Tuesday, January 26, 2010

Nmap 101: Introduction to Network Scanning with Nmap

Nmap is an open source program released under the GNU General Public License (see www.gnu.org/copyleft/gpl.html). It is an invaluable tool for network administrators that can be used to discover, monitor, and troubleshoot TCP/IP systems. Nmap is a free cross-platform network scanning utility created by Gordon “Fyodor” Lyon and is actively developed by a community of volunteers.
Nmap’s award-winning suite of network scanning utilities has been in constant development since 1997 and continually improves with each new release. Version 5.00 of Nmap (released in July of 2009) adds many new features and enhancements including:
  • Improved service and operating system version detection
  • Improved support for Windows and Mac OS X
  • Improved Nmap Scripting Engine (NSE) for performing complex scanning tasks
  • Addition of the Ndiff utility which can be used to compare Nmap scans
  • Ability to graphically display network topology with Zenmap
  • Additional language localizations including German, French, and Portuguese
  • Better overall performance
To get started using Nmap, simply follow these three steps...



Step 1: Install Nmap

Windows and Mac OS X users can install Nmap by downloading the appropriate installer from www.nmap.org/download.html. Linux users can install Nmap by simply typing one of the following commands:

For Debian and Ubuntu based systems

# apt-get install nmap

For Red Hat and Fedora based systems

# yum install nmap

For Gentoo Linux based systems

# emerge nmap

Note: See this post for information on how to install Nmap from source.

Step 2: Find a target system to scan

Now that you have Nmap installed it's time to select a target. The Nmap project provides a test system that you can freely scan located at scanme.insecure.org. This is a good place to start until you get comfortable with Nmap usage. Once you get a good feel for how Nmap works you can move on to more interesting targets like your router at home or maybe a server at work.

Note: Scanning networks that you do not have permission to scan can get you in trouble with your internet service provider, the police, and possibly even the government. Don’t go off scanning the FBI or Secret Service websites unless you want to get in trouble.

Warning: Aggressively scanning some systems may cause them to crash which can lead to undesirable results like system downtime and data loss. Always scan mission critical systems with caution.

Step 3: Scan!

Executing Nmap with no command line options will perform a basic scan on the specified target. A target can be specified as an IP address or host name (which Nmap will try to resolve).

# nmap scanme.insecure.org

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-07 09:36 Central Daylight Time

Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
PORT      STATE  SERVICE
25/tcp    closed smtp
70/tcp    closed gopher
80/tcp    open   http
110/tcp   closed pop3
113/tcp   closed auth
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 9.25 seconds


The scan above shows the output of a basic scan on scanme.insecure.org. A default Nmap scan checks the 1000 most commonly used TCP/IP ports. Each scanned port is classified into one of six port states: open, closed, filtered, unfiltered, open|filtered, or closed|filtered.

For faster results, you can use the -F option which instructs Nmap to perform a scan of only the 100 most commonly used ports.

# nmap -F scanme.insecure.org

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-07 09:36 Central Daylight Time

Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
PORT      STATE  SERVICE
25/tcp    closed smtp
70/tcp    closed gopher
80/tcp    open   http
110/tcp   closed pop3
113/tcp   closed auth
31337/tcp closed Elite


Nmap done: 1 IP address (1 host up) scanned in 2.43 seconds


Nmap scans the top 1000 commonly used ports by default. The -F option reduces that number to 100. This can dramatically speed up scanning while still representing the majority of commonly used ports.

Scan Multiple Systems

Nmap can be used to scan multiple hosts at the same time. The easiest way to do this is to string together the target IP addresses or host names on the command line (separated by a space).

# nmap 192.168.10.1 192.168.10.100 192.168.10.101

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-07 20:30 CDT
Interesting ports on 192.168.10.1:
Not shown: 997 filtered ports
PORT   STATE  SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
80/tcp open   http

Interesting ports on 192.168.10.100:
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs

Nmap done: 3 IP addresses (2 hosts up) scanned in 6.23 seconds

The example above demonstrates using Nmap to scan three addresses at the same time (although only 2 of the targets appear to be online).
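Because the default output is written for a person to read, a common administrative use is to turn it into an inventory and compare it with what each host is supposed to expose. The following Python script is an added example, not code from the original post or from the Nmap project: it parses the "Interesting ports on" blocks of Nmap 5 normal output (the three-host run above is embedded verbatim as the sample input) and reports open TCP ports that are missing from an assumed per-host baseline, EXPECTED_OPEN, which is made up for the illustration.

```python
"""Turn Nmap 5 normal output into a per-host port inventory and flag open
TCP ports that fall outside an expected baseline.

Added example: not code from the original post or the Nmap project.
"""
import re

# Sample input: the three-host scan output shown on this page, copied verbatim.
SAMPLE_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-07 20:30 CDT
Interesting ports on 192.168.10.1:
Not shown: 997 filtered ports
PORT   STATE  SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
80/tcp open   http

Interesting ports on 192.168.10.100:
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs

Nmap done: 3 IP addresses (2 hosts up) scanned in 6.23 seconds
"""

# Assumed baseline (illustrative only): the TCP ports each host should expose.
EXPECTED_OPEN = {
    "192.168.10.1": {80},
    "192.168.10.100": {22, 2049},
}

# Host header, either "Interesting ports on 10.0.0.1:" or
# "Interesting ports on name (10.0.0.1):"; the address is used as the key.
HOST_RE = re.compile(r"^Interesting ports on (\S+?)(?: \(([\d.]+)\))?:$")
# One port line; only the six Nmap port states are accepted.
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(\S+)"
)


def parse_nmap_output(text):
    """Return {address: {(port, proto): (state, service)}} for every host block."""
    hosts = {}
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(2) or host.group(1)
            hosts[current] = {}
            continue
        port = PORT_RE.match(line)
        if port and current is not None:
            number, proto, state, service = port.groups()
            hosts[current][(int(number), proto)] = (state, service)
    return hosts


def unexpected_open_ports(hosts, expected):
    """Return {address: sorted open TCP ports absent from that host's baseline}."""
    findings = {}
    for address, ports in hosts.items():
        allowed = expected.get(address, set())
        extra = sorted(
            number
            for (number, proto), (state, _service) in ports.items()
            if proto == "tcp" and state == "open" and number not in allowed
        )
        if extra:
            findings[address] = extra
    return findings


def hosts_not_seen(hosts, expected):
    """Baseline hosts that produced no port block (down, or filtered entirely)."""
    return sorted(set(expected) - set(hosts))


if __name__ == "__main__":
    inventory = parse_nmap_output(SAMPLE_OUTPUT)
    for address, ports in inventory.items():
        opened = [f"{n}/{p} {svc}" for (n, p), (st, svc) in sorted(ports.items()) if st == "open"]
        print(address, "open:", ", ".join(opened))
    for address, extra in unexpected_open_ports(inventory, EXPECTED_OPEN).items():
        print(f"{address}: open ports outside baseline: {extra}")
    for address in hosts_not_seen(inventory, EXPECTED_OPEN):
        print(f"{address}: expected host not reported")
```

On the sample above the script reports 111, 139 and 445 on 192.168.10.100 as outside the baseline; a host that is down produces no block at all, which hosts_not_seen surfaces. For anything beyond a one-off, parse Nmap's XML output (-oX) instead of the human-readable format, which is not guaranteed to stay stable between versions, and use the bundled Ndiff utility for scan-to-scan comparison.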

Tip: Since all three targets in the above example are on the same subnet you could use the shorthand notation of nmap 192.168.10.1,100,101 to achieve the same results.

You can also use Nmap to scan an entire subnet using CIDR notation, ranges, or a wildcard. The following three examples demonstrate this syntax.

# nmap 192.168.10.1/24

# nmap 192.168.10.*

# nmap 192.168.10.1-254

Any of the three examples above would work for scanning the 192.168.10.x class C network.
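To see exactly what each of those notations expands to, here is an added Python example that is not part of the original post or of Nmap itself. It implements the same IPv4 target-specification rules for CIDR, a per-octet wildcard, a per-octet range and the comma-list shorthand from the tip above, and goes slightly beyond the page by allowing those rules to be combined in any octet (which Nmap also accepts, for example 192.168.1-3,10.*). Running it shows why the three commands are interchangeable for this network, and also shows that the 1-254 range leaves out the .0 and .255 addresses that the CIDR and wildcard forms include.

```python
"""Expand the Nmap IPv4 target notations shown above into address lists.

Added example: not code from the original post or the Nmap project. It covers
CIDR (192.168.10.1/24), a per-octet wildcard (192.168.10.*), a per-octet range
(192.168.10.1-254) and a per-octet comma list (192.168.10.1,100,101); any
octet may combine ranges and lists, e.g. 192.168.1-3,10.*.
"""
import ipaddress
import itertools
import re

# One comma-separated element of an octet: "*", "N" or "N-M".
OCTET_PART = re.compile(r"^(\*|\d{1,3}(?:-\d{1,3})?)$")


def expand_octet(spec):
    """Return the sorted list of values (0-255) covered by one octet spec."""
    values = set()
    for part in spec.split(","):
        if not OCTET_PART.match(part):
            raise ValueError(f"bad octet specification: {part!r}")
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            low, high = (int(x) for x in part.split("-"))
            if not 0 <= low <= high <= 255:
                raise ValueError(f"octet range out of bounds: {part!r}")
            values.update(range(low, high + 1))
        else:
            value = int(part)
            if value > 255:
                raise ValueError(f"octet out of bounds: {part!r}")
            values.add(value)
    return sorted(values)


def expand_targets(spec):
    """Expand one target specification into a list of dotted-quad strings.

    CIDR is handled the way Nmap does it: the host bits of the given address
    are ignored and every address of the containing network is listed,
    including the .0 and .255 (network and broadcast) addresses of a /24.
    """
    if "/" in spec:
        network = ipaddress.ip_network(spec, strict=False)
        return [str(address) for address in network]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets: {spec!r}")
    combinations = itertools.product(*(expand_octet(octet) for octet in octets))
    return [".".join(str(n) for n in combo) for combo in combinations]


def same_hosts(*specs):
    """True when every specification expands to exactly the same set of hosts."""
    sets = [set(expand_targets(s)) for s in specs]
    return all(s == sets[0] for s in sets[1:])


if __name__ == "__main__":
    for spec in ("192.168.10.1/24", "192.168.10.*", "192.168.10.1-254", "192.168.10.1,100,101"):
        hosts = expand_targets(spec)
        print(f"{spec:24} -> {len(hosts):3} hosts, first {hosts[0]}, last {hosts[-1]}")
    print("CIDR and wildcard identical:", same_hosts("192.168.10.1/24", "192.168.10.*"))
    print("range is a strict subset of CIDR:",
          set(expand_targets("192.168.10.1-254")) < set(expand_targets("192.168.10.1/24")))
```

The CIDR and wildcard forms both expand to 256 addresses while the range form expands to 254, so the three are equivalent for the usable hosts of the subnet; the same expansion logic is what you want when checking that a scheduled scan's target list stays inside the address space you are authorized to scan.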

Perform an Aggressive Scan

The -A parameter instructs Nmap to perform an aggressive scan.

# nmap -A 10.10.1.51

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-10 09:39 CDT
Interesting ports on 10.10.1.51:
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Linksys WAP54G wireless-G router http config
|_ html-title: 401 Unauthorized
|  http-auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = Linksys WAP54G
MAC Address: 00:12:17:AA:66:28 (Cisco-Linksys)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Network Distance: 1 hop
Service Info: Device: WAP

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.61 seconds

The aggressive scan selects some of the most commonly used options within Nmap and is provided as a simple alternative to typing a long string of command line arguments. This type of scan provides additional information about the remote system beyond the port states reported by a typical Nmap scan.


Scan All Ports

To scan all ports on a remote system, use the -p "*" option. This is a wildcard used to scan all 65,535 TCP/IP ports on the specified target.

# nmap -p "*" 10.10.1.41

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-16 14:07 Central Standard Time

Interesting ports on 10.10.1.41:
Not shown: 4204 closed ports
PORT     STATE    SERVICE
7/tcp    open     echo
9/tcp    open     discard
13/tcp   open     daytime
19/tcp   open     chargen
21/tcp   open     ftp
23/tcp   open     telnet
25/tcp   open     smtp
37/tcp   open     time
111/tcp  open     rpcbind
113/tcp  open     auth
139/tcp  open     netbios-ssn
512/tcp  open     exec
513/tcp  open     login
514/tcp  open     shell
515/tcp  open     printer
543/tcp  open     klogin
...


Note: You must enclose the wildcard statement in quotes so your system does not interpret it as a shell wildcard.

Detect the Operating System on a Target

The -O parameter enables Nmap’s operating system detection feature.

# nmap -O 10.10.1.48

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-11 13:09 Central Daylight Time
...

MAC Address: 00:0C:F1:A6:1F:16 (Intel)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop

...

In most cases, Nmap is able to identify the operating system on a remote target. Operating system detection is performed by analyzing responses from the target for a set of predictable characteristics which can be used to identify the type of OS on the remote system. The results are displayed below the output of the port scan results.

Other Useful Tips and Tricks

Scan an IPv6 system: nmap -6 [target]
Ping Scan: nmap -sP [target]
Perform an advanced traceroute: nmap --traceroute [target]
Display Verbose output: nmap -v [target]

These are just some of the many options available for network scanning with Nmap. To learn more about Nmap's advanced scanning features, check out my latest book, Nmap Cookbook: The Fat-free Guide to Network Scanning.
