Nmap : The Pentester’s One Step Shop to Network Domination

 Article by Houcem HACHICHA

Nmap is one of the best security tools in the world. It is free and open source, it is actively developed, and new features and improvements are added to it on a daily basis.
Nmap started out as a network port scanner. The tool was then extended to perform service and OS identification. With the addition of the Nmap Scripting Engine (NSE) back in 2008, Nmap is today capable of performing vulnerability scanning and even exploitation.
In this blog, I'll try to describe some of the Nmap capabilities that can be harnessed in black-box penetration testing.

Network Perimeter Identification with Nmap
Nmap has built-in traceroute capabilities. A classic traceroute using Nmap can be performed with the following command (replace <target> with the host or network to trace):
#nmap -Pn -sn --traceroute <target>


However, Nmap's traceroute is more effective when combined with port scanning: it then runs after the scan and picks the protocol/port combination most likely to reach the target, as shown in the figure below.
#nmap -Pn --traceroute <target>

Live System identification with Nmap
Using Nmap, the penetration tester can make use of TCP SYN and TCP ACK pings to identify live systems. This is a highly recommended approach (at least by Fyodor), since the classic ICMP ping is nowadays often blocked by modern firewalls and some routing devices.
#nmap -sn -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 <target>
The -PA option works best against stateless firewalls, while -PS works best against stateful firewalls. The previous command also sets the source port to 53, as this DNS port is generally allowed inbound.
Efficient Portscanning and Service Identification with Nmap
Scanning all 65535 ports on a /24 network takes a long time, sometimes longer than the penetration test itself. The penetration tester has to be efficient and try to perform the most comprehensive portscan possible in the limited amount of time he has.

The Nmap team has compiled a list of the most commonly used TCP and UDP ports and added a --top-ports switch that lets the user specify how many ports from that list to scan. For instance, --top-ports 100 instructs Nmap to scan the 100 most commonly used ports in the world.

Furthermore, the Nmap team estimated the following efficiency statistics:
Top ports to scan [TCP] : Estimated effectiveness
  • 3674 : ~100%
  • 2000 : 96%
  • 1000 : 93%
  • 500 : 89%
  • 250 : 83%


Top ports to scan [UDP] : Estimated effectiveness
  • 1017 : ~100%
  • 500 : 97%
  • 250 : 94%
  • 100 : 90%
  • 50 : 86%
Long story short, the command to use for an almost 100% effective TCP scan is:
#nmap -Pn -T4 -sS --top-ports 3674 --reason -sV <target>
And for UDP:
#nmap -Pn -T4 -sU --top-ports 1017 --reason -sV <target>
The --top-ports value needs to be adjusted depending on how large the target network is and how much time the penetration tester has.
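As an added example (not part of the original article), the Python below parses the XML that the TCP command above writes when run with -oX, so the --reason and -sV results can be triaged programmatically instead of read off the console. The embedded XML document is a constructed sample scan against a TEST-NET-1 address, not real output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -Pn -T4 -sS --top-ports 3674 --reason -sV -oX scan.xml <target>` writes; address, banners and counts are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -T4 -sS --top-ports 3674 --reason -sV -oX scan.xml 192.0.2.10" version="7.94">
 <host><status state="up" reason="user-set"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <extraports state="filtered" count="3670"><extrareasons reason="no-responses" count="3670"/></extraports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="52"/>
    <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="52"/>
    <service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="52"/>
    <service name="http-proxy" method="table" conf="3"/></port>
   <port protocol="tcp" portid="31337"><state state="closed" reason="reset" reason_ttl="52"/>
    <service name="Elite" method="table" conf="3"/></port>
  </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """One dict per <port>: state, the --reason explanation (syn-ack, reset, ...)
    and the -sV service name/product/version plus how -sV arrived at it."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="probed": -sV matched a banner; method="table": only the nmap-services port lookup, a guess to verify by hand
                "fingerprinted": svc is not None and svc.get("method") == "probed",
            })
    return rows


def open_ports(rows):
    """Open ports only; closed/filtered ones are noise for service triage."""
    return [r for r in rows if r["state"] == "open"]


def unverified(rows):
    """Open ports whose service is a port-table guess rather than a probed banner."""
    return [r for r in open_ports(rows) if not r["fingerprinted"]]
```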
The figure below is a sample “efficient” Nmap TCP portscan and service detection against scanme.nmap.org.
OS identification with Nmap
OS identification can also be performed with Nmap using the -O switch:
#nmap -O <target>
The figure below illustrates Nmap’s OS identification in action.