.

Author:

NMap tutorial for beginners-part 2

 

 

It’s assumed that you are root. Many options won’t work or
better to say will switch to other kind of scans if you are not root. And
sometimes it may even not give any warning before doing that. So beware!!! You
may get logged.

 

Let’s start it with various PING
features available with Nmap.

PING is a necessary evil. I’ll
explain it later on.

 

Nmap Ping Methods:

 

First thing which should always be kept in mind is that Ping
options are used to identify whether remote machine is up or not. Determining
the open ports and services running on them is not the headache of Ping
scan. Hence do your best using various Ping options to
determine whether remote machine is up or down or being protected by some
firewall.

 

Note: If user doesn’t specifies a particular ping type, an
ICMP Echo Request (-PE) followed by TCP ACK Ping (-PA) (by default on port 80
because most packet filters allow port 80) takes place. You can confirm it
looking up the default ping options selected in the GUI Nmap.

 

Nmap provides various kinds of PING
options and note that all of them start with the letter ‘P’. Various combinations
of these Ping options can be used in order to increase
the chances of getting across packet filters and firewalls.

 

  • -PE      ICMP
    Echo Request

It’s simply the ICMP Echo request
and corresponding ICMP Echo reply packet and is best to determine the
availability of machine. Drawback is that it’s the most common protocol
filtered by firewalls/packet filters. If you get response to this ping, it’ll
indicate that there is very less filtering between you and your destination.

 

  • -PA[port number]       TCP ACK Ping

Helpful to determine
filtered/unfiltered ports, hence useful when there is some firewall protecting
the machine.

 

#nmap –vv 192.168.0.1 –PA23,110

 

Here in this example, NMap will
ping port 23 and 110 of the remote machine with ACK packets. If the remote
machine is up or unfiltered, it will respond with RST packet. But in case it’s
down or ports are filtered, there will be no response and hence the scan will
stop. Hence in order to get through firewall, try different ports.

If no port is specified, port
number 80 will be pinged (which is generally the best one to ping as most
packet filters allow traffic to port number 80).

 

These two above specified Ping
scans run by default when you don’t specify any kind of Ping
scan.

 

 

  • -PS[port number]        TCP SYN Ping

Its functionality is same as SYN
scan. Nmap machine sends SYN packet to remote machine. Open port will respond
with ACK/SYN and closed will respond with RST. Hence can be used to determine
whether remote machine is up or not. Ports can be specified, 80 is the default
one.

 

#nmap –vv –n 192.168.0.1 –PS           (will ping port number 80)

#nmap –vv –n 192.168.0.1 –PS23,110            (will ping 23 and 110 number ports)

 

 

  • -PU[port number]       TCP UDP Ping

By default it sends UDP frames at
port number 31338. UDP frames sent to closed ports responds with “ICMP port
unreachable” message. If the remote port is open, it may or may not respond,
because many UDP applications don’t send a response to any random incoming
frame. Hence it should be tried to send the UDP frame to closed port. It
heavily relies on ICMP packets, so if ICMP is filtered there may be no response
to the UDP ping.

 

#nmap –vv –n 192.168.0.1 –PU           (default port is 31338)

#nmap –vv –n 192.168.0.1 –PU<any
port which you think would be closed>

 

 

  • -PP      ICMP
    Timestamp Ping

ICMP Timestamp ping is used to
allow two separate systems to coordinate their time-of-day clocks.

Avoid using it as NTP (Network Time
Protocol) has replaced it. Hence Timestamp packets may raise eyebrows of
trained eyes.

Moreover it doesn’t works properly
when firewall is there as it relies heavily on ICMP.

 

  • -PM     ICMP
    Address Mask
    Ping

It operated by sending an ICMP
address mask request to a remote device. Most modern operating systems and
routers will not respond to this request, hence this ICMP ping type doesn’t
work on most modern systems.

Hence forget it.

 

 

 

 

Conclusion:

If some firewall or packet filter is there on the remote device, better
choice would be a non-ICMP based ping type
.

