic and runs on all common operating systems, including Linux, Windows, macOS and BSD. It is straightforward to use from the command line (CLI), and the companion Zenmap program provides a graphical user interface (GUI).
Some of the tasks that Nmap can carry out are:
- Discovering live hosts on a network
- Finding open ports on a target host
- Detecting the services running on a system along with their version numbers, and fingerprinting the operating system
- Uncovering known vulnerabilities and misconfigurations with the Nmap Scripting Engine (NSE)
Now that you have an idea about what is Nmap, understand how Nmap works during the penetration testing process.
How Does Nmap Work?
Scanning a network with Nmap is a three-step process: Nmap sends probes, collects the replies and turns them into per-port states; interpreting those states is left to the ethical hacker. The phases are:
- Sending Requests: Nmap crafts raw IP packets (or, without raw-socket privileges, ordinary TCP connections) to discover which hosts on the network are up and which ports on them are reachable. Depending on the probe type, a conforming host is expected to answer in a specific way.
- Receiving Replies: The target's responses reveal the state of each port. For a TCP SYN probe, a SYN/ACK means the port is open and a RST means it is closed; no response at all (or an ICMP unreachable error) means a firewall is dropping the probe, which Nmap reports as filtered.
- Analyzing Responses: Once Nmap has classified the ports, the tester reviews the open ports and the services behind them for vulnerable versions or misconfigurations. Only then can one move to the third phase of ethical hacking, gaining access to the target machine.
In our next section of this tutorial on what is Nmap, you will cover the variety of scans that can be run on Nmap, with each serving a distinct purpose.
Modes of Operation
- Ping sweep (-sn, formerly -sP): Host discovery only, with no port scan. Nmap sends ICMP echo requests plus a few TCP and ICMP timestamp probes (ARP requests on a local Ethernet segment) and lists the addresses that answer. It is the quick way to find out how many hosts on a subnet are live.
- SYN scan (-sS): The default scan when run as root. Nmap sends a TCP SYN to each target port. A SYN/ACK reply means the port is open (Nmap answers with a RST rather than completing the handshake, hence 'half-open'), a RST means it is closed, and no reply or an ICMP unreachable error means it is filtered.
- TCP connect scan (-sT): Like the SYN scan, but it uses the operating system's connect() call and completes the three-way handshake. It needs no raw-socket privileges, which makes it the default for unprivileged users, but the fully established connection is more likely to show up in application logs and costs more per port.
- Idle scan (-sI <zombie>): A blind scan that bounces probes off a third-party 'zombie' host whose IP ID counter increments predictably. Nmap spoofs SYN packets from the zombie's address and infers each port's state from how the zombie's IP ID changes, so the target only ever sees traffic from the zombie. It requires an idle zombie with a predictable IP ID sequence.
- RPC scan (formerly -sR, now part of -sV): Sends SunRPC NULL commands to open ports to identify which RPC program and version is listening behind them, since RPC services are often bound to arbitrary ports.
- Window scan (-sW): Not Windows-specific. It sends ACK packets like an ACK scan but examines the TCP window field of the RST replies: on some older systems a non-zero window means open and a zero window means closed. On most modern stacks every port looks the same, so it is unreliable.
- FTP bounce scan (-b): Abuses the FTP PORT command on an FTP server that allows proxied connections, making the server connect to arbitrary hosts and ports on the scanner's behalf. It lets a tester scan hosts behind the FTP server, which is why modern FTP servers disable this feature.
- UDP scan (-sU): Sends UDP datagrams to each port. An ICMP port-unreachable reply means closed, a UDP reply means open, and no reply means open|filtered, because many UDP services answer only to well-formed requests. It is slow due to ICMP rate limiting but essential for services such as DNS, SNMP and DHCP.
- FIN scan (-sF): Sends a packet with only the FIN flag set. A standards-compliant host answers with a RST for a closed port and ignores the packet for an open one, so a RST means closed and no reply means open|filtered. It can slip past some stateless packet filters, but Windows and some other stacks send a RST for every port, so it cannot distinguish anything there.
- NULL scan (-sN): Sends a TCP packet with no flags set and is interpreted exactly like the FIN scan (the Xmas scan, -sX, sets FIN, PSH and URG together). It works against Unix-like systems but not Windows, which replies with a RST regardless of port state, making every port look closed.
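Of the modes above, the TCP connect scan is the one you can reproduce without raw sockets, and it also shows the three-step send/receive/analyse cycle from the previous section in concrete terms. The block below is an added example, not code from this page or from the Nmap project: it opens one listener on 127.0.0.1 so the scan has a real open port, picks a port nothing is bound to as the closed case, and labels each probe result the way Nmap labels port states. The listener, the port choices and the one-second timeout are assumptions made for the example; only ever point a scanner at hosts you are authorised to test.

```python
"""Minimal TCP connect scan (Nmap's -sT) against a local listener.

Added example, not Nmap's code: it walks the send/receive/analyse cycle
using only the standard library, so it runs offline against loopback.
"""
import socket
import threading

HOST = "127.0.0.1"  # scan ourselves; never point this at hosts you are not authorised to test


def start_listener(host=HOST):
    """Bind an OS-chosen port and accept connections on a background thread, so the
    scan has one genuinely open port to find. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port(host=HOST):
    """Ask the OS for a free port and release it again, giving us a port that
    will answer with RST (connection refused) when probed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=1.0):
    """Steps 1 and 2: connect() sends the SYN and the kernel reports what came back.
       SYN/ACK (handshake completes)  -> open
       RST (ECONNREFUSED)             -> closed
       nothing within the timeout     -> filtered (dropped by a firewall, or host down)"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:  # e.g. host/network unreachable: no usable reply either
            return "filtered"


def connect_scan(host, ports, timeout=1.0):
    """Step 3: probe each port and collect the verdicts as {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    results = connect_scan(HOST, [open_port, closed_port])
    for port, state in sorted(results.items()):
        print(f"{port}/tcp\t{state}")
    srv.close()
```

Run the file directly and it prints one line per probed port. The 'filtered' branch is only reached when something silently drops the SYN; on the loopback interface every port answers, so the demo shows the open and closed cases. Note that the open probe completes a full handshake, which is exactly why a connect scan is easier for the target's application logs to spot than Nmap's half-open SYN scan.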
Alternatives to Nmap
Network administrators and security investigators can choose from many free network monitoring tools and open-source vulnerability scanners, but Nmap's versatility and capability make it a must-know tool for IT and network management.
Alternatives exist, although most focus on specific features that the typical system administrator does not need. masscan, for example, is much faster than Nmap but gathers far less detail per host. Nmap has the features and speed the ordinary user needs, especially when paired with other popular programs such as Netcat (for reading and writing raw network connections) and Zenmap (the official GUI for Nmap). Nmap is still the best all-around network scanning option for ethical hackers.
With the theoretical parts covered, go through a demonstration of Nmap scans and the results you receive from such scenarios.
Demonstration of Nmap Scans
- This demo uses Parrot Security OS, an operating system designed for penetration testers that comes with the essential tools pre-installed. Should you need to reinstall it, 'sudo apt install nmap' installs Nmap on Debian-based Linux distributions. Only scan machines you own or are explicitly authorised to test.
- Once the installation is complete, you can start with a basic host scan, which lists the live IP addresses on a single subnet. Find your own address and subnet with 'ip addr' (or the older 'ifconfig'), then run host discovery on it with the '-sn' flag, for example 'nmap -sn 192.168.1.0/24'. The older '-sP' flag still works but is deprecated in favour of '-sn'.
- A simple port scan of the 1,000 most common TCP ports, with the services usually found on them, can be carried out with 'nmap <target IP address>'.
- The operating system of the target host can be detected with the '-O' flag. This performs TCP/IP stack fingerprinting, which requires root or sudo privileges because it needs to send raw packets.
- To gather the version numbers of the services running on the target, use the '-sV' flag. Specific older versions of some software have known vulnerabilities that can be exploited once detected, so version information is where exploitation research usually starts.
- You can scan particular ports with the '-p <port number>' flag, multiple ports by separating them with commas like '-p 80,443', and ranges with a hyphen like '-p 1-1024'.
- In the next stage, connect to a lab network you are authorised to test and run a version scan against your target. If ports 139 and 445 (SMB) are open on a Windows host, you can check it for a well-known vulnerability in SMBv1, EternalBlue (patched by Microsoft in MS17-010); Nmap's own 'smb-vuln-ms17-010' NSE script reports whether the host is affected without exploiting it.
- Use Metasploit to run the exploit, and on a vulnerable host you obtain shell access to the target machine. The exploit was only an option because Nmap showed which hosts exposed the SMB ports; open ports alone do not prove a host is vulnerable, which is why the version check and the NSE script come first.
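Step three of the scan, analysing the responses, usually means parsing Nmap's output rather than reading it by eye, especially when a version scan covers a whole subnet. The block below is an added example and not code from this page or from the Nmap project: it parses the XML that Nmap writes with '-oX' and lists the hosts exposing SMB on 139/445, the ports the demo goes on to test. The sample document embedded in it is constructed for the example and mimics the shape of real Nmap output; the addresses, products and versions in it are invented.

```python
"""Parse Nmap XML (-oX) output and flag hosts exposing SMB.

Added example, not the page's or Nmap's code. SAMPLE_XML is a constructed
document shaped like real Nmap output (hosts, addresses, ports, states, services).
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 10.0.0.0/29` might write.
# Host addresses and service details are invented for the example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="closed" reason="reset"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

SMB_PORTS = {139, 445}


def parse_nmap_xml(text):
    """Return {ip: [(port, proto, state, service, product, version), ...]}
    for every host Nmap reported as up. Hosts that are down are skipped."""
    root = ET.fromstring(text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            entries.append((
                int(port.get("portid")),
                port.get("protocol"),
                state.get("state") if state is not None else "unknown",
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
        hosts[addr.get("addr")] = entries
    return hosts


def open_ports(hosts, ip):
    """Ports Nmap reported as open on one host (filtered and closed are excluded)."""
    return sorted(p for p, _, state, *_ in hosts.get(ip, []) if state == "open")


def smb_exposed(hosts):
    """Hosts with an SMB port open: the candidates for the MS17-010 check the demo runs next."""
    return sorted(ip for ip, entries in hosts.items()
                  if any(p in SMB_PORTS and state == "open" for p, _, state, *_ in entries))


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for ip, entries in hosts.items():
        for port, proto, state, name, product, version in entries:
            print(f"{ip}\t{port}/{proto}\t{state}\t{name}\t{product} {version}".rstrip())
    print("SMB exposed:", smb_exposed(hosts))
```

To use it on a real scan, pass the file contents instead of SAMPLE_XML, for example open('scan.xml').read() after 'nmap -sV -oX scan.xml <target>'. Note that only ports in state open count; 'open|filtered' from a UDP or FIN scan is a guess, not a confirmed listener. Nmap's own output can be trusted by the parser, but if the XML arrives from a third party, parse it with the defusedxml package rather than xml.etree to avoid entity-expansion attacks.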
With this, you have reached the end of the tutorial on what is Nmap.
Build your network security skill-set and beat hackers at their own game with the Certified Ethical Hacking Course. Check out the course preview now!
In this tutorial on what is Nmap, you learned how network mappers work and their various applications in the penetration testing industry. You covered the variety of scans Nmap can perform, looked at viable alternatives and walked through a live demonstration. Nmap is just one tool, however; many such tools and concepts form the backbone of ethical hacking.
Simplilearn provides a Post Graduate Program in Cyber Security that covers the topics new and seasoned ethical hackers need to become proficient, such as network sniffing, enumeration and risk evaluation, and prepares students for interviews and corporate careers. Because the information technology sector needs experienced cybersecurity workers, now is the time to begin learning about ethical hacking.
Do you have any queries or doubts regarding what is Nmap? Kindly share your thoughts and questions in the comment space provided below, and we will answer with solutions.