Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. (nmap.org)
Nmap is a wonderful tool for enumeration. If you know the specific flags (the parameters after the nmap command) and what they do, the tool will play a big role in your cybersecurity career. Even aside from pentesting, Nmap is a tool that comes up again and again, because it is so widely used: in legitimate software, in attacks, and in the toolbox of everyday IT administrators.
So, what to use Nmap for? There are several use cases. For example, with Nmap you can:
- Do a network/host discovery
- Check what operating systems are running on what devices
- Infer how a firewall filters traffic (for example which ports are filtered rather than closed) and test whether an Intrusion Detection System (IDS) picks up the scan
- See what protocols and services a device is using/exposing
- Identify open ports
Note: Keep in mind that Nmap is a fairly noisy tool. A scan generates a lot of network traffic and can at times consume a good amount of bandwidth. Firewalls and intrusion detection/prevention systems have become much better at recognising and blocking scan traffic (including Nmap's), so you may run a scan and get no results at all. That is why you should know the tool as well as you can: by choosing among its different scan techniques you can avoid being blocked and reduce the traffic you generate.
How to use Nmap
nmap <scan types> <options> <target>
What scan techniques are available with Nmap?
For all of the use cases above we can tell Nmap to use different so-called scan techniques. Each technique builds up the connection to the target differently and sends differently structured packets to the hosts.
To list the scan techniques your Nmap build supports, use the nmap --help command. I shortened the output a bit to show only the scan techniques:
┌──(attacker㉿ATTCK)-[~]
└─$ nmap --help | grep -A8 "SCAN TECHNIQUES"
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
As someone who wants to understand the technology behind everything, I'd suggest we dig a bit deeper into the different scan techniques to understand how Nmap works behind the scenes.
A TCP-SYN Scan
The word "SYN" should be familiar if you remember how network protocols work, or more specifically how TCP works.
In a SYN scan, Nmap sends a SYN and waits for the reply. A SYN/ACK means the port is open; Nmap then never sends the final ACK, so the handshake is never completed (the scanner's kernel, which knows nothing about the probe, answers the SYN/ACK with a RST and tears the half-open connection down). A RST in reply means the port is closed: the host answered, but nothing is listening. If nothing comes back after retries, or an ICMP unreachable error arrives, Nmap reports the port as filtered, because something between the scanner and the service is dropping the probe. This way Nmap learns the state of a port without ever fully connecting to the target machine, which is why this is also called a half-open scan.
Syntax for a SYN scan
nmap -sS <options> <target>
Example for a TCP-SYN scan
┌──(attacker㉿ATTCK)-[~]
└─$ sudo nmap -sS 172.27.0.102
[sudo] password for attacker:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-18 11:33 CEST
Nmap scan report for 172.27.0.102
Host is up (0.00026s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
3389/tcp open  ms-wbt-server
MAC Address: 00:50:56:A9:80:3A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.03 seconds
Note: You have probably noticed that I used sudo for my Nmap scans. Most scan types are only available to privileged users, because they send and receive raw packets, which requires root access on Unix systems. Without those privileges Nmap falls back to a full TCP connect() scan (-sT), which completes the handshake and is therefore easier for the target to log.
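To make the "behind the scenes" part concrete, here is the packet logic of a SYN scan in pure Python. This is an added example, not code from the original post or from Nmap itself: build_syn() assembles the probe a SYN scan sends (a bare SYN with a correct TCP checksum over the IPv4 pseudo-header) and classify_response() maps the reply, or its absence, onto the state Nmap prints for the port. The raw socket a real scan needs (the reason for sudo) is deliberately left out so the code runs offline. The scanner address and the replies are constructed sample values; the target is the host from the scan above.

```python
"""Added example, not from the original post or from Nmap: the packet logic
behind a SYN (half-open) scan, runnable offline without raw sockets.
Scanner IP, sequence numbers and replies are constructed sample values."""
import struct
from typing import Optional

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

SCANNER, TARGET = "172.27.0.5", "172.27.0.102"   # scanner IP is assumed


def _checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags) -> bytes:
    """Build a 20-byte TCP header (no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,   # data offset: 5 x 32-bit words
                      flags,
                      1024,     # window
                      0,        # checksum placeholder
                      0)        # urgent pointer
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr))
    csum = _checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip, dst_ip, hdr: bytes) -> bool:
    """A receiver's check: checksumming header plus pseudo-header must give 0."""
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr))
    return _checksum(pseudo + hdr) == 0


def build_syn(src_ip, dst_ip, sport, dport, seq=0x12345678) -> bytes:
    """The probe a SYN scan sends: SYN set, ACK number 0."""
    return build_tcp(src_ip, dst_ip, sport, dport, seq, 0, SYN)


def parse_tcp(hdr: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def classify_response(probe: bytes, reply: Optional[bytes]) -> str:
    """Map the answer to our SYN onto the state Nmap prints for the port."""
    if reply is None:
        # No answer after retries (or an ICMP unreachable): a filter dropped the probe.
        return "filtered"
    p, r = parse_tcp(probe), parse_tcp(reply)
    if r["sport"] != p["dport"] or r["dport"] != p["sport"]:
        return "unrelated"          # not a reply to this probe
    if r["flags"] & RST:
        return "closed"             # the host answered, nothing is listening
    if r["flags"] & SYN and r["flags"] & ACK and r["ack"] == p["seq"] + 1:
        # Nmap never sends the third ACK; the scanner's kernel replies with a RST
        # instead, so the handshake is never completed on the target.
        return "open"
    return "unknown"


def demo() -> dict:
    """Three constructed replies to one probe against 3389/tcp."""
    probe = build_syn(SCANNER, TARGET, 40000, 3389)
    expected_ack = parse_tcp(probe)["seq"] + 1
    syn_ack = build_tcp(TARGET, SCANNER, 3389, 40000, 0x5EED, expected_ack, SYN | ACK)
    rst = build_tcp(TARGET, SCANNER, 3389, 40000, 0, expected_ack, RST | ACK)
    return {"syn_ack": classify_response(probe, syn_ack),
            "rst": classify_response(probe, rst),
            "silence": classify_response(probe, None)}


if __name__ == "__main__":
    for reply, state in demo().items():
        print(f"{reply:8s} -> {state}")
```

The checksum is the part that trips people up when they try this with a real raw socket: the TCP checksum covers a pseudo-header with both IP addresses, so a probe built for one source address is silently dropped by the target if the kernel sends it from another. tcp_checksum_ok() is the receiver-side check that catches exactly that.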
How to discover the usage of Nmap with VMware Carbon Black Cloud?
An attacker who is already in your network usually needs to do some reconnaissance again to learn which services are running on which devices, and Nmap is often the tool of choice for that. It helps them find their next targets and so lets them move laterally through the network step by step.
With Carbon Black Cloud Enterprise EDR you can create a watchlist to be alerted on the usage of enumeration tools like Nmap.
- Login to your CBC console.
- In the left-hand menu, go to Investigate.
- Type (childproc_name:nmap* OR process_name:nmap*) into the search bar and hit Enter
- Click on Add search to threat report on the top right below the time selector
- Click on Add new to create a new watchlist
- Type in the Name of the watchlist (e.g. Reconnaissance) and provide a description
- Tick the checkbox for Alert on hit
- Create a threat report with the name Enumeration and provide a description
- Provide some tags like reconnaissance, enumeration
- Hit Save
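To see exactly what the watchlist query matches (and what it does not), here is the same logic re-implemented over a handful of constructed process events. This is an added example and not part of the original post or of Carbon Black Cloud: the field names process_name and childproc_name come from the query itself, while cmdline, user and the event records are made up for the example. A second rule, keyed on nmap-specific command-line flags, is added as a hunt heuristic for the case the name-based watchlist misses, a binary that was copied to an innocent-looking name.

```python
"""Added example, not part of the original post or of Carbon Black Cloud: the
watchlist query (childproc_name:nmap* OR process_name:nmap*) run over
constructed process events, plus a command-line heuristic for renamed binaries.
The event records, the cmdline and user fields are made-up sample data."""

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "user": "attacker", "process_name": "nmap", "childproc_name": "",
     "cmdline": "nmap -sS 172.27.0.102"},
    {"id": 2, "user": "attacker", "process_name": "nmap.exe", "childproc_name": "",
     "cmdline": "nmap.exe -sV -p- 172.27.0.0/24"},
    {"id": 3, "user": "svc_backup", "process_name": "bash", "childproc_name": "nmap",
     "cmdline": "bash -c \"nmap -sn 10.0.0.0/24\""},
    # nmap copied to a benign-looking name: the name-based query cannot see it.
    {"id": 4, "user": "attacker", "process_name": "svchost.exe", "childproc_name": "",
     "cmdline": "svchost.exe -sS -Pn --min-rate 500 172.27.0.0/24"},
    {"id": 5, "user": "alice", "process_name": "chrome.exe", "childproc_name": "",
     "cmdline": "chrome.exe --profile-directory=Default"},
]

# Flags specific enough to nmap to be worth matching on their own.
NMAP_FLAGS = {"-sS", "-sT", "-sU", "-sN", "-sF", "-sX", "-sV", "-sC",
              "-Pn", "-p-", "--min-rate", "--top-ports", "--script", "-oA", "-oG"}


def matches_watchlist(event: dict) -> bool:
    """The post's query: a case-insensitive 'nmap' prefix on either name field."""
    return any(event[field].lower().startswith("nmap")
               for field in ("childproc_name", "process_name"))


def looks_like_nmap_cmdline(event: dict) -> bool:
    """Heuristic for a renamed binary: two or more nmap-specific flags on the command line."""
    tokens = event["cmdline"].split()
    return sum(token in NMAP_FLAGS for token in tokens) >= 2


def hunt(events) -> list:
    """Return (event id, rule that fired, user) for every event worth triaging."""
    hits = []
    for event in events:
        if matches_watchlist(event):
            hits.append((event["id"], "watchlist", event["user"]))
        elif looks_like_nmap_cmdline(event):
            hits.append((event["id"], "cmdline-heuristic", event["user"]))
    return hits


if __name__ == "__main__":
    for event_id, rule, user in hunt(EVENTS):
        print(f"event {event_id}: {rule} fired, run by {user}")
```

Event 4 is the one to watch: the watchlist query matches nothing because the binary is no longer called nmap, and only the flag heuristic flags it. Heuristics like this produce more false positives than an exact name match, so keep them as a hunting query rather than an auto-alert unless the flag combination is unambiguous in your environment.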
As soon as the watchlist is created, we get an alert on every hit whenever Nmap is used in the environment.
If we want more details, we can open the process triage to see how Nmap was used and by which user; file modifications, network connections and process information are shown there in more detail. The hunt can begin.
We can also add Nmap to our Banned List to block it from running, either via Enterprise EDR through hash banning (Take Action > Add to banned list) or via a policy blocking rule. Keep in mind that both controls key on the binary itself: the watchlist query matches on the process name and a hash ban only matches that exact build, so an attacker who renames or recompiles nmap slips past both. Treat them as a first net, not as complete coverage.