Network scanning is an essential activity for security professionals, network administrators, and penetration testers. One of the most powerful tools for this purpose is Nmap (Network Mapper). Nmap is a free and open-source tool used to discover hosts and services on a computer network. It is widely used for network inventory, managing service upgrade schedules, and monitoring host or service uptime. In this guide, we will explain in detail how to perform network scanning using Nmap on Termux, an Android-based terminal emulator that brings a Linux environment to your mobile device. The process involves installing and configuring Nmap on Termux and using its various options for effective network scanning.
Before diving into its usage, it's essential to understand what Nmap is and why it is valuable for network scanning.
Nmap is a versatile tool primarily used for:
Nmap’s primary features include:
How Does Nmap Work?
Nmap works by sending specially crafted packets to a target and analyzing the responses. By analyzing how different operating systems, services, and firewalls react to these packets, Nmap deduces useful information such as:
To run Nmap on Termux, you need to set up a suitable environment, including installing Termux itself, updating its repositories, and installing Nmap.
In Termux, update the package index and upgrade the packages already installed before pulling in Nmap, so you get the current build together with its dependencies.
Update Package Repositories: To ensure you have the latest versions of available packages, you need to update the Termux package repositories by running the following command:
pkg update
pkg upgrade
Install Nmap: Now that your repositories are updated, you can install Nmap directly from Termux’s package manager:
pkg install nmap
This command installs Nmap along with its dependencies.
Confirm Installation: To check if Nmap was successfully installed, type the following command:
nmap --version
You should see version information for Nmap, confirming that the tool is installed.
Now that you have Nmap installed, let’s dive into some basic usage examples.
You can use Nmap to quickly check which devices are online on a given network. This is also known as "Ping Scan."
Ping Scan Command: To discover which devices are alive on your network, use the following command:
nmap -sn <target IP range>
For example:
nmap -sn 192.168.1.0/24
Here, the -sn flag tells Nmap to skip port scanning and do host discovery only (a "ping scan"). Run as root, that means ICMP Echo Request and Timestamp probes plus TCP SYN/ACK probes to ports 443 and 80 (or ARP requests on the local Ethernet segment). On an unrooted Termux install Nmap has no raw-socket access, so it falls back to TCP connect() probes to ports 80 and 443 and will miss hosts that answer neither. 192.168.1.0/24 is the target subnet: the /24 means the first 24 bits are the network prefix, so the range covers 192.168.1.0 through 192.168.1.255 (256 addresses).
This command lists every host in the specified range that answered a probe.
Nmap’s main function is port scanning. It sends packets to a target machine on specific ports to check if they are open. By identifying open ports, you can discover services that might be vulnerable.
Scan for Open Ports: To perform a basic port scan and identify which ports are open on a target machine, run:
nmap <target IP>
For example:
nmap 192.168.1.10
This command scans the 1,000 most common TCP ports of the target IP. As root, Nmap uses a SYN scan by default; on an unrooted Termux device it has to fall back to a TCP connect() scan (-sT), which completes the three-way handshake and therefore appears in the target's connection logs. The results show each open port with the service name Nmap associates with that port number (the name comes from Nmap's port table, not from probing the service; see -sV below).
Scan Specific Ports:
If you’re interested in scanning specific ports, you can use the -p option followed by a comma-separated list of port numbers (ranges such as 1-1024 are accepted too):
nmap -p 22,80,443 192.168.1.10
This command scans ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).
Scan All Ports: To scan all 65,535 TCP ports, you can use:
nmap -p- 192.168.1.10
This scan is more exhaustive but will take longer.
One of Nmap’s most useful features is its ability to identify the version of services running on open ports. This can be useful for detecting vulnerabilities associated with specific versions of services.
Service Version Detection:
Use the -sV option to attempt to detect the version of services running on the open ports:
nmap -sV 192.168.1.10
This sends service-specific probes to each open port and matches the replies against Nmap's signature database, showing the product and version (like Apache, MySQL, etc.) behind each port. It needs no special privileges, so it works on an unrooted Termux install.
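The host-discovery, port-scan and version-detection commands above all produce output that is much easier to work with in Nmap's grepable form (-oG). The script below is an added example, not part of the original guide: it parses grepable output into plain host and port lists and chains discovery with a version scan of only the hosts that are up. The embedded sample is constructed to mirror the -oG format; its addresses, ports and version strings are illustrative, not results of a real scan.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): turn Nmap's grepable output
# into plain host and port lists. Termux rewrites the shebang to its own bash.

# Write a constructed -oG sample to the file named in $1. The addresses,
# ports and version strings are illustrative, not from a real scan.
write_sample() {
  {
    printf '# Nmap 7.95 scan initiated as: nmap -sV -oG - 192.168.1.0/24\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain//dnsmasq 2.90/, 80/open/tcp//http//lighttpd 1.4.76/\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1 Ubuntu 3ubuntu13/, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds\n'
  } > "$1"
}

# One IP per line for every host Nmap reported as up (works on -sn output too).
live_hosts() {
  awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1"
}

# "host port/proto service version" for each open port. A grepable port entry
# is port/state/proto/owner/service/rpc/version/ and Nmap writes "|" instead
# of "/" inside the version field, so splitting on "/" is safe.
open_ports() {
  awk '
    $1 == "Host:" && /Ports: / {
      host = $2
      line = $0
      sub(/^.*Ports: /, "", line)   # keep only the port list
      sub(/\t.*$/, "", line)        # drop "Ignored State:" and later fields
      n = split(line, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
      }
    }' "$1"
}

# Discover live hosts first, then version-scan only those. -sn, -sT and -sV
# all work without root, so this runs on an unrooted Termux device.
scan_subnet() {
  local subnet="$1" out="${2:-scan.gnmap}"
  nmap -sn -oG - "$subnet" | awk '$1 == "Host:" && /Status: Up/ { print $2 }' > live.txt
  nmap -sV -iL live.txt -oG "$out" > /dev/null
  open_ports "$out"
}
```

Typical use is `scan_subnet 192.168.1.0/24`, which leaves live.txt and scan.gnmap behind for later reference; the filtered 443/tcp entry in the sample is deliberately excluded by open_ports because only the state field decides.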
Nmap can also determine the operating system of a remote machine based on its network response patterns. This is done through the -O option.
OS Detection:
nmap -O 192.168.1.10
The output will provide a guess of the operating system running on the target machine, which can help you tailor further attacks or defenses. OS fingerprinting needs raw packets, so on an unrooted Termux device -O exits with a privilege error instead of scanning; for a reliable fingerprint Nmap also wants at least one open and one closed TCP port on the target.
The Nmap Scripting Engine (NSE) allows you to run pre-built scripts to automate common tasks like vulnerability scanning, service detection, and even exploitation.
Running Nmap Scripts:
To run an NSE script, use the --script option followed by the script’s name. For example, to enumerate the TLS cipher suites a server accepts and have Nmap grade their strength, use:
nmap --script ssl-enum-ciphers 192.168.1.10
There are hundreds of scripts available, and you can explore them by browsing the Nmap script directory. On Termux that is $PREFIX/share/nmap/scripts (normally /data/data/com.termux/files/usr/share/nmap/scripts); on a regular Linux system it is /usr/share/nmap/scripts. You can also pass a category name such as safe or vuln to --script, and nmap --script-help <name-or-category> prints the description of each matching script.
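To locate the script directory on Termux and list the scripts that belong to a category, the shell functions below are an added example, not code from the original guide or from the Nmap project. They rely on the fact that every NSE script declares its categories in a Lua table on a `categories = {...}` line. The demo-*.nse files created by make_demo_scripts are constructed stand-ins with invented names so the filter can be tried offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): find the NSE script directory
# on Termux and list the scripts that belong to a category.

# Termux installs everything under $PREFIX (normally
# /data/data/com.termux/files/usr); on a regular Linux box PREFIX is unset
# and Nmap's scripts live in /usr/share/nmap/scripts.
nse_script_dir() {
  printf '%s\n' "${PREFIX:-/usr}/share/nmap/scripts"
}

# Usage: nse_scripts_in_category <category> [dir]
# Every NSE script declares its categories in a Lua table on one line, e.g.
#   categories = {"default", "safe"}
# so matching that line is enough to filter by category, no Lua needed.
nse_scripts_in_category() {
  local category="$1" dir="${2:-$(nse_script_dir)}" f b
  for f in "$dir"/*.nse; do
    [ -f "$f" ] || continue
    if grep -q "^categories *= *{[^}]*\"$category\"" "$f"; then
      b="${f##*/}"
      printf '%s\n' "${b%.nse}"
    fi
  done | sort
}

# Create constructed stand-in scripts (invented names, header lines only) in
# the directory named in $1, so the category filter can be exercised offline.
make_demo_scripts() {
  printf 'description = "demo"\ncategories = {"default", "safe", "discovery"}\n' > "$1/demo-enum.nse"
  printf 'description = "demo"\ncategories = { "vuln", "intrusive" }\n' > "$1/demo-vuln.nse"
  printf 'description = "demo"\ncategories = {"safe"}\n' > "$1/demo-banner.nse"
}
```

`nse_scripts_in_category safe` shows what `nmap --script safe <target>` would run against the real script directory; use it to review a category before pointing it at a host, since categories such as intrusive and exploit are not harmless.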
Nmap allows you to scan multiple hosts or an entire range of IP addresses. This is especially useful when auditing larger networks.
Scan a Range of IPs:
nmap 192.168.1.1-20
This scans IP addresses from 192.168.1.1 to 192.168.1.20.
Scan a Subnet:
nmap 192.168.1.0/24
This scans the entire 192.168.1.x network.
While the basics of Nmap can be sufficient for general network scanning, there are several advanced techniques that can be used for more targeted penetration testing or troubleshooting.
A SYN scan, often called a stealth scan, sends a SYN packet (the first step of the TCP handshake) to each port and reads the reply without ever completing the handshake. The "stealth" label dates from when this kept the scan out of application logs, since the service behind the port never sees a connection; it does not hide the scan from an intrusion detection system (IDS), which sees the half-open probes just as clearly.
nmap -sS 192.168.1.10
This sends SYN packets to the ports and waits for SYN/ACK (open) or RST (closed), then drops the half-open connection with a RST. Crafting those packets needs raw sockets, so -sS works only as root; on an unrooted Termux device Nmap refuses with a privilege error and you must use the connect() scan (-sT) instead.
If you’re scanning a large network and want to control the speed of your scan, use the -T option for timing control.
nmap -T4 192.168.1.0/24
The -T4 setting ("aggressive") shortens timeouts and sends probes faster, which is the usual choice on a reliable LAN but is also noisier and more likely to be flagged by an IDS; -T5 is faster still at the cost of accuracy on slow or lossy links.
Sometimes, firewalls or IDS sensors block or flag common Nmap scanning techniques. Nmap has options intended to get probes past such filters, such as fragmenting packets or using a different scan type.
nmap -f 192.168.1.10
This option splits each probe's TCP header across several small IP fragments, so a filter that only inspects the first fragment, or does not reassemble fragments at all, cannot see the port fields it would match on. It needs raw sockets (root) and is not a reliable bypass: many hosts and firewalls reassemble or simply drop fragmented packets.
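The three techniques in this section (-sS, -O, -f) all need raw sockets, which an unrooted Termux install does not have, and Nmap exits with an error rather than silently downgrading. The wrapper below is an added example, not from the original guide: it substitutes the unprivileged equivalent where one exists (-sT for -sS) and drops the options that have none. The uid argument to build_nmap_args is there only so the decision can be exercised without being root.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): request raw-socket scan types
# (-sS, -O, -f) only when Nmap actually has the privileges for them.

# Returns 0 when raw packet scans are possible (uid 0). The uid is passed in
# so the decision can be tested without being root; it defaults to id -u.
can_use_raw_sockets() {
  [ "${1:-$(id -u)}" -eq 0 ]
}

# Usage: build_nmap_args <uid> <nmap options...>
# Prints the options to use: -sS becomes -sT when unprivileged, and -O / -f
# are dropped with a note on stderr because they have no unprivileged form.
build_nmap_args() {
  local uid="$1"; shift
  local args="" opt
  for opt in "$@"; do
    case "$opt" in
      -sS)
        if can_use_raw_sockets "$uid"; then args="$args -sS"; else args="$args -sT"; fi ;;
      -O|-f)
        if can_use_raw_sockets "$uid"; then args="$args $opt"; else echo "skipping $opt: needs root" >&2; fi ;;
      *)
        args="$args $opt" ;;
    esac
  done
  printf '%s\n' "${args# }"
}

# Usage: privilege_aware_scan <target> <nmap options...>
privilege_aware_scan() {
  local target="$1"; shift
  # Word-splitting of the option string is intended here.
  # shellcheck disable=SC2046
  nmap $(build_nmap_args "$(id -u)" "$@") "$target"
}
```

On a rooted device (or under `tsu`) `privilege_aware_scan 192.168.1.10 -sS -O -T4` runs exactly as written; on an unrooted one it becomes `nmap -sT -T4 192.168.1.10` with a note about the dropped -O.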
Using Nmap on Termux allows you to perform powerful network scanning and penetration testing directly from your mobile device. By following the steps outlined in this guide, you can discover devices, open ports, and potential vulnerabilities on your network, all from the convenience of your phone.
Network scanning with Nmap on Termux provides great flexibility and portability for security professionals and penetration testers, enabling them to quickly assess the security posture of a network or system. However, as with all penetration testing tools, be sure to use Nmap responsibly and always obtain proper authorization before scanning any network or system. Unauthorized scanning and penetration testing can be illegal and result in severe consequences.