Scanning and identifying services with Nmap

Nmap is probably the most used port scanner in the world. It can be used to identify live hosts, scan TCP and UDP open ports, detect firewalls, get versions of services running in remote hosts, and even, with the use of scripts, find and exploit vulnerabilities.

In this recipe, we will use Nmap to identify all the services running on our target application's server and their versions. We will do this in several calls to Nmap for learning purposes, but it can be done using a single command.

Getting ready

All we need is to have our vulnerable_vm running.

How to do it...

1. First, we want to see if the server is answering to a ping or if the host is up:

   nmap -sn 192.168.56.102
   

   
2. Now that we know that it's up, let's see which ports are open:

   nmap 192.168.56.102
   

   
3. Now, we will tell Nmap to ask the server for the versions of services it is running and to guess the operating system based on that.

   nmap -sV -O 192.168.56.102
   

   
4. We can see that our vulnerable_vm has Linux with kernel 2.6 with an Apache 2.2.14 web server, PHP 5.3.2, and so on.

How it works...

Nmap is a port scanner, this means that it sends packets to a number of TCP or UDP ports on the indicated IP address and checks if there is a response. If there is, it means the port is open; hence, a service is running on that port.

In the first command, with the -sn parameter, we instructed Nmap to only check if the server was responding to the ICMP requests (or pings). Our server responded, so it is alive.

The second command is the simplest way to call Nmap; it only specifies the target IP address. What this does is ping the server; if it responds then Nmap sends probes to a list of 1,000 TCP ports to see which one responds and then reports the results with the ones that responded.

The third command adds the following two tasks to the second one:

• -sV asks for the banner—header or self identification—of each open port found, which is what it uses as the version
• -O tells Nmap to try to guess the operating system running on the target using the information collected from open ports and versions

There's more...

Other useful parameters when using Nmap are:

• -sT: By default, when it is run as a root user, Nmap uses a type of scan known as the SYN scan. Using this parameter we force the scanner to perform a full connect scan. It is slower and will leave a record in the server's logs but it is less likely to be detected by an intrusion detection system.
• -Pn: If we already know that the host is alive or is not responding to pings, we can use this parameter to tell Nmap to skip the ping test and scan all the specified targets, assuming they are up.
• -v: This is the verbose mode. Nmap will show more information about what it is doing and the responses it gets. This parameter can be used multiple times in the same command: the more it's used, the more verbose it gets (that is, -vv or -v -v -v -v).
• -p N1,N2,…,Nn: We might want to use this parameter if we want to test specific ports or some non-standard ports, where N1 to Nn are the port numbers that we want Nmap to scan. For example, to scan ports 21, 80 to 90, and 137, the parameters will be: -p 21,80-90,137.
• --script=script_name: Nmap includes a lot of useful scripts for vulnerability checking, scanning or identification, login test, command execution, user enumeration, and so on. Use this parameter to tell Nmap to run scripts over the target's open ports. You may want to check the use of some Nmap scripts at: https://nmap.org/nsedoc/scripts/.

See also

Although it's the most popular, Nmap is not the only port scanner available and, depending on varying tastes, maybe not the best either. There are some other alternatives included in Kali Linux, such as:

• unicornscan
• hping3
• masscan
• amap
• Metasploit scanning modules