Nmap: a “Hacker Tool” for Security Professionals

(788 views)

Nmap: a “Hacker Tool” for Security Professionals

by Justin Hutchens

security-326154_640

The notion of the “ethical hacker” has always been an ironic one. The developing trends of ethical hacking and offensive security have transformed the information security industry into one of the most self-perpetuating industries in the world.

The software and tools that are used to secure vulnerable information assets are the same tools that can be used to exploit them. Perhaps it’s the other way around. Perhaps the tools that were created for the sole purpose of exploiting information assets are now being used to safeguard them. I suppose this is a debate that could go on forever and is really just another instance of “what came first…the chicken or the egg?”

The purpose of this essay is not to discuss the philosophical question of intent. My intentions are more modest. I merely seek to justify the importance of a tool that has been consistently labeled as malicious hacking software. The tool that I am referring to is Network Mapper, or nmap for short. Whether you are a crazed rogue agent that is bent on inciting global revolution or a network security professional (hopefully the latter, rather than the former), nmap should have a permanent place in your toolkit. Perhaps, instead of hurling criticism at an extremely functional networking tool, we should hold individuals accountable for their actions and reflect upon the well-known Benjamin Parker caveat…“with great power, comes great responsibility.” Despite some claims to the contrary, nmap is not malicious software. And I think the only reason that it is often labeled as such is because of its very impressive list of capabilities. Despite its potential to do harm, nmap can certainly play an important role in securing a network infrastructure within a professional environment.

Nmap has steadily evolved over the years from a simple scanning utility into a full blown penetration testing platform. It can be used in every step of the security auditing process, to include network discovery, port scanning, service enumeration, vulnerability mapping and even exploitation. Throughout this article, I will discuss the capabilities of nmap as they pertain to each step in the penetration testing process.

Installation and Preparation

Obviously, prior to using nmap, it is important to have a functional version installed on the system that you are using. By default, nmap is already installed on most penetration testing and network security operating systems such as Kali-Linux, Backtrack, DEFT, Node-Zero, Security Onion and NST. However, it can also be loaded to nearly any platform of your choice. Nmap can easily be installed on all commonly used operating systems to include Windows, Linux and OSX. There is also documentation available for installing it on more obscure platforms to include BSD, Solaris, AIX and AmigaOS. Installation packages and instructions on how to perform the install on any of these systems can be found at https://nmap.org/book/install.html.

Zenmap – Graphical Interface

In addition to the traditional command-line interface for nmap, there is also a graphical front-end interface called Zenmap. Zenmap is also integrated into many of the different penetration testing platforms previously discussed. However, it is not installed by default in Kali-Linux (the platform that I will be using for this tutorial). Fortunately, it is in the installation repository and can easily be installed with a single command:

apt-get install zenmap

Zenmap’s point-and-click interface not only effectively streamlines what would otherwise require complicated commands but it can also be an extremely useful tool for learning how to use nmap. It uses ‘profiles’ to save commonly used scan configurations for later modification and/or use. Take a look at the image of the Zenmap interface that is provided in Figure 1 and we will briefly address each of the components.

