Nmap – The Good, the Bad and the Ugly

I will start with a funny comment I found on StackExchange.

Port scanning is more akin to taking a walk around the neighbourhood and trying every handle of a door and every window to see if it’s open, to see if the neighbours have left anything available for future investigation or exploitation/theft.

Anyway, nmap is a useful tool if you use it with good intentions and for white-hat reasons. You can find communication channels, vulnerabilities in your network and much more.

Nmap can discover hosts that are up, and the services they run, by sending ICMP echo requests, TCP packets and many other probes, and analysing the responses. The Nmap manual (man nmap) is useful for getting started.

3 Basic Examples of Nmap commands:

1.  nmap -sn 192.168.0.0/24

With this command, you will see all IPs in your subnet. It scans every single IP from 192.168.0.0 to 192.168.0.255. It is commonly known as a ‘ping scan’ or ‘ping sweep’ and does not do any port scanning (the older -sP option works the same way).

2.  nmap -Pn 192.168.0.0/24

This command skips the ‘ping scan’ and starts scanning all ports of every IP. Some hosts are configured not to respond to ping, so nmap will try to see which ports are open even if the host seems to be down. For an accurate result, this command should be run as superuser.

3.  nmap -O 192.168.0.206

The -O option enables OS detection and can identify the OS of a host. Nmap analyses the fingerprints of the responses and searches its database for operating systems with similar fingerprints.

DoS attack with Nmap

It is really easy to launch a DoS attack (e.g. Slowloris) with Nmap; it can be done by a kid. To test whether a host is vulnerable, you can run nmap --script dos -Pn website.com . This command doesn’t launch the attack (This does).

To investigate a simple DoS attack on the Application Layer, you can find the IP of the attacker by typing

and seeing how many connections there are per IP. If you see 100+ connections, you can drop this IP. Of course, when the application is on the same server as the web server, you will see 127.0.0.1 connections. Don’t drop them.

To prevent DoS attacks on Apache web servers, you can install the reqtimeout module (mod_reqtimeout). Moreover, you can set a maximum of 100 connections per source IP in your firewall.
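The per-IP connection count and the 100-connection threshold described above, as an added example that is not from the original post. It assumes input in the shape of `ss -tn` output (the 5th field is the peer address:port) and builds a constructed sample instead of reading a live server; loopback peers are skipped, as the post advises.

```shell
#!/bin/sh
# Added example (not the post's own command): count connections per remote
# IP from ss-style lines and report the ones at or above a threshold.
# Assumption: each line looks like `ss -tn` output without the header, so
# field 5 is "peer_ip:port" ("[v6addr]:port" for IPv6).

THRESHOLD=${THRESHOLD:-100}

# Print "count ip" for every remote peer, highest count first.
count_per_ip() {
    # $1: file of ss-style lines
    awk 'NF >= 5 { ip = $5; sub(/:[0-9]+$/, "", ip); if (ip != "") c[ip]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Print only the peers whose count meets the threshold, skipping loopback
# so a co-located application behind the web server is never blocked.
flag_sources() {
    # $1: file of ss-style lines, $2: threshold (defaults to $THRESHOLD)
    count_per_ip "$1" | awk -v t="${2:-$THRESHOLD}" \
        '$1 >= t && $2 != "127.0.0.1" && $2 != "[::1]" { print $2 }'
}

# Constructed sample: 120 connections from 203.0.113.5, 150 from loopback
# (app on the same box) and 3 from 198.51.100.9.
make_sample() {
    # $1: output file
    : > "$1"
    i=0; while [ "$i" -lt 120 ]; do
        printf 'ESTAB 0 0 192.0.2.10:80 203.0.113.5:%d\n' $((40000 + i)) >> "$1"
        i=$((i + 1))
    done
    i=0; while [ "$i" -lt 150 ]; do
        printf 'ESTAB 0 0 127.0.0.1:8080 127.0.0.1:%d\n' $((50000 + i)) >> "$1"
        i=$((i + 1))
    done
    for p in 40001 40002 40003; do
        printf 'ESTAB 0 0 192.0.2.10:80 198.51.100.9:%d\n' "$p" >> "$1"
    done
}

# Stand-alone run: only 203.0.113.5 crosses the 100-connection line.
sample=$(mktemp); make_sample "$sample"; flag_sources "$sample"; rm -f "$sample"
```

On a real host you would feed `ss -tn | tail -n +2` into a file and pass it to flag_sources instead of the constructed sample.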

Nmap Scripting Engine

Nmap has a lot of scripts in its NSE documentation. Some of them are useful when you are trying to gather information about a host.
