Key Nmap Commands and Basic Concepts

The fun in consistent learning is depriving me of writing down all I wish to share about my current engagements. It has been a week of intensive learning for me: taking Nmap lessons from TryHackMe sponsored by VTF University, and Network Enumeration with Nmap from HackTheBox (Dr. AITH) sponsored by CyberSafe Foundation.


This week I learned the use of Nmap, Hydra, Nessus, and Metasploit. I hope to write about each of these.

Briefly, here are a few key commands in Nmap.

  • nmap target // default Nmap scan
  • nmap -sn targets // just tell me whether the hosts are alive, but don't scan their ports
  • nmap -PR -sn targets // ARP scanning method to check live hosts without scanning ports. I think -sn means "no port scan" and -PR means the ARP scanning method
  • nmap -PP -sn target // -PP means host discovery with ICMP timestamp requests
  • nmap -PM target // check live hosts with ICMP address mask requests
  • nmap -PE target // ICMP echo requests to discover live hosts
  • sudo nmap -sU target // UDP scan. This sends UDP packets to check whether the host accepts them
  • nmap -PU target // UDP ping on the target
  • nmap -iL list_of_hosts.txt // imagine you already have a list of IP addresses saved in a file; you might like to scan them all
  • nmap -sT target // TCP connect port scan
  • sudo nmap -sU -F -v target // UDP scan of the 100 most common ports (-F, fast scan) with verbose output (-v) that tells us how the scan is going along
  • nmap -p22,80,443 target // scan those ports on the targeted address
  • nmap -p- target // scan all 65535 ports
  • sudo nmap -sS --traceroute target // SYN scan and trace the routers between you and the target
  • sudo nmap -O target // detect the OS of the target
  • sudo nmap -sV target // gives the version of each service on the target's system
  • sudo nmap -sS -sC target // SYN scan plus the default NSE scripts. Scripts can also be used to brute-force, exploit vulnerabilities, discover hosts, etc.


Let me stop here. Don't hesitate to add your own in the comment section.


Nmap, short for Network Mapper, is a vital scanning tool for pentesters. Just from the syntax, you can almost immediately guess what a command will do. My week's learning on TryHackMe included:

  • Nmap Live Host Discovery
  • Nmap Basic Port Scans
  • Nmap Advanced Port Scans
  • Nmap Post Port Scans


Just as you can't carry your hooks to any stream and start fishing, you can't just start scanning for ports on a network.


First, check which systems are up and which are down. This will prevent you from wasting your time. Then go further and check the services running on each system. By services here I mean whether we could log in to the target system using SSH, transfer files using FTP, connect via telnet, or even browse the target's web site by connecting to HTTP. Now I know what it means when I hear 'ports'.
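The two-stage workflow this paragraph describes, written out as an added shell example that is not code from the original post: it parses Nmap's greppable output (-oG) so that only the hosts found alive by the -sn sweep are fed to the port and version scan, and it is exercised on constructed sample output so it runs offline. The sample addresses and the file name live.txt are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the two-stage workflow
# described above (find live hosts first, then scan only those for ports
# and service versions), chained through Nmap's greppable output (-oG -).
# The parsers are exercised on constructed sample output below, so nothing
# needs a network or root until scan_network is actually called.

# Stage 1: read "nmap -sn -oG -" output and print only the addresses
# whose Status field is Up, one per line.
live_hosts() {
    grep 'Status: Up' | awk '{ print $2 }'
}

# Stage 2: read "nmap -sS -sV -oG -" output and print "host port/proto
# service" for every open port. Each -oG Ports entry has the layout
# port/state/proto/owner/service/rpc/version/ (Nmap replaces any slash
# inside a value with |, so splitting on / is safe).
open_ports() {
    awk -F "$(printf '\t')" '/Ports:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        ports = $2; sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open") print host, f[1] "/" f[3], f[5]
        }
    }'
}

# Constructed sample of what "nmap -sn -oG -" prints (addresses assumed).
sample_discovery() {
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.7 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.9 ()\tStatus: Down\n'
}

# Constructed sample of what "nmap -sS -sV -oG -" prints for two hosts.
sample_ports() {
    printf 'Host: 192.168.1.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 53/open/udp//domain///\n'
}

# The real run: live hosts from the sweep go to live.txt (assumed file
# name) and are fed back to the port scan with -iL, as in the post.
scan_network() {
    nmap -sn -oG - "$1" | live_hosts > live.txt
    sudo nmap -sS -sV -oG - -iL live.txt | open_ports
}
```

Source the file and call scan_network with the range to sweep; the SYN scan needs raw sockets, hence the sudo.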


Take for instance a big house (the system) with doors (FTP), windows (HTTP), ceilings (SSH), floors (telnet) and fences (firewalls), and fierce masquerades outside. Ideally, everything should be locked. The features of our house are the various 'ports'. The masquerades are the hackers and threat actors out there. Imagine you forgot to lock one of the windows. That simply means the port is open!


This is what port scanning does: checking whether the house is locked or not. Which side is open? Is the key to the house a good one (was a strong password used)? Checking first whether anyone is home at all, however, is referred to as discovering live hosts.

There are different methods to scan for these ports:

  • ARP scan
  • ICMP scan
  • TCP/UDP scan


ARP refers to Address Resolution Protocol. Each system in a network has two identifiers: an IP (logical) address and a MAC (hardware) address. Imagine you have two names. One is a nickname (the IP address) and the other is your baptismal or birth name (the MAC address).


You like using your nickname everywhere, but when you want to collect a special gift, to avoid any mix-up, you ask that it be directed to you in particular using your birth name. This is simply what the IP address and the MAC address do. In a network, once there is a packet for the IP address of a particular system, that system responds quickly with its MAC address to claim the packet.


But what if a kidnapper pretends to have a gift for you, calls you by your nickname, and you, innocently and quickly, shout out your real name so that the rest of your friends won't take the gift from you?

This is part of what an ARP scan does.


As a penetration tester, you can use Nmap to carry out an ARP scan to detect all those hidden hosts on your local network.


ICMP scan: ICMP refers to Internet Control Message Protocol. This is a method of checking whether the systems in the network can communicate, and also how fast they can communicate. Scanning with this protocol means relying on the ping request and reply to detect live hosts. If you ping a system in a network using an echo request and the host replies, it means the host is up.

An echo request in this sense is the same as calling someone's name to know whether they are dead, asleep, alive, or unresponsive. If the host is up, it replies with an echo reply. However, these request and reply messages are sometimes blocked by firewalls.


Another type of Nmap scan is the TCP/UDP scan.

The TCP scan is often seen as the SYN scan. A pentester using Nmap can probe a port by starting a TCP three-way handshake with the target system. You can get an idea of the three-way handshake by reading my previous article.



Note that your scanning can be loud and easily detected depending on its timing. Hence, you can make the scan go slow and stealthy, or very aggressive and intrusive with the 'insane' timing. The timing templates (-T0 to -T5) are:

  • -T0 paranoid
  • -T1 sneaky
  • -T2 polite
  • -T3 normal
  • -T4 aggressive
  • -T5 insane


Here is a pinch of what I have been up to.

Lots of thanks to Confidence Staveley and Dr. Victor Monga for these privileges and for giving me the space to become wiser.


#tryhackme #hackthebox #nmap #traceroute #cybersecurity #pentesting #penetrationtesting #redteaming #networkscanning #networksecurity #tcp #udp #icmp #cl #virtuallytestingfoundation #cybersafe

Daniel Niamien

IT Security and Networks student

1 year

Thank you Confidence Daniel
