August 31st, 2002, 11:12 AM
I am aware that this kind of thing isn't exactly what we want all the script kiddies and so on to learn, but there are people on AntiOnline who will find this information useful from a security point of view, not from a hacking point of view. The abundance of total idiots on AntiOnline is not my problem, and I am merely providing information for those who can be responsible enough to know when to use it and when not to...
I take no responsibility for anything anyone does having read this. It's your own dumb fault. If you are reading this for illegal intentions, do not proceed beyond this point.
That said, I can post the tutorial now.
This tutorial goes through some examples of using nmap, and gives you a
rundown of the options available, and whether you need root privileges to
Nmap is perhaps the greatest port scanner of all time, and thus a very
useful tool. If someone were to launch an attack against your network,
running nmap would more than likely give them vital information. The
purpose of this tutorial is not to teach people how to run nmap against
others networks with the goal of breaking into them, it is to teach you
how you can test the security of your own network, firewall etc. with the
aim of improving your overall security.
nmap's standard TCP scan is the TCP connect() scan. This scan is usually
easy for firewalls and IDSs to detect; however, it is the best an
unprivileged user can do, since nmap requires root to perform the more
sophisticated (and less easily detected) scans.
nmap -sT target.ip.goes.here
is the standard command for a TCP Connect scan. This scan type connects
to each port between 1 and 1024, plus those listed in nmap-services which
are of interest (eg ports known to be used by trojans or other vulnerable
As well as TCP scans, nmap offers a UDP scan option, -sU:
nmap -sU ip.address.goes.here
This option scans for ports open on the UDP protocol.
The TCP SYN scan requires root privileges for raw socket support. The TCP
SYN scan doesn't establish a full connection to a host, so it is more
difficult to detect. Most modern Intrusion Detection Systems do check for
excess SYNs floating around though, and if every port is scanned in order
it doesn't take much to piece together that a portscan is going on; most
IDSs can do that.
nmap -sS ip.address.goes.here
is the typical TCP SYN scan command.
These scans are all similar to the SYN scan, in that they require root
privileges to use, but are not so easy to detect (IDSs look for
SYN scans but not necessarily these ones).
-sF - FIN Scan (Sends FIN packets instead of SYN)
-sX - Xmas Tree Scan (I don't know the specifics of this one)
-sN - Null Scan (Pretty obvious I think)
These scans will *not* work against an MS Windows box due to the way Microsoft
chose to ignore the rest of the world as usual and do things their own way.
This can be useful, however, because you can vaguely determine OS type based
on running a SYN and a NULL. If the SYN shows up open ports, but NULL doesn't,
you're probably looking at a Windows box. (Of course, this usage is more or
less obsolete now with the -O OS Fingerprinting option of nmap)
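As an added illustration of the detection side of the SYN and FIN/Xmas/Null scans described above (this is not code from the original post), the following script runs two simple checks over a constructed packet log: a source sending bare SYNs to many distinct ports within a short window (and whether it hit them in ascending order), and any FIN, Xmas or Null segment, which has no ACK bit and so cannot belong to a live connection. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed packet log (not from the original post), one TCP segment per line:
# <epoch> <src> <dst> <dport> <flags>   flags: S=SYN A=ACK F=FIN P=PSH U=URG, "-" = none
SAMPLE_LOG = """\
1030790000 10.0.0.5 192.168.1.10 21 S
1030790000 10.0.0.5 192.168.1.10 22 S
1030790001 10.0.0.5 192.168.1.10 23 S
1030790001 10.0.0.5 192.168.1.10 25 S
1030790002 10.0.0.5 192.168.1.10 80 S
1030790002 10.0.0.5 192.168.1.10 110 S
1030790010 10.0.0.9 192.168.1.10 80 S
1030790011 10.0.0.9 192.168.1.10 80 PA
1030790012 10.0.0.9 192.168.1.10 80 FA
1030790020 10.0.0.7 192.168.1.10 22 -
1030790020 10.0.0.7 192.168.1.10 80 F
1030790021 10.0.0.7 192.168.1.10 443 FPU
"""

# Flag combinations (letters sorted) sent by nmap's Null, FIN and Xmas scans.
STEALTH_PROBES = {"": "NULL", "F": "FIN", "FPU": "XMAS"}

def parse_log(text):
    """Yield (ts, src, dst, dport, flags) with flag letters sorted; '-' becomes ''."""
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        yield int(ts), src, dst, int(dport), "".join(sorted(flags.strip("-")))

def detect_syn_sweeps(records, min_ports=5, window=10):
    """Report sources sending bare SYNs to >= min_ports distinct ports within `window` seconds."""
    syns = defaultdict(list)                     # src -> [(ts, dport)]
    for ts, src, _dst, dport, flags in records:
        if flags == "S":                         # SYN without ACK: a fresh connection attempt
            syns[src].append((ts, dport))
    alerts = {}
    for src, hits in syns.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seq = [p for t, p in hits[i:] if t - t0 <= window]
            if len(set(seq)) >= min_ports:
                # ports probed in ascending order is the giveaway the post mentions
                alerts[src] = {"ports": sorted(set(seq)), "ascending": seq == sorted(seq)}
                break
    return alerts

def detect_stealth_probes(records):
    """Report FIN/Xmas/Null segments: no ACK bit set, so no live connection sent them."""
    return [(src, dport, STEALTH_PROBES[flags])
            for _ts, src, _dst, dport, flags in records if flags in STEALTH_PROBES]
```

Note that the legitimate session from 10.0.0.9 closes with FIN+ACK, so it is not reported, while the bare FIN from 10.0.0.7 is.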
nmap will ping the host to check that it is alive before scanning. Some hosts
block ICMP Echo Requests (pings), however, so the scan will fail even though the
host is up. There is an option, -P0, to skip the ping and scan anyway.
Of course, this runs the risk of scanning a box that isn't there, but it's a
risk you have to take:
nmap offers different options for timing its scans. The 'normal' option is
fine for most purposes, but to avoid detection, slower timing can be used, or
to get a scan completed quickly, faster timing can be used. The timing option
has the following format:
where <timeoption> can be any of the following:
You can use either the number or the phrase, e.g.:
nmap -sS -P0 -T 2
nmap -sS -P0 -T Polite
Both of those commands do the same thing.
nmap has TCP/IP fingerprinting support, which can help determine remote OS
type, and other useful information such as uptime.
This option is simple:
You can set a series of decoy hosts, to reduce chances of being detected. The
option for these is:
which is the -D parameter, followed by a string of decoys, separated by commas.
nmap's default behaviour is to scan ports 1-1024 (the so called 'reserved'
ports), plus those known to be 'interesting' (trojan ports, for example). You
can change this behaviour as follows:
nmap -sS -P0 -p 1-1024 <--- Scan 1-1024 only
nmap -sS -P0 -p 1-65535 <--- Scan all 65535 ports
nmap -sS -P0 -p 25 <--- Scan port 25 only
nmap -sS -P0 -p 25,80,110-1024 <--- Scan port 25, port 80, and ports 110-1024
nmap man pages