In the previous post of ethical hacking we briefly explain various options to get an enumeration of IP addresses and subdomains when performing an ethical hacking process. If you liked that “this is very safe because who is going to know that this subdomain exists” (that although you cannot believe it, it is more common than it seems), do not miss how the “who is going to know that I put this service in this port with such a strange number”…
In short, in this post we will try to see how it is possible to make an inventory of open ports in an IP or range of IPs, and even identify the technology under an open port, when this is possible. Basically this post is going to focus on the use of a fantastic and essential tool, nmap. Although it is a tool typically used in Linux (and of course included in the reference suite that I use in these posts, Kali), compilations for other operating systems can already be found.
Before going to work, we want to warn that nmap is a complex and complete tool, with a huge amount of options, parameters, etc.; This post is not intended as a manual for the use of the tool but again an introduction to it to understand the identification of services as a phase of ethical hacking prior to the detection of vulnerabilities. To learn more about the tool, we recommend reading their manual.
The Open Source nmap tool allows us to perform network and port scans, being able to scan a single destination, a range, a list of IPs… Based on TCP, UDP, ICMP, SCTP requests, etc. and incorporates various scanning techniques. We recommend in general to refresh some knowledge about transport protocols, for example remembering how the establishment of a TCP connection works with the negotiation in three steps: first, SYN type call from the client to a port, RST response if the port is closed or SYN-ACK if it is open, and the ACK from the client to the server to complete the process. Nmap will rely on these types of messages to determine if a port is listening or not at the destination. Sometimes this cannot be used, or is detected by the remote server, and there are other alternatives for scanning.
General syntax
nmap [ ...] [ ] { }
Our first scan
We can execute the following command:
nmap 45.33.49.119
We are not putting any kind of poll, so use the default poll, TCP SYN. nmap sends a SYN and assumes that the port is open if it receives an ACN SYN. There is also no additional parameter of options, and as a destination there is a single IP. This command will give us a result similar to the following:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-01 18:12 CEST
Nmap scan report for ack.nmap.org (45.33.49.119)
Host is up (0.19s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
70/tcp closed gopher
80/tcp open http
113/tcp closed ident
443/tcp open https
31337/tcp closed Elite
Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds
Returning in a few seconds a list of open ports on that IP, including an SSH, an SMTP mail server, a web server, and a possible back orifice (https://www.speedguide.net/port.php?port=31337).
In many cases, this is simply a first point of analysis although, for example, the software behind an FTP server, SSH, etc., is fully updated and there are no known vulnerabilities. You could start, for example, a brute force attack with a dictionary on the SSH or FTP trying to access (there are a huge number of servers of this type with default or insecure credentials).
There are automatic tools (bots) that are basically continuously scanning wide ranges of IPs looking for recognizable open ports, for example database (MongoDB, MySQL, PostgreSQL, etc.), and when they detect an open port, they automatically attempt a login with default credentials. For example, in the case of typical LAMP / WAMP installations, a root / access to the mySQL port. And basically, a huge number of databases have been hacked without prior human intervention. This is viable even if we have it open in another port, since it is possible to identify in many cases that what is in port 5555 “to mislead”, to say something, is a mySQL through the fingerprint of the service, as we will see more ahead.
In short, it is very dangerous to leave credentials by default on web servers, routers, FTPs, SSHs, databases … because no one needs to have a mania, a bot will.

A first parameter
If we want to have some information about how nmap has obtained this information, we can increase the traces with the -v (verbose) or -vv parameter, where we can see that nmap has been issuing SYN commands and in some cases receiving RESET (closed port ), in other SYN-ACK (open port) and in others no response (“filtered”), which can make us understand that a firewall is stopping our request:
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 53
25/tcp open smtp syn-ack ttl 53
70/tcp closed gopher reset ttl 52
80/tcp open http syn-ack ttl 53
113/tcp closed ident reset ttl 52
443/tcp open https syn-ack ttl 53
31337/tcp closed Elite reset ttl 53
Increasing the range of IPs to scan
nmap 192.168.10.0/24 (subred completa)
nmap 192.168.10.1-20 (20 IPs)
nmap 192.168.10.*
nmap 192.168.10.1 192.168.10.2 192.168.10.3
Or for example, imagine that we have been accumulating IPs from our initial enumeration, and we have a file with the different IPs separated by tabs or line breaks (one IP or range per line). We can load the file with the -iL (input list) parameter and thus scan the entire IP inventory. It also allows, for example, to exclude some specific IPs with –exclude or –excludefile.
