Using NMap

Using NMap – Various Scan Types and ways to use NMap

**Always make sure you have appropriate documented permission from the organization to scan and that you have the appropriate network access. Jobs have been lost because organizations have been caught unaware and labeled scanning as “rogue” when appropriate permissions were not in place.**

Now let's get to the syntax of some basic scan types in Nmap.

You must ensure that the directory that contains the nmap binary or Windows executable is in your $PATH or that you are in the directory where Nmap is installed.

1) Running nmap with no parameters causes the following usage information to display on the screen:

# nmap

Nmap 4.50 (http://insecure.org)
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
... etc

You can use this command to check whether Nmap has been properly installed on the system.


2) To scan a single target using the default options:

# nmap 192.168.100.2

Starting Nmap 4.50 (http://insecure.org) at 2010-12-22 09:56 EST
Interesting ports on 192.168.100.2:
Not shown: 1705 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
3389/tcp open ms-term-serv
6346/tcp filtered gnutella
6347/tcp filtered gnutella2
8081/tcp open blackice-icecap
MAC Address: 00:12:F0:D3:BF:74 (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 4.837 seconds

When no other options are given, Nmap performs host discovery and then performs a SYN port scan against each active target. Nmap also performs ARP discovery by default against targets on the local Ethernet network.


3) The -A command-line option performs OS and version detection, script scanning, and tracerouting, all in addition to the default port scan.

# nmap -A 192.168.2.3

Starting Nmap 4.50 (http://insecure.org) at 2010-12-28 11:45 EST
Interesting ports on 192.168.2.3:
Not shown: 1705 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
3389/tcp open microsoft-rdp Microsoft Terminal Service
6346/tcp filtered gnutella
6347/tcp filtered gnutella2
8081/tcp open http Network Associates ePolicy Orchestrator
(Computername: LT-A020479 Version: 3.6.0.453)
|_ HTML title: Site doesn’t have a title.
Service Info: OS: Windows
Host script results:
|_ NBSTAT: NetBIOS name: LT-A020479, NetBIOS MAC: 00:11:25:D6:DA:43
Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/.
Nmap done: 1 IP address (1 host up) scanned in 1710.661 seconds


4) Defining targets

  • a)  To scan the entire 192.168.11.0 Class C network, along with selected systems from 192.168.100.0 using octet ranges, and a single host using the DNS name yourhost.abc.com, you could use the following command:

# nmap 192.168.11.0/24 192.168.100.10-15 yourhost.abc.com

  • b) We can also specify selected octet ranges using a comma-separated list. For example, to scan the hosts 192.168.15.10, 192.168.15.20, 192.168.20.10, 192.168.20.20, 192.168.35.10, 192.168.35.20, 192.168.36.10 and 192.168.36.20, use the following command:

# nmap 192.168.15,20,35-36.10,20

  • c) The exclude list. If you want to scan your public-facing subnet or demilitarized zone (DMZ) to look for rogue hosts, but you don’t want to scan your known Web, DNS, and mail servers, you could use the following command:

# nmap -sP --exclude webserver.company.com,dnsserver.company.com,mail.company.com 192.168.120.0/24

On the command line the excluded hosts are comma separated; in an input or exclude file the targets must be tab, space, or newline delimited.

  • d) Target specification from an input file and excluded targets from an exclude file

# nmap -sV -iL windows_servers_list.txt

where -sV enables service version detection and windows_servers_list.txt holds the list of your known Windows servers from your asset database.
To use an exclude file of known IP addresses from your IP asset database, use the following command:

# nmap --excludefile ip_database.txt 192.168.0.0/16

Brief Note :-

-iL <filename>                            Specify an input file with a list of tab-, space-, or newline-delimited targets.
-iR <number of targets>                   Scan a specified number of random targets.
--exclude <host1[,host2][,host3],...>     Specify comma-separated targets to not scan.
--excludefile <filename>                  Specify an input file with a list of tab-, space-, or newline-delimited targets to not scan.
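As an added example (not code from the original page), the following Python script expands Nmap's target notation from this section (CIDR, comma and dash octet ranges, hostnames) and applies --exclude and --excludefile semantics, so the resulting host list can be compared with an asset inventory before the scan is run. The sample targets and inventory are constructed here; hostnames are passed through unresolved.

```python
import ipaddress
import re


def _expand_octet(field):
    """Expand one octet field such as '15,20,35-36' into a sorted list of ints.
    A missing range end follows Nmap's rule: '-5' means 0-5 and '250-' means 250-255."""
    values = set()
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            values.update(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.add(int(part))
    if any(v > 255 for v in values):
        raise ValueError(f"octet out of range in {field!r}")
    return sorted(values)


def expand_target(spec):
    """Expand one Nmap target spec (CIDR, octet ranges, or hostname) into a list of strings.
    Hostnames are returned as-is (no DNS lookup), so this runs offline."""
    if "/" in spec:                                    # 192.168.11.0/24
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    if spec.count(".") == 3 and re.fullmatch(r"[0-9,.-]+", spec):
        octets = [_expand_octet(f) for f in spec.split(".")]   # 192.168.15,20,35-36.10,20
        return [f"{a}.{b}.{c}.{d}" for a in octets[0] for b in octets[1]
                for c in octets[2] for d in octets[3]]
    return [spec]                                      # yourhost.abc.com


def build_scope(targets, excludes=(), exclude_file_text=""):
    """Apply --exclude (comma-separated list) and --excludefile (tab/space/newline-delimited
    file contents) and return the sorted list of hosts that would actually be scanned."""
    excluded = set()
    for item in list(excludes) + exclude_file_text.split():
        excluded.update(expand_target(item))
    scope = set()
    for target in targets:
        scope.update(expand_target(target))
    return sorted(scope - excluded)


def out_of_inventory(scope, inventory):
    """Pre-flight check: hosts in the computed scope that are not in the authorised inventory."""
    known = set(inventory)
    return [host for host in scope if host not in known]
```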


5)  The simplest way to perform host discovery is to perform a ping scan:

# nmap -sP 192.168.12.0/24

Starting Nmap 4.50 (http://insecure.org) at 2010-12-28 11:40 EST
Host 192.168.12.1 appears to be up.
Host 192.168.12.3 appears to be up.
Host 192.168.12.4 appears to be up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 1.281 seconds


6) Ping/Scan Types

-PE – The ICMP type 8 echo request expects an ICMP type 0 echo reply from an active host.
-PP – The ICMP type 13 timestamp request expects a type 14 timestamp reply from an active host.
-PM – The ICMP type 17 address mask request expects a type 18 address mask reply from an active host.
-PS – The TCP SYN ping creates a packet with the SYN flag set and sends it to specified ports on the target.
-PA – The TCP ACK ping; Nmap creates and sends a packet with the ACK flag set. If the target responds with a RST packet it is active.
-PU – The UDP ping is similar to the TCP SYN and ACK pings, but in this case Nmap creates and sends a UDP packet.
-P0 (zero) – Used to disable ping scanning.


7) The -sL option prints a list of potential targets and their DNS names. This option is passive in the sense that it does not send any packets to the targets, but it does perform a DNS name lookup for each host. The output below is truncated.

# nmap -sL 192.168.110.0/24

Starting Nmap 4.50 (http://insecure.org) at 2010-12-22 11:53 EST
Host 192.168.100.0 not scanned
Host switch.abc.com (192.168.110.1) not scanned
Host serverA.abc.com (192.168.110.2) not scanned
Host serverB.abc.com (192.168.110.3) not scanned
Host system.abc.com (192.168.110.4) not scanned
Host 192.168.110.5 not scanned


8) Port scan:-

  • -sS :- TCP SYN. SYN scanning is quick and provides reliable results for open, closed, and filtered ports.

# nmap -sS 192.168.4.3

Starting Nmap 4.50 (http://insecure.org) at 2010-12-28 09:46 Eastern Standard Time
Interesting ports on 192.168.4.3:
Not shown: 1707 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
3389/tcp open ms-term-serv
8081/tcp open blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 26.248 seconds

  • -sT :- If a user doesn’t have root or administrator privileges, Nmap will perform the TCP connect scan (-sT). TCP connect scans are more likely to be logged, since they complete a full TCP connection.

# nmap -sT 192.168.3.3

Starting Nmap 4.50 (http://insecure.org) at 2010-12-28 09:52 Eastern Standard Time
Interesting ports on 192.168.3.3:
Not shown: 1704 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
3389/tcp open ms-term-serv
8081/tcp open blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 365.014 seconds

  • -sU :- The Nmap UDP scan sends an empty UDP header to the target port. The target responds with an ICMP port unreachable error if the port is closed.

# nmap -sU 192.168.120.4

Starting Nmap 4.50 (http://insecure.org) at 2010-12-28 10:15 Eastern Standard Time
Interesting ports on 192.168.120.4:
Not shown: 1483 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
259/udp open|filtered firewall1-rdp
427/udp open|filtered svrloc
631/udp open|filtered unknown
5353/udp open|filtered zeroconf
MAC Address: 00:30:65:0D:28:32 (Apple Computer)
Nmap done: 1 IP address (1 host up) scanned in 56.742 seconds

  • -sO :- Nmap provides the ability to analyze IP protocols with the IP protocol scan (-sO).

# nmap -sO 192.168.22.3

Starting Nmap 4.50 (http://insecure.org) at 2007-12-28 12:24 EST
Interesting protocols on 192.168.22.3:
Not shown: 250 closed protocols
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open|filtered tcp
17 open udp
47 open|filtered gre
50 open|filtered esp
MAC Address: 00:11:25:D6:DA:C7 (IBM)
Nmap done: 1 IP address (1 host up) scanned in 1.649 seconds


9) Advanced Port Scans

-sN TCP Null scan
-sF TCP FIN scan
-sX Xmas scan
-sA TCP ACK scan
-sW TCP Window scan
-sI Idle scan; the idle scan allows you to specify another system to use in the scanning, known as a zombie host.


10) Defining Ports

  • To specify ports, use the -p <port range> command-line option. The port range parameter can be a single port or a range of ports. To scan for hosts with port 80 you could use the following:

# nmap -p 80 192.168.10.0/24

Starting Nmap 4.50 (http://insecure.org) at 2010-12-28 12:58 Eastern Standard Time
Interesting ports on 192.168.10.1:
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:14:6C:19:F8:45 (Netgear)
Interesting ports on 192.168.10.2:
PORT STATE SERVICE
80/tcp closed http
MAC Address: 00:30:65:0D:28:29 (Apple Computer)

  • You can also specify a range of ports to scan. The following scans only ports 130 to 140:

# nmap -p 130-140 192.168.12.3

Starting Nmap 4.50 (http://insecure.org) at 2010-12-28 13:05 EST
Interesting ports on 192.168.12.3:
PORT STATE SERVICE
130/tcp closed cisco-fna
131/tcp closed cisco-tna
132/tcp closed cisco-sys
133/tcp closed statsrv
134/tcp closed ingres-net
135/tcp open msrpc
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
140/tcp closed emfis-data
MAC Address: 00:11:25:D6:DA:65 (IBM)

  • Nmap also includes notation to scan from port 1 to a specified port. The following example scans from port 1 to port 100:

# nmap -p -100 192.168.10.0/24

Nmap done: 1 IP address (1 host up) scanned in 0.158 seconds
Nmap done: 256 IP addresses (3 hosts up) scanned in 28.291 seconds

  • Keeping to similar syntax, Nmap can scan from a specified port to port 65535. The following example scans from port 60000 to port 65535:

# nmap -p 60000- 192.168.100.0/24

  • Combining the syntax allows you to scan all 65535 ports by using the following:

# nmap -p- 192.168.100.0/24

  • Nmap also supports wildcards (* and ?) in port names. The following scans the FTP port and all HTTP ports:

# nmap -p ftp,http* 192.168.130.0/24

The http* wildcard is matched against service names in the nmap-services file, so it picks up entries such as the following:

https 443/tcp # secure http (SSL)
http-alt 591/tcp # FileMaker, Inc. – HTTP Alternate
http-rpc-epmap 593/tcp # HTTP RPC Ep Map
http-alt 8000/tcp # A common alternative http port
http-proxy 8080/tcp # Common HTTP proxy/second web server port
https-alt 8443/tcp # Common alternative https port
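As an added example that is not part of the original page, this Python snippet parses the normal-output format shown in sections 8 and 10 (and the "Nmap scan report for" header that later Nmap releases print instead of "Interesting ports on") and flags every port that is not closed and not in a per-host approved baseline, which is how a scan of your own subnet turns into a list of unexpected services to investigate. The sample output and baseline are constructed from the figures on this page.

```python
import re

# Constructed sample in the normal-output format shown on this page (Nmap 4.50 era);
# newer releases print "Nmap scan report for <host>" instead of "Interesting ports on <host>:".
SAMPLE_OUTPUT = """\
Starting Nmap 4.50 (http://insecure.org) at 2010-12-28 09:52 EST
Interesting ports on 192.168.3.3:
Not shown: 1704 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
3389/tcp open ms-term-serv
8081/tcp open blackice-icecap
MAC Address: 00:11:25:D6:DA:65 (IBM)
Interesting ports on 192.168.10.2:
PORT STATE SERVICE
80/tcp closed http
123/udp open|filtered ntp
Nmap done: 256 IP addresses (2 hosts up) scanned in 28.291 seconds
"""

# Matches "Interesting ports on 1.2.3.4:", "Nmap scan report for 1.2.3.4" and the
# "Nmap scan report for name.example (1.2.3.4)" form, capturing the IP address.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (?:\S+ \()?([\d.]+)\)?:?$")
# Port table rows; the longer compound states are listed first so the alternation prefers them.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)")


def parse_nmap_output(text):
    """Return {host: [(port, proto, state, service), ...]} parsed from Nmap's normal output."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results.setdefault(host, [])
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            results[host].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def unexpected_ports(results, baseline):
    """Ports that are not closed and not in the host's approved baseline (e.g. from the asset DB).
    open|filtered UDP ports are reported too: no reply does not prove the port is closed."""
    findings = []
    for host, ports in results.items():
        allowed = baseline.get(host, set())
        for port, proto, state, service in ports:
            if state != "closed" and f"{port}/{proto}" not in allowed:
                findings.append((host, f"{port}/{proto}", state, service))
    return findings
```

Save a real scan with -oN and feed the file contents to parse_nmap_output to run the same check against live results.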


11) Detecting OS

To enable OS detection with your port scan use the -O command-line option. For example:

# nmap -O 192.168.100.2

Starting Nmap 4.50 (http://insecure.org) at 2010-01-03 21:40 EST
Interesting ports on 192.168.100.2:
Not shown: 1709 closed ports
PORT STATE SERVICE
631/tcp open ipp
1033/tcp open netinfo
Device type: general purpose
Running: Apple Mac OS X 10.4.X
OS details: Apple Mac OS X 10.4.8 – 10.4.10 (Tiger) (Darwin 8.8.0 – 8.10.2)
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/.
Nmap done: 1 IP address (1 host up) scanned in 11.844 seconds