Running on console/command prompt
First part of a two-part series
Nmap is a great security tool developed by "Fyodor". Originally it was a *nix tool, but it is now available on various platforms and with a GUI as well.
This tutorial is for newbies and skiddies who would like to learn the proper way of using it. Geeks can use it to brush up on things.
I would opt for the command line/console, as I love it. I won't be going into great depth on Nmap; for that you should read a book on it. I'll try to give examples.
I'm assuming that you are "root". A normal user won't be able to execute many of its powerful scanning techniques. So let's start....
Let the IP address to be scanned be 192.168.0.1. In the simplest case you just give Nmap that address.
A few default things are also executed along with what you typed. The actual string executed is:
#nmap -R -sS 192.168.0.1
Let's deal with "-R" here; we will see -sS later on.
It's a query to the DNS server for a reverse DNS name lookup, i.e. requesting some "name" attached to the specified IP address. That's generally the case with servers. Hence, if you don't desperately need the "name", avoid it using the "-n" option.
#nmap -n 192.168.0.1 or #nmap -n -sS 192.168.0.1 (both are the same)
'-n' disables reverse DNS.
Many DNS servers log name resolutions, so running an Nmap scan without disabling name resolution may cause the Nmap station to appear in the DNS logs, as it attempts to resolve the name of every workstation it scans!
Disabling this option will speed up the scan manifold, especially if you are scanning many machines.
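The DNS-log side of this point is worth seeing from the server's chair. The script below is an added example (not part of the original tutorial and not Nmap code): it reads constructed query-log lines, loosely modelled on a BIND-style "query:" log, and flags any client that asks for PTR records of many distinct addresses within a short window, which is exactly the trace a scan with reverse DNS left on leaves behind. The log format, client addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample query-log lines (format loosely modelled on a BIND-style
# "query:" log; not real log data). Client 192.168.0.50 is a scanner that left
# reverse DNS on and resolves one address after another; 192.168.0.70 is a
# normal client doing a couple of forward (A) lookups.
SAMPLE_LOG = """\
01-Mar-2024 10:15:01.100 client 192.168.0.50#40001: query: 1.0.168.192.in-addr.arpa IN PTR
01-Mar-2024 10:15:01.150 client 192.168.0.50#40002: query: 2.0.168.192.in-addr.arpa IN PTR
01-Mar-2024 10:15:01.200 client 192.168.0.70#53011: query: www.example.com IN A
01-Mar-2024 10:15:01.210 client 192.168.0.50#40003: query: 3.0.168.192.in-addr.arpa IN PTR
01-Mar-2024 10:15:01.260 client 192.168.0.50#40004: query: 4.0.168.192.in-addr.arpa IN PTR
01-Mar-2024 10:15:01.310 client 192.168.0.50#40005: query: 5.0.168.192.in-addr.arpa IN PTR
01-Mar-2024 10:15:02.000 client 192.168.0.70#53012: query: mail.example.com IN A
01-Mar-2024 10:15:02.050 client 192.168.0.50#40006: query: 6.0.168.192.in-addr.arpa IN PTR
01-Mar-2024 10:19:30.000 client 192.168.0.50#40007: query: 7.0.168.192.in-addr.arpa IN PTR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def parse_queries(text):
    """Yield (timestamp, client_ip, name, qtype) for every parsable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m["client"], m["name"], m["qtype"]


def ptr_target(name):
    """Turn '1.0.168.192.in-addr.arpa' back into '192.168.0.1' (IPv4 only)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def find_reverse_lookup_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: [distinct addresses]} for every client that asked PTR
    records for at least `threshold` distinct addresses inside one `window`.
    A sliding window runs over each client's PTR queries in time order."""
    per_client = defaultdict(list)
    for ts, client, name, qtype in parse_queries(text):
        if qtype != "PTR":
            continue
        target = ptr_target(name)
        if target:
            per_client[client].append((ts, target))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {t for _, t in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[client] = sorted(distinct)
                break
    return flagged


if __name__ == "__main__":
    for client, targets in find_reverse_lookup_bursts(SAMPLE_LOG).items():
        print(f"{client}: {len(targets)} reverse lookups within a minute -> {targets}")
```

With the constructed log, 192.168.0.50 is reported after its fifth distinct PTR query in the same second, while the 10:19:30 lookup falls outside the window and the forward lookups from 192.168.0.70 are ignored. Tune `threshold` and `window` to the normal rate of reverse lookups on your own resolver before turning this into an alert.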
Now you may notice that Nmap doesn't do anything for a while and then suddenly comes up with the result. It actually does a lot of work in that duration. To see all of it you must use the '-v' option, called verbose.
#nmap -v -n 192.168.0.1
For more verbosity use '-vv'
#nmap -vv -n 192.168.0.1
Scanning more than one machine
Ok, so up to here we were scanning one host only. What will you do to scan more than one host?
There are various ways of doing this. Let's consider a few of them; the rest you should be able to think of:
Suppose you have to scan 192.168.0.1, 192.168.0.2 and 192.168.0.3
#nmap -vv -n 192.168.0.1,2,3 or
#nmap -vv -n 192.168.0.1-3
#nmap -vv -n 192.168.0.1-3,6,12-20
It will scan 1, 2, 3, 6 and 12 to 20.
If you have to scan all the machines in the subnet:
#nmap -vv -n 192.168.0.1-254 or
#nmap -vv -n 192.168.0.* or
#nmap -vv -n 192.168.0.1/24 (you should know subnetting for it)
#nmap -vv -n 192.168.1-2.* will scan 192.168.1.0 to 192.168.2.255. It can also be written as:
#nmap -vv -n 192.168.1,2.0-255
Hope you have enough brain to get these things.
Scanning specific ports:
Suppose you have to scan specific ports only and not the default ones. You should use '-p' for that.
#nmap -vv -p 80 192.168.0.1. It will scan port 80 only.
#nmap -vv -p 21,23,25,80-100 192.168.0.1. It will scan port numbers 21, 23, 25 and 80 to 100.
#nmap -vv -n -p 21,23,25 192.168.1-2.*
-vv: verbose mode
-n: no DNS lookup (speeds up the scan and doesn't let the DNS server log anything)
-p 21,23,25: only these three ports
192.168.1-2.*: the machines 192.168.1.0 to 192.168.2.254.
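To make the target and port notation from the last two sections concrete, here is an added example (my own code, not Nmap's parser) that expands the same spellings into the addresses and ports they cover: CIDR, per-octet lists and ranges, the "*" wildcard, and "-p" style port lists. It generalizes the page's cases to any combination of lists and ranges in any octet; the function names are mine, and the bounds checks are there so a typo such as "192.168.0.1-300" fails loudly instead of silently producing junk.

```python
import ipaddress
import itertools


def expand_octet(spec):
    """Expand one octet field of an Nmap-style target such as
    '5', '1-3', '1-3,6,12-20' or '*' into a sorted list of ints."""
    if spec == "*":
        return list(range(256))
    values = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"octet range out of bounds: {part!r}")
        values.extend(range(lo, hi + 1))
    return sorted(set(values))


def expand_targets(spec):
    """Return the IPv4 addresses (as strings) a target spec covers.
    Handles CIDR (192.168.0.1/24) and per-octet lists, ranges and
    wildcards (192.168.1-2.*, 192.168.0.1-3,6,12-20, 192.168.1,2.0-255)."""
    if "/" in spec:
        # strict=False lets a host address like 192.168.0.1/24 name its network.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields: {spec!r}")
    octets = [expand_octet(f) for f in fields]
    # Cartesian product over the four octets, in the natural address order.
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def expand_ports(spec):
    """Return the sorted list of ports a '-p' spec such as '21,23,25,80-100' covers."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of bounds: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


if __name__ == "__main__":
    print(expand_targets("192.168.0.1-3,6,12-20"))
    print(len(expand_targets("192.168.1-2.*")), "hosts")
    print(len(expand_targets("192.168.0.1/24")), "hosts in the /24")
    print(expand_ports("21,23,25,80-100"))
```

A dry run like this is a cheap sanity check before a real scan: a spec that expands to thousands more hosts or ports than you intended is a mistake you want to catch on paper, not in a firewall log.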
Various Scanning options:
There are many scanning
options available with Nmap. All have their advantages and disadvantages. You
should use them according to your requirements.
-sS: SYN scanning
SYN scan gathers information about open ports without completing the TCP handshake. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning.
It is the default scanning technique if you are "root". It's the most common scan to use because it works on all networks, across all operating systems.
A TCP SYN scan never actually creates a TCP session, so it isn't logged by the destination host's applications. Hence it's a quiet scan.
You need privileged access to the system.
# nmap -vv -n -sS 192.168.0.1
-sT: TCP connect scanning
It performs the full 3-way handshake.
You don't need to have privileged access.
It completes a TCP connection, so it is apparent when application connection logs are reviewed.
I would suggest you never ever use it.
# nmap -vv -n -sT 192.168.0.1
-sF, -sX, -sN: FIN scan, Xmas tree scan, NULL scan.
These are called "stealth" scans. They send a single frame to a TCP port without any TCP handshaking or additional packet transfers. They are more "stealth" than a SYN scan and can be used only if the remote machine is not a Windows-based machine. I'll tell you why.
These scans operate by manipulating the bits of the TCP header. Nmap creates TCP headers that combine bit options that should never occur in the real world. These purposely mangled TCP header packets are thrown at a remote device, and Nmap watches for the responses.
Windows systems will reply with a RST frame for all queries, regardless of the status of the specific port that was queried.
Since no TCP sessions are established, they are quite stealthy.
They can't be used against Windows-based machines.
# nmap -vv -n -sF 192.168.0.1
# nmap -vv -n -sX 192.168.0.1
# nmap -vv -n -sN 192.168.0.1
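The "bit options that should never occur in the real world" are the reason these scans are also easy to recognise on the wire. The following is an added example, written for this page rather than taken from Nmap or the tutorial: it parses the fixed TCP header from raw bytes, reads the flag byte, and names the probe style each combination corresponds to, covering the SYN scan from the -sS section and the FIN, Xmas and NULL probes from this one. The five sample segments are constructed in the script itself (no packets are sent or captured) so the classifier can be run offline; the style names are my own labels.

```python
import struct

# TCP flag bits, low byte of the 16-bit data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(data):
    """Parse the fixed 20-byte TCP header from raw bytes (no IP header).
    Returns ports, sequence numbers, the data offset in bytes and the flag byte."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _cksum, _urgptr = struct.unpack(
        "!HHIIHHHH", data[:20]
    )
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0xFF,
        "window": window,
    }


def classify_probe(flags):
    """Name the probe style a flag combination corresponds to.
    NULL (no flags), FIN alone and FIN+PSH+URG ("Xmas") are combinations a
    real TCP stack never emits on its own, so they stand out as scan probes.
    A lone SYN is what a SYN scan sends, but also any ordinary connection
    attempt, so it is labelled separately rather than called a scan."""
    base = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if base == 0:
        return "null-scan"
    if base == FIN:
        return "fin-scan"
    if base == (FIN | PSH | URG):
        return "xmas-scan"
    if base == SYN:
        return "syn-only"
    if base & SYN and base & FIN:
        return "malformed-syn-fin"
    return "normal"


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Assemble a 20-byte TCP header (no options, zero checksum).
    Used here only to construct the detector's test input."""
    off_flags = (5 << 12) | flags          # 5 * 4 = 20-byte header
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def scan_segments(segments):
    """Count probe styles across raw TCP headers, e.g. from a capture."""
    counts = {}
    for seg in segments:
        style = classify_probe(parse_tcp_header(seg)["flags"])
        counts[style] = counts.get(style, 0) + 1
    return counts


# Constructed segments (not captured traffic): a NULL, FIN, Xmas and SYN probe
# to port 80, plus an ordinary ACK-only segment from an established connection.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, 0),
    build_tcp_header(40001, 80, FIN),
    build_tcp_header(40002, 80, FIN | PSH | URG),
    build_tcp_header(40003, 80, SYN),
    build_tcp_header(40004, 80, ACK, seq=1, ack=1),
]


if __name__ == "__main__":
    for seg in SAMPLE_SEGMENTS:
        hdr = parse_tcp_header(seg)
        print(f"{hdr['sport']} -> {hdr['dport']} flags=0x{hdr['flags']:02x} "
              f"{classify_probe(hdr['flags'])}")
    print(scan_segments(SAMPLE_SEGMENTS))
```

The same classifier explains the Windows caveat above: a stack that answers every such probe with RST gives the scanner nothing to distinguish open from closed ports, but the probes themselves are still visible to anything watching the flag byte, so "stealth" here means quiet in the application log, not invisible on the network.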
-sU: UDP scan.
It's the only scan in Nmap's arsenal to identify UDP ports.
# nmap -vv -n -sU 192.168.0.1
-sO: Protocol scan
Sometimes it has to be checked what protocols the remote machine is running. It locates uncommon IP protocols that may be in use on the remote system. Hence it helps in determining the type of remote device, i.e. whether it is a router, a printer or some other kind of device.
This scan will appear on any network monitoring application that identifies the IP protocol types in use.
# nmap -vv -n -sO 192.168.0.1
-sR: RPC scan.
It is used to locate and identify RPC applications. It runs automatically during a version scan (-sV, explained later).
This scan opens application sessions and hence it will be logged.
# nmap -vv -sR 192.168.0.1
-sV: Version scan
The scans which we have seen by now give you the status of the port and the service running on it. For exploiting the service you need the exact version number of the service. Version scan gives you this.
It opens sessions with the remote applications, which will often show up in an application's log file.
# nmap -vv -sV 192.168.0.1
-sA: ACK scan
It is quite useful when there is some packet filtering device or firewall. It never locates an open port. It does the job of identifying ports that are filtered through a firewall. It doesn't open any application sessions, and hence the conversation between Nmap and the remote device is relatively simple.
It can only tell whether a port is filtered or unfiltered, but can never definitively identify an open port.
# nmap -vv -sA 192.168.0.1
-sI: Idle scan
It's the stealthiest scan you can have. Tough to launch because you need a zombie for it. It would not do justice to this great scan to describe it in just a few lines. I would recommend you read about it in detail.
You will never be caught.
It is tough to launch, as it's not easy to find a zombie machine.
-sP: Ping scan:
You must have heard of a ping sweep. It's Nmap's ping sweep.
# nmap -vv -sP 192.168.0.10
checks whether this machine is up or not.
# nmap -vv -sP 192.168.0.*
checks the whole subnet (254 machines) and will tell you which are up.
Ping scan will not interoperate with any other type of scan.
-sW: Window scan
There is little to say about it, as the number of operating systems vulnerable to its methodology is dwindling as operating systems are upgraded and patched.
-sL: List scan
I'd like to say only one line about it: you must use it if a separate application provides Nmap with a list of IP addresses. The rest, read yourself.
Operating system fingerprinting and version detection
Ok, now you can use various scanning techniques to look for open/closed or filtered/unfiltered TCP as well as UDP ports. Don't you want to know the remote operating system running???
# nmap -vv -O 192.168.0.1
It will tell you, or at least try its best to tell you, the remote operating system along with the version it's using. It needs at least one open and one closed TCP port. In case it doesn't have these, it won't be able to give an accurate result. In that case you should use some third-party tool.
A trained eye will quickly identify that someone is watching the network.
As has been explained, -sV will help you know the version of the service running on the remote machine.
# nmap -vv -sV 192.168.0.1
-A: Named as the Additional, Advanced, and Aggressive option. It comprises both the operating system fingerprinting process (-O) and the version scanning process (-sV),
i.e. the following two are the same:
# nmap -vv -sV -O 192.168.0.1
# nmap -vv -A 192.168.0.1
Enough for part 1. I'll be discussing some more advanced options in the second part of this article.