Nmap

Nmap is a useful tool for mapping your target

1. Enumerate targets
2. Disover live hosts
3. Reverse-DNS lookup
4. Scan ports
5. Detect version
6. Detect OS
7. Traceroute
8. Scripts
9. Write output

Enumerate Targets

This first phase inolves scanning the entire network to see what devices are reachable.

NMAP can be supplied with:

• a list (example: nmap IP_ADDRESS_1 URL_2 IP_ADDRESS_3)
• a range (example: nmap 10.11.12.13-22)
• a subnet (example: nmap 10.11.12.13/24)
• an input file (example: nmap -iL list_of_targets.txt)

Host Discovery

For a local network nmap uses ARP requests (privleged user).

For an outside network nmap uses ICMP echo requests, TCP ACK on port 80, TCP SYN to port 443 (priveleged user).

For an outside network nmap uses TCP 3-Way Handshake to ports 80 and 443 (unpriveleged user).

By default nmap will use a ping scan to find live targets from the list and then will only scan those.

Important Flags for this Stage

• -sN: live host discovery without port scanning
• -PR: ARP scan only
• -PE: ICMP Echo (not always reliable as many firewalls block this)
• -PP: ICMP Timestamp request (live hosts will reply)
• -PM: ICMP Address Mask query (live hosts will reply)
• -PS: TCP/SYN Ping, sends SYN request to port 80 (or user specified) and initaties 3-Way handshake
• -PA: TCP/ACK Ping, sends ACK request to port 80 (or user specified) expecting a RST from open ports
• -PU: UDP Ping, will only get error message from CLOSED ports

Reverse-DNS Lookup

Not entirely sure.

Scan Ports