f1

Figure 1. Zenmap Graphical Interface

The first component is the Target field (Figure 1. A). This field is where you can specify the remote systems that you want to run a scan against. You can enter a single IP address (e.g. 192.168.1.1), you can enter a sequential range of IP addresses (e.g. 192.168.1.0-255) or you can use CIDR notation to specify a desired subnet (e.g. 192.168.1.0/24). The second component is the Profile field (Figure 1. B). You can click on the drop down arrow to the right of this field to see several pre-configured profiles for scanning. Profiles allow you to save commonly used scan configurations for future use. You can also create profiles of your own and they will then appear in this list (we’ll discuss how to do this later in this article). The third component is the Command field (Figure 1. C). This field will indicate the command that is going to be sent to the backend. To launch the command appearing in this field, you simply click the Scan button. You can modify the value in this field directly; however, it will be automatically populated based on the values of the Target field and the selected profile. If you are new to nmap, you should pay close attention to this field, as it will provide you with a better understanding of the appropriate syntax and use of different nmap commands. The fourth component is the Host/Service list (Figure 1. D). Once you have performed scans, information will be populated in this list. If you have the Hosts button selected, all discovered host IP addresses will be listed. And if you have the services button selected, all discovered network services will be listed. The final component (Figure 1. E) is where you can sort through all of the information that has been produced by all the scans that you have performed. The Nmap Output tab will display the exact output that would be provided if the command had been entered from the command-line interface. The Ports/Hosts tab content will vary depending on if you have the Hosts or Services button selected for your list. If the Hosts button is selected, then the information under the Ports/Hosts tab will reflect the services that were identified on the actively highlighted IP address in the list. Otherwise, if the Services button is selected, the information under the Ports/Hosts tab will identify all hosts that were found to have the particular service that is highlighted in the list. The topology tab will provide a graphical representation of the logical topology of the network, to include all hosts that have been discovered by scanning. It will use returned TTL (Time-To-Live) values to display the logical orientation of hosts, relative to one another. The Host Details tab is where you will find the bulk of information that has been discovered about a selected host. This information includes MAC addresses, IP addresses, open ports, identified services, operating system information and any additional information that has been collected. Finally, the scans tab will provide a history of scans that have been performed during the session.

At the top of the screen you will see several different drop-down menus to include Scan, Tools, Profile and Help. The Help menu is self-explanatory. The Scan menu contains options to create new scans, save scans or open previously saved scans. The Tools menu provides some additional functions that can be used to sort through and organize information collected during your scans. And the Profile menu provides options to create new scan profiles or edit existing profiles.

We will now briefly discuss how to create a new profile and then launch a scan using that profile. To get started, select the Profile drop-down menu and then select “New Profile or Command.” This will open up a profile configuration interface that can be seen in Figure 2.

f2

Figure 2. Zenmap Profile Editor

The first tab (Profile tab) allows you to create a unique name and description for the profile. All the other tabs are where you will specify different configurations that will be used in your scan. As you can see in the Scan tab displayed in Figure 2, creating a scan profile is as simple as checking the boxes for options that you want to enable, entering values so that those options can be effectively employed, or selecting from pre-defined choices in the drop-down menu. If you are unsure about the function or appropriate use of any option here, you can hover over it with your mouse and the help column on the right side of the screen will be automatically populated with information on what the specific option does and appropriate values and syntax for any requested input fields. With each minor adjustment that you make to the scan configuration, the command field at the top is adjusted accordingly. This feature makes Zenmap an extremely effective tool in learning how to use nmap commands correctly. Once you have configured the scan options to your liking, you can either select the Scan button at the top right of the screen for single use, or you can select Save Changes at the bottom right. The Save Changes button will save the profile with the name provided on the first tab configurations and can then be used immediately or at a later time by selecting it by name from the Profile drop down menu on the main Zenmap interface. Although Zenmap is very powerful, you should not allow it to become a crutch that prevents you from learning the command line functions of nmap. Although Zenmap can perform many of the same functions, it still has its limitations and is not as powerful as nmap. To use nmap effectively and to its full potential, it is important to become equally familiar with the command line interface.

