Damn! Getting Nmap to function flawlessly in WINDOWS

[Showtime8000]

Damn! Getting Nmap to function flawlessly on WINDOWS
In Ten Simple Steps
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

For the past several weeks, I have been experimenting/testing/cursing with the Windows port of nmap, a “free open source utility for network exploration or security auditing.” (insecure.org/nmap) Nmap’s plethora of scanning options makes it the choice for network admins everywhere. But until recently, us unfortunate Windows users had to do without, as Fyodor had originally authored the program for Linux users only.

Now that the Windows port is out, managing its many functions truly becomes a task. Nmap has been known to default on Windows systems; personally, I experienced random reboots about half the time I used it to scan a remote system. This can be very frustrating. Using various methods, though, I was able to minimize errors and improve performance dramatically. I compiled a list of several suggestions that helped me run nmap flawlessly on XP.

NOTE: This may not work on all systems. I tested under XP, with WinPcap 3.0 installed, nmap v3.48. The Windows version of nmap will never perform better than the original, so if you care that much, try an operating system, not windows!

Tip 1: If you are experienced problems via the command-line, try installing cygwin, a Linux-like emulation for Windows. (http://www.cygwin.com/) I recommend you install ALL packages (may take several hundred MBs). After installation, locate the nmap executable (were still working with the W32 port of nmap), and try bashing/running/executing it there, via the cygwin line.

Tip 2: Don’t resolve IPs. This may seem needlessly arcane, but it can reduce scanning times DRAMATICALLY. The tag is “-n” (w/o quotes). You might also want to apply the performance registry patch that’s included in the .zip file.

Tip 3: Download and install the latest version of WinPcap. This is nmap’s lifeblood, so to speak. If you have the latest version, you will notice that BSODS/reboots occur less often. (http://winpcap.polito.it/) At the time of this writing, v3.01 alpha is out. I haven’t tried it, so if anyone has any experiences/flames about it, feel free to post them here.

NOTE: Are you getting the line: ‘Note: Host seems down. If it is really up, but blocking our ping probes, try -P0’? Reportedly, Dave Smith, who had the same problem, uninstalled WinPcap 3.0 and reinstalled the older 2.4 version. “I then tried the latest 3.0 drivers from winpcap and they still don't work so I went back to the 2.4.”

Tip 4: Verify that you have the latest drivers for your NIC. Don’t trust Windows Update entirely; check your vendor’s website for any new updates. If you still get a BSOD or random rebooting, try firing up Dr. Watson and examining what was running at the time (software and hardware, like NICs, protocols, services etc).From these clues, you should make out what is causing the problems.

Tip 5: Grab the latest Windows binary of nmap. At the time of this writing, 3.48 is out, featuring complex version scanning. Fyodor continues to refine nmap and resolve compatibility issues. http://download.insecure.org/nmap/di...3.48-win32.zip

Tip 6: Install the Network Monitor Driver. Control Panel>>Network Connections, then bring up the Properties of your active internet/network connection. Click “Install”, and from the list of component types, select “Protocol” then choose Network Monitor Driver. Install it, reboot, whatever. It was recommended on the nmap mailing list, and it seemed to improve functionality.

Tip 7: This is kind of a given, but make sure your firewall is disabled, as it can hinder packet transfer.

Tip 8: Our own TheHorse13 was able to hack the original Linux source code and run it on a cygwin shell, so if you’re a C guru, its definitely possible to modify the code to work on a Windows box, although it may be very difficult. Do him a favor and don’t ask him how, it’s a time-consuming process that’s only for the 31337. And don’t even THINK about asking me, I don’t even know how to comb my hair right. J

Tip 9: Frequent the nmap-dev mailing list. A LOT of good tips/suggestions/advice can be found, and some of the tips I have written about came directly from the list. Again, always check for the latest version.

Tip 10: Screw Windows and fire up your favorite Linux distro! At one point, I too was afraid of Linux, but after an almost flawless installation of RH9, I cant go back. PHLAK comes bundled with nmap (along with a whole plethora of security-tools) and can be found at http://www.phlak.org/

SOURCES: http://www.insecure.org/, http://www.google.com/ ,and a big thanks to TheHorse13 for helping me with everything life has to ask.

