Nmap is one of the most used tools for network scanning. Its ease of use and effective installation with exceptional scanning options makes it popular in the IT industry. This article will give you a comprehensive understanding of the tool and let IT professionals, IT administrators and network administrators scan networks with ease to discover vulnerabilities.
What is Nmap?
Nmap is short for Network Mapper. This is a network discovery, network scanning and security auditing tool. It’s known for its simplicity and easy-to-remember flags that offer effective scanning tools. Nmap is widely used by network administrators to:
- Discover services along with their versions.
- Locate open ports and services.
- Monitor hosts.
- Get accurate packet routes to the target machine.
- Guess the operating system running on a target machine.
Nmap is a tool that can discover or diagnose services that are running on an Internet-connected system. Network administrators use it to identify potential security weaknesses and automate redundant tasks, such as monitoring the service.
Nmap is suitable for penetration testing of networked systems. Nmap offers the network details and also helps to identify the security vulnerabilities present in the system. Nmap is independent and runs on popular operating systems such as Windows, Mac and Linux.
Nmap Scan Types
A variety of scans can be performed using Nmap. Below are the types of scans.
Generally, a TCP scan is used to check and complete a three-way handshake between you and a chosen target system. A TCP scan is very noisy and can be detected with almost little to no effort. This is noisy because the services can log the sender's IP address and might trigger Intrusion Detection Systems.
UDP scans are used to check whether there is any UDP port up and listening for incoming requests on the target machine. Unlike TCP, UDP has no mechanism to respond with a positive acknowledgment. Therefore, there is always a chance for a false positive in the scan results.
Nevertheless, UDP scans are used to reveal Trojan horses that might be running on UDP ports or even reveal hidden RPC services. This type of scan may be slow because, in general, machines tend to slow down their responses to this kind of traffic as a safety measure.
This is another type of TCP scan. However, unlike a normal TCP scan, Nmap itself crafts a syn packet, which is the first packet that is sent to establish a TCP connection. Most importantly, the connection is never formed. Rather, the responses to these specially crafted packets are evaluated by Nmap to produce scan results.
ACK scans are used to know whether a particular port is filtered or not. This proves to be very helpful when trying to probe for firewalls and their current set of rules. Simple packet filtering will allow established connections, whereas a more sophisticated firewall might not.
FIN scans are also stealthy, like the SYN scan, but they send a TCP FIN packet instead. Most but not all computers will send an RST packet (reset packet) back if they get this input, so the FIN scan can show false positives and negatives. However, it may get under the radar of some IDS programs and other countermeasures.
Null scans are stealthy scans and what they do is as the name suggests: they set all the header fields to null. Normally, this is not a valid packet and a few targets will not know how to deal with such a packet. Such targets are generally some version of Windows and scanning them with NULL packets may end up producing unreliable results. On the other hand, when a system is not running Windows, this can be used as an effective way to get through.
These are also stealthy in nature. Computers running Windows will not respond to Xmas scans due to the way their TCP stack is implemented. The scan gets its name from the set of flags that are turned on within the packet that is sent out for scanning. XMAS scans are used to manipulate the URG, FIN and PSH flags that can be found in the TCP header.
RPC scans are used to discover machines that respond to Remote Procedure Call services (RPC). RPC allows commands to be run on a particular machine remotely under a certain set of connections.
RPC service can run on a wide range of different ports; therefore, it becomes hard to infer from a normal scan whether RPC services are running or not. Generally, it’s a good idea to run an RPC scan from time to time to find out where you have these services running.
IDLE scan is the stealthiest of all scans, as the packets are bounced off an external host. Control over the host is not necessary, but the host needs to meet a specific set of conditions. It is one of the more controversial options in Nmap since it only has use for malicious attacks.
Vulnerability discovery is an essential part of the remediation process. Taking the appropriate inventory of vulnerabilities is key to success. If you want to learn how to improve this process,, then check out Topia, a vulnerability management tool that helps CISOs as well IT managers make informed security decisions.