7 Essential Nmap Commands to Use for Pen Testing

Kali is a beast. The Linux pentesting distro comes preloaded with hundreds tools for exploration, enumeration and exploitation. Although it can be overwhelming to learn all of them, there are a few you will keep coming back for as you improve your pentesting skills. These top tools were covered in a previous post. You can find them all over these cybersecurity courses. Today, we’re going deep into the top of these top tools, the pentester’s Swiss Army knife, Nmap.
This open-source network scanner is able to do everything, from host discovery to port poking and OS detection. It is also extensible, so anyone can add ons to it using the Nmap scripting engine. These things can be combined to make it super easy to script scan a LAN for Windows servers running unpatched SMB versions. It’s easy to get a list of these machines by running one command. Vulnerable SMB is the lowest-hanging fruit for SYSTEM access to Windows servers. A domain admin will be a quick and easy option for a skilled pentester.
This is only the beginning of Nmap’s power. It was even used by Trinity in this scene from The Matrix Reloaded. You can see the end Nmap’s output at four seconds. It shows a machine running SSH on open port 22. Although the “sshnuke exploit” is Hollywood shenanigans it is based entirely on real pentesting methodologies. The one line that says “Attempting to exploit SSHv1CRC32” is based upon a buffer overflow that can provide remote command execution.
Presumably, she used Nmap to locate machines that had port 22 open and were running vulnerable versions of the SSH servers. Sshnuke then connects via SSH to, exploits the vulnerability to get remote code execution and runs the passwd command for changing the root password to Z10N0101 (nice touch there with that password). For the benefit of all viewers, add some dramatic music and a flashing message indicating “ACCESS GRANTED”, and you’re done. All that’s left to do is connect via SSH and log in as root. Nmap is the reason.
Learn how to become a security expert with SPOTO’s Cybersecurity Training
Start training. You won’t likely be destroying power plants in a simulation for humanity anytime soon. Let’s now look at how you can and will use Nmap every day in your less exciting pentesting operations.
Kali & Stapler to Enumerate Nmap Targets
We’ll be using a boot-to root image called Stapler to help us explore some of the uses of Nmap. As you may recall from a recent article boot-to-root images can be virtual machines that have been prebuilt with system services and other installed software and configured to look like real-world servers. They are vulnerable to hacking, but they serve as an exercise in pentesting skills in a controlled, safe environment.
Download the image for this article and Stapler. Then, fire it up in your preferred virtualization platform with Kali. Follow the same process as the previous article to find Stapler’s IP on your virtual network using (surprising suprise!) Nmap and the “-sn” flag to ping all subnets for live hosts.
Stapler has many open ports. This means that there are many services we can enumerate using Nmap. Enumeration is essential for any pentest exercise or engagement. Insufficient enumeration can lead to wasted hours.
Before you can create a plan of attack, you must first explore every port.
1. Basic Nmap scan
The basic Nmap runs it without any flags and only the IP of the machine being tested.
[email protected]:# Nmap Starting Nmap 7.80 ( https://nmap.org) at 2020-02-20 17.00 ESTNmap scan report to up (0.00030s latency).

Author: Victoria