Nmap

From NetSec
Revision as of 12:48, 16 December 2010 by ShanelZavala (Talk | contribs)


Nmap is a network reconnaissance tool widely used in the security community. It offers everything from port scanning to OS detection and more. Most users value Nmap for its multitude of options and for the ability to perform many different actions within a single command. For example:

[root@crankhandle ~]# nmap -sS -A -sV blackhatacademy.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-16 06:26 EST
Nmap scan report for blackhatacademy.org (201.218.250.220)
Host is up (0.064s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.6 (protocol 2.0)
| ssh-hostkey: 1024 ad:d0:2e:72:22:89:54:91:6d:ac:4a:20:b2:2b:1b:b7 (DSA)
|_1024 7d:24:f9:a1:e6:80:6e:04:1e:3b:3c:fc:f4:4a:6f:71 (RSA)
80/tcp   open   http     Apache httpd
| robots.txt: has 5 disallowed entries 
| / /~joe/docs/ /~joe/private.html /~joe/foo.html 
|_/~joe/bar.html
|_html-title: Welcome To WildCard Security
|_http-favicon: 
110/tcp  open   pop3     qpopper
|_pop3-capabilities: USER EXPIRE(NEVER) UIDL X-MANGLE APOP TOP OK(K Capability list follows) RESP-CODES X-LOCALTIME(Thu 16 Dec 2010 06 27 06 -0500) LOGIN-DELAY(0) AUTH-RESP-CODE X-MACRO
443/tcp  open   ssl/http Apache httpd
|_sslv2: server still supports SSLv2
| robots.txt: has 1 disallowed entry 
|_/
|_http-favicon: Apache on Linux
|_html-title: Site doesn't have a title (text/html).
8000/tcp closed http-alt
Device type: general purpose|WAP
Running (JUST GUESSING) : Linux 2.6.X (86%), PheeNet embedded (85%)
Aggressive OS guesses: Linux 2.6.15 - 2.6.26 (86%), PheeNet WAP-854GP WAP (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
Service Info: Host: meteor.localhost

TRACEROUTE (using port 8000/tcp)
HOP RTT      ADDRESS
1   3.41 ms  myrouter.home (192.168.1.1)
2   9.28 ms  L100.TAMPFL-VFTTP-109.verizon-gni.net (71.180.136.1)
3   11.41 ms G6-0-2-1709.TAMPFL-LCR-07.verizon-gni.net (130.81.105.128)
4   11.76 ms so-6-1-0-0.TPA01-BB-RTR1.verizon-gni.net (130.81.29.240)
5   31.72 ms so-7-3-0-0.ATL01-BB-RTR1.verizon-gni.net (130.81.19.30)
6   26.76 ms 0.xe-7-1-0.BR3.ATL4.ALTER.NET (152.63.80.73)
7   26.93 ms te7-2-10G.ar2.atl2.gblx.net (64.208.110.245)
8   94.42 ms 64.214.150.198
9   94.56 ms gsr1-wc.tcarrier.net (200.46.0.20)
10  86.89 ms 200.90.140.174
11  93.61 ms 201.218.239.246
12  86.18 ms 200.46.241.13
13  86.31 ms 201.218.218.51
14  88.79 ms 201.218.250.220

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.53 seconds

Now, not only have we found the open ports on the target machine, but we have found service versions, a possible operating system, and a nice traceroute to the target.
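In the command above, -sS requests a TCP SYN scan, -sV enables service version detection, and -A additionally turns on OS detection, NSE script scanning and traceroute, which is why one invocation produced every section of the report. The following parser is an added example, not part of the NetSec page or of the Nmap project: it reads the PORT/STATE/SERVICE/VERSION table and the NSE script lines printed beneath each port (the sample input is taken from the scan output shown above) and turns them into records that can be fed into an asset inventory or checked for findings such as the "server still supports SSLv2" line. The function names parse_port_table, open_ports and weak_findings are this example's own. For real pipelines, Nmap's machine-readable -oX and -oG output formats are the robust choice; this shows what the text table already contains.

```python
"""Parse the normal-output port table of an Nmap scan into structured records.

Added example (not from the page or the Nmap project). Reads the
PORT/STATE/SERVICE/VERSION table and attaches the NSE script lines
('| ...' and '|_...') that follow each port to that port's record.
"""
import re
from dataclasses import dataclass, field

# Sample input: the port table from the scan shown on the page, trimmed.
SAMPLE = """\
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.6 (protocol 2.0)
| ssh-hostkey: 1024 ad:d0:2e:72:22:89:54:91:6d:ac:4a:20:b2:2b:1b:b7 (DSA)
|_1024 7d:24:f9:a1:e6:80:6e:04:1e:3b:3c:fc:f4:4a:6f:71 (RSA)
80/tcp   open   http     Apache httpd
|_html-title: Welcome To WildCard Security
443/tcp  open   ssl/http Apache httpd
|_sslv2: server still supports SSLv2
8000/tcp closed http-alt
Device type: general purpose|WAP
"""

# One table row: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str                      # empty when Nmap printed no version
    scripts: list = field(default_factory=list)  # NSE lines, '|'/'|_' stripped


def parse_port_table(text):
    """Return a list of PortRecord built from the table in `text`."""
    records = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("PORT"):       # header row starts the table
            in_table = True
            continue
        if not in_table:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service,
                                      (version or "").strip()))
        elif line.startswith("|") and records:
            # NSE script output belongs to the most recent port.
            records[-1].scripts.append(line.lstrip("|_ ").rstrip())
        else:
            break                         # table ended (OS detection, blank line)
    return records


def open_ports(records):
    """Port numbers whose state is 'open', in the order Nmap listed them."""
    return [r.port for r in records if r.state == "open"]


def weak_findings(records):
    """Collect script results a defender would act on, here the SSLv2 check."""
    findings = []
    for r in records:
        for line in r.scripts:
            if line.startswith("sslv2:"):
                detail = line.split(":", 1)[1].strip()
                findings.append(f"{r.port}/{r.proto}: {detail}")
    return findings


if __name__ == "__main__":
    recs = parse_port_table(SAMPLE)
    print("open ports:", open_ports(recs))
    for r in recs:
        print(f"{r.port}/{r.proto} {r.state} {r.service} {r.version} "
              f"({len(r.scripts)} script lines)")
    print("findings:", weak_findings(recs))
```

The parser stops at the first line after the table that is neither a port row nor a script line, so the OS-detection and traceroute sections are left alone; extending it to those sections, or switching to the XML output, is the natural next step when the data has to be compared across scans.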