Network Discovery

The first step in the penetration testing process that we are going to discuss is network discovery. Prior to evaluating the security of information systems on a network, you first need to identify what you are evaluating. There are a number of different ways that you can discover hosts on a network by using nmap. In this section, we will discuss how to use nmap to perform host discovery at layers 2, 3 and 4 of the OSI model and we will also discuss the advantages and disadvantages of each. An example of a command to perform layer 2 discovery can be seen here:

nmap -PR -sn 192.168.1.0-255

The -PR switch specifies an ARP ping. This uses layer 2 ARP (Address Resolution Protocol) packets to identify live hosts within the specified range. It does this by sending out an ARP broadcast request for each of the IP addresses identified. If there is a live host on the network with one of those IP addresses, that host will send an ARP reply to the scanning system with its IP address and its corresponding layer 2 MAC address. Nmap will collect replies from all live hosts and then will return a list of hosts that were discovered. The -sn switch is used to request nmap not perform any port scanning. This prevents the transmission of any additional traffic, beyond what is necessary to perform the layer 2 host discovery sweep. Layer 2 discovery is effective because it is the fastest of all three options. However, it is limited by the fact that it can only be performed against hosts that are on the same local area network as the system that is performing the scan.

For remote hosts, you will have to use either layer 3 or layer 4 discovery. An example of a command that could be used to perform layer 3 discovery is:

nmap -PE -sn 109.74.11.0-255

This command will send a series of ICMP echo requests to each layer 3 IP address in the list. Nmap will collect all ICMP echo replies that are received and will return a list of all live hosts. This discovery scan is slower than performing an ARP ping, but it will return results for hosts on remote networks.

Finally, suppose that you are attempting to discover remote systems (so you can’t use layer 2) that are behind a firewall that drops all incoming ICMP traffic (so you can’t use layer 3). To address this problem, you will need to perform discovery at the transport layer (layer 4). There are several different ways that you can use layer 4 scans to perform discovery. One effective method is using a UDP ping. An example of a UDP ping command is:

nmap -PU53 -sn 109.74.11.0-255

This command generates a series of DNS server status requests for each of the target IP addresses. A series of DNS query responses will be received from live hosts and nmap will then return these results. Because DNS is a commonly used service on UDP port 53, it is possible to identify additional live hosts by using this technique that may have been configured to not respond to ICMP traffic. Another effective layer 4 alternative to ICMP ping sweeps is to use a TCP ACK ping. An example of this can be seen below:

nmap -PA80 -sn 109.74.11.0-255

This command will send a series of unsolicited ACK replies to the specified port for all of the hosts in the IP range. Because these ACK packets were out of context of any established line of communication, live hosts will reply with a TCP RST packet to indicate that the communication should be discontinued. Nmap will collect these responses as the indication of live hosts and will then return a list of them.

Port Scanning and Service Enumeration

Now that we have discovered the active IP addresses on the network that we are performing a penetration test against, we next need to identify open ports on each system and the services running on those ports. Scanning TCP ports on remote systems is the most basic function of nmap. To perform a TCP scan of a target system, use the basic command:

nmap 109.74.11.34

Like other nmap commands, this can also be used to perform scans against multiple hosts by using a sequential series (192.168.1-255) or CIDR notation (192.168.1.0/24). This standard nmap command performs a scan on 1000 commonly used TCP ports. Alternatively, you can specify a single port to scan by using the -p switch followed by the port number that you want to scan.

nmap 109.74.11.34 -p 21

This above command will scan TCP port 21 on the specified system. You can also scan a series of ports by using the -p switch and then listing the desired ports, separating them with commas.

nmap 109.74.11.34 -p 80,443

This command will scan ports 80 and 443 on the target system. You can scan a sequential range of ports by using the -p switch followed by the first value in the range, a dash, and then the last value in the range.

nmap 109.74.11.34 -p 0-100

The above command scans the first 100 ports. To scan all 65,536 TCP ports on a target, use the following command:

nmap 109.74.11.34 -p 0-65535

You can use a TCP ACK scan to identify ports that are filtered. To do this, use the -sA switch. You can then specify a port or series of ports. No port specification will scan the standard 1,000 ports. This will then return a list of filtered ports. An example of this command can be seen below:

nmap 109.74.11.34 -sA

Penetration testers and security professionals will sometimes only scan for open TCP ports on target systems. Overlooking UDP services can cause one to completely overlook glaring vulnerabilities that might easily lead to compromise. To scan for UDP services on a target system, use the following command:

nmap 109.74.11.34 -sU

Because UDP services are not connection oriented in the same way that TCP services are, this will take longer than a typical TCP scan. The time required to complete UDP scans can be reduced by scanning for specific ports. You can specify ports the same way you had with TCP scans.