Defining the ports to scan
We can manually define the ports we want to scan. For example, if we look for web servers on ports 80, 443 and 8080 in a subnet, we could do so with the -p parameter:
nmap -p 80,443,8080 192.168.10.0/24
We can also ask nmap to scan the “N” (integer) most common ports; For example, to scan the 25 most common ports in a range of IPs:
nmap --top-ports 25 192.168.10.0/24
Receiving an answer like this:
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp open domain
80/tcp open http
110/tcp closed pop3
111/tcp open rpcbind
135/tcp closed msrpc
139/tcp open netbios-ssn
143/tcp closed imap
199/tcp closed smux
443/tcp closed https
445/tcp open microsoft-ds
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s
1025/tcp closed NFS-or-IIS
1720/tcp closed h323q931
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5900/tcp open vnc
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook
We can ask that all TCP, UDP and SCTP ports (slower) with the identifier -p- be scanned:
nmap -p- 192.168.10.0/24
Identifying operating systems and services
As we see, nmap allows us to detect ports that are listening on an IP or a range. Later we will also see how other survey techniques can be defined. In addition, nmap allows us to try to identify what technology (product, version, etc.) is behind an open port, or even the operating system installed on a server, with the -O and -sV parameters. This detection is based on the “signature” (fingerprint) of the answers that the service gives to certain calls.
nmap -O -sV 192.168.10.5
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Raspbian 5+deb8u3 (protocol 2.0)
53/tcp open domain ISC BIND 9.9.5 (Raspbian Linux 8.0 (Jessie based))
80/tcp open http Apache httpd 2.4.10 ((Raspbian))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
4567/tcp open http Jetty 9.4.8.v20171121
5900/tcp open vnc RealVNC Enterprise 5.3 or later (protocol 5.0)
MAC Address: B8:27:EB:CD:FE:89 (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RASPBERRYPI; OS: Linux; CPE: cpe:/o:linux:linux_kernel
In this case, we not only know that this machine has certain open ports. It also tells us that it is a Raspberry running Raspbian (with which, for example, we could do a brute force test with a user “pi”, who is the default user), and the versions of the different ports that are listening, so that this information can be used to exploit vulnerabilities over unpatched versions, etc.
Using more polling techniques
By default nmap uses SYN as a polling technique. It is a fast and not very intrusive / detectable technique, but sometimes, but it supports a total of 12 different techniques that we can define as parameters, as we can see in the tool’s user manual.
For example, if we want to do a scan based on UDP calls, we can make a call of the type:
nmap -sU 192.168.10.5
Searching for vulnerabilities with nmap
Although there are more “comfortable” and specific tools for the search for vulnerabilities, such as Nessus, or suites such as Metasploit that consolidates various tools, nmap also allows us to perform vulnerability analysis.
To do this, it uses a series of Lua scripts that are located in a path of our machine (in the case of Kali, in / usr / share / nmap / scripts /) and that can be invoked with –script or its equivalent -sC .
Scripts can belong to one or several categories, so we can ask nmap to evaluate, for example, all scripts in a category against a host. There are some especially interesting categories such as “vuln” (scripts dedicated to detecting vulnerabilities at the destination), “exploit”, etc.
For example, if we want to scan the vulnerability category scripts against a host:
nmap --script vuln scanme.nmap.org
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=scanme.nmap.org
| Found the following possible CSRF vulnerabilities:
|
| Path: http://scanme.nmap.org:80/
| Form id: cse-search-box-sidebar
|_ Form action: https://nmap.org/search.html
|http-dombased-xss: Couldn't find any DOM based XSS. | http-enum: | /images/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)' | /shared/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. By doing so, it starves the http server's resources causing Denial Of Service.
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9929/tcp open nping-echo
31337/tcp open Elite
As we can see, the script has detected a potential vulnerability based on the Slowloris denial of service attack. If we analyze the scripts that are in the route mentioned above, we see that there is precisely one that exploits this vulnerability, called http-slowloris. If we want more information about the script we can launch the following command:
nmap --script-help http-slowloris
Explaining how the script works, how to launch it (it is also possible to do it with the nmap itself with –script and –script-args), etc. We can also obtain for example a description of all scripts that look for vulnerabilities:
nmap --script-help vuln
We can also for example launch all scripts of a certain type. For example, if we want to scan vulnerabilities over SMB protocol on a given host:
nmap --script smb-* 192.168.10.5
We can also, for example, assess a vulnerability over our entire network, choosing a specific script against a range. The –script parameter
nmap --script-help vuln
nmap --script
In short, nmap even includes interesting options to assess vulnerabilities and even launch exploits, although there are other tools commonly used for this purpose.

Other interesting options
As we have commented, nmap has many options and it is impossible to try to cover even a small percentage in a post. In fact, there is an official nmap book of almost 500 pages… But in any case we try to comment here some that seem interesting.
As we have commented, nmap has many options and it is impossible to try to cover even a small percentage in a post. In fact, there is an official nmap book of almost 500 pages… But in any case we try to comment here some that seem interesting.
- The tool allows you to generate the scan result in a processable output file, for example, in XML format, with -oX or -oN .
- When we scan wide ranges of IPs, we can disable the DNS reverse resolution attempt with the -n parameter.
- During the execution of a command we can increase the level of information displayed on the console (verbosity) by pressing the “V” key.
- If we have a firewall that cuts us, we can try -Pn.
In short, we have tried to develop a “brief” introduction to nmap as a tool for identifying open ports and services on a host or range of IPs. In later posts we will see other ways to detect vulnerabilities.
All set?
It’s time to handle documents more efficiently