Testing a network for vulnerabilities.

In most hacking/penetration testing books, besides contracts and agreements, the first step for a hacker is information gathering. This aligns with the Penetration Testing Execution Standard, or ‘PTES.’ While there are many other standards, some of which may be outdated, it’s beneficial to be familiar with one or two.

Many argue that Information Gathering is the most important part of a hack. How can you hack something if you know nothing about it? Questions like how many machines are on a network, what services are running on those machines, and whether these services are unpatched and vulnerable are crucial.

In an actual penetration test, gaining access to the network is necessary to conduct scans, as firewalls and routers can impede any meaningful scans unless you are already part of that network. For simplicity, we will use a ‘hacking lab’ to learn some of the tools used in scanning systems and ports for vulnerabilities. In our hacking lab, we won’t need to bypass firewalls, and our attacking machine will already be a part of the network. We will be focusing on the tool “nmap” as it is very powerful, versatile and widely used.

NOTE: Scanning networks that you do not own, or do not have explicit written permission to scan, may be illegal.

For instance “When used properly, Nmap helps protect your network from invaders. But when used improperly, Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP. Reduce your risk by reading this legal guide before launching Nmap.” – https://nmap.org/book/legal-issues.html


I will be demonstrating the power of Nmap within the scope of VirtualBox, a virtual machine platform where I’ve created a network of isolated, vulnerable systems. Think of VirtualBox as a computer within your computer, allowing you to install operating systems without needing multiple physical machines. For those unfamiliar with setting up a “hacking lab”, check out my tutorial here: https://mad-twash.com/lets-create-a-hacking-lab/. For a more detailed tutorial, I recommend this free resource: Network Chuck’s tutorial. If he tries to sell you a VPN, don’t fall for it. Most people don’t need a VPN and it’s a waste of money. If you want to waste your money, stick it in my waist band!

Nmap, an acronym for ‘Network Mapper,’ is an essential tool in the computer industry, particularly in cybersecurity. Its significance is paramount for professionals who often encounter unfamiliar network structures during penetration testing. The primary utility of Nmap is to reveal these structures, a necessity since having prior knowledge of them would negate the need for such a tool! Beyond mapping network topology, Nmap is adept at inspecting ports and services and can even run scripts.

A crucial consideration for penetration testers is the nature of the test they intend to conduct. In scenarios simulating real-world attacks, the approach must be discreet, focusing on covert scanning and information gathering. Nmap is versatile in this regard, offering capabilities for both covert and overt scanning methods.

Another remarkable feature of Nmap is its compatibility with the Metasploit framework, available on both Kali and Parrot Linux distributions (and it can be installed, or may already be installed, on many other Linux systems). While Nmap can be operated directly from the command line using ‘nmap [flags] [IP address]’, its integration within Metasploit offers significant advantages. When run through Metasploit, Nmap’s findings about a system’s structure and services are automatically stored in Metasploit’s database. This integration is especially beneficial for cybersecurity professionals. By having Nmap’s output readily accessible within the Metasploit framework, which is typically used for exploiting identified vulnerabilities, professionals can streamline their workflow. This eliminates the need for external notes, ensuring that all necessary information is immediately at hand during the testing process.

In this demonstration, we’ll be utilizing Nmap through the Metasploit framework. It’s important to note that the commands and flags applicable in this context are universally compatible with Nmap across various systems. For this demonstration, Parrot OS serves as the operating environment. A critical point for new users of Parrot OS is that the default password post-installation is ‘parrot’. Given that certain Nmap functionalities require root privileges, our first step involves switching to the root user. Following this, we can access Metasploit using the ‘msfconsole’ command, as detailed below.

If you haven’t set up a database yet for metasploit, have a look at this guide, as I’ve not made one yet. The process is simple. https://jamesonhacking.blogspot.com/2018/05/metasploit-database-setup-on-kali.html

To start, use the ‘ifconfig’ command in the console to identify your local network ID. This process varies when addressing a remote network, as penetrating their local network is essential to achieve the access level available in a controlled ‘hacking lab’ setup. In practical penetration testing, indiscriminate scanning of random IP addresses is not advisable without preceding intelligence gathering. Open Source Intelligence (OSINT) is integral in this preparatory phase, offering crucial insights into the target’s personnel, systems, infrastructure, and security protocols. However, it’s important to note that this guide’s focus is on scanner functionalities, not on the exhaustive aspects of conducting a hack.

Prior to deploying Nmap, engaging in OSINT is a standard procedure. Utilizing tools like ‘whois’, ‘Netcraft’, ‘nslookup’, and even strategic Google searches—sometimes humorously termed ‘Google-fu’—is a routine part of this phase. These methods help in pinpointing specific targets within a system. Once the target is identified, Nmap is then employed to scan these machines for vulnerabilities. We will soon explore practical examples of how Nmap is used in this context.

The ‘ifconfig’ command reveals that MY local IP address is 10.0.2.10 (your IP address will most likely vary. That’s OK! For these examples, just use the IP address that ifconfig gives you. Just don’t use the loopback address or the broadcast address.), and our netmask is 255.255.255.0. This information indicates that devices on our network will have IP addresses starting with 10.0.2. In this structure, the last segment of the IP address, ‘.10’ in this case, identifies my computer, also referred to as the ‘host’. The ‘10.0.2’ segment is known as the network portion, signifying that every device on this network, whether it’s a computer, server, or even the router, will have an IP address beginning with 10.0.2. A helpful analogy is to think of the network portion of an IP address as the ‘street address’, and the host portion as the ‘house number’. Now, let’s discover who else is located on our ‘street’, 10.0.2.

We can do this by typing db_nmap -sS <your_local_IPaddress>/24

The -sS flag in Nmap, which I like to refer to as the ‘Shhhhhhhhh! flag,’ is renowned for its speed and efficiency. It initiates a ‘SYN scan,’ characterized by initiating but not completing the ‘three-way handshake’ process. This technical aspect might seem complex, but further details are available at Nmap’s SYN scan documentation. The reason I dub it the ‘Shhhhhhh scan’ is due to its relatively quiet nature. While it’s not entirely silent, it’s discreet enough to be considered close to it in the realm of network scanning.
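The “not entirely silent” remark above is worth seeing from the defender’s side. The following is an added example (not code from the original post) that runs a simple half-open-connection detector over a constructed, simplified traffic summary; the log format (“time src:sport > dst:dport flags”) is invented for this example and is not real tcpdump or firewall output. A SYN scan leaves a distinctive trace: one source sends SYNs to many distinct ports on a host in a short window and never follows any SYN/ACK with an ACK, which is exactly what this function looks for.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified "time src:sport > dst:dport flags" form
# (NOT real tcpdump output): a SYN scan from 10.0.2.10 against 10.0.2.5,
# followed by an ordinary client at 10.0.2.2 completing a handshake to port 22.
# Flags: S = SYN, SA = SYN/ACK, A = ACK, R/RA = RST.
SAMPLE_TRAFFIC = """\
12:00:00.100 10.0.2.10:40001 > 10.0.2.5:21 S
12:00:00.101 10.0.2.5:21 > 10.0.2.10:40001 RA
12:00:00.110 10.0.2.10:40002 > 10.0.2.5:22 S
12:00:00.111 10.0.2.5:22 > 10.0.2.10:40002 SA
12:00:00.112 10.0.2.10:40002 > 10.0.2.5:22 R
12:00:00.120 10.0.2.10:40003 > 10.0.2.5:23 S
12:00:00.121 10.0.2.5:23 > 10.0.2.10:40003 RA
12:00:00.130 10.0.2.10:40004 > 10.0.2.5:25 S
12:00:00.131 10.0.2.5:25 > 10.0.2.10:40004 RA
12:00:00.140 10.0.2.10:40005 > 10.0.2.5:80 S
12:00:00.141 10.0.2.5:80 > 10.0.2.10:40005 RA
12:00:00.150 10.0.2.10:40006 > 10.0.2.5:139 S
12:00:00.151 10.0.2.5:139 > 10.0.2.10:40006 SA
12:00:00.152 10.0.2.10:40006 > 10.0.2.5:139 R
12:00:00.160 10.0.2.10:40007 > 10.0.2.5:445 S
12:00:00.161 10.0.2.5:445 > 10.0.2.10:40007 SA
12:00:00.162 10.0.2.10:40007 > 10.0.2.5:445 R
12:00:05.000 10.0.2.2:51000 > 10.0.2.5:22 S
12:00:05.001 10.0.2.5:22 > 10.0.2.2:51000 SA
12:00:05.002 10.0.2.2:51000 > 10.0.2.5:22 A
"""


def parse_line(line):
    """Split one constructed summary line into its parts."""
    ts, src, _arrow, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t, src_ip, int(src_port), dst_ip, int(dst_port), flags


def detect_syn_scans(text, min_ports=5, window_s=60.0):
    """Flag (src, dst) pairs where src sent SYNs to at least `min_ports` distinct
    ports within `window_s` seconds and never completed a handshake (never sent a
    bare ACK on that port). Each such probe is half-open: the SYN scan's signature."""
    syn_times = defaultdict(dict)  # (src, dst) -> {dst_port: time of first SYN}
    completed = defaultdict(set)   # (src, dst) -> ports on which src later sent an ACK
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, _sport, dst, dport, flags = parse_line(line)
        key = (src, dst)
        if flags == "S":
            syn_times[key].setdefault(dport, t)
        elif flags == "A" and dport in syn_times[key]:
            completed[key].add(dport)

    alerts = []
    for key, ports in syn_times.items():
        probed = {p: t for p, t in ports.items() if p not in completed[key]}
        if len(probed) < min_ports:
            continue  # a handful of half-open connections is normal noise
        span = (max(probed.values()) - min(probed.values())).total_seconds()
        if span <= window_s:
            alerts.append({"src": key[0], "dst": key[1], "probed_ports": sorted(probed)})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_scans(SAMPLE_TRAFFIC):
        print(f"possible SYN scan: {alert['src']} -> {alert['dst']} "
              f"ports {alert['probed_ports']}")
```

The legitimate client at 10.0.2.2 is not flagged because its SYN is followed by an ACK; the scanner is flagged on seven ports in well under a second. The `-T 1` timing mentioned later in the post spreads probes out precisely to slip under a time window like `window_s`, which is why real detections also count probes over longer periods.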

The ‘/24’ notation is directly related to the subnet mask. While the concept might seem complex, it’s helpful to understand a basic correlation. A subnet mask of 255.255.255.0 is equivalent to ‘/24’ in shorthand notation. Similarly, a subnet mask of 255.255.0.0 corresponds to ‘/16’, and a subnet mask of 255.0.0.0 corresponds to ‘/8’. This shorthand notation simplifies the representation of subnet masks, making it easier to understand and communicate network segmentation. The /# notation is known as CIDR.
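To make the mask-to-CIDR correspondence concrete, here is an added example (my own code, not from the original post) that uses Python’s standard `ipaddress` module to turn the address and netmask that ifconfig reported (10.0.2.10 and 255.255.255.0, the post’s values, used here as constructed sample input) into the ‘street’ in CIDR form, and to check whether a candidate address is one you should actually scan: not loopback, not the network or broadcast address, not your own machine, and on the same network. It also generalizes the three masks listed above to any contiguous mask.

```python
import ipaddress

# Constructed values matching the post's lab: the scanner's own address and
# netmask exactly as ifconfig reported them. Substitute your own.
MY_IP = "10.0.2.10"
MY_NETMASK = "255.255.255.0"


def netmask_to_prefix(netmask: str) -> int:
    """Dotted-decimal mask to CIDR prefix length: 255.255.255.0 -> 24, 255.255.0.0 -> 16."""
    # ipaddress rejects non-contiguous masks such as 255.0.255.0, so a typo fails loudly
    # instead of producing a scan range that quietly covers the wrong hosts.
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def describe_network(host_ip: str, netmask: str) -> dict:
    """Work out the 'street' (network portion) and its boundaries from one host's
    address and mask; 'cidr' is the string you would hand to nmap."""
    net = ipaddress.IPv4Interface(f"{host_ip}/{netmask}").network
    return {
        "cidr": str(net),                                  # e.g. 10.0.2.0/24
        "prefixlen": net.prefixlen,
        "network_address": str(net.network_address),      # never a host
        "broadcast_address": str(net.broadcast_address),  # never a host
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def is_scannable_target(candidate: str, host_ip: str, netmask: str) -> bool:
    """Exclude the addresses the post says not to use: loopback, the network and
    broadcast addresses, your own machine, and anything outside your 'street'."""
    addr = ipaddress.IPv4Address(candidate)
    net = ipaddress.IPv4Interface(f"{host_ip}/{netmask}").network
    if addr.is_loopback or addr == ipaddress.IPv4Address(host_ip):
        return False
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        return False
    return True


if __name__ == "__main__":
    info = describe_network(MY_IP, MY_NETMASK)
    print(f"db_nmap -sS {info['cidr']}   # up to {info['usable_hosts']} hosts")
    for mask in ("255.255.255.0", "255.255.0.0", "255.0.0.0"):
        print(f"{mask} -> /{netmask_to_prefix(mask)}")
```

Running it prints the exact `db_nmap -sS 10.0.2.0/24` line used below, along with the /24, /16 and /8 equivalents of the three masks in the text. The point of `is_scannable_target` is that scanning the broadcast address or an address outside your own subnet is how an innocent lab scan ends up touching a network you do not own.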

The output generated by the Nmap command can initially appear overwhelming, but it’s crucial not to be deterred by its complexity. The key pieces of information to focus on include the operating system (OS) of the target, as well as any services or open ports, along with the versions of these services. If the command ‘db_nmap’ was used, Metasploit conveniently stores the scan results in its database. To view a streamlined version of these scan results, simply enter the command ‘services’ within the Metasploit console. This command provides a more digestible overview of the findings, making it easier to interpret and act upon the data.

Based on the provided screenshot, Nmap has detected three hosts on this network. These hosts are represented as simulated or virtual constructs in the network environment. The identified hosts are computers with the IP addresses ending in .1, .2, and .5. It’s important to remember that our network ID is 10.0.2, indicating that every device on this network will share the first three octets of this ID. Therefore, the complete IP addresses of the detected hosts are 10.0.2.1, 10.0.2.2, and 10.0.2.5. These are the only ‘hosts’ that Nmap has identified on the network.

Please note that your results, if you are running the above ‘hacking lab’, will vary. I would be very surprised if your IP addresses were exactly the same as mine, although it is possible.

From the scan results, it’s notable that the machine with the IP address 10.0.2.1 has only one open port, as does the machine at 10.0.2.2. However, the machine at 10.0.2.5 stands out with a significantly higher number of open ports. Given our knowledge that our Metasploitable machine is replete with vulnerabilities, we can infer that 10.0.2.5 is likely its address. Yet, the initial scan did not provide detailed information about the nature of these open ports, specifically regarding the services running on them and their versions.
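The ‘services’ view described a few paragraphs up, and the two conclusions drawn just above (which host has the most open ports, and which ports still lack a version), can be reproduced without Metasploit by parsing Nmap’s “grepable” output (`-oG`). The following is an added example, my own code rather than the post’s or the Nmap project’s: the two scan outputs are constructed samples in the `-oG` layout (`port/state/proto/owner/service/rpcinfo/version/`, tab-separated fields) and mirror the post’s lab, with hosts .1, .2 and .5 and only port 139 versioned by a follow-up `-sV` scan. Merging the second scan into the first is what `db_nmap` does for you in the database.

```python
import re
from collections import defaultdict

# Constructed sample: roughly what `nmap -sS -oG - 10.0.2.0/24` prints for the post's
# lab. Versions are empty because a plain SYN scan does not identify services.
SYN_SCAN = (
    "# Nmap scan initiated as: nmap -sS -oG - 10.0.2.0/24\n"
    "Host: 10.0.2.1 ()\tStatus: Up\n"
    "Host: 10.0.2.1 ()\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)\n"
    "Host: 10.0.2.2 ()\tStatus: Up\n"
    "Host: 10.0.2.2 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)\n"
    "Host: 10.0.2.5 ()\tStatus: Up\n"
    "Host: 10.0.2.5 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//netbios-ssn///, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)\n"
    "# Nmap done\n"
)

# Constructed sample: the follow-up `nmap -sV -p 139 -oG -` against 10.0.2.5,
# carrying the Samba version string the post reports for port 139.
VERSION_SCAN = "Host: 10.0.2.5 ()\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/\n"

PORTS_RE = re.compile(r"^Host: (\S+) \([^)]*\)\tPorts: ([^\t]*)")


def parse_grepable(text, inventory=None):
    """Merge open ports from -oG output into {ip: {(port, proto): record}}.
    Re-scanning a port (for example with -sV) updates its service/version in place,
    much as db_nmap accumulates results in the Metasploit database."""
    inventory = inventory if inventory is not None else defaultdict(dict)
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue  # comment lines, "Status: Up" lines, trailing text
        ip, ports_field = m.group(1), m.group(2)
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state != "open":
                continue  # filtered/closed ports are not exposed services
            inventory[ip][(int(port), proto)] = {"service": service, "version": version}
    return inventory


def exposure_ranking(inventory):
    """Hosts ordered by number of open ports, most exposed first: a quick triage view."""
    return sorted(((ip, len(ports)) for ip, ports in inventory.items()),
                  key=lambda pair: (-pair[1], pair[0]))


def unversioned_ports(inventory):
    """Open ports whose service version is still unknown. Without a version there is
    nothing to look up against vendor advisories, so these are what a -sV scan resolves."""
    return sorted((ip, port) for ip, ports in inventory.items()
                  for (port, _proto), rec in ports.items() if not rec["version"])


def build_inventory():
    """Apply the SYN scan, then overlay the single-port version scan."""
    inv = parse_grepable(SYN_SCAN)
    return parse_grepable(VERSION_SCAN, inv)


if __name__ == "__main__":
    inv = build_inventory()
    for ip, count in exposure_ranking(inv):
        print(f"{ip}: {count} open port(s)")
        for (port, proto), rec in sorted(inv[ip].items()):
            print(f"  {port}/{proto} {rec['service']} {rec['version'] or '(version unknown)'}")
```

With the constructed input, 10.0.2.5 ranks first with three open ports (the filtered 3306 is dropped, since nothing is listening there as far as the scanner can tell), and `unversioned_ports` still lists its 22 and 445 after the port-139 version scan: exactly the gap the post describes before the targeted `-sV` scan below.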

To gain a deeper understanding of the potential vulnerabilities of 10.0.2.5, we could now consider conducting a more targeted scan. One approach could be to identify a possible ‘zombie’ machine within the network to perform an indirect scan against 10.0.2.5. This technique might reveal more detailed information about the services and their versions, thereby helping us to assess possible points of exploitation. You can find a detailed description of this process here: https://mad-twash.com/zombie-scan/

An additional flag that can be utilized in Nmap scans is -PO. This flag instructs Nmap to send raw IP packets to the target, devoid of any extra protocol-specific payloads. In contrast to typical pings, which use the Internet Control Message Protocol (ICMP), the -PO flag’s approach is more minimalistic. By sending these bare IP packets, the -PO flag offers a different method for probing the target system, potentially bypassing certain types of network filters that would typically intercept or respond differently to ICMP traffic. This scan would also be considered covert. However, I doubt that it would give us any more information about the target than we already have.

From the picture above, we get a solid idea of which ports are open. However, we still lack sufficient information about the services running on this machine to determine if there are vulnerabilities. We’ll continue with covert scans, using the -sV flag to stealthily detect the service/version running on a machine. We’ll then use -p to specify which port we want to check, as we already know which ports are open from our previous scan. The -T flag adjusts the timing of the scan from 1-5; the lower the number, the more covert the scan. Finally, -Pn tells Nmap to skip the ‘host discovery phase.’ We already know the host is live, so there’s no need for Nmap to ‘discover’ it again.

Type: db_nmap -sV -p 139 -T 1 -Pn <Target-IP>

Success! You can see that Nmap has discovered that Samba is running on port 139. We can also see the version, which is 3.X - 4.X. We would then Google this information and see if there were any vulnerabilities. Spoiler alert: there are! I’ve done a tutorial already on this particular vulnerability, and you can find it here: https://mad-twash.com/port-139-samba-3-x-4-x-linux-exploit/.

One final flag I’ll mention is the -A scan. This is an aggressive, loud scan (the -A literally stands for Aggressive) that can provide a wealth of information about a computer or network. It’s commonly featured in books and tutorials, but a word of caution: on very large networks, it can take a long time, and it is overt, the opposite of what we want in covert operations. However, it can return a significant amount of information and can be very useful if used correctly.

If you are using Metasploitable 2 to practice these scans, feel free to repeat this process on the other open ports and see what you can find. Do a Google search on the services/versions of these ports and see if you can find any vulnerabilities. It’s a lot of fun!

Check out some of my other blog posts for more tips and tricks!

  • Mad-twash 2023 (ノಠ益ಠ)ノ彡┻━┻