nmap 109.74.11.34 -sU -p 69

The above command performs a scan of UDP port 69, a commonly used port for TFTP (Trivial File Transport Protocol). It is also possible to identify the version and version number for each particular service. To do this, use the -sV switch.

nmap 109.74.11.34 -sV

This command will use a combination of banner grabbing and probe-response analysis to attempt to identify the service and version number of that service for each scanned port. Using similar techniques, it is also possible to have nmap attempt to determine the operating system that is running on the target. To do this, use the -O switch.

nmap 109.74.11.34 -O

Once completed, it will either return a positive identification of the operating system or it will give a best guess and then a list of other possible operating systems.

Advanced Scanning Techniques

There is a common problem that you will frequently encounter when performing a penetration test against mid to large size enterprise networks. Most companies and organizations these days have become more security-minded and will likely have firewalls or intrusion detection systems standing between you and the systems that you are trying to scan. To scan such systems, we will need to employ some more advanced scanning techniques. One way to potentially bypass firewalls and/or intrusion detection systems is to use some traditional stealth scanning techniques that are integrated into nmap. One method that can be employed is to use a slower timing template. Timing templates range from -T0 (paranoid scan) all the way up to -T5 (Insane scan). The lower the value of the timing template, the slower the scan will be performed. Slower scans are less likely to be flagged by intrusion detection systems. An example of a paranoid scan would be:

nmap 109.74.11.0-255 -T0

Another technique that can be used to mask your scan is to flood the network with additional decoy traffic using the -D switch. This function will allow you to specify multiple addresses to spoof traffic from or you can use the RND option to spoof traffic from random addresses.

nmap 109.74.11.0-255 -D RND:5

In addition to performing the traditional TCP port scan of the target systems, the command above will also spoof traffic from 5 random addresses to obfuscate the actual scan traffic. Another technique that can be used is to vary the packet length of your transmitted requests. Some intrusion detection systems and firewalls will drop packets based on signature packet lengths. To prevent this, you can specify the data length by using the --data-length switch followed by the packet size in number of bytes.

nmap 109.74.11.0-255 --data-length 15

This command will send all scanning traffic in packets that are 15 bytes in length. While this might be helpful to avoid some signature based intrusion detection systems, consistently sending packets of an unusual specified packet length could flag an anomaly based intrusion detection systems. Network intrusion detection systems will also flag traffic if you begin to sequentially connect to systems within a specified network range. To avoid performing your scans in sequence, you can use the --randomize-hosts switch.

nmap 109.74.11.0-255 --randomize-hosts

This command above will randomly scan each host in the range instead of performing them in sequence (109.74.11.0, then 109.74.11.1, then 109.74.11.2, etc…). While you can’t spoof your IP address (because you wouldn’t receive the replies necessary to determine open ports), you can spoof your MAC address. To do this, you can use the --spoof-mac switch, followed by a vendor ID, a specific MAC address, or 0.

nmap 109.74.11.0-255 --spoof-mac 0

Using 0 as your argument will apply a random MAC address to your scan traffic. One final technique that is worth mentioning is using the -f switch to fragment packets.

nmap 109.74.11.0-255 -f

Fragmenting packets will separate the data payloads of your scan traffic into multiple packets, allowing it to more easily bypass content inspection intrusion detection systems or firewalls. While all of these techniques can be effective for scanning publically accessible servers behind a firewall, they are usually not sufficient for scanning hosts on an internal network. While certain publically accessible servers will be available for scanning, much of the internal infrastructure will be deeper within the network and not so easily accessible. Consider the diagram in Figure 3. This is a simple example of a common configuration in enterprise networks.

f3

Figure 3. Common Network Configuration

The problem that we encounter here is that the internal network lies behind an internal firewall, which has stricter rules about ingress traffic, compared to the external firewall. This internal firewall is likely blocking inbound traffic from remote addresses on the web; however, it is possible that the systems in the DMZ can communicate with the internal systems. In order to be able to scan these internal systems, we must make the systems in the DMZ work on our behalf. We will discuss several different ways to do this, to include proxy scanning, zombie scanning and FTP bounce scanning.

