

Learning Nmap: The Basics


By Rajesh Deodhar on August 1, 2010 in How-Tos, Tools / Apps


Nmap, the network mapping tool, is the starting point when analysing any network. It is a compact, power-packed and genuinely exciting tool. This article looks at the range of functions and options it supports.
The Nmap man page describes it as a security/network exploration tool and port scanner. Nmap (Network Mapper) is a versatile open source tool that systems administrators can't do without. Some of its interesting features include:
- It's fast!
- It uses raw IP packets in various innovative ways for scanning.
- It can detect operating system versions (and if it is unable to identify one, it asks the user to submit the scan fingerprint to the developers for incorporation in future versions of Nmap).
- It provides various interesting options to scan the network.

Caution: be warned about the following before using Nmap! Under the stringent rules of the Indian Cyber Law 2000 (the Information Technology Act, 2000) and its amendments to date, even a port scan on a public IP may land you in jail. Do not scan computers that you do not own, or run scans over networks that you do not own, without written permission from the owners. You may also scan scanme.nmap.org for testing; this permission covers only scanning with Nmap, and you are not allowed to test exploits or denial-of-service attacks against it. Don't forget to follow the rules listed in the Nmap man page. Abuse of this service will be reported to the government by the site owners. Use Nmap very carefully, and only for discovery/audits of your own network. As we'll see in this article, it is a very powerful tool, and could cause disruption or damage to the target system or network. Fully understand what you are doing, even with scripted scans, before you do it; ignorance will not excuse anybody from prosecution under the law. Also note that if you have a website of your own, hosted at a hosting provider or on a rented physical server, the server and network do NOT belong to you even though you own the website's content. You should obtain permission from such hosting providers/server owners before running even test probes against your own website.

The basic command-line syntax to invoke Nmap is as follows:
nmap [scan type(s)] [options] {target specification}


Nmap has a huge list of command-line options, generally categorised into target specification, host discovery, port specification, service/version detection, scan technique, scripted scans and output options. Some Nmap switches only work when run as root (superuser), because they need raw sockets. Let's look at some of the basic Nmap commands:
nmap -sL 192.168.10.0/24
List scan: enumerates every address in the target range (192.168.10.0 to 192.168.10.255, since Nmap includes the network and broadcast addresses of a CIDR block) and does a reverse-DNS lookup for each, without sending any probe to the hosts. It tells you what a scan would cover, not which hosts respond.


nmap -p 80,443 192.168.10.10-20
Scans the IP address range 192.168.10.10 to 192.168.10.20, looking for open ports 80 and 443.
nmap -p T:80,8080,6588,800 172.16.0.1/22
Scans all 1,024 addresses in 172.16.0.0/22 (172.16.0.0 to 172.16.3.255), looking for open TCP ports 80, 8080, 6588 and 800 (the default listening ports of various proxy servers).
nmap -sP 192.168.10.10,20
Ping scans two hosts (192.168.10.10 and 192.168.10.20) in a fast scan; -sP does host discovery only, with no port scan (newer Nmap releases spell it -sn).
nmap -PN 192.168.10.0/29
Scans all eight addresses in 192.168.10.0/29 (192.168.10.0 to 192.168.10.7) without pinging them first. Sometimes host-based firewalls deny ping requests, and such hosts are hard to discover; the -PN scan (spelt -Pn in newer releases) is useful in such cases, because it treats every host as online and port-scans it regardless.
nmap -A -F 192.168.10.1
Detects the target's OS and the services running on it, in fast-scan mode (-A enables OS detection, version detection, the default NSE scripts and traceroute; -F limits the scan to the 100 most common ports).

These basic commands are useful for standard scans in any network, and serve a variety of purposes: checking open ports; checking whether unintended services (such as terminal services, VNC or FTP) are running on important hosts; obtaining a list of IP addresses to be scanned, and so on.

However, these simple and straightforward scans may not fulfil all requirements. Sometimes, for example, special scans are required in order to test intrusion detection/prevention systems. There might also be a need to conceal the identity of the scanner from the target host. Nmap does indeed provide various ways to conceal your IP address (you can also conceal your MAC address by spoofing it with --spoof-mac), though you have to be careful while using these commands. They require an in-depth knowledge of TCP/IP, and may disrupt the systems/network or cause damage if not run properly. Let's look at some stealth techniques to conceal the identity of the scanning system.
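The ranges quoted above are a common source of confusion, because Nmap probes the .0 and .255 addresses of a CIDR block and accepts octet lists and ranges in one spec. The following added example (mine, not code from the article or from Nmap) expands Nmap-style IPv4 target specifications into the addresses they cover, which is what nmap -sL would list minus the reverse-DNS lookups. Hostnames and IPv6 are not handled; the treatment of a bare "-" as 0-255 follows Nmap's documented target syntax.

```python
"""Expand Nmap-style IPv4 target specifications into the addresses they cover.

Added illustration (not Nmap code): mirrors what `nmap -sL <spec>` lists,
minus the reverse-DNS lookups. Hostnames and IPv6 are not handled.
"""
import ipaddress
from typing import List


def _expand_octet(field: str) -> List[int]:
    """One dotted-quad field: '10', '10-20', '10,20', '1-3,7', '*' or a bare '-'.
    A bare '-' (and an open-ended range such as '200-') means the full 0-255,
    matching Nmap's documented handling of a bare dash."""
    values: List[int] = []
    for part in field.split(","):
        if part in ("*", "-"):
            values.extend(range(256))
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Return every address the spec covers, in ascending order.

    CIDR blocks expand to all their addresses, including the network and
    broadcast ones (192.168.10.0 and .255 for a /24): Nmap probes those too.
    Octet ranges and lists expand field by field.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)   # 172.16.0.1/22 -> 172.16.0.0/22
        return [str(addr) for addr in net]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    a_vals, b_vals, c_vals, d_vals = (_expand_octet(f) for f in fields)
    return [f"{a}.{b}.{c}.{d}"
            for a in a_vals for b in b_vals for c in c_vals for d in d_vals]


def target_count(spec: str) -> int:
    """How many hosts a scan of this spec will touch: a quick sanity check
    before running anything noisier than -sL."""
    return len(expand_target(spec))


if __name__ == "__main__":
    for s in ("192.168.10.0/24", "192.168.10.10-20", "192.168.10.10,20",
              "172.16.0.1/22", "192.168.10.0/29"):
        hosts = expand_target(s)
        print(f"{s:20} {len(hosts):5d} addresses: {hosts[0]} .. {hosts[-1]}")
```

Run it before a real scan and compare its count with the number of addresses nmap -sL reports; a mismatch means you have misread the spec, and the difference (for example 1,024 addresses for 172.16.0.1/22, not 1,022) is exactly the .0 and .255 addresses Nmap includes.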


Idle scan
nmap -v -sI 192.168.10.100 192.168.10.105

This scan probes 192.168.10.105 without ever sending it a packet from the scanning machine: every probe carries the source address of 192.168.10.100, so the target's logs show the scan as coming from that host. 192.168.10.100 is called the zombie host. Note that in this context the zombie is not compromised or controlled by anybody; it is simply an idle host whose IP ID counter Nmap can read. Nmap sends a SYN to the target with the zombie's address as the source, then checks how far the zombie's IP ID counter has advanced: an open port makes the target send a SYN/ACK to the zombie, which answers with an RST and thereby consumes an extra IP ID; a closed or filtered port does not. Not all hosts can be used as zombies: the zombie must be idle (no other traffic) and must use a single, incrementing IP ID counter for all the packets it sends. Tools like hping (or Nmap's own ipidseq NSE script) can help you find a suitable zombie on the network. The -v switch increases the verbosity of the output.
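As an added illustration (not part of the article, and not Nmap's code), here is a small model of the IP ID arithmetic that -sI relies on, with the zombie, the target and the scanner's probes as tiny Python objects. It also shows what happens when the zombie is not actually idle. A real idle scan sends several probes per port and handles more cases; the port numbers and IP ID values here are made up.

```python
"""Simulate the IP ID arithmetic behind Nmap's idle scan (-sI).

Added illustration, not Nmap code: a real idle scan also has to find a zombie
with an incremental, globally shared IP ID, send several probes per port and
cope with 16-bit wrap-around. Here each party is a tiny model.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Zombie:
    """Idle host whose IP ID counter goes up by one for every packet it sends."""
    ipid: int = 1000
    background_packets: int = 0   # unrelated traffic per probe cycle (0 = truly idle)

    def send_packet(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid


@dataclass
class Target:
    open_ports: Set[int]

    def receive_spoofed_syn(self, apparent_src: Zombie, port: int) -> None:
        """The SYN carries the zombie's address, so any reply goes to the zombie.
        Open port: target sends SYN/ACK, zombie answers RST (one packet, +1).
        Closed port: target sends RST, zombie ignores it (no packet).
        Filtered port: nothing comes back at all (no packet)."""
        if port in self.open_ports:
            apparent_src.send_packet()


def probe_zombie(zombie: Zombie) -> int:
    """Scanner sends an unsolicited SYN/ACK to the zombie; its RST reveals the IP ID."""
    return zombie.send_packet()


def idle_scan(zombie: Zombie, target: Target, ports: List[int]) -> Dict[int, str]:
    """Infer port state from how far the zombie's IP ID moved per probe cycle."""
    results: Dict[int, str] = {}
    for port in ports:
        before = probe_zombie(zombie)
        target.receive_spoofed_syn(zombie, port)     # scanner's own address never appears
        for _ in range(zombie.background_packets):   # noise from a non-idle zombie
            zombie.send_packet()
        after = probe_zombie(zombie)
        delta = (after - before) & 0xFFFF
        if delta == 2:
            results[port] = "open"
        elif delta == 1:
            results[port] = "closed|filtered"
        else:
            results[port] = "unreliable"   # zombie is busy or non-incremental: pick another
    return results


if __name__ == "__main__":
    target = Target(open_ports={80, 443})
    print("idle zombie:", idle_scan(Zombie(), target, [80, 22, 443]))
    print("busy zombie:", idle_scan(Zombie(background_packets=3), target, [80, 22]))
```

The "unreliable" branch is the practical point: if a candidate zombie is chatting with other hosts, or its stack randomises IP IDs, the deltas stop being 1 or 2 and the scan tells you nothing, which is why Nmap checks the zombie's IP ID behaviour before starting and why hping or ipidseq are used to pick one.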

Decoy host
nmap -sS -P0 -D 192.168.10.201,192.168.10.202,192.168.10.203 192.168.10.50

This command is especially useful while testing IDS/IPS. The -sS option performs a SYN scan on the target host, and -P0 (spelt -Pn in newer releases) skips host discovery. With -D, Nmap sends each probe from the real scanning address interleaved with copies whose source address is spoofed to each of the specified decoy hosts, so the target sees the scan coming from all of them and cannot tell which one is real. The -sI and -D switches can't be combined, for obvious reasons: an idle scan has no packets of its own to add decoys to. Now, a word of caution: be careful not to cause an unintended Denial of Service (DoS) attack while using the -D option. To understand how this could happen, we need to know how a TCP handshake operates. TCP, a connection-oriented protocol that provides reliable delivery, sets up a connection with a three-way handshake:
- The client initiates the communication by sending a SYN.
- The server acknowledges with a SYN-ACK.
- The client sends an ACK, and now they can communicate.

If the -D switch is used and there is a live host at a decoy IP address, the SYN-ACK reaches that real host, not the machine running Nmap. Since the host at the decoy address never initiated the connection, it answers with a TCP Reset (RST) and the target discards the half-open connection. There's no problem with this. A problem occurs, however, if a decoy IP address is not active on the network: no RST ever reaches the scan target, which keeps the half-open connection (SYN_RECV state on Linux) and retransmits the SYN-ACK until its timeout expires. As Nmap keeps generating requests with the decoy IP as the source, the target accumulates a growing table of half-open connections, which consumes more and more of its resources and may cause a DoS to other, legitimate hosts and communications. In effect you have mounted a SYN flood. So before using -D, confirm (for example with a ping scan of their subnet) that every decoy address is actually up.

Other interesting command-line options


Nmap's creators have considered many possibilities while designing it. One case in point is the --ttl option. To understand its use, let's once again go into some detail on the IP protocol. Packet headers contain a field called TTL (Time To Live). The TTL field is set by the machine from which the packet originates. Every router that receives and forwards the packet on its route towards the destination decrements the TTL by one. If the TTL falls to zero before the packet arrives at its destination, the packet is dropped and an ICMP Time Exceeded error is sent back to the sender. This mechanism is intended to prevent undeliverable packets from circulating on the network forever (for example in a routing loop) and swamping network resources. Although TTL was originally meant to be a measure of time, as its name indicates, in practice its value is reduced by one per hop (each forwarding of the packet) and not by some number of seconds. Thus the TTL value actually determines the maximum number of hops over which the packet can be relayed before being discarded. Typical default TTLs are 64 on Linux and most Unix-like systems and 128 on Windows. Nmap's --ttl option lets you set a custom value on the scan packets, which is a very useful feature: with --ttl 1, for instance, the packets cannot be forwarded past the first router, so a scan cannot leak from your LAN onto the WAN/Internet. Fantastic, isn't it?

Some of the other important Nmap command-line options that require an understanding of the TCP/IP protocol include:
- Fragmentation of packets (-f, or -ff for 16-byte fragments)
- Using the FTP bounce technique to scan via FTP servers (-b)
- Changing the scan delay (--scan-delay is especially useful if the target has an IDS/IPS that blocks rapid scan requests)
- Timing templates (-T0 to -T5)
- Scripted scans (the Nmap Scripting Engine, --script)

Listing active hosts on the network


A common sequence in network testing is to first generate a list of all active hosts in a network. The list can be used as input to other applications that lack the capacity to discover active hosts themselves but must be given one or more target IP addresses. Here is a short command sequence that does this:
nmap -sP -n -oG hostlist 192.168.10.0/24
grep "Status: Up" hostlist | cut -d" " -f2 > iplist

The first command executes a ping scan (-sP) with reverse-DNS resolution disabled (-n) and writes the list of active hosts in the target range to the file hostlist in grepable format (-oG). In that format each host occupies one line of the form "Host: 192.168.10.1 ()  Status: Up", while the first and last lines are comments starting with #. The second command keeps only the lines of hosts that are up (without the grep filter, cut would also emit the word "Nmap" from the two comment lines), splits each line into fields on the space character and outputs the second field (the IP address), thus generating a new file, iplist, which is simply the list of active IP addresses in the given range.
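The pipeline above and the decoy caveat in the previous section both come down to reading Nmap's grepable output correctly. The following added example (mine, not the article's or Nmap's code) parses a constructed -oG file, shows why a bare cut -f2 is not enough, extracts the list of hosts that are up, and uses that list to vet a set of intended -D decoys so that no dead address ends up as a decoy. The sample scan output and all addresses are fabricated for the example.

```python
"""Parse Nmap grepable output (-oG) into a live-host list and vet -D decoys.

Added example; the sample scan output below is constructed, not a real scan.
"""
import re
from typing import Dict, List

# Constructed -oG output for 'nmap -sP -n -v -oG hostlist 192.168.10.0/29'.
# Without -v, Nmap writes only the hosts that are Up. Comment lines start with '#'.
SAMPLE_GREPABLE = (
    "# Nmap 5.21 scan initiated Sun Aug  1 10:00:00 2010 as: nmap -sP -n -v -oG hostlist 192.168.10.0/29\n"
    "Host: 192.168.10.0 ()\tStatus: Down\n"
    "Host: 192.168.10.1 ()\tStatus: Up\n"
    "Host: 192.168.10.2 ()\tStatus: Up\n"
    "Host: 192.168.10.3 ()\tStatus: Down\n"
    "Host: 192.168.10.4 ()\tStatus: Up\n"
    "Host: 192.168.10.5 ()\tStatus: Down\n"
    "Host: 192.168.10.6 ()\tStatus: Up\n"
    "Host: 192.168.10.7 ()\tStatus: Down\n"
    "# Nmap done at Sun Aug  1 10:00:02 2010 -- 8 IP addresses (4 hosts up) scanned in 2.01 seconds\n"
)

# One 'Host:' status line: address, optional reverse-DNS name in (), then Status.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_grepable(text: str) -> Dict[str, str]:
    """Map each address to its status ('Up'/'Down'), ignoring comments and Ports lines."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        m = HOST_LINE.match(line)
        if m:
            status[m.group(1)] = m.group(3)
    return status


def live_hosts(text: str) -> List[str]:
    """The 'iplist' the article wants: only the addresses whose status is Up."""
    return [ip for ip, st in parse_grepable(text).items() if st == "Up"]


def naive_cut(text: str) -> List[str]:
    """What a bare `cut -d" " -f2 hostlist` yields: the word 'Nmap' from the two
    comment lines and every Down host too, so it is not a usable target list."""
    return [line.split(" ")[1] for line in text.splitlines() if line.strip()]


def check_decoys(decoys: List[str], text: str) -> Dict[str, str]:
    """Classify intended -D decoys against a fresh ping scan of their subnet:
    'live' decoys answer the target's SYN/ACKs with RST and keep its half-open
    table clean; 'dead' (or 'unknown', i.e. not in the scan) ones leave
    SYN_RECV entries on the target and turn the scan into a SYN flood."""
    status = parse_grepable(text)
    verdict: Dict[str, str] = {}
    for d in decoys:
        st = status.get(d)
        verdict[d] = "live" if st == "Up" else "dead" if st == "Down" else "unknown"
    return verdict


if __name__ == "__main__":
    print("iplist:", live_hosts(SAMPLE_GREPABLE))
    print("naive cut:", naive_cut(SAMPLE_GREPABLE))
    print("decoys:", check_decoys(["192.168.10.2", "192.168.10.3", "192.168.10.99"],
                                  SAMPLE_GREPABLE))
```

Only addresses that come back "live" belong on a -D list; "unknown" means the decoy was outside the range you ping-scanned, so scan it first rather than assuming.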

The Zenmap GUI


Nmap has a huge list of command-line options that are difficult to remember and use, even for experienced administrators. Zenmap, the official GUI for Nmap, simplifies this considerably. It even provides ready-made scan profiles from which you can choose. The command line that the GUI builds is displayed and can be copied and run at a shell, if required. The GUI also has a very important added function: a graphical display (the Topology tab) of discovered hosts and the hops required to reach each host. A sample output from this feature is shown in Figure 1.

Figure 1: Sample Zenmap discovered-hosts display

We hope that these few important concepts about TCP/IP, the power of Nmap and the other ideas discussed here interested you!



Article written by: Rajesh Deodhar
The author is BE (Industrial Electronics), CISA (Certified Information Systems Auditor) and DCL (Diploma in Cyber Law). He has more than 15 years of experience in the field of computer hardware, networking, firewalls and IS auditing. He is a director at Omega Systems and Services, Pune.


1 comment

Geekster, 11 months ago:
nice explanation

All published articles are released under the Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted. LINUX For You is powered by WordPress, which sits on top of a CentOS-based LEMP stack.
