Nmap Fundamentals

Nmap 6: Network Exploration and Security Auditing Cookbook

by Paulino Calderón Pale | November 2012 | Cookbooks Open Source

Nmap is a well-known security tool used by penetration testers and system administrators. The Nmap Scripting Engine (NSE) has added the possibility of performing additional tasks using the collected host information, such as advanced fingerprinting and service discovery, information gathering, and detection of security vulnerabilities.

In this article by Paulino Calderón Pale, author of Nmap 6: Network Exploration and Security Auditing Cookbook, we will cover:

  • Downloading Nmap from the official source code repository
  • Compiling Nmap from source code
  • Listing open ports on a remote host
  • Fingerprinting services of a remote host
  • Finding live hosts in your network
  • Scanning using specific port ranges


Nmap (Network Mapper)

Nmap (Network Mapper) is an open-source tool specialized in network exploration and security auditing, originally published by Gordon "Fyodor" Lyon. The official website (http://nmap.org) describes it as follows:

Nmap (Network Mapper) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

There are many other port scanners out there, but none of them even comes close to offering the flexibility and advanced options of Nmap.

The Nmap Scripting Engine (NSE) has revolutionized the possibilities of a port scanner by allowing users to write scripts that perform custom tasks using the host information collected by Nmap.

Additionally, the Nmap Project includes other great tools:

  • Zenmap: A graphical interface for Nmap
  • Ndiff: A tool for scan result comparison
  • Nping: An excellent tool for packet generation and traffic analysis
  • Ncrack: An Nmap-compatible tool for brute forcing network logins
  • Ncat: A debugging utility to read and write data across networks

Needless to say, it is essential that every security professional and network administrator master this tool to conduct security assessments, monitor, and administer networks efficiently.

Nmap's community is very active, and new features are added every week. I encourage you to always keep an updated copy in your arsenal, if you haven't done this already; and even better, to subscribe to the development mailing list at http://cgi.insecure.org/mailman/listinfo/nmap-dev.

Downloading Nmap from the official source code repository

This section describes how to download Nmap's source code from the official Subversion repository. By doing so, you can compile the latest version of Nmap and keep up with the daily updates that are committed to the repository.

Getting ready

Before continuing, you need a working Internet connection and access to a Subversion client. Unix-based platforms come with a command-line client called subversion (svn). To check if it's already installed on your system, open a terminal and type:

$ svn

If it tells you that the command was not found, install svn using your favorite package manager or build it from source code. The instructions for building svn from source code are out of the scope of this book, but they are widely documented online. Use your favorite search engine to find specific instructions for your system.

If you would rather work with a graphical user interface, RapidSVN is a very popular, cross-platform alternative. You can download and install RapidSVN from http://rapidsvn.tigris.org/.

How to do it...

Open your terminal and enter the following command:

$ svn co --username guest https://svn.nmap.org/nmap/

Wait until svn downloads all the files stored in the repository. As it finishes, you should see the list of added files.

When the program returns/exits, you will have Nmap's source code in your current directory.

How it works...

$ svn checkout https://svn.nmap.org/nmap/

This command downloads a copy of the remote repository located at https://svn.nmap.org/nmap/. The repository grants world read access to the latest stable build, which is what allows svn to create your local working copy.

There's more...

If you are using RapidSVN then follow these steps:

  1. Right-click on Bookmarks.
  2. Click on Checkout New Working Copy.
  3. Type https://svn.nmap.org/nmap/ in the URL field.
  4. Select your local working directory.
  5. Click on OK to start downloading your new working copy.

Experimenting with development branches

If you want to try the latest creations of the development team, there is a folder named nmap-exp that contains different experimental branches of the project. Code stored there is not guaranteed to work all the time, as the developers use it as a sandbox until it is ready to be merged into the stable branch. The full Subversion URL of this folder is https://svn.nmap.org/nmap-exp/.

Keeping your source code up-to-date

To update a previously-downloaded copy of Nmap, use the following command inside your working directory:

$ svn update

You should see the list of files that have been updated, as well as some revision information.

Compiling Nmap from source code

Precompiled packages always take time to prepare and test, causing delays between releases. If you want to stay up-to-date with the latest additions, compiling Nmap's source code is highly recommended.

This recipe describes how to compile Nmap's source code in the Unix environment.

Getting ready

Make sure the following packages are installed in your system:

  • gcc
  • openssl
  • make

Install the missing software using your favorite package manager or build it from source code.

How to do it...

  1. Open your terminal and go into the directory where Nmap's source code is stored.
  2. Configure it according to your system:

    $ ./configure

    If successful, an ASCII dragon warning you about the power of Nmap will be displayed; otherwise, lines specifying an error will be displayed.

  3. Build Nmap using the following command:

    $ make

    If you don't see any errors, you have built the latest version of Nmap successfully. You can check this by looking for the compiled binary nmap in your current directory.

    If you want to make Nmap available for all the users in the system, enter the following command:

    # make install

How it works...

We used the configure script to set up the different parameters and environment variables affecting your system and desired configuration. Afterwards, GNU make generated the binary files by compiling the source code.

There's more...

If you only need the Nmap binary, you can use the following configure directives to avoid installing Ndiff, Nping, and Zenmap:

  • Skip the installation of Ndiff by using --without-ndiff
  • Skip the installation of Zenmap by using --without-zenmap
  • Skip the installation of Nping by using --without-nping

OpenSSL development libraries

OpenSSL is optional when building Nmap. Enabling it allows Nmap to access the functions of this library related to multiprecision integers, hashing, and encoding/decoding for service detection and Nmap NSE scripts.

The name of the OpenSSL development package in Debian systems is libssl-dev.

Configure directives

There are several configure directives that can be used when building Nmap. For a complete list of directives, use the following command:

$ ./configure --help

Precompiled packages

There are several precompiled packages available online (http://nmap.org/download.html) for those who don't have access to a compiler, but unfortunately, it's very likely you will be missing features unless it's a very recent build. Nmap is continuously evolving. If you are serious about harnessing the power of Nmap, keep your local copy up-to-date with the official repository.

Listing open ports on a remote host

This recipe describes the simplest way of using Nmap to determine the port states on a remote host, a process used to identify running services that is commonly referred to as port scanning.

How to do it...

  1. Open a terminal.
  2. Type the following command:

    $ nmap scanme.nmap.org

The scan results should appear on the screen, showing the interesting ports and their states. The ports marked as open are of special interest as they represent services running on the target host.

How it works...

The following command checks the state of the most popular ports on the host scanme.nmap.org by launching a TCP port scan:

$ nmap scanme.nmap.org

The results contain host information such as the IPv4 address and PTR record, and port information such as a service name and port state.

There's more...

Even for this simplest port scan, Nmap does a lot of things in the background, and these can be configured as well.

Nmap begins by converting the hostname to an IPv4 address using DNS. If you wish to use a different DNS server, use --dns-servers <serv1[,serv2],...>, or use -n if you wish to skip this step, as follows:

$ nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org

Afterwards, it pings the target address to check if the host is alive. To skip this step, use -PN as follows:

$ nmap -PN scanme.nmap.org

Nmap then converts the IPv4 address back to a hostname by using a reverse DNS call. Use -n to skip this step as follows:

$ nmap -n scanme.nmap.org

Finally, it launches a TCP port scan. To specify a different port range, use -p[1-65535], or -p- for all possible TCP ports, as shown in the following command:

$ nmap -p1-30 scanme.nmap.org

Privileged versus unprivileged

Running nmap <TARGET> as a privileged user launches the SYN Stealth Scan. For unprivileged accounts that can't create raw packets, the TCP Connect Scan is used.

The difference between these two is that a TCP Connect Scan uses the high-level system call connect to obtain information about the port state. This means that each TCP connection is fully completed and, therefore, is slower and more likely to be detected and recorded in system logs. SYN Stealth Scans use raw packets to send specially-crafted TCP packets that detect port states more reliably.

Port states

Nmap categorizes ports into the following states. The type of packets sent depends on the scanning technique(s) used.

  • Open: This indicates that an application is listening for connections on this port.
  • Closed: This indicates that the probes were received but there is no application listening on this port.
  • Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
  • Unfiltered: This indicates that the probes were received but a state could not be established.
  • Open/Filtered: This indicates that the port was filtered or open but Nmap couldn't establish the state.
  • Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn't establish the state.
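To make these states concrete, here is an added Python example (not code from the book or the Nmap project) that parses Nmap's normal screen output into per-host port states, so a sweep can be turned into an inventory of which hosts expose a port in a given state. The sample output is constructed for illustration and modeled on the report format shown on this page; the host names, addresses and MACs in it are made up.

```python
import re

# Constructed sample of Nmap's normal output, modeled on the '-p80' sweep
# shown later in this article. Hosts, MACs and states are made up.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.102
Host is up (0.000079s latency).
PORT    STATE         SERVICE
22/tcp  open          ssh
80/tcp  closed        http
443/tcp filtered      https
Nmap scan report for router.lan (192.168.1.254)
Host is up (0.0065s latency).
PORT    STATE         SERVICE
53/udp  open|filtered domain
80/tcp  open          http
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
Nmap done: 256 IP addresses (2 hosts up) scanned in 8.93 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp|sctp)\s+"
    r"(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.+)\))?$")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")


def parse_nmap_output(text):
    """Return (hosts, summary): hosts is a list of dicts, summary is
    (addresses_scanned, hosts_up) taken from the 'Nmap done' line."""
    hosts, summary, cur = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # The parenthesised address is present only when a PTR record resolved
            cur = {"name": m.group(1), "ip": m.group(2) or m.group(1),
                   "ports": {}, "mac": None, "vendor": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"][(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = MAC_RE.match(line)
        if m:
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
            continue
        m = DONE_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
    return hosts, summary


def hosts_with_state(hosts, port, proto, state):
    """IPs whose (port, proto) was reported in exactly the given state."""
    return [h["ip"] for h in hosts
            if h["ports"].get((port, proto), (None, None))[0] == state]


def states_by_count(hosts):
    """Histogram of port states across all hosts; ambiguous states are kept as-is."""
    counts = {}
    for h in hosts:
        for state, _service in h["ports"].values():
            counts[state] = counts.get(state, 0) + 1
    return counts
```

Comparing the number of parsed hosts with the "hosts up" figure in the summary line is a cheap way to catch truncated or garbled output before acting on it.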

Port scanning techniques supported by Nmap

We showed the simplest way of performing a port scan, but Nmap has a vast number of advanced scanning techniques available. Use nmap -h or visit http://nmap.org/book/man-port-scanning-techniques.html to learn more about them.

Fingerprinting services of a remote host

Version detection is one of the most popular features of Nmap. Knowing the exact version of a service is highly valuable for penetration testers who use this service to look for security vulnerabilities, and for system administrators who wish to monitor their networks for any unauthorized changes. Fingerprinting a service may also reveal additional information about a target, such as available modules and specific protocol information.

This recipe describes how to fingerprint the services of a remote host by using Nmap.

How to do it...

Open a terminal and type the following command:

$ nmap -sV scanme.nmap.org

The result of this command is a table containing an additional column named VERSION, displaying the specific service version, if identified. Additional information will be enclosed in parentheses.

How it works...

The flag -sV enables service detection, which returns additional service and version information.

Service detection is one of the most loved features of Nmap, as it's very useful in many situations such as identifying security vulnerabilities or making sure a service is running on a given port.

This feature basically works by sending different probes from nmap-service-probes to the list of suspected open ports. The probes are selected based on how likely it is that they can be used to identify a service.

There is very detailed documentation on how the service detection mode works, and the file formats used, at http://nmap.org/book/vscan.html.

There's more...

You can set the number of probes to use by changing the intensity level of the scan with the argument --version-intensity [0-9], as follows:

# nmap -sV --version-intensity 9 <target>

Aggressive detection

Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). Needless to say, this mode sends a lot more probes and is more likely to be detected, but it provides a lot of valuable host information. You can see this by using one of the following commands:

# nmap -A <target>

Or

# nmap -sC -sV -O <target>

Submitting service fingerprints

Nmap's accuracy comes from a database that has been collected over the years through user submissions. It is very important that we help keep this database up-to-date. If Nmap does not identify the service correctly, please submit your new service fingerprint or correction to http://insecure.org/cgi-bin/submit.cgi?.


Finding live hosts in your network

Finding live hosts in a network is often used by penetration testers to enumerate active targets, and by system administrators to count or monitor the number of active hosts.

This recipe describes how to perform a ping scan to find live hosts in a network by using Nmap.

How to do it...

Open your terminal and enter the following command:

$ nmap -sP 192.168.1.1/24

The result shows hosts that are online and responded to the ping sweep.

Nmap scan report for 192.168.1.102
Host is up.
Nmap scan report for 192.168.1.254
Host is up (0.0027s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
Nmap done: 256 IP addresses (2 hosts up) scanned in 10.18 seconds

In this case, we found two live hosts in the network. Nmap has also found the MAC address, and it identified the vendor of a home router.

How it works...

Nmap uses the -sP flag for ping scanning. This type of scan is very useful for enumerating the hosts in a network. It uses a TCP ACK packet and an ICMP echo request if executed as a privileged user, or a SYN packet sent via the connect() syscall if run by users who can't send raw packets.

CIDR /24 in 192.168.1.1/24 is used to indicate that we want to scan all the 256 IPs in our network.

There's more...

ARP requests are used when scanning a local Ethernet network as a privileged user, but you can override this behavior by including the flag --send-ip.

# nmap -sP --send-ip 192.168.1.1/24

Traceroute

Use --traceroute to include a path between your machine and each host that was found.

Nmap scan report for 192.168.1.101
Host is up (0.062s latency).
MAC Address: 00:23:76:CD:C5:BE (HTC)
TRACEROUTE
HOP RTT      ADDRESS
1   61.70 ms 192.168.1.101
Nmap scan report for 192.168.1.102
Host is up.
Nmap scan report for 192.168.1.254
Host is up (0.0044s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
TRACEROUTE
HOP RTT     ADDRESS
1   4.40 ms 192.168.1.254
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.03 seconds

NSE scripts

Ping scanning does not perform port scanning or service detection, but the Nmap Scripting Engine can still be enabled for scripts that run according to host rules, such as sniffer-detect and dns-brute.

# nmap -sP --script discovery 192.168.1.1/24

Pre-scan script results:
| broadcast-ping:
|_  Use the newtargets script-arg to add the results as targets
Nmap scan report for 192.168.1.102
Host is up.
Host script results:
|_dns-brute: Can't guess domain of "192.168.1.102"; use dns-brute.domain script argument.
Nmap scan report for 192.168.1.254
Host is up (0.0023s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
Host script results:
|_dns-brute: Can't guess domain of "192.168.1.254"; use dns-brute.domain script argument.
|_sniffer-detect: Likely in promiscuous mode (tests: "11111111")
Nmap done: 256 IP addresses (2 hosts up) scanned in 14.11 seconds

Scanning using specific port ranges

There are situations when a system administrator is looking for infected machines that use a specific port to communicate, or when users are only looking for a specific service or open port and don't really care about the rest. Narrowing down the port ranges used also optimizes performance, which is very important when scanning multiple targets.

This recipe describes how to use port ranges when performing Nmap scans.

How to do it...

Open your terminal and enter the following command:

# nmap -p80 192.168.1.1/24

A list of hosts with the state of port 80 will appear in the results.

Nmap scan report for 192.168.1.102
Host is up (0.000079s latency).
PORT   STATE  SERVICE
80/tcp closed http
Nmap scan report for 192.168.1.103
Host is up (0.016s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:16:6F:7E:E0:B6 (Intel)
Nmap scan report for 192.168.1.254
Host is up (0.0065s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
Nmap done: 256 IP addresses (3 hosts up) scanned in 8.93 seconds

How it works...

Nmap uses the flag -p for setting the port ranges to be scanned. This flag can be combined with any scanning method. In the previous example, we used the argument -p80 to indicate to Nmap that we are only interested in port 80.

The CIDR /24 in 192.168.1.1/24 is used to indicate that we want to scan all of the 256 IPs in our network.

There's more...

There are several accepted formats for the argument -p:

  • Port list:

    # nmap -p80,443 localhost

  • Port range:

    # nmap -p1-100 localhost

  • All ports:

    # nmap -p- localhost

  • Specific ports by protocols:

    # nmap -pT:25,U:53 <target>

  • Service name:

    # nmap -p smtp <target>

  • Service name wildcards:

    # nmap -p smtp* <target>

  • Only ports registered in Nmap services:

    # nmap -p[1-65535] <target>
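The numeric forms of the -p argument above follow a small grammar (comma-separated items, ranges with an optional open end, and a protocol qualifier that stays in force for the items that follow it). The following added Python example, which is not code from the book or from Nmap, expands such a specification into per-protocol port sets so you can sanity-check how many ports a scan will actually touch before launching it; service names and the [..] nmap-services filter need Nmap's own nmap-services database, so the example rejects them rather than guessing.

```python
# Protocol qualifiers accepted by -p (T: TCP, U: UDP, S: SCTP).
PREFIXES = {"T": "tcp", "U": "udp", "S": "sctp"}
MAX_PORT = 65535


def parse_port_spec(spec, default_proto="tcp"):
    """Expand an Nmap -p specification into {proto: set_of_ports}.

    Handles numeric lists, ranges ('1-100', '-100', '100-', '-') and
    protocol qualifiers that remain in force until the next one, e.g.
    'U:53,111,137,T:21-25,80'. Items that need the nmap-services database
    (service names, wildcards, '[..]') raise ValueError instead of guessing.
    """
    ports = {p: set() for p in PREFIXES.values()}
    proto = default_proto
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty element in port specification: %r" % spec)
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PREFIXES:
            proto = PREFIXES[item[0].upper()]
            item = item[2:]
            if not item:      # a bare 'T:' only switches the protocol
                continue
        if not all(c.isdigit() or c == "-" for c in item):
            raise ValueError("names and [..] filters need nmap-services: %r" % item)
        if item == "-":
            lo, hi = 1, MAX_PORT
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1          # '-100' means 1-100
            hi = int(hi_s) if hi_s else MAX_PORT   # '100-' means 100-65535
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError("range out of order or out of bounds: %r" % item)
        ports[proto].update(range(lo, hi + 1))
    return {p: s for p, s in ports.items() if s}


def describe(spec):
    """Number of ports per protocol a specification expands to."""
    return {p: len(s) for p, s in parse_port_spec(spec).items()}


def is_valid_spec(spec):
    """True when parse_port_spec accepts the specification."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False
```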

Summary

In this article, we've examined the most common tasks: downloading and compiling Nmap, listing open ports, fingerprinting services, finding live hosts, and scanning numerous hosts using specific port ranges. It also introduced Ndiff, Nping, and Zenmap.

About the Author


Paulino Calderón Pale

Paulino Calderón Pale (@calderpwn) is a very passionate software developer and penetration tester from a Caribbean island near México called Cozumel. He learned how to write code and administer IT infrastructures early in his life, skills that came in handy when he joined the information security industry. Today, he loves learning about new technologies, pen-testing, conducting data gathering experiments, developing software, contributing to the open source community, and speaking and giving workshops at IT security conferences.

In the summer of 2011, Paulino joined Google's Summer of Code program to work on the Nmap project as an NSE (Nmap Scripting Engine) developer. He focused on improving the web scanning capabilities of Nmap, and since then has produced over 30 scripts for gathering information and detecting and exploiting security vulnerabilities.

Paulino is the co-founder of Websec, an information security company focused on web security operating in México (http://websec.mx) and Canada (http://websec.ca), where they help companies in different industries secure their IT infrastructures.

He has also written the book Nmap 6: Network Exploration and Security Auditing Cookbook. He maintains a blog where you can find out more about him at http://calderonpale.com.
