Nmap
NMAP is a network recon tool widely used in the security community. It offers everything from port scanning, to OS detection and more. Most users value NMAP for multitude of options, along with the ability to perform many different actions within a single command. NMAP stands for network map.
Contents
Correct Usage
nmap [Scan Type(s)] [Options] {target specification}
Scan Types
- -sS
- SYN Scan. The advantage over other scans is that a 3 way handshake isn't performed. This results in a lower chance of logging. A syn packet is sent to the server and a synack is sent in response back to the program with no ack replied. This is therefore a useful scan type for camouflaging scans.
- -sA
- ACK Scan. Using an ACK scan is essentially mapping the firewall rules to try and see what ports a firewall is attempting to protect, by determining whether the port is filtered or unfiltered, as opposed to closed or open.
- -sF
- FIN Scan. Using a FIN scan should return a RST packet on closed ports, but may not return anything on open ports, and will likely be discarded.
- -sX
- Xmas Scan. Nmap will send tcp packets with every flag lit up. Many firewalls will just ignore them and pass them through to hosts. You can get some really funky results with xmas scans so it isn't recommended using them as your primary scan type but when you want to look through firewalls, or determine if there are any firewalls protecting a host, use -sX. Way better than -sA or -sF by far in that regard. Keep in mind that firewalls are starting to filter xmas packets so it might not work well in some situations.
- -sU
- UDP Scan. UDP scans are very good. Since UDP is not a stateful protocol, and has no delivery confirmation like TCP, it takes a very long time to run a full UDP scan. It is recommended you know specifically what you're looking for. For example: SNMP = 161, NTP = 123, RPC = 111, NFS = 2049 You can typically get RPC on TCP, and it returns a list of the services from nmap, nfs/nfslock/etc. But, in cases where you have ancient boxes, it will more than likely be UDP. One example where you can tell if there is a firewall or not, is if you find an open port 111 and it is advertising nfs and portmap but you don't see any NFS on the host. That usually means that there's a firewall blocking nfs access.
- Just probe RPC instead of NFS, even if the port is open. The timeout is ridiculous, so RPC will tell you what port to look for NFS on. UDP scans are -sU, use it with the -p option always and know what ports to scan on.
- I know you're wondering, "isn't the point of nmap to tell me what ports are open?" Well yes, but in the udp scan situation scanning 1000 or even 100 ports is very impractical.If you are looking for snmp though: "-sU -p161 --script=all" will tell you which hosts are listening on snmp and if the community is public/private or not.
- -sY
- SCTP scan. Now you have sctp scans. They're relatively useless unless you're scanning a telco or something. sctp is a protocol like tcp, layer 3 etc, which is used in SS7, a system used by cell phone carriers and telcos. Recently there have been other applications for it since it is a really cool protocol.
Options
- -T
- -T sets scan intensity, and is obviously, the -T flag.The range of -T flag is from 0 to 5 with 0 being highly intensive but slow and 5 being very fast but not very intense.
- --open
- --open means to only show open ports on hosts. When scanning more than one host, it is suggested that you use --open, which cleans up the output of nmap significantly.
- -Pn
- -Pn tells nmap not to do ping scan before scanning hosts. Usually, it will take the ip's it gave you and ping them all first to see which ones are online. In previous version of nmap, -Pn was -PO and -PN.
- -p80
- -p80 tells nmap to only scan port 80, you can do multiple ports like so: -p80,113,135-139.
- -F
- -F will scan the 100 most popular ports based on a huge scan of the internet by the creators of nmap.
- -iR
- -iR scans for random hosts, so "-iR 1000" scans 1000 random ips. With the previous parameters, it's for port 80 w/ ping scan enabled. This is pretty stupid to use as it can get you in a lot of trouble if you scan the wrong thing.
aximum Transmit Unit, it allows you to specify
- -i
- -i is internet wide, so you can do a random scan for webservers with -iR. This is useful for reducing attention to your activity as it spreads it across network blocks instead of hitting just one.
- -6
- Enables IPv6 scanning
- -A
- Aggressive scan options including -O, -sV, -sC and --traceroute
- -h
- Prints a help summary page
- --privileged
- Assumes that the user is fully privileged. When you are running nmap unprivileged, you cannot run sys scans. In unpriveleged mode, you are scanning -sT by default, that is, raw connection scanning. So nmap is doing a full 3 way handshake with each client.In privileged mode, you can run a lot more scan types such as syn scans, ack scans, fin scans, xmas scans, udp scans, sctp scans, protocol scans.
Evasion Techniques
- -D (decoy)
- It lets you specify a few addresses like: -D 2.9.11.231,99.99.99.99. nmap will forge packets with those as source addresses along with your legitimate packets and send those to remote hosts as decoys.
- -f (fragment)
- Allows for the fragmentation of packets going towards target, it's useful for avoiding firewalls with built in packet inspection methods.
