This is the last article of my series on tools for network analysis: after wireshark, ntop and a fine assortment of command-line tools, it is time to look at nmap.
Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).
Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in eight movies, including The Matrix Reloaded, Die Hard 4, and The Bourne Ultimatum.
Installation
Nmap is packaged for many distributions; on my Ubuntu 10.04 I installed it with just: aptitude install nmap zenmap
Options
Nmap has a lot of options. I will illustrate the most common uses with examples in order to present some of the most useful ones; for the complete list, check the man pages or the online documentation.
Target
1) Basic use
Everything on the Nmap command-line that isn’t an option (or option argument) is treated as a target host specification. The simplest case is to specify a target IP address or hostname for scanning.
Example, with my ADSL router as the target:
nmap 192.168.0.1
Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-27 19:29 CEST
Interesting ports on 192.168.0.1:
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
8080/tcp open http-proxy
49152/tcp open unknown
MAC Address: 00:18:4D:AF:A0:64 (Netgear)
Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds
So we can see that ports 80, 8080 and 49152 are open.
2) Scan a network of 8 nodes:
nmap 192.168.0.1/29
Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-27 19:56 CEST
Interesting ports on 192.168.0.1:
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
8080/tcp open http-proxy
49152/tcp open unknown
MAC Address: 00:18:4D:AF:A0:64 (Netgear)
Interesting ports on 192.168.0.3:
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
9100/tcp open jetdirect
50000/tcp open iiimsf
MAC Address: 00:20:00:7B:F1:D1 (Lexmark International)
Nmap done: 8 IP addresses (2 hosts up) scanned in 7.58 seconds
3) Scan a list of hostnames read from a file
-iL <inputfilename> (Input from list)
Reads target specifications from <inputfilename>. Passing a huge list of hosts is often awkward on the command line, yet it is a common desire.
4) Exclude some hosts
--exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)
Specifies a comma-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify. The list you pass in uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc. This can be useful when the network you wish to scan includes untouchable mission-critical servers, systems that are known to react adversely to port scans, or subnets administered by other people.
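Before running a scan built from a target list and an exclude list, it helps to see exactly which addresses remain in scope. The following is an added example, not part of the original article or of Nmap: the function names and sample values are hypothetical, and it handles only IPv4 addresses and CIDR blocks, not hostnames or octet ranges.

```python
import ipaddress

# Constructed sample input: the lines of a target file and an --exclude value.
TARGET_LINES = ["192.168.0.1/29", "192.168.0.20"]
EXCLUDE = "192.168.0.3,192.168.0.4/31"
AUTHORIZED = "192.168.0.0/28"   # the range you are allowed to scan (assumed)

def expand(spec):
    """Return every address covered by one IPv4 address or CIDR block.

    strict=False accepts a host address with a prefix, as in 192.168.0.1/29;
    the whole block is covered, network and broadcast addresses included.
    """
    return set(ipaddress.ip_network(spec.strip(), strict=False))

def effective_targets(target_lines, exclude_arg):
    """Addresses left after removing the comma-separated exclude list."""
    targets = set()
    for line in target_lines:
        for spec in line.split():          # entries are whitespace-separated
            targets |= expand(spec)
    excluded = set()
    for spec in exclude_arg.split(","):
        if spec.strip():
            excluded |= expand(spec)
    return sorted(targets - excluded)

def outside_authorized(addresses, authorized_cidr):
    """Addresses that fall outside the range you are allowed to scan."""
    allowed = ipaddress.ip_network(authorized_cidr)
    return [addr for addr in addresses if addr not in allowed]

if __name__ == "__main__":
    scope = effective_targets(TARGET_LINES, EXCLUDE)
    print("in scope:", [str(a) for a in scope])
    print("not authorized:", [str(a) for a in outside_authorized(scope, AUTHORIZED)])
```

An empty "not authorized" list is the condition to check before starting the scan.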
Scan Types
5) TCP connect() Scan [-sT]
These scans are so called because UNIX sockets programming uses a system call named connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection was made. If it fails, the connection could not be made (the remote system is offline, the port is closed, or some other error occurred along the way). This allows a basic type of port scan, which attempts to connect to every port in turn, and notes whether or not the connection succeeded.
Example
nmap -sT -p 80 -oG - 192.168.1.* | grep open
Search for the list of servers with the HTTP port open
6) SYN Stealth Scan [-sS]
To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.
SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully; often preventing the connection attempt appearing in application logs.
Example
nmap -sS -P0 -sV -O < target >
Get information about the remote host's ports and detect its OS
Where < target > may be a single IP, a hostname or a subnet
-sS performs TCP SYN scanning (also known as half-open, or stealth scanning)
-P0 allows you to switch off ICMP pings
-sV enables version detection
-O attempts to identify the remote operating system
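Seen from the scanned side, the half-open pattern described above (SYN, SYN/ACK, then RST instead of ACK) is visible in packet captures even when the application logs show nothing. The following is an added example, not part of the original article: the packet tuples are constructed, and the function names and threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries: (src, sport, dst, dport, TCP flags).
PACKETS = [
    # Ordinary client: full handshake (SYN, SYN/ACK, ACK) to port 80.
    ("10.0.0.5", 40000, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.5", 40000, "SA"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, "A"),
    # Half-open probes: SYN, SYN/ACK, then RST instead of the final ACK.
    ("10.0.0.7", 51000, "10.0.0.9", 22, "S"),
    ("10.0.0.9", 22, "10.0.0.7", 51000, "SA"),
    ("10.0.0.7", 51000, "10.0.0.9", 22, "R"),
    ("10.0.0.7", 51001, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.7", 51001, "SA"),
    ("10.0.0.7", 51001, "10.0.0.9", 80, "R"),
    ("10.0.0.7", 51002, "10.0.0.9", 443, "S"),
    ("10.0.0.9", 443, "10.0.0.7", 51002, "SA"),
    ("10.0.0.7", 51002, "10.0.0.9", 443, "R"),
    # Closed port: the server answers the SYN with RST/ACK, no handshake.
    ("10.0.0.7", 51003, "10.0.0.9", 23, "S"),
    ("10.0.0.9", 23, "10.0.0.7", 51003, "RA"),
]

def half_open_ports(packets):
    """Map each initiator to the (server, port) pairs it reset after SYN/ACK."""
    state, found = {}, defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            state[fwd] = "SYN_SENT"
        elif flags == "SA" and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_ACKED"
        elif state.get(fwd) == "SYN_ACKED":
            # The initiator's next packet decides: ACK completes, RST aborts.
            if "R" in flags:
                found[src].add((dst, dport))
            state.pop(fwd)
    return dict(found)

def suspects(packets, min_ports=3):
    """Initiators that aborted handshakes on at least min_ports open ports."""
    return {src: sorted(ports)
            for src, ports in half_open_ports(packets).items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    print(suspects(PACKETS))
```

The threshold matters because a single aborted handshake can be an ordinary client error, while the same source resetting several open ports in a row is the scan signature.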
7) Ping Scan [-sP]
This scan type lists the hosts within the specified range that responded to a ping. It allows you to detect which computers are online, rather than which ports are open.
nmap -sP 192.168.0.*
More Examples
nmap -sV -T4 -O -F --version-light < target >
The (-F) option specifies that you only wish to scan for ports listed in the nmap-services file (see /usr/share/nmap/nmap-services). This is much faster than scanning all 65535 ports on a host. The option (-sV) enables version detection and (-O) will be used to detect the operating system. The option (--version-light) is a convenience alias for --version-intensity 2. This light mode makes version scanning much faster, but it is slightly less likely to identify services. The (-T4) option prohibits the dynamic scan delay from exceeding 10ms for TCP ports.
These are some of the main options you can use on the command line, but you can also check Zenmap, the graphical frontend of Nmap.
Zenmap
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. It is a multi-platform, free and open-source application designed to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. The purpose of Zenmap is not to replace Nmap. You still can use the good old command-line, but you will be able to use some advanced features like the Topology tab. This is an interactive view of the connections between hosts in a network.
Zenmap has the ability to show the differences between two scans. You can see what changed between the same scan run on different days, between scans of two different hosts, between scans of the same hosts with different options, or any other combination. This allows administrators to easily track new hosts or services appearing on their networks, or existing ones going down. To save an individual scan to a file, choose “Save Scan” from the “Scan” menu (or use the keyboard shortcut ctrl+S). If there is more than one scan in the inventory you will be asked which one you want to save. Results are saved in Nmap XML format. You are also able to save all scans related to your environment in a directory. This will be extremely helpful if you have to test networks in different locations at the same time. You will be able to reread the scan results offline, including the “Topology” tab, in the future if necessary.
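The same comparison can be scripted over two saved scans to report ports that opened or closed between runs. The following is an added example, not part of the original article and not Zenmap's or Ndiff's own code: the XML snippets are constructed and heavily trimmed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET  # parse only scan files you produced yourself

# Constructed, heavily trimmed scan results in Nmap XML format.
SCAN_OLD = """<nmaprun>
<host><address addr="192.168.0.1" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/></port>
</ports></host>
<host><address addr="192.168.0.3" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/></port>
  <port protocol="tcp" portid="80"><state state="open"/></port>
</ports></host></nmaprun>"""
SCAN_NEW = """<nmaprun>
<host><address addr="192.168.0.1" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="23"><state state="open"/></port>
  <port protocol="tcp" portid="80"><state state="open"/></port>
</ports></host>
<host><address addr="192.168.0.3" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="closed"/></port>
  <port protocol="tcp" portid="80"><state state="open"/></port>
</ports></host></nmaprun>"""

def open_ports(xml_text):
    """Map each host's IPv4 address to its set of open 'port/protocol' strings."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add(f"{port.get('portid')}/{port.get('protocol')}")
        hosts[addr.get("addr")] = ports
    return hosts

def diff_scans(old_xml, new_xml):
    """Per host, list the ports that opened or closed between two scans."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    changes = {}
    for ip in sorted(set(old) | set(new)):
        opened = sorted(new.get(ip, set()) - old.get(ip, set()))
        closed = sorted(old.get(ip, set()) - new.get(ip, set()))
        if opened or closed:
            changes[ip] = {"opened": opened, "closed": closed}
    return changes
```

Here diff_scans(SCAN_OLD, SCAN_NEW) reports a newly opened 23/tcp on 192.168.0.1, the kind of change an administrator wants to hear about first.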
Zenmap’s “Topology” tab provides an interactive, animated visualization of the connections between hosts on a network. Hosts are shown as nodes on a graph that extends radially from the center. The topology view is most useful when combined with Nmap’s --traceroute option, because that’s the option that discovers the network path to a host.
And finally, remember that scanning other people's networks can be considered an attack and reported as such, so be careful what you do!
There's a web-based port scanner people can use at http://viewdns.info/portscan/
[…] by a web interface called NST WUI. Among a collection that can be used by this interface are nmap with a visualization apparatus ZenMap, ntop, an event manager for VNC, a minicom-based depot server, […]
Hi, It’s a very useful article. I didn’t know how to use nmap. I used to employ basic commands like ping, telnet, nslookup, … But this one is powerful. Thanks for your very good explanation.