nmap
DESCRIPTION
networkingTRANSCRIPT
2014-Ag-8684
Introduction:N map is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users.
The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or
network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for
offensive and defensive purposes.
More about nmap
From the man page:
Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine task.
such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
It was originally written by Gordon Lyon and it can answer the following questions easily:
1. What computers did you find running on the local network? 2. What IP addresses did you find running on the local network? 3. What is the operating system of your target machine? 4. Find out what ports are open on the machine that you just scanned? 5. Find out if the system is infected with malware or virus. 6. Search for unauthorized servers or network service on your network. 7. Find and remove computers which don't meet the organization's minimum level of security.
Sample setup (LAB)
Port scanning may be illegal in some jurisdictions. So setup a lab as follows:
---------+ ++--------- + | Network | +-------- +
| server1 |-----------+ swtich +--------- |server2 |+--------- + | (sw0) | +-------- +
+---- +---- +||
+--------- +---------- +| wks01 Linux/OSX |
+-------------------- +
2014-Ag-8684
Where,
wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server withfirewall [2]. Again, feel free to install few services such as a web-server, file server and so on. All three systems are connected via switch.
How do I install nmap?Downoad from File hippo.com.Instal it and check thfirst look that’s looks like this:
First we check a single IPv4 address.Scan a single host or an IP address (IPv4)192.168.1.1
Sample outputs
2014-Ag-8684
Scan a Host name:To Check the active ports:
Sample Output
Topology
2014-Ag-8684
This can also be done at cmd as:
#2: Scan multiple IP address or subnet (IPv4)For 192.168.100-120
Topology View
2014-Ag-8684
For 192.168.1.*
For 192.168.1.1/24
2014-Ag-8684
#3: Read list of hosts/networks from a file (IPv4)
The -iL option allows you to read the list of target systems using a text file. This is useful to scan
a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt
Sample outputs:
server1.cyberciti.biz192.168.1.0/24192.168.1.1/2410.1.2.3 localhost
The syntax is:
nmap -iL /tmp/test.txt
#4: Excluding hosts/networks (IPv4)
When scanning a large number of hosts/networks you can exclude hosts from a scan:
2014-Ag-8684
#5: Turn on OS and version detection scanning script (IPv4)
nmap -A 192.168.1.254 nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt
#6: Find out if a host/network is protected by a firewall
nmap -sA 192.168.1.101
#7: Scan a host when protected by the firewall
2014-Ag-8684
#8: Scan an IPv6 host/address
The -6 option enable IPv6 scanning. The syntax is:
nmap -6 IPv6-Address-Here nmap -6 server1.cyberciti.biz nmap -6 2607:f0d0:1002:51::4nmap -v A -6 2607:f0d0:1002:51::4
#9: Scan a network and find out which servers and devices are up and running
This is known as host discovery or ping scan
nmap -sP 192.168.1.0/24
Sample outputs
#10: How do I perform a fast scan?
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:06 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.015s latency).
Not shown: 96 filtered ports
2014-Ag-8684
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)Nmap done: 1 IP address (1 host up) scanned in 18.52 seconds#11: Only show open (or possibly open) ports Nmap –open 192.168.1.100
12: Show all packets sent and received 192.168.1.100
13#: Show host interfaces and routes
nmap --iflist
Sample outputs
2014-Ag-8684
#14: How do I scan specific ports?nmap -p 80 192.168.1.100
#15: How do I detect remote operating system?nmap -O -v --fuzzy --osscan-guess 192.168.1.1 nmap –O
2014-Ag-8684
#16: Scan a host using TCP ACK (PA) and TCP Syn (PS) pingnmap -PS 192.168.1.100Sample Output:Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:28 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.022s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 24.77 seconds
#17: Scan a host using IP protocol pingnmap -PO 192.168.1.100
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:29 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.031s latency).
2014-Ag-8684
Not shown: 996 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 32.56 seconds
#18: Scan for IP protocol
This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:
nmap -sO 192.168.1.100Sample output:Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:32 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.011s latency). Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
1 open icmp
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 26.51 seconds
#19: Scan a firewall for security weakness
The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:
nmap -sN 192.168.1.100Sample Output:Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:34 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.0090s latency).
All 1000 scanned ports on 192.168.1.100 are open|filtered
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)
2014-Ag-8684
Nmap done: 1 IP address (1 host up) scanned in 45.86 seconds
To view overall Scanning done