Intro to Scanning for the National Cyber League Games

Discovering Hidden Secrets with Nmap

Hello all! And welcome to my next installment in the Player Ambassador training series. This time our topic is nmap scanning: what it does and how to tailor your scans to your competition needs. If you already have a solid understanding of this topic, skip down to Commands for the juicy details. If you’re not using Kali or don’t have nmap installed yet, go to nmap’s official site for the official download and install guide.

Background

When trying to find vulnerabilities on a target server, port scanning the box would be your second step. Step one would be open-source intelligence gathering against your target, of course. 😉 Applications or software running on a server will sometimes be listening for traffic from the open internet on different ports. For example: if you’re connecting to a web server, it will be listening for your connection on either port 80 (HTTP, insecure) or port 443 (HTTPS, secure). If you need to transfer files to or from a machine you have credentials for, you can connect to port 21 (FTP, File Transfer Protocol). Need to remotely execute commands or access files? Try port 22 (SSH, Secure Shell), assuming you are authorized to log in. The above are standard on most computers, but even games you download or software you install might be listening for data on specific ports of your machine. For more info on standard ports, you can review this list.

Why is this important? If a server has unsecured services listening on open ports, you might be able to remotely access data with default credentials, or even none at all. Certain business software can be hopelessly outdated as well, and vulnerable to a host of compromising attacks.

Summary

Flag      Use                                                   Example
-sS       TCP SYN scan                                          nmap -sS scanme.nmap.org
-sT       TCP connect scan                                      nmap -sT scanme.nmap.org
-sU       UDP port scan                                         nmap -sU scanme.nmap.org
-sV       Version detection                                     nmap -sV -sU scanme.nmap.org
-Pn       Assume all hosts are up (skip host discovery)         nmap -Pn -sS scanme.nmap.org
-T (0-5)  Timing template (scan speed, 0 slowest to 5 fastest)  nmap -sS -T4 scanme.nmap.org
-p        Port numbers to scan                                  nmap -p 1-65535 scanme.nmap.org

Pressing control + x (or almost any other key) while a scan is running prints a status line, including an estimate of how much time the scan has left to complete.

Commands

The general format for Nmap commands is:

nmap [scan type] [options] {target}

There are 3 main ways you can specify targets:

IPv4 45.33.32.156
IPv6 2600:3c01::f03c:91ff:fe18:bb2f
Host Name scanme.nmap.org

There are ways to specify a range of target hosts, but the NCL will generally have you focus on one target host at a time.

Using just the nmap command with an IP address or hostname will scan the 1,000 most commonly used TCP ports on the target (which is why port 31337 shows up in the default scans below even though it is nowhere near the first 1,000 port numbers). Though this is a good starting point, the competition is looking for a little more than that. The -p flag allows you to specify which ports to scan. There are a couple of different ways to format it (a list like -p 22,80 or a range like -p 1-1024), but your best friend will be -p-, which scans all available ports (1-65535).
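To make the -p formats concrete, here is a small Python function I am adding to this post as an illustration (my own code, not nmap’s parser). It expands an nmap-style -p value into the ports it covers, following the rules in nmap’s documentation: comma-separated entries, a-b ranges, a bare - for 1-65535, open-ended -100 or 100-, and T:/U: prefixes that apply to every entry after them until the next prefix. It does not model every corner of nmap’s real parser (port 0, service names in place of numbers, wildcards).

```python
from typing import Dict, List, Set

MAX_PORT = 65535


def expand_port_spec(spec: str) -> Dict[str, List[int]]:
    """Expand an nmap-style -p value into sorted port lists for tcp and udp.

    Modeled on nmap's documented syntax (an illustration, not nmap's own
    parser): "22,80", "1-1024", "-" (everything), "-100", "100-", and
    "U:53,T:21-25,80" where a T:/U: prefix sticks until the next prefix.
    Entries with no prefix apply to whichever protocols you actually scan.
    """
    chosen: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    targets = ("tcp", "udp")  # no prefix seen yet: entries apply to both
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port specification")
        if item[:2].upper() in ("T:", "U:"):
            targets = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:]
        if item == "-":
            lo, hi = 1, MAX_PORT
        elif "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo = int(lo_text) if lo_text else 1
            hi = int(hi_text) if hi_text else MAX_PORT
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range {item!r}")
        for proto in targets:
            chosen[proto].update(range(lo, hi + 1))
    return {proto: sorted(ports) for proto, ports in chosen.items()}


def port_count(spec: str) -> int:
    """Number of port probes the spec implies when both -sS and -sU are used."""
    expanded = expand_port_spec(spec)
    return len(expanded["tcp"]) + len(expanded["udp"])


if __name__ == "__main__":
    # Quick demonstration of the three common spellings from this post.
    for spec in ("-", "22,80,443,8000-8010", "U:53,T:21-25,80"):
        ex = expand_port_spec(spec)
        print(f"{spec:<22} tcp={len(ex['tcp']):>5} udp={len(ex['udp']):>5}")
```

Running it shows why -p- is the competition default: it covers all 65,535 ports, while the shorter forms are only worth it once you already know which ports matter.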

There are two different types of port connections you will most likely be asked about: TCP and UDP. (If you want to learn about the difference between the two, look here.) Nmap scans TCP ports by default, but there are two ways to specify which kind of TCP scan it runs. -sS performs a TCP SYN scan: nmap sends the first packet of the TCP handshake and, once the reply tells it whether the port is open, tears the half-open connection down rather than completing it. It needs raw-socket privileges, so run it as root (or with sudo).

TheBog:~ webwitch$ nmap -sS scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 13:58 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.059s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite  
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

The other way is the -sT flag, which runs a full TCP connect scan using the operating system’s normal connect() call. Targets are more likely to log the connection, but it can be used when the TCP SYN scan isn’t an option (for instance when you can’t run nmap as root). It will, however, give you essentially the same information.

TheBog:~ webwitch$ nmap -sT scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 13:58 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.054s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite  
Nmap done: 1 IP address (1 host up) scanned in 0.94 seconds

We aren’t worried about our target logging the connection in the NCL CTF. If you were to go out into the hacking world on a red-team engagement, scans like these need to be done stealthily, and that’s where the choice between these options comes in handy.

UDP services are less common in the wild, but it’s always possible that they’ll be asked about in competition. If they are, all you have to do is substitute in the -sU flag and you’ll be good to go. Just a note: UDP scans take far longer than TCP scans (the full run below took over eight hours), because nmap has to wait on slow, rate-limited ICMP replies to decide whether a port is closed. So try finishing the TCP scan questions first, or run TCP and UDP in the same scan (-sS -sU) to save time.

TheBog:~ webwitch$ nmap -sU scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 14:02 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.051s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 997 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
123/udp open          ntp
162/udp open|filtered snmptrap  
Nmap done: 1 IP address (1 host up) scanned in 30459.17 seconds

More often than not, there are questions that ask you to identify the program running on a certain port. Thankfully, the -sV flag makes it easy to fingerprint these services. Note that a port reported as tcpwrapped (like 31337 below) accepted the connection and then closed it without sending a banner, so nmap could not identify the software behind it.

TheBog:~ webwitch$ nmap -sS -sV scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 23:31 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.063s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed.
Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.78 seconds

These four flags will get you through a majority of the scanning challenges. If you want to find ways to spice up your scans, there’s always the SANS nmap cheat sheet and this blog post I found myself returning to for reference time and time again. However, it’s good to remember that sometimes simpler is better, and adding on features might just make your scan take longer for ultimately the same result.

Pro Tips

  • Sometimes you try to scan a target and nmap swears up and down that it isn’t active. Some ways to troubleshoot are:
    • Is your computer connecting to the internet properly? Try pinging Google’s public DNS (ping 8.8.8.8). If you can’t connect, then you should probably troubleshoot your internet connection.
    • Connected to the internet? Try adding the -Pn flag to your scan. This skips host discovery: nmap treats the host as up, even if it is skeptical, and sends the port probes anyway.
    • Is it still not giving you a response? Ask the NCL Slack channel. Sometimes the boxes do go down because of how much traffic they are receiving at once. Maybe move on to a different question and come back to try that one later.
  • As always, read the question carefully. I can’t tell you how many times I entered the wrong answer because a question was looking for the software on the highest filtered port and I was answering with the highest open port. Slow and steady will get you to your destination with higher accuracy.
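Both of those question types (which program is on a port, and highest open versus highest filtered port) come down to reading nmap’s output carefully, so here is a small Python helper I am adding to this post as an example. It is my own illustration, not part of nmap or of the original post. It parses nmap’s normal text output into port entries and answers those questions mechanically. The scan text embedded in it is constructed from the -sV output above, with an invented filtered port (135/tcp) and the 162/udp open|filtered line from the UDP scan folded in, so that “highest open” and “highest filtered” actually differ.

```python
import re
from typing import List, NamedTuple, Optional


class PortEntry(NamedTuple):
    port: int
    proto: str      # "tcp" or "udp"
    state: str      # e.g. "open", "filtered", "open|filtered"
    service: str    # nmap's SERVICE column
    version: str    # -sV VERSION column, "" when nmap printed none


# One port line of nmap's normal output: "<port>/<proto> <state> <service> [version]"
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")

# Constructed sample: the scanme.nmap.org -sV results from this post, plus an
# invented filtered port (135/tcp) and the 162/udp open|filtered line from the
# UDP scan, merged as they would appear in a single -sS -sU -sV run.
SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 23:31 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.063s latency).
Not shown: 995 closed ports
PORT      STATE         SERVICE    VERSION
22/tcp    open          ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open          http       Apache httpd 2.4.7 ((Ubuntu))
135/tcp   filtered      msrpc
9929/tcp  open          nping-echo Nping echo
31337/tcp open          tcpwrapped
162/udp   open|filtered snmptrap
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.78 seconds
"""


def parse_nmap_output(text: str) -> List[PortEntry]:
    """Extract every port line from nmap's normal (human-readable) output."""
    entries: List[PortEntry] = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, version or ""))
    return entries


def _matches_state(entry: PortEntry, wanted: str, strict: bool) -> bool:
    # nmap reports "open|filtered" when it cannot tell the two apart (common
    # for UDP). Non-strict matching counts such a port under both states;
    # strict matching only accepts the exact state word.
    if strict:
        return entry.state == wanted
    return wanted in entry.state.split("|")


def highest_port(entries: List[PortEntry], wanted: str,
                 strict: bool = False) -> Optional[PortEntry]:
    """Highest-numbered port in the requested state (the usual NCL phrasing)."""
    candidates = [e for e in entries if _matches_state(e, wanted, strict)]
    return max(candidates, key=lambda e: e.port) if candidates else None


def service_on_port(entries: List[PortEntry], port: int,
                    proto: str = "tcp") -> Optional[str]:
    """The -sV version string if nmap printed one, else its service name."""
    for e in entries:
        if e.port == port and e.proto == proto:
            return e.version or e.service
    return None


if __name__ == "__main__":
    found = parse_nmap_output(SAMPLE_OUTPUT)
    print("software on 80/tcp:", service_on_port(found, 80))
    print("highest open:", highest_port(found, "open"))
    print("highest filtered (incl. open|filtered):", highest_port(found, "filtered"))
    print("highest filtered (strict):", highest_port(found, "filtered", strict=True))
```

The strict flag is the point of the exercise: on the sample, the highest port that might be filtered is 162/udp, but the highest port nmap positively reports as filtered is 135/tcp. Check which reading the question wants before you type an answer.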
