Nmap: How to Use it


January 31, 2014

Nmap stands for “Network Mapper”. It has appeared in films such as The Matrix Reloaded, The Bourne Ultimatum and Die Hard 4. When Nmap was created it ran only on Linux, but it now supports all the major platforms: Linux, other UNIX systems, Windows and Mac OS X.


In the beginning its only job was port scanning, but today it also does remote OS detection, timing control, firewall evasion, scripting through the Nmap Scripting Engine, multi-probe ping scanning and more.

Installation of Nmap

For the installation of Nmap, go to http://nmap.org/download.html. On this page you can find the following options:
• Downloading Nmap
• Source Code Distribution (in case you wish to compile Nmap yourself)
• Microsoft Windows Binaries
• Linux RPM Source and Binaries
• Mac OS X Binaries
• Other Operating System

Installation on Windows
Select the option for your operating system. First we will install on Windows: go to the Microsoft Windows Binaries section. On Windows, Nmap can be used from the command line or through the Zenmap graphical front end. For the command-line version click on:
Latest command-line zipfile: nmap-6.01-win32.zip

For the graphical version click on the self-installer, which contains Zenmap as well as the command-line tools:
Latest release self-installer: nmap-6.01-setup.exe
When the download has completed, unzip the archive; it unpacks into a folder named after the version, nmap-6.01. Inside you find three directories (License, nselib and scripts) and 26 files. Four of the files are executables you need: winpcap-nmap-4.12.exe, vcredist2008_x86.exe, vcredist_x86.exe and nmap.exe itself. The fifth important file is nmap_performance.reg; the rest are supporting files for running nmap (the archive also contains ncat, ndiff, nmap-update and nping, which we will not discuss here).

First run winpcap-nmap-4.12.exe to install WinPcap, the packet capture library Nmap uses to send and receive raw packets on Windows. Then install vcredist2008_x86.exe and vcredist_x86.exe (the Visual C++ runtimes). Finally double-click nmap_performance.reg. It adds three values under the key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:0000001e
"StrictTimeWaitSeqCheck"=dword:00000001

The values are hexadecimal. 0xfffe is 65534 in decimal, so the highest ephemeral (user) port becomes 65534 instead of the Windows XP/2003 default of 5000. 0x1e is 30, so a closed socket stays in the TIME_WAIT state for 30 seconds instead of the default 240. StrictTimeWaitSeqCheck=1 lets the stack reuse a port that is still in TIME_WAIT when a new connection request arrives. Together these keep a fast scan from running out of local ports.

Now you can use Nmap on Windows. Open a command prompt in the installation directory and give the simple command nmap 10.0.0.5. The figure below shows the result.

Installation on Ubuntu

Step 1: downloading a binary package from the GUI
Visit http://nmap.org/download.html. For Linux you can download either from a browser or from the shell. The 4th option, Linux RPM Source and Binaries (shown in Figure 4), offers nmap-6.01-1.i386.rpm; click on it and the 4.2 MB download starts. Note that an RPM is built for Red Hat-style distributions, while Ubuntu uses .deb packages, so on Ubuntu either install the distribution's own package (sudo apt-get install nmap, usually an older release) or build from source as in Step 2.

Step 2: downloading from the shell
Go to the terminal and give the following command, as shown in Figure 5:
wget http://nmap.org/dist/nmap-6.00.tar.bz2
After the download finishes you have the file nmap-6.00.tar.bz2. Unpack it with the command shown in Figure 6:
bzip2 -cd nmap-6.00.tar.bz2 | tar xvf -
(the trailing dash tells tar to read the archive from standard input). Then change into the nmap-6.00 directory and run ./configure, make and, as root, make install.

Basic Scanning Technique

In the basic technique we run Nmap without any switch. Even here you can see Nmap's flexibility, because it accepts targets in Classless Inter-Domain Routing (CIDR) notation, as octet ranges, as DNS names and as IPv6 addresses. So how can we scan multiple IPs?
Nmap reports each port under three column headings. The first is PORT: the port number and protocol. The second is STATE, which is one of six values:

    • open – an application is actively accepting TCP connections or UDP datagrams on the port.
    • closed – the port is reachable (it answers Nmap's probe, for TCP with a RST), but no application is listening on it.
    • filtered – a packet filter (firewall, router ACL or host firewall) prevents the probe from reaching the port, so Nmap cannot tell whether it is open or closed.
    • unfiltered – the port is reachable but Nmap cannot tell whether it is open or closed. Only the ACK scan produces this state; follow up with a SYN, FIN, Null or Xmas scan to resolve it.
    • open|filtered – Nmap could not distinguish open from filtered because the probe drew no response at all. The UDP, IP protocol, FIN, Null and Xmas scans produce this state, because an open port does not answer their probes.
    • closed|filtered – Nmap could not distinguish closed from filtered. Only the IP ID idle scan (-sI) produces this state.

The third column is SERVICE: the service Nmap associates with the port number (taken from its nmap-services file; with -sV it is based on the actual response). After the table Nmap prints the MAC address of the scanned system when it is on the same Ethernet segment, how many hosts were up, and how long the scan took, usually in seconds.

Scanning a Single IP/Host/Domain

See Figure 7 & 8. Example:
#nmap <Live Domain/hostname/IP/Range of IP/Subnet>
#nmap 10.0.0.1
#nmap 10.0.0.1,2,3,4,5
#nmap 10.0.0.1-5
#nmap 10.0.0.0/8
#nmap 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5
#nmap spider
#nmap spidernet.co.in

By default, Nmap scans the 1000 most commonly used TCP ports (the list comes from the nmap-services file). Compare the two results: in Figure 7 the scanned system is on the local LAN, so Nmap also shows the MAC address of its network card, which it learns from ARP. In Figure 8 many ports are open and closed but no MAC address appears, because the target is beyond a router and ARP does not cross routers. Next we will scan multiple IPs using different shorthand notations.

Multiple IP Scanning
You can scan multiple IPs in different ways. The first is to give the full IP addresses, as in Figure 9. You can also give a range of IP addresses (Figure 10), or a comma-separated list of final octets (Figure 11). The results are shown in the figures.
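As an added example (not code from the original article), the following script runs a basic scan in Nmap's grepable output mode (-oG -) against any target notation discussed above and reduces the result to one line per open port, which is what you want when the target is a whole range rather than a single host. The function names, the NMAP_DEMO_TARGET variable and the sample output embedded in SAMPLE_GREPABLE are assumptions made for this example; the sample is constructed to mirror the -oG format and its hosts and versions are made up.

```shell
#!/usr/bin/env bash
# Added example, not from the article: scan with -oG - and print
# "host port/proto service [version]" for every port nmap reports open.
set -eu

# Scan the targets given on the command line (any nmap target notation:
# single IP, 10.0.0.1-5, 10.0.0.1,2,3, 10.0.0.0/24, hostnames) and filter.
scan_open_ports() {
    nmap -oG - "$@" | open_ports_from_grepable
}

# Parse grepable output. Fields on a "Host:" line are tab separated; the
# Ports: field lists entries as port/state/proto/owner/service/rpc/version/.
open_ports_from_grepable() {
    awk 'BEGIN { FS = "\t" }
    /^Host:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            ports = $i; sub(/^Ports: /, "", ports)
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] != "open") continue
                line = host " " f[1] "/" f[3] " " f[5]
                if (f[7] != "") line = line " " f[7]   # version field, filled by -sV
                print line
            }
        }
    }'
}

# Constructed sample of what `nmap -oG -` prints (assumption: first host has
# ssh and http open and https closed, second host has one filtered port).
SAMPLE_GREPABLE=$(printf '%s\n' \
    '# Nmap 6.01 scan initiated (constructed sample)' \
    "$(printf 'Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1 (protocol 2.0)/, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (997)')" \
    "$(printf 'Host: 192.168.1.101 ()\tPorts: 135/filtered/tcp//msrpc///\tIgnored State: closed (999)')" \
    '# Nmap done (constructed sample)')

# Real run only when a target is supplied, e.g.
#   NMAP_DEMO_TARGET=192.168.1.0/24 bash scan_open_ports.sh
# Otherwise demonstrate the parser on the constructed sample.
if [ -n "${NMAP_DEMO_TARGET:-}" ]; then
    scan_open_ports "$NMAP_DEMO_TARGET"
else
    printf '%s\n' "$SAMPLE_GREPABLE" | open_ports_from_grepable
fi
```

Because the parser keeps the seventh (version) field of each entry, the same script works unchanged when you later add -sV to the nmap line: the version string appears after the service name.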

Host Discovery Scanning Technique / Ping Scanning Technique
Host discovery, also called ping scanning, is very useful. When we ping a host we learn whether it is up or not. In large organizations many administrators block ICMP echo, so it becomes difficult to know whether a system is live. Let us see an example on a Windows Server 2003 Enterprise machine. With its firewall off (Figure 12) the server answers pings, so it is easy to see that the system is live; the ping replies are shown in Figure 13. Once we enable the firewall (Figure 14), pinging the system gets no reply at all, because the ICMP echo requests are dropped (Figure 15), and from ping alone we can no longer tell whether the host is live.

Ping Scan
This is where Nmap plays an important role. If you only want to know whether hosts are up, use the -sn option (older versions spell it -sP, and Nmap 6 still accepts that spelling). See Figure 16.

Syntax
# nmap -sn <IP / Hostname >   #nmap -sn 192.168.1.100
This is also called a ping sweep. It is the most useful option for administrators who want to check their whole network, since it accepts CIDR ranges too, and it is fast and easy to use because Nmap does no port scanning, service detection or OS detection, only host discovery. Note that a ping scan is not limited to ICMP echo: when run as root, Nmap by default sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to each address, and on the local Ethernet segment it uses ARP requests instead, which a host firewall cannot block.

Host List Scanning

Syntax

# nmap -sL <IP / Hostname / Domainname >   #nmap -sL www.spidernet.co.in
Nmap's switches are easy to remember because they are short forms: -sL means scan List, the list scan. With -sL Nmap only lists the targets it would scan and does a reverse DNS lookup on each of them; Figure 17 shows it run against spidernet.co.in. Reverse DNS names often reveal what an IP address is used for and where it is located. A list scan sends no packets to the target at all (the only traffic is the DNS queries to your own resolver), so it cannot trigger the target's IDS; it simply prints what it finds, and it is a good way to sanity-check a target range before scanning it.

Scanning Without Ping
Before port scanning, Nmap first checks whether each target is up (Figure 18) and skips the hosts that do not answer. A host that blocks the discovery probes is therefore reported as down and never port scanned. When the administrator already knows that the system is up there is no point in that check: the -Pn option (spelled -PN in older versions; both work in Nmap 6) skips host discovery and scans every listed address as if it were up. It gives you all the port information for hosts that hide from ping, but against addresses that really are down it is slower, because every probe has to time out.

Syntax
# nmap -Pn <IP / Hostname / Domainname >   #nmap -Pn www.spidernet.co.in

TCP SYN Ping
This ping is directed at a particular port: -PS takes a port list (the default is 80). It is called a TCP SYN ping because the packet carries the SYN flag, as if we wanted to open a connection. If the port is closed the target answers with a RST; if it is open it answers with a SYN/ACK, after which our system sends a RST to tear the half-open connection down. Either reply proves that the host is up; only silence or an ICMP error leaves it undetermined. In Figure 20 you can see that the 2003 server blocks ICMP, so a plain ping gets “Request timed out” (Figure 15). But the web server on port 80 is running and the site is up (Figure 21), so giving Nmap the option -PS80 tells us straight away whether the target host is available.

Syntax
# nmap -PS<port list> <IP / Hostname / Domainname >   #nmap -PS80 192.168.1.100
Combine it with -sn (-sP) for a pure ping scan: nmap -sn -PS80 192.168.1.100. Nmap gives you the flexibility to combine discovery options freely; -PS22,80,443 tries several ports at once.

TCP ACK Ping
Nmap also offers a TCP ACK ping. It works like the SYN ping, with one small difference: the packet carries only the ACK flag, as if it were acknowledging data on a connection that does not exist. A host that receives such a stray ACK replies with a RST whether the port is open or closed, and that RST proves the host is up.

Syntax
# nmap -PA<port list> <IP / Hostname / Domainname >   #nmap -PA80 192.168.1.100
Nmap has both options because each can get past a different kind of firewall. A stateless packet filter that blocks incoming SYN packets but lets everything else through (so that established connections keep working) passes the ACK probe; a stateful firewall drops the unexpected ACK but may let the SYN through. If the SYN ping does not work because the administrator blocks it, try the ACK ping, or send both.

UDP Ping
The UDP ping (-PU) sends an empty UDP packet to the target. Many administrators only filter TCP on the firewall; if UDP is let through, a closed port answers with an ICMP port unreachable error, and that error proves that the host is up (an open port may answer with data or with nothing at all). For that reason the default probe port is 31338, chosen because it is unlikely to be open; you can pick another port with -PU<port list>.

Syntax
# nmap -PU<port list> <IP / Hostname / Domainname >   #nmap -PU 192.168.1.100

Three different ICMP Ping Scans
There are three ICMP ping types in Nmap: 1) ICMP echo ping, option -PE; 2) ICMP timestamp ping, -PP; 3) ICMP address mask ping, -PM.
1) The ICMP echo ping (-PE) is the classic ping and works on LANs and on the Internet wherever echo is not filtered. It is one of the probes Nmap sends by default when you give no ping option.
2) The ICMP timestamp ping sends a timestamp request (ICMP type 13; the reply is type 14). Firewalls that block echo requests sometimes forget timestamp requests, so an improperly configured system may still reply to it.
3) The ICMP address mask ping sends an address mask request (ICMP type 17; the reply is type 18).

ICMP Echo Ping Syntax
# nmap -PE <IP / Hostname / Domainname >
#nmap -PE 192.168.1.100
ICMP Timestamp Syntax
# nmap -PP <IP / Hostname / Domainname >
#nmap -PP 192.168.1.100
ICMP Address mask Syntax
# nmap -PM <IP / Hostname / Domainname >
#nmap -PM 192.168.1.100

IP Protocol Ping
Here you can see the tremendous flexibility of Nmap: the -PO option sends raw IP packets with the given protocol numbers in the IP header, and any reply, either a packet of the same protocol or an ICMP protocol unreachable error, proves that the host is up. Give it a list of protocol numbers; the default is ICMP (1), IGMP (2) and IP-in-IP (4). See Figure 23.

Syntax
# nmap -PO1,2,4 <IP / Hostname / Domainname >
#nmap -PO 192.168.1.100
Other Important options for the Host Discovery technique
Nmap is really in-depth, so it is not possible to try every option in practice. Here are some important switches that affect host discovery; use them as your requirements dictate:

--data-length <length>
Appends <length> random bytes of payload to each probe. Intrusion detection signatures written for Nmap's default empty probes may not match the padded ones, so this can help when an IDS detects your scan. It works with TCP, UDP and ICMP probes alike (but not with the connect scan, -sT, which uses the operating system's sockets).

-n
Disables all reverse DNS resolution, which speeds up large scans considerably.

-R
Always does reverse DNS resolution, even for hosts that appear to be down (by default Nmap only resolves responsive hosts).

--dns-servers <server1>[,<server2>[,...]]
Tells Nmap which DNS servers to use for its reverse lookups. Without this switch Nmap uses the system's own resolvers: on Windows it reads them from the registry, on Linux from /etc/resolv.conf.
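The ICMP-blocked server from Figures 14 and 15 is the normal case on a hardened network, so a practical sweep combines several of the probes above instead of relying on ICMP echo. The following added example (not code from the original article) does that with -sn and then pulls the live addresses out of grepable output, ready to be fed back into Nmap with -iL. The function names, the NMAP_DEMO_TARGET variable and the embedded SAMPLE_SWEEP text are assumptions for this example; the sample is constructed to mirror the -oG lines of a ping scan (the Status: Down line appears when -v is given).

```shell
#!/usr/bin/env bash
# Added example, not from the article: multi-probe host discovery sweep
# that survives ICMP echo filtering, plus a parser for the live hosts.
set -eu

# -sn            host discovery only, no port scan (older spelling: -sP)
# -n             no reverse DNS, so a slow resolver cannot stall the sweep
# -PE -PP        ICMP echo and ICMP timestamp requests
# -PS22,80,443   TCP SYN to ports a firewall is likely to allow
# -PA80          TCP ACK, which stateless filters tend to pass
# -PU53          UDP to 53; a closed port answers ICMP port unreachable
# Run as root so nmap can send raw packets; unprivileged nmap falls back
# to connect() probes and cannot send the ICMP or ACK probes.
discover_hosts() {
    nmap -sn -n -PE -PP -PS22,80,443 -PA80 -PU53 -oG - "$@" | live_hosts_from_grepable
}

# Grepable ping-scan lines look like: Host: <ip> (<name>)<TAB>Status: Up
live_hosts_from_grepable() {
    awk 'BEGIN { FS = "\t" }
         /^Host:/ && $2 ~ /^Status: Up/ {
             sub(/^Host: /, "", $1); sub(/ .*/, "", $1); print $1
         }'
}

# Constructed sample (assumption: three addresses, two of them up).
SAMPLE_SWEEP=$(printf '%s\n' \
    "$(printf 'Host: 10.0.0.1 ()\tStatus: Up')" \
    "$(printf 'Host: 10.0.0.2 ()\tStatus: Down')" \
    "$(printf 'Host: 10.0.0.5 ()\tStatus: Up')" \
    '# Nmap done (constructed sample): 3 IP addresses (2 hosts up)')

# Real run only when a target is supplied, e.g.
#   NMAP_DEMO_TARGET=10.0.0.0/24 bash discover_hosts.sh > live.txt
# Otherwise demonstrate the parser on the constructed sample.
if [ -n "${NMAP_DEMO_TARGET:-}" ]; then
    discover_hosts "$NMAP_DEMO_TARGET"
else
    printf '%s\n' "$SAMPLE_SWEEP" | live_hosts_from_grepable
fi
```

Save the output to a file and run the port scan only against the hosts that answered, with host discovery turned off since it has already been done: nmap -Pn -iL live.txt. Add --reason to the sweep if you want Nmap to print which probe each host answered.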

Advanced Scanning Techniques


TCP Connect Scan -sT

The TCP connect scan is the basic full-connection scan. For every port (say port 22) Nmap asks the operating system to open a connection with the connect() system call, exactly as a browser or an SSH client would. The OS sends a SYN; if the port is open the host answers with SYN/ACK, the OS completes the three-way handshake with an ACK, and Nmap then closes the connection. If the port is closed the host answers with a RST. Because it uses the normal socket interface, -sT works without root privileges, and it is what Nmap falls back to when it cannot send raw packets. Its drawback is that every connection is fully established, so the application on the target sees it and logs it, and an IDS records exactly which IP scanned the system; the administrator can easily see who scanned him. Figure 24 shows the connection being established and closed, and Figure 25 shows the result of -sT. This disadvantage is the reason the TCP SYN or stealth scan (-sS) was developed.

Syntax
# nmap -sT <IP / Hostname / Domainname >   #nmap -sT 192.168.1.100
TCP SYN Scan -sS
This scan needs root privileges, because Nmap crafts the packets itself. It is also called the stealth or half-open scan because it never completes a connection with the remote host: Nmap sends a SYN, and a SYN/ACK reply means open, a RST means closed, and no reply or an ICMP unreachable error means filtered. On a SYN/ACK a RST goes back instead of an ACK, so the handshake never finishes and the application never sees a connection (a firewall or IDS watching the wire can still log the packets). It is the default scan when you run Nmap as root, and it is fast: on a good network it can scan thousands of ports per second without drawing much attention.

Syntax
# nmap -sS <IP / Hostname / Domainname >   #nmap -sS 192.168.1.100

UDP Scan -sU
User Datagram Protocol (UDP) services are scanned with the -sU switch. It is much slower than a TCP scan, and many administrators ignore UDP for that reason; it is a big mistake, because attackers certainly do not ignore it, as you can see in Figure 26. Scanning the 2003 server we find ports 53 (DNS), 123 (NTP) and others open.

Syntax
# nmap -sU <IP / Hostname / Domainname >   #nmap -sU 192.168.1.100
Nmap sends an empty UDP header to every port (for a few well-known ports it sends a protocol-specific payload instead). The scan reports four states, and they mean different things: open, when a UDP reply comes back from the host; open|filtered, when there is no response even after retransmission, because an open service may simply not answer an empty packet; closed, when the target returns an ICMP port unreachable error (type 3, code 3); and filtered, when it returns a different ICMP unreachable error (type 3, code 1, 2, 9, 10 or 13). The scan is slow because most operating systems rate-limit those ICMP errors (Linux sends about one per second), so a range of closed ports can take many minutes. To speed it up, scan fewer ports (-p or --top-ports), lower --max-retries, add --host-timeout for slow hosts, and run with -v to watch progress; adding -sV makes Nmap send real protocol probes to the open|filtered ports, which often settles whether they are open.

TCP Xmas, Null, and FIN Scans with --scanflags
Before we look at the Xmas, Null and FIN scans we need to know what the TCP flags SYN, FIN, ACK, URG, PSH and RST do. SYN and FIN are used to open and to close a TCP connection. ACK says that the acknowledgement field is valid. URG marks a segment that carries urgent data, and PSH asks the receiving TCP to hand the data to the application immediately instead of buffering it. RST aborts a connection; a host sends it when a packet arrives for a connection it knows nothing about. RFC 793 says that a closed port must answer any packet that does not carry SYN, RST or ACK with a RST, while an open port must silently drop it, and the three scans below exploit exactly that rule. The Xmas scan sets the FIN, PSH and URG flags together, so the packet is “lit up like a Christmas tree”. A closed port responds to it with a RST, as you can see in Figure 27; an open port sends nothing, which Nmap reports as open|filtered.

Syntax
# nmap -sX <IP / Hostname / Domainname >   #nmap -sX 192.168.1.100

TCP FIN Scan
This scan sends packets with only the FIN bit set. A closed port answers with a RST; an open port ignores the packet. Because there is no SYN, a stateless firewall that only filters connection attempts lets the probe through, so this is another choice for gathering information from a target behind such a firewall.

Syntax
# nmap -sF <IP / Hostname / Domainname >   #nmap -sF 192.168.1.100

TCP Null Scan
The Null scan sends packets with no flags at all: the flags field of the TCP header is 0. If the port is closed, the target machine replies with a RST packet; an open port stays silent. Its major advantage, shared with the FIN and Xmas scans, is that it can pass through stateless firewalls and router ACLs that only block SYN packets.

Syntax
# nmap -sN <IP / Hostname / Domainname>   #nmap -sN 192.168.1.100
Figures 28, 29 and 30 show the FIN, Null and Xmas scans of the same target, and the results are identical, as expected, since all three rely on the same RFC 793 rule. Not every TCP stack follows the RFC, though: Microsoft Windows, many Cisco devices and some printers answer every such probe with a RST, so against them all ports appear closed and these scans tell you nothing about the ports (which is itself a hint about the target's operating system). You can build your own variant with --scanflags. It takes any combination of the flag names URG, ACK, PSH, RST, SYN, FIN, ECE and CWR written together, or the numeric value of the flags field; the base scan type given with it (-sS by default, or -sF, -sA and so on) only changes how the replies are interpreted. This option provides a lot of flexibility in scanning.

Syntax
# nmap --scanflags FINACKURGPSH <IP / Hostname /
Domainname>   #nmap --scanflags FINACKURGPSH 192.168.1.100
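Nmap accepts --scanflags either as run-together flag names or as the numeric value of the TCP flags field, and knowing that value makes hand-built scans reproducible and lets you check what a name list actually sets. The following added example (not code from the original article) computes the value from the standard TCP flag bits and wraps the custom scan; the function names are assumptions for this example, and the bit values are the ones defined for the TCP header (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128).

```shell
#!/usr/bin/env bash
# Added example, not from the article: turn TCP flag names into the
# integer Nmap accepts for --scanflags, then run a custom-flag scan.
set -eu

# Bit values of the flags field in the TCP header (RFC 793, ECE/CWR from RFC 3168).
tcp_flag_bit() {
    case "$1" in
        FIN) echo 1 ;;   SYN) echo 2 ;;   RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;;  URG) echo 32 ;;  ECE) echo 64 ;;  CWR) echo 128 ;;
        *) echo "unknown flag: '$1'" >&2; return 1 ;;
    esac
}

# Accepts separate names ("FIN PSH URG"), comma lists, or Nmap's run-together
# form ("FINPSHURG"), case-insensitively; prints the numeric flags value.
tcp_flags_mask() {
    local mask=0 spec word bit
    spec=$(printf '%s' "$*" | tr 'a-z' 'A-Z' | tr -d ' ,')
    while [ -n "$spec" ]; do
        word=${spec%"${spec#???}"}          # first three characters
        bit=$(tcp_flag_bit "$word") || return 1
        mask=$((mask | bit))                # OR, so a repeated flag counts once
        spec=${spec#???}
    done
    echo "$mask"
}

# Custom scan with the FIN scan as base type, so that replies are read the
# way the FIN/Null/Xmas scans above read them: RST = closed, silence =
# open|filtered. Usage: custom_flag_scan FINPSHURG 192.168.1.100
custom_flag_scan() {
    local flags=$1; shift
    nmap -sF --scanflags "$(tcp_flags_mask "$flags")" "$@"
}

# Show the values behind the three named scans and the article's example.
for spec in "FIN PSH URG (Xmas)" "FIN (FIN scan)" "" "FINACKURGPSH"; do
    names=${spec%% (*}
    printf '%-16s -> %s\n' "${spec:-(Null scan: no flags)}" "$(tcp_flags_mask "$names")"
done
```

Xmas is 41, a FIN-only scan is 1, the Null scan is 0 and the page's FINACKURGPSH example is 57. A probe that carries neither SYN, RST nor ACK (any value with bits 2, 4 and 16 clear) gets the RFC 793 treatment described above; as soon as you add ACK, RFC-compliant stacks answer open and closed ports alike with a RST, which is the behaviour the ACK scan relies on.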

TCP ACK Scan
First we have to understand what the ACK scan reports, because it never tells you whether a port is open; it maps firewall rules. It sends a packet with only the ACK flag set and interprets the reply in one of two ways. unfiltered (a TCP RST came back) means the probe reached the port, so nothing is filtering it, although Nmap cannot say whether the port is open or closed. filtered (an ICMP unreachable error, or no response) means a firewall is protecting the port. In Figure 32 you can see “All 1000 scanned ports on 192.168.1.100 are unfiltered”: nothing between us and the target filters those ports.

Syntax
# nmap -sA <IP / Hostname / Domainname >   #nmap -sA 192.168.1.100

Other Important options for Advanced Scanning techniques
There are many more options for advanced scanning; we will not cover them all.

--send-eth
This option tells Nmap to bypass the IP layer of your system and send raw Ethernet frames at the data link layer. This is Nmap's usual mode on Windows and on local Ethernet segments, so forcing it is rarely needed.

Syntax
# nmap --send-eth <IP / Hostname / Domainname>   #nmap --send-eth 192.168.1.100

-sO
This option is the IP protocol scan. Instead of ports it tells you which IP protocols the target host accepts, the most common being TCP, UDP and ICMP: Nmap sends IP packets with each protocol number in the header, and an ICMP protocol unreachable error means closed, any other reply means open, and silence means open|filtered. Figure 33 shows the 2003 server being scanned.

--send-ip
The opposite of --send-eth: it forces Nmap to send raw IP packets through the local system's IP stack instead of building Ethernet frames itself. It is also used only in rare cases.

Name Based Port Scanning


Multiple uses of -p

The -p option has several uses. You can give port numbers (53, 25) or ranges (53-200), and you can give service names (smtp, pop2), which Nmap looks up in its nmap-services file. When scanning both UDP and TCP (-sU together with -sS or -sT) you can name ports per protocol with U:<ports> and T:<ports>; ports given without a prefix apply to every protocol being scanned. Names accept a wildcard (“http*” matches http, https and the other names starting with http); quote it so the shell does not expand it. The shorthand -p- scans all 65535 ports.

Syntax
# nmap -p [port numbers, comma separated, or ranges] <IP / Hostname
/ Domainname>
#nmap -p 25,80,53-200 192.168.1.100
# nmap -p [name] <IP / Hostname / Domainname>
#nmap -p smtp,http 192.168.1.100
# nmap -sU -sS -p U:[port number],T:[port number] <IP
/ Hostname / Domainname>   #nmap -sU -sS -p U:53,T:25 192.168.1.100
# nmap -p “*” <IP / Hostname / Domainname>   #nmap -p “*”
192.168.1.100

OS & Service Scanning


Operating System Detection

OS detection sends a series of TCP, UDP and ICMP probes and compares the responses with Nmap's fingerprint database. It works best when the target has at least one open and at least one closed TCP port, and Nmap warns you when it cannot find both. The -O option turns it on. In Figure 34 the target is identified as a Windows 2003 server, and in Figure 35 as Ubuntu.

Syntax
# nmap -O <IP / Hostname / Domainname>   #nmap -O 192.168.1.100

Service Detection
Service and version detection is turned on with the -sV option. Instead of guessing the service from the port number, Nmap talks to each open port and matches the replies against its probe database, so you learn which service, and which version of it, is actually running on the target host (the exact SSH server and version, rather than just “ssh”).

Syntax
# nmap -sV <IP / Hostname / Domainname>   #nmap -sV 192.168.1.100

Guess Unknown OS
When no fingerprint matches perfectly, the --osscan-guess option, used together with -O, makes Nmap print the closest possible matches for the target OS, with a percentage, instead of giving up.

Syntax
# nmap -O --osscan-guess <IP / Hostname / Domainname>
#nmap -O --osscan-guess 192.168.1.100

Firewall Evasion Technique


Spoof MAC address

In this example Nmap uses a fake MAC address as the source of its packets. The --spoof-mac option takes one of three kinds of argument: 0, which makes Nmap generate a random MAC address; a vendor name such as 3Com or Cisco, which makes Nmap pick a random address with that vendor's prefix; or an explicit MAC address. This only has an effect when Nmap sends raw Ethernet frames, that is, against targets on your own local segment; beyond a router the spoofed address never reaches the target.

Syntax
# nmap --spoof-mac [vendor | MAC | 0] <IP
/ Hostname / Domainname>   #nmap --spoof-mac 0 192.168.1.100

Decoy Use
The decoy option does not make a scan faster; it makes it harder to trace. Nmap sends every probe not only from your own address but also spoofed from each decoy address, so the target's logs show the scan coming from many systems at once and the administrator cannot tell which one is real or where the scan is really coming from. You can list the decoys yourself (-D decoy1,decoy2,ME,decoy3, where ME marks the position of your own address) or let Nmap pick random addresses with RND:<number>, as in Figure 38. Decoys only work with raw packet scans such as -sS; they are ignored by the connect scan and by version detection. Use decoys that are up, otherwise you may accidentally SYN flood the target, and remember that your real address is still among the sources, so decoys hide you in the logs, not from a careful packet capture.

Syntax
# nmap -D RND:<number of decoys> <IP / Hostname
/ Domainname>   #nmap -D RND:10 192.168.1.100

Nmap Scripting Engine
1) nmap --script smb-os-discovery 192.168.1.100
smb-os-discovery asks the target's SMB service which operating system it is running, which works even when -O cannot fingerprint the host.

Syntax
# nmap --script smb-os-discovery <IP / Hostname
/ Domainname>   #nmap --script smb-os-discovery 192.168.1.100

Figure 39: smb-os-discovery
2) nmap --script smb-system-info 192.168.1.100
smb-system-info reads system information (OS details, installed software, hotfixes) from the target's registry over SMB. It needs an account on the target, given with --script-args smbusername=<user>,smbpassword=<password>; an administrative account returns the most.

Syntax
# nmap --script smb-system-info <IP / Hostname
/ Domainname>   # nmap --script smb-system-info 192.168.1.100

Nmap is very rich. Besides the scans above there are timing templates (-T0 to -T5) that trade speed against stealth, and there is the Nmap Scripting Engine, one of the most useful parts of Nmap: with the right script you can enumerate users, shares and much more. Every NSE script declares the categories it belongs to; in Nmap 6 these are auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version and vuln. Category names are not case-sensitive, and --script accepts a category as well as a script name, so --script default,safe runs every script in those two categories. A script is a Lua file with three parts: a handful of descriptive fields (description, author, license, categories), a rule (a portrule or hostrule function) that decides whether the script should run against a given host or port, and an action function containing the actual script instructions. Values are assigned to the descriptive fields just as you would assign any other Lua variable.
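The three parts just described are easier to see in a real script than in prose. The following added example (not code from the original article, and not a script shipped with Nmap) writes a minimal, hypothetical NSE script that reports the HTTP Server header, using only the standard shortport and http libraries, and shows how to run it; the script name, file path and function names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the article: write a minimal NSE script with the
# three parts (descriptive fields, rule, action) and run it against a host.
set -eu

# Writes the hypothetical script to the path given as $1.
write_server_header_script() {
    cat > "$1" <<'EOF'
-- Hypothetical NSE script written for this example, not part of Nmap.
local http = require "http"
local shortport = require "shortport"

-- 1) Descriptive fields: ordinary Lua globals.
description = [[Reports the Server header returned by an HTTP service.]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- 2) Rule: run only against ports Nmap believes carry HTTP (80, 443, ...).
portrule = shortport.http

-- 3) Action: one GET request; the returned string becomes the script output.
action = function(host, port)
  local resp = http.get(host, port, "/")
  if resp and resp.header and resp.header["server"] then
    return "Server: " .. resp.header["server"]
  end
end
EOF
}

# Runs the script against the targets given after the script path.
# --script accepts a file path as well as a script or category name.
run_server_header_script() {
    local script=$1; shift
    nmap -p 80,443 --script "$script" "$@"
}

# Usage (real run only when a target is given in the environment):
#   NMAP_DEMO_TARGET=192.168.1.100 bash server_header.sh
write_server_header_script ./server-header.nse
if [ -n "${NMAP_DEMO_TARGET:-}" ]; then
    run_server_header_script ./server-header.nse "$NMAP_DEMO_TARGET"
fi
```

Before pointing a new script at a host, nmap --script-help ./server-header.nse loads it and prints its description, which catches Lua syntax errors without sending a packet. Because the script is in the safe category, it can be combined with the other safe scripts as --script safe once it is copied into Nmap's scripts directory.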


SAHIL KHAN
SAHIL KHAN aka “Makbulkhan” is the founder and director of Spider.net Institute. Sahil lives in Palanpur, North Gujarat. He states that teaching and management are his passions, and that he is addicted to computers. He started his career in 1998 at APTECH and Dollhans Company. After giving up his dream of becoming a Team Leader and Sr. System Administrator, he has committed himself to doing something for his motherland, specifically opening up a Computer Hardware Networking Institute which shapes students into engineers who will work for top international technological companies.