 

 

  • PO      Don’t Ping

If you know that the remote machine
is up and running, you can use this option to remain a bit stealthier. Hence
direct scanning of the target will start without pinging the machine. It should
be used when using Decoys, otherwise ping packets will reach target from your
machine only and from none of the decoys. Hence the purpose of using Decoys
will loose its essence.

But as I told “Ping
is a necessary evil”, Nmap gather some important timing information from the
ping process, so disabling the ping process will put nmap at a disadvantage
when the scan begins. Actually it determines the accurate round-trip-time
during ping.

 

 

 

 

 

Something about operating system
fingerprinting

 

The usage of –O has been discussed
in the 1st part of this tutorial. It gives the information of the
operating system running on the remote machine which is must before launching
some kind of exploit.

For this Nmap need at least one
open and one closed port. If it doesn’t get, it may not give the correct
results.

 

  • –osscan_limit

This option will abort OS
fingerprinting if both open and closed ports are not available, hence will save
a hell lot of time instead of getting incorrect results.

I personally feel that third party
tools should also be used to get the correct results about the remote machines
operating system.

 

 

  • -A (Additional, Advanced, and
    Aggressive)

Its combination of “-O” and “-sV”
i.e. operating system fingerprinting and service version scan

 

#nmap –vv –n 192.168.0.1 –O –sV

is same as

#nmap –vv –n 192.168.0.1 -A

 

 

 

 

Inclusion and Exclusion of Hosts and
Ports

 

Sometimes it may be the scenario
that you don’t want to scan particular IP address or range of IP addresses.
E.g. Government IP’s or IP’s of routers and switches of your network etc.

So here we have few options for
that:

 

  • Exclude Targets (–exclude <host 1,
    host 2, host 3….>)

The IP addresses specified will not
be scanned by Nmap.

 

#nmap –vv –n –sS 192.168.0.1/24 –exclude
192.168.0.2-4, 192.168.0.7

 

This will scan the whole subnet
except 192.168.0.2, 192.168.0.3, 192.168.0.4, and 192.168.0.7.

 

 

 

  • Exclude Targets in File (–excludefile
    <file name>)

Here instead of specified the IP
addresses which must not be scanned, user has to maintain a file including the
list of IP address, one IP address per line.

 

#nmap –vv –n -sS 192.168.*.*
–excludefile filename.txt

 

Content of filename.txt could be as
following:

192.168.0.1-4              (exclude 192.168.0.1 à
192.168.0.4)

192.168.3-5.*              (exclude 192.168.3.0 à
192.168.5.255)

192.168.6.*                 (exclude 192.168.6.0 à 192.168.6.255)

etc.

 

The benefit of –excludefile option
is that a permanent exclusion file can be made including IP address of
organizations/individuals whom you would never like to scan These IP address
may not be the part of current scan, but it won’t harm making such a permanent
exclusion file and upgrading it.

 

–excludefile and –exclude options
can’t be used on the same scan.

 

 

  • Read Targets from File (-iL
    <inputfilename>)

Instead of supplying IP address at
the command line of Nmap scan, a file can be maintained containing IP addresses
separated by tabs, spaces, or by separate lines.

 

When this option is used, any IP
address specified on the command line will be ignored without any warning
message.

 

#nmap –vv –n –iL input.txt

#nmap –vv –n –iL input.txt
192.168.1.1            (Here 192.168.1.1
will be ignored)

 

If host exclusion options,
–exclude or –excludefile, are used with –iL option, the excluded addresses
will override any inclusions on the command line or file.

 

 

 

          Scanning
Random number of Targets

 

  • -iR <number of hosts to be
    scanned>

 

You may be
looking for just web server’s or some other server’s world wide, i.e.          Random machines running a particular
service on a particular port only.

E.g. telent at
port number 23

SMTP at port
number 25

Web server at
port number 80 etc.

