Basic use of nmap

Posted on October 7, 2011



I realized I gave only a brief description of the hack in my previous post, so I decided to give a more thorough description of nmap and data tampering. Let’s start with nmap:

nmap, short for network mapper, is a free open-source security/hacking tool, developed by Gordon Lyon, that sends specially crafted packets over a computer network and analyses the responses in order to discover hosts (computers, printers, smartphones, etc.) and services (HTTP, DNS, SSH, etc.). nmap is available for Windows and UNIX (and UNIX-like) systems, which means Windows, Linux and Mac OS X.

Installation

The first step is to download the executable file (for Windows), the RPM package (for RPM-based Linux distributions) or the disk image (for Mac OS X). If you are using a Debian-based Linux, a simple apt-get install nmap should work. For other OSes, or if you run into issues, see the official nmap install guide.

Usage

Since I’m not familiar with the Graphical User Interface (GUI) of nmap (called Zenmap), I will focus on command-line usage, but you can basically type the same command lines straight into the command input field of the GUI. If you are using UNIX (or a UNIX-like system), I recommend reading the built-in help, man nmap or nmap -h, for further uses and more information.

man nmap gives us the structure of the command line: nmap [Scan Type(s)] [Options] {target specification}. For this tutorial I will present the different nmap uses in the order they would appear in a penetration test.

Host discovery

You may have no information about your target, not even its IP address. Listing the hosts on the network is a good start. For this task I would suggest netdiscover, which is more convenient in my opinion (netdiscover is dedicated to this task, its output is clearer and the commands are easier), but nmap can accomplish it just as well.

First of all, if you still don’t know your (private) IP address, run ifconfig if you are on UNIX(-like) or ipconfig if you are on Windows in your terminal/command prompt and find which IP the DHCP server allocated to you. Let’s say it is 10.0.1.100 with the mask 255.255.255.0 (/24): this means you are in the sub-network 10.0.1.0/24 and your host number is 100 (it doesn’t really matter if you don’t understand this at this point; I think I will write a tutorial about IPv4/IPv6 addresses).

Now that you know your IP address, you can start scanning for hosts in your (sub)network:

nmap 10.0.1.*
nmap 10.0.1.1-254
nmap 10.0.1.0/24

Each of those 3 commands executes the same task. When no option is set, nmap sends an ICMP echo request (ping) to each IP in the specified range. Whenever nmap finds a host up, it scans all the TCP ports. In these three cases the range of IP addresses is exactly the same. In the first command, * (asterisk) means from 0 to 255. In the second, you can select the range more precisely by giving the start and the end. The last one lets you select a whole sub-network, which is interesting when you have a mask like /20: the 2 previous forms wouldn’t work if you want to scan the whole sub-network, since it goes from 10.0.0.1 to 10.0.31.254.
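The subnet arithmetic behind the CIDR form deserves a concrete check, because a target specification that is one bit too wide scans addresses you have no authorisation for. The following POSIX sh functions are an added example, not part of the original post and not nmap's own code: they convert a dotted address to an integer, derive the network and broadcast addresses of a block such as 10.0.1.0/24, and test whether a given address falls inside that block. The function names and the sample addresses are this example's own choices; it needs no nmap and no network.

```shell
#!/bin/sh
# Added example (not part of the original post): work out which addresses an
# nmap CIDR target such as 10.0.1.0/24 actually covers, using only POSIX sh
# arithmetic, so you can confirm the target stays inside the range you are
# authorised to scan before running nmap at all.
# Function names and the sample addresses are this example's own choices.

# ip_to_int 10.0.1.100 -> 167772516 (dotted quad to 32-bit integer)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 167772516 -> 10.0.1.100
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range 10.0.1.100/24 -> "10.0.1.0 10.0.1.255 256"
# (network address, broadcast address, number of addresses in the block)
cidr_range() {
    case $1 in
        */*) ;;
        *) set -- "$1/32" ;;   # a bare address is a single host
    esac
    ip=${1%/*}
    prefix=${1#*/}
    base=$(ip_to_int "$ip")
    # Netmask: the top $prefix bits set, masked back down to 32 bits
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( base & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast") $(( bcast - net + 1 ))"
}

# in_cidr 10.0.1.37 10.0.1.0/24 -> exit status 0 if the address is inside the block
in_cidr() {
    addr=$(ip_to_int "$1")
    range=$(cidr_range "$2")
    lo=$(ip_to_int "${range%% *}")
    rest=${range#* }
    hi=$(ip_to_int "${rest%% *}")
    [ "$addr" -ge "$lo" ] && [ "$addr" -le "$hi" ]
}

# Stand-alone demonstration with the post's own addresses
echo "10.0.1.100/24 covers: $(cidr_range 10.0.1.100/24)"
echo "10.0.0.0/20   covers: $(cidr_range 10.0.0.0/20)"
```

Run it before a scan with the target you intend to pass to nmap; the third field is the number of addresses nmap will touch, which is the quickest sanity check that a /20 or /16 was not typed where a /24 was meant.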

It may be useful to restrict the port scan to a specific port; for this purpose you can use the option -p #port:

nmap -p 80 10.0.1.0/24

This command will scan all available hosts on the network 10.0.1.0/24 and check whether port 80 is open.

If you are on a network with lots of hosts connected, scanning the ports of each host could take a while. To avoid this waste of time, the option -sn can be used to skip the port scan:

nmap -sn 10.0.1.0/24

Port scan

Now that you have the list of hosts connected to your network, you can focus on one IP (let’s say 10.0.1.1) and scan it further. The first thing that might interest you, if it has not been done yet, is a port scan. The default and fastest way to do it is the TCP SYN scan (-sS). This may require root privileges (on UNIX and UNIX-like systems):

sudo nmap -sS 10.0.1.1

sudo is only for UNIX(-like) users. Once again, it is possible to limit the port scan to a certain range with -p 21-80 (in this example, nmap will scan from port 21 to port 80). This covers only TCP ports; if you want to scan UDP ports (to find a TFTP server, for instance), you will have to use the option -sU instead of -sS. It’s possible to get even more information about the open ports with the version detection option (-sV):

sudo nmap -sV 10.0.1.1

OS detection

Certain vulnerabilities depend on the operating system (OS) on which the service is installed, and there are many other reasons OS detection is useful. -O is the option for OS detection. This also needs root privileges:

sudo nmap -O 10.0.1.1

All the previous options can be combined. You can scan all TCP ports, looking for the versions of the open services and for the OS:

sudo nmap -sV -O 10.0.1.1

Aggressive scan option (shortcut)

-A is a special option in nmap that groups several options: OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). I didn’t write anything about script scanning because it runs scripts that are considered intrusive and whose content I don’t know exactly. As for traceroute, it wasn’t relevant for this tutorial since we are scanning hosts on our own network.

If you are sure you have permission to run this nmap command (which may harm the scanned system), it can give interesting information about your target in one command.

Other useful options

-v and -vv increase the verbosity level.

-oN writes the output to a file (you can use -oX to format the output as XML).
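Saving the output with -oN is mostly useful when you do something with the file afterwards, typically turning the scan into an inventory of exposed services and comparing it with what you expect to be open. The script below is an added example, not part of the original post and not nmap's own tooling: it parses a constructed, abbreviated sample in the -oN normal-output format (the hostname, addresses and MAC are placeholders) with awk, lists every open port per host, and reports the ones missing from a simple allowlist. The function names and the file layout of the allowlist are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original post): read the normal output nmap
# writes with -oN, turn it into an inventory of open ports, and compare that
# inventory against the services that are expected to be exposed.
# The scan output below is a constructed, abbreviated sample in the -oN
# format; hostname, addresses and MAC are placeholders, and the function
# names are this example's own.

SCAN_FILE=$(mktemp)
ALLOW_FILE=$(mktemp)
trap 'rm -f "$SCAN_FILE" "$ALLOW_FILE"' EXIT

cat > "$SCAN_FILE" <<'EOF'
# Nmap scan initiated as: nmap -sS -oN scan.txt 10.0.1.0/24 (constructed sample)
Nmap scan report for gateway.lan (10.0.1.1)
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
MAC Address: 00:00:5E:00:53:01 (Unknown)

Nmap scan report for 10.0.1.20
Host is up (0.0030s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
139/tcp  filtered netbios-ssn
3306/tcp open     mysql

# Nmap done -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
EOF

# Expected exposure: one "host port/proto" pair per line
cat > "$ALLOW_FILE" <<'EOF'
10.0.1.1 22/tcp
10.0.1.1 80/tcp
10.0.1.20 22/tcp
EOF

# open_ports FILE -> one line per open port: "host port/proto service"
open_ports() {
    awk '
        # "Nmap scan report for NAME (IP)" or "... for IP": the last field is
        # the IP; strip the parentheses left when a hostname was resolved
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        # Port lines look like "22/tcp  open  ssh"; keep only the open ones
        /^[0-9]+\/(tcp|udp) +open / { print host, $1, $3 }
    ' "$1"
}

# unexpected_ports SCAN ALLOWLIST -> open ports not listed in the allowlist
unexpected_ports() {
    open_ports "$1" | while read -r host port svc; do
        grep -qxF "$host $port" "$2" || echo "$host $port $svc"
    done
}

echo "Open ports found:"
open_ports "$SCAN_FILE"
echo "Not in the allowlist:"
unexpected_ports "$SCAN_FILE" "$ALLOW_FILE"
```

In the sample, the filtered port on 10.0.1.20 is ignored (it is not open), and the only line reported as unexpected is the MySQL service on 10.0.1.20. Re-running the same comparison after each scan of your own network is a cheap way to notice a new service appearing where none was planned.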

This was a short tutorial about the basic uses of nmap. I hope it was interesting and that you learned something. Leave your comments below if you have questions, if something is wrong, or just to give feedback.

Sources: Wikipedia and nmap.org

Posted in: Tutorials, Wiki