Ethical hacking: identification of services with nmap

In the previous ethical hacking post, we briefly explained several options to obtain an enumeration of IP addresses and subdomains when performing an ethical hacking process. If you liked that “this is very safe because who will know that this subdomain exists” (although you can not believe it, it is more common than it seems), do not miss how the “who will know that I put this service on this port with such a strange number” ends badly … Let’s talk about service identification with nmap.

In short, in this post we will try to see how it is possible to make an inventory of open ports on an IP or range of IPs, and even identify the technology underneath an open port, when possible.

Basically this post is going to focus on the use of a fantastic and essential tool, nmap. Although it is a tool typically used in Linux (and of course included in the reference suite I use in these posts, Kali), you can already find compilations for other operating systems.

Before getting into the nitty-gritty, we would like to warn you that nmap is a complex and complete tool, with a huge amount of options, parameters, etc.; this post is not intended to be a manual for using the tool but again an introduction to it in order to understand the identification of services as a phase of ethical hacking prior to the detection of vulnerabilities. To learn more about the tool, we recommend reading its manual.

The Open Source tool nmap allows us to perform network and port scans, being able to scan a single destination, a range, a list of IPs… it is based on TCP, UDP, ICMP, SCTP, etc. requests and incorporates several scanning techniques.

We recommend in general to refresh some knowledge about transport protocols, for example by remembering how the establishment of a TCP connection works with negotiation in three steps: first, SYN-type call from the client to a port, RST response if the port is closed or SYN-ACK if it is open, and the ACK from the client to the server to complete the process. nmap will rely on these types of messages to determine whether or not a port is listening on the destination.

Sometimes this cannot be used, or is detected by the remote server, and there are other alternatives for scanning.

General syntax and first scan

General syntax:

nmap [  ...] [  ] {  }

Next, we proceed to perform the first scan:

We execute the command:


We are not setting any type of scan, so it uses the default scan, TCP SYN. nmap sends a SYN and assumes the port is open if it receives a SYN ACK. There are also no additional option parameters, and as a destination there is a single IP. This command will give us a result similar to the following:

Starting Nmap 7.70 ( ) at 2019-10-01 18:12 CEST
Nmap scan report for (
Host is up (0.19s latency).
Not shown: 993 filtered ports
22/tcp    open   ssh
25/tcp    open   smtp
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed ident
443/tcp   open   https
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds

It returns in a few seconds a list of open ports on that IP, including an SSH, an SMTP mail server, a web server, and a possible back orifice.

In many cases this is simply a first point of analysis even if, for example, the software behind an FTP, SSH, etc. server is fully up-to-date and there are no known vulnerabilities. Already at first you could, for example, launch a brute force dictionary attack on the SSH or FTP server trying to gain access (there are a huge number of such servers with default or insecure credentials).

There are automatic tools (bots) that are basically continuously scanning wide IP ranges for recognizable open ports, for example database ports (MongoDB, MySQL, PostgreSQL, etc.), and when they detect such an open port, they automatically attempt a login with default credentials. For example, in the case of typical LAMP / WAMP installations, a root access / to the mySQL port. And basically this way a huge amount of databases have been hacked without prior human intervention. This is feasible even if we have it open on another port, since it is possible to identify in many cases that what is on port 5555 “to mislead”, to say something, is a mySQL through the fingerprint of the service, as we will see later.

In short, it is very dangerous to leave default credentials on web servers, routers, FTPs, SSHs, databases… because there is no need for anyone to have a bug, a bot will do it.

Scan ips with nmap

A first parameter

If we want to have some information about how nmap has obtained this information, we can augment the traces with the -v (verbose) or -vv parameter, where we can see that nmap has been launching SYN commands and in some cases receiving RESET (port closed), in others SYN-ACK (port open) and in others no response (“filtered”), which can make us understand that a firewall is stopping our request:

PORT            STATE           SERVICE         REASON
22/tcp          open            ssh             syn-ack ttl 53
25/tcp          open            smtp            syn-ack ttl 53
70/tcp          closed          gopher          reset ttl 52
80/tcp          open            http            syn-ack ttl 53
113/tcp         closed          ident           reset ttl 52
443/tcp         open            https           syn-ack ttl 53
31337/tcp       closed          Elite           reset ttl 53

Increasing the range of IPs to be scanned

nmap allows us to determine IP ranges to scan in several ways (it is recommended to analyze the manual or use –help for more complete information). For example:

nmap (subred completa)
nmap (20 IPs)
nmap 192.168.10.*

Or for example, let’s imagine that we have been accumulating IPs since our initial enumeration, and we have a file with the different IPs separated by tabs or line breaks (one IP or range per line). We can load the file with the -iL parameter (input list) and perform the scan of the entire IP inventory. It also allows, for example, to exclude some specific IPs with —exclude or —excludefile.

