NMAP 3.48 Tutorial Lesson 2 - More Basics

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    NMAP 3.48 Tutorial Lesson 2 - More Basics

    NMAP v3.48 tutorial lesson 2 of ? rev 1.0 by TheHorse13


    PREFACE (Will be repeated at the top of each lesson)
    ======================
    I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped.

    I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial but I would like to make everyone aware that I will be borrowing info where it makes sense.

    PREREQUISITE
    ======================
    Read Lesson one – The Basics, found in the Tutorial Forum.

    IN THIS LESSON
    =====================
    This lesson will still be at the beginner level so those who are advanced users, look for later lessons where things like connectionless scans are covered.

    We will look at some additional scanning techniques and when to use them. We will focus only on internal scans at this point. We will look at output when you hit firewalls, routers and other devices between you and your target in later lessons.

    SUBNET, PORT RANGES AND MULTIPLE HOST SCANS
    =====================
    In lesson 1, we saw a very basic scan that produced results for a single host. Let’s take that same example and add a small twist. You now have an entire subnet that needs to be scanned to pinpoint all of the machines that have remote control services running. In the organization, PCAnywhere is the only supported remote access solution and you now have to track down those who are not in compliance. Being a vigilant security professional, you immediately grab your trusty NMAP tool and go to work.

    NOTE: Some folks are quite crafty and don’t run services on the typical port associated with the service. But for now, we will make two assumptions for this example. First, all remote control services are running on the ports that are typically associated with them.

    We will assume that three additional remote control services are running out there. They will be, 1) Terminal Services, 2) VNC and 3) LapLink. The subnet you will scan is a class C network so the network is 192.168.1.0 and the subnet mask is 255.255.255.0

    OK, let’s create the syntax to discover these services:
    [haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.0/24

    OK, let’s look over what we are doing here.
    NMAP – obviously the command
    -v – I typically recommend using the verbose switch. If you leave it out, your output will only show the ordered port list and a few less details on scan time responses and other details that may be useful to you.
    -sV – Since the default privileged mode scan is sS (SYN Stealth, or half-open scan- a scan where only the SYN flag is sent in the packet) -sV will cause NMAP to communicate with the box to identify the running services that it finds. This feature was added in NMAP-3.48.
    -p – Ports can be expressed individually separated by commas, as ranges separated by dashes or a combination such as -p 1547,1567,3300-3350
    hosts 192.168.1.0/24 – now, without starting another tutorial subject, subnet masks must be expressed as bits. For example, 255.255.255.0 is a 24 bit mask, 255.255.0.0 is a 16 bit mask, etc. A single host does not require a subnet mask but if you want to be technical, it would be 32 and would work if given as part of the command. You can also use the “*” key like this: -p 192.168.1.* This is the same as 192.168.1.0/24.

    Now then, in the interest of post length, I’ll let you play with the multiple host syntax and specific port/port range functionality. You’ll notice that you will get a complete record for each host that is alive and should a host not respond, NMAP will notify you that the host appears to be down and NMAP is skipping it.

    One more function that I’d like to cover is the multiple host scan syntax.

    [haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.10,11,12

    Notice that I just added additional host ID numbers separated by commas. NMAP will recognize this as a multiple host scan. You can also use the same idea when scanning a range of hosts.

    [haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.10-15

    This will tell NMAP to scan the specified ports using the IP range 192.168.1.10 thru 15. You’ll notice that port and host expressions are the same. This makes learning the command line switches a bit easier.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
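    The host and port expressions the lesson walks through (CIDR, comma lists, dash ranges, the "*" wildcard) can be expanded offline to see exactly which addresses and ports a command line would touch before anything is sent. The following is an added example, not code from the tutorial or from the Nmap project; it sends no packets and generalises the lesson's last-octet examples to ranges and lists in any octet, which Nmap also accepts.

```python
"""Expand nmap-style target and port specifications (added example, not
part of the original post). Useful for sanity-checking scan scope: how
many hosts and ports a given -p and host expression actually cover."""
import ipaddress
import itertools


def _expand_octet(field: str) -> list[int]:
    """One dotted field: '10', '10-15', '10,11,12', '*' or a mix such as '1-3,7'."""
    values = set()
    for part in field.split(","):
        if part == "*":
            values.update(range(256))
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet field: {field!r}")
        values.update(range(lo_i, hi_i + 1))
    return sorted(values)


def expand_hosts(spec: str) -> list[str]:
    """'192.168.1.0/24', '192.168.1.10,11,12', '192.168.1.10-15', '192.168.1.*'
    -> list of individual IPv4 addresses (a /24 includes .0 and .255, as nmap does)."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"bad host spec: {spec!r}")
    combos = itertools.product(*(_expand_octet(f) for f in fields))
    return [".".join(map(str, combo)) for combo in combos]


def expand_ports(spec: str) -> list[int]:
    """'1547,1567,3300-3350' -> sorted list of individual ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


def probe_count(host_spec: str, port_spec: str) -> int:
    """Number of host/port pairs a scan of these expressions would cover."""
    return len(expand_hosts(host_spec)) * len(expand_ports(port_spec))


if __name__ == "__main__":
    # The lesson's subnet scan: 256 hosts x 4 ports
    print(probe_count("192.168.1.0/24", "1547,5631,3389,5900"))
```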

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Yes, this is perfect. Continue this way.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    350
    Excellent job horse... Looking forward to more...
    "Serenity is not the absence of conflict, but the ability to cope with it."

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nice work Hoss..... This village idiot is getting it perfectly.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    Nicely explained. Can't wait for later versions though. You should create a hping2 lesson for testing firewall rulesets in the future.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Don't worry, Hping and Dsniff are on my tutorial list .
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Originally posted here by thehorse13
    Don't worry, Hping and Dsniff are on my tutorial list .
    These are great, what about a paper on auditing wireless lans? I find this trivial with a *nix box, but lord help me if I've got to use M$, I can't even grab an ESID with MircoCrap.


    --PuRe
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  8. #8
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    can't wait for the hping tut horsie
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Let's see. Hping, Dsniff, auditing wireless LANs (which I happen to have a tut I wrote for internal use on). Sounds like you guys will have me busy for quite a while.


    I will post at least one tut a week. Once I am done with the NMAP series, I'll move on to the others.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    Once a week, can't beat that.
