top of page
  • Writer's pictureRohit Panoria

Network Enumeration with Nmap-Part 3: Saving the Results and Service Enumeration.


Saving the Results

Nmap provides various options for saving its scan results. Here are some of the techniques:

  1. Saving to a text file: This is the most common and simple technique to save Nmap scan results. You can use the -oN option followed by the filename and path where you want to save the output in a text file format. For example, nmap -oN scanresult.txt 192.168.1.1.

  2. Saving to a XML file: Nmap can also save scan results in XML format using the -oX option. XML format can be easily processed and parsed by other tools, making it a more flexible option. For example, nmap -oX scanresult.xml 192.168.1.1.

  3. Saving to a grepable file: The -oG option saves scan results in a grepable format. This format can be easily used with other Unix/Linux command-line tools like grep, awk, or sed. For example, nmap -oG scanresult.gnmap 192.168.1.1.

  4. Saving to a scriptable output: Nmap can also save scan results in a scriptable format using the -oS option. This format is useful if you want to parse Nmap output with a script, as it is in a format that can be easily read by scripting languages. For example, nmap -oS scanresult.lst 192.168.1.1.

  5. Saving to a PostgreSQL database: If you want to save scan results to a database, you can use the -oA option to save the output in all the above formats at once. The -oA option is followed by a basename that specifies the name of the output files. For example, nmap -oA scanresult --db postgresql://user:password@localhost/nmap_db 192.168.1.1.

Note that you may need to use sudo or run Nmap as an administrator to have the necessary permissions to save output files or access databases.


Different Formats

While we run various scans, we should always save the results. We can use these later to examine the differences between the different scanning methods we have used. Nmap can save the results in 3 different formats.

  • Normal output (-oN) with the .nmap

  • Grepable output (-oG) with the .gnmap file extension

  • XML output (-oX) with the .xml file extension

We can also specify the option (-oA) to save the results in all formats. The command could look like this:

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.28 -p- -oA target

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 12:14 CEST
Nmap scan report for 10.129.2.28
Host is up (0.0091s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds

Scanning Options

OptionsDescription

10.129.2.28

Scans the specified target.

-p-

Scans all ports.

-oA target

Saves the results in all formats, starting the name of each file with 'target'.

If no full path is given, the results will be stored in the directory we are currently in. Next, we look at the different formats Nmap has created for us.

Rpstark@securesect[/securesect]$ ls

target.gnmap target.xml target.nmap

Normal Output
Rpstark@securesect[/securesect]$ cat target.nmap

# Nmap 7.80 scan initiated Tue Jun 16 12:14:53 2020 as: nmap -p- -oA target 10.129.2.28
Nmap scan report for 10.129.2.28
Host is up (0.053s latency).
Not shown: 4 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

# Nmap done at Tue Jun 16 12:15:03 2020 -- 1 IP address (1 host up) scanned in 10.22 seconds
Grepable Output
Rpstark@securesect[/securesect]$ cat target.gnmap

# Nmap 7.80 scan initiated Tue Jun 16 12:14:53 2020 as: nmap -p- -oA target 10.129.2.28
Host: 10.129.2.28 ()	Status: Up
Host: 10.129.2.28 ()	Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///	Ignored State: closed (4)
# Nmap done at Tue Jun 16 12:14:53 2020 -- 1 IP address (1 host up) scanned in 10.22 seconds
XML Output
Rpstark@securesect[/securesect]$ cat target.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Tue Jun 16 12:14:53 2020 as: nmap -p- -oA target 10.129.2.28 -->
<nmaprun scanner="nmap" args="nmap -p- -oA target 10.129.2.28" start="12145301719" startstr="Tue Jun 16 12:15:03 2020" version="7.80" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="12145301719" endtime="12150323493"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<address addr="DE:AD:00:00:BE:EF" addrtype="mac" vendor="Intel Corporate"/>
<hostnames>
</hostnames>
<ports><extraports state="closed" count="4">
<extrareasons reason="resets" count="4"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
</ports>
<times srtt="52614" rttvar="75640" to="355174"/>
</host>
<runstats><finished time="12150323493" timestr="Tue Jun 16 12:14:53 2020" elapsed="10.22" summary="Nmap done at Tue Jun 16 12:15:03 2020; 1 IP address (1 host up) scanned in 10.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

Style sheets

With the XML output, we can easily create HTML reports that are easy to read, even for non-technical people. This is later very useful for documentation, as it presents our results in a detailed and clear way. To convert the stored results from XML format to HTML, we can use the tool xsltproc.