Defining the ports to be scanned

We can manually define the ports we want to scan. For example, if we are looking for web servers on ports 80, 443 and 8080 in a subnet we could do it with the -p parameter:

nmap -p 80,443,8080

We can also ask nmap to scan the “N” (whole number) most common ports; for example, to scan the 25 most common ports in a range of IPs:

nmap --top-ports 25

Receiving a response like this:

21/tcp    closed   ftp
22/tcp    open     ssh
23/tcp    closed   telnet
25/tcp    closed   smtp
53/tcp    open     domain
80/tcp    open     http
110/tcp   closed   pop3
111/tcp   open     rpcbind
135/tcp   closed   msrpc
139/tcp   open     netbios-ssn
143/tcp   closed   imap
199/tcp   closed   smux
443/tcp   closed   https
445/tcp   open     microsoft-ds
587/tcp   closed   submission
993/tcp   closed   imaps
995/tcp   closed   pop3s
1025/tcp  closed   NFS-or-IIS
1720/tcp  closed   h323q931
1723/tcp  closed   pptp
3306/tcp  closed   mysql
3389/tcp  closed   ms-wbt-server
5900/tcp  open     vnc
8080/tcp  closed   http-proxy
8888/tcp  closed   sun-answerbook

We can ask to scan all TCP, UDP and SCTP ports (slower) with the identifier –p– :

nmap -p-

Identifying operating systems and services

As we can see, nmap allows us to detect ports that are listening on an IP or a range. Later we will also see how other scanning techniques can be defined. In addition, nmap allows us to try to identify which technology (product, version, etc.) is behind an open port, or even the operating system installed on a server, with the -O and -sV parameters. This detection is based on the “signature” (fingerprint) of the responses given by the service to certain calls.

nmap -O -sV

PORT         STATE         SERVICE       VERSION
22/tcp       open          ssh           OpenSSH 6.7p1 Raspbian 5+deb8u3 (protocol 2.0)
53/tcp       open          domain        ISC BIND 9.9.5 (Raspbian Linux 8.0 (Jessie based))
80/tcp       open          http          Apache httpd 2.4.10 ((Raspbian))
111/tcp      open          rpcbind       2-4 (RPC #100000)
139/tcp      open          netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp      open          netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
4567/tcp     open          http          Jetty 9.4.8.v20171121
5900/tcp     open          vnc           RealVNC Enterprise 5.3 or later (protocol 5.0)
MAC Address: B8:27:EB:CD:FE:89 (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RASPBERRYPI; OS: Linux; CPE: cpe:/o:linux:linux_kernel

In this case, not only do we know that this machine has certain ports open. It also tells us that it is a Raspberry running Raspbian (so, for example, we could do a brute force test with a “pi” user, which is the default user), and the versions of the different ports that are listening, so this information can be used to exploit vulnerabilities on unpatched versions, etc.

Using more probing techniques

By default nmap uses SYN as a scanning technique. It is a fast and not very intrusive / detectable technique, but sometimes , but it supports a total of 12 different techniques that we can define as parameters, as we can see in the tool’s user manual.

For example, if we want to do a scan based on UDP calls, we can make a call of the type:

nmap  -sU

Searching for vulnerabilities with nmap

Although there are more “comfortable” and specific tools to search for vulnerabilities, such as Nessus, or suites such as Metasploit that consolidates several tools, nmap also allows us to perform vulnerability analysis.

To do this, it uses a series of Lua scripts that are located in a path on our machine (in the case of Kali, in /usr/share/nmap/scripts/ ) and can be invoked with —script or its equivalent -sC.

Scripts can belong to one or several categories, so we can ask nmap to evaluate, for example, all the scripts of a category against a host. There are some particularly interesting categories such as “vuln” (scripts dedicated to detect vulnerabilities in the target), “exploit“, etc.

For example, if we want to scan vulnerability category scripts against a host:

nmap --script vuln

22/tcp     open       ssh
80/tcp     open       http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20;
|   Found the following possible CSRF vulnerabilities: 
|     Path:
|     Form id: cse-search-box-sidebar
|_    Form action:
|http-dombased-xss: Couldn't find any DOM based XSS. | http-enum:  |   /images/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)' |  /shared/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check: 
|   Slowloris DOS attack
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.  It accomplishes this by opening connections to the target web server and sending a partial request. By doing so, it starves the http server's resources causing Denial Of Service.
|     Disclosure date: 2009-09-17
|     References:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9929/tcp  open  nping-echo
31337/tcp open  Elite

As we can see, the script has detected a potential vulnerability based on the Slowloris denial of service attack. If we analyze the scripts in the aforementioned path, we can see that there is precisely one that exploits this vulnerability, called http-slowloris. If we want more information about the script we can launch the following command:

nmap --script-help http-slowloris

Explaining how the script works, how to launch it (it is also possible to do it with nmap itself with —script and –script-args), etc. We can also get for example a description of all the scripts that search for vulnerabilities:

nmap --script-help vuln

We can also, for example, launch all scripts of a given type. For example, if we want to scan for vulnerabilities on SMB protocol on a given host:

nmap --script smb-*

We can also, for example, evaluate a vulnerability over our entire network by choosing a specific script against a range. The –script parameter

nmap --script-help vuln
nmap --script

In short, nmap even includes interesting options for assessing vulnerabilities and even launching exploits, although there are other tools commonly used for this purpose.

Searching for vulnerabilities with nmap

Other interesting options

As we have said, nmap has a lot of options and it is impossible to try to cover even a small percentage of them in a post. In fact, there is an official nmap book of almost 500 pages… but in any case we try to comment here some of them that seem interesting.

  • The tool allows you to generate the scan result in a processable output file, e.g. in XML format, with -oX or -oN .
  • When scanning wide IP ranges, we can disable the DNS reverse resolution attempt with the -n parameter.
  • During the execution of a command we can increase the level of information displayed on the console (verbosity) by pressing the “V” key.
  • If we have a firewall that cuts us off, we can try –Pn

In short, we have tried to develop a “brief” introduction to nmap as a tool for identifying open ports and services on a host or IP range. In later posts we will see other ways to detect vulnerabilities.


    The best electronic signature solution for your business

    Scroll to Top