Nmap is a very helpful tool for scanning and mapping networks and for finding active hosts and services. It is also used to discover the hosts in a network and identify their operating systems. Another feature of Nmap is that it can perform a vulnerability scan. For these reasons it is used in the Information Gathering phase of a pentest.
The Nmap guide can be found on the official Nmap page.
Its basic options are:
where IP is either the exact IP address of the target machine to scan for open ports, or an entire network (which can also be written in CIDR notation). For example:
for a single IP.
for an entire network.
The main Nmap options are:
- List Scan: simply list the targets to scan.
- Ping Scan: disable the port scan.
- Treat all hosts as online: skip host discovery.
- TCP SYN (Stealth) scan.
- TCP Null scan.
- IP protocol scan.
- Probe open ports to determine service/version info.
- Enable OS detection.
- Guess the OS more aggressively.
- Specify ports, for example -p80,443 (only ports 80 and 443) or -p0-65535 (ports from 0 to 65535).
But Nmap also has powerful features such as the NSE (Nmap Scripting Engine). It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts), and the results are integrated into Nmap's normal and XML output. Some of the tasks that scripts cover are, for example:
- Network discovery
- More sophisticated version detection
- Vulnerability detection
- Backdoor detection
- Vulnerability exploitation
Scripts are written in the embedded Lua programming language. An example of a “Vulnerability detection” script is smb-vuln-ms17-010, which detects whether a Microsoft SMBv1 server is vulnerable to the remote code execution vulnerability ms17-010 (a.k.a. EternalBlue). The corresponding Nmap command could be:
nmap -p445 --script smb-vuln-ms17-010 <IP>
The list of all “Vulnerability detection” scripts can be found on the official Nmap page.
Another script, used to enumerate SMB shares, is smb-enum-shares. It uses the srvsvc.NetShareEnumAll MSRPC function and retrieves more information about each share using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked. A basic example of this script is:
nmap --script smb-enum-shares.nse -p445 <IP>
Finding open shares is useful in a pentest as it may be possible to access them (or some of them). In fact, after the list of shares is found, the script attempts to connect to each of them anonymously, which divides them into “anonymous”, for shares that the NULL user can connect to, and “restricted”, for shares that require a user account.
For complete information see the list of NSE script categories on the official Nmap page.
The Nmap options above are just small examples of Nmap's potential; if you want to go deeper, see the official Nmap documentation.
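The two SMB scripts above are usually run together, and the XML output mentioned earlier (-oX) is the easiest form to post-process. The following added example (not code from the original page or from the Nmap project) builds that combined command line and parses the resulting XML into the ms17-010 state and the anonymous/restricted share split; the XML sample is constructed in the shape of Nmap's script tables, and the element keys "state" and "Anonymous access" are assumed to match what the two scripts emit.

```python
"""Added example: run both SMB scripts in one Nmap pass and read back its XML."""
import shlex
import xml.etree.ElementTree as ET


def build_smb_scan(target, xml_out="smb-scan.xml", ports="445",
                   scripts=("smb-vuln-ms17-010", "smb-enum-shares")):
    """Return the argv for one Nmap run combining both SMB scripts; -Pn skips
    host discovery so a host that drops ping probes is still scanned."""
    return ["nmap", "-Pn", f"-p{ports}", "--script", ",".join(scripts),
            "-oX", xml_out, target]


def parse_smb_results(xml_text):
    """Map each host to its ms17-010 state and its anonymous/restricted shares.
    A share counts as 'anonymous' when the NULL session got any access level."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        entry = {"ms17-010": "not tested", "anonymous": [], "restricted": []}
        for script in host.iter("script"):  # covers hostscript and port scripts
            if script.get("id") == "smb-vuln-ms17-010":
                state = script.find(".//elem[@key='state']")  # assumed key name
                entry["ms17-010"] = state.text if state is not None else "unknown"
            elif script.get("id") == "smb-enum-shares":
                for share in script.findall("table"):  # one table per share
                    anon = share.find("elem[@key='Anonymous access']")  # assumed
                    restricted = anon is None or anon.text == "<none>"
                    entry["restricted" if restricted else "anonymous"].append(share.get("key"))
        results[addr] = entry
    return results


# Constructed sample in the shape of Nmap's XML script tables (not real scan data).
SAMPLE_XML = r"""<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><hostscript>
 <script id="smb-vuln-ms17-010" output="VULNERABLE">
  <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script>
 <script id="smb-enum-shares" output="shares">
  <table key="\\10.0.0.5\ADMIN$"><elem key="Anonymous access">&lt;none&gt;</elem></table>
  <table key="\\10.0.0.5\public"><elem key="Anonymous access">READ</elem></table>
 </script></hostscript></host>
<host><address addr="10.0.0.6" addrtype="ipv4"/><hostscript>
 <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
  <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table></script>
</hostscript></host>
</nmaprun>"""

if __name__ == "__main__":
    print(shlex.join(build_smb_scan("10.0.0.0/24")))
    for ip, info in parse_smb_results(SAMPLE_XML).items():
        print(ip, info)
```

On a real run, replace SAMPLE_XML with the contents of the -oX file written by the command that build_smb_scan() returns.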