A basic NMAP tut.

View Poll Results: Who do you hate the most on the net?

Voters
27. You may not vote on this poll
  • Morons on AOL that see the net as nothing more then a chat place

    8 29.63%
  • Idiots who cyber hump every leg they see

    3 11.11%
  • Packet monkeys

    2 7.41%
  • People takin credit for others work

    6 22.22%
  • kids who dont even have pubes talkin down apon u

    8 29.63%
Results 1 to 5 of 5

Thread: A basic NMAP tut.

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    276

    Post A basic NMAP tut.

    The tutorial was written by thran and the original (as far as I know) can be found on NewOrder.box.sk. (And please remember, everything can be used in two ways. So use your common sense /Pooh-Bear)

    YANT - Yet Another NMAP Tutorial.
    Alright then, this will be my first article posted to Neworder. Thanks Clayman for passing out some good ideas on what to put on the front page
    Anyways, This will be a manual explaining the different usages of nmap and netcat for those that dont have the time to wad through difficult and fairly boring manuals. So this means I will not discuss little-to-nothing of the technical terms that come with these manuals.

    Alright partner, lets start with nmap. I will basicly try to explain the different usages and options of nmap. Dont know what nmap is? Your not from this world? Check out www.insecure.org/nmap

    A basic scan :
    thran@CC67447-B:~$ nmap 127.0.0.1

    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Interesting ports on localhost (127.0.0.1):
    (The 1544 ports scanned but not shown below are in state: closed)
    Port State Service
    113/tcp open auth
    515/tcp open printer
    1024/tcp open kdm
    3000/tcp open ppp
    3306/tcp open mysql


    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

    This is a very basic TCP scan, like most other port scanners out there. It shows us which ports are open, and which services 'probably' run on these ports. I use 'probably' because port 3000 on my server is not the
    PPP Protocol (for use with modems) but a local webserver I run. These scans are very loud, meaning they will easily be picked up by firewalls and such and thus logged. Note: This is called a Vanilla scan and its the same as scanning using the -sT switch.

    Lets try something different, lets say I simply want to find out what kind of OS they are running. For this we use the -O switch. (We need to be root
    to use this switch!)

    root@CC67447-B:~$ nmap -O 127.0.0.1

    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Interesting ports on localhost (127.0.0.1):
    (The 1544 ports scanned but not shown below are in state: closed)
    Port State Service
    113/tcp open auth
    515/tcp open printer
    1024/tcp open kdm
    3000/tcp open ppp
    3306/tcp open mysql

    No exact OS matches for host (If you know what OS is running on it, see
    http://$TCP/IP fingerprint:
    SInfo(V=2.54BETA30%P=i586-pc-linux-gnu%D=12/10%Time=3C14ACFC%O=113%C=1)
    TSeq(Class=RI%gcd=1%SI=187D86%IPID=Z%TS=100HZ)
    TSeq(Class=RI%gcd=1%SI=187DCB%IPID=Z%TS=100HZ)
    TSeq(Class=RI%gcd=1%SI=187DF3%IPID=Z%TS=100HZ)
    T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
    T2(Resp=N)
    T3(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
    T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
    PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

    Uptime 0.010 days (since Mon Dec 10 13:24:53 2001)

    Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

    Well, that sure printed out some stuff. First notice that nmap still starts with a portscan! Then it tries to figure out my OS by sending specially crafted strings to two ports! One open port and one closed. This due the fact that different kind of OS' respond differently to these
    probes. It also shows us info to exploit the TCP prediction vulnerability, but since this is not a technical guide I will not explain it (Perhaps for
    future articles) As you can see nmap had trouble predicting my machine which is a Slackware 8.0 Box. But if correctly guessed, this info can greatly aid the attacker/defender. Ai Partner, Next up, stealth scanning!

    Alright, some of the reasons why nmap is such a great scanning tool is the fact it allows 'stealthy' portscans. Again I put stealthy between '' because of the fact that it can still be picked up by some firewalls or packet filters. We will be using the TCP SYN stealth scan, so
    use switch -sS. Again, you have to be root to use this option.

    root@CC67447-B:~$ nmap -sS 127.0.0.1

    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Interesting ports on localhost (127.0.0.1):
    (The 1544 ports scanned but not shown below are in state: closed)
    Port State Service
    113/tcp open auth
    515/tcp open printer
    1024/tcp open kdm
    3000/tcp open ppp
    3306/tcp open mysql


    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

    Looks the same without the -sS switch huh? However, this time, nmap used an half-open scan. I will not discuss this as of reasons I mentioned earlier. If you want to know more, read up on the Three-Way-Handshake.

