
Advanced Nmap Command Line Options

Advanced Nmap: A Recap


By Rajesh Deodhar on May 1, 2011 in How-Tos, Sysadmins, Tools / Apps


This final article in the series consolidates information from the previous articles, looks at Nmap's future possibilities, and at the new tools from the development team.

Beginning its life as a simple port-scanner, Nmap has evolved into an excellent network security auditing tool. The Nmap website now describes it as a free and open source utility for network exploration or security auditing. Like most open source utilities, Nmap is released under the GNU GPL license (free to use, modify, and distribute). Interested users can download the latest version for their OS and start using it. All versions have the same command-line syntax and the same GUI; the only differentiator is a person's knowledge of how to use it to scan/audit the network. Understanding the various command-line options should help you use the tool in the most effective way. For example, while demonstrating the Nmap Scripting Engine capabilities at Black Hat 2010, the following steps were performed live:

1. Tracking a live Web cam installed on an unknown public IP.
2. Brute-forcing its username/password to gain access.
3. Watching the live video displayed.

The seemingly impossible feat was performed in less than 15 minutes. Sure, it is definitely not easy to achieve this kind of expertise, but to effectively master Nmap for everyday use should not be too difficult.

Nmap command-line options


If you run nmap without any switches, it gives you a list of all available command-line options. These are logically classified as shown in Table 1.

Table 1: A summary of Nmap commands (scan switch, followed by its utilisation)

Target specification

You can specify the target in various intuitive ways: by directly specifying the hostname/IP address; or by giving the start and end addresses to specify a range. You can also pass a list of IP addresses to Nmap using the -iL switch, followed by the name of the file containing the IP list. You may also exclude hosts with the --exclude <hostname(s)> switch.

Host discovery

From a wide range of hosts to be scanned, you will probably be interested in finding specific hosts, depending on the reason for the scan. Nmap has various host-discovery techniques; some of the important ones are:

-sL, which will list the hosts to be scanned, but won't perform an actual scan.
-PS, which will perform a TCP SYN scan by sending a SYN packet to the destination host, by default, on port 80. If an RST is received, it indicates a closed port. No reply indicates a filtered port, and an ACK response indicates an open port.

Similarly, -PA (ACK ping), -PR (ARP ping) and -PU (UDP ping) are also available. While scanning internal networks, in particular, the -n option, which disables the DNS resolution of IP addresses, may come in handy.

Scan techniques

Nmap supports various scan techniques: -sS for a SYN scan; -sP for a ping scan; -sU for a UDP scan; -b for an FTP Bounce scan; and -sI for an idle scan, using a zombie host.

Port specifications

By default, Nmap scans the 1,000 most common service ports. The --top-ports n switch overrides this default setting with n. The -F switch reduces the most common scanned ports to 100. The following option is very useful if only predetermined ports are required to be scanned: -p U:portnumbers,T:portnumbers
Service/version detection

When services are running on non-standard ports, a version detection scan (-sV) on that particular port may provide an excellent option to detect what service it is. To run this scan on all ports, use --allports.

Script scan

As mentioned on nmap.org, NSE is Nmap's most powerful and flexible feature. Users can write scripts in the Lua programming language for automated scanning. Nmap version 5.50 has 177 ready-made NSE scripts in various categories, including discovery, DoS exploits, version-detection and a few more. Some of the intrusive category scripts may crash the target system or use up significant resources on the host.

Operating system detection

The -O option does operating system fingerprinting. Nmap version 5.50 has 2,982 OS fingerprints and 7,319 version-detection signatures.

Timings

Though often neglected, adjusting scan time is very important in effective network scanning. Consider two scenarios:

When scanning a large number of hosts, fine-tuning scan timing is essential. For example, scanning a Class B IP address range (up to 65,535 addresses) may require significant time. The possible options to use here are: --min-rtt-timeout, --max-rtt-timeout and --host-timeout.

To scan devices deployed with IDS/IPS, only a few probes may be allowed in a certain interval; --scan-delay may be used here.

Firewall/IDS evasion and spoofing

-f does fragmentation; -D ip_list sets up decoy hosts. -S ip_addresses does spoofing of source IP address, while --source-port portnumber spoofs source port numbers.

Output

Three basic output options are available: -oN for normal output, -oX for XML output, and -oG for greppable output. The -oA option provides output in all the above formats. One more important option is verbosity. While a scan is running, you may press v to increase verbosity and V (Shift+v) to decrease it.

Miscellaneous

The most important is -6, which enables IPv6 scanning. Nmap uses various files to store its default options. Users may edit these files to fine-tune options for individual scanning requirements.

From the exhaustive list above, a few options that come in really handy while scanning networks are shown in Table 2.

Table 2: Interesting Nmap options (option, followed by its description)

-sC smb-users-enum and -sC smb-shares-enum: Really handy for scanning SMB networks, these options respectively return a list of users, and a list of shares detected in the specified host range.
-O: Detects operating systems even of various networking devices.
-A: Runs a standard scan, including OS version detection.
-T4: Speeds up the scan; especially useful in quickly scanning a range of IP addresses.
-PN (or -P0): Ping response is disabled on a few hosts to be scanned. This option assumes the hosts are up/online.
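For auditing, the XML output option (-oX) from Table 1 matters most because results from repeated scans can be compared by a program. The following is an added example, not code from the original article or from the Nmap project: it reports ports that became open or stopped being open between two scans, a reduced form of what a result-comparison tool does. Both XML documents are constructed samples in the shape of -oX output, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like Nmap -oX output (trimmed to the elements
# used here); addresses come from the documentation range 192.0.2.0/24.
BASELINE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host>
</nmaprun>"""

CURRENT_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host>
</nmaprun>"""

def open_ports(xml_text):
    """Return {(addr, protocol, port): service} for every port reported open."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        # A host may also carry a MAC address element; use the IP address.
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") != "mac"), None)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skips closed, filtered and open|filtered
            svc = port.find("service")
            key = (addr, port.get("protocol"), int(port.get("portid")))
            found[key] = svc.get("name") if svc is not None else "unknown"
    return found

def diff_scans(old_xml, new_xml):
    """Compare two scans; return (newly_open, no_longer_open) as sorted lists."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    opened = sorted((k, new[k]) for k in new.keys() - old.keys())
    closed = sorted((k, old[k]) for k in old.keys() - new.keys())
    return opened, closed

if __name__ == "__main__":
    opened, closed = diff_scans(BASELINE_XML, CURRENT_XML)
    for label, items in (("NEW ", opened), ("GONE", closed)):
        for (addr, proto, port), svc in items:
            print(f"{label} {addr} {port}/{proto} {svc}")
```

The ambiguous open|filtered state is deliberately not counted as open, so a UDP port that merely failed to answer does not raise a change report.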

Other tools
The Nmap team is also developing some other very interesting tools, some of which follow:

ncrack: Network authentication cracking tool; includes support for cracking RDP, SSH, HTTP, HTTPS, SMB, POP3, POP3S, FTP, and telnet.
ncat: Reads and writes data across networks from the command line (similar to netcat).
zenmap: GUI for Nmap.
ndiff: Compares and shows differences in two Nmap scan result files.
nping: Network packet generation, response analysis and response time measurement tool. Includes echo mode, debugging with sent/received packets, captured packets on the server, etc.
rainmap: An online scanning service.

With this, I conclude this series on Nmap.

References
Nmap Network Scanning, book by Gordon "Fyodor" Lyon
Various Nmap site links: Homepage, Download, NSE Documentation, Rainmap Documentation
The Lua programming language (used for NSE programming)
insecure.org

Article written by:


Rajesh Deodhar
The author is BE (Industrial Electronics), CISA (Certified Information Systems Auditor) and DCL (Diploma in Cyber Law). He has more than 15 years of experience in the field of computer hardware, networking, firewalls and IS auditing. He is a director at Omega Systems and Services, Pune.
