Nmap is a security tool written by Fyodor. It is an opensource security tool which is licensed under the GNU GPL. Nmap is what is called a network scanner. It is not a vulnerablility scanner like nessus.
A decent analogy would be if you had an address to a particular house and wanted to figure out what type of house it was and what windows and doors were open. However, Nmap could also be used to tell you the addresses of all houses in a particular neighborhood in addition to the other information. It is essentially an easy way to look at a machine (or group of machines) and determine if it is up and what services are running. Usually, nmap can also tell you what type of operating system is running on the box as well.
Nmap is portable, meaning it runs on multiple operation systems. It typically comes in two flavors, a command line executable and a gui executable. I will be focusing on the command line version for several reasons. The first, is that it is more common. If you have nmap installed you are going to have the command line, you may not have the gui. Second, it is more powerful (in my opinion). If you can do it via command line, you should be able to figure out the gui. Third, and this is the selfish reason, it is easier to write this article telling you what command to type vs. having to tell you to click in several places and take screen shots.
So, lets go back to our analogy about the server being a particular house. This house has an address, just like a server. In addition, this house sits on a street, which you can think of as the network. Now, to get to a house, you need a street number, a street name, a city name, and a state name (plus, the zipcode, but usually this can be derived from the city/state).
For the server, we need to know the IP address. Most networks today (including the Internet) utilize a set of protocols called TCP/IP. Machines are then assigned IP addresses to allow them to communicated over TCP/IP. IP addresses are 32 bits in length (for IPv4). They are then broken into four pieces of 8 bits in length. In base 10 format this is usually represented as XXX.XXX.XXX.XXX. Each block of XXX can be a number from 0 to 255. There are certain numbers that cannot be used, however that is beyond the discussion of this article. You can find much more information about IP addresses here. An IP address is made up of two things, the network address and the host address.
For simplicity sakes, we are going to refer to the network address as the first three octect and the host address as the last octet (this is the most common setup). Whereas a house address is usually listed as: 1600 Pennsylvania Ave, Washington, DC – an IP address is the reverse. The network comes first and then the host. So the White House’s address would look more like: DC.Washington.Pennsylvania Ave.1600. A thoretical IP address would look like 192.168.1.100. 192.168.1 is the network and 100 is the host.
So, now that we know what an IP address is and we have an IP address of a host that we want to scan, we can see what type of information we can get by using Nmap. The easiest way to do this is just type namp and the IP address:
nmap 192.168.1.50
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on adams (192.168.1.50):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
7000/tcp open afs3-fileserver
7001/tcp open afs3-callback
Nmap run completed — 1 IP address (1 host up) scanned in 3 seconds
Here you can see there are four services running on 192.168.1.50. Keep mind that Nmap is not checking to see if that is really a web server on the box, it just knows that port 80 is a http server.
This is all well and good. But, we want to know more information about the server we are scanning. So, we can tell Nmap to be more verbose. You can do this by adding -v command line options. I usually use vv to provide information.
nmap -vv 192.168.1.50
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don’t want to portscan (and just want to see what hosts are up).
Machine 192.168.1.50 MIGHT actually be listening on probe port 80
Host (192.168.1.50) appears to be up … good.
Initiating Connect() Scan against (192.168.1.50)
Adding open port 80/tcp
Adding open port 7000/tcp
Adding open port 22/tcp
Adding open port 7001/tcp
Adding open port 3306/tcp
The Connect() Scan took 1 second to scan 1601 ports.
Interesting ports on (192.168.1.50):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
7000/tcp open afs3-fileserver
7001/tcp open afs3-callback
Nmap run completed — 1 IP address (1 host up) scanned in 2 seconds
So, we got some more information. We were told how many ports were scanned and how long it took. However, nothing really new at this point. However, you can see where it says that it is using a default scan. This means that the administrator viewing his logs (like all good security administrators do) will easily see the connections generated from Nmap scan.
Nmap provides for several mechanisms to try to avoid detection of the scan. However, you need to have administrator access on the box that you are using to scan from. This is called "TCP SYN stealth port scan". From the Nmap home page, this is the information they give regarding this type of scan:
This technique is often referred to as half-open scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1,2, 3, 9, 10, or 13) is received.
Under normal network connections (and the first scan we did), a three way handshake happens. The scanner sends an SYN packet, the server sends a SYN/ACK packet back, then the scanner sends a final SYN packet. This opens the connection. Under the stealth scan, the scanner sends the SYN packet, the server sends the SYN/ACK packet, however, the scanner does not respond with anything. A real connection is never opened. We can do this by utilizing the -sS options flag. For example:
sudo nmap -sS -vv 192.168.1.50
Password:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.1.50) appears to be up … good.
Initiating SYN Stealth Scan against (192.168.1.50)
Adding open port 22/tcp
Adding open port 7000/tcp
Adding open port 80/tcp
Adding open port 7001/tcp
Adding open port 3306/tcp
The SYN Stealth Scan took 1 second to scan 1601 ports.
Interesting ports on (192.168.1.50):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
7000/tcp open afs3-fileserver
7001/tcp open afs3-callback
Nmap run completed — 1 IP address (1 host up) scanned in 2 seconds
Notice that our results are not any different. However, this is harder to detect on the server side.
Now, suppose we want to know what type of operating system is being used by the server. Nmap more likely than not can tell us this by watching how the OS responds. You do this by using the -O option flag:
sudo nmap -sS -O -vv 192.168.1.50
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.1.50) appears to be up … good.
Initiating SYN Stealth Scan against (192.168.1.50)
Adding open port 22/tcp
Adding open port 7001/tcp
Adding open port 7000/tcp
Adding open port 3306/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 2 seconds to scan 1601 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Interesting ports on (192.168.1.50):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
7000/tcp open afs3-fileserver
7001/tcp open afs3-callback
Remote operating system guess: Linux 2.4.19-pre4 on Alpha
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=40DA00%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Uptime 2.692 days (since Sat Apr 22 22:13:56 2006)
TCP Sequence Prediction: Class=random positive increments
Difficulty=4250112 (Good luck!)
TCP ISN Seq. Numbers: B403CEB6 B361F76D B39D6D67 B3A2E3EC
IPID Sequence Generation: All zeros
Nmap run completed — 1 IP address (1 host up) scanned in 7 seconds
Notice we got a lot more information back this time. It guesses that the OS of the server is Linux 2.4.19-pre4 on a Alpha chip. However, it is actually a Linux 2.6.12 running on an AMD Sempron64 chip. So, close, but not quite exact. It also shows us the uptime of the box, which is correct. It also shows us the TCP Sequence Prediction, which it lists as a pretty high difficulty. So, we have a decent amount of information about a server that we have not logged onto.
Now, lets look back at our house and street analogy. What if we wanted to know the addresses and type of house of every house on the street? This would be knowing information about every machine on a network. Again, we are just going to just use a simple 24 bit network. To do this, we are going to give Nmap a network address, