Network Computing is part of the Informa Tech Division of Informa PLC


Nmap Tutorial: Common Commands: Page 3 of 3

Service and OS detection

Nmap is one of the most popular tools for enumerating a targeted host. Its detection scans report the operating system, the services, and the service versions for a single device or for many devices at once, and they are a critical part of the enumeration phase of a network penetration test. Knowing where vulnerable machines sit on the network lets you fix or replace them before they are attacked; attackers run the same scans to decide which payloads are most likely to work against a victim's device. OS detection uses TCP/IP stack fingerprinting: Nmap sends a series of crafted TCP, UDP, and ICMP probes and compares the responses with the fingerprints in its nmap-os-db database. Service detection sends the probes defined in the nmap-service-probes database to each open port and matches the responses against that file's signatures to identify the service and its version.

Detect OS and services

-A is the aggressive option: in one run it enables OS detection, version detection, the default NSE script scan, and traceroute, so it gives the richest single-command view of a host (including the OS and its likely version) for the enumeration phase of your network security assessment. If you only want to detect the operating system, type nmap -O 192.168.0.9 instead. Both forms need raw packet privileges, so run them as root or with sudo:

nmap -A 192.168.0.9


Standard service detection

This is the command to scan for running services. Nmap ships a table (nmap-services) of about 2,200 well-known services and their usual ports; examples are HTTP (port 80), SMTP (port 25), DNS (port 53), and SSH (port 22). Without -sV, the SERVICE column is only that table lookup and says nothing about what is actually listening. With -sV, Nmap probes each open port and reports the real service, product, and version wherever it can identify them:

nmap -sV 192.168.0.9


More aggressive service detection

This is the command for a more aggressive version scan. --version-intensity takes a value from 0 to 9: the default is 7, and 9 (also written --version-all) tries every probe in nmap-service-probes against every open port. Experienced attackers usually avoid this, because the extra probes are noisy and leave a large footprint in logs and IDS alerts; most black hat hackers prefer to run as silently as possible:

nmap -sV --version-intensity 9 192.168.0.9


Lighter banner-grabbing detection

This is the command for a light version scan. --version-intensity 0 sends only the NULL probe (connect and wait for the service to announce itself) plus any probes that nmap-service-probes registers for the target port, so it generates far less traffic than a full-intensity scan and is less likely to trip an IDS; --version-light (intensity 2) is the usual compromise. Attackers favour this kind of scan to stay undetected while enumerating targeted hosts, though the port scan itself still happens and is still visible to the target:

nmap -sV --version-intensity 0 192.168.0.9


Service and OS detection rely on different techniques: OS detection fingerprints the TCP/IP stack from its responses to crafted probes, while service detection matches what each port says to the signatures in nmap-service-probes. A higher version intensity is useful when services run on unexpected ports, because probes that are not registered to that port get tried as well; a lower intensity is much faster and leaves less of a footprint. At intensity 0 Nmap still tries to identify the service, but it mostly just reads the banner the open service volunteers and matches it against the probe database, so services that wait for the client to speak first stay unidentified.
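To make the light-scan behaviour concrete, here is an added example (not code from the book or from Nmap) that does in miniature what --version-intensity 0 does: connect, send nothing, read whatever banner the service volunteers, and match it against signature rules. The match rules, the fake local services, and their banners are constructed for this example; real Nmap uses the far larger nmap-service-probes file.

```python
"""Banner grabbing the way --version-intensity 0 works, in miniature.

Added example, not code from the book or from Nmap. It imitates the
NULL probe in nmap-service-probes (connect, send nothing, let the
service speak first) and then matches the banner against a handful of
constructed rules written in the spirit of that file's
"match <service> m/<regex>/ p/<product>/ v/<version>/" lines. The fake
services below stand in for real hosts so everything runs offline.
"""
import re
import socket
import threading

# Constructed match rules: (service, regex, product). The first capture
# group, when present, is the version string Nmap would show.
MATCH_RULES = [
    ("ssh",  re.compile(rb"^SSH-[\d.]+-OpenSSH[_ ]([\w.]+)"), "OpenSSH"),
    ("smtp", re.compile(rb"^220 [^\r\n]*ESMTP Postfix"), "Postfix"),
    ("ftp",  re.compile(rb"^220 [^\r\n]*\(vsFTPd ([\d.]+)\)"), "vsFTPd"),
]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """The NULL probe: connect, send nothing, return what the service
    volunteers. b"" means it closed or stayed silent, which is when Nmap
    falls back to the higher-intensity, protocol-specific probes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def identify(banner: bytes):
    """Return (service, product, version) from the first matching rule,
    or ("unknown", None, None) when nothing matches."""
    for service, regex, product in MATCH_RULES:
        m = regex.match(banner)
        if m:
            version = m.group(1).decode() if regex.groups and m.group(1) else None
            return service, product, version
    return "unknown", None, None


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a remote host: listen on an ephemeral
    localhost port, send `banner` to the first client, then close.
    Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def scan_port(host: str, port: int):
    """Light version scan of one port: banner grab, then signature match."""
    return identify(grab_banner(host, port))


def demo():
    """Run the light scan against three constructed services (a chatty SSH
    daemon, a Postfix MTA, and one that says nothing) and return the
    (service, product, version) tuple for each."""
    banners = [
        b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
        b"220 mail.example.test ESMTP Postfix\r\n",
        b"",  # waits for the client to talk: the NULL probe learns nothing
    ]
    return [scan_port("127.0.0.1", start_fake_service(b)) for b in banners]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third result is the point of the exercise: a service that does not speak first comes back as unknown, which is exactly the case where Nmap's higher intensities (and their extra, noisier probes) earn their keep.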

Nmap output formats

Save default output to file

-oN writes the normal, human-readable output of a scan to a file. Nmap can save the same scan in other formats too: -oX for XML (the format other tools read), -oG for grepable output, and -oA for all of them at once:

nmap -oN outputfile.txt 192.168.0.12


Save in all formats

-oA writes three files at once from the given basename: outputfile.nmap (normal), outputfile.xml (XML), and outputfile.gnmap (grepable). The normal output can also be captured by redirecting stdout (> file), but -oN and -oA are the better choice, because the results are still printed to the terminal while the scan runs and the XML file can be fed to other tools afterwards:

nmap -oA outputfile 192.168.0.12
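The XML file is the one worth keeping, because it is what other tools consume. The following added example (not code from the book or from Nmap) parses an XML file of the kind -oA writes, using a constructed sample that mirrors Nmap's real element and attribute names, and keeps only services that -sV actually confirmed (method="probed") rather than the nmap-services table guess (method="table").

```python
"""Reading the XML file that -oA writes (outputfile.xml).

Added example, not code from the book or from Nmap. SAMPLE_XML is
constructed to mirror what nmap -A -oA outputfile 192.168.0.12 produces
for a host with two identified services, one guessed service, one closed
port, and one OS match; element and attribute names follow Nmap's XML
schema (the XML declaration is omitted for brevity).
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -A -oA outputfile 192.168.0.12" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.0.12" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 5.0 - 5.14" accuracy="96"/>
    </os>
  </host>
</nmaprun>
"""


def hosts_from_root(root):
    """Turn an <nmaprun> tree into a list of per-host dicts."""
    hosts = []
    for host in root.iter("host"):
        ipv4 = host.find("address[@addrtype='ipv4']")
        entry = {"addr": ipv4.get("addr") if ipv4 is not None else None,
                 "ports": [], "os": None}
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else None,
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # "probed": -sV confirmed it; "table": only the nmap-services guess
                "method": svc.get("method") if svc is not None else None,
            })
        osmatch = host.find("os/osmatch")  # first (highest accuracy) match
        if osmatch is not None:
            entry["os"] = (osmatch.get("name"), int(osmatch.get("accuracy")))
        hosts.append(entry)
    return hosts


def parse_nmap_xml(xml_text: str):
    """Parse XML held in a string (the constructed sample, for instance)."""
    return hosts_from_root(ET.fromstring(xml_text))


def load_nmap_xml(path: str):
    """Parse a file on disk, such as the outputfile.xml written by -oA."""
    return hosts_from_root(ET.parse(path).getroot())


def open_services(hosts, confirmed_only=True):
    """Flatten to (addr, port, name, product, version) rows for open ports.
    With confirmed_only, keep only services -sV actually probed, so a
    report never mistakes a port-table lookup for a finding."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            if confirmed_only and p["method"] != "probed":
                continue
            rows.append((h["addr"], p["port"], p["name"], p["product"], p["version"]))
    return rows


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(h["addr"], "OS guess:", h["os"])
    for addr, port, name, product, version in open_services(hosts):
        print("  %s:%d %s %s %s" % (addr, port, name, product or "", version or ""))
```

For a real scan, call load_nmap_xml("outputfile.xml") instead of parse_nmap_xml(SAMPLE_XML); the confirmed_only switch is what separates "Nmap guessed http-proxy because it was port 8080" from "Nmap saw an Apache 2.4.52 banner".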


Scan using a specific NSE script

This command checks whether a host is vulnerable to Heartbleed (CVE-2014-0160), a bug in the TLS heartbeat extension of older, unpatched OpenSSL versions, using the ssl-heartbleed NSE script. The .nse suffix in the script name is optional, and --script takes two leading dashes:

nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1


Scan with a set of scripts

--script is not limited to a single script: it accepts a comma-separated list of script names, a category such as vuln or safe, or a wildcard pattern, so one run can test for several weaknesses at once and save time while you are monitoring the network. The command below runs the same Heartbleed check as above, but against every host in the /24 that contains 192.168.0.13 (that is, 192.168.0.0/24):

nmap -sV -p 443 --script=ssl-heartbleed 192.168.0.13/24

It is important to keep the script database current. After you add or update scripts in Nmap's scripts directory, rebuild the script index with nmap --script-updatedb (the command rebuilds the index; it does not download new scripts, which come with Nmap upgrades). The following screenshot shows what you will see when you run it:

[Screenshot: terminal output of nmap --script-updatedb]

At the time of writing, Nmap had 471 NSE scripts installed (recent releases ship well over 500, and the count grows with each version). The scripts cover a wide range of network security testing and discovery tasks, and if you are serious about your network security, you should take the time to get familiar with some of them.

The option --script-help=$scriptname shows the help for an individual script, and nmap --script-help all prints the description of every installed script. To list the installed scripts, look in Nmap's scripts directory (/usr/share/nmap/scripts on most Linux installs) or run locate nse | grep script, which relies on an up-to-date locate index.

You may have noticed the -sV service detection parameter in these commands. Most NSE scripts work better with it, because version detection tells the script engine which service is actually listening on each port, so a script such as ssl-heartbleed runs against a TLS service on a non-standard port instead of being limited to its default port list.

This tutorial is a chapter excerpt from "Applied Network Security" by Arthur Salmon, Warun Levesque, and Michael McLafferty (Packt).