Probably the easiest way to scan the internal systems is by using a proxy chain. Let us suppose that we have acquired access to a proxy service within the DMZ by locating an open-access proxy service, brute forcing a proxy service with hydra or by installing a proxy service on an already compromised machine. Once you have configured your system to route traffic through that proxy, you can perform nmap scans by using a full connection scan (-sT).

nmap 10.1.1.0-255 -sT

If there is no proxy service available, there are some clever ways that you can leverage machines within the DMZ to get scan results on internal systems. One way to do this is to use zombie scanning, also referred to as idle scanning. In order to perform a zombie scan against the systems on the internal LAN, we have to find a viable zombie host within the DMZ. A zombie host is any relatively idle system that uses incremental IPID sequencing. In order to locate a zombie host, we can use an nmap script to scan the DMZ for a system that fits this description.

nmap --script ipidseq 109.74.11.0-255

This script will send a series of packets to each host and track the IPID numbers for all replies received. It will then analyze these IPID numbers to classify each system as either random sequence, all zeros, or incremental. See Figure 4 for an example of the output for an incremental system.

f4

Figure 4. Zombie host located with IPID Sequence Script

Once we have acquired an IP address for our zombie system, we are ready to attempt our zombie scan. Prior to addressing how to perform the scan, I will briefly discuss how the scan works. Refer to Figure 5 for a diagram of what takes place when a zombie scan is performed against an open port.

f5

Figure 5. Zombie scan against open port

First, our nmap scanner determines the current IPID value of the zombie system by sending an unsolicited SYN/ACK packet. Because no SYN packet was originally sent by the zombie system to establish a connection, the zombie then replies to our scanner with an RST packet. Our scanning system will then use the IPID of the RST packet as a reference point. Then, our scanning system will immediately follow this up with a spoofed SYN packet sent to the target system using a source IP address of the zombie system. Because the source IP address is one within the DMZ, this connection request is more likely to be able to pass through the firewall. If the target receives the packet and the destination port is open, the target will then return a SYN/ACK packet to the zombie system (who it thinks sent the original SYN packet). Because this SYN/ACK packet is received out of context, the zombie system will then reply to the target system with a RST packet, thereby incrementing its IPID value by one. Finally, our scanner will send one last SYN/ACK packet to the zombie system. The subsequent RST reply from the zombie will increment the IPID one more time. So if the targeted port on the remote system is open, the final IPID value returned will be two numbers higher than the original value. Alternatively, Figure 6 illustrates what takes place when the port of the target system is closed.

f6

Figure 6. Zombie scan against closed port

If the port on the target system is closed, the zombie system receives no unsolicited response from the target and is therefore not instigated to send an RST packet to the target. So if the IPID value of the final RST response has only incremented by one, we can deduce that the port is closed because no SYN/ACK reply was sent to the zombie system to instigate a RST response. Otherwise, if the final IPID value has incremented by two from the original value, then we can deduce that the port on the target system must be opened because it must have replied to the zombie which instigated the response that incremented the IPID value of the zombie system.

