ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network
This paper is the work of The Master Jedi Pimpsor AKA thehorse13, who has kindly consented to it being hosted here on the TAZ.
NMAP v3.48 tutorial lesson 3 of ? rev 1.0 by TheHorse13
PREFACE (Will be repeated at the top of each lesson)
I’d like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but have not yet reached an advanced knowledge of the application.
I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in ways that I cannot improve upon. By no means is this a cut & paste tutorial but I would like to make everyone aware that I will be borrowing info where it makes sense.
Bold text – Command syntax
Underlined text – Important information
NOTE: TheHorse13 takes no responsibility in regards to your use of the information presented in the NMAP tutorial series. If you get into trouble, then obviously you aren’t as 1337 as you thought.
Read Lesson one – The Basics and Lesson 2 – More Basics, both found in the Tutorial Forum.
IN THIS LESSON
This lesson deals with typical output observed when scanning outside of your network. Note that we are still using the basic and most common command set without any of the advanced features.
OH NO, WHAT ARE FILTERED AND UNFILTERED PORTS?
Now that you have a grasp on the basic operation of NMAP and the base command line options, let’s take a look at some things that may pop up during your scans. Using NMAP internally is wonderful but the true power of the application is only seen when used *outside* of your network. The reason I say this is because there are many more potential targets…..errrrrr……..servers that need remediation out on the open internet.
Important – When you use basic NMAP functionality to perform scans against a host that is not yours, be prepared to be identified quickly. All good administrators can spot a standard port scan a mile away.
OK, let’s use a basic scan against a host and let’s take a peek at the output.
[haxor@localhost]# nmap -v -sV -O -p 21,135,139,445,5800,5900 126.96.36.199
NOTE: Output edited for brevity
PORT      STATE       SERVICE
21/tcp    open        ftp
135/tcp   filtered    msrpc
139/tcp   filtered    netbios-ssn
445/tcp   open        microsoft-ds
5800/tcp  unfiltered  vnc-http
5900/tcp  filtered    vnc
The result of running nmap is usually a list of interesting ports on the machine(s) being scanned (if any). The state is either “open”, “filtered”, or “unfiltered”. Open means that the target machine will accept connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap’s attempts to determine this.
As we can see, this admin has locked down the typical NetBIOS ports but forgot to do the same for the CIFS service on port 445. This poor admin could have left just enough room for an attacker to enumerate some useful information from this host. We also see that FTP is waiting cheerfully for connections, while VNC is filtered. Oh yes, the VNC HTTP service appears to be closed, but nothing seems to be standing in the way: again, another potential chink in the armor should the service suddenly become available.
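The reading of the port table above can be automated when auditing a host you administer. The following is an added example, not part of the original tutorial: it parses the edited table from this lesson and reports open ports, unfiltered (closed but reachable) ports, and port groups that are only partly filtered. The `GROUPS` policy and the function names are assumptions made for the illustration.

```python
import re

# One row of the port table: "<port>/<proto> <state> <service>"
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|unfiltered)\s+(\S+)$")

# Constructed input: the edited port table from this lesson.
SAMPLE = """\
PORT STATE SERVICE
21/tcp open ftp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp open microsoft-ds
5800/tcp unfiltered vnc-http
5900/tcp filtered vnc
"""

# Hypothetical policy: ports in one group should share one firewall decision.
GROUPS = {"windows-file-sharing": (135, 139, 445), "vnc": (5800, 5900)}

def parse_ports(text):
    """Return {port: (state, service)}; header and unknown lines are skipped."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports

def findings(ports, groups=GROUPS):
    """List exposure findings using the lesson's meaning of each state."""
    out = []
    for port, (state, svc) in sorted(ports.items()):
        if state == "open":
            out.append((port, f"{svc} accepts connections"))
        elif state == "unfiltered":
            out.append((port, f"{svc} closed, but no filter in the path"))
    # A group that is only partly filtered points at an incomplete rule set.
    for name, members in groups.items():
        seen = [p for p in members if p in ports]
        gaps = [p for p in seen if ports[p][0] != "filtered"]
        if gaps and len(gaps) < len(seen):
            out.append((name, f"filter rule misses port(s) {gaps}"))
    return out

if __name__ == "__main__":
    for target, note in findings(parse_ports(SAMPLE)):
        print(f"{target}: {note}")
```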
LOOKS LIKE I HIT A FIREWALL
From time to time you may see something like this:
[haxor@localhost]# nmap -v -sV -O -p 1-65535 188.8.131.52
Starting nmap 3.48 ( ) at 2003-11-04 14:50 EST
Host 184.108.40.206 appears to be up ... good.
Initiating SYN Stealth Scan against 220.127.116.11 at 14:50
The SYN Stealth Scan took 186 seconds to scan 65535 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 65535 scanned ports on 18.104.22.168 are: closed
Device type: firewall|general purpose
Running (JUST GUESSING) : Cisco PIX 6.X|5.X (90%), Stratus VOS (90%)
Aggressive OS guesses: Cisco PIX 506 Firewall (90%), Cisco PIX 515 or 525 running 6.1(4) - 6.2(1) (90%), Cisco PIX Firewall Version 6.2(2) - 6.3 (90%), Cisco Secure PIX Firewall Version 5.0(2) (90%), Stratus VOS Release 14.3.1ae (90%)
No exact OS matches for host (test conditions non-ideal).
Nmap run completed -- 1 IP address (1 host up) scanned in 204.288 seconds
Well, well, well, what do we have here? NMAP does an excellent job of identifying firewalls and other network gear. This scan is on the money but you’ll have to do some more probing in order to pinpoint the exact model and exact IOS in use. The problem is that the firewall admin can now see that you have port scanned his/her firewall. But maybe, just maybe there are ways to probe without raising attention. We will cover these techniques in the next lesson. Lesson 4 will be the first advanced lesson in this series. It will cover anonymous scanning, connectionless scanning and other techniques that avoid detection.
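Seen from the firewall admin's side, a full-range scan like the one above stands out because one source touches many distinct ports in a short time. The following is an added example, not part of the original tutorial: a sliding-window detector run over constructed log lines. The log format, the addresses (documentation ranges) and the thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque

# Hypothetical firewall log format (an assumption, not a real product's):
#   <epoch-seconds> DENY|ALLOW TCP <src-ip> -> <dst-ip>:<dst-port> SYN
LOG = re.compile(r"^(\d+) (?:DENY|ALLOW) TCP (\S+) -> (\S+):(\d+) SYN$")

def detect_sweeps(lines, window=10, min_ports=20):
    """Return {src: time of first alert} for sources that send SYNs to at
    least min_ports distinct ports of one host within `window` seconds.
    Lines are expected in time order, as a firewall writes them."""
    recent = defaultdict(deque)            # (src, dst) -> (time, port) pairs
    alerts = {}
    for line in lines:
        m = LOG.match(line.strip())
        if not m:
            continue                       # ignore anything unparseable
        ts, src, dst, port = int(m[1]), m[2], m[3], int(m[4])
        q = recent[(src, dst)]
        q.append((ts, port))
        while ts - q[0][0] > window:       # drop events outside the window
            q.popleft()
        if src not in alerts and len({p for _, p in q}) >= min_ports:
            alerts[src] = ts
    return alerts

def sample_log():
    """Constructed log: a sequential sweep next to ordinary traffic."""
    fw = "203.0.113.1"
    lines = []
    for i in range(300):                   # 100 new ports per second
        lines.append(f"{1000 + i // 100} DENY TCP 198.51.100.7 -> {fw}:{i + 1} SYN")
    for t in range(1000, 1060):            # one client, same port every second
        lines.append(f"{t} ALLOW TCP 192.0.2.50 -> {fw}:443 SYN")
    for n, port in enumerate((21, 22, 25, 80, 443)):   # 5 ports over 4 minutes
        lines.append(f"{1000 + 60 * n} ALLOW TCP 192.0.2.99 -> {fw}:{port} SYN")
    return sorted(lines, key=lambda l: int(l.split()[0]))

if __name__ == "__main__":
    print(detect_sweeps(sample_log()))
```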
As always, comments good, bad and indifferent are welcome.