Getting Started

Learn the basic penetration testing terminology and the steps taken by attackers to access a system.

This course is a deep dive into Network Mapper (Nmap). Nmap is a cybersecurity tool that helps us map an entire network of computers and gather data on individual devices on the network.

Intended audience and prerequisites

Since this is a topic on cybersecurity, some basic networking knowledge is preferred. This doesn’t mean that a mastery of networking jargon is required; knowledge of how computers talk to each other in a network (or the internet) should be sufficient.

Learning outcomes

Let’s see what we’ll learn by the end of the course.

  • Knowledge of ports, protocols, and how they work together to establish a communication channel

  • Using Nmap flags to obtain detailed information about the server

  • Using Nmap in stealth mode to evade detection (there’s a type called paranoid scan!)

  • Using the aggressive scan mode to get detailed results

  • Advanced scans like NULL, FIN, and Xmas

  • Detecting operating systems, software, and services

  • Spoofing IP addresses to evade further detection

  • Using the Nmap Scripting Engine to discover vulnerabilities

  • Writing a simple port scanner using Python (bonus)

Terminology

Hacker and cracker: Contrary to popular belief, the term “hacker” refers to someone who enjoys solving hard problems. The official name for the bad guys is “cracker.”

Penetration testing: This involves attacking systems (with permission) to understand and fix vulnerabilities. This is also called a cybersecurity audit or pen testing.

Vulnerability: This is a hole, misconfiguration, or anything that exposes a system to cyberattacks. Vulnerabilities with no patches released are called zero-day vulnerabilities.

Exploitation: This involves taking control of a system by leveraging its vulnerabilities.

Payload: This is a piece of malicious code sent to the target system to gain access. Most exploitations will include one or more payloads.

Malware: This is malicious software, i.e., any piece of software that’s designed to harm the target. This includes payloads as well.

Red and blue team: Companies often perform cybersecurity drills where two teams take part: the red team attacks, and the blue team defends. This is to simulate real-world attacks and be ready when the real bad guys come in.

The hacker’s journey

Now that we know these terms, let’s look at an average penetration testing audit. There are a few steps involved in a pen testing engagement, from information gathering to exploitation. We’ll also see where Nmap fits in the equation.

Press + to interact
The hacker’s journey
The hacker’s journey

Passive reconnaissance (recon): This is the first step in a pen testing engagement. We can use tools like Recon-ng, theHarvester, and Sherlock to gather publicly available information from the web.

Active reconnaissance/enumeration: This is where we actively engage with the target. This involves tools like Nmap, Nessus, and Nikto to gather information about the target system. Using active recon, we can find open ports, operating systems, misconfigured services, and other information that will help us exploit and gain access to that system.

Exploitation: This is where we exploit the target using the information we gathered during active and passive reconnaissance. This step involves tools like Metasploit to send payloads to the target.

Post exploitation: After we’ve exploited a target, we have to maintain access to that system. This is where a cracker installs malware like keyloggers and rootkits to maintain their access to the target system.

Reporting: A good cybersecurity audit ends with a detailed report on all the steps taken by the hacker. This helps the organization understand its security posture and take steps to strengthen it.

Now that we know what a cybersecurity audit is and where Nmap helps us as hackers, let’s look at what Nmap is in detail.

Disclaimer: Before we move further into the course, we want to stress that scanning a website or a server without permission is illegal. Companies have cyberdefense systems that will track users’ activity and report to the authorities. We want to emphasize that we’re not responsible for any issues that might arise from misuse on your part.

Although hacking with permission has its limitations, it’s better than going to jail. Don’t be a cracker.

Let’s scan a site

Let’s try a simple scan. We can use the scanme.nmap.org URL to try our scan. Nmap allows everyone to use this URL for learning, so we have permission to scan it.

Start the terminal and run the following command:

nmap scanme.nmap.org
Simple Nmap scan

Don’t worry about the results for now. By the end of the course, the output will make complete sense.

Terminal 1
Terminal
Loading...

We can see that there are a few open ports. Nmap will also list the services running in those ports.

This is just a sample response from Nmap. Nmap has a number of flags, options, and scripts with which we can pull a lot more information about a server than a few open ports.

If this sounds interesting, the rest of the course is sure to be fun. Once we’re done with the course, we’ll be able to use Nmap to scan any network and obtain critical information about the devices in the network.