- --mtu (maximum transmission unit)
- In much the same way as the fragment operator works, the MTU specifies the maximum transmission unit for a packet. Nmap will then fragment it's packets to the size of the MTU specified. NOTE:the MTU must be a multiple of 8.
- --data-length
- Helps to bypass IDP Systems, that have a default rule for nmap packets to be disallowed (which is often the case). These rules will look for packets that match certain criteria, and packet size is often one of them. Thusly, adding padding to the packet to increase it's size will often bypass common IDP Techniques.
Target Specification
For example:
[root@crankhandle ~]# nmap -sS -A -sV blackhatacademy.org Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-16 06:26 EST Nmap scan report for blackhatacademy.org (201.218.250.220) Host is up (0.064s latency). Not shown: 995 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.6 (protocol 2.0) | ssh-hostkey: 1024 ad:d0:2e:72:22:89:54:91:6d:ac:4a:20:b2:2b:1b:b7 (DSA) |_1024 7d:24:f9:a1:e6:80:6e:04:1e:3b:3c:fc:f4:4a:6f:71 (RSA) 80/tcp open http Apache httpd | robots.txt: has 5 disallowed entries | / /~joe/docs/ /~joe/private.html /~joe/foo.html |_/~joe/bar.html |_html-title: Hacks |_http-favicon: 110/tcp open pop3 qpopper |_pop3-capabilities: USER EXPIRE(NEVER) UIDL X-MANGLE APOP TOP OK(K Capability list follows) RESP-CODES X-LOCALTIME(Thu 16 Dec 2010 06 27 06 -0500) LOGIN-DELAY(0) AUTH-RESP-CODE X-MACRO 443/tcp open ssl/http Apache httpd |_sslv2: server still supports SSLv2 | robots.txt: has 1 disallowed entry |_/ |_http-favicon: Apache on Linux |_html-title: Site doesn't have a title (text/html). 8000/tcp closed http-alt Device type: general purpose|WAP Running (JUST GUESSING) : Linux 2.6.X (86%), PheeNet embedded (85%) Aggressive OS guesses: Linux 2.6.15 - 2.6.26 (86%), PheeNet WAP-854GP WAP (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 14 hops Service Info: Host: meteor.localhost TRACEROUTE (using port 8000/tcp) HOP RTT ADDRESS 1 3.41 ms myrouter.home (192.168.1.1) 2 9.28 ms L100.TAMPFL-VFTTP-109.verizon-gni.net (71.180.136.1) 3 11.41 ms G6-0-2-1709.TAMPFL-LCR-07.verizon-gni.net (130.81.105.128) 4 11.76 ms so-6-1-0-0.TPA01-BB-RTR1.verizon-gni.net (130.81.29.240) 5 31.72 ms so-7-3-0-0.ATL01-BB-RTR1.verizon-gni.net (130.81.19.30) 6 26.76 ms 0.xe-7-1-0.BR3.ATL4.ALTER.NET (152.63.80.73) 7 26.93 ms te7-2-10G.ar2.atl2.gblx.net (64.208.110.245) 8 94.42 ms 64.214.150.198 9 94.56 ms gsr1-wc.tcarrier.net (200.46.0.20) 10 86.89 ms 200.90.140.174 11 93.61 ms 201.218.239.246 12 86.18 ms 200.46.241.13 13 86.31 ms 201.218.218.51 14 88.79 ms 201.218.250.220 OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.53 seconds
Now, not only have we found the open ports on the target machine, but we have found service versions, a possible operating system, and a nice traceroute to the target.
This is a good way to tell if a host that has no open ports is alive or not. Another tip, if you are only scanning one host use -vv instead of --open. -vv means double verbose. Verbosity is good. You can actually change the verbosity in the middle of a running scan by typing v or V during a scan. v = increse, V = decrease. You can change the debug level as well with d and D. This is useful, when running a script scan. If you hit d 2 or 3 times usually it will tell you what a current script is doing down to the operation. You should hit D a few times afterwards to get the debug down to 0 because if it hits the end of the script, you will not like the output.
Script Scanning
So this brings me to script scanning. http://nmap.org/nsedoc/ is a very good reference. In a script scan, --script= is used. You can set individual scripts like: "--script=auth-owners,ftp-brute,finger". Script scans are great, they even have scripts to probe mysql info, ircd info, etc , all kinds of data.
You can also run groups of scripts like: "--script=auth,dos,malware,intrusive,exploit,vuln". It will run them in the order specified.Note that nmap won't complete until every script finishes so you won't get pretty output until it's done.
The other thing you can do is: "--script=all". This isn't recommended, it tries to exploit, violate, dos, and break into remote hosts. Another useful command is: "--script "not intrusive"" This loads every script except for those in the intrusive category.
Conclusion
There is no reason not to get the latest nmap sources and compile them. Whenever a new version of nmap is released even if it's beta. New scripts are included every released and it compiles and installs quick.