NMAP 3.48 Tutorial - Lesson 3 - Common Output
Page 1 of 4 123 ... LastLast
Results 1 to 10 of 39

Thread: NMAP 3.48 Tutorial - Lesson 3 - Common Output

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    NMAP 3.48 Tutorial - Lesson 3 - Common Output

    NMAP v3.48 tutorial lesson 3 of ? rev 1.0 by TheHorse13


    PREFACE (Will be repeated at the top of each lesson)
    ======================
    I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped.

    I will be borrowing verbage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial but I would like to make everyone aware that I will be borrowing info where it makes sense.

    Bold text - Command syntax
    Underlined text – Important information

    NOTE: TheHorse13 takes no responsibility in regards to your use of the information presented in the NMAP tutorial series. If you get into trouble, then obviously you aren’t as 1337 as you thought.

    PREREQUISIT
    ======================
    Read Lesson one – The Basics and Lesson 2 - More Basics, both found in the Tutorial Forum.

    IN THIS LESSON
    =====================
    This lesson deals with typical output observed when scanning outside of your network. Note that we are still using the basic and most common command set without any of the advanced features.

    OH NO, WHAT ARE FILTERED AND UNFILTERED PORTS?
    ====================
    Now that you have a grasp on the basic operation of NMAP and the base command line options, let’s take a look at some things that may pop up during your scans. Using NMAP internally is wonderful but the true power of the application is only seen when used *outside* of your network. The reason I say this is because there are many more potential targets…..errrrrr……..servers that need remediation out on the open internet.

    Important – When you use basic NMAP functionality to perform scans against a host that is not yours, be prepared to be identified quickly. All good administrators can spot a standard port scan a mile away.

    OK, let’s use a basic scan against a host and let’s take a peek at the output.

    [haxor@localhost]# NMAP –v –sV -O -p 21,135,139,445,5800,5900 207.96.37.20

    NOTE: Output edited for brevity


    PORT STATE SERVICE
    21/tcp open ftp
    135/tcp filtered msrpc
    139/tcp filtered netbios-ssn
    445/tcp open microsoft-ds
    5800/tcp unfiltered vnc-http
    5900/tcp filtered vnc


    The result of running nmap is usually a list of interesting ports on the machine(s) being scanned (if any). The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no fire wall/filter seems to be interfering with nmap's attempts to determine this.

    As we can see, this person has closed down the typical NetBIOS ports but forgot to do so to the CIFS service on port 445. This poor admin could have left just enough room for an attacker to enumerate some useful information from this host. We also see that FTP is waiting cheerfully for connections, while VNC is filtered. Oh yes, the HTTP vnc service appears to be closed but nothing seems to be standing in the way. Again. Another potential chink in the armor should the service suddenly become available.

    LOOKS LIKE I HIT A FIREWALL
    ======================
    From time to time you may see something like this:

    [haxor@localhost]# NMAP –v –sV -O -p 1-65535 207.96.37.21


    Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-04 14:50 EST
    Host 207.96.37.198 appears to be up ... good.
    Initiating SYN Stealth Scan against 207.96.37.21 at 14:50
    The SYN Stealth Scan took 186 seconds to scan 65535 ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    All 65535 scanned ports on 207.96.37.198 are: closed
    Device type: firewall|general purpose
    Running (JUST GUESSING) : Cisco PIX 6.X|5.X (90%), Stratus VOS (90%)
    Aggressive OS guesses: Cisco PIX 506 Firewall (90%), Cisco PIX 515 or 525 running 6.1(4) - 6.2(1) (90%), Cisco PIX Firewall Version 6.2(2) - 6.3 (90%), Cisco Secure PIX Firewall Version 5.0(2) (90%), Stratus VOS Release 14.3.1ae (90%)
    No exact OS matches for host (test conditions non-ideal).

    Nmap run completed -- 1 IP address (1 host up) scanned in 204.288 seconds


    Well, well, well, what do we have here? NMAP does an excellent job of identifying firewalls and other network gear. This scan is on the money but you’ll have to do some more probing in order to pinpoint the exact model and exact IOS in use. The problem you have now is that the firewall admin now sees that you have port scanned his/her firewall. But maybe, just maybe there are ways to probe without raising attention. We will cover these techniques in the next lesson. Lesson 4 will be the first advanced lesson in this series. It will cover anonymous scanning, connectionless scanning and other techniques that avoid detection.

    As always, comments good, bad and indifferent are welcome.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Damn Hoss.... You type like you've used this "in anger"......

    Nice work, waiting for the "juicy stuff" to appear.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352
    once again, excellent job horse.....I like many other people enjoy the way your doing these tutorials..The syntax is great and i like the firewall scenario in this one..Waiting for the more detailed expressions..Keep up the good work..
    "Serenity is not the absence of conflict, but the ability to cope with it."

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Well the next tut will have things that I'm sure you are looking for. We will look at what your scan returns and what the admin sees on his end.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    Excellent tutorial indeed. But first how do I install nmap in linux redhat 9? I am competelty new to linux I dont **** with linux help me

  6. #6
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    Computernerd22,

    Open Google, type in the search window " nmap" , go to the first link and search the download section, get the binary and read the instructions on that page.


    If you're really lazy or lame, I'm just good enough to give you this link : http://www.insecure.org/nmap/nmap_download.html
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  7. #7
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352
    Computernerd22: Im sure you probably got it installed by now from shrekkies link, but usually you can just use the *.bz2 file and compile it from source..
    "Serenity is not the absence of conflict, but the ability to cope with it."

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I have found that compiling from the source code works much better (especially when upgrading) than the RPM install. In the past, I had to use the "--force" switch to get NMAP to install from an RPM which is a bit of a pain in the ass.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Nmap is cool. This is the tool used by Trinity to port scan in Matrix Reloaded.

    I am going to watch Matrix Revolution tomorrow evening.


  10. #10
    Member
    Join Date
    Apr 2003
    Posts
    51
    Thanks for the info, this is always useful. Specially to me.
    Now get off your bum and download it! www.linuxISO.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •