Why I love using NMAP

Whether you’re in the Information Security industry,played Capture The Flags competitions or maybe you’re just someone that likes Cyber Security. You probably have heard the tool named NMAP.

What is NMAP?

Basically short for Network Mapper, it’s used by numerous professionals for network discovery and security auditing.

What makes NMAP special?

Let me save you some time and read it on the official nmap page.

They also are featured in some popular movies.

Example of NMAP in action? Sure

Enough talking. Let me walk the talk.

There are different versions of NMAP, if you prefer GUI and fancy displays you might want to use Zenmap which is also found on the nmap page. But if you’re a command line hero like me you can use nmap executable/binary whatever you want to call it.

That’s a lot of output!
  • Okay so first of all, to use nmap in the terminal or command prompt. Basically we first call the name of the tool or binary which is nmap .
  • How I like to supply arguments or information to nmap is :
nmap <target>  
  • By default NMAP scans for top 1000 ports if you didn’t supply any flags.
  • What are flags you might ask?
nmap <target> -sCV
  • See that -sCV ? It’s short for -sV and -sC . -sV stands for probe the port to determine the version or service. Basically if we scan port 80, -sV will knock on the door and ask questions like

Who are you? Oh you’re a HTTP service?

How old are you? Oh you’re Apache 2.4.7?

  • -sC basically stands for run default scripts. NMAP has a lot of scripts to run against a target, that’s another blog post for another day.
  • How do I know all this? It’s from muscle memory and the help command is always there. nmap -h outputs :
Yes there’s a lot of flags you can supply to NMAP!

Still want to see how NMAP script works? Sure.

  • So earlier in the screenshot, we saw in the http-generator that it’s running Drupal 7.
  • If you don’t know Drupal 7, it’s basically a content management system. Think of it like brothers of WordPress. It’s something you use to create a blog or perhaps a website for your customers.
  • From my experience, I already know Drupal 7 is usually a red flag and is usually exploitable.
  • Sure I can use any scripts or scanners to detect or exploit the vulnerability but let’s use NMAP
  • Searching on the nmap page, there is a script we can use for this called http-vuln-cve2014-3704
  • How do we use the script? Let’s look at the nmap official page.
nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" <target>
  • Whoa, that’s a lot. First of all we use --script flag to specify what script we want to use in this case http-vuln-cve2014-3704 .
  • The script has arguments we can supply with --script-args and the argument is called http-vuln-cve2014-3704.cmd= and we can supply any command we want. In this case, we are running uname -a which is basically print the OS version of the system.
  • Finally it expects another argument which is http-vuln-cve2014-3704.uri= and it is default set at /drupal so thats fine.
  • And finally we just enter our target!
It works!
  • For my solution, I basically added the -p flag which means specify which port we want to target and basically since I know Drupal 7 was running on port 80 we set it to that. Do know that, you can use set target in my case it was 192.168.64.193 anywhere whether it is in the front or in the back of the command.
  • Here we can see some info outputted from NMAP.
  • You might not understand it but that’s another blog post for another day.

Conclusion

NMAP super cool tool. Rustscan is also something that I use for port scanning and can be used together with NMAP to make a perfect combo. But mastering and using NMAP is a step that you must take.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
FarisArch

FarisArch

Student that loves FOSS and hacking