Introduction to Nmap

Before I begin: I have always carried a small notebook with me to jot down the most common flags I use when tackling CTF challenges. Here are some of my go-to flags:

-sV: service and version detection
-sC: run the default scripts
-T4: faster timing template
-p-: scan all ports

I’m excited to expand this list as I learn more about Nmap and Bash.

This post will break down each command in HTB Academy and provide a different perspective on some concepts rather than a detailed explanation of what Nmap can do. If you are going to try this module for yourself, go to the Nmap module in Hack The Box. If you want to sign up, use my referral link to register and win cubes with me!

Breaking down Host Discovery Commands

On Scan Network Range we have the command:

nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

So what really is each flag, and how do they affect the output?

Running nmap 10.129.2.0/24 will scan the subnetwork and return the hosts and their open ports.

Nmap scan with no flags

Adding -sn disables port scanning, so ports no longer appear in the output.

Nmap scan with sn flag

The -oA flag, when I ran it, didn’t change the output from just running nmap with the -sn flag. It turns out the -o family of flags controls output. We have:

-oN for normal output
-oX for XML output
-oG for Grepable output
-oS for output in l33t format

And we have a convenient flag, -oA, which returns normal, XML, and Grepable outputs all together. So after running nmap 10.129.2.0/24 -sn -oA tnet, there will be 3 files in our directory: tnet.nmap, tnet.gnmap, and tnet.xml.

Then we have | grep for | cut -d" " -f5. grep is used to search for strings in files or in text piped to it. So | grep for keeps only the lines of the output that contain the word for. The previous scans produce output in the format:

Nmap scan report for <ip>
Host is up (_ latency)

Therefore, | grep for returns the lines Nmap scan report for <ip>.

Nmap with grep

Finally, there is cut, a command that prints selected parts of lines. The flag -d stands for delimiter and -f for field. Using -d without -f will prompt you to Try 'cut --help', and using -f without -d will return the same output we got when running grep.

Cut with d flag

When the flag is given as -d" ", it says that the delimiter is a space. Manually, if we take Nmap scan report for <ip> and split it on " ", we no longer have one string but five separate fields: Nmap, scan, report, for, <ip>. The original command uses -f5, but what if I continue with the previous cut and use -f1?

[*]$nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f1
Nmap
Nmap
Nmap
Nmap
Nmap

The only thing printed is Nmap. From splitting the string ourselves, we know that <ip> is the fifth field (index four if we were counting from zero like a programmer, but anyway). Therefore, using -f5 returns:

Nmap original string
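To see each stage of that pipeline without running a scan, here is an added example (my own, not code from the post or from HTB Academy) that runs grep and cut over constructed sample output in Nmap's normal format, and also reads the same host list from the grepable file that -oA writes (tnet.gnmap). All addresses and the hostname are constructed placeholders. It also shows one caveat the post does not mention: when reverse DNS resolves a name, the normal output reads Nmap scan report for name (ip), so field 5 is the name rather than the address, whereas the Host: line in the .gnmap file always has the address as its second field.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from HTB Academy.
# Reproduces "| grep for | cut -d' ' -f5" offline on CONSTRUCTED sample
# output so each stage can be checked without a scan. All addresses and
# names below are placeholders, not real scan results.

# Constructed imitation of nmap's normal (-oN / stdout) format for a -sn scan.
# Second host: when reverse DNS resolves, nmap prints the hostname first and
# the address in parentheses.
SAMPLE_NMAP_OUTPUT='Starting Nmap ( https://nmap.org ) at 2024-01-01 00:00 UTC
Nmap scan report for 10.129.2.4
Host is up (0.0012s latency).
Nmap scan report for printer.example (10.129.2.10)
Host is up (0.0020s latency).
Nmap scan report for 10.129.2.11
Host is up (0.0018s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

# Constructed imitation of the grepable (-oG / tnet.gnmap) format for the
# same scan: one "Host:" line per live host with address, name in parentheses
# (empty when none) and status. The real file separates columns with tabs;
# awk splits on tabs and spaces alike, so spaces are used here.
SAMPLE_GNMAP_OUTPUT='# Nmap scan initiated on a constructed sample
Host: 10.129.2.4 ()   Status: Up
Host: 10.129.2.10 (printer.example)   Status: Up
Host: 10.129.2.11 ()   Status: Up
# Nmap done'

# The post's pipeline with the field number as a parameter: "grep for" keeps
# the "Nmap scan report for ..." lines, cut -d" " splits them on single
# spaces, and -fN prints the Nth field.
nmap_report_field() {
    local field="$1"
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | grep for | cut -d" " -f"$field"
}

# The same host list from grepable output: the address is always the 2nd
# field of a "Host:" line, whether or not a hostname resolved.
gnmap_hosts() {
    printf '%s\n' "$SAMPLE_GNMAP_OUTPUT" | awk '/^Host:/ { print $2 }'
}

# Stand-alone demo (the functions above are what matter).
echo "-f1 gives:"
nmap_report_field 1
echo "-f5 gives (note the hostname, not an address, for the 2nd host):"
nmap_report_field 5
echo "Field 2 of the .gnmap Host: lines gives:"
gnmap_hosts
```

If you only want addresses in hosts.lst, reading tnet.gnmap (or adding -n to skip reverse DNS, as the post does later) avoids the hostname surprise.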

On Scan IP List we have the command:

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

We get a new flag: -iL. So, what happens if we run the command:

Failed nmap

Whoops. What happened? I forgot to read what the flag does: -iL performs the defined scans against the targets listed in hosts.lst, and I hadn't created that file yet.

I'll use the previous result and send it to hosts.lst. So I'll run the command nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5 and add > hosts.lst. The > redirects the output into the file.

A fun fact I'd like to add here: while > overwrites, >> appends. So if the file already has contents, > discards them and writes the new output, whereas >> keeps them and appends the new output at the end.

Once hosts.lst exists, running the command returns

il flag with host.lst

Which makes sense, since it was the previous scan that told us those hosts were up.

These IPs can also be given directly as <ip0> <ip1> ... <ip2>, and a neat trick is that a contiguous run can be written as a range, <ip0>-<ip2>. So instead of listing ...10 ...11 ...12 ...13 ...14 ...15 ...16, you can specify ...10-...16. Just as we can specify several IPs, we can also give a single IP <ip>.
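As an added example (my own, not the post's code), the following shell functions build a hosts.lst the way the post describes, using > to start the file and >> to append, and expand the last-octet range notation so you can see exactly which addresses a line like 10.129.2.10-16 stands for. The expansion handles only the simple A.B.C.X-Y form; Nmap itself accepts more (ranges in any octet, CIDR), and nmap -sL <target> lists what a target specification expands to without scanning anything.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Builds a hosts.lst with ">"
# (truncate) and ">>" (append) and expands nmap's last-octet range notation.
# Works in a temp file so nothing in the current directory is touched; no
# scan is run. Addresses are the placeholders used in the post.

# Expand "A.B.C.X-Y" to one address per line; plain addresses pass through.
# Only the last-octet form is handled here (an assumption for the demo).
expand_last_octet_range() {
    local spec="$1"
    case "$spec" in
        *-*)
            local prefix="${spec%.*}"     # A.B.C
            local range="${spec##*.}"     # X-Y
            local lo="${range%-*}" hi="${range#*-}"
            local i="$lo"
            while [ "$i" -le "$hi" ]; do
                printf '%s.%s\n' "$prefix" "$i"
                i=$((i + 1))
            done
            ;;
        *)
            printf '%s\n' "$spec"
            ;;
    esac
}

# Write a host list: ">" starts the file empty (discarding any old content),
# then ">>" appends the expansion of each target spec. Prints the number of
# lines the file now holds.
build_hosts_file() {
    local file="$1"
    shift
    : > "$file"
    for spec in "$@"; do
        expand_last_octet_range "$spec" >> "$file"
    done
    wc -l < "$file" | tr -d ' '
}

# Stand-alone demo.
demo_file=$(mktemp)
echo "Targets written: $(build_hosts_file "$demo_file" 10.129.2.4 10.129.2.10-16)"
cat "$demo_file"
echo "After a second call with a single IP (file was truncated by >):"
echo "Targets written: $(build_hosts_file "$demo_file" 10.129.2.80)"
cat "$demo_file"
rm -f "$demo_file"
```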

Next on Scan Single IP we have

nmap 10.129.2.80 -sn -oA host -PE --packet-trace 

Let’s break it into two: -PE and --packet-trace.

Using -PE shows the same result as without it.

Nmap using pe

So, what is the difference? That’s where --packet-trace comes in handy. --packet-trace is self-explanatory: you’ll see what is sent and what is received. With -PE we only see ICMP echo requests.

Nmap pe packet trace

Without -PE, we see both TCP and ICMP probes.

Nmap no PE

The next flags were --reason, which displays why Nmap considers the host alive (which probe got a reply), and --disable-arp-ping, which is self-explanatory.

Hint for solving the question: default TTL values differ between operating systems.

Breaking down Host and Port Scanning

We begin with

nmap 10.129.2.28 --top-ports=10 

--top-ports uses the port frequency data in Nmap's services database, and we specify how many of the most common ports we want. We can scan the top 5 or 10, up to 1000.

Nmap scanning top 1 port
Nmap scanning top 5 ports
Nmap scanning top 10 ports
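Where those top ports come from: Nmap ranks ports by the open-frequency column of its nmap-services file (commonly /usr/share/nmap/nmap-services), so --top-ports N is the N highest entries for the protocol being scanned, and -F is the same ranking cut at 100. The following added example (mine, not the post's or Nmap's own code) reproduces that selection over a constructed excerpt in the file's format with illustrative frequency values; run the same awk and sort over the real file to see the actual list.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Nmap. Selects the N most
# frequent ports per protocol the way --top-ports does, from a CONSTRUCTED
# excerpt in nmap-services format: "name port/proto frequency [# comment]".
# Frequencies here are illustrative, not a copy of the real file.
SAMPLE_NMAP_SERVICES='# Constructed excerpt in nmap-services format
http 80/tcp 0.484143 # World Wide Web HTTP
telnet 23/tcp 0.221265
https 443/tcp 0.208669
ftp 21/tcp 0.197667
ssh 22/tcp 0.182286
smtp 25/tcp 0.131314
snmp 161/udp 0.433467
dhcps 67/udp 0.228010
domain 53/udp 0.213496
ntp 123/udp 0.175005'

# top_ports N [tcp|udp]: print the N highest-frequency port numbers for the
# protocol (default tcp). Skips comment lines, keeps "frequency port" pairs
# for the wanted protocol, sorts numerically descending, takes N, prints port.
top_ports() {
    local n="$1" proto="${2:-tcp}"
    printf '%s\n' "$SAMPLE_NMAP_SERVICES" \
        | awk -v proto="$proto" '!/^#/ { split($2, pp, "/"); if (pp[2] == proto) print $3, pp[1] }' \
        | sort -rn \
        | head -n "$n" \
        | awk '{ print $2 }'
}

# Stand-alone demo: what --top-ports=3 and -sU --top-ports=2 would pick from
# this excerpt (-F would be the same selection with N=100).
echo "top 3 tcp:"; top_ports 3
echo "top 2 udp:"; top_ports 2 udp
```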

Getting into Nmap - Trace the Packets, we are shown the following:

nmap <ip> -p 21 --packet-trace -Pn -n --disable-arp-ping

-p defines the port. We can change this port to be 80 (HTTP), 22 (SSH), 23 (telnet), or the specific port we want to scan.

Nmap port 21 scan
Nmap port 22 scan
Nmap port 23 scan
Nmap port 80 scan

As seen in the previous section, a simple nmap <ip> -p21 --packet-trace shows that Nmap sends both TCP and ICMP packets.

Nmap p21 packet trace

TCP communicates that a port is closed by setting the RST flag in the response:

Nmap p21 no ICMP

The RCVD line shows the flags RA, meaning both the RST and ACK flags are set.

I did not need -n here, but it disables DNS resolution.
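--packet-trace output is easier to read once you know its columns. The script below is an added example (not from the post) that summarises a constructed trace in the format shown above: it counts SENT and RCVD lines per protocol, pulls the TCP flags out of the reply from a given port (RA meaning RST+ACK, i.e. closed; a bare R is the RST answering the ACK probe), and collects the TTL of every received packet, which is the value the earlier hint about operating systems refers to. The trace lines are constructed to resemble default host discovery followed by a -p 21 probe against 10.129.2.80 from a made-up scanner address 10.10.14.2; they are not a real capture.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Parses a CONSTRUCTED
# --packet-trace excerpt: default host discovery (ICMP echo, TCP SYN to 443,
# TCP ACK to 80, ICMP timestamp) and then a SYN to port 21. Scanner address
# 10.10.14.2 is made up; 10.129.2.80 is the placeholder used in the post.
SAMPLE_TRACE='SENT (0.0300s) ICMP [10.10.14.2 > 10.129.2.80 Echo request (type=8/code=0) id=1 seq=0] IP [ttl=64 id=1 iplen=28 ]
SENT (0.0301s) TCP 10.10.14.2:40000 > 10.129.2.80:443 S ttl=64 id=2 iplen=44 seq=0 win=1024 <mss 1460>
SENT (0.0302s) TCP 10.10.14.2:40000 > 10.129.2.80:80 A ttl=64 id=3 iplen=40 seq=0 win=1024
SENT (0.0303s) ICMP [10.10.14.2 > 10.129.2.80 Timestamp request (type=13/code=0) id=1 seq=0] IP [ttl=64 id=4 iplen=40 ]
RCVD (0.0310s) ICMP [10.129.2.80 > 10.10.14.2 Echo reply (type=0/code=0) id=1 seq=0] IP [ttl=128 id=9 iplen=28 ]
RCVD (0.0311s) TCP 10.129.2.80:80 > 10.10.14.2:40000 R ttl=128 id=0 iplen=40 seq=0 win=0
SENT (0.0320s) TCP 10.10.14.2:40001 > 10.129.2.80:21 S ttl=64 id=5 iplen=44 seq=0 win=1024 <mss 1460>
RCVD (0.0330s) TCP 10.129.2.80:21 > 10.10.14.2:40001 RA ttl=128 id=0 iplen=40 seq=0 win=0'

# Count lines per direction and protocol: column 1 is SENT/RCVD, column 3 is
# the protocol. Output is sorted so it is stable, e.g. "SENT ICMP 2".
trace_counts() {
    printf '%s\n' "$SAMPLE_TRACE" \
        | awk '$1 == "SENT" || $1 == "RCVD" { c[$1 " " $3]++ } END { for (k in c) print k, c[k] }' \
        | sort
}

# TCP flags in the reply coming from a given port. In a TCP line, column 4 is
# "src:port", column 6 is "dst:port" and column 7 holds the flags.
tcp_reply_flags() {
    local port="$1"
    printf '%s\n' "$SAMPLE_TRACE" \
        | awk -v p="$port" '$1 == "RCVD" && $3 == "TCP" { split($4, src, ":"); if (src[2] == p) print $7 }'
}

# Distinct TTLs of received packets. ICMP lines carry "[ttl=N" inside the
# IP bracket, TCP lines carry a bare "ttl=N", so strip up to "ttl=".
reply_ttls() {
    printf '%s\n' "$SAMPLE_TRACE" \
        | awk '$1 == "RCVD" { for (i = 1; i <= NF; i++) if ($i ~ /ttl=/) { sub(/^.*ttl=/, "", $i); print $i } }' \
        | sort -u
}

# Stand-alone demo.
echo "Probes per direction/protocol:"; trace_counts
echo "Flags in the reply from port 21: $(tcp_reply_flags 21)"
echo "Flags in the reply from port 80: $(tcp_reply_flags 80)"
echo "TTL values seen in replies:"; reply_ttls
```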

Getting into Connect Scan, not much Nmap is run, but we can gather a few bits of information:

The flags -Pn -n --disable-arp-ping --packet-trace are useful for observing the sent and response packets.

  • A firewall can cause a TCP packet to be dropped or rejected.

  • Dropped packets give no response, so the scan takes longer than usual.

  • Rejected packets do get a response and show up as unreachable.

TCP is useful because it requires a three-way handshake, which is why we can determine whether a port is open, closed or filtered. UDP, however, has no handshake. A UDP scan takes longer, but admins may have forgotten about their UDP services.

Let's break down the UDP scan flags in the following command.

nmap 10.129.2.28 -F -sU

-sU performs a UDP scan and -F (fast) scans the top 100 ports.

Starting with the -F flag. With no scan type specified, -F does a TCP scan:

Nmap using F flag

If -sS is specified, the result is the same, since that is the scan Nmap was already running:

Nmap F flag with TCP

Adding -sU we receive different open|filtered ports:

Nmap UDP scan

Before the next part, a note from my notebook: I use the -p- flag a lot, since there may be services running on other ports. This is where -T4 comes in: -p- on its own is slow, and -T4 makes it a bit faster. The -T flag selects a timing template.

Breaking down Saving the Results

This follows on from the first section and the -oA flag. Based on what we learned in the previous two sections, this section is chill, and the only command worth writing down is

xsltproc target.xml -o target.html

which renders the .xml as an HTML page.

XML shown in an HTML page

This is it for today. I'll continue tomorrow, finishing Host Enumeration and going into Bypass Security Measures. Thank you for reading; if you have any comments or would like to connect, I am always eager to chat on my LinkedIn.