While this may sound extremely complicated; do not become intimidated by the description, as nmap does nearly all the work for you. To actually perform a zombie scan, you just have to enter a simple command.

nmap -sI 192.168.199.132 -Pn 192.168.199.130

The -sI switch tells nmap to perform a zombie scan using the following IP address as the zombie host (192.168.199.132). The -Pn switch prevents nmap from performing an initial ICMP ping on the target system prior to attempting the scan. So, the final IP address in the command identifies the target system. The output for this command can be seen in Figure 7.

f7

Figure 7. Zombie scan against closed port

It should be noted that the IP range that I used to demonstrate this zombie scan is a private range on my internal network. For this to work effectively against a remote network, as described in the original scenario, the systems in both the DMZ and the internal network must be on publically routable IP ranges. If the internal network is configured on a private range behind a NAT (Network Address Translation) server, then the nmap scanner will not be able to send the spoofed SYN packet to the internal address from its remote location.

Another way to use systems within the DMZ to attempt to scan hosts on the internal network is to use FTP bounce. Some legacy FTP servers support the capability of transmitting files to a third party system. If you have discovered an FTP server in the DMZ that allows anonymous login or that you have brute forced with hydra, you can test the FTP server to determine if it supports FTP bounce. To do this, use the ftp-bounce script.

nmap --script ftp-bounce --script-args

ftp-bounce.username=anonymous,

[email protected] 109.74.11.201

This command uses the nmap script with username and password arguments against the FTP server. Once completed, this scan will indicate if FTP bounce is possible or not. If the script indicates that FTP bounce is working, you can use the FTP server to perform a port scan against other systems on the network. Figure 8 illustrates how this works.

f8

Figure 8. FTP bounce scan

The scanner will attempt to send binary data, via the FTP bounce function, to the target system at a designated port. If the data is transmitted, the FTP server will then report back this back to the scanner, indicating that the port on the target system is open. To perform an FTP bounce scan, use the -b switch.

nmap -b ftpuser:[email protected]:21 10.1.1.128-255

In this command, the -b function is used to perform a ftp bounce scan using the username “ftpuser” and the password PassW0rd, against the FTP server at 192.168.11.201 hosted on TCP port 21. The actions described in the diagram above will then be performed against each of the common 1000s ports on each of the target hosts from 10.1.1.128 to 10.1.1.255.

Vulnerability Mapping and Exploitation with NSE

Once you have discovered live hosts on the target network and have managed to enumerate open ports and/or running services on those hosts, you can begin testing for and exploiting vulnerabilities. With the newly integrated NSE (Nmap Scripting Engine), there are a number of preloaded scripts that come with the standard nmap installation. These scripts have a wide range of different functions from basic information gathering (like the two that we have already discussed), vulnerability mapping, brute forcing, denial of service and even remote exploitation. All of these scripts are located in your nmap installation directory. In Kali-Linux, they can be found at /usr/share/nmap/scripts/. To browse to these scripts and begin working with them, use the following commands:

cd /usr/share/nmap/scripts/

ls

The cd command will change the directory to the location of the NSE scripts, and the ls command will display the contents of the directory. You can then view any of the scripts by using the cat command, followed by the name of the script that you want to view. For the purpose of this demonstration, we will use ftp-vuln-cve2010-4221.nse. To view the contents of this script, use the following command:

cat ftp-vuln-cve2010-4221.nse

f9

Figure 9. NSE script contents

Figure 9 displays the contents of this script. If you browse to the top of the script contents, you will see several pieces of helpful information to include a description of the script, a list of additional resources for reference, and appropriate use and syntax of the script. However, sorting through these scripts in the directory and locating a script that performs a specific function can be very tedious. In my opinion, this is where Zenmap (the graphical interface that we had previously discussed) really shines through. To demonstrate how helpful the Zenmap interface can be when working with NSE scripts, open it once again from the command line with the command:

zenmap

Then select the Profile drop-down menu and click “New Profile or Command.” After the Profile Editor opens up, choose the Scripting tab at the top of the screen. Figure 10 displays an image of the Zenmap Scripting interface.