XML Output
Rpstark@securesect[/securesect]$ xsltproc target.xml -o target.html

If we now open the HTML file in our browser, we see a clear and structured presentation of our results.


Nmap Report

More information about the output formats can be found at: https://nmap.org/book/output.html


Service Enumeration

For us, it is essential to determine the application and its version as accurately as possible. We can use this information to scan for known vulnerabilities and analyze the source code for that version if we find it. An exact version number allows us to search for a more precise exploit that fits the service and the operating system of our target.

Here are some techniques you can use to enumerate services with Nmap:

  1. Default service version detection: Nmap has a default service version detection feature that attempts to identify the versions of the services running on target machines. This feature is enabled by the -sV option. For example, nmap -sV 192.168.1.1.

  2. Aggressive service version detection: If the default service version detection fails to identify the version of a service, you can use the -sV option with the -version-all option to enable the aggressive service version detection. This option is more intrusive and may increase the risk of being detected by security systems. For example, nmap -sV --version-all 192.168.1.1.

  3. Service fingerprinting: Nmap includes a database of known service fingerprints that can be used to identify services based on their unique characteristics. This feature is enabled by the -sF option. For example, nmap -sF 192.168.1.1.

  4. Banner grabbing: Nmap can also grab banners from open ports to identify services running on the target machine. This feature is enabled by the -sV option with the --script banner option. For example, nmap -sV --script banner 192.168.1.1.

  5. Script scanning: Nmap has a scripting engine that can be used to execute custom scripts for service enumeration. This feature is enabled by the -sC option, which runs the default set of scripts, or the -script option, which allows you to specify custom scripts. For example, nmap -sC 192.168.1.1 or nmap --script=ssl-heartbleed 192.168.1.1.

Note that service enumeration with Nmap can be time-consuming and may generate a large amount of network traffic, which may trigger security systems. It's important to use these techniques with caution and only with the appropriate permissions and authorization.


Service Version Detection

It is recommended to perform a quick port scan first, which gives us a small overview of the available ports. This causes significantly less traffic, which is advantageous for us because otherwise we can be discovered and blocked by the security mechanisms. We can deal with these first and run a port scan in the background, which shows all open ports (-p-). We can use the version scan to scan the specific ports for services and their versions (-sV).


A full port scan takes quite a long time. To view the scan status, we can press the [Space Bar] during the scan, which will cause Nmap to show us the scan status.

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.28 -p- -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 19:44 CEST
[Space Bar]
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.64% done; ETC: 19:45 (0:00:53 remaining)

Scanning Options

Description

10.129.2.28

Scans the specified target.

-p-

Scans all ports.

-sV

Performs service version detection on specified ports.

Another option (--stats-every=5s) that we can use is defining how periods of time the status should be shown. Here we can specify the number of seconds (s) or minutes (m), after which we want to get the status.

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.28 -p- -sV --stats-every=5s

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 19:46 CEST
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 13.91% done; ETC: 19:49 (0:00:31 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 39.57% done; ETC: 19:48 (0:00:15 remaining)

Scanning Options

Description

10.129.2.28

Scans the specified target.

-p-

Scans all ports.

-sV

Performs service version detection on specified ports.

--stats-every=5s

Shows the progress of the scan every 5 seconds.

We can also increase the verbosity level (-v / -vv), which will show us the open ports directly when Nmap detects them.

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.28 -p- -sV -v 

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 20:03 CEST
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 20:03
Scanning 10.129.2.28 [1 port]
Completed ARP Ping Scan at 20:03, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:03
Completed Parallel DNS resolution of 1 host. at 20:03, 0.02s elapsed
Initiating SYN Stealth Scan at 20:03
Scanning 10.129.2.28 [65535 ports]
Discovered open port 995/tcp on 10.129.2.28
Discovered open port 80/tcp on 10.129.2.28
Discovered open port 993/tcp on 10.129.2.28
Discovered open port 143/tcp on 10.129.2.28
Discovered open port 25/tcp on 10.129.2.28
Discovered open port 110/tcp on 10.129.2.28
Discovered open port 22/tcp on 10.129.2.28
<SNIP>

Scanning Options

Description

10.129.2.28

Scans the specified target.

