Vulnerability Management with Nmap and Netdiscover

Nmap is a network scanning tool often used for vulnerability management. It can discover hosts and services on subnets accessible by the scanner. Through Nmap, vulnerability researchers and auditors can assess system vulnerabilities within a corporate environment and formulate remediation plans. This article looks at Nmap commands and explains their usages and differences.

Part 1: Host Discovery with Nmap

nmap -sn 10.10.1.0/24

Using the above command, we can find out which hosts are up and running on a subnet. In this example, we found that there are 5 hosts within the 10.10.1.0/24 network.

nmap -sn: perform a ping scan and disable port scanning

Part 2: Host Discovery with Netdiscover

netdiscover -i eth0 -r 10.10.0.0/16

What if you do not know what subnets are available? If you are not sure which hosts to scan, you can use netdiscover to scan for all hosts reachable by your machine. The IP address and MAC address of each discovered host will be shown.

netdiscover -r: scan a given range instead of auto scan

Part 3: Port Discovery with Nmap

nmap -sS 10.10.1.0/24

With the “-sS” option, nmap performs port discovery using a TCP SYN scan. Apart from the IP address of each host, you can find out which ports are open in the current environment.

nmap -sS: probe open ports

Part 4: Service Discovery (with version) with Nmap

nmap -sV 10.10.1.0/24

With the “-sV” option specified, Nmap will look for open ports and detect the version of the software running on hosts within the specified subnet. In this example, like the port discovery option (-sS), we can find that services including FTP (21), SSH (22), Telnet (23), MySQL (3306), PostgreSQL (5432) etc. are currently open. However, notice that with the service discovery option Nmap also reports the full software name and version. This option usually takes significantly more time to complete than the port discovery option (-sS).

nmap -sV: probe open ports and find out service names and versions
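The point of the -sV step for vulnerability management is the inventory it produces. As an added example (not part of the original article), the script below parses Nmap's XML output (produced with -oX) into a per-host list of open services and flags two things a remediation plan needs: cleartext protocols such as FTP and Telnet, and open ports whose version -sV could not identify. The XML is a constructed sample shaped like Nmap's -oX output, not real scan data.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX out.xml 10.10.1.0/24` output (not real scan data).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 10.10.1.0/24">
<host><status state="up"/><address addr="10.10.1.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2p2"/></port>
<port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
</ports></host>
<host><status state="up"/><address addr="10.10.1.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.5.62"/></port>
<port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql"/></port>
</ports></host>
<host><status state="down"/><address addr="10.10.1.9" addrtype="ipv4"/></host>
</nmaprun>"""

# Services that carry credentials in cleartext; flagged for the remediation plan.
CLEARTEXT_SERVICES = {"ftp", "telnet"}

def parse_inventory(xml_text):
    """Map each live host's IPv4 address to its open ports with service name, product, version."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # host did not answer discovery; nothing to inventory
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not running services
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            entries.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                            "name": attrs.get("name", ""), "product": attrs.get("product", ""),
                            "version": attrs.get("version", "")})
        inventory[addr.get("addr")] = entries
    return inventory

def remediation_findings(inventory):
    """List (ip, port, reason) for cleartext services and for ports -sV could not version."""
    findings = []
    for ip, entries in sorted(inventory.items()):
        for e in entries:
            if e["name"] in CLEARTEXT_SERVICES:
                findings.append((ip, e["port"], "cleartext protocol " + e["name"]))
            if not e["version"]:
                findings.append((ip, e["port"], "version not identified, verify manually"))
    return findings
```

Run `parse_inventory` on the contents of a real -oX file to get the same structure for your own subnet; the filtered Telnet port and the down host are deliberately excluded so the findings cover only live, reachable services.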

Part 5: Comprehensive Host Scanning with Nmap

nmap -A 10.10.1.0/24

With the “-A” option specified, Nmap will perform OS detection, version detection, script scanning and traceroute. Compared to the service discovery option, additional information will be discovered, including NetBIOS details and SSL certificate validity. Like the service discovery option (-sV), this option usually takes significantly more time to complete.

nmap -A: perform OS detection, version detection, script scanning and traceroute

Part 6: Bypass IDS / IPS by Fragmenting Nmap Packets

nmap -f 10.10.1.0

Nmap can be detected by IDS / IPS due to its network scanning behaviour. With the option “-f”, we can tell nmap to fragment a large packet into smaller ones for sending over the corporate network. It is more difficult for an IPS to detect network scanning activity when packets are fragmented and sent at a slower rate.

nmap -f: perform a fragscan to avoid detection by IPS/IDS