Penetration Testing Using Nmap: An In-Depth Guide
Introduction to Pentesting Using Nmap
Penetration testing (pentesting) is a critical aspect of cybersecurity, involving the simulation of cyber-attacks to identify vulnerabilities in networks, systems, and applications. One of the most widely-used tools for pentesting is Nmap (Network Mapper), an open-source utility for network discovery and security auditing. Developed by Gordon Lyon, Nmap is renowned for its versatility and extensive capabilities, including host discovery, service detection, operating system fingerprinting, and the powerful Nmap Scripting Engine (NSE) for automated vulnerability detection.
This article provides a comprehensive guide to using Nmap for penetration testing, detailing its features, techniques, and practical applications. We will explore various Nmap commands, delve into the Nmap Scripting Engine, and present real-world scenarios to illustrate how Nmap can be effectively used in modern pentesting efforts.
Overview of Nmap
Nmap is a powerful network scanning tool that provides detailed information about hosts and services on a network. It is capable of:
- Host discovery
- Port scanning
- Service enumeration
- OS detection
- Scriptable interaction with the target
Nmap’s versatility makes it suitable for a wide range of tasks, from simple network inventory to sophisticated pentesting operations.
Basic Nmap Commands
Before diving into advanced techniques, it’s essential to understand the basic Nmap commands that form the foundation of any pentesting activity.
Host Discovery
Host discovery is the process of identifying active hosts on a network. Nmap provides several options for host discovery:
- -sn (Ping Scan): Used to quickly identify which hosts are up.
  nmap -sn 192.168.1.0/24
- -Pn (No Ping): Assumes the host is up and skips the host discovery phase; use it when ICMP is blocked and a ping scan would wrongly report the host as down.
  nmap -Pn 192.168.1.100
Port Scanning
Port scanning is used to identify open ports and services on a target host. Common options include:
- -sS (TCP SYN Scan): A half-open scan that never completes the TCP handshake, so it is fast and less likely to appear in application logs; it needs raw socket privileges (root).
  nmap -sS 192.168.1.100
- -sT (TCP Connect Scan): Completes the full TCP handshake, so it works without privileges but is noisier.
  nmap -sT 192.168.1.100
- -sU (UDP Scan): Scans for open UDP ports. Because most UDP services do not answer empty probes, many ports are reported as open|filtered and the scan is much slower than a TCP scan.
  nmap -sU 192.168.1.100
Service Enumeration
Nmap can determine the services running on open ports using version detection:
- -sV: Detects service versions by probing open ports and matching the banners returned.
  nmap -sV 192.168.1.100
OS Detection
OS detection helps identify the operating system of the target:
- -O: Enables OS detection (needs raw packet privileges; a reliable fingerprint wants at least one open and one closed TCP port).
  nmap -O 192.168.1.100
Combining these options can provide a comprehensive overview of the target:
nmap -sS -sV -O 192.168.1.100
Advanced Nmap Techniques
Once the basics are mastered, pentesters can leverage Nmap’s advanced features to conduct more sophisticated assessments.
Timing and Performance
Adjusting the timing options can improve the efficiency of scans:
- -T0 to -T5: Specifies the timing template, with -T0 (paranoid) being the slowest and -T5 (insane) the fastest. -T4 is the usual choice on a reliable network; -T5 can drop probes and miss open ports.
  nmap -sS -T4 192.168.1.100
Stealth Scanning
Stealth scanning techniques help avoid detection by intrusion detection systems (IDS) and firewalls:
- -sA (ACK Scan): Used to map out firewall rules. It never reports a port as open; it only distinguishes filtered ports from unfiltered ones.
  nmap -sA 192.168.1.100
- -sN (Null Scan), -sF (FIN Scan), and -sX (Xmas Scan): Scan techniques that send unusual TCP packets to elicit responses from the target. They rely on RFC 793 behaviour (closed ports answer with RST, open ports stay silent), so against Windows and some other stacks every port appears closed.
  nmap -sN 192.168.1.100
  nmap -sF 192.168.1.100
  nmap -sX 192.168.1.100
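As an added detection-side example (not from the original article), the following Python classifies constructed TCP segment records by their flag combinations, flagging the Null, FIN and Xmas probes described above and bare SYNs spread across many ports; the record format and the IP addresses are invented for the demonstration.

```python
from collections import defaultdict

# Constructed sample of TCP segments seen at the target, as a sensor might
# log them: (src_ip, dst_ip, dst_port, tcp_flags). Flag letters follow the
# usual convention: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.168.1.100", 22, ""),       # -sN style probes
    ("198.51.100.7", "192.168.1.100", 80, ""),
    ("198.51.100.7", "192.168.1.100", 443, ""),
    ("198.51.100.9", "192.168.1.100", 22, "FPU"),    # -sX style probes
    ("198.51.100.9", "192.168.1.100", 25, "FPU"),
    ("198.51.100.9", "192.168.1.100", 80, "FPU"),
    ("198.51.100.9", "192.168.1.100", 443, "FPU"),
    ("198.51.100.11", "192.168.1.100", 80, "F"),     # -sF style probes
    ("198.51.100.11", "192.168.1.100", 443, "F"),
    ("203.0.113.50", "192.168.1.100", 443, "S"),     # ordinary HTTPS client
    ("203.0.113.50", "192.168.1.100", 443, "A"),
    ("203.0.113.50", "192.168.1.100", 443, "PA"),
]

def classify_flags(flags):
    """Name the scan probe a flag combination corresponds to, or None."""
    f = set(flags)
    if not f:
        return "null"          # no flags at all: never part of a real session
    if f == {"F", "P", "U"}:
        return "xmas"          # FIN+PSH+URG "lit up" segment
    if f == {"F"}:
        return "fin"           # FIN with no prior handshake
    if f == {"S"}:
        return "syn"           # legitimate opener, suspicious only in volume
    return None                # ACK/PSH/RST mixes are ordinary traffic

def find_scanners(packets, odd_min=2, syn_min=10):
    """Map source IP -> (probe kind, sorted target ports) for likely scanners.

    Null/FIN/Xmas segments are flagged after odd_min distinct ports because
    a well-behaved stack never sends them; bare SYNs need syn_min distinct
    ports before they look like -sS rather than normal clients.
    """
    probes = defaultdict(lambda: defaultdict(set))
    for src, _dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind:
            probes[src][kind].add(dport)
    alerts = {}
    for src, kinds in probes.items():
        for kind, ports in kinds.items():
            if len(ports) >= (syn_min if kind == "syn" else odd_min):
                alerts[src] = (kind, sorted(ports))
    return alerts
```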
Evading Firewalls and IDS
Nmap offers options to evade detection:
- -D (Decoy Scan): Uses decoy addresses to obscure the source of the scan; RND:10 generates ten random decoys alongside the real address.
  nmap -D RND:10 192.168.1.100
- --data-length: Appends random data to packets to evade detection.
  nmap --data-length 16 192.168.1.100
- -S (Spoof Source Address): Spoofs the source address. Replies go to the spoofed address, so Nmap cannot see results directly, and -e is usually needed to name the outgoing interface.
  nmap -S 192.168.1.200 192.168.1.100
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is a powerful feature that allows users to write and execute scripts to automate various networking tasks, including vulnerability detection, exploitation, and information gathering.
Using NSE Scripts
Nmap includes a large collection of scripts categorized into different groups:
- auth: Scripts related to authentication.
- broadcast: Scripts for network broadcast discovery.
- default: Basic scripts run by default.
- discovery: Network discovery scripts.
- dos: Denial of Service testing scripts.
- exploit: Scripts that exploit vulnerabilities.
- external: Scripts that interact with third-party services.
- fuzzer: Scripts for fuzzing.
- intrusive: Potentially disruptive scripts.
- malware: Scripts for detecting malware.
- safe: Non-intrusive scripts.
- version: Service version detection scripts.
- vuln: Vulnerability detection scripts.
To run specific NSE scripts or a whole category, use the --script option:
nmap --script vuln 192.168.1.100
Writing Custom NSE Scripts
Writing custom NSE scripts requires knowledge of the Lua programming language. Here’s a simple example of a custom NSE script:
```lua
-- Custom NSE Script: http-hello-world.nse
local nmap = require "nmap"

description = [[
A simple script that connects to an HTTP server and prints "Hello, World!".
]]
author = "Your Name"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}

-- Only run against an open TCP port 80.
portrule = function(host, port)
  return port.protocol == "tcp" and port.number == 80 and port.state == "open"
end

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)                     -- do not hang on a silent server
  local status, err = socket:connect(host.ip, port.number)
  if not status then
    return nil                                 -- no output if the connect fails
  end
  socket:send("GET / HTTP/1.1\r\nHost: " .. host.ip .. "\r\n\r\n")
  local ok, result = socket:receive_lines(1)   -- first line is the HTTP status line
  socket:close()
  if not ok then
    return nil                                 -- receive_lines returns (false, err) on failure
  end
  return "Hello, World! Received: " .. result
end
```
Save this script to the scripts directory (run nmap --script-updatedb afterwards so it is added to the script database with its categories) and run it with Nmap:
nmap --script http-hello-world 192.168.1.100
Real-World Scenario: Pentesting with Nmap
To illustrate the practical use of Nmap in penetration testing, let’s consider a real-world scenario involving a fictional company, “ExampleCorp.” Our goal is to perform an external pentest on ExampleCorp’s network to identify potential vulnerabilities.
Step 1: Reconnaissance and Host Discovery
First, we need to identify active hosts in the target network. We’ll perform a ping scan on the company’s IP range:
nmap -sn 203.0.113.0/24
Output:
Nmap scan report for 203.0.113.1
Host is up (0.0010s latency).
Nmap scan report for 203.0.113.5
Host is up (0.0020s latency).
Nmap scan report for 203.0.113.10
Host is up (0.0015s latency).
...
From the output, we identify several active hosts.
Step 2: Port Scanning and Service Enumeration
Next, we’ll perform a TCP SYN scan to identify open ports on one of the active hosts (203.0.113.10):
nmap -sS -sV 203.0.113.10
Output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
443/tcp open ssl/https OpenSSL 1.1.1
3306/tcp open mysql MySQL 5.7.33-0ubuntu0.18.04.1
The output shows several open ports and their associated services. We’ll focus on the web server (port 80) and the database server (port 3306).
Step 3: Vulnerability Detection with NSE
Using NSE scripts, we can check for known vulnerabilities. Let’s start with the HTTP server:
nmap --script "http-vuln*" 203.0.113.10 -p 80
Output:
PORT STATE SERVICE
80/tcp open http
| http-vuln-cve2017-5638:
| VULNERABLE:
| Apache Struts < 2.3.32 / < 2.5.10.1 Remote Code Execution Vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2017-5638
| Description:
| Apache Struts versions < 2.3.32 / < 2.5.10.1 suffer from a remote code execution vulnerability.
| Disclosure date: 2017-03-06
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
The scan reveals a critical remote code execution vulnerability in the Apache Struts framework.
Next, we’ll check the MySQL server for vulnerabilities:
nmap --script "mysql-vuln*" 203.0.113.10 -p 3306
Output:
PORT STATE SERVICE
3306/tcp open mysql
| mysql-vuln-cve2016-6662:
| VULNERABLE:
| MySQL 5.7.15 and earlier Privilege Escalation Vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2016-6662
| Disclosure date: 2016-09-12
| Description:
| MySQL before 5.7.15 allows remote authenticated users to execute arbitrary code or cause a denial of service via a crafted request.
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
The MySQL server is also vulnerable to a privilege escalation exploit.
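As an added example that is not part of the original article, here is a Python parser for Nmap's XML output (-oX) that turns the results of Steps 2 and 3 into a list of open services and positive NSE vulnerability findings; the embedded XML is constructed to mirror the scenario above (with one negative ssl-heartbleed result added so the filter is exercised) and is not real scanner output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap -oX) for the scenario host,
# cut down to the elements this parser reads; it is not real scanner output.
SAMPLE_XML = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/>
 <service name="http" product="Apache httpd" version="2.4.29"/>
 <script id="http-vuln-cve2017-5638" output="VULNERABLE (Exploitable)">
  <table key="CVE-2017-5638"><elem key="state">VULNERABLE (Exploitable)</elem>
  <elem key="title">Apache Struts Remote Code Execution</elem></table>
 </script></port>
<port protocol="tcp" portid="443"><state state="open"/>
 <service name="https" product="OpenSSL" version="1.1.1"/>
 <script id="ssl-heartbleed" output="NOT VULNERABLE">
  <table key="CVE-2014-0160"><elem key="state">NOT VULNERABLE</elem>
  <elem key="title">The Heartbleed Bug</elem></table>
 </script></port>
<port protocol="tcp" portid="3306"><state state="open"/>
 <service name="mysql" product="MySQL" version="5.7.33"/>
 <script id="mysql-vuln-cve2016-6662" output="VULNERABLE (Exploitable)">
  <table key="CVE-2016-6662"><elem key="state">VULNERABLE (Exploitable)</elem>
  <elem key="title">MySQL Privilege Escalation</elem></table>
 </script></port>
</ports></host></nmaprun>"""

VULN_STATES = ("VULNERABLE", "LIKELY VULNERABLE")   # positive states of the vulns library

def parse_findings(xml_text):
    """Return (open_services, vulnerable) lists from Nmap XML output."""
    root = ET.fromstring(xml_text)
    services, vulnerable = [], []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue                        # host never answered
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            num = int(port.get("portid"))
            svc = port.find("service")
            services.append((ip, num, svc.get("product", ""), svc.get("version", "")))
            # vulns-library scripts emit one <table> per vulnerability id whose
            # "state" elem starts with VULNERABLE only on a positive hit
            for script in port.findall("script"):
                for table in script.findall("table"):
                    state = table.find("elem[@key='state']")
                    if state is not None and state.text.startswith(VULN_STATES):
                        vulnerable.append((ip, num, script.get("id"), table.get("key")))
    return services, vulnerable
```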
Step 4: Exploitation
With vulnerabilities identified, the next step in a pentest would typically involve exploiting these weaknesses to gain access or escalate privileges. For ethical and legal reasons, we will not demonstrate actual exploitation, but tools like Metasploit can be used for this purpose in controlled environments where proper authorization has been obtained.
Modern Examples of Real-World Attacks
Heartbleed Vulnerability (CVE-2014-0160)
The Heartbleed vulnerability in OpenSSL was one of the most critical security flaws discovered in recent years. An attacker could exploit Heartbleed to read sensitive data from the memory of vulnerable systems.
To scan for Heartbleed using Nmap, we can use the ssl-heartbleed NSE script:
nmap -sV --script=ssl-heartbleed 203.0.113.10
Output:
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
| References:
| http://cvedetails.com/cve/2014-0160/
|_ http://www.openssl.org/news/vulnerabilities.html#2014-0160
EternalBlue Exploit (CVE-2017-0144)
EternalBlue is an exploit developed by the NSA and later leaked by the Shadow Brokers. It targets a vulnerability in Microsoft’s SMB protocol and was famously used in the WannaCry ransomware attack.
To detect systems vulnerable to EternalBlue, we can use the smb-vuln-ms17-010 script:
nmap -p445 --script smb-vuln-ms17-010 203.0.113.10
Output:
PORT STATE SERVICE
445/tcp open microsoft-ds
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (MS17-010).
| State: VULNERABLE
| IDs: CVE:CVE-2017-0144
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1 servers (ms17-010). Affected systems are vulnerable to the EternalBlue exploit, which was publicly released by the Shadow Brokers in April 2017.
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
Conclusion
Nmap is an indispensable tool for penetration testers, providing a comprehensive suite of capabilities for network discovery, service enumeration, and vulnerability detection. By mastering basic and advanced Nmap commands, leveraging the powerful Nmap Scripting Engine, and understanding real-world attack scenarios, pentesters can effectively identify and mitigate security risks.
Whether you are conducting a simple network inventory or a sophisticated penetration test, Nmap’s versatility, coupled with its extensive community support and continuous updates, ensures that it remains a cornerstone in the arsenal of cybersecurity professionals. As the landscape of cybersecurity threats evolves, tools like Nmap will continue to play a critical role in safeguarding networks and systems against emerging vulnerabilities.