ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network
This paper is the work of The Master Jedi Pimpsor AKA thehorse13, who has kindly consented to it being hosted here on the TAZ.
NMAP v3.48 tutorial lesson 2 of ? rev 1.0 by TheHorse13
PREFACE (Will be repeated at the top of each lesson)
I’d like to start by saying that I will be covering many of the basic functions along with examples and explanations why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped.
I will be borrowing wording (in some cases) from the developer because I feel that the developer has worded things in ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense.
Read Lesson one – The Basics, found in the Tutorial Forum.
IN THIS LESSON
This lesson is still at the beginner level, so advanced users should look for later lessons, where things like connectionless scans are covered.
We will look at some additional scanning techniques and when to use them. We will focus only on internal scans at this point. We will look at output when you hit firewalls, routers and other devices between you and your target in later lessons.
SUBNET, PORT RANGES AND MULTIPLE HOST SCANS
In lesson 1, we saw a very basic scan that produced results for a single host. Let’s take that same example and add a small twist. You now have an entire subnet that needs to be scanned to pinpoint all of the machines that have remote control services running. In the organization, PCAnywhere is the only supported remote access solution and you now have to track down those who are not in compliance. Being a vigilant security professional, you immediately grab your trusty NMAP tool and go to work.
NOTE: Some folks are quite crafty and don’t run services on the port typically associated with the service. The -sV switch used below identifies what is actually listening on an open port, but it can only examine the ports you tell NMAP to scan, so a service moved to an unusual port will not show up in this example. For now, we will make two assumptions. First, all remote control services are running on the ports typically associated with them. Second, besides PCAnywhere (TCP 5631) only three other remote control products are in use: 1) Terminal Services (TCP 3389), 2) VNC (TCP 5900) and 3) LapLink (TCP 1547).
The subnet you will scan is a class C network, so the network is 192.168.1.0 and the subnet mask is 255.255.255.0.
OK, let’s create the syntax to discover these services
[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.0/24
OK, let’s look over what we are doing here.
nmap – the command itself. On Linux/Unix the binary is lowercase nmap; the shell will not find NMAP.
-v – I typically recommend using the verbose switch. If you leave it out, the output shows only the ordered port list and omits details such as scan timing, hosts that did not respond and other information that may be useful to you.
-sV – The default scan type when you run NMAP as root is -sS (SYN Stealth, or half-open scan: only a packet with the SYN flag is sent and the connection is never completed), so by itself a scan only tells you that a port answered. -sV adds a second step: NMAP connects to each open port it finds and sends probes to identify the service and, where possible, its version. This is how you tell a real PCAnywhere listener from something else parked on port 5631. Version detection was introduced in NMAP 3.45 and is available in 3.48.
-p – Ports can be listed individually separated by commas, as ranges separated by dashes, or a combination of both, such as -p 1547,1567,3300-3350
hosts 192.168.1.0/24 – now, without starting another tutorial subject, the subnet mask is given as a prefix length: the number of network bits, also known as CIDR notation. For example, 255.255.255.0 is a 24-bit mask (/24), 255.255.0.0 is a 16-bit mask (/16), etc. A single host does not require a mask, but if you want to be technical it would be /32 and works if given as part of the command. You can also use the “*” wildcard in a host expression, like this: nmap 192.168.1.* This is the same as 192.168.1.0/24, since * means 0-255 for that octet. Quote the expression (‘192.168.1.*’) so the shell does not try to expand the * as a filename wildcard before NMAP sees it.
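The scan above tells you what is listening; the next job is turning 254 hosts’ worth of output into a list of machines that are out of compliance. The following shell script is an added example and is not part of the original tutorial: it assumes the scan is rerun with -oG (grepable output) to a file, and it uses a constructed sample of that output, not real scan data, so the parsing can be tried without a network. The host addresses and service names in the sample are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: parse nmap grepable output (-oG)
# and report every host with an open remote-control port other than PCAnywhere's 5631.
# The sample file written by write_sample_gnmap is constructed for illustration; it is
# not real scan data.
#
# The real scan would be run as root (so -sS is the default) like this:
#   nmap -v -sV -p 1547,5631,3389,5900 -oG remote.gnmap 192.168.1.0/24

# Open ports that mean a host is out of compliance:
# LapLink 1547, Terminal Services 3389, VNC 5900.
ROGUE_PORTS="1547 3389 5900"

# Print "ip port service" for each open rogue port found in a grepable output file.
# In -oG output every live host gets a "Host:" line whose tab-separated "Ports:" field
# lists entries of the form port/state/proto/owner/service/rpcinfo/version/
noncompliant_hosts() {
    awk -v rogue="$ROGUE_PORTS" '
        BEGIN { n = split(rogue, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^Host:/ && /Ports: / {
            ip = $2
            ports = substr($0, index($0, "Ports: ") + 7)
            sub(/\t.*/, "", ports)          # drop trailing fields such as "Ignored State:"
            m = split(ports, p, ", ")
            for (j = 1; j <= m; j++) {
                split(p[j], e, "/")         # e[1]=port  e[2]=state  e[5]=service name
                if (e[2] == "open" && (e[1] in want))
                    printf "%s %s %s\n", ip, e[1], e[5]
            }
        }' "$1"
}

# Constructed sample (not real scan data) of what "nmap -v -sV ... -oG" writes for
# three live hosts: .10 runs only PCAnywhere, .11 runs Terminal Services and VNC,
# .12 runs LapLink.
write_sample_gnmap() {
    {
        echo '# Nmap 3.48 scan initiated as: nmap -v -sV -p 1547,5631,3389,5900 -oG remote.gnmap 192.168.1.0/24'
        printf 'Host: %s ()\tStatus: Up\n' 192.168.1.10
        printf 'Host: %s ()\tPorts: %s\n' 192.168.1.10 \
          '1547/closed/tcp//laplink///, 5631/open/tcp//pcanywheredata///, 3389/closed/tcp//ms-term-serv///, 5900/closed/tcp//vnc///'
        printf 'Host: %s ()\tStatus: Up\n' 192.168.1.11
        printf 'Host: %s ()\tPorts: %s\n' 192.168.1.11 \
          '1547/closed/tcp//laplink///, 5631/closed/tcp//pcanywheredata///, 3389/open/tcp//ms-term-serv///, 5900/open/tcp//vnc//VNC (protocol 3.3)/'
        printf 'Host: %s ()\tStatus: Up\n' 192.168.1.12
        printf 'Host: %s ()\tPorts: %s\n' 192.168.1.12 \
          '1547/open/tcp//laplink///, 5631/closed/tcp//pcanywheredata///, 3389/closed/tcp//ms-term-serv///, 5900/closed/tcp//vnc///'
        echo '# Nmap run completed -- 256 IP addresses (3 hosts up) scanned'
    } > "$1"
}

# Usage after a real scan:   noncompliant_hosts remote.gnmap
# Or try it on the sample:   write_sample_gnmap /tmp/sample.gnmap && noncompliant_hosts /tmp/sample.gnmap
```

Only ports in the "open" state count; a "closed" or "filtered" entry for 3389 is not evidence of Terminal Services. Because the scan only covers four ports, a host that moved VNC to another port will not be listed; widen -p if that is a concern.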
Now then, in the interest of post length, I’ll let you play with the specific port and port range functionality on your own; the multiple host syntax is covered next. You’ll notice that you get a complete record for each host that is alive, and should a host not respond, NMAP notifies you that the host appears to be down and is being skipped.
One more function that I’d like to cover is the multiple host scan syntax.
[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.10,11,12
Notice that I just added additional host ID numbers for the last octet, separated by commas. NMAP recognizes this as a multiple host scan. You can also use the same idea when scanning a range of hosts.
[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.10-15
This tells NMAP to scan the specified ports on the IP range 192.168.1.10 through 15. You’ll notice that port and host expressions use the same comma and dash syntax, which makes learning the command line switches a bit easier. Before launching a large scan, you can check how NMAP will expand a host expression with a list scan (-sL), which prints the targets without sending any probes; add -n to skip the reverse DNS lookups it would otherwise perform.