-p-

Scans all ports.

-sV

Performs service version detection on specified ports.

-v

Increases the verbosity of the scan, which displays more detailed information.

Banner Grabbing

Once the scan is complete, we will see all TCP ports with the corresponding service and their versions that are active on the system.

Rpstark@securesect[/htb]$ sudo nmap 10.129.2.28 -p- -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 20:00 CEST
Nmap scan report for 10.129.2.28
Host is up (0.013s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp filtered netbios-ssn
143/tcp open imap Dovecot imapd (Ubuntu)
445/tcp filtered microsoft-ds
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
995/tcp open ssl/pop3 Dovecot pop3d
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Service Info: Host: inlane; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.73 seconds

Scanning Options

Description

10.129.2.28

Scans the specified target.

-p-

Scans all ports.

-sV

Performs service version detection on specified ports.

Primarily, Nmap looks at the banners of the scanned ports and prints them out. If it cannot identify versions through the banners, Nmap attempts to identify them through a signature-based matching system, but this significantly increases the scan's duration. One disadvantage to Nmap's presented results is that the automatic scan can miss some information because sometimes Nmap does not know how to handle it. Let us look at an example of this.

Rpstark@securesect[/htb]$ sudo nmap 10.129.2.28 -p- -sV -Pn -n --disable-arp-ping --packet-trace

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 20:10 CEST
<SNIP>
NSOCK INFO [0.4200s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.129.2.28:25] (35 bytes): 220 inlane ESMTP Postfix (Ubuntu)..
Service scan match (Probe NULL matched with NULL line 3104): 10.129.2.28:25 is smtp. Version: |Postfix smtpd|||
NSOCK INFO [0.4200s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Nmap scan report for 10.129.2.28
Host is up (0.076s latency).

PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Service Info: Host: inlane

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Scanning Options

Description

10.129.2.28

Scans the specified target.

-p-

Scans all ports.

-sV

Performs service version detection on specified ports.

-Pn

Disables ICMP Echo requests.

-n

Disables DNS resolution.

--disable-arp-ping

Disables ARP ping.

--packet-trace

Shows all packets sent and received.

If we look at the results from Nmap, we can see the port's status, service name, and hostname. Nevertheless, let us look at this line here:

NSOCK INFO [0.4200s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.129.2.28:25] (35 bytes): 220 inlane ESMTP Postfix (Ubuntu)..

Then we see that the SMTP server on our target gave us more information than Nmap showed us. Because here, we see that it is the Linux distribution Ubuntu. It happens because, after a successful three-way handshake, the server often sends a banner for identification. This serves to let the client know which service it is working with. At the network level, this happens with a PSH flag in the TCP header. However, it can happen that some services do not immediately provide such information. It is also possible to remove or manipulate the banners from the respective services. If we manually connect to the SMTP server using nc, grab the banner, and intercept the network traffic using tcpdump, we can see what Nmap did not show us.


Tcpdump
Rpstark@securesect[/htb]$ sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Nc
Rpstark@securesect[/htb]$ nc -nv 10.129.2.28 25

Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)

Tcpdump - Intercepted Traffic
18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0

The first three lines show us the three-way handshake.

1. [SYN] 18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], <SNIP>

2. [SYN-ACK] 18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], <SNIP>

3. [ACK] 18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], <SNIP>


After that, the target SMTP server sends us a TCP packet with the PSH and ACK flags, where PSH states that the target server is sending data to us and with ACK simultaneously informs us that all required data has been sent.

4. [PSH-ACK] 18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], <SNIP>


The last TCP packet that we sent confirms the receipt of the data with an ACK.


5. [ACK] 18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], <SNIP>



For the Fourth Part: Network Enumeration with Nmap-Part 4: Nmap Scripting, Performance and Firewall and IDS/IPS Evasion. Please refer to below link:


Please follow us! We respect your knowledge and ideas. Please feel free to contact us at securesect@outlook.com, Our team stands ready to make corrections and enhancements. Rohit Panoria @Security Researcher and Consultant References:



24 views0 comments

Comments


bottom of page