Browsing through the many tools a good pen tester needs, nearly all of them refer back to Nmap. This isn't surprising: at its core, Nmap is about gathering intelligence on a target, such as which ports are open and which services are listening on them, and how aggressive any firewall protecting it may be.

While the nmap.org website itself does, I believe, offer a disk image that installs Nmap along with its easier-to-use GUI front-end, Zenmap, I'm looking to use the tools in their most useful form, so I installed Nmap from the command line. I did however use Homebrew to install it, which I mentioned in my Setting Up blog post, to streamline the process by also grabbing any dependencies a program needs.

This meant I was up and running with Nmap in minutes and able to run an initial scan relatively quickly to see what its output would be. I also had a read of the Nmap reference guide, which lists the arguments Nmap accepts, but with the mass of information this provides I think it is more effective to learn by actually putting it into practice.

My plan for learning Nmap is to run old, out-of-date operating systems in VirtualBox and use those to build up my knowledge of spotting and investigating vulnerabilities, but for my initial learning I've scanned various devices on my home network to get used to the features and syntax Nmap uses. The first device I scanned was the AirPort Extreme that is my home router.

Nmap Initial Scan

This initial scan gives basic-level output such as the open ports and services and the device's MAC address (I've erased this in the image). At this basic level Nmap is quite easy to understand, showing which ports are open on a device, the protocol they use, and the service they're running. Note that with no port argument Nmap probes only its list of the 1,000 most common TCP ports, so a port that isn't listed may simply not have been probed (-p- scans all 65,535). With no other arguments this output is quite bare-bones, with almost no information about what Nmap actually did to find it. The verbosity argument (-v) gives a greater output on what Nmap has actually done to find the information. Combining -v with -O for operating system detection provided a more detailed output of the steps Nmap took to detect the OS running on my AirPort Extreme.

Nmap Verbose OS Scan

Once I had these initial steps done I thought I'd use Nmap in conjunction with one of the scripts in its Nmap Scripting Engine (NSE) library to check for a vulnerability. A common one which many systems are still affected by is Heartbleed (CVE-2014-0160), and Nmap ships a script for it, ssl-heartbleed. I thought I'd check to make sure my website host (Siteground) had remedied any Heartbleed vulnerability. After running the built-in Nmap Heartbleed script I found that all SSL services were not vulnerable, so I can rest easy that my host has fully updated (perhaps a refund would be a good idea if they hadn't updated after this much time).
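Reading the output is most of the work in both the basic and -O scans above and in the script scan here. As an added example (my code, not from the original post or from the Nmap project), below is a small Python parser for Nmap's XML output (nmap ... -oX scan.xml) that pulls out the same facts the screenshots show: open ports and their services, the best OS match, and per-port ssl-heartbleed results. The XML it runs on is constructed to look like real output; the addresses, MAC, OS match names and the lab VM at 192.168.56.101 are invented.

```python
"""Pull open ports, the best OS match and ssl-heartbleed results out of
Nmap XML output (nmap ... -oX scan.xml).  Added example, not code from the
post or from Nmap; the XML below is constructed to look like real output."""
import xml.etree.ElementTree as ET

# Constructed sample, shaped like what
#   nmap -sV -O --script ssl-heartbleed -oX scan.xml 192.168.1.1 192.168.56.101
# would write.  Hosts, MAC, services and OS matches are invented.  Note the
# router's 443 carries no <script> element: the vulns library is silent for
# services it finds not vulnerable unless --script-args vulns.showall=1 is set.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O --script ssl-heartbleed -oX scan.xml">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="53">
        <state state="open" reason="syn-ack"/>
        <service name="domain" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="5009">
        <state state="closed" reason="reset"/>
        <service name="airport-admin" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Apple AirPort Extreme WAP" accuracy="94"/>
      <osmatch name="NetBSD 4.99" accuracy="90"/>
    </os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" method="table" conf="3"/>
        <script id="ssl-heartbleed" output="&#xa;  VULNERABLE:&#xa;  The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.&#xa;    State: VULNERABLE&#xa;    Risk factor: High&#xa;"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="97"/>
    </os>
  </host>
</nmaprun>
"""


def script_state(output):
    """Return the 'State:' value from vulns-library script output
    ('VULNERABLE', 'NOT VULNERABLE', ...), or None if there is no such line.
    Reading the State line avoids the trap that 'NOT VULNERABLE' also
    contains the substring 'VULNERABLE'."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("State:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_nmap_xml(xml_text):
    """Return one dict per <host>: ipv4, mac, open ports, best OS match,
    and per-port script states keyed by (port, script id)."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        info = {"ipv4": None, "mac": None, "open_ports": [],
                "os": None, "scripts": {}}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                info["ipv4"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                info["mac"] = addr.get("addr")
        for port in host.iterfind("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are reported but not listening
            portid = int(port.get("portid"))
            service = port.find("service")
            info["open_ports"].append(
                (portid, port.get("protocol"),
                 service.get("name") if service is not None else None))
            for script in port.findall("script"):
                key = (portid, script.get("id"))
                info["scripts"][key] = script_state(script.get("output", ""))
        # -O can return several guesses; keep the highest-accuracy one
        matches = [(m.get("name"), int(m.get("accuracy")))
                   for m in host.iterfind("os/osmatch")]
        if matches:
            info["os"] = max(matches, key=lambda m: m[1])
        hosts.append(info)
    return hosts


def heartbleed_verdict(host):
    """Summarise ssl-heartbleed for one host.  Absence of a result is not
    proof of safety: by default the script says nothing about services it
    finds not vulnerable, so keep 'no finding' apart from 'NOT VULNERABLE'."""
    states = [state for (port, sid), state in host["scripts"].items()
              if sid == "ssl-heartbleed"]
    if "VULNERABLE" in states:
        return "VULNERABLE"
    if "NOT VULNERABLE" in states:
        return "NOT VULNERABLE"
    return "no ssl-heartbleed finding"


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["ipv4"], h["mac"] or "(no MAC)", "OS guess:", h["os"])
        for port, proto, name in h["open_ports"]:
            print(f"  {port}/{proto} open  {name}")
        print("  Heartbleed:", heartbleed_verdict(h))
```

Running it against a real scan is just a matter of adding -oX to the command you already use and pointing parse_nmap_xml at the file; the only real choice in the code is treating a missing script result as "no finding" rather than "safe", which matters when a scan is later used as evidence that a host was patched.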

Overall I've found that Nmap can initially seem daunting, but after taking the time to understand the structure of its arguments and what the output it produces actually means, it does not seem as intimidating. That said, I know I have only scratched the surface of Nmap, and as I use it to do far more in-depth analysis I may find the difficulty far greater.