    Now, what if the remote server has no TCP ports open? Hmm, perhaps the open ports are hiding as UDP. Lets check it out. We use the -sU switch to scan for open UDP ports. And yes, we have to be root for this type of scan.

    root@CC67447-B:~$ nmap -sU 127.0.0.1

    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    All 1452 scanned ports on localhost (127.0.0.1) are: closed

    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

    Awww, what a shame, I have no UDP ports open.
    We can also check if hosts are online or offline. nmap checks by either using a TCP probe on port 80 of the remote host, or the usual ICMP ping.If you want to check using ICMP use the -PI switch. If you think that the
    ICMP scans are being dropped because of packet filters or firewalls, you can try to see if the host is up by using the -PT flag. nmap will now send a TCP probe to port 80 of the remote host to check wether its up. Of
    course, the host may be up, use packet filters and not running any webserver so you can also specify different ports, for instance : -PT65530 , will probe port 65530. Some packet filters allow packets with the ACK
    flag to high numbered ports. To do both a TCP and ICMP probe, use the -PB flag. If you dont want to probe at all, use the -P0 flag (for servers that use packet filtering software or particular firewall rulesets)

    Now what if we want to specify a range of ports to scan? For instance we only want to check ports 1-1024, where some of the more important daemons are running. We use the -p switch for this.

    thran@CC67447-B:~$ nmap 127.0.0.1 -p 1-1024

    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Interesting ports on localhost (127.0.0.1):
    (The 1021 ports scanned but not shown below are in state: closed)
    Port State Service
    113/tcp open auth
    515/tcp open printer
    1024/tcp open kdm

    The FIN (-sF), NULL (-sN) and XMAS (-sX) scans are all the same and not really worth mentioning. They rely on RFC-compliance and thus wont work on windows machines.

    Now for more interesting scans. The -sI flag allows a blind TCP port scan on the remote host. Quoted from the manpage :

    'Instead, a unique side-channel attack
    exploits predictable "IP fragmentation ID" sequence generation on the zombie host to glean information about the open ports on the target.'

    Sounds impressive huh Basicly, it allows you to spoof your real IP by using Zombie hosts. These hosts have to match certain criteria. It works by using a trust-relationship between hosts. Darn, I had to go a bit
    technical again. I wouldnt really suggest this type of scan unless you have to be really really anonymous.

    The -sA flag allows ACK Scanning. Its used to map out firewall rulesets. In basic words, it sends a probe. If the probe is dropped, the port is called filtered. If the probe returns, its called unfiltered. Filtered ports will show up with this type of scan, unfiltered will not. Filtered means that sometimes the port is open, but the firewall doesnt allow your probe to get through, thus dropping it.

    Using the -sW flag is called the windows scan. Its almost similar to the ACK scan, but it sometimes detects open ports as well as filtered/nonfiltered ports.

    Nmap allows you to scan for RPC services too, using the -sR flag. I wont explain what a RPC daemon is or does, but do know that they are vulnerable to many buffer overflow attacks. First it scans all the TCP and UDP ports and then it determines if the open ports run some kind of RPC service.

    If the remote host is running identd, which allows you to check the identity of various daemons you can use the -I flag to get some more info about certain daemons on the host, for example, if they are run as root or not. => nmap -I -p 80 127.0.0.1 This would scan the webserver on my box
    and try to get more info. Would love to show you a working example but I dont run identd

    If you scan a host for ports, dont forget to log it, unless you enjoy defacing logfiles with your ip!
    There are several methods, one is => nmap 127.0.0.1 > test.txt , or using the -oN switch => nmap 127.0.0.1 -oN test.txt Also, if you want it to log it in XML form, use the -oX switch. Want in grepable form? use the -oG switch. And if your one of those persons that just has to have every version, use the -oA switch. And for the 31337 h4x0r5 0u7 7h353, 7h3 -oS 5w17ch 4110w5 70 10g 1n 31337
    f05m. (it logs in elite form) If you cancelled a scan, while it was logging to a file, use the --resume
    switch to continue logging just before it got cancelled.

    There is also an option for script kiddies and for those that are just curious. The -iR switch creates hosts for you! It will create an ip and scan it, on and on. Basicly, this lasts forever until it runs out of ip's duh

    Decoy Scanning! The -D switch allows you to pass decoy servers to nmap. Basicly, it will scan using multiple ip's with one of them being your real IP ! Its just another method to remain anonymous.

    Whats more to tell? There are more flags and switches you can pass with nmap but there are simply too many, and some are too boring to tell you about Want to know more about nmap's capabilities?
    http://www.insecure.org/nmap , or man nmap.

    Alright partner, go get 'em!

    *sigh* ok ok, ill write down some greetings.
    hi zerostealth, hi cd, hi rattlesnake, hi cube, hi clayman, hi pool, hi, shell, hi mom, hi dad, and all the admins at neworder gettin crowdy
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile
    Share on Google+

  2. #2
    Junior Member
    Join Date
    Jul 2001
    Posts
    11

    Thumbs up thanx

    good info, please post more.
    All that we see or seem is but a dream within a dream.
    <=Edgar Allan Poe=>
    Share on Google+

  3. #3
    Member
    Join Date
    Oct 2001
    Posts
    74

    Thumbs up

    Great Tutorial, this is the kind of stuff that I would like to see more of here. I know alot of the tuts are available elsewhere on the web it is nice to have them in one spot.
    Share on Google+

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Good job! Not bad for a Swede, anyway
    That nmap program seems to be very quick, my windows portscanner take forever and ever. I think there is an nmap program for windows as well, and I'm gonna find it.
    ---
    proactive
    Share on Google+

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    276

    Thanks :)

    My thought are the same as yours V3RIZON, yes there are good tuts alover the place but I prefer to have them in one place. Besides, this way one can chose which ones are good and not.
    Well thanks proactive, even if ya got a duck for avatar your posts a nice

    Is there anyone that want an extensive one on Unix bash?
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides