Author: Fyodor
Required: flex, bison
Homepage: http://www.insecure.org/nmapCurrent stable release: 2.53
License: GPL
Platform ports: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, IRIX, BSDI, SunOS, HP-UX, AIX, Digital UNIX, Cray UNICOS and Windows NT.
The intent of this article is to familiarize the reader with the network scanner nmap. As Lamont Grandquist (an nmap contributor/developer) points out, nmap does three things: It will ping a number of hosts to determine if they are up. It will portscan hosts to determine what services they are offering and it will attempt to determine the OS (operating system) of host(s). Nmap allows the user to scan networks as small as a two node LAN (Local Area Network) or as large as a 500 node LAN and even larger. Nmap also allows you to customize your scanning techniques. Sometimes a simple ICMP (Internet Control Message Protocol) ping sweep may be all you need. If not, then maybe you're looking for a stealth scan giving back reports on UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) ports that are available and as to what operating system the host is using? Still want more? You can do all that and log the data into either human-readable or machine-parsable format. In this article I will be covering some basic to intermediate scanning techniques to get you off and running with nmap. If you love it enough then I would suggest reading the the nmap man pages 50 times and then translating it into the foreign language of your choice;)
Some Linux distributions come with nmap as part of the install. If you do not have nmap then let's begin with grabbing the latest copy and getting it up and running. The version I will be covering here will be the source code tarball, optionally you have both rpm and source-rpm to choose from . The Linux distribution I am using is Red Hat 6.1. Download the nmap-latest.tgz file into your home directory. Once the download is complete perform tar -zxvf nmap-latest.tgz and this will unpack the source code into your home directory. Go into the newly created nmap-latest directory and read both the README and INSTALL files. Ideally the next step would be to perform configure, make and (as root) make install in the top level of the newly created directory. This will install the nmap binary into /usr/local/bin. From here we're ready to run nmap.
Scanning types
Without further ado, let's get down to business with nmap. First we will need an address to scan against. If you are working from a LAN then pick a number of one of your hosts. Let's say that your LAN consists of two machines: Adam and Eve. Adam (192.168.0.1) is the unit we'll be running nmap on. Eve (192.168.0.2) is the machine we will be scanning. From the command line I would type the following:
nmap 192.168.0.1
Here is a sample output from the scan:
Example 1
Starting nmap V. 2.53
by [email protected] (www.insecure.org/nmap)
Interesting ports on
Eve (192.168.0.2):
(The 1511 ports scanned
but not shown below are in state:closed)
Port
State
Service
21/tcp
open
ftp
23/tcp
open
telnet
25/tcp
open
smtp
79/tcp
open
finger
80/tcp
open
http
98/tcp
open
linuxconf
111/tcp
open
sunrpc
113/tcp
open
auth
513/tcp
open
login
514/tcp
open
shell
515/tcp
open
printer
6000/tcp
open
X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
What the above example did was run a vanilla TCP scan against the designated address. As we can see from this sample output our host is up and gives us a list of available ports that are listening. This of course is the most basic of all commands and can be run without any special privileges. The disadvantage of this call is that any host running logging software will easily detect this sort of scan. The output of this call would be the same as adding the option -sT to the command line so it would look like this: nmap -sT 192.168.0.2. (Note that this call is allowable by normal users).
Not on a local LAN? Working from a single host dial-up machine? No problem, run ifconfig (or use your favorite text editor to view your /var/log/messages file, look for the last entry in the messages file that contains a remote IP address) to obtain your IP address and go from there. Let's say my IP address is 206.212.15.23, we can use that as a premise to base our scans on. So with that in mind let's check on our "neighbor":
nmap -sT 206.212.15.22
Here is the sample output:
Example 2
Starting nmap V. 2.53 by [email protected] (www.insecure.org/nmap)
Interesting ports on find2-cs-4.dial.ISP.net
(206.212.15.22):
(1522 ports scanned but not shown below are in
state: closed)
Port
State
Service
139/tcp
open
netbios-ssn
Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds
This is a very basic example of nmap's capabilities but it atleast gives the beginner some grounds to work off of if not on a local LAN.
-sS Now let's say that that you wish to use a more stealthy scan to prevent detection, you would then use our previous example only with the -sS (SYN) call so it would look like this: nmap -sS 192.168.0.2.The -sS (SYN) call is sometimes referred to as the "half-open" scan because you do not initiate a full TCP connection. The output will read the same as example 1 only with a lesser chance of detection from the other end. Unlike running the -sT call this call requires root privileges.
-sF -sX -sN Now for the truly paranoid or instances when the target may be running filtering or logging software that detect SYN we can issue a third type of call with the -sF (Stealth FIN), sX (Xmas Tree) or -sN (Null) scan. Note: Since Microsoft insists on doing things their own way, neither the FIN, Xmas or Null scan modes will work on Windows 95/98 or NT boxes. So if we were to get a listing of available ports running either the -sT or -sS options but "All scanned ports are: closed" running the -sF, sX or -sN option, then we can safely assume that the target is probably a Windows box. This really isn't a necessary procedure to verify a Windows machine since nmap has built in OS detection which we will cover later. These three commands also require root privileges.
-sU This option tells nmap to scan for listening UDP (User Datagram Protocol) rather than TCP ports on a target host. Although this can sometimes be slow on Linux machines it runs particularly fast against Window boxes. Using our previous examples of Adam and Eve, let's run (once again root privilege is required) a -sU scan against Eve:
nmap -sU 192.168.0.2
Here is the sample output from the scan:
Example 3
Starting nmap V. 2.53 by [email protected]
(www.insecure.org/nmap)
Interesting ports on Eve (192.168.0.2):
(The 1445 ports scanned but not shown below are
in state: closed)
Port
State
Service
111/udp
open
sunrpc
517/udp
open
talk
518/udp
open
ntalk
Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
As we can see nmap scanned 1455 ports on Eve and gave us a listing of the UDP ports it found to be listening. We can gather from examples one and two that we are looking at a Linux install. With that in mind if you remember in the introduction I mentioned that nmap performs three things: It pings, it portscan's and it detects the target's (operating system). Now that we've briefly covered the first two uses let's move onto OS detection
-O This is the option to be used to determine the operating system of the given target. It can be used in conjunction with our above mentioned scan types or by itself. Nmap uses what is called TCP/IP fingerprinting to try and accurately determine the OS of the given target. For a more complete reading on OS fingerprinting please see Foyer's article titled "Remote OS detection via TCP/IP fingerprinting" found here. Now with that in mind let's get right to our next example. Using our target host (Eve) from Example 1, I would type the following: (Note that the -O option requires root privileges)
nmap -O 192.168.0.2
Here is a the sample output from the scan:
Example 4
Starting nmap V. 2.53 by [email protected] (www.insecure.org/nmap)
Interesting ports on Eve (192.168.0.2):
(The 1511 ports scanned but not shown below are
in state:closed)
Port
State
Service
21/tcp
open
ftp
23/tcp
open
telnet
25/tcp
open
smtp
79/tcp
open
finger
80/tcp
open
http
98/tcp
open
linuxconf
111/tcp
open
sunrpc
113/tcp
open
auth
513/tcp
open
login
514/tcp
open
shell
515/tcp
open
printer
6000/tcp
open
X11
TCP Sequence prediction: Class=random positive
increments
Difficulty=1772042 (Good luck!)
Remote operating system guess: Linux 2.1.122
- 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
Notice that nmap reports the same available port data as it did in example 1 due to the default -sT option, but also the OS of the machine (in this case Linux) and the kernel version...not bad ehh?! Nmap comes equipped with an impressive OS database.
Instead of limiting ourselves to scanning just one target., let's broaden our horizon's to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our "community". At the command line type the following (substituting a valid address of your choice of course):
nmap -sT -O 206.212.15.0-50
What this does is instruct nmap to scan every host between the IP addresses of 206.212.15.0 and 206.212.15.50. If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:
To create a human readable output file issue the -oN<textfile name> command into your nmap string so that it would look similar to this:
nmap -sT -O -oN sample.txt 206.212.15.0-50
Rather have a machine parsable file? Enter the -oM <textfile name> to pipe the output into a machine parsable file:
nmap -sT -O -oM sample.txt 206.212.15.0-50
*Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.
-I This is a handy little call that activates nmap's TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let's take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:
-iR Use this command to instruct nmap to scan random hosts for you.
-p Port range option allows you to pick what port or ports you wish nmap to scan against.
-v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.
-h Displays a quick reference of nmap's calls
Now that we have looked at nmap's three basic usage types and some of it's other options, let's mix and match them.
nmap -v -v -sS -O 209.212.53.50-100
This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses 209.212.53.50 and 209.212.53.100. This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let's log our results into a human readable file for future reference:
nmap -v -v -sS -O -oN sample.txt 209.212.53.50-100
Now let's make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of 209.212.53.50 and 209.212.53.100. Once again we will log the output (I'm a log junkie) for future reference into a human readable file called ftphttpscan.txt:
nmap -sS -p 23,80 -oN ftphttpscan.txt 209.212.53.50-100
Remember the -iR option mentioned previously? Let's use it to take a random sampling of Internet web servers using the verbatim example from nmap's man page:
nmap -sS -iR -p 80
Last but certainly not least, while gleaning information, don't forget to nmap yourself. Just type at the command line: nmap 127.0.0.1 This is especially useful and recommended if you're a newcomer to Linux and connected to the Internet via DSL or cable modem.
Now for those of you who would rather not work on the command line (shame on you) there are graphical front ends for nmap.
NmapFE - NmapFE, written by Zach Smith, comes included in the nmap-2.53.rpm and uses the GTK interface. NmapFE can be found at http://codebox.net/nmapfe.html
Kmap - Kmap, written by Ian Zepp, uses the QT/KDE frontend for nmap at can be found at http://www.edotorg.org/kde/kmap/
KNmap - KNmap, written by Alexandre Sagala, is another KDE frontend for nmap and can be found at http://pages.infinit.net/rewind/
This wraps up our quick and dirty look and nmap. I hope you find the application as enjoyable as I do. Comments or questions can be sent to either myself [email protected] or [email protected]. Happy scanning.