f10

Figure 10. Zenmap Scripting Interface

A list of all of the available nmap scripts is located on the left side of the screen. You can select any of these to have it included in your nmap command. Some scripts will require arguments in order to be able to run correctly. Post authentication scripts will often require a username and password for specific network services. In the example in Figure 10, arguments can be supplied to configure the brute force attack that is to be performed against the MySQL service. You can also easily pass the script arguments by entering the values in the Arguments window. These arguments will automatically be populated in the generated nmap command. The window in the top center provides a description of the selected script, appropriate use and syntax, and even categories to describe the functions of the script. These categories can be especially helpful if you are trying to perform a specific type of task, such as vulnerability analysis. After launching an NSE script with an nmap command, you will see the results in the standard nmap output. In the case of brute force scripts, the output will show if the brute force attack was successful and, if so, will display the discovered username and password. In the case of vulnerability scripts, the output will indicate if the vulnerability is present on the target system(s). And in the case of exploitation scripts, the output will provide information about the payload that was subsequently delivered to the target system.

Scripting with Nmap

In addition to its own integrated scripting engine, nmap also supports several output options that make it easy to use traditional scripting languages for performing output analysis. Two output formats that can be useful for scripting include greppable output (-oG) and XML output (-oX). XML can be effective for higher level scripting languages that have modules that can be imported for XML parsing and greppable output can be used in conjunction with the bash shell scripting to streamline analysis of nmap results. To demonstrate how this output feature could be used in conjunction with scripting, we will review a simple 4-line bash shell script, displayed in Figure 11 to analyze the results of an nmap scan.

f11

Figure 11. Nmap Result Analysis Bash Script

Consider a scenario in which an nmap scan was already performed against a very large network and the output of the scan was saved in greppable format to a networkscan.txt file. And suppose that we want to use hydra to perform a brute force attack against all FTP services on the network, but we do not want to waste the time that would be required to scan port 21 on the entire network again. This simple script will extract all systems that have a specified port open. The first line prompts the user for a port number. The second line then assigns the value of the user input to the ‘port’ variable. The third line indicates to the user that all systems with that open port will be listed. And finally, the last command is where we grep out the results from the nmap greppable output. The script uses the grep command to extract all lines from the output file that reference the specified port. This will include lines that enumerate each instance of where the port is open, closed or filtered. Then, it pipes that output over to another grep function that extracts only instances in which the specified port is open. This output is then piped over to the cut function, which specifies a space character as the delimiter and then outputs the second field. By doing this, our script then outputs the IP address for each system that has the specified port open. Figure 12 displays the output of the script.

f12

Figure 12. Nmap Result Analysis Script Output

While this is a very simple script, it demonstrates how easy it can be to extract information from the greppable output format. Once acquired, this collected information could easily be used for further scripting. It could be used as a starting point to perform some other subsequent task against each system that was identified to have a specific port open.

An All-In-One Penetration Testing Tool

By combining its different capabilities, one could easily perform a complete penetration test by using nmap alone. There is no denying that nmap, with its impressive list of functions and capabilities, is a truly powerful tool. And as the years progress, it will likely become even more powerful as more people continue to contribute to this project. Like a kid with his father’s gun, nmap can be a dangerous tool in the wrong hands. But if used correctly, it can be an invaluable asset for ensuring the security of your network infrastructure. So always remember to use it wisely and to use it well.

About the Author

jh

Justin Hutchens currently does network vulnerability analysis, intrusion detection and digital forensics for a large enterprise network with over 33,000 networked systems. He has filled numerous different roles in the Information Technology field to include network design, system development, database administration and network security. He also currently teaches courses on penetration testing with the Backtrack and Kali-Linux operating systems. He currently holds a Bachelor’s degree in Information Technology and multiple professional certifications to include CISSP (Certified Information System Security Professional), CEH (Certified Ethical Hacker), ECSA (EC-Council Certified Security Analyst) and CHFI (Computer Hacking Forensic Investigator).

 

September 2, 2014
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4

Name(Required)

We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.