Network Security

nmap Target Finding and Investigation

So in this scenario we have been tasked to enter company X and see what we can find, job one is to recon the network environment, for this i will be using the tool NMAP!

You might be wondering have i missed a few steps to be able to get access to the network. Well, you would be surprised how many companies especially ones working with public access have old redundant and somewhat misplaced network ports.

You could implement social hacking and simply talk your way onto the network, for example report to reception and ask for the wifi key you require for a meeting. I’ll look into writing a post on social engineering and getting others to go the hard work.

Back to nmap.

Boot up your Kali and open a terminal window. To begin lets do a basic sweep of the whole network.

nmap -sn

This will then run away and scan the ip address range you specified and report back on all the hosts it finds with ip addresses and MAC addresses.

Now we have a basic overview of the target network we can start to probe the network for more information, select a target and run the following command.

nmap -sV -T4 -F

So after a short time it will show you more details about the target you selected. In my case the target looks to be a Linux box running several services like FTP, samba file/print services… and what ports are open.

Looks like an interesting target! We need to know more about it.

Lets run a more “aggressive” scan on the target using -A. This command has already been setup to run several of the more popularly used commands in Nmap, into one command for you to type. predefined it will run -O, -sC –traceroute and several others. For now, simply know that -O works for operating system detection, and -sC runs several scripts inside nmap at once such as speed and verbosity. When running this scan, which will take longer because of the extra scripts involved, you’ll receive back a bunch of strange looking fingerprint information, but hopefully the useful data will come in.


So, as you can see what started off as a simple IP address has soon uncovered a QNAP NAS with a list of ports and services you could attempt an exploit on.


As we now know we have our-self a QNAP NAS running samba we could run the following command to see what shares, users and other details.

enum4linux -a

using the -a it will get us all the information about the target.

So we now have a network NAS, know the set of users and what access, also what shares are available.

So, 10 minuets in and we have out target, usernames to use and what password policy to attempt a brute force attack.


In a followup post i will go through how i attempted a brute force attack on the samba QNAP NAS.


What does: enum4linux do?

Enum4Linux is a tool for enumerating information from windows and samba systems. It will show information such as RID cycling, User listing, shares, domain or workgroup detection, password policy…



What does: nmap do?

NMAP or Network Mapping is used to discover hosts and services on a computer network, thus building the “map” of the network. There are loads of switches you can input to make more targeted scans or look out for hosts with specific services your interested in.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.