tool nmap

11 April 2015

info

  • Nmap is short for network mapper
  • it is an open source security tool for network exploration, security scanning and auditing
  • it was designed to rapidly scan large networks
  • nmap uses raw ip packets in novel ways to determine what hosts are available on the network
  • what services (application name and version) those hosts are offering
  • what operating system (and os versions) they are running
  • what type of packet filters/firewalls are in use

reference cyberciti

sample setup (lab)

                      +---------+
+---------+           | Network |         +---------+
| server1 |-----------+ switch  +---------| server2 |
+---------+           | (sw0)   |         +---------+
                      +----+----+
                           |
                           |
                 +---------+--------+
                 | wks01 Linux/OSX  |
                 +------------------+

  • wks01 is your computer

    • running linux/os x or unix like os

    • used for scanning your local network

    • nmap command must be installed

  • server1

    • powered by linux/unix/ms-windows os

    • this is an unpatched server

    • install a few services such as a web-server, file server and so on

  • server2

    • powered by linux/unix/ms-windows os

    • this is a fully patched server with firewall

    • install a few services such as a web-server, file server and so on

  • all three systems are connected via switch sw0

scanning

  1. scan a single host or an ip address (ipv4)

    • ip address

        $ nmap 192.168.1.104

    • host name

        $ nmap server1

    • host name with more info

        $ nmap -v 192.168.1.104

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 11:24 CST
  Initiating Ping Scan at 11:24
  Scanning 192.168.1.104 [2 ports]
  Completed Ping Scan at 11:24, 1.87s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 11:24
  Completed Parallel DNS resolution of 1 host. at 11:24, 0.00s elapsed
  Initiating Connect Scan at 11:24
  Scanning 192.168.1.104 [1000 ports]
  Discovered open port 445/tcp on 192.168.1.104
  Discovered open port 139/tcp on 192.168.1.104
  Discovered open port 135/tcp on 192.168.1.104
  Discovered open port 49157/tcp on 192.168.1.104
  Discovered open port 10000/tcp on 192.168.1.104
  Discovered open port 49154/tcp on 192.168.1.104
  Discovered open port 49153/tcp on 192.168.1.104
  Discovered open port 49158/tcp on 192.168.1.104
  Discovered open port 2179/tcp on 192.168.1.104
  Discovered open port 49152/tcp on 192.168.1.104
  Discovered open port 5678/tcp on 192.168.1.104
  Completed Connect Scan at 11:24, 1.30s elapsed (1000 total ports)
  Nmap scan report for 192.168.1.104
  Host is up (0.0067s latency).
  Not shown: 989 closed ports
  PORT      STATE SERVICE
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  2179/tcp  open  vmrdp
  5678/tcp  open  rrac
  10000/tcp open  snet-sensor-mgmt
  49152/tcp open  unknown
  49153/tcp open  unknown
  49154/tcp open  unknown
  49157/tcp open  unknown
  49158/tcp open  unknown

  Read data files from: /usr/local/bin/../share/nmap
  Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds

  2. scan multiple ip address or subnet (ipv4)

    • nmap 192.168.1.104 192.168.1.105

        Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 11:29 CST
  Nmap scan report for 192.168.1.104
  Host is up (0.045s latency).
  Not shown: 989 closed ports
  PORT      STATE SERVICE
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  2179/tcp  open  vmrdp
  5678/tcp  open  rrac
  10000/tcp open  snet-sensor-mgmt
  49152/tcp open  unknown
  49153/tcp open  unknown
  49154/tcp open  unknown
  49157/tcp open  unknown
  49158/tcp open  unknown

  Nmap scan report for 192.168.1.105
  Host is up (0.00037s latency).
  Not shown: 968 closed ports, 31 filtered ports
  PORT   STATE SERVICE
  22/tcp open  ssh

  Nmap done: 2 IP addresses (2 hosts up) scanned in 5.45 seconds

    • scan using last octet of ip address

        $ nmap 192.168.1.104,105

    • scan a range of ip address

        $ nmap 192.168.1.100-110

    • scan a range of ip address using a wildcard

        $ nmap 192.168.1.*

    • scan an entire subnet

        $ nmap 192.168.1.0/24

  3. read list of hosts/networks from a file (ipv4)

