Nmap isn’t just a port scanner; it’s your digital lockpick for Capture The Flag competitions, revealing the hidden vulnerabilities that await.

Let’s say you’ve just landed on a target IP, 10.10.10.10, in a CTF. You want to know what’s running on it. You fire up Nmap:

nmap -sV -sC -O --open -p- -oN nmap_initial_scan.txt 10.10.10.10

This command does a few key things:

  • -sV: Probes open ports to determine service/version info.
  • -sC: Runs default Nmap scripts, which often find common misconfigurations or vulnerabilities.
  • -O: Tries to detect the operating system (needs raw-packet privileges, so run it as root or with sudo).
  • --open: Only shows ports that are open.
  • -p-: Scans all 65535 TCP ports. This is thorough but can be slow.
  • -oN nmap_initial_scan.txt: Saves the output in a human-readable format.

The output might look something like this:

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00050s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.3
22/tcp    open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http        Apache httpd 2.4.41 ((Ubuntu))
139/tcp   open  netbios-ssn Samba smbd 4.6.2
443/tcp   open  ssl/http    Apache httpd 2.4.41 ((Ubuntu))
3306/tcp  open  mysql       MySQL 8.0.26
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.6.2), running in container
|   Computer name: CTFBOX
|   NetBIOS computer name: CTFBOX\x00
|   Domain name: WORKGROUP
|   Workgroup: WORKGROUP
|_  Samba: Samba 4.6.2

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.50 seconds

This initial scan gives us a treasure trove:

  • FTP (21): vsftpd 3.0.3. Check this exact version against a vulnerability database; older vsftpd releases had well-known issues, and -sC's ftp-anon script will tell you if anonymous login is allowed.
  • SSH (22): OpenSSH 8.2p1 Ubuntu. This is a common version, but worth noting.
  • HTTP (80 & 443): Apache httpd 2.4.41 ((Ubuntu)). Standard web server.
  • SMB (139): Samba smbd 4.6.2. The smb-os-discovery script is particularly useful here: it gives the Samba version, the NetBIOS name and the workgroup. (The "Windows 6.1" OS string is what Samba advertises to clients, not the real operating system; the Service Info line and the Samba banner are what tell you it is Linux.)
  • MySQL (3306): MySQL 8.0.26. A database service.

The key to CTF recon is not just what is open, but what version and how it’s configured. The smb-os-discovery script is a perfect example of how Nmap scripts can go beyond basic port scanning. It’s not just telling us SMB is there; it’s telling us about the underlying OS and Samba version, which is crucial for finding exploits.

Now, you’d start digging into these services. For vsftpd 3.0.3, you might immediately search for known exploits. For the Apache server, you’d browse the site in a browser. For MySQL, you’d consider default credentials or SQL injection through the web application.

To get even more detail, you’d refine your scans based on these findings. If you saw a web server, you’d run a directory brute-force:

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_web_scan.txt

If you found a specific version of a service that’s known to be vulnerable, you’d use Nmap’s scripting engine to check for that specific vulnerability, if a script exists. For example, for a vulnerable SMB service, you might run:

nmap -p 445 --script smb-vuln-ms17-010 10.10.10.10

This command targets port 445 (SMB) and runs a single script to check for the EternalBlue (MS17-010) vulnerability. It is a check, not an exploit: the script reports whether the host appears vulnerable. Point it at whichever port SMB is actually open on; in the scan above that was 139, so 445 would have to be confirmed open first.

The workflow is iterative. Nmap gives you the initial map, and then you use other tools to explore the territories it reveals. You might then go back to Nmap to perform more targeted scans on specific ports or services you’ve identified as interesting. For instance, if you find a web application that seems to be built with a particular framework, you might run a more in-depth Nmap scan on port 80/443 with scripts tailored to that framework.

You can also combine Nmap with other tools. For example, if Nmap identifies an open SMB port, you might then use smbclient to try and list the shares it offers:

smbclient -L //10.10.10.10/ -N

This command attempts to list shares on the target IP without a password.
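The "informed by the previous result" loop can be automated: the script below is an added example, not part of the original post, that parses the port table of Nmap's normal (-oN) output and prints the follow-up commands from this article (gobuster for each web port, smbclient for SMB). The embedded scan text is a constructed sample modelled on the output shown above.

```python
import re
from typing import NamedTuple

# Constructed sample of Nmap -oN output, modelled on the scan shown above.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.10
Host is up (0.00050s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.3
22/tcp    open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http        Apache httpd 2.4.41 ((Ubuntu))
139/tcp   open  netbios-ssn Samba smbd 4.6.2
443/tcp   open  ssl/http    Apache httpd 2.4.41 ((Ubuntu))
3306/tcp  open  mysql       MySQL 8.0.26
"""

class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str
    version: str

# One port-table line: "<port>/<proto>  <state>  <service>  [<version ...>]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_normal(text: str) -> list:
    """Return the port table of -oN output; header, script ('|') and summary lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services

def followup_commands(services, target,
                      wordlist="/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"):
    """Map open services to the next commands of the workflow described above."""
    cmds = []
    for s in services:
        if s.state != "open":
            continue
        if s.name in ("http", "ssl/http"):          # web server: directory brute-force per port
            scheme = "https" if s.name.startswith("ssl/") else "http"
            cmds.append(f"gobuster dir -u {scheme}://{target}:{s.port} -w {wordlist} -o gobuster_{s.port}.txt")
        elif s.name in ("netbios-ssn", "microsoft-ds"):  # SMB on 139 or 445: list shares
            cmds.append(f"smbclient -L //{target}/ -N")
    return sorted(set(cmds))   # de-duplicate: one smbclient call even if 139 and 445 are both open

if __name__ == "__main__":
    svcs = parse_nmap_normal(SAMPLE_SCAN)
    for s in svcs:
        print(f"{s.port}/{s.proto} {s.name:12} {s.version}")
    print("\n".join(followup_commands(svcs, "10.10.10.10")))
```

Feed it a real file with `parse_nmap_normal(open("nmap_initial_scan.txt").read())`; the regex ignores the script output blocks, so `-sC` results do not confuse it.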

The power of Nmap in CTFs lies in its versatility and extensibility. It’s not just about finding open ports; it’s about gathering intelligence that guides your entire attack path. The initial -sV -sC -O -p- scan is your baseline, but every subsequent command should be informed by the results of the previous ones.

The next step is often to look for ways to escalate privileges on a compromised service, or to find other machines on the network that the current machine can reach.
