NMap tutorial for beginners – Part 1

Nmap - Part 1 (Network Mapper)

Running on console/command prompt

First part of a two-part tutorial.

Nmap is a great security tool developed by “Fyodor”. Originally it was a *nix tool, but it is now available on various platforms, with a GUI as well.

This tutorial is for newbies and skiddies who would like to learn the proper way of using it. Geeks can use it to brush up on things.

I will opt for the command line/console, as I love it. I won’t be going into great depth on Nmap; for that you should read a book on it. I’ll try to give examples in between.

I’m assuming that you are “root”. A normal user won’t be able to execute many of its powerful scanning techniques. So let’s start….

Let the IP address to be scanned be 192.168.0.1. In its simplest form the scan is:

# nmap 192.168.0.1

A few default options are also applied along with the above command. The command actually executed is:

# nmap -R -sS 192.168.0.1

Let’s deal with “-R” here; we will see -sS later on.

It’s a query to a DNS server for a reverse DNS lookup, i.e. a request for the “name” attached to the specified IP address. Servers generally have one. Hence, if you don’t need the “name” desperately, avoid the lookup using the “-n” option:

# nmap -n 192.168.0.1 or # nmap -n -sS 192.168.0.1 (both are the same)

‘-n’ disables reverse DNS. Many DNS servers log name resolutions, so running an Nmap scan without disabling name resolution may cause the Nmap station to appear in the DNS logs, because Nmap attempts to resolve the name of every workstation it scans!

Disabling reverse DNS will also speed up the scan manifold, especially if you are scanning many machines simultaneously.

Now you may notice that Nmap doesn’t do anything for a while and then suddenly comes up with the result. It actually does a lot of work in that time. To see all of it you must use the ‘-v’ option, called verbose:

# nmap -v -n 192.168.0.1

For more verbosity use ‘v’ twice:

# nmap -vv -n 192.168.0.1
Scanning more than one machine

Ok, so up to here we were scanning one host only. What will you do to scan more than one host?

There are various ways of doing this. Let’s consider a few of them; the rest you should be able to think of yourself.

Suppose you have to scan 192.168.0.1, 192.168.0.2 and 192.168.0.3:

# nmap -vv -n 192.168.0.1,2,3 or

# nmap -vv -n 192.168.0.1-3

Generalizing further:

# nmap -vv -n 192.168.0.1-3,6,12-20

It will scan 1, 2, 3, 6 and 12 to 20.

If you have to scan all the 254 machines:

# nmap -vv -n 192.168.0.1-254 or

# nmap -vv -n 192.168.0.* or

# nmap -vv -n 192.168.0.1/24 (you should know subnetting for it)

# nmap -vv -n 192.168.1-2.*

It will scan 192.168.1.0 to 192.168.2.255. It can also be written as:

# nmap -vv -n 192.168.1,2.0-255

Hope you have enough brain to get these things.

Scanning specific ports:

Suppose you have to scan specific ports only and not the default ones. You should use ‘-p’ for that:

# nmap -vv -p 80 192.168.0.1

It will scan port 80.

# nmap -vv -p 21,23,25,80-100 192.168.0.1

It will scan port numbers 21, 23, 25 and 80 to 100.

# nmap -vv -n -p 21,23,25 192.168.1-2.*

This combines:

· Verbose mode (for interactive use)

· Disabled reverse DNS lookup (speeds up the scan and doesn’t let the DNS server log anything)

· Scanning specific ports

· Scanning the 192.168.1.0 to 192.168.2.254 machines.
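The target and port notation used above, as an added example that is not part of the tutorial: a small Python expansion of Nmap-style target specs (comma lists, a-b ranges, `*`, CIDR) and `-p` port specs into concrete values. The rules are my reading of the syntax shown on this page, not Nmap’s own code; only the standard library is used.

```python
# Added example (not from the tutorial): expand Nmap-style target and port
# specifications such as 192.168.0.1-3,6,12-20, 192.168.1-2.*, 192.168.0.1/24
# and -p 21,23,25,80-100 into concrete addresses and port numbers.
import ipaddress
from itertools import product


def expand_ranges(spec: str, low: int, high: int) -> list[int]:
    """Expand a comma list of numbers and a-b ranges (or '*') within [low, high]."""
    if spec == "*":
        return list(range(low, high + 1))
    values: list[int] = []
    for part in spec.split(","):
        if "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (low <= start <= end <= high):
            raise ValueError(f"out of range: {part!r}")
        values.extend(range(start, end + 1))
    return sorted(set(values))


def expand_targets(spec: str) -> list[str]:
    """Return every IPv4 address covered by an Nmap-style target expression."""
    if "/" in spec:  # CIDR form, e.g. 192.168.0.1/24 (host bits are ignored)
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]  # whole block, network and broadcast included
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad target spec: {spec!r}")
    # Each octet may carry its own list/range/wildcard; take the cross product.
    choices = [expand_ranges(o, 0, 255) for o in octets]
    return [".".join(map(str, combo)) for combo in product(*choices)]


def expand_ports(spec: str) -> list[int]:
    """Expand a -p argument such as 21,23,25,80-100 into port numbers."""
    return expand_ranges(spec, 1, 65535)


if __name__ == "__main__":
    for spec in ("192.168.0.1,2,3", "192.168.0.1-3,6,12-20",
                 "192.168.1-2.*", "192.168.0.1/24"):
        hosts = expand_targets(spec)
        print(f"{spec:24} -> {len(hosts)} hosts: {hosts[0]} .. {hosts[-1]}")
    print(expand_ports("21,23,25,80-100"))
```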

 

 

Various Scanning options:

There are many scanning options available in Nmap. All have their advantages and disadvantages. You should use them according to your requirements.

· -sS: SYN scanning

A TCP SYN scan gathers information about open ports without completing the TCP handshake. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as “half open” scanning.

It’s the default scanning technique if you are “root”. It’s the most common scan to use because it works on all networks, across all operating systems.

ADV:

The TCP SYN scan never actually creates a TCP session, so it isn’t logged by the destination host’s applications. Hence it’s a quiet scan.

DISADV:

You need privileged access to the system.

# nmap -vv -n -sS 192.168.0.1

· -sT: TCP connect scanning

It performs the full 3-way handshake.

ADV:

You don’t need to have privileged access.

DISADV:

Since it completes a TCP connection, it is apparent when application connection logs are examined.

I would suggest you never use this scan.

# nmap -vv -n -sT 192.168.0.1

· -sF, -sX, -sN: FIN scan, Xmas tree scan, NULL scan

These are called “stealth” scans. They send a single frame to a TCP port without any TCP handshaking or additional packet transfers. They are more “stealthy” than a SYN scan and should be used only when the remote machine is not a Windows-based machine. I’ll tell you why.

These scans operate by manipulating the bits of the TCP header. Nmap creates TCP headers that combine flag bits in ways that should never occur in the real world. These purposely mangled TCP header packets are thrown at the remote device, and Nmap watches for the responses.

Windows-based systems will reply with an RST frame to all of these probes, regardless of the status of the specific port that was queried.

ADV:

Since no TCP sessions are established, they are quite stealthy.

DISADV:

Can’t be used against Windows-based machines.

# nmap -vv -n -sF 192.168.0.1

# nmap -vv -n -sX 192.168.0.1

# nmap -vv -n -sN 192.168.0.1

· -sU: UDP scan

The only scan in Nmap’s arsenal that identifies UDP ports.

# nmap -vv -n -sU 192.168.0.1
· -sO: Protocol scan

Sometimes you have to check which IP protocols the remote machine is running. This scan locates uncommon IP protocols that may be in use on the remote system. Hence it helps in determining the type of remote device, i.e. whether it is a router, a printer, a workstation, etc.

DISADV:

This scan will appear on any network monitoring application that identifies the IP protocol types in use.

# nmap -vv -n -sO 192.168.0.1
· -sR: RPC scan

It’s used to locate and identify RPC applications. It runs automatically during a version scan (-sV, explained later).

DISADV:

An RPC scan opens application sessions and hence it will be logged.

# nmap -vv -sR 192.168.0.1
· -sV: Version scan

The scans we have seen so far give you the status of the ports and the service running on them. For exploiting a service you need the exact version number of the service. A version scan gives you this.

DISADV:

It opens sessions with the remote applications, which will often show up in an application’s log file.

# nmap -vv -sV 192.168.0.1
· -sA: ACK scan

It’s quite useful when there is some packet filtering device or firewall in between. It never locates an open port; its job is to identify which ports are filtered by a firewall. It doesn’t open any application sessions, and hence the conversation between Nmap and the remote device is relatively simple.

DISADV:

It can only tell whether a port is filtered or unfiltered, but it can never definitively identify an open port.

# nmap -vv -sA 192.168.0.1
· -sI: Idle scan

It’s the stealthiest scan you can have. Tough to launch, because you need a zombie for it. It would not do justice to this great scan to describe it in just a few lines. I would recommend you read about it in detail.

ADV:

You will never be caught.

DISADV:

Tough to launch, as it’s not easy to find a zombie machine.
· -sP: Ping scan

You must have heard of a ping sweep. This is Nmap’s ping sweep.

# nmap -vv -sP 192.168.0.10

will check whether this machine is up or not.

# nmap -vv -sP 192.168.0.*

will check the whole subnet (254 machines) and tell you which are up.

DISADV:

Ping scan will not interoperate with any other type of scan.
· -sW: Window scan

Forget it. The number of operating systems vulnerable to its methodology is dwindling as operating systems are upgraded and patched.

· -sL: List scan

I would like to say only one line about it: you must use it if a separate application provides Nmap with a list of IP addresses. The rest you can read yourself.
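The SYN, ACK, FIN, Xmas and NULL probes described above are distinguishable on the wire by their TCP flag bits. As an added example from the monitoring side (my code, not the tutorial’s or Nmap’s), here is a small Python classifier that names the probe type from the flags and reports a source that sprays one probe type across many ports; the flag constants are the real TCP header bits, the packet records are constructed sample data.

```python
# Added example (not from the tutorial): defender-side classification of the
# single-frame probe types the tutorial describes, over constructed records.
from collections import defaultdict
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = FIN | SYN | RST | PSH | ACK | URG

# Flag combinations seen in the probes above. NULL, FIN and Xmas never occur in
# a legitimate session; a lone SYN or ACK can, so those need the port spread.
PROBE_SIGNATURES = {
    0: "NULL scan (-sN)",
    FIN: "FIN scan (-sF)",
    FIN | PSH | URG: "Xmas scan (-sX)",
    SYN: "SYN probe (-sS, or an ordinary connect attempt)",
    ACK: "ACK probe (-sA, or a stray ACK)",
}


def classify_flags(flags: int) -> Optional[str]:
    """Name the probe type a single TCP header's flags correspond to, if any."""
    return PROBE_SIGNATURES.get(flags & FLAG_MASK)


def find_scanners(packets, min_ports: int = 5) -> dict:
    """Group inbound segments by (source, probe type) and return the sources
    that hit at least min_ports distinct destination ports with one type."""
    seen = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_flags(flags)
        if kind is not None:
            seen[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in seen.items()
            if len(ports) >= min_ports}


# Constructed sample records: (source IP, destination port, TCP flags).
SAMPLE = (
    [("10.0.0.7", p, FIN | PSH | URG) for p in (21, 22, 23, 25, 80, 110)]  # Xmas sweep
    + [("10.0.0.9", p, SYN) for p in range(80, 88)]                         # SYN sweep
    + [("10.0.0.3", 443, SYN), ("10.0.0.3", 443, ACK),                      # one normal
       ("10.0.0.3", 443, PSH | ACK)]                                        # session
)

if __name__ == "__main__":
    for (src, kind), ports in find_scanners(SAMPLE).items():
        print(f"{src}: {kind} across ports {ports}")
```

On a Windows host the FIN, Xmas and NULL probes all draw an RST whatever the port state, which is exactly why the tutorial says those three scans tell you nothing there.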

 

 

O/S fingerprinting and version detection

Ok, now you can use various scanning techniques to look for open/closed or filtered/unfiltered TCP as well as UDP ports. Don’t you want to know the remote operating system running???

-O: Operating system fingerprinting

# nmap -vv -O 192.168.0.1

It will tell you, or at least try its best to tell you, the remote operating system along with the version it’s using. It needs at least one open and one closed TCP port; if it doesn’t have them, it won’t be able to give an accurate result. In that case you should use some third-party tool.

DISADV:

A trained eye will quickly identify that someone is watching the network.
-sV: Version detection

As has been explained, it will help you know the version of the service running on the remote machine.

# nmap -vv -sV 192.168.0.1

-A: Named the Additional, Advanced, and Aggressive option

It comprises both the operating system fingerprinting process (-O) and the version scanning process (-sV), i.e. the following two are the same:

# nmap -vv -sV -O 192.168.0.1 and

# nmap -vv -A 192.168.0.1
Enough for part 1. I will be discussing some more advanced options in the second part of this article.

 

 

 

 
