Beginner-friendly Nmap Tutorial

Posted on September 11, 2019 by Robert Salmans

You know, it seems like every day we’re hearing about new data breaches. Ten million users affected here, 30 million users over there, but don’t worry, everybody gets free credit monitoring!

Now doesn’t that just give you warm fuzzies? Well, none of us want to be responsible for letting something like that happen, and one of the many ways we can help prevent it is to run vulnerability scans and patch what they find. To do this we can use Nmap, a tool for scanning networks: finding hosts, the ports they have open, and the services running on those ports.

(For the full video version of this tutorial please scroll to the end of this post)

To begin

So we’ll start by installing Nmap. I’m on a Kali Linux host that uses the apt package manager, so to install Nmap I’ll use apt-get install nmap. This also works for any Linux system using the apt package manager, such as Ubuntu, Kali or Debian.

If you’re on a Red Hat derivative such as CentOS, Fedora or Red Hat itself, use yum install nmap instead.

If you’re not running Linux at all, for example on a Windows host, head over to https://nmap.org/book/inst-windows.html and use the downloads page, where you’ll find Windows binaries (a setup.exe). Mac binaries are there too, as a .dmg package.

Now that we’ve got Nmap installed, to do a vulnerability scan we’re going to download a script for the Nmap Scripting Engine, which gives Nmap additional capabilities.

These scripts are used to do all kinds of things, but we’re going to use them for vulnerability scanning. So I’m going to switch over to GitHub. Here’s the URL: https://github.com/vulnersCom/nmap-vulners, the nmap-vulners repository.

Now click on the “clone or download” button and copy the URL that populates. But before pasting, switch directories and jump into

root@kali:/# cd /usr/share/nmap/scripts

because this is where all the Nmap scripts reside. Since I’m downloading a new one, I want to put it where all the others are. This way, when I run my Nmap command, Nmap will know exactly where to find it.

So let’s go ahead and run git clone with the URL we just copied pasted right after it:

root@kali:/usr/share/nmap/scripts# git clone https://github.com/vulnersCom/nmap-vulners

It’ll take just a couple seconds to download.
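The install-and-fetch steps above, wrapped into one idempotent setup script. This is an added example, not the post’s own code or anything from the nmap-vulners project: it picks the install command from the distribution ID in /etc/os-release (an assumption; the post only names the distributions by hand), skips steps that are already done, and finishes by asking Nmap to show help for the new script directory, which confirms Nmap can find it. The script directory and repository URL are the ones the post uses.

```shell
#!/bin/sh
# Setup helper (example code, not from the original post): installs nmap with the
# package manager the distribution uses and clones nmap-vulners into Nmap's script
# directory, skipping anything that is already in place.
set -eu

SCRIPT_DIR=/usr/share/nmap/scripts                      # where Nmap keeps its NSE scripts
REPO_URL=https://github.com/vulnersCom/nmap-vulners       # repository named in the post

# install_cmd ID: install command for a distribution ID as written in /etc/os-release
# (apt for the Debian family, yum for the Red Hat family); fails for anything else.
install_cmd() {
    case "$1" in
        debian|ubuntu|kali) echo "apt-get install -y nmap" ;;
        rhel|centos|fedora) echo "yum install -y nmap" ;;
        *) return 1 ;;
    esac
}

# distro_id: the ID= value from /etc/os-release, e.g. "kali" (assumes the file exists)
distro_id() {
    sed -n 's/^ID=//p' /etc/os-release | tr -d '"'
}

# ensure_nmap: installs nmap only when it is not already on the PATH
ensure_nmap() {
    if command -v nmap >/dev/null 2>&1; then
        echo "nmap already installed"
        return 0
    fi
    cmd=$(install_cmd "$(distro_id)") || { echo "unsupported distribution" >&2; return 1; }
    $cmd
}

# ensure_vulners: clones nmap-vulners beside the bundled scripts only when it is missing
ensure_vulners() {
    if [ -d "$SCRIPT_DIR/nmap-vulners" ]; then
        echo "nmap-vulners already present"
        return 0
    fi
    git clone "$REPO_URL" "$SCRIPT_DIR/nmap-vulners"
}

# Usage: sh setup-vulners.sh run   (needs root for the install and the clone)
if [ "${1:-}" = "run" ]; then
    ensure_nmap
    ensure_vulners
    nmap --script-help nmap-vulners    # Nmap resolves the directory name, like --script does
fi
```

The final --script-help call is the check worth keeping: if Nmap cannot resolve nmap-vulners at this point, the later scan will silently run without the script, so it is better to find out now than after a long scan.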

Run the script

Now we have our script so let’s go ahead and clear the screen. Next, it’s time to actually run our vulnerability scan using Nmap. The command is just like this:

nmap --script

which tells Nmap “Hey, I want to use a script.”

And that’s going to then look in that script’s directory where we put the one that we just downloaded.

The name of the script is nmap-vulners. Then we add -sV (lowercase s, capital V), because we want Nmap to find the version of each service on the host. After that comes whatever I’m going to scan. This could be a server, a workstation or several, or a whole network, for example at your home or at your business, somewhere you’re allowed to do this type of scanning. It should look like this:

root@kali:/usr/share/nmap/scripts# nmap --script nmap-vulners -sV

Now put in the host you’re scanning, which is 192.168.56.105 for me, and at this point we could run Nmap and it would do the scan.

Create a text file

But it will output all this information into our terminal, which is a little clunky to work with. It’s much easier to have that output in a text file we can search through, so that’s what we’re going to do. Let’s use the greater-than ( > ) character to redirect the output to a file on my root desktop and give it a name like 105-vulners.txt:

root@kali:/usr/share/nmap/scripts# nmap --script nmap-vulners -sV 192.168.56.105 > /root/Desktop/105-vulners.txt

At this point, if we hit Enter, it runs the scan and writes the output to the text file. It looks like this:

(Image: the scan output in the text file)

Reading the output

You’ll notice the target or host I was scanning, 192.168.56.105, and again this can be any of your servers or workstations, the things you want to scan for vulnerabilities. Below that you can see the port and its state: the port number the service runs on, and the state open, meaning that port is open. Then we have a version. It’s very important that we get this version (highlighted above); that’s why we used the -sV option, because we want the service version.

Because there are many different versions of the same service, one version might have a vulnerability that was fixed in a newer release, so we need to know exactly which version we’re dealing with. Now look down at port 22, which is SSH and is running OpenSSH 4.7p1, and you can see where it found possible vulnerabilities in that version.

(Image: vulnerabilities reported by the nmap-vulners script)

Now take a look at what it’s showing here. First, we have a CVE number, an identifier used to track the vulnerability throughout its lifecycle. Then we have a number like 7.5, which is a severity score on a scale where 10 is the most dangerous and 1 is very little risk. And then we have a URL we can go to for additional information about this specific vulnerability.

Personally, I like to start with 7.0 or greater when I’m going through a vulnerability scan report, and work to fix and patch those first because they’re the riskiest, then work my way down. At some point you’ll start to see that the reported vulnerabilities aren’t all really vulnerabilities; they might just be part of the application or system, and you may not need to patch those. But definitely start with your 7.0 and above and get those fixed as soon as you can.
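Once the scan is in a text file, the triage rule above (start at 7.0 and work down) can be applied with a few lines of shell. The following is an added example, not code from the post or from the nmap-vulners project. It assumes the file layout the post shows: a PORT line per service, followed by the script’s indented lines of CVE id, score and URL. The scan file it writes is constructed for the demo; the CVE ids in it are placeholders (CVE-0000-000N), not real findings, and the versions are the ones the post mentions.

```shell
#!/bin/sh
# Triage helper for nmap-vulners output (example code, not from the original post).
# Expected layout of the scan file, as written by: nmap --script nmap-vulners -sV HOST > FILE
#   22/tcp   open  ssh     OpenSSH 4.7p1 ...
#   | vulners:
#   |   cpe:/a:openbsd:openssh:4.7p1:
#   |       CVE-YYYY-NNNN   7.5   https://vulners.com/cve/CVE-YYYY-NNNN
# The script lines are whitespace separated (tabs in real output); awk's default field
# splitting handles both.

# write_sample_scan FILE: writes a constructed scan file for the demo.
# The CVE ids are placeholders, not real vulnerabilities of these versions.
write_sample_scan() {
    cat > "$1" <<'EOF'
Starting Nmap ( https://nmap.org )
Nmap scan report for 192.168.56.105
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.7p1:
|       CVE-0000-0001   7.5   https://vulners.com/cve/CVE-0000-0001
|       CVE-0000-0002   5.0   https://vulners.com/cve/CVE-0000-0002
53/tcp   open  domain  ISC BIND 9.4.2
| vulners:
|   cpe:/a:isc:bind:9.4.2:
|       CVE-0000-0003   8.5   https://vulners.com/cve/CVE-0000-0003
80/tcp   open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| vulners:
|   cpe:/a:apache:http_server:2.2.8:
|       CVE-0000-0004   4.3   https://vulners.com/cve/CVE-0000-0004
EOF
}

# list_findings FILE: one "port service cve score url" row per CVE line, carrying the
# port and service name down from the most recent PORT line so each finding has context.
list_findings() {
    awk '
        /^[0-9]+\/(tcp|udp)[ \t]+open/ { port = $1; service = $3; next }
        $1 == "|" && $2 ~ /^CVE-/ && $3 ~ /^[0-9]+(\.[0-9]+)?$/ {
            printf "%s %s %s %s %s\n", port, service, $2, $3, $4
        }
    ' "$1"
}

# high_risk FILE THRESHOLD: findings scored at or above THRESHOLD, highest score first
high_risk() {
    list_findings "$1" | awk -v min="$2" '$4 + 0 >= min + 0' | sort -k4,4nr
}

# count_high_risk FILE THRESHOLD: how many findings are at or above THRESHOLD
count_high_risk() {
    high_risk "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh triage.sh /root/Desktop/105-vulners.txt 7.0
if [ "$#" -ge 1 ]; then
    high_risk "$1" "${2:-7.0}"
fi
```

Two notes on using this for real. The port and service columns matter because the same CVE id is often listed under several services, and the patch is per service. Also, the post’s > redirection only captures Nmap’s standard output; nmap -oN FILE writes the same normal-format file while leaving warnings on the terminal, and the parser above reads either.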

Patching the vulnerabilities

As we scroll down we see some for DNS; this is on BIND, which is a Linux DNS server. And there might be some for Apache, etc. So again, we identify the version number first, and when you see that there are possible vulnerabilities, to fix them you go to that vendor’s website armed with your version number.

Often, updated versions fix the most common vulnerabilities. If the vendor’s website shows a newer version is available, it’s in your best interest to upgrade. And you did it! Now you know how to scan for vulnerabilities and repair common problems, fast!

For the full video version of this tutorial, see below:
