Difference between revisions of "Nmap"

From NetSec
(Removed unnecessary content, added formatting. Still have to fix up the tense of the article.)

Revision as of 16:07, 2 May 2012

NMAP is a network recon tool widely used in the security community. It offers everything from port scanning to OS detection and more. Most users value NMAP for its multitude of options, along with the ability to perform many different actions within a single command. NMAP stands for network map.

Correct Usage

nmap [Scan Type(s)] [Options] {target specification}

Scan Types

  • -sS
    • The advantage of a SYN scan over a connect scan is that usually the connection attempt isn't logged, because nmap won't complete the 3-way handshake. Basically it goes nmap computer -> SYN -> server, then nmap computer <- SYN/ACK <- server, and then no ACK is sent back to the server. A lot of modern firewalls will see the packets anyway, but SYN scans are good generally; -sS is one of a few ways to help camouflage your scans.
  • -sA
    • ACK scan. These are generally pretty useless. Sometimes a service will get confused when it receives a random ACK and send a SYN or a FIN. Sometimes firewalls will let random ACKs through, though it's not really guaranteed to give full results, or even any, so it is suggested not to use it unless you know the host is up and a SYN or connect scan doesn't find anything.
  • -sF
    • FIN scan. A FIN scan is very similar to an ACK scan in a lot of regards. Sometimes a service will get a random FIN packet without any initial connection and just throw something random back.
  • -sX
    • Xmas scan. Nmap will send TCP packets with every flag lit up. Many firewalls will just ignore them and pass them through to hosts. You can get some really funky results with Xmas scans, so it isn't recommended to use them as your primary scan type, but when you want to look through firewalls, or determine whether there are any firewalls protecting a host, use -sX. It is far better than -sA or -sF in that regard. Keep in mind that firewalls are starting to filter Xmas packets, so it might not work well in some situations.
  • -sU
    • UDP scan. UDP scans are very good. Since UDP isn't connection oriented, it takes a very long time to run a full UDP scan, so it is recommended you know specifically what you're looking for. So, for example: SNMP = 161, NTP = 123, RPC = 111, NFS = 2049; that's all that really matters much. You can typically get RPC on TCP, and nmap returns a list of the services from it: nfs/nfslock/etc. But in cases where you have ancient boxes, it'll be UDP. One example of how you can tell there is a firewall is if you find an open port 111 that is advertising nfs and portmap but you don't see any NFS on the host. That usually means there's a firewall blocking NFS access.
    • Just probe RPC instead of NFS though; even if the port is open the timeout is ridiculous, and RPC will tell you what port to look for NFS on. UDP scans are -sU; always use it with the -p option and know what ports to scan.
    • I know you're wondering, "isn't the point of nmap to tell me what ports are open?" Well yes, but in the UDP scan situation scanning 1000 or even 100 ports is very impractical. If you are looking for SNMP though, "-sU -p161 --script=all" will tell you which hosts are listening on SNMP and whether the community is public/private or not.
  • -sY
    • SCTP scan. Now you have SCTP scans. They're relatively useless unless you're scanning a telco or something. SCTP is a protocol like TCP, layer 3 etc., which is used in SS7, a system used by cell phone carriers and telcos. Recently there have been other applications for it since it is a really cool protocol.
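The scan types above differ only in which probe goes out and in how silence, a RST, a SYN/ACK or an ICMP error is read. The following Python is an added example (not code from this page or from the Nmap project) that encodes those inference rules as the Nmap reference guide documents them, so -sS, -sA, -sF/-sX and -sU can be compared side by side on constructed responses. The Response class and the SAMPLE_HOST data are assumptions made for the example; nothing is sent on the network.

```python
"""How a scanner turns one probe/response pair into a port state.

Added example for the Scan Types section; it is not code from this page or
from the Nmap project. The rules below follow the Nmap reference guide:
SYN/ACK vs RST for a SYN probe, RST-only answers for ACK/FIN/Xmas probes,
and ICMP destination-unreachable codes for UDP. The Response class and the
SAMPLE_HOST data are constructed for the example; nothing touches the network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# ICMP type 3 codes that count as "filtered" for a TCP probe:
# 1 host, 2 protocol, 3 port, 9 net admin-prohibited, 10 host admin-prohibited, 13 admin-prohibited.
ICMP_FILTERED = {1, 2, 3, 9, 10, 13}
ICMP_PORT_UNREACH = 3


@dataclass(frozen=True)
class Response:
    """What came back for one probe; pass None instead of an instance for silence."""
    tcp_flags: str = ""                # e.g. "SA" for SYN/ACK, "RA" for RST/ACK
    icmp_code: Optional[int] = None    # ICMP type 3 code, if an error message came back
    udp_payload: bool = False          # True if any UDP datagram came back


def infer_state(scan: str, resp: Optional[Response]) -> str:
    """Return nmap's port-state string for one probe of the given scan type."""
    if scan == "sS":                          # half-open: SYN out, never send the final ACK
        if resp is None or resp.icmp_code in ICMP_FILTERED:
            return "filtered"
        if "R" in resp.tcp_flags:
            return "closed"
        if "S" in resp.tcp_flags and "A" in resp.tcp_flags:
            return "open"
        return "filtered"
    if scan == "sA":                          # ACK probe: a RST only proves the packet got through
        if resp is None or resp.icmp_code in ICMP_FILTERED:
            return "filtered"
        return "unfiltered" if "R" in resp.tcp_flags else "filtered"
    if scan in ("sF", "sX", "sN"):            # FIN / Xmas / Null: silence is ambiguous
        if resp is None:
            return "open|filtered"
        if resp.icmp_code in ICMP_FILTERED:
            return "filtered"
        return "closed" if "R" in resp.tcp_flags else "open|filtered"
    if scan == "sU":                          # UDP: only ICMP port-unreachable proves "closed"
        if resp is None:
            return "open|filtered"
        if resp.udp_payload:
            return "open"
        if resp.icmp_code == ICMP_PORT_UNREACH:
            return "closed"
        if resp.icmp_code in ICMP_FILTERED:
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def classify_host(scan: str, responses: Dict[int, Optional[Response]]) -> Dict[str, List[int]]:
    """Group ports by inferred state, the way nmap's 'Not shown: N filtered ports' summary does."""
    table: Dict[str, List[int]] = {}
    for port in sorted(responses):
        table.setdefault(infer_state(scan, responses[port]), []).append(port)
    return table


# Constructed behaviour of one host: 22 open, 8000 closed, 23 silently dropped by a filter.
SAMPLE_HOST = {
    "sS": {22: Response(tcp_flags="SA"), 23: None, 8000: Response(tcp_flags="RA")},
    "sA": {22: Response(tcp_flags="R"), 23: None, 8000: Response(tcp_flags="R")},
    "sX": {22: None, 23: None, 8000: Response(tcp_flags="RA")},
    "sU": {53: Response(udp_payload=True), 161: None, 162: Response(icmp_code=3)},
}

if __name__ == "__main__":
    for scan, responses in SAMPLE_HOST.items():
        print(f"-{scan}: {classify_host(scan, responses)}")
```

The -sA branch is why the page calls ACK scans "pretty useless" for finding services: a RST only proves the port is unfiltered, never open. The FIN/Xmas branch returns open|filtered on silence, which is the "funky" result you get behind a firewall that drops those probes, and the UDP branch shows why -sU needs a tight -p list: every silent port costs a retransmit timeout and still ends up ambiguous.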

Options

  • -T
    • -T sets scan intensity, and is obviously the -T flag. The range of the -T flag is from 0 to 5, with 0 being highly intensive but slow and 5 being very fast but not very intense.
  • --open
    • --open means to only show open ports on hosts. When scanning more than one host, it is suggested that you use --open, which cleans up the output of nmap significantly.
  • -Pn
    • -Pn tells nmap not to do a ping scan before scanning hosts. Usually, it will take the IPs you gave it and ping them all first to see which ones are online. In previous versions of nmap, -Pn was -P0 and -PN.
  • -p80
    • -p80 tells nmap to only scan port 80; you can do multiple ports like so: -p80,113,135-139.
  • -F
    • -F will scan the 100 most popular ports, based on a huge scan of the internet by the creators of nmap.
  • -iR
    • -iR scans random hosts, so "-iR 1000" scans 1000 random IPs. With the previous parameters, it's for port 80 with ping scan enabled. This is pretty stupid to use, as it can get you in a lot of trouble if you scan the wrong thing.
  • -i
    • -i is internet wide, so you can do a random scan for webservers with -iR. This is useful for reducing attention to your activity, as it spreads it across network blocks instead of hitting just one.
  • -6
    • Enables IPv6 scanning
  • -A
    • Aggressive scan options, including -O, -sV, -sC and --traceroute
  • -h
    • Prints a help summary page
  • --privileged
    • Assumes that the user is fully privileged. When you are running nmap unprivileged, you cannot run SYN scans. In unprivileged mode, you are scanning -sT by default, that is, full connection scanning: nmap is doing a full 3-way handshake with each target. In privileged mode, you can run a lot more scan types, such as SYN scans, ACK scans, FIN scans, Xmas scans, UDP scans, SCTP scans and protocol scans.
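The -p syntax above is worth validating before a slow UDP scan, since a typo in a range turns "a few ports" into tens of thousands of probes. The following Python is an added example, not nmap's own parser: it expands the forms shown on this page ("80" and "80,113,135-139") and goes a little beyond them with three further pieces of -p syntax that nmap accepts, a lone "-" for every port, open-ended ranges such as "-1023" or "60000-", and "T:"/"U:" prefixes. The function names and the protocols argument are assumptions made for the example.

```python
"""Expand an nmap-style -p port specification into explicit port lists.

Added example, not nmap's own parser. It handles the forms shown on this
page ("80" and "80,113,135-139") plus three further pieces of -p syntax that
nmap accepts: a lone "-" for every port, open-ended ranges such as "-1023" or
"60000-", and "T:"/"U:" prefixes that bind the entries that follow to TCP or
UDP. Entries with no prefix apply to every protocol being scanned, which is
what nmap does; the protocols argument says which those are.
"""
from typing import Dict, Iterable, List

PORT_MAX = 65535


def _expand(item: str) -> range:
    """Turn "80", "135-139", "-1023", "60000-" or "-" into an inclusive range."""
    if item == "-":
        return range(1, PORT_MAX + 1)
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1
        hi = int(hi_s) if hi_s else PORT_MAX
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError(f"bad port range {item!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec: str, protocols: Iterable[str] = ("tcp",)) -> Dict[str, List[int]]:
    """Return {"tcp": [...], "udp": [...]} for a -p argument; ValueError on bad input."""
    result = {"tcp": set(), "udp": set()}
    targets = list(protocols)          # where unprefixed entries go
    for raw in spec.split(","):
        item = raw.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in ("T", "U"):
            targets = ["tcp" if item[0].upper() == "T" else "udp"]
            item = item[2:]
        if not item:
            raise ValueError(f"empty port entry in {spec!r}")
        ports = _expand(item)
        for proto in targets:
            if proto not in result:
                raise ValueError(f"unsupported protocol {proto!r}")
            result[proto].update(ports)
    return {proto: sorted(ports) for proto, ports in result.items()}


def probe_count(spec: str, protocols: Iterable[str] = ("tcp",)) -> int:
    """Number of ports a scan of this spec touches; the figure to check before -sU."""
    return sum(len(v) for v in parse_port_spec(spec, protocols).values())


if __name__ == "__main__":
    for spec, protos in (("80", ("tcp",)), ("80,113,135-139", ("tcp",)), ("U:161,123,T:22", ("udp",))):
        print(f"-p{spec}: {parse_port_spec(spec, protos)}")
```

Call probe_count with protocols=("udp",) on the spec you are about to hand to -sU; the page's advice amounts to keeping that number in the single digits.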

Misc Tricks

-D is for decoy. It lets you specify a few addresses, like: -D 2.9.11.231,99.99.99.99. nmap will forge packets with those as source addresses, alongside your legitimate packets, and send them to the remote hosts as decoys.

Target Specification

For example:

[root@crankhandle ~]# nmap -sS -A -sV blackhatacademy.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-16 06:26 EST
Nmap scan report for blackhatacademy.org (201.218.250.220)
Host is up (0.064s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.6 (protocol 2.0)
| ssh-hostkey: 1024 ad:d0:2e:72:22:89:54:91:6d:ac:4a:20:b2:2b:1b:b7 (DSA)
|_1024 7d:24:f9:a1:e6:80:6e:04:1e:3b:3c:fc:f4:4a:6f:71 (RSA)
80/tcp   open   http     Apache httpd
| robots.txt: has 5 disallowed entries 
| / /~joe/docs/ /~joe/private.html /~joe/foo.html 
|_/~joe/bar.html
|_html-title: Hacks
|_http-favicon: 
110/tcp  open   pop3     qpopper
|_pop3-capabilities: USER EXPIRE(NEVER) UIDL X-MANGLE APOP TOP OK(K Capability list follows) RESP-CODES X-LOCALTIME(Thu 16 Dec 2010 06 27 06 -0500) LOGIN-DELAY(0) AUTH-RESP-CODE X-MACRO
443/tcp  open   ssl/http Apache httpd
|_sslv2: server still supports SSLv2
| robots.txt: has 1 disallowed entry 
|_/
|_http-favicon: Apache on Linux
|_html-title: Site doesn't have a title (text/html).
8000/tcp closed http-alt
Device type: general purpose|WAP
Running (JUST GUESSING) : Linux 2.6.X (86%), PheeNet embedded (85%)
Aggressive OS guesses: Linux 2.6.15 - 2.6.26 (86%), PheeNet WAP-854GP WAP (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
Service Info: Host: meteor.localhost

TRACEROUTE (using port 8000/tcp)
HOP RTT      ADDRESS
1   3.41 ms  myrouter.home (192.168.1.1)
2   9.28 ms  L100.TAMPFL-VFTTP-109.verizon-gni.net (71.180.136.1)
3   11.41 ms G6-0-2-1709.TAMPFL-LCR-07.verizon-gni.net (130.81.105.128)
4   11.76 ms so-6-1-0-0.TPA01-BB-RTR1.verizon-gni.net (130.81.29.240)
5   31.72 ms so-7-3-0-0.ATL01-BB-RTR1.verizon-gni.net (130.81.19.30)
6   26.76 ms 0.xe-7-1-0.BR3.ATL4.ALTER.NET (152.63.80.73)
7   26.93 ms te7-2-10G.ar2.atl2.gblx.net (64.208.110.245)
8   94.42 ms 64.214.150.198
9   94.56 ms gsr1-wc.tcarrier.net (200.46.0.20)
10  86.89 ms 200.90.140.174
11  93.61 ms 201.218.239.246
12  86.18 ms 200.46.241.13
13  86.31 ms 201.218.218.51
14  88.79 ms 201.218.250.220

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.53 seconds

Now, not only have we found the open ports on the target machine, but we have found service versions, a possible operating system, and a nice traceroute to the target.
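Reading a report like the one above by eye works for one host; for a batch of them you want the open ports, versions and NSE findings in a structure you can filter. The following Python is an added example, not code from this page or from the Nmap project. SAMPLE is an excerpt of the scan report shown above (most script lines trimmed), embedded as constructed input so the parser runs offline; the function names and record layout are assumptions made for the example.

```python
"""Turn nmap's normal (screen) output into host and port records.

Added example; not code from this page or from the Nmap project. SAMPLE is an
excerpt of the scan report shown above with most NSE script lines trimmed,
embedded here as constructed input so the parser runs offline. The screen
format is meant for people, not programs: for anything you intend to keep,
run nmap with -oX and parse the XML instead.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-16 06:26 EST
Nmap scan report for blackhatacademy.org (201.218.250.220)
Host is up (0.064s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.6 (protocol 2.0)
| ssh-hostkey: 1024 ad:d0:2e:72:22:89:54:91:6d:ac:4a:20:b2:2b:1b:b7 (DSA)
|_1024 7d:24:f9:a1:e6:80:6e:04:1e:3b:3c:fc:f4:4a:6f:71 (RSA)
80/tcp   open   http     Apache httpd
110/tcp  open   pop3     qpopper
443/tcp  open   ssl/http Apache httpd
|_sslv2: server still supports SSLv2
8000/tcp closed http-alt
Device type: general purpose|WAP
Nmap done: 1 IP address (1 host up) scanned in 26.53 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[^)]+)\))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<n>\d+) (?P<state>\S+) ports?$")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>\S.*?))?\s*$"
)


def parse_normal_output(text: str) -> List[Dict]:
    """Return one dict per host with name, ip, not_shown counts and port records."""
    hosts: List[Dict] = []
    host = None
    last_port = None   # port record that following "|" script lines belong to
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = {"name": m["name"], "ip": m["ip"] or m["name"], "not_shown": {}, "ports": []}
            hosts.append(host)
            last_port = None
            continue
        if host is None:
            continue                         # banner lines before the first report
        m = NOT_SHOWN_RE.match(line)
        if m:
            host["not_shown"][m["state"]] = int(m["n"])
            continue
        m = PORT_RE.match(line)
        if m:
            last_port = {
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "version": m["version"] or "", "scripts": [],
            }
            host["ports"].append(last_port)
            continue
        if line.startswith("|") and last_port is not None:
            last_port["scripts"].append(line.lstrip("|_ ").rstrip())
            continue
        if line.strip():
            last_port = None                 # OS guesses, traceroute etc. end the port table
    return hosts


def open_ports(host: Dict) -> List[Tuple[int, str]]:
    """What --open would have shown for this host."""
    return [(p["port"], p["proto"]) for p in host["ports"] if p["state"] == "open"]


def find_script_lines(hosts: List[Dict], needle: str) -> List[Tuple[str, int, str]]:
    """Locate NSE output mentioning needle, e.g. the SSLv2 finding in the sample."""
    hits = []
    for host in hosts:
        for p in host["ports"]:
            for line in p["scripts"]:
                if needle.lower() in line.lower():
                    hits.append((host["ip"], p["port"], line))
    return hits


if __name__ == "__main__":
    for h in parse_normal_output(SAMPLE):
        print(h["ip"], open_ports(h), h["not_shown"])
    print(find_script_lines(parse_normal_output(SAMPLE), "sslv2"))
```

find_script_lines is the part a defender reuses: run it over a scan of your own hosts with a needle like "SSLv2" and you have a list of what still needs to be turned off, with the port it was seen on.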

This is a good way to tell if a host that has no open ports is alive or not. Another tip: if you are only scanning one host, use -vv instead of --open. -vv means double verbose. Verbosity is good. You can actually change the verbosity in the middle of a running scan by typing v or V during the scan: v = increase, V = decrease. You can change the debug level as well with d and D. This is useful when running a script scan. If you hit d 2 or 3 times, usually it will tell you what the current script is doing down to the operation. You should hit D a few times afterwards to get the debug level back down to 0, because if it hits the end of the script, you will not like the output.


Script Scanning

So this brings me to script scanning. http://nmap.org/nsedoc/ is a very good reference. In a script scan, --script= is used. You can set individual scripts like: "--script=auth-owners,ftp-brute,finger". Script scans are great; they even have scripts to probe MySQL info, ircd info, etc., all kinds of data.

You can also run groups of scripts like: "--script=auth,dos,malware,intrusive,exploit,vuln". It will run them in the order specified. Note that nmap won't complete until every script finishes, so you won't get pretty output until it's done.

The other thing you can do is: "--script=all". This isn't recommended; it tries to exploit, violate, DoS, and break into remote hosts. Another useful command is: "--script "not intrusive"". This loads every script except for those in the intrusive category.
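The difference between "--script=all" and "--script "not intrusive"" is easier to see once the selector is treated as what it is: a boolean expression over script names and categories. The following Python is an added example, not code from this page or from the Nmap project, that evaluates such selectors against a small catalogue. The names auth-owners, ftp-brute and finger come from the page, but every category assignment in CATALOGUE is a constructed assumption for the example, not nmap's real script metadata; the NSEDoc pages linked above have the real ones.

```python
"""Evaluate an nmap --script selector against a small script catalogue.

Added example, not code from this page or from the Nmap project. nmap's
--script argument is a comma-separated list whose entries are script names
(globs allowed), category names, the word "all", or boolean expressions over
those (and / or / not, with parentheses); this mirrors that. CATALOGUE is
constructed for illustration: the names auth-owners, ftp-brute and finger
come from the page, but every category assignment here is an assumption,
not nmap's real script metadata.
"""
import re
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Set

Pred = Callable[[str, Set[str]], bool]

CATALOGUE: Dict[str, Set[str]] = {          # constructed example data
    "auth-owners": {"default", "safe"},
    "finger": {"default", "discovery", "safe"},
    "ftp-brute": {"brute", "intrusive"},
    "http-title": {"default", "discovery", "safe"},
    "mysql-info": {"default", "discovery", "safe"},
    "example-dos": {"dos", "intrusive"},     # made-up name standing in for the dos category
}

KEYWORDS = {"and", "or", "not", "(", ")"}


def tokenize(expr: str) -> List[str]:
    return re.findall(r"\(|\)|[A-Za-z0-9_*.?-]+", expr)


class _Parser:
    """Recursive descent over: expr := term (or term)*; term := factor (and factor)*."""

    def __init__(self, tokens: List[str]) -> None:
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self) -> Pred:
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self) -> Pred:
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda a, b: lambda n, c: a(n, c) or b(n, c))(left, self.term())
        return left

    def term(self) -> Pred:
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda a, b: lambda n, c: a(n, c) and b(n, c))(left, self.factor())
        return left

    def factor(self) -> Pred:
        tok = self.take()
        if tok is None:
            raise ValueError("selector ended unexpectedly")
        if tok == "not":
            inner = self.factor()
            return lambda n, c: not inner(n, c)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in KEYWORDS:
            raise ValueError(f"unexpected {tok!r}")
        # A bare word matches "all", a category, or a (glob) script name.
        return lambda n, c: tok == "all" or tok in c or fnmatchcase(n, tok)


def select(selector: str, catalogue: Dict[str, Set[str]] = CATALOGUE) -> List[str]:
    """Return the sorted script names the selector would load."""
    chosen: Set[str] = set()
    for part in selector.split(","):
        if part.strip():
            pred = _Parser(tokenize(part)).parse()
            chosen.update(n for n, cats in catalogue.items() if pred(n, cats))
    return sorted(chosen)


if __name__ == "__main__":
    for sel in ("not intrusive", "auth-owners,ftp-brute,finger", "all", "http-*"):
        print(f"{sel!r:35} -> {select(sel)}")
```

Against this catalogue "all" pulls in ftp-brute and example-dos while "not intrusive" leaves them out, which is the whole of the page's advice about "--script=all" in one evaluation; the same evaluator answers "what would this selector run?" before the scan rather than after.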

Conclusion

There is no reason not to get the latest nmap sources and compile them whenever a new version of nmap is released, even if it's a beta. New scripts are included with every release, and it compiles and installs quickly.