    • the -iL option allows you to read the list of target systems using a text file

        $ cat /tmp/scanlist.txt
  192.168.1.104
  192.168.1.105
  server1
  server2
  localhost

  $ nmap -iL /tmp/scanlist.txt

  4. excluding hosts/networks (ipv4)

    • you can exclude hosts from a scan

        $ nmap 192.168.1.0/24 --exclude 192.168.1.104
  $ nmap 192.168.1.0/24 --exclude 192.168.1.104,192.168.1.105

    • exclude list from a file called /tmp/exclude.txt

        $ nmap -iL /tmp/scanlist.txt --exclude /tmp/exclude.txt

  5. trun on os and version detection scanning script (ipv4)

         $ nmap -v -A 192.168.1.104
     $ nmap -A -iL /tmp/scanlist.txt
     $ nmap -A 192.168.1.104

     Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 11:42 CST
     Nmap scan report for 192.168.1.104
     Host is up (0.011s latency).
     Not shown: 989 closed ports
     PORT      STATE SERVICE           VERSION
     135/tcp   open  msrpc             Microsoft Windows RPC
     139/tcp   open  netbios-ssn
     445/tcp   open  netbios-ssn
     2179/tcp  open  vmrdp?
     5678/tcp  open  rrac?
     10000/tcp open  snet-sensor-mgmt?
     | ndmp-version: 
     |_  ERROR: Failed to get host information from server
     49152/tcp open  msrpc             Microsoft Windows RPC
     49153/tcp open  msrpc             Microsoft Windows RPC
     49154/tcp open  msrpc             Microsoft Windows RPC
     49157/tcp open  msrpc             Microsoft Windows RPC
     49158/tcp open  msrpc             Microsoft Windows RPC
     Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

     Host script results:
     |_nbstat: NetBIOS name: GREE2, NetBIOS user: <unknown>, NetBIOS MAC: 00:00:00:00:00:00 (Intel Corporate)
     | smb-security-mode: 
     |   Account that was used for smb scripts: guest
     |   User-level authentication
     |   SMB Security: Challenge/response passwords supported
     |_  Message signing disabled (dangerous, but default)
     |_smbv2-enabled: Server supports SMBv2 protocol

     Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
     Nmap done: 1 IP address (1 host up) scanned in 164.58 seconds

  6. find out if a host/network is protected by a firewall

         $ nmap -sA 192.168.1.104

     You requested a scan type which requires root privileges.
     QUITTING!

     $ sudo !!

  7. scan a host when protected by the firewall

         $ nmap -PN 192.168.1.104

  8. scan an ipv6 host/network

    • the -6 option enable ipv6 scanning

        $ nmap -6 fe80::20df:21c8:e68e:7d23%17

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:04 CST
  Strange error from connect (22):Invalid argument
  Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
  Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds

  $ nmap -6 -Pn fe80::20df:21c8:e68e:7d23%17

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:06 CST
  Strange error from connect (22):Invalid argument
  Nmap scan report for fe80::20df:21c8:e68e:7d23
  Host is up.
  All 1000 scanned ports on fe80::20df:21c8:e68e:7d23 are filtered

  Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

  $ nmap -v -A -6 fe80::20df:21c8:e68e:7d23%17

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:10 CST
  NSE: Loaded 118 scripts for scanning.
  NSE: Script Pre-scanning.
  Initiating Ping Scan at 12:10
  Scanning fe80::20df:21c8:e68e:7d23 [2 ports]
  Strange error from connect (22):Invalid argument
  Completed Ping Scan at 12:10, 0.00s elapsed (1 total hosts)
  Initiating System DNS resolution of 1 host. at 12:10
  Completed System DNS resolution of 1 host. at 12:10, 0.00s elapsed
  Nmap scan report for fe80::20df:21c8:e68e:7d23 [host down]
  NSE: Script Post-scanning.
  Read data files from: /usr/local/bin/../share/nmap
  Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
  Nmap done: 1 IP address (0 hosts up) scanned in 0.17 seconds