 

#nmap –vv –n –iR
100 –p 80

scan 100 random
machines for port number 80

 

#nmap –vv –n –iR
0 –p 80       (that’s zero and not capital
‘O’)

Scan “unlimited” number of machines
for port number 80. So here you see, Nmap will scan thousands and thousands of
machines. Scan won’t begin to report any result until 500 hosts are identified.
Hence run this type of scan with one of Nmap’s logging option (will be
discussed soon)

 

#nmap –sS –PS80
–iR 0 –p 80

It will run a
TCP SYN scan using a SYN ping on port 80 to an unlimited number           of random IP addresses. The SYN scan
only scans port 80.

 

-iL, –exclude,
–excludefile, none of them can be used with –iR option.

 

  • –randomize_hosts

      #nmap
–vv –randomize_hosts –p 80 192.168.*.*        

     

As its clear from the scan command,
nmap will randomize the hosts to be scanned.

-iL, –exclude, and –excludefile
can be used with this option.

 

      Groups
of 2,048 hosts at a time are randomly chosen, and hence makes entire scan       less conspicuous when examining traffic
patterns.

 

 

 

 

 

 

Various Logging Options

 

You may want to store the output of
Nmap. Reasons may be any of the following:

1.      You
are scanning hundreds of machines, so don’t want to stare at monitor for all
the time.

2.      You
are starting the scan in night and would like to see the result in morning.

3.      You
may want to keep the records for future reference

4.      You
want to pause/stop Nmap and at later time would like to resume the scan.

            …..and
many more reasons could be there.

 

So here are the various logging
options for NMap

 

 

  • Normal Format:

      -oN <log file name>

 

      It
saves a similar view of the output that’s displayed on the screen during an
nmap          scan. No need to assign any
extension to the output file. It will have .nmap          extension.

 

  • XML Format

      -oX <log file name>  

 

      It
presents the output of Nmap in very nice format in any browser. Actually Nmap         includes an XSL file that translates the
XML information into a viewable HTML        format
that can be displayed in any browser.

      The
output file will have .xml extension.

 

  • Grepable Format

      -oG <log file name>  

 

      The
output file will have .gnmap extension.

 

  • All Formats

      -oA <base file name>

     

      Will
produce three output files, Normal,
XML and Grepable.   

      Suppose
the name of base file is target, so you will get the following three files:

    1. target.nmap
    2. target.xml
    3. target.gnmap

 

  • Script Kiddie Format

      -oS <log file name>

     

      Output
would be in script Kiddie language

 

 

 

Resuming the scan

 

It’s a good thing to do. You may be
in the midst of a long scan when you have to turn off your computer or power
failure etc. Can be interrupted using control-C key combination.

Suppose you are scanning a subnet
of 100 machines and currently machine number 45 is getting scanned when you stop
the scan. When you resume the scan next time, all the machines which were
scanned before machine number 45 won’t be scanned again. But the scanning of
machine 45 will start from scratch again as it was interrupted in between.

Hence do not use resuming option
when you are scanning only one machine.

 

–resume <log file name>

 

This log file
has to be either in Normal format (-oN) or Grepable
(-oG) format. XML output won’t work with it.

 

If a scan is interrupted that used
the –randomize_hosts option, nmap has no method to recreate the same randomness
that was used in the initial scan. Hence it may repeat some scan and may skip
some of the hosts. So don’t use it with –randomize_hosts option.

 

 

Few options which generally should
always be included in all scans are:

-vv             verbose mode

-n               speeds
up the scan and log is maintained on the DNS servers.

-oA            to get output files so that scan can be resumed.

–excludefile           It should be update with the most
important IP addresses.

 

I’m leaving the various options of
packet tuning and timing options as they should be considered as advanced
techniques and this tutorial is for beginners specially.

 

I would write one more article in
this series containing thing which must be and must not be done using Nmap.

 

 

Reference: Nmap man pages and
“Secrets of Network Cartography” by James Messer

 

 

 

–|3O|||)–

Leave a Reply

Your email address will not be published. Required fields are marked *