Nmap: Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, and what operating systems (and OS versions) they are running. It was designed to rapidly scan large networks, but works fine against single hosts.
Various TCP/IP protocols
- Application layer : FTP, HTTP, SNMP, BOOTP, DHCP
- Transport layer : TCP, UDP, ICMP, IGMP
- Network layer : ARP, IP, RARP
- Data link layer : SLIP, PPP
UDP and TCP
UDP is a connection-less protocol that does not assure the delivery of packets at the other end. However, that does not mean it is an unreliable protocol; higher-level applications must take care to verify that data has been received at the other end. This practice has its own uses, like with live audio/video transfers, where real-time delivery is a must.
TCP is a connection-oriented protocol, which assures delivery of packets. ICMP packets are used to convey error messages, if any. The TCP three-way handshake is used to establish and reset connections, and this concept is key to understanding the various Nmap scan types. In the TCP three-way handshake:
1. A “client” initiates communication with a SYN (Synchronise) packet carrying a randomly generated number, X.
2. The server acknowledges with a SYN-ACK (Acknowledgement) carrying X+1 and its own randomly generated number, Y.
3. The client again sends an ACK, carrying Y+1, thus completing the handshake. Now the client and server can start data transfer.
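The three steps above, as an added toy model (not code from the original page): a Server that answers SYNs with SYN-ACKs and only promotes a half-open entry to an established connection when the final ACK acknowledges Y+1, and a Client that only answers a SYN-ACK acknowledging X+1. Nothing is sent on a network; the Server, Client and Segment names and the two probe helpers are assumptions made for this example. The two probe helpers preview the difference between a full handshake and a SYN-only probe that the scan-type descriptions below rely on.

```python
"""Toy model of the TCP three-way handshake described above.

Added example, not part of the original text: it exchanges only SYN, SYN-ACK
and ACK with the sequence numbers X and Y from the steps above. Nothing is
sent on a network; Server, Client and Segment are hypothetical names.
"""
import random

SYN, ACK = "SYN", "ACK"


class Segment:
    """One TCP segment reduced to its flags, sequence and acknowledgement numbers."""

    def __init__(self, flags, seq, ack=None):
        self.flags = frozenset(flags)
        self.seq = seq
        self.ack = ack


class Server:
    """Listening side: tracks half-open (SYN-RECEIVED) and established sockets."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.half_open = {}      # client X -> our Y, waiting for the final ACK
        self.established = []    # (X, Y) pairs whose handshake completed

    def receive(self, seg):
        # Step 2: a SYN carrying X is answered with SYN-ACK (ack X+1, seq Y).
        if seg.flags == {SYN}:
            y = self.rng.randrange(2**32)
            self.half_open[seg.seq] = y
            return Segment({SYN, ACK}, seq=y, ack=seg.seq + 1)
        # Step 3: the ACK must acknowledge Y+1 for a SYN we actually answered.
        if seg.flags == {ACK}:
            x = seg.seq - 1              # the client's ACK carries seq X+1
            y = self.half_open.get(x)
            if y is not None and seg.ack == y + 1:
                del self.half_open[x]
                self.established.append((x, y))
        return None                      # nothing else is modelled

    def reap(self):
        """Timeout: drop half-open entries the peer never completed; returns count."""
        n = len(self.half_open)
        self.half_open.clear()
        return n


class Client:
    def __init__(self, seed=None):
        self.x = random.Random(seed).randrange(2**32)

    def syn(self):
        # Step 1: SYN with a randomly generated X.
        return Segment({SYN}, seq=self.x)

    def ack_for(self, synack):
        # Only answer a SYN-ACK that acknowledges our X+1.
        if synack.flags == {SYN, ACK} and synack.ack == self.x + 1:
            return Segment({ACK}, seq=self.x + 1, ack=synack.seq + 1)
        raise ValueError("unexpected reply to SYN")


def connect_scan_probe(server, seed=None):
    """Full handshake, as a Connect scan does; leaves an established socket."""
    c = Client(seed)
    synack = server.receive(c.syn())
    server.receive(c.ack_for(synack))
    return synack is not None


def syn_scan_probe(server, seed=None):
    """SYN scan: the SYN-ACK alone proves the port is open; the ACK is never sent."""
    c = Client(seed)
    synack = server.receive(c.syn())
    return synack is not None and SYN in synack.flags


if __name__ == "__main__":
    s = Server(seed=0)
    print("connect probe saw open port:", connect_scan_probe(s, seed=1))
    print("syn probe saw open port:", syn_scan_probe(s, seed=2))
    print("established:", len(s.established), "half-open:", len(s.half_open))
    print("half-open sockets reaped on timeout:", s.reap())
```

The `reap()` method stands in for the server's SYN-RECEIVED timeout: after a SYN-only probe the entry sits in `half_open` until that timeout fires, which is exactly the "half socket" the SYN scan description below refers to.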
NMAP Scan Types:
SYN scan (-sS): This is the default scan and is good for most purposes. It is quieter than a TCP Connect scan, that is, it won’t show up on most simple logs. It works by sending a single TCP SYN packet to each possible port. If it gets a SYN-ACK packet back, then Nmap knows there is a service running there. If it doesn’t get a response, it assumes the port is closed. The SYN scan does not complete the TCP handshake by sending an ACK back to the machine; as far as the scanned host is concerned, it never sees a valid connection. However, the remote system will hold this “half socket” open until it times out from not receiving a response.
Connect scan (-sT): This works much like the SYN scan, except it completes the full TCP handshake and makes a full connection. This scan is not only noisy but also puts more load on the machines being scanned and on the network. However, if stealth or bandwidth is not an issue, a Connect scan is sometimes more accurate than the SYN scan. Also, if you don’t have administrator or root privileges on the Nmap machine, you won’t be able to run anything other than a Connect scan, because the specially crafted packets for the other scans require low-level OS access.
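From the defender's side, the difference between the two scans above is what ends up in the logs: a Connect scan completes handshakes and therefore appears in application and connection logs, while a SYN scan only shows up where individual packets or flags are recorded (a firewall or packet-level log). The following added example (not code from the original page) runs over constructed packet-log lines in a hypothetical `src=... dst=... dport=... flags=...` format, where the flags are those set by `src`, and flags a source that sent SYNs to several distinct ports; it labels the pattern `syn_scan` when the source never completed the handshake and `connect_scan` when it did. Real firewall or Zeek logs use different field names, so the regex is an assumption for this sample.

```python
"""Detect port-scan patterns in constructed connection-log lines.

Added example (not from the original page). Input format is a hypothetical
'src=... dst=... dport=... flags=...' line per packet, where flags are those
set by src; real firewall or Zeek logs differ.
"""
import re
from collections import defaultdict

LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)")

# Constructed sample: 10.0.0.5 SYN-scans six ports on 10.0.0.9 (no ACKs ever sent),
# 10.0.0.7 connect-scans three ports (full handshakes), 10.0.0.8 is an ordinary client.
SAMPLE_LOG = """\
src=10.0.0.5 dst=10.0.0.9 dport=22 flags=S
src=10.0.0.5 dst=10.0.0.9 dport=80 flags=S
src=10.0.0.5 dst=10.0.0.9 dport=443 flags=S
src=10.0.0.5 dst=10.0.0.9 dport=3389 flags=S
src=10.0.0.5 dst=10.0.0.9 dport=8080 flags=S
src=10.0.0.5 dst=10.0.0.9 dport=25 flags=S
src=10.0.0.7 dst=10.0.0.9 dport=22 flags=S
src=10.0.0.7 dst=10.0.0.9 dport=22 flags=A
src=10.0.0.7 dst=10.0.0.9 dport=80 flags=S
src=10.0.0.7 dst=10.0.0.9 dport=80 flags=A
src=10.0.0.7 dst=10.0.0.9 dport=443 flags=S
src=10.0.0.7 dst=10.0.0.9 dport=443 flags=A
src=10.0.0.8 dst=10.0.0.9 dport=443 flags=S
src=10.0.0.8 dst=10.0.0.9 dport=443 flags=A
src=10.0.0.8 dst=10.0.0.9 dport=443 flags=PA
"""


def summarize(lines):
    """Per (src, dst): ports that received a bare SYN, and ports where src later ACKed."""
    syn_ports = defaultdict(set)
    ack_ports = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                   # skip lines that are not in the sample format
        src, dst, dport, flags = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        key = (src, dst)
        if flags == "S":               # bare SYN from src: a connection attempt
            syn_ports[key].add(dport)
        elif "A" in flags:             # any ACK from src: the handshake completed
            ack_ports[key].add(dport)
    return syn_ports, ack_ports


def find_scanners(lines, min_ports=3):
    """Return {src: (dst, kind, distinct_ports)} for sources probing >= min_ports ports."""
    syn_ports, ack_ports = summarize(lines)
    alerts = {}
    for (src, dst), ports in syn_ports.items():
        if len(ports) < min_ports:
            continue
        completed = len(ports & ack_ports[(src, dst)])
        # Half-open pattern: SYNs to many ports with (almost) none followed by an ACK.
        kind = "syn_scan" if completed <= len(ports) // 2 else "connect_scan"
        alerts[src] = (dst, kind, len(ports))
    return alerts


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The threshold `min_ports=3` is deliberately low for the sample; on real traffic it should be tuned per network, and a time window per source would normally be added so that slow scans (compare the `--scan-delay` timing options below) are not missed.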
Ping sweep (-sP): This does a simple ping of all the addresses to see which ones answer to ICMP. If you don’t really care about what services are running and you just want to know which IP addresses are up, this is a lot faster than a full port scan. However, some machines may be configured not to respond to a ping (for example, machines running the Windows XP firewall) but still have services running on them, so a ping sweep is not as accurate as a full port scan.
UDP scan (-sU): This scan checks to see if there are any UDP ports listening. Since UDP does not respond with a positive acknowledgment like TCP, and only responds to an incoming UDP packet when the port is closed, this type of scan can sometimes show false positives. However, it can also reveal Trojan horses running on high UDP ports and hidden RPC services. It may be quite slow, since some machines intentionally slow down responses to this kind of traffic to avoid being overwhelmed. Machines running Windows, however, do not implement this slowdown feature, so you should be able to scan Windows hosts over UDP at normal speed.
FIN scan (-sF): This is a stealthy scan, like the SYN scan, but it sends a TCP FIN packet instead. Most but not all computers will send a RST packet back if they get this input, so the FIN scan can show false positives and negatives, but it may get under the radar of some IDS programs and other countermeasures.
NULL scan (-sN): Another very stealthy scan that sets all the TCP header flags off (null). This is not normally a valid packet, and some hosts will not know what to do with it. Windows operating systems are in this group, and scanning them with NULL scans will produce unreliable results. However, for non-Windows servers protected by a firewall, this can be a way to get through.
Xmas scan (-sX): Similar to the NULL scan, except all the flags in the TCP header are set on. Windows machines won’t respond to this due to the way their TCP stack is implemented. Xmas scans derive their name from the set of flags that are turned on within a packet: these scans are designed to manipulate the PSH, URG and FIN flags of the TCP header.
FTP bounce scan (-b): This tricky scan uses a loophole in the FTP protocol to “bounce” the scan packets off an FTP server and onto an internal network that would normally not be accessible. If you have the IP address of an FTP server that is attached to the local LAN, you may be able to breach the firewall and scan internal machines. It’s a good idea to test whether your network is vulnerable to this exploit. Most current FTP servers have fixed this security hole. Note: you must input a valid FTP server that has access to the network, in addition to the IP addresses to be scanned.
RPC scan: This special type of scan looks for machines answering to RPC (Remote Procedure Call) services. RPC, which allows remote commands to be run on the machine under certain conditions, can be a dangerous service. Since RPC services can run on many different ports, it is hard to tell from a normal scan which ones might be running RPC. This scan will probe the ports found open on a machine with commands that reveal the program name and version if RPC is running. It’s not a bad idea to run one of these scans every so often just to find out if and where you have these services running.
Window scan (-sW): This scan relies on an anomaly in the responses to ACK packets in some operating systems to reveal ports that are supposed to be filtered. Operating systems that are known to be vulnerable to this kind of scan include some versions of AIX, Amiga, BeOS, BSDI, Cray, DG/UX, Digital UNIX, FreeBSD, HP/UX, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, OpenVMS, OS/2, QNX, Rhapsody, SunOS 4.X, Tru64 UNIX, Ultrix, VAX, and VxWorks.
Idle scan (-sI): This type of scan is a new feature in Nmap version 3.0. It is a super stealthy method whereby the scan packets are bounced off an external host. You don’t need to have control over the other host, but it does have to be set up in a way that meets certain requirements. You must input the IP address of your “zombie” host and the port number to use. It is one of the more controversial options in Nmap, since it really only has a use for malicious attacks.
NMAP CHEAT SHEET (Nmap Commands)
nmap -sP 10.0.0.0/24
Ping scans the network, listing machines that respond to ping.
nmap -p 1-65535 -sV -sS -T4 target
Full TCP port scan with service version detection. Usually my first scan; I find T4 more accurate than T5 and still “pretty quick”.
nmap -v -sS -A -T4 target
Prints verbose output, runs a stealth SYN scan with T4 timing, OS and version detection, plus traceroute and scripts against target services.
nmap -v -sS -A -T5 target
Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection, plus traceroute and scripts against target services.
nmap -v -sV -O -sS -T5 target
Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection.
nmap -v -p 1-65535 -sV -O -sS -T4 target
Prints verbose output, runs a stealth SYN scan with T4 timing, OS and version detection, over the full port range.
nmap -v -p 1-65535 -sV -O -sS -T5 target
Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection, over the full port range.
Nmap scan from file
nmap -iL ip-addresses.txt
Scans a list of IP addresses read from the file; you can add other options before or after -iL.
Nmap Output Formats
nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24
Writes “grepable” output to a file, in this example for NetBIOS servers. The output file can then be grepped for “open”, for instance.
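Grepping a -oG file for “open” works for a quick look, but the format is regular enough to parse properly: each line is a tab-separated list of “Label: value” fields, and the Ports field holds comma-separated entries of the form port/state/protocol/owner/service/rpcinfo/version/. The parser below is an added example, not code from the original page; its sample text is constructed to look like the output of the command above and the names `parse_grepable` and `hosts_with_open_port` are this example's own.

```python
"""Parse Nmap grepable (-oG) output into {host: [(port, proto, service, version)]}.

Added example, not part of the original page. SAMPLE_OG is constructed to
resemble -oG output of 'nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24';
it is not a real scan.
"""
import re

SAMPLE_OG = """\
# Nmap 7.94 scan initiated Wed May  1 10:00:00 2024 as: nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24
Host: 10.0.1.5 ()\tStatus: Up
Host: 10.0.1.5 ()\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (0)
Host: 10.0.1.6 ()\tStatus: Up
Host: 10.0.1.6 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
# Nmap done at Wed May  1 10:00:12 2024 -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text, wanted_state="open"):
    """Return {ip: [(port, proto, service, version), ...]} for ports in wanted_state."""
    result = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue                          # scan header/footer comment lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        result.setdefault(ip, [])             # record the host even if no port matches
        # Fields are tab-separated "Label: value" pairs; pick out the Ports field.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports_field = fields.get("Ports")
        if not ports_field:
            continue                          # the "Status: Up" line has no ports
        for entry in ports_field.split(", "):
            # port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state == wanted_state:
                result[ip].append((int(port), proto, service, version))
    return result


def hosts_with_open_port(text, port):
    """Which hosts expose `port` (e.g. 445 for SMB)? Sorted list of IPs."""
    return sorted(ip for ip, ports in parse_grepable(text).items()
                  if any(p == port for p, *_ in ports))


if __name__ == "__main__":
    for ip, ports in parse_grepable(SAMPLE_OG).items():
        print(ip, ports)
    print("SMB hosts:", hosts_with_open_port(SAMPLE_OG, 445))
```

Passing `wanted_state="filtered"` instead of the default lists the ports a firewall is silently dropping, which is often the more interesting inventory question for a defender.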
nmap -sV -v -p 139,445 10.0.0.1/24
Find all NetBIOS servers on the subnet.
nmap -sU --script nbstat.nse -p 137 target
Display the NetBIOS name of the target.
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target
Check whether NetBIOS/SMB servers are vulnerable to MS08-067.
Target Specification
-iL inputfilename = Input from list of hosts/networks
-iR num_hosts = Choose random targets
--exclude host1[,host2][,host3],... = Exclude hosts/networks
--excludefile exclude_file = Exclude list from file
Host Discovery
-sL = List Scan: simply list targets to scan
-sn (older releases: -sP) = Ping Scan: disable port scan
-Pn = Treat all hosts as online, skip host discovery
-PS/-PA/-PU/-PY[portlist] = TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/-PP/-PM = ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list] = IP Protocol Ping
-n/-R = Never do DNS resolution/Always resolve [default: sometimes]
Scan Techniques
-sS = TCP SYN scan
-sT = Connect scan
-sA = ACK scan
-sW = Window scan
-sM = Maimon scan
-sU = UDP scan
-sN = TCP Null scan
-sF = FIN scan
-sX = Xmas scan
--scanflags FLAGS = Customize TCP scan flags
-sI zombie host[:probeport] = Idle scan
-sY = SCTP INIT scan
-sZ = COOKIE-ECHO scan
-sO = IP protocol scan
-b "FTP relay host" = FTP bounce scan
Port Specification and Scan Order
-p = Specify ports, e.g. -p80,443 or -p1-65535
-p U:PORT = Scan UDP ports, e.g. -p U:53
-F = Fast mode, scans fewer ports than the default scan
-r = Scan ports consecutively, don't randomize
--top-ports "number" = Scan the "number" most common ports
--port-ratio "ratio" = Scan ports more common than "ratio"
Service Version Detection
-sV = Probe open ports to determine service/version info
--version-intensity "level" = Set from 0 (light) to 9 (try all probes)
--version-light = Limit to most likely probes (intensity 2)
--version-all = Try every single probe (intensity 9)
--version-trace = Show detailed version scan activity (for debugging)
Script Scan
-sC = equivalent to --script=default
--script="Lua scripts" = "Lua scripts" is a comma-separated list of directories, script files or script categories
--script-args=n1=v1,[n2=v2,...] = Provide arguments to scripts
--script-args-file=filename = Provide NSE script args in a file
--script-trace = Show all data sent and received
--script-updatedb = Update script database
--script-help="Lua scripts" = Show help about scripts
OS Detection
-O = Enable OS detection
--osscan-limit = Limit OS detection to promising targets
--osscan-guess = Guess OS more aggressively
Timing and Performance
Options which take TIME are in seconds, or append ‘ms’ (milliseconds), ‘s’ (seconds), ‘m’ (minutes), or ‘h’ (hours) to the value (e.g. 30m).
-T0-5 = Set timing template (higher is faster, less accurate)
--min-hostgroup SIZE / --max-hostgroup SIZE = Parallel host scan group sizes
--min-parallelism NUMPROBES / --max-parallelism NUMPROBES = Probe parallelization
--min-rtt-timeout TIME / --max-rtt-timeout TIME / --initial-rtt-timeout TIME = Specifies probe round trip time
--max-retries TRIES = Caps number of port scan probe retransmissions
--host-timeout TIME = Give up on target after this long
--scan-delay TIME / --max-scan-delay TIME = Adjust delay between probes
--min-rate NUMBER = Send packets no slower than NUMBER per second
--max-rate NUMBER = Send packets no faster than NUMBER per second
Firewall/IDS Evasion and Spoofing
-f; --mtu VALUE = Fragment packets (optionally with the given MTU)
-D decoy1,decoy2,ME = Cloak a scan with decoys
-S IP-ADDRESS = Spoof source address
-e IFACE = Use specified interface
--ip-options OPTIONS = Send packets with specified IP options
--ttl VALUE = Set IP time-to-live field
--spoof-mac ADDR/PREFIX/VENDOR = Spoof Nmap MAC address
--badsum = Send packets with a bogus TCP/UDP/SCTP checksum
Nmap Output Options
-oN FILE = Normal output
-oX FILE = XML output
-oS FILE = Script kiddie / 1337-speak output... sigh
-oG FILE = Greppable output (easy to grep Nmap output)
-oA BASENAME = Output in the three major formats at once
-v = Increase verbosity level (use -vv or more for greater effect)
-d = Increase debugging level (use -dd or more for greater effect)
--reason = Display the reason a port is in a particular state
--open = Only show open (or possibly open) ports
--packet-trace = Show all packets sent and received
--iflist = Print host interfaces and routes (for debugging)
--log-errors = Log errors/warnings to the normal-format output file
--append-output = Append to rather than clobber specified output files
--resume FILENAME = Resume an aborted scan
--stylesheet PATH/URL = XSL stylesheet to transform XML output to HTML
--webxml = Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet = Prevent associating an XSL stylesheet with XML output
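The XML output (-oX) is the format to use when Nmap is run for the inventory and uptime-monitoring tasks mentioned at the top of the page, because it can be parsed reliably and compared across runs. The example below is added here and is not code from the original page or from the Nmap project: it reads two XML documents constructed to mimic -oX output (a baseline and a later scan), extracts the open ports of hosts that were up, and reports what newly opened and what is no longer open. The function names and the sample documents are this example's own assumptions; only the element and attribute names (`host`, `status`, `address`, `ports/port`, `state`, `service`) follow Nmap's XML format.

```python
"""Compare two Nmap XML (-oX) scans and report ports that opened or closed.

Added example, not part of the original page. BASELINE_XML and TODAY_XML are
constructed to mimic -oX output; they are not real scans.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 10.0.1.0/24">
  <host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.1.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
</nmaprun>
"""

TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX today.xml 10.0.1.0/24">
  <host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.0.1.6" addrtype="ipv4"/></host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {ip: {(proto, port, service), ...}}; hosts that are down get an empty set."""
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        inventory[ip] = set()
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue          # keep the host with an empty set so "went down" is visible
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            inventory[ip].add((port.get("protocol"), int(port.get("portid")), name))
    return inventory


def diff_scans(baseline_xml, current_xml):
    """Return (newly_open, no_longer_open) as sorted lists of (ip, proto, port, service)."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    newly_open, gone = [], []
    for ip in set(before) | set(after):
        b, a = before.get(ip, set()), after.get(ip, set())
        newly_open += [(ip, *p) for p in a - b]
        gone += [(ip, *p) for p in b - a]
    return sorted(newly_open), sorted(gone)


if __name__ == "__main__":
    opened, closed = diff_scans(BASELINE_XML, TODAY_XML)
    print("newly open:", opened)
    print("no longer open:", closed)
```

Run against real files, the two string constants would be replaced by the contents of the -oX output of a scheduled baseline scan and the current one; a newly open port on a host is the kind of change worth an alert, while a host whose every port disappeared is usually a host that went down rather than one that was hardened.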
Nmap Enumeration Examples
nmap -sV -v -p 139,445 10.0.1.0/24
nmap -sU --script nbstat.nse -p 137 10.0.1.12
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445
Nmap Target Scan
Scan a single IP = nmap 192.168.1.1
Scan a host = nmap www.testhostname.com
Scan a range of IPs = nmap 192.168.1.1-20
Scan a subnet = nmap 192.168.1.0/24
Scan targets from a text file = nmap -iL list-of-ips.txt
Nmap Port Selection
Scan a single port = nmap -p 22 192.168.1.1
Scan a range of ports = nmap -p 1-100 192.168.1.1
Scan the 100 most common ports (fast) = nmap -F 192.168.1.1
Scan all 65535 ports = nmap -p- 192.168.1.1
Nmap Port Scan types
Scan using TCP connect = nmap -sT 192.168.1.1
Scan using TCP SYN scan (default) = nmap -sS 192.168.1.1
Scan UDP ports = nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports, skipping host discovery = nmap -Pn -F 192.168.1.1
Privileged access is required to perform the default SYN scan. If privileges are insufficient, a TCP connect scan is used instead. A TCP connect scan requires a full TCP connection to be established for each port and is therefore slower. Skipping host discovery is often required, as many firewalls or hosts will not respond to ping and would be missed unless you select the -Pn parameter. Of course, this can make scan times much longer, as you could end up sending scan probes to hosts that are not there.
Service and OS Detection
Detect OS and Services = nmap -A 192.168.1.1
Standard service detection = nmap -sV 192.168.1.1
More aggressive service detection = nmap -sV --version-intensity 5 192.168.1.1
Lighter banner-grabbing detection = nmap -sV --version-intensity 0 192.168.1.1
Service detection and OS detection rely on different methods to determine the operating system or the service running on a particular port. More aggressive service detection is often helpful if there are services running on unusual ports. On the other hand, the lighter version is much faster, as it does not really attempt to identify the service and simply grabs the banner of the open port.
Digging deeper with NSE Scripts
Scan using default safe scripts = nmap -sV -sC 192.168.1.1
Get help for a script = nmap --script-help=ssl-heartbleed
Scan using a specific NSE script = nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts = nmap -sV --script="smb*" 192.168.1.1 (quote the wildcard so the shell does not expand it)
According to my Nmap install there are currently 471 NSE scripts. The scripts are able to perform a wide range of security related testing and discovery functions.
The option --script-help=$scriptname will display help for an individual script. To get a quick list of the installed scripts, try: locate nse | grep script