  9. scan a network and find out which servers and devices are up and running

    • this is known as host discovery or ping scan

        $ nmap -sP 192.168.1.0/24

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:14 CST
  Strange error from connect (65):No route to host
  Nmap scan report for 192.168.1.101
  Host is up (0.089s latency).
  Nmap scan report for 192.168.1.104
  Host is up (0.011s latency).
  Nmap scan report for 192.168.1.105
  Host is up (0.00014s latency).
  Nmap scan report for 192.168.1.253
  Host is up (0.017s latency).
  Nmap done: 256 IP addresses (4 hosts up) scanned in 16.85 seconds

  10. how do i perform a fast scan

    • single host

        $ nmap -F 192.168.1.104

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:17 CST
  Nmap scan report for 192.168.1.104
  Host is up (0.022s latency).
  Not shown: 92 closed ports
  PORT      STATE SERVICE
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  10000/tcp open  snet-sensor-mgmt
  49152/tcp open  unknown
  49153/tcp open  unknown
  49154/tcp open  unknown
  49157/tcp open  unknown

  Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

    • subnet

        $ nmap -F 192.168.1.0/24

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:16 CST
  Strange error from connect (65):No route to host
  Nmap scan report for 192.168.1.101
  Host is up (0.031s latency).
  All 100 scanned ports on 192.168.1.101 are closed (68) or filtered (32)

  Nmap scan report for 192.168.1.104
  Host is up (0.0067s latency).
  Not shown: 92 closed ports
  PORT      STATE SERVICE
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  10000/tcp open  snet-sensor-mgmt
  49152/tcp open  unknown
  49153/tcp open  unknown
  49154/tcp open  unknown
  49157/tcp open  unknown

  Nmap scan report for 192.168.1.105
  Host is up (0.00083s latency).
  Not shown: 99 closed ports
  PORT   STATE SERVICE
  22/tcp open  ssh

  Nmap scan report for 192.168.1.253
  Host is up (0.012s latency).
  Not shown: 98 filtered ports
  PORT     STATE SERVICE
  80/tcp   open  http
  1900/tcp open  upnp

  Nmap done: 256 IP addresses (4 hosts up) scanned in 5.73 seconds

  11. display the reason a port is in a particular state

         $ nmap --reason 192.168.1.104

     Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:19 CST
     Nmap scan report for 192.168.1.104
     Host is up, received conn-refused (0.036s latency).
     Not shown: 989 closed ports
     Reason: 989 conn-refused
     PORT      STATE SERVICE          REASON
     135/tcp   open  msrpc            syn-ack
     139/tcp   open  netbios-ssn      syn-ack
     445/tcp   open  microsoft-ds     syn-ack
     2179/tcp  open  vmrdp            syn-ack
     5678/tcp  open  rrac             syn-ack
     10000/tcp open  snet-sensor-mgmt syn-ack
     49152/tcp open  unknown          syn-ack
     49153/tcp open  unknown          syn-ack
     49154/tcp open  unknown          syn-ack
     49157/tcp open  unknown          syn-ack
     49158/tcp open  unknown          syn-ack

     Nmap done: 1 IP address (1 host up) scanned in 3.61 seconds

  12. only show open (or possibly open) ports

         $ nmap --open 192.168.1.104

     Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:21 CST
     Nmap scan report for 192.168.1.104
     Host is up (0.24s latency).
     Not shown: 989 closed ports
     PORT      STATE SERVICE
     135/tcp   open  msrpc
     139/tcp   open  netbios-ssn
     445/tcp   open  microsoft-ds
     2179/tcp  open  vmrdp
     5678/tcp  open  rrac
     10000/tcp open  snet-sensor-mgmt
     49152/tcp open  unknown
     49153/tcp open  unknown
     49154/tcp open  unknown
     49157/tcp open  unknown
     49158/tcp open  unknown

     Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds

  13. show all packets send and received

         $ nmap --packet-trace 192.168.1.104

  14. show host interfaces and routes

    • this is useful for debugging (ip, route, netstat command)

