Solved Nmap: how are you supposed to scan network ports if you are not on the network?

---

Hello,

After watching the reconnaissance episodes of CySA+, I realized that to use nmap, you had to be already connected to the network you want to scan, right?

What I don't understand is, how are you supposed, maybe not as blue team but as a red team, to scan a network for open ports if you're not even in the network?

Let's say a penetration tester wants to scan a network for open ports, but they are not connected to this network, how are they supposed to find an entry point, except for sending an email with an attachment that exploits a software vulnerability?

I am wondering, what is the goal of Nmap in the end? I first looked at it as a tool to find ports and services which you could exploit to gain a basic access to a network. If it can only be used on a network to which you are already connected, is it more a tool that is used for privilege escalation? I mean, do you use it only to scan for computers that might give you an administrative access to the network?

What I also saw on quora regarding my question was that, when someone is not on a network, another possibility is to exploit a vulnerability in a router, and then once the router is taken over, they can scan the network with Nmap. Is it correct? What are the other methods an external pentester could use?

Thomas, you are spot-on with your realization. You must be connected to the same network in order to be able to scan network hosts with nmap.

Now, think about what networks you might be connected to that your target may also be connected to.

• External Untrusted (the Internet)
• DMZs (hosts that are connected to both trusted and untrusted networks)
• Internal Trusted (home/business network)

Now to your questions about how a pentester would scan hosts on these networks with nmap. Let's take them one at a time...

EXTERNAL

If we are putting this in the context of a penetration test scenario, a pentester could spin up an Internet facing host either with a cloud service like AWS/Azure/Docker/etc, install nmap, and scan the client's Internet facing hosts. This list of hosts can be given to the pentester by the client or can be built using DNS queries, ping sweeps, and/or searching for registered sub-domains. The pentester will most likely find hosts like web servers and mail servers as well as various other services. The pentester might also be fortunate enough to find an internet-facing device like a web camera or other IoT device. Maybe even a misconfigured host that shouldn't be facing the internet, but accidentally was patched down to the wrong port, put in the wrong VLAN, or a multitude of other security misconfigurations that could expose a host to the wild-west that is the Internet.

At the end of the day, any of these external facing hosts could be discovered, enumerated, and scanned using nmap.

DMZs

Here we have hosts that are connected to the Internet as well as have some connection to the private internal trusted network. They are what's called multi-homed, which is a $20 way of saying it has multiple network cards and are connected to different networks simultaneously. A lot of times you see this as a web server running a web application that is connected to a database. Since it is Internet-facing, our External scanning rules apply. Then if the pentester is able to exploit a vulnerability in the web application, they now have a "pivot" into the internal trusted network. Then pentester could then install nmap on the compromised host or proxy nmap through it and use it to scan hosts in any other networks that it is connected to.

INTERNAL

Here the client may grant a pentester access to the internal network purposefully for the sake of finding out how far a real threat could penetrate into the internal network if they were able to access it. This is called an Internal Pentest. But the pentester may gain access to the internal network by attacking the wireless network, finding an open ethernet port, hijacking the network connection of an IP phone, network printer, or some other network device. They could drop a LAN Turtle which will create a tunnel through the internal network and out to the internet, giving the pentester a backdoor. As you mentioned, the pentester could use malware via a phishing campaign. These are just a few common examples.

So, what is the goal of nmap? It is a tool to find open ports on a network host and enumerate the services running on those ports. It also does host discovery and some vulnerability scanning. The good news is that just because you're not jacked into a private network doesn't mean that there aren't internet-facing targets that could be the open window into that private network, but it all starts with nmap.

I hope that helps to clear things up for you.

Daniel Lowrie

Hey Daniel,

I was re-reading your answer and was intrigued by the part where you say you could install nmap on the pivot machine to scan other machines on the network. What tool do adversaries or you as a pen tester use to do this?

I came upon nmap's ncat tool which allows to set up network servers and clients. There is also a section on proxies.
Is that the tool you were referring to?
Also, could you explain the difference in what you said between using nmap on the compromised host or proxy nmap through it?

Thank you

Installing nmap on a compromised machine would be just like installing software on any other machine. You could use package managers like apt or yum, or you could compile from source binaries (download the binary to the compromised host and perform ./config, make, make install or something similar depending on the install notes of the application).

Theoretically there are a few ways in which this could be done, but in my answer I was referring to using dynamic port-forwarding with SSH and ProxyChains. See the Pentest+ series to learn more https://app.itpro.tv/course-library/comptia-pentest/pentesting-tools-remote-access/

Hopefully that helps to clear things up.

I think I understand the thought behind your idea. With your example in terms of thinking like a red team, you would start by being connected to the "External Network", using NMAP to scan their external IPs like
"1.1.1.1" for example. See what doors are open, versions of services, see if anything responds. NMAP is used in reconnaissance to get the lay of the land to help with further investigation using other tools a pentester will have in their arsenal

With a pentester as well, you may have an external test and then an internal test in which you will get a week in the office, onsite, in which you would be able to use NMAP internally.

Valid idea about a "jump" machine, and @daniel-lowrie87 has posted a great answer on that.

Cheers
Sam

@Sam-Hall Hi Sam, thank you for your answer. I would have like to read Daniel's answer on this, but you link redirects to an unauthorized page. Could you maybe paste this answer here?

Thank you!