ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post... we do not sell, publish, transmit, or have the right to give permission for such... TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.
This paper is the work of The Master Jedi Pimpsor AKA thehorse13, who has kindly consented to it being hosted here on the TAZ.
NMAP v3.48 tutorial lesson 1 of ? rev 1.0 by TheHorse13
I’d like to start by saying that I will be covering many of the basic functions along with examples and explanations why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped.
I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense.
NMAP is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. See the Scan Types section for more details.
Nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.
NMAP supported platforms
Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga. You'll find RPMs, binaries and so on, thus installation is very flexible.
You’ll find all installation details and downloads here:
A simple nmap -h will reveal all of the supported switches. These will vary slightly on
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service & app names/versions
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
--win_help Windows-specific features
EXAMPLES OF BASIC SCANS
Example 1 (NOTE: You must have root privileges to run the SYN stealth scan, which is the
Let's say that you want to know what ports are open on a host and what OS is running on it. This can be done by typing the following NMAP command. (NOTE: the position of the switches makes no difference. You can order them any way you like.)
[root@localhost]# nmap -v -sS -O -p 1-65535 192.168.1.100
nmap - the command to run it
-v for verbose
-sS for SYN stealth scan
-p for the ports you want to scan (I used all IANA ports)
-O OS detection
192.168.1.100 - the host
Here is the output from this command. Let's take a closer look at what is returned in addition to what we asked for.
Starting nmap 3.48 ( ) at 2003-10-25 19:20 Eastern Daylight
Host IS~TOWER (192.168.1.101) appears to be up ... good.
Initiating SYN Stealth Scan against IS~TOWER (192.168.1.101) at 19:20
Adding open port 445/tcp
Adding open port 5800/tcp
Adding open port 21/tcp
Adding open port 5900/tcp
Adding open port 1025/tcp
Adding open port 135/tcp
Adding open port 1027/tcp
Adding open port 139/tcp
The SYN Stealth Scan took 13 seconds to scan 65535 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on IS~TOWER (192.168.1.101):
(The 65527 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
5800/tcp open vnc-http
5900/tcp open vnc
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced
Server, or Windows XP
TCP Sequence Prediction: Class=random positive increments
Difficulty=8231 (Worthy challenge)
IPID Sequence Generation: Incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 14.851 seconds
The first thing you'll notice is that NMAP will resolve the hostname of the box you scan if possible. In this case the host 192.168.1.101 is named "IS~TOWER".
The next line shows the type of scan we performed (the -sS switch is a SYN Stealth scan), and a few lines later NMAP reports how long that scan took.
You may also notice that NMAP prints what appears to be redundant information. This is intentional. The first section is the port scan, where open ports are listed in the order they were found; the second is the service table, where the ports are arranged in ascending order along with what NMAP believes is the associated service.
It also tells you that the other ports you asked it to scan are closed and have therefore been omitted. This is a good thing, because you don't need to watch 65,535 closed-port statements whiz down your screen.
Additionally, NMAP is telling you that it is making some assumptions while trying to identify the remote OS. Look closely at the output and you will see that it assumes that port 21 (FTP typically) is open and port 1 (TCP/UDP port service multiplexer) is closed and there is no firewall in place.
But what if port 21 is closed and there is a firewall in place?
NMAP will then take the first port in the range you gave it as the port it assumes is closed (for example, if you scan ports 400-500 it will assume 400 is closed) and the first open port it comes across as the open port used in OS identification.
Now, with a firewall in place, NMAP will not (in most cases) be able to properly fingerprint the OS, so it will warn you of this by stating that the OS identification will be less accurate; in some cases, if it cannot identify the OS at all, it will output an NMAP "fingerprint", which we will examine very closely in later lessons.
The Device type field attempts to tell you what the device is used for, such as a router, etc., but I have found this field less than accurate many times.
The OS identifier field is the fingerprint match that NMAP has returned for the target machine. Notice that when a Windows OS is identified it gives you a number of possibilities and not an exact match. This is because the TCP/IP stacks on these OSes respond the same way, so it is difficult to pinpoint the exact MS OS in use. The OS details line is the one to be concerned with when looking at your results, not "Running:".
The TCP Sequence Prediction test looks at how the target chooses its TCP sequence numbers when a connection is set up (or how NMAP believes this happens). The theory is that if you can predict the sequence, you can poison the connection by injecting your own packets into the stream.
A good OS will always use random sequence numbers. NMAP also tells you how difficult it believes predicting the box's sequence numbers would be. The difficulty number is accompanied by a small blurb which ranges from easy to good luck.
The last thing it tells you is how the IPID sequence generation is handled. Give Nmap the arguments -v -O against a host and it should say "IPID Sequence Generation: whatever". IPID classes Nmap understands include "incremental" (most machines), "duplicated IPID" (mostly stupid devices like printers), "Broken little-endian incremental" (Windows), "Randomized" (OpenBSD), and "Random positive increments".
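To put the fields just described to use, here is an added example (not part of the original lesson) that parses an abridged copy of the nmap 3.48 normal output quoted above into a structured result and lists the open services an administrator would want to review. The review list is an assumption of the example, not something nmap itself reports.

```python
import re

# Constructed sample: an abridged copy of the nmap 3.48 normal-format output
# quoted in the lesson, embedded so the parser runs offline.
SAMPLE_OUTPUT = """\
Host IS~TOWER (192.168.1.101) appears to be up ... good.
Adding open port 445/tcp
Interesting ports on IS~TOWER (192.168.1.101):
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
445/tcp open microsoft-ds
5900/tcp open vnc
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP
TCP Sequence Prediction: Class=random positive increments
Difficulty=8231 (Worthy challenge)
IPID Sequence Generation: Incremental
"""

HOST_RE = re.compile(r"^Host (\S+) \(([\d.]+)\) appears to be up")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")  # rows of the sorted table only
SCALAR_RE = {  # the single-line fields the lesson walks through
    "os_details": r"^OS details: (.+)$",
    "seq_class": r"^TCP Sequence Prediction: Class=(.+)$",
    "seq_difficulty": r"^Difficulty=(\d+)",
    "ipid": r"^IPID Sequence Generation: (.+)$",
}

def parse_nmap_normal(text):
    """Reduce 'nmap -v -sS -O' normal output to the fields discussed in the lesson."""
    result = {"host": None, "ip": None, "ports": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            result["host"], result["ip"] = m.group(1), m.group(2)
        elif m := PORT_RE.match(line):  # "Adding open port ..." lines are skipped
            port, proto, state, service = m.groups()
            result["ports"].append((int(port), proto, state, service))
        for key, pattern in SCALAR_RE.items():
            if m := re.match(pattern, line):
                result[key] = m.group(1)
    if "seq_difficulty" in result:
        result["seq_difficulty"] = int(result["seq_difficulty"])
    return result

# Services an administrator would usually not expect on a workstation; this
# review list is an assumption of the example, not something nmap reports.
REVIEW_SERVICES = {"ftp", "vnc", "vnc-http", "microsoft-ds", "netbios-ssn"}

def findings(parsed):
    """(port, service) pairs worth reviewing, taken from the sorted port table."""
    return sorted((port, svc) for port, _proto, state, svc in parsed["ports"]
                  if state == "open" and svc in REVIEW_SERVICES)
```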
Well, that is the end of lesson one, which covers a basic scan and what the results mean. By no means is this supposed to be perfect, so if you feel I missed something or failed to explain something in enough detail, please let me know. Also, add anything you like.
The next lesson will deal exclusively with scanning options and how to form the proper syntax for specific scans.