        $ nmap --iflist

  15. how do i scan specific ports

    • scan port 80

        $ nmap -p 80 192.168.1.104

    • scan TCP port 80

        $ nmap -p T:80 192.168.1.104

    • scan UDP port 53

        $ nmap -p U:53 192.168.1.104

    • scan two ports

        $ nmap -p 80,443 192.168.1.104

    • scan port range

        $ nmap -p 80-200 192.168.1.104

    • combine all options

        $ nmap -p U:53,111,135,T:21-25,80,139,8080 192.168.1.104
  $ nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.104

    • scan all port with wildcard

        $ nmap -p "*" 192.168.1.104

    • scan top ports i.e. scan $number most common ports

        $ nmap --top-ports  5 192.168.1.104
  $ nmap --top-ports 10 192.168.1.104

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:34 CST
  Nmap scan report for 192.168.1.104
  Host is up (0.027s latency).
  PORT     STATE  SERVICE
  21/tcp   closed ftp
  22/tcp   closed ssh
  23/tcp   closed telnet
  25/tcp   closed smtp
  80/tcp   closed http
  110/tcp  closed pop3
  139/tcp  open   netbios-ssn
  443/tcp  closed https
  445/tcp  open   microsoft-ds
  3389/tcp closed ms-wbt-server

  Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds

    • scan ports consecutively

        # to don't randommize
  $ nmap -r 192.168.1.104

  16. the fastest way to scan all your devices/computers for open ports ever

         $ nmap -T5 192.168.1.0/24

  17. how do i detect remote os

    • you can identify a remote host apps and os using -O option

        $ nmap -O 192.168.1.104

  TCP/IP fingerprinting (for OS scan) requires root privileges.
  QUITTING!
  $ sudo !!
  sudo nmap -O 192.168.1.104
  Password:

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:39 CST
  Nmap scan report for 192.168.1.104
  Host is up (0.0038s latency).
  Not shown: 989 closed ports
  PORT      STATE SERVICE
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  2179/tcp  open  vmrdp
  5678/tcp  open  rrac
  10000/tcp open  snet-sensor-mgmt
  49152/tcp open  unknown
  49153/tcp open  unknown
  49154/tcp open  unknown
  49157/tcp open  unknown
  49158/tcp open  unknown
  MAC Address: 00:00:00:00:00:00 (Intel Corporate)
  Device type: general purpose
  Running: Microsoft Windows Vista|7|8.1
  OS CPE: cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1
  OS details: Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1
  Network Distance: 1 hop

  OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds

  $ nmap -O --osscan-guess 192.168.1.104
  $ nmap -v -O --osscan-guess 192.168.1.104

  18. how do i detect remote services (server/daemon) version numbers

         $ nmap -sV 192.168.1.104

     Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:43 CST
     Nmap scan report for 192.168.1.104
     Host is up (0.0094s latency).
     Not shown: 989 closed ports
     PORT      STATE SERVICE           VERSION
     135/tcp   open  msrpc             Microsoft Windows RPC
     139/tcp   open  netbios-ssn
     445/tcp   open  netbios-ssn
     2179/tcp  open  vmrdp?
     5678/tcp  open  rrac?
     10000/tcp open  snet-sensor-mgmt?
     49152/tcp open  msrpc             Microsoft Windows RPC
     49153/tcp open  msrpc             Microsoft Windows RPC
     49154/tcp open  msrpc             Microsoft Windows RPC
     49157/tcp open  msrpc             Microsoft Windows RPC
     49158/tcp open  msrpc             Microsoft Windows RPC
     Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

     Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
     Nmap done: 1 IP address (1 host up) scanned in 164.78 seconds

  19. scan a host using TCP ACK (PA) and TCP Syn (PS) ping

    • if firewall is blocking standard ICMP pings try the following host discovery methods

        $ nmap -PS 192.168.1.104
  $ nmap -PS 80,21,443 192.168.1.104
  $ nmap -PA 192.168.1.104
  $ nmap -PA 80,21,200-512 192.168.1.104

  20. scan a host using ip protocol ping

         $ nmap -PO 192.168.1.104

  21. scan a host using UDP ping

    • this scan bypasses firewalls and filters that only screen TCP

        $ nmap -PU 192.168.1.104

  Sorry, UDP Ping (-PU) only works if you are root (because we need to read raw responses off the wire)
  QUITTING!
  $ sudo !!
  sudo nmap -PU 192.168.1.104
  Password:

