NMAP v3.48 tutorial lesson 1 of ? rev 1.0 by TheHorse13

PREFACE
======================
I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped.

I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense.

NMAP
=====================
NMAP is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. See the Scan Types section for more details.

nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.

NMAP supported platforms
=====================
Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga. You'll find RPMs, binaries and so on, thus installation is very flexible.
You'll find all installation details and downloads here:

http://www.insecure.org/nmap/nmap_download.html

NMAP OPTIONS
=====================
A simple nmap -h will reveal all of the supported switches. These will vary slightly on older builds.

* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service & app names/versions
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
--win_help Windows-specific features

EXAMPLES OF BASIC SCANS
=====================

Example 1 (NOTE: You must have root privileges to run the SYN stealth scan, which is the -sS switch)

Let's say that you want to know what ports are open on a host and you want to know what OS is running on the host. This can be done by typing the following NMAP command. (NOTE: the position of switches makes no difference. You can order switches any way you like.)

[root@localhost]# nmap -v -sS -O -p 1-65535 192.168.1.100

nmap - the command to run it
-v for verbose
-sS for SYN stealth scan
-p for ports you want to scan (I used 1-65535, i.e. every TCP port)
-O OS detection
192.168.1.100 - the host

Here is the output from this command. Let's take a closer look at what is returned in addition to what we have asked for.

Starting nmap 3.48 ( http://www.insecure.org/nmap ) at 2003-10-25 19:20 Eastern Daylight Time
Host IS~TOWER (192.168.1.101) appears to be up ... good.
Initiating SYN Stealth Scan against IS~TOWER (192.168.1.101) at 19:20
Adding open port 445/tcp
Adding open port 5800/tcp
Adding open port 21/tcp
Adding open port 5900/tcp
Adding open port 1025/tcp
Adding open port 135/tcp
Adding open port 1027/tcp
Adding open port 139/tcp
The SYN Stealth Scan took 13 seconds to scan 65535 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on IS~TOWER (192.168.1.101):
(The 65527 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
5800/tcp open vnc-http
5900/tcp open vnc
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP
TCP Sequence Prediction: Class=random positive increments
Difficulty=8231 (Worthy challenge)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 14.851 seconds

The first thing you'll notice is that NMAP will resolve the hostname of the box you scan if possible. In this case, the host, 192.168.1.101, is named "IS~TOWER". The next line tells us the type of scan we have performed (the switch -sS is a SYN Stealth scan), and a few lines later NMAP reports how long that scan took.

You may also notice that NMAP has posted what appears to be redundant information. This is intentional. The first section is the port scan, where ports will appear in no particular order; the second is the service listing, where the ports are arranged in ascending order along with what NMAP feels is the associated service. It also tells you that the other ports you specified for scanning are closed, thus they have been omitted. This is a good thing because you don't need to see 65,535 closed port statements whiz down your screen.
Additionally, NMAP is telling you that it is making some assumptions while trying to identify the remote OS. Look closely at the output and you will see that it assumes that port 21 (FTP typically) is open and port 1 (TCP/UDP port service multiplexer) is closed and there is no firewall in place. But what if port 21 is closed and there is a firewall in place? NMAP will then select the first port you specified as the port that it will assume is closed (for example, if you scan ports 400-500 it will assume 400 is closed) and it will pick the first open port it comes across as the open port used in OS identification. Now, with a firewall in place, NMAP will not be able to properly fingerprint the OS (in most cases), so it will warn of this fact by stating that the OS identification will be less accurate and, in some cases, if it cannot identify the OS, it will output an NMAP "fingerprint" which we will examine very closely in later lessons.

The Device type field is attempting to tell you what the device is used for, such as a router, etc., but I have found this field less than accurate many times.

The OS identifier field is the fingerprint match that NMAP has returned for the target machine. Notice that when a Windows OS is identified it gives you a number of possibilities and not an exact match. This is because the stacks on these OSes respond the same way, thus it is difficult to pinpoint the exact MS OS in use. The OS Details line is the one to be concerned with when looking at your results, not "Running:".

The TCP Sequence prediction is run to see how each TCP sequence number is handled during the connection (or how NMAP feels this happens). The theory is that if you can predict the sequence, you can poison the connection by injecting your own packets into the stream. A good OS will always have random sequence numbers. NMAP also tells you what it feels the difficulty is in penetrating the box. The difficulty number will be accompanied by a small blurb which ranges from easy to good luck. The last thing it tells you is how the IPID sequence generation is handled. Give Nmap the arguments "-v -O" against a host and it should say "IPID Sequence Generation: whatever". IPID classes Nmap understands include "incremental" (most machines), "duplicated IPID" (mostly stupid devices like printers), "Broken little-endian incremental" (Windows), "Randomized" (OpenBSD), and "Random positive increments".
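As an added example that is not part of the original lesson, here is a small Python parser for the normal-format output shown above, pulling out the fields just explained (resolved host, the OSScan open/closed port assumptions, the port table, Running/OS details, sequence difficulty and IPID class) and then flagging open ports that are not on an expected-service list, which is how a defender would use a scan of their own host. The sample text is a constructed, trimmed copy of the lesson's output, and unexpected_open_ports is my own helper, not an nmap feature.

```python
import re

# Constructed sample: the nmap 3.48 normal output quoted in the lesson, trimmed
# to the lines the parser looks at (whitespace between columns is not significant).
SAMPLE_OUTPUT = """\
Host IS~TOWER (192.168.1.101) appears to be up ... good.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5900/tcp open vnc
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP
Difficulty=8231 (Worthy challenge)
IPID Sequence Generation: Incremental
"""

HOST_RE = re.compile(r"^Host (\S+) \((\d+(?:\.\d+){3})\) appears to be up")
OSSCAN_RE = re.compile(r"^For OSScan assuming that port (\d+) is open and port (\d+) is closed")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_nmap_normal(text):
    """Pull the fields the lesson explains out of nmap's normal (-oN style) output."""
    r = {"hostname": None, "ip": None, "ports": [], "osscan_open": None, "osscan_closed": None,
         "running": None, "os_details": None, "seq_difficulty": None, "ipid": None}
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):                      # resolved name + address
            r["hostname"], r["ip"] = m.group(1), m.group(2)
        elif m := OSSCAN_RE.match(line):                  # ports assumed open/closed for -O
            r["osscan_open"], r["osscan_closed"] = int(m.group(1)), int(m.group(2))
        elif m := PORT_RE.match(line):                    # one row of the port table
            r["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                               "state": m.group(3), "service": m.group(4)})
        elif line.startswith("Running: "):                # OS family guess
            r["running"] = line[len("Running: "):]
        elif line.startswith("OS details: "):             # the line that actually matters
            r["os_details"] = line[len("OS details: "):]
        elif m := re.search(r"Difficulty=(\d+)", line):   # TCP sequence prediction score
            r["seq_difficulty"] = int(m.group(1))
        elif line.startswith("IPID Sequence Generation: "):
            r["ipid"] = line.split(": ", 1)[1]
    return r

def unexpected_open_ports(parsed, expected):
    """Defender's check: open ports that are not on the host's expected-service list."""
    return sorted(p["port"] for p in parsed["ports"]
                  if p["state"] == "open" and p["port"] not in expected)
```

Feed it a saved -oN log of your own host and compare the result against what you believe should be listening; ports 21 and 5900 above would stand out on a box that is only meant to serve Windows file sharing.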

Well, that is the end of lesson one, which covers a basic scan and what the results mean. By no means is this supposed to be perfect, so if you feel I missed something or failed to explain something with enough detail, please let me know. Also, add anything you like. :-)

Next lesson will deal exclusively with scanning options and how to form the proper syntax for specific scans.