
Thread: NMAP Tutorial Lesson 1 - The Basics

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    NMAP Tutorial Lesson 1 - The Basics

    NMAP v3.48 tutorial lesson 1 of ? rev 1.0 by TheHorse13

    PREFACE
    ======================
    I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped.

    I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense.

    NMAP
    =====================
    NMAP is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. See the Scan Types section for more details.

    nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.

    NMAP supported platforms
    =====================
    Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga. You'll find RPMs, binaries and so on, thus, installation is very flexible.
    You'll find all installation details and downloads here:

    http://www.insecure.org/nmap/nmap_download.html

    NMAP OPTIONS
    =====================
    A simple nmap -h will reveal all of the supported switches. These will vary slightly on older builds.

    * -sS TCP SYN stealth port scan (default if privileged (root))
    -sT TCP connect() port scan (default for unprivileged users)
    * -sU UDP port scan
    -sP ping scan (Find any reachable machines)
    * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
    -sV Version scan probes open ports determining service & app names/versions
    -sR/-I RPC/Identd scan (use with other scan types)

    Some Common Options (none are required, most can be combined):
    * -O Use TCP/IP fingerprinting to guess remote operating system
    -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
    -F Only scans ports listed in nmap-services
    -v Verbose. Its use is recommended. Use twice for greater effect.
    -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
    * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
    -6 scans via IPv6 rather than IPv4
    -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
    -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
    -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
    -iL <inputfile> Get targets from file; Use '-' for stdin
    * -S <your_IP>/-e <devicename> Specify source address or network interface
    --interactive Go into interactive mode (then press h for help)
    --win_help Windows-specific features

    EXAMPLES OF BASIC SCANS
    =====================

    Example 1 (NOTE: You must have root privileges to run the SYN stealth scan, which is the -sS switch)

    Let's say that you want to know what ports are open on a host and you want to know what OS is running on the host. This can be done by typing the following NMAP command. (NOTE: the position of switches makes no difference. You can order switches any way you like.)

    [root@localhost]# nmap -v -sS -O -p 1-65535 192.168.1.100

    nmap - the command to run it
    -v for verbose
    -sS for SYN stealth scan
    -p for ports you want to scan (I used all IANA ports)
    -O OS detection
    192.168.1.100 - the host

    Here is the output from this command. Let's take a closer look at what is returned in addition to what we have asked for.

    Starting nmap 3.48 ( http://www.insecure.org/nmap ) at 2003-10-25 19:20 Eastern Daylight Time
    Host IS~TOWER (192.168.1.101) appears to be up ... good.
    Initiating SYN Stealth Scan against IS~TOWER (192.168.1.101) at 19:20
    Adding open port 445/tcp
    Adding open port 5800/tcp
    Adding open port 21/tcp
    Adding open port 5900/tcp
    Adding open port 1025/tcp
    Adding open port 135/tcp
    Adding open port 1027/tcp
    Adding open port 139/tcp
    The SYN Stealth Scan took 13 seconds to scan 65535 ports.
    For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
    Interesting ports on IS~TOWER (192.168.1.101):
    (The 65527 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    21/tcp open ftp
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1027/tcp open IIS
    5800/tcp open vnc-http
    5900/tcp open vnc
    Device type: general purpose
    Running: Microsoft Windows 95/98/ME|NT/2K/XP
    OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=8231 (Worthy challenge)
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 14.851 seconds

    The first thing you'll notice is that NMAP will resolve the hostname of the box you scan if possible. In this case, the host, 192.168.1.101, is named "IS~TOWER". The next line we see is the type of scan we have performed (the switch -sS is a SYN Stealth scan, which is what we have done) and the duration of the scan.

    You may also notice that NMAP has posted what appears to be redundant information. This is intentional. The first section is the port scan, where ports will appear in no particular order; the second is the service scan, where the ports are arranged in ascending order along with what NMAP feels is the associated service. It also tells you that the other ports that you specified for scanning are closed, thus, they have been omitted. This is a good thing because you don't need to see 65,535 closed port statements whiz down your screen.

    Additionally, NMAP is telling you that it is making some assumptions while trying to identify the remote OS. Look closely at the output and you will see that it assumes that port 21 (FTP typically) is open and port 1 (TCP/UDP port service multiplexer) is closed and there is no firewall in place. But what if port 21 is closed and there is a firewall in place? NMAP will then select the first port you select as the port that it will assume is closed (for example, if you scan ports 400-500 it will assume 400 is closed) and it will pick the first open port it comes across as the open port used in OS identification. Now, with a firewall in place, NMAP will not be able to properly fingerprint the OS (in most cases), so it will warn of this fact by stating that the OS identification will be less accurate and in some cases, if it cannot identify the OS, it will output an NMAP "fingerprint" which we will examine very closely in later lessons.

    The Device type field is attempting to tell you what the device is used for, such as a router, etc., but I have found this field less than accurate many times.

    The OS identifier field is the footprint match that NMAP has returned for the target machine. Notice that when a Windows OS is identified, it gives you a number of possibilities and not an exact match. This is because the stacks on these OSes respond the same way, thus it is difficult to pinpoint the exact MS OS in use. The OS Details line is the one to be concerned with when looking at your results, not "Running:".

    The TCP Sequence prediction is run to see how each IP sequence number is handled during the connection (or how NMAP feels this happens). The theory being that if you can predict the sequence, you can poison the connection by injecting your own packets into the stream. A good OS will always have random sequence numbers. NMAP also tells you what it feels the difficulty is in penetrating the box. The difficulty number will be accompanied with a small blurb which ranges from easy to good luck. The last thing it tells you is how the IPID sequence generation is handled. Give Nmap the arguments "-v -O" against a host and it should say "IPID Sequence Generation: whatever". IPID classes Nmap understands include "incremental" (most machines), "duplicated IPID" (mostly stupid devices like printers), "Broken little-endian incremental" (Windows), "Randomized" (OpenBSD), and "Random positive increments".

    Well, that is the end of lesson one, which covers a basic scan and what the results mean. By no means is this supposed to be perfect, so if you feel I missed something or failed to explain something with enough detail, please let me know. Also, add anything you like. :-)

    Next lesson will deal exclusively with scanning options and how to form the proper syntax for specific scans.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
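As an added example (not part of the original post), here is a small Python parser for the normal-format output walked through in the lesson, the kind of thing an administrator would run over a saved -oN scan of their own hosts: it pulls out the port table, OS details and the sequence/IPID fields the post explains, and flags open ports that are not in an approved baseline. The sample input is an excerpt of the output quoted in the post; the baseline in the test is assumed.

```python
import re

# Sample input: an excerpt of the nmap 3.48 normal-format output quoted in
# the post above, with the wrapped lines rejoined.
SAMPLE_OUTPUT = """\
Host IS~TOWER (192.168.1.101) appears to be up ... good.
Interesting ports on IS~TOWER (192.168.1.101):
(The 65527 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5900/tcp open vnc
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP
TCP Sequence Prediction: Class=random positive increments
Difficulty=8231 (Worthy challenge)
IPID Sequence Generation: Incremental
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "label: value" lines the post walks through, mapped to result keys.
FIELDS = {"OS details": "os_details", "IPID Sequence Generation": "ipid"}

def parse_nmap_normal(text):
    """Pull host, per-port state, OS guess and sequence info out of normal output."""
    r = {"host": None, "ip": None, "ports": [], "os_details": None,
         "seq_class": None, "difficulty": None, "ipid": None}
    for line in text.splitlines():
        host = HOST_RE.match(line)
        port = PORT_RE.match(line)
        if host:
            r["host"], r["ip"] = host.group(1), host.group(2)
        elif port:  # (port, proto, state, service) as printed in the table
            r["ports"].append((int(port.group(1)), port.group(2), port.group(3), port.group(4)))
        elif line.startswith("TCP Sequence Prediction: Class="):
            r["seq_class"] = line.split("Class=", 1)[1]
        elif line.startswith("Difficulty="):  # the number before the "(blurb)"
            r["difficulty"] = int(line.split("=", 1)[1].split()[0])
        elif ": " in line and line.split(": ", 1)[0] in FIELDS:
            r[FIELDS[line.split(": ", 1)[0]]] = line.split(": ", 1)[1]
    return r

def unexpected_open_ports(parsed, allowed):
    """Open (port, proto) pairs that are not in the host's approved baseline."""
    return sorted(p for p, proto, state, _ in parsed["ports"]
                  if state == "open" and (p, proto) not in allowed)
```

Run it over the whole -oN file of a host you administer and compare the result against what that host is supposed to expose; in the sample, VNC on 5900 is the port that would stand out.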

  2. #2
    Junior Member
    Join Date
    Oct 2002
    Posts
    20
    10x man. This helps a lot. I'm already w8ing for the next step.
    If you want to lead the people you must follow them.

    www.homomultimedia.com

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Instead of adding a survey, please tell me if this format is helpful. I can add more technical details, less, or keep it exactly as I have it in upcoming lessons. You guys tell me what you want.

    --TH13

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    TheHorse13,

    How about some formatting and losing the doublespace? Also, the page word-wraps on its own so you don't need to add in line returns.

    MsMittens felt very old all of a sudden reading in doublespace

    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    Hehehe, I like. Though, perhaps take advantage of the Quote box to single out overly technical information, so that people who do not wish to read all of it can simply skip the boxes. Nice work, submit an Article! lol

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  6. #6
    Junior Member
    Join Date
    Oct 2003
    Posts
    3
    Hi
    It's really very good.

  7. #7
    Thanks. I'll put this to the acid test this next week. I want to set up nmap on a new Linux machine. I may need to go beyond the basics real-soon-now. No pressure!

  8. #8
    Senior Member
    Join Date
    Sep 2003
    Posts
    554
    Ok, here's a question.
    I'm currently on a Win 98SE system and I've installed Nmap, and when I click the exe file, it keeps coming up with an error.
    Or sometimes I get lucky and it just does nothing at all.

    And when I install the same file onto another machine running Linux, it works fine.
    I bought the CD as the sales person told me that I COULD use it on Win 98SE.
    So why ain't the damn thing working.........?

    Sorry people, but I've asked this question before and no one could answer me.
    I've tried returning the CD but the sales person basically laughed in my face, so now I'm stuck with a useless CD that I paid for with money that coulda went to some much needed new equipment.

    So please, I'm begging, could someone please just help me.
    I'm about ready to snap the blasted CD and just cry.

    Cheers.

  9. #9
    Senior Member
    Join Date
    Feb 2003
    Posts
    193
    for more information about nmap
    type
    info nmap

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Quote: I'm currently on a Win 98SE system and I've installed Nmap, and when I click the exe file, it keeps coming up with an error.
    Or sometimes I get lucky and it just does nothing at all.

    There is a Win32 version of NMAP available on www.insecure.com/nmap. The most stable version is the command line version; don't bother with the GUI because it is complete crap.

    This should solve your issue.