Learning Nmap: The Basics
The Nmap man page describes it as a network exploration tool and security/port scanner. Nmap (Network Mapper) is a versatile open source tool that systems administrators can't do without. Some of its interesting features:
- It's fast.
- It crafts raw IP packets in a variety of ways to scan hosts and networks.
- It can detect the target's operating system; when it cannot match a fingerprint, it prints the fingerprint and asks you to submit it to the developers (if you know what the host runs) for incorporation in future versions of Nmap.
- It offers a large set of options for scanning a network.
Caution: while using Nmap, keep the following in mind.
Under India's Information Technology Act, 2000 and its subsequent amendments, even a port scan of a public IP address may land you in jail. Do not scan computers that you do not own, or run scans over networks that you do not own, without written permission from the owners. For practice, you may scan scanme.nmap.org. That permission covers port scanning with Nmap only; you are not allowed to test exploits or run denial-of-service attacks against it. Follow the rules listed in the Nmap man page; the site owners report abuse of this service.
Use Nmap carefully, and only for discovery and audits of your own network. As this article shows, it is a powerful tool that can disrupt or damage the target system or network.
Fully understand what a scan does, including scripted scans, before you run it. Ignorance is no defence against prosecution.
Also note that if you have a website of your own, whether hosted at a hosting provider or on a rented physical server, the server and the network do NOT belong to you even though you own the website's content. Obtain permission from the hosting provider or server owner before carrying out even "testing" probes of your own website.
The basic command-line syntax, as given in the man page synopsis, is nmap [scan type(s)] [options] {target specification}. Nmap has a huge list of command-line options, generally categorised into target specification, host discovery, port specification, service and version detection, scan technique, scripted scans, timing, and output options.
Switches that craft raw packets (the SYN and other non-connect scans, OS detection, decoys, the idle scan) only work when Nmap is run as root (the superuser). With no scan type given, Nmap uses a SYN scan when run as root and falls back to a connect scan (-sT) otherwise. Let's look at some basic commands:
- nmap -sL 192.168.10.0/24 is a list scan: it only enumerates the targets (192.168.10.0 to 192.168.10.255) and does reverse-DNS lookups on them, sending no probes to the hosts themselves. It is a quick way to check what a target specification expands to before scanning it.
- nmap -p80,443 192.168.10.10-20 scans the eleven hosts 192.168.10.10 to 192.168.10.20 for open ports 80 and 443.
- nmap -p T:80,8080,6588,800 172.16.0.1/22 scans every address in 172.16.0.0/22 (172.16.0.1 to 172.16.3.254 and the network and broadcast addresses) for TCP ports 80, 8080, 6588 and 800, the default listening ports of various proxy servers. The T: prefix restricts the list to TCP ports.
- nmap -sP 192.168.10.10,20 is a ping scan (host discovery only, no port scan) of the two hosts 192.168.10.10 and 192.168.10.20; the comma lists alternative values for the last octet. In current Nmap releases -sP is spelled -sn.
- nmap -PN 192.168.10.0/29 port-scans all addresses in 192.168.10.0/29 (the usable hosts being 192.168.10.1 to 192.168.10.6) without host discovery. Host-based firewalls often drop ping requests, so such hosts look down and would otherwise be skipped; -PN (now -Pn) treats every target as online and scans it anyway.
- nmap -A -F 192.168.10.1 detects the target's OS and service versions and runs the default NSE scripts and a traceroute (-A), while limiting the port scan to the 100 most common ports (-F, fast mode).
These basic commands are useful for standard scans in any network, and serve a variety of purposes including checking open ports; whether unintended services (like terminal services, VNC, FTP, etc) are running on important hosts; obtaining a list of IP addresses to be scanned, and so on.
However, these simple and straightforward scans may not fulfil all requirements. Sometimes, for example, special scans are required in order to test intrusion detection/prevention systems. There might also be the need to conceal the identity of the scanner from the target host.
Nmap does indeed provide several ways to conceal the scanner's IP address (and --spoof-mac lets you forge the source MAC address), though you have to be careful with these options. They require an in-depth knowledge of TCP/IP, and may disrupt or damage systems and networks if misused. Let's look at some stealth techniques that hide the identity of the scanning system.
The idle scan (-sI) uses a zombie host. With 192.168.10.100 as the zombie and 192.168.10.105 as the target, Nmap sends the target probes whose source address is the zombie's, and reads the result off the zombie instead of the target: it watches the zombie's IP ID counter and infers whether a port is open from how many packets the zombie was provoked into sending. The target's logs show only 192.168.10.100, the zombie, and never the scanner.
In this networking context a zombie is simply a host whose behaviour another host on the network exploits. Not every host can serve as a zombie: it must be genuinely idle (otherwise its own traffic disturbs the IP ID counter) and its IP ID values must increase predictably. Tools such as hping can help you find a suitable zombie on the network. The -v switch increases the verbosity of the output.
A decoy scan is especially useful when testing an IDS/IPS. Here -sS performs a SYN scan of the target, and -D makes the probes appear to come from the listed decoy hosts as well as from the scanner: for each probe, Nmap also sends copies with each decoy address as the spoofed source, so the target (and its IDS) sees the same scan arriving from several addresses and cannot tell which one is real. Since the decoy packets are forged at the raw-packet level, -D cannot be combined with the connect scan (-sT) or with version detection (-sV), which need a real TCP session with the scanner's own address.
Now, a word of caution: be careful not to cause an unintended denial of service (DoS) while using the -D option. To understand how this could happen, recall how a TCP handshake works. TCP is a connection-oriented protocol that guarantees delivery of data, and every connection starts with a three-way handshake:
- The client initiates the communication by a SYN
- The server acknowledges with a SYN-ACK
- The client again sends an ACK, and now they can communicate
When -D is used and a live host sits at the decoy address, the target's SYN-ACK goes to that host rather than to the scanner. That host never asked for the connection, so it answers with a TCP reset (RST) and the target discards the half-open connection. No harm done.
The problem arises when the decoy address is not in use on the network. Nothing answers the target's SYN-ACK with an RST, so the target keeps the embryonic connection in the SYN-RECEIVED state, retransmitting its SYN-ACK until a timer expires. As Nmap keeps sending probes with that decoy as the source, the target's listen backlog fills with such entries. This is exactly a SYN flood, and on a stack without SYN cookies, or with a small backlog, it can stop legitimate clients from connecting. A simple precaution is to confirm with a ping scan that every decoy address is alive before using it.
Other interesting command-line options
Nmap's creators have considered many possibilities while designing it. One case in point is the --ttl option. To understand its use, let's go into some detail on the IP protocol. Every IP header carries a field called TTL (Time To Live), set by the machine from which the packet originates. Every router that forwards the packet towards its destination decrements the TTL.
If the TTL reaches zero before the packet arrives at its destination, the packet is dropped and an ICMP Time Exceeded error is sent back to the sender (traceroute relies on exactly this behaviour). The mechanism prevents undeliverable packets, for example those caught in a routing loop, from circulating forever and swamping the network.
Although TTL was originally meant to be a measure of time, as its name suggests, in practice every hop decrements it by one rather than by some number of seconds. The field therefore really sets the maximum number of hops a packet may be forwarded before being discarded.
Typical default values are 64 on Linux and most Unix-like systems and 128 on Windows. Nmap's --ttl option lets you set a custom value on the probe packets it sends, which is very useful: a TTL of 1, for instance, guarantees that a probe dies at the first router and never leaves your LAN for the WAN/Internet. Fantastic, isn't it?
Some of the other important Nmap command-line options that require an understanding of TCP/IP include:
- Fragmenting probe packets (-f), which splits the TCP header across several small IP fragments so that simple packet filters cannot match on it
- FTP bounce scanning (-b), which scans through a third-party FTP server that lets the PORT command point at another host
- Changing the scan delay (--scan_delay, spelled --scan-delay in current releases), which is especially useful when the target has an IDS/IPS that rate-limits or blocks rapid scan requests
- Timing templates (-T0 to -T5, from paranoid to insane)
- Scripted scans (--script), which run NSE scripts against the discovered services
Listing active hosts on the network
A common sequence in network testing is to first build a list of all the active hosts in a network. The list then serves as input to other tools that cannot discover hosts themselves but must be given one or more target IP addresses. Two commands do this.
The first runs a ping scan (-sP, or -sn in current releases) over the target range and writes the results to a file in greppable output format (-oG), in which every discovered host occupies one line beginning Host: <IP> (<hostname>) followed by Status: Up. The second reads that file, splits each line into fields on whitespace and prints the second field (the IP address), producing a new file, iplist, which is simply the list of active hosts in the range. The header and footer lines of the greppable file begin with #, so the extraction must keep only the Host: lines.
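The two-step host listing above, and the decoy pre-flight check suggested in the discussion of -D, can be scripted together. The following is an added example, not code from the article or from the Nmap project: a POSIX shell script that post-processes greppable (-oG) output with awk. It does not run nmap itself; the scan output it works on is a constructed sample in the shape Nmap writes for nmap -sn -v -oG, and the addresses, file names and function names (live_hosts, live_decoys, decoy_option) are illustrative.

```shell
#!/bin/sh
# Added example, not from the article: post-process Nmap greppable (-oG)
# output with POSIX sh + awk. Nothing here runs nmap; the scan output below
# is a CONSTRUCTED sample shaped like "nmap -sn -v -oG ping.gnmap 192.168.10.0/29"
# (with -v, Down hosts are listed too). Real Nmap separates the fields with
# tabs; awk splits on any whitespace, so $2 of a "Host:" line is the IP either way.

WORK=$(mktemp -d)
SCAN="$WORK/ping.gnmap"
cat > "$SCAN" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -v -oG ping.gnmap 192.168.10.0/29
Host: 192.168.10.1 (gw.example.lan)   Status: Up
Host: 192.168.10.2 ()   Status: Up
Host: 192.168.10.3 ()   Status: Down
Host: 192.168.10.4 ()   Status: Down
Host: 192.168.10.5 (ftp.example.lan)   Status: Up
Host: 192.168.10.6 ()   Status: Down
# Nmap done at Mon Jan  1 10:00:01 2024 -- 8 IP addresses (3 hosts up) scanned in 1.23 seconds
EOF

# live_hosts FILE: one IP per line for every host Nmap reported Up.
# Comment lines (#) and Down hosts are skipped, so the result is a clean
# target list for tools that cannot discover hosts themselves.
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1"
}

# live_decoys FILE DECOYS: filter a comma-separated decoy list down to the
# addresses that answered the discovery scan. A decoy address with no live
# host behind it never RSTs the target's SYN-ACKs, so the target accumulates
# half-open connections; dropping such addresses keeps -D from turning into
# an accidental SYN flood. Output is comma-separated and may be empty.
live_decoys() {
    printf '%s\n' "$2" | tr ',' '\n' |
        awk 'NR == FNR { if ($1 == "Host:" && /Status: Up/) up[$2] = 1; next }
             ($1 in up) { out = out (out == "" ? "" : ",") $1 }
             END { print out }' "$1" -
}

# decoy_option FILE DECOYS: the -D argument to hand to nmap, with ME (the
# scanner's real address) placed last, or an empty string when no candidate
# decoy is alive, in which case the -D option should simply be left out.
decoy_option() {
    d=$(live_decoys "$1" "$2")
    if [ -n "$d" ]; then
        printf '%s' "-D $d,ME"
    fi
}

live_hosts "$SCAN" > "$WORK/iplist"     # the article's iplist file
echo "live hosts: $(tr '\n' ' ' < "$WORK/iplist")"
echo "decoy option: $(decoy_option "$SCAN" '192.168.10.2,192.168.10.4,192.168.10.5')"
```

In use, run a real discovery scan with nmap -sn -v -oG ping.gnmap <range> covering both the target range and your candidate decoys, point the functions at that file, and pass the output of decoy_option to nmap -sS. A live decoy is a necessary condition, not a guarantee: a host whose firewall silently drops unsolicited SYN-ACKs will not send the RST either, so keep watching the target's connection table while the scan runs.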
The Zenmap GUI
Nmap has a huge list of command-line options that are hard to remember and use, even for experienced administrators. Zenmap, the official GUI for Nmap, simplifies this considerably and ships with ready-made scan profiles to choose from. The command it builds is displayed and can be run at the command line if required. The GUI also has a very useful added function: a graphical topology of the discovered hosts, showing the hops needed to reach each of them. A sample of this display is shown in Figure 1.
Figure 1: Sample Zenmap discovered hosts display
We hope that the few important concepts about the TCP/IP protocol, the power of Nmap, and the other ideas interested you!
- Nmap Network Scanning, the official guide to the Nmap Security Scanner
- Nmap in the Enterprise: Your Guide to Network Scanning, by Angela Orebaugh and Becky Pinkard