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 12:51 CST
  Nmap scan report for 192.168.1.104
  Host is up (0.0089s latency).
  Not shown: 989 closed ports
  PORT      STATE SERVICE
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  2179/tcp  open  vmrdp
  5678/tcp  open  rrac
  10000/tcp open  snet-sensor-mgmt
  49152/tcp open  unknown
  49153/tcp open  unknown
  49154/tcp open  unknown
  49157/tcp open  unknown
  49158/tcp open  unknown
  MAC Address: 9C:4E:36:C4:6B:C4 (Intel Corporate)

  Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds

  22. find out the most commonly used TCP ports using TCP SYN scan

    • stealthy scan

        $ nmap -sS 192.168.1.104
  You requested a scan type which requires root privileges.
  QUITTING!

    • using TCP connect scan (warning: no stealthy scan) os fingerprinting

        $ nmap -sT 192.168.1.104

    • using TCP ACK scan

        $ nmap -sA 192.168.1.104
  You requested a scan type which requires root privileges.
  QUITTING!

    • using TCP window scan

        $ nmap -sW 192.168.1.104
  You requested a scan type which requires root privileges.
  QUITTING!

    • using TCP maimon scan

        $ nmap -sM 192.168.1.104
  You requested a scan type which requires root privileges.
  QUITTING!

  23. scan a host for UDP services (UDP scan)

    • most popular services on the internet run over the TCP

    • DNS, SMTP, and DHCP are 3 of the most common UDP services

    • use the following syntax to find out UDP services

        $ nmap -sU server1
  $ nmap -sU 192.168.1.104
  You requested a scan type which requires root privileges.
  QUITTING!
  $ sudo !!
  sudo nmap -sU 192.168.1.104

  Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-11 13:02 CST
  Nmap scan report for 192.168.1.104
  Host is up (0.011s latency).
  Not shown: 993 closed ports
  PORT      STATE         SERVICE
  137/udp   open          netbios-ns
  138/udp   open|filtered netbios-dgm
  500/udp   open|filtered isakmp
  4500/udp  open|filtered nat-t-ike
  5355/udp  open|filtered llmnr
  49152/udp open|filtered unknown
  49159/udp open|filtered unknown
  MAC Address: 9C:4E:36:C4:6B:C4 (Intel Corporate)

  Nmap done: 1 IP address (1 host up) scanned in 537.03 seconds

  24. scan for IP protocol

    • to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines

        $ nmap -sO 192.168.1.104

  25. scan a firewall for security weakness

    • exploit a subtle loophole in the TCP and good for testing security of common attacks

    • TCP Null scan to fool a firewall to generate a response

        # does not set any bits (TCP flag header is o)
  $ nmap -sN 192.168.1.104

    • TCP Fin scan to check firewall

        # sets just the TCP FIN bit
  $ nmap -sF 192.168.1.104

    • TCP Xmas scan to check firewall

        # sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree
  $ nmap -sX 192.168.1.104

  26. scan a firewall for packets fragments

    • the -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets

    • the idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing

        $ nmap -f 192.168.1.104
  $ nmap -f 15 192.168.1.104

  # set your own offset size with the --mtu option
  $ nmap --mtu 32 192.168.1.104

  27. cloak a scan with decoys

    • the -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too

    • thus their IDS might report 5-10 port scans from unique IP addresses

    • but they won’t know which IP was scanning them and which were innocent decoys

        $ nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip

  28. scan a firewall for MAC address spoofing

    • spoof your MAC address

        $ nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.104

    • add other option

        $ nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.104

    • use a random MAC address

        # the number 0 means nmap chooses a completely random MAC address
  $ nmap -v -sT -PN --spoof-mac 0 192.168.1.104

  29. how do i save output to a text file

         $ nmap 192.168.1.104 > output.txt
     $ nmap -oN /tmp/output.txt 192.168.1.104
     $ nmap -oN output.txt 192.168.1.104

  30. not a fan of command line tools

blog comments powered by Disqus