
Thread: NMAP 3.48 Tutorial - Lesson 3 - Common Output

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    NMAP 3.48 Tutorial - Lesson 3 - Common Output

    NMAP v3.48 tutorial lesson 3 of ? rev 1.0 by TheHorse13


    PREFACE (Will be repeated at the top of each lesson)
    ======================
    I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped.

    I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense.

    Bold text - Command syntax
    Underlined text – Important information

    NOTE: TheHorse13 takes no responsibility in regards to your use of the information presented in the NMAP tutorial series. If you get into trouble, then obviously you aren’t as 1337 as you thought.

    PREREQUISITE
    ======================
    Read Lesson one – The Basics and Lesson 2 - More Basics, both found in the Tutorial Forum.

    IN THIS LESSON
    =====================
    This lesson deals with typical output observed when scanning outside of your network. Note that we are still using the basic and most common command set without any of the advanced features.

    OH NO, WHAT ARE FILTERED AND UNFILTERED PORTS?
    ====================
    Now that you have a grasp on the basic operation of NMAP and the base command line options, let’s take a look at some things that may pop up during your scans. Using NMAP internally is wonderful but the true power of the application is only seen when used *outside* of your network. The reason I say this is because there are many more potential targets…..errrrrr……..servers that need remediation out on the open internet.

    Important – When you use basic NMAP functionality to perform scans against a host that is not yours, be prepared to be identified quickly. All good administrators can spot a standard port scan a mile away.

    OK, let’s use a basic scan against a host and let’s take a peek at the output.

    [haxor@localhost]# nmap -v -sV -O -p 21,135,139,445,5800,5900 207.96.37.20

    NOTE: Output edited for brevity


    PORT STATE SERVICE
    21/tcp open ftp
    135/tcp filtered msrpc
    139/tcp filtered netbios-ssn
    445/tcp open microsoft-ds
    5800/tcp unfiltered vnc-http
    5900/tcp filtered vnc


    The result of running nmap is usually a list of interesting ports on the machine(s) being scanned (if any). The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap's attempts to determine this.

    As we can see, this person has closed down the typical NetBIOS ports but forgot to do so to the CIFS service on port 445. This poor admin could have left just enough room for an attacker to enumerate some useful information from this host. We also see that FTP is waiting cheerfully for connections, while VNC is filtered. Oh yes, the HTTP VNC service appears to be closed but nothing seems to be standing in the way. Again, another potential chink in the armor should the service suddenly become available.

    LOOKS LIKE I HIT A FIREWALL
    ======================
    From time to time you may see something like this:

    [haxor@localhost]# nmap -v -sV -O -p 1-65535 207.96.37.21


    Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-04 14:50 EST
    Host 207.96.37.198 appears to be up ... good.
    Initiating SYN Stealth Scan against 207.96.37.21 at 14:50
    The SYN Stealth Scan took 186 seconds to scan 65535 ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    All 65535 scanned ports on 207.96.37.198 are: closed
    Device type: firewall|general purpose
    Running (JUST GUESSING) : Cisco PIX 6.X|5.X (90%), Stratus VOS (90%)
    Aggressive OS guesses: Cisco PIX 506 Firewall (90%), Cisco PIX 515 or 525 running 6.1(4) - 6.2(1) (90%), Cisco PIX Firewall Version 6.2(2) - 6.3 (90%), Cisco Secure PIX Firewall Version 5.0(2) (90%), Stratus VOS Release 14.3.1ae (90%)
    No exact OS matches for host (test conditions non-ideal).

    Nmap run completed -- 1 IP address (1 host up) scanned in 204.288 seconds


    Well, well, well, what do we have here? NMAP does an excellent job of identifying firewalls and other network gear. This scan is on the money but you’ll have to do some more probing in order to pinpoint the exact model and exact IOS in use. The problem you have now is that the firewall admin now sees that you have port scanned his/her firewall. But maybe, just maybe there are ways to probe without raising attention. We will cover these techniques in the next lesson. Lesson 4 will be the first advanced lesson in this series. It will cover anonymous scanning, connectionless scanning and other techniques that avoid detection.

    As always, comments good, bad and indifferent are welcome.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
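    Added example (my own, not part of TheHorse13's post or of the nmap project): a small Python script that parses the two nmap 3.48 outputs quoted above and turns the open/filtered/unfiltered states into the observations the post makes by hand (445 open while 135/139 are filtered, 5800 unfiltered with nothing in front of it, every port closed on a box nmap guesses is a firewall). The sample input is the post's own output, embedded so the script runs offline; the finding labels and the function names are my own.

```python
import re

# Constructed sample input: the two abbreviated nmap 3.48 outputs quoted in the post above,
# embedded here so the script runs offline.
SCAN_A = """\
PORT STATE SERVICE
21/tcp open ftp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp open microsoft-ds
5800/tcp unfiltered vnc-http
5900/tcp filtered vnc
"""

SCAN_B = """\
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-04 14:50 EST
Host 207.96.37.198 appears to be up ... good.
Initiating SYN Stealth Scan against 207.96.37.21 at 14:50
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 65535 scanned ports on 207.96.37.198 are: closed
Device type: firewall|general purpose
Nmap run completed -- 1 IP address (1 host up) scanned in 204.288 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|unfiltered|closed)\s+(\S+)")
ALL_PORTS_LINE = re.compile(r"^All (\d+) scanned ports on (\S+) are: (\w+)")


def parse_nmap(text):
    """Pull port rows, the 'All N scanned ports ... are: closed' summary, the device
    type guess and any warnings out of nmap 3.x normal output."""
    scan = {"ports": [], "all_ports": None, "device_type": [], "warnings": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            scan["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                  "state": m.group(3), "service": m.group(4)})
            continue
        m = ALL_PORTS_LINE.match(line)
        if m:
            scan["all_ports"] = {"count": int(m.group(1)), "host": m.group(2), "state": m.group(3)}
        elif line.startswith("Device type:"):
            scan["device_type"] = line.split(":", 1)[1].strip().split("|")
        elif line.startswith("Warning:"):
            scan["warnings"].append(line[len("Warning:"):].strip())
    return scan


def state_counts(scan):
    """How many ports ended in each of the states the post explains."""
    counts = {"open": 0, "filtered": 0, "unfiltered": 0, "closed": 0}
    for p in scan["ports"]:
        counts[p["state"]] += 1
    return counts


def exposure_findings(scan):
    """Translate the port states into the defender's observations made in the post."""
    findings = []
    tcp = {p["port"]: p["state"] for p in scan["ports"] if p["proto"] == "tcp"}
    # NetBIOS (135/139) filtered but CIFS/SMB on 445 still open: the filter is incomplete.
    if tcp.get(445) == "open" and all(tcp.get(n) == "filtered" for n in (135, 139)):
        findings.append("smb-445-open-while-netbios-filtered")
    # 'unfiltered' = closed today but nothing in front of it; it becomes reachable the
    # moment the service is started.
    for p in scan["ports"]:
        if p["state"] == "unfiltered":
            findings.append("unfiltered-%d-%s-nothing-blocking" % (p["port"], p["service"]))
    # Every port closed plus a firewall device guess: you are talking to a filtering box,
    # not to a host with services.
    if scan["all_ports"] and scan["all_ports"]["state"] == "closed" and "firewall" in scan["device_type"]:
        findings.append("all-%d-ports-closed-firewall-guessed" % scan["all_ports"]["count"])
    # nmap itself says the OS guess is shaky without one open and one closed port.
    if scan["warnings"]:
        findings.append("os-fingerprint-unreliable")
    return findings


if __name__ == "__main__":
    for name, text in (("scan A", SCAN_A), ("scan B", SCAN_B)):
        scan = parse_nmap(text)
        print(name, state_counts(scan), exposure_findings(scan))
```

    Run it as-is and it prints the counts and findings for both scans; point parse_nmap at a saved normal-output file from your own hosts to get the same review of what is actually exposed.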

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Damn Hoss.... You type like you've used this "in anger"......

    Nice work, waiting for the "juicy stuff" to appear.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352
    Once again, excellent job horse.....I like many other people enjoy the way you're doing these tutorials..The syntax is great and I like the firewall scenario in this one..Waiting for the more detailed expressions..Keep up the good work..
    "Serenity is not the absence of conflict, but the ability to cope with it."

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Well the next tut will have things that I'm sure you are looking for. We will look at what your scan returns and what the admin sees on his end.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    Excellent tutorial indeed. But first how do I install nmap in Linux Red Hat 9? I am completely new to Linux. I don't **** with Linux, help me

  6. #6
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    Computernerd22,

    Open Google, type in the search window " nmap" , go to the first link and search the download section, get the binary and read the instructions on that page.


    If you're really lazy or lame, I'm just good enough to give you this link : http://www.insecure.org/nmap/nmap_download.html
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  7. #7
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352
    Computernerd22: I'm sure you probably got it installed by now from shrekkies' link, but usually you can just use the *.bz2 file and compile it from source..
    "Serenity is not the absence of conflict, but the ability to cope with it."

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I have found that compiling from the source code works much better (especially when upgrading) than the RPM install. In the past, I had to use the "--force" switch to get NMAP to install from an RPM which is a bit of a pain in the ass.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Nmap is cool. This is the tool used by Trinity to port scan in Matrix Reloaded.

    I am going to watch Matrix Revolution tomorrow evening.


  10. #10
    Member
    Join Date
    Apr 2003
    Posts
    51
    Thanks for the info, this is always useful. Especially to me.
    Now get off your bum and download it! www.linuxISO.com
