Before we get started with the technical intricacies of mastering Nmap, it's a good idea to understand how Nmap itself began and evolved as a project. This tool has been around for almost twenty years, and is a well-loved and often-used component across many technical industries.
In this chapter, we will cover:
How the Nmap project began
The evolution of the tool itself
New add-ons to the Nmap suite
How to install Nmap on Windows, OS X, and Linux
Nmap started from humble beginnings. Unlike the commercial security tools that are released today, the very first Nmap was only about 2,000 lines of code—and was released in 1997 in issue 51 of Phrack, a hacker "zine" that was started in 1985. Nmap's timeline is a fascinating one, and its growth has been phenomenal. The general timeline of Nmap development is as follows:
At the time of release, Nmap did not have very many features; in fact, it was bare bones. There was no version number attached to this release of Nmap because the developers did not plan to release any future versions. Nmap was designed only to scan for open ports on a target machine, and only worked when run from a Linux host and compiled with gcc.
Only four days after the initial release of Nmap, though, a slightly improved version was released (also through Phrack)—version 1.25. It was becoming very clear, even in the infancy of the now-famous tool, that there was an extremely high demand for a high-performance port scanner. Although there had previously been ways to detect open ports, Nmap made it straightforward to assess a third-party host over the Internet or across a local network. The hacker community was intrigued.
By March 1998, about six months after the initial Nmap release, the scanner had become the de facto port scanner of the underground hacker community and blossoming information security industry. Renaud Deraison asked permission to use the scanner code in a new vulnerability assessment engine he was creating, and (after receiving permission) Nmap scanning technology became integrated with the very first version of Nessus.
By September 2003, when Nmap 3.45 was released, there had been many major changes to the project. Fyodor, the primary developer, is now working on maintaining Nmap full-time. The tool has many new features—such as service detection, OS detection, timing configuration, and optimization flags (all of which will be covered later in this book)—and has truly reached a state of maturity.
In December 2006, one of the most important aspects of the Nmap project was integrated into all Nmap builds: Nmap Scripting Engine (NSE). The NSE allows users of Nmap to write their own modules (in a programming language called Lua) to trigger on certain ports being open, or certain services—or even specific versions of services—found listening. This release allows the elevation of Nmap from a simple networking tool to a fully robust and customizable vulnerability assessment engine, suitable for a wide variety of tasks.
Although port scanning is obviously very important for security professionals—after all, without understanding what network ports are open, it would be impossible to assess the security of a system—Nmap is also very valuable for other types of information technology professionals.
System administrators use Nmap to determine which of their systems are online, so they can understand if there are problems or inconsistencies on their network. Similarly, using OS detection and service detection, these administrators are able to easily verify that all systems are running the same (hopefully current) versions of operating systems and network-enabled software.
Because of its ability to change timing, as well as set specific flags on different packets (for example, the Xmas Tree scan), developers can turn to Nmap for help in testing embedded network stacks, in order to verify that the aggressive network traffic won't have unintended outcomes that may crash a system.
Lastly—and perhaps most importantly—students of network and computer engineering are major users of Nmap. Because it is a free and open source software, there is no barrier to get the software and run it immediately. Even amateur users scanning their own small home networks can learn an immense amount about how their computers and networks work and are configured by seeing what services are online. Although there are Windows and OS X ports, Nmap is also a great introduction to running straightforward (but advanced) tools on the Linux command line.
On most modern operating systems (Windows, OS X, and most distributions of Linux), installing Nmap is a very easy task. The official Nmap website (http://insecure.org/) distributes downloadable installers for Windows and Mac OS X that are very easy to run.
For Windows, a full walk-through of the installation process is available at http://nmap.org/book/inst-windows.html.
For Mac OS X, a full walk-through of the installation process is available at http://nmap.org/book/inst-macosx.html.
To install Nmap for Linux, there are several options. The most recent "bleeding edge" builds are always available to install from source (see the following paragraph). There are RPMs that can be downloaded from the http://insecure.org/ website, but most Linux distributions already have Nmap in their standard packages' repositories.
To install from a repository on Debian/Ubuntu is very straightforward. First, run
sudo apt-get update to verify that all 'apt sources' lists are up to date. Then, it is as simple as
sudo apt-get install Nmap to download and install a working version of Nmap!
Downloading the example code
You can download the example code files from your account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Download the source code.
Compile the code.
Install the compiled tool.
Downloading the code with a tool such as
wget is very simple; all we need to do is type
wget http://nmap.org/dist/nmap-6.47.tar.bz2 (or whatever is the current version of Nmap).
Once the tool is downloaded, it must be removed from its tarball—or compressed—state. This is done using the
tar command by typing
tar xvf nmap-6.47.tar.bz2.
At this stage, we now have a new directory filled with Nmap source code. If we change the directory by typing
cd nmap-6.47, we are then able to compile this code. For those users that are familiar with installing tools on Linux, the next step will be familiar. We need to
./configure make and
sudo make install in order to install Nmap on our system.
The "Nmap dragon" is a famous piece of ASCII art that is displayed during the
./configure step of Nmap source code compilation.
Once Nmap is successfully installed, you can verify that it works—and see which options it was compiled with—by typing
nmap -V. We'll cover the different flags that you can pass to Nmap in the subsequent chapters.
After reading this chapter, you should have a solid understanding of the wonderful background that Nmap brings to the information security world. Starting as a small project, the Nmap project is now one of the pillars of several industries.
If you have followed the installation instructions, you should now have a fully functional copy of Nmap ready to work with throughout the rest of the chapters. If not, now would be a great time to go ahead and install the tool so that you are ready to start scanning, auditing, and assessing!
In the next chapter, we will learn the basics of TCP/IP networking in order to better understand how Nmap is able to assess open ports, and find out which services and operating systems are running.