Well, that’s it folks. Feel free to add anything, and if I have made a blunder anywhere, do me a favor and PM me. Have fun and remember, don’t drink and drive.

-ST8K

[lekt0r]

Excellent! I have wanted to try out the nmap win32 port on my XP pc for a while now. This will prove to be very useful, it has already answered a few of my questions. Thanks.

[thehorse13]

Very good post.

For all those people who use Cygwin, you are better off using the command line Win32 build of NMAP with your Cygwin install. My Frankenstien build does have some issues and I'm currently in process of getting a build of NMAP for cygwin via an RPM ready for testing. If all goes well, I will send it over to Fyodor and perhaps he will pop it up on the Insecure site.

Hey, if anyone is interested, I can post a tut on the most common (and rare) NMAP switches, what they do and examples. Let me know if anyone here is interested. NMAP can be *VERY* powerful when used properly.

[n01100110]

Hey, if anyone is interested, I can post a tut on the most common (and rare) NMAP switches, what they do and examples. Let me know if anyone here is interested. NMAP can be *VERY* powerful when used properly.

I think that sounds great ! , id be sure to add it to Negative's list of tutorials...

[catch]

You can also use eEye's nMapNT found at:

http://www.eeye.com/html/Research/Tools/nmapnt.html

This software is more functional, less buggy than the insecure.org port. Additionally the eEye's nMapNT features performance on par with the original nMap. (it is integrated in parts within eEye's Retina and Iris scanners which actually do a few types of network scans actually faster than the nMap.)

catch

[sysmin770]

I am sure that everyone agrees that Nmap works best in its native enviornment. I have found that when scanning with Windows the same functionality is not there as it would be when using it on a Linux machine. You might want to scan with Nmap on a Linux machine and use SuperScan from Foundstone when on a Windows machine. They have made some nice enhancements to SuperScan in thier newest version.

[catch]

sysmin770, have you used eEye's nMapNT or did you just use the insecure.org version?
They are different programs and the insecure.org port, quite frankly sucks bad. I was very disappointed when I first tried it, until I discovered the eEye program.

catch

[HTRegz]

I personally keep a Mandrake VM on this machine just so I can use nmap from it. I have tried both nMapNT and the insecure.org port and I've yet to find either of them completely satisfying. IMO nMapNT is a POS. It refuses to even find a suitable interface by default, at least the insecure.org port will run a simple scan. I used to have no problems with the initial insecure.org ports, however at the time I was on a cable connection, since my switch to PPPoE i've had issues with anything that requires winpcap. Some of you on DSL may know what I'm talking about, and are frustrated about the same thing. I've found the only fix for this is to always scan with -sT -P0. I find -sS to be my most common scan type on nix but in windows it'll return 0 ports for me, however if i run the same scan using the -sT flag.. I'll get a list of open ports. Same with -P0, if I don't use it, it will always tell me the host is down. Hopefully these will help someone out there with problems. After all partial functionality is better than no functionality.

btw thehorse13, a tutorial on the advanced features of nmap would be great

[Network Enforce]

Originally posted here by thehorse13
Very good post.

For all those people who use Cygwin, you are better off using the command line Win32 build of NMAP with your Cygwin install. My Frankenstien build does have some issues and I'm currently in process of getting a build of NMAP for cygwin via an RPM ready for testing. If all goes well, I will send it over to Fyodor and perhaps he will pop it up on the Insecure site.

Hey, if anyone is interested, I can post a tut on the most common (and rare) NMAP switches, what they do and examples. Let me know if anyone here is interested. NMAP can be *VERY* powerful when used properly.

Definetly. I believe it would be something that everyone would benefit from.

[sysmin770]

Catch,
I have heard good things about the eEye version of Nmap. Honestly I have never used it. I only used the Insecure version. I don't use windows that often when scanning or evaluation my networks although I do like to see the contrast between the two operation systems and how different tools perform on each of them. I might have to go visit the site and download the eEye version. Thanks.