October 31st, 2003, 07:59 PM
#1
NMAP 3.48 Tutorial Lesson 2 - More Basics
NMAP v3.48 tutorial lesson 2 of ? rev 1.0 by TheHorse13
PREFACE (Will be repeated at the top of each lesson)
======================
I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but have not yet reached the point where its advanced features are fully understood.
I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense.
PREREQUISITE
======================
Read Lesson one – The Basics, found in the Tutorial Forum.
IN THIS LESSON
=====================
This lesson will still be at the beginner level so those who are advanced users, look for later lessons where things like connectionless scans are covered.
We will look at some additional scanning techniques and when to use them. We will focus only on internal scans at this point. We will look at output when you hit firewalls, routers and other devices between you and your target in later lessons.
SUBNET, PORT RANGES AND MULTIPLE HOST SCANS
=====================
In lesson 1, we saw a very basic scan that produced results for a single host. Let’s take that same example and add a small twist. You now have an entire subnet that needs to be scanned to pinpoint all of the machines that have remote control services running. In the organization, PCAnywhere is the only supported remote access solution and you now have to track down those who are not in compliance. Being a vigilant security professional, you immediately grab your trusty NMAP tool and go to work.
NOTE: Some folks are quite crafty and don’t run services on the typical port associated with the service. But for now, we will make two assumptions for this example. First, all remote control services are running on the ports that are typically associated with them.
We will assume that three additional remote control services are running out there. They will be 1) Terminal Services, 2) VNC and 3) LapLink. The subnet you will scan is a class C network, so the network is 192.168.1.0 and the subnet mask is 255.255.255.0.
OK, let's create the syntax to discover these services:
[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.0/24
OK, let’s look over what we are doing here.
nmap - obviously the command itself
-v - I typically recommend using the verbose switch. If you leave it out, your output will only show the ordered port list and fewer details on scan time responses and other details that may be useful to you.
-sV - Since the default privileged mode scan is -sS (SYN Stealth, or half-open scan, a scan where only the SYN flag is sent in the packet), -sV will cause NMAP to communicate with the box to identify the running services that it finds. This feature was added in NMAP-3.48.
-p - Ports can be expressed individually separated by commas, as ranges separated by dashes, or as a combination such as -p 1547,1567,3300-3350
hosts 192.168.1.0/24 - now, without starting another tutorial subject, subnet masks must be expressed as a bit count. For example, 255.255.255.0 is a 24 bit mask, 255.255.0.0 is a 16 bit mask, etc. A single host does not require a subnet mask, but if you want to be technical it would be /32, and it works if given as part of the command. You can also use the "*" wildcard in the host argument like this: 192.168.1.* This is the same as 192.168.1.0/24.
Now then, in the interest of post length, I’ll let you play with the multiple host syntax and specific port/port range functionality. You’ll notice that you will get a complete record for each host that is alive and should a host not respond, NMAP will notify you that the host appears to be down and NMAP is skipping it.
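To show what you would actually do with the per-host records this scan produces, here is an added example (my own code, not part of the tutorial or the nmap project) that parses nmap's grepable output (the real -oG option) and reports every host running a remote control service other than the sanctioned PCAnywhere. The sample output lines are constructed for illustration and follow the -oG layout as I know it (port/state/proto/owner/service/rpcinfo/version); host .13 is included as a non-responder so the "skipped" case is handled too.

```python
# Added example: parse nmap grepable (-oG) output and flag remote control
# services other than the one the organization supports (PCAnywhere).
# Assumed -oG layout per line:
#   "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."

PORT_SERVICE = {
    1547: "LapLink",
    3389: "Terminal Services",
    5631: "PCAnywhere",
    5900: "VNC",
}
ALLOWED_PORTS = {5631}  # only PCAnywhere is sanctioned in the scenario

# Constructed sample output, not a real scan. Host .13 did not respond.
SAMPLE_OUTPUT = """\
# Nmap 3.48 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tPorts: 1547/closed/tcp//laplink///, 3389/open/tcp//ms-term-serv///, 5631/open/tcp//pcanywheredata///, 5900/closed/tcp//vnc///
Host: 192.168.1.11 ()\tPorts: 1547/closed/tcp//laplink///, 3389/closed/tcp//ms-term-serv///, 5631/open/tcp//pcanywheredata///, 5900/closed/tcp//vnc///
Host: 192.168.1.12 ()\tPorts: 1547/closed/tcp//laplink///, 3389/closed/tcp//ms-term-serv///, 5631/closed/tcp//pcanywheredata///, 5900/open/tcp//vnc//VNC (protocol 3.3)/
Host: 192.168.1.13 ()\tStatus: Down
# Nmap run completed (constructed sample)
"""


def parse_grepable(text):
    """Return {host: {port: (state, service, version)}} for every Host: line."""
    scan = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 192.168.1.10 ()" -> the IP
        ports = {}
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                  # e.g. "Status: Down" carries no ports
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue              # malformed entry, skip it
                port, state, _proto, _owner, service, _rpc, version = parts[:7]
                ports[int(port)] = (state, service, version)
        scan[host] = ports
    return scan


def noncompliant_hosts(scan, allowed=ALLOWED_PORTS):
    """List (host, port, service, version) for open ports outside the allowed set."""
    findings = []
    for host in sorted(scan):
        for port, (state, service, version) in sorted(scan[host].items()):
            if state == "open" and port not in allowed:
                findings.append((host, port, PORT_SERVICE.get(port, service), version))
    return findings


def hosts_without_ports(scan):
    """Hosts that appeared in the output but had no port records (down / skipped)."""
    return [host for host, ports in scan.items() if not ports]


if __name__ == "__main__":
    result = parse_grepable(SAMPLE_OUTPUT)
    for host, port, service, version in noncompliant_hosts(result):
        print(f"{host}: {service} on tcp/{port} {version}".rstrip())
    for host in hosts_without_ports(result):
        print(f"{host}: no response, skipped by nmap")
```

Feed it a real file by reading the output of the command above run with -oG, and the same two functions give you the list of machines to chase down.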
One more function that I’d like to cover is the multiple host scan syntax.
[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.10,11,12
Notice that I just added additional host ID numbers separated by commas. NMAP will recognize this as a multiple host scan. You can also use the same idea when scanning a range of hosts.
[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.10-15
This will tell NMAP to scan the specified ports using the IP range 192.168.1.10 through 15. You'll notice that port and host expressions use the same syntax. This makes learning the command line switches a bit easier.
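Since host lists and port lists share one grammar, here is an added example (my code, not part of the tutorial or of nmap) that expands both kinds of expression with a single routine, so you can see exactly which hosts and ports a given command line will touch before you run it. Open-ended ranges such as "1024-" are my own generalization and are not something this lesson claims nmap 3.48 accepts. One caveat worth knowing: a bare * on the command line can be expanded by the shell against file names in the current directory, so quote it ('192.168.1.*') when you use it.

```python
# Added example: expand nmap-style host and port expressions with one routine.
import ipaddress


def expand_ranges(expr, lo, hi):
    """Expand a list expression ("22,80,3300-3350", "10-15", "*") into sorted ints.
    The same grammar serves -p port lists and each octet of a host spec.
    lo/hi bound the legal values and fill in open-ended ranges (assumed extension)."""
    values = set()
    for item in expr.split(","):
        item = item.strip()
        if item == "*":
            values.update(range(lo, hi + 1))
            continue
        if "-" in item:
            start, end = item.split("-", 1)
            start = int(start) if start else lo   # "-1024" means lo..1024
            end = int(end) if end else hi         # "1024-" means 1024..hi
        else:
            start = end = int(item)
        if start > end or start < lo or end > hi:
            raise ValueError(f"{item!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return sorted(values)


def expand_ports(spec):
    """-p argument -> sorted list of port numbers."""
    return expand_ranges(spec, 1, 65535)


def expand_hosts(spec):
    """Host argument -> list of dotted-quad strings.
    CIDR notation (/24) goes through ipaddress; otherwise every octet is a
    list expression, so "192.168.1.10,11,12" and "192.168.1.10-15" both work."""
    if "/" in spec:
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    a, b, c, d = (expand_ranges(octet, 0, 255) for octet in octets)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def scan_plan(host_spec, port_spec):
    """Hosts and ports a line like 'nmap -p <ports> <hosts>' would cover."""
    hosts, ports = expand_hosts(host_spec), expand_ports(port_spec)
    return {"hosts": hosts, "ports": ports, "probes": len(hosts) * len(ports)}


if __name__ == "__main__":
    plan = scan_plan("192.168.1.10-15", "1547,5631,3389,5900")
    print(f"{len(plan['hosts'])} hosts x {len(plan['ports'])} ports = {plan['probes']} probes")
```

The probe count is a useful sanity check before a large scan: a /24 against four ports is 1024 probes, while a full port range against the same subnet is over sixteen million, which is worth knowing before you press enter.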
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
October 31st, 2003, 08:26 PM
#2
Yes, this is perfect. Continue this way.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
October 31st, 2003, 08:58 PM
#3
Excellent job horse... Looking forward to more...
"Serenity is not the absence of conflict, but the ability to cope with it."
-
October 31st, 2003, 09:03 PM
#4
Nice work Hoss..... This village idiot is getting it perfectly.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
October 31st, 2003, 10:37 PM
#5
Nicely explained. Can't wait for later versions though. You should create a hping2 lesson for testing firewall rulesets in the future.
-
November 1st, 2003, 02:59 AM
#6
Don't worry, Hping and Dsniff are on my tutorial list .
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 1st, 2003, 03:18 AM
#7
Originally posted here by thehorse13
Don't worry, Hping and Dsniff are on my tutorial list .
These are great, what about a paper on auditing wireless lans? I find this trivial with a *nix box, but lord help me if I've got to use M$, I can't even grab an ESID with MircoCrap.
--PuRe
-
November 1st, 2003, 03:53 PM
#8
can't wait for the hping tut horsie
-
November 1st, 2003, 09:48 PM
#9
Let's see. Hping, Dsniff, auditing wireless LANs (which I happen to have a tut I wrote for internal use on). Sounds like you guys will have me busy for quite a while.
I will post at least one tut a week. Once I am done with the NMAP series, I'll move on to the others.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 2nd, 2003, 12:26 AM
#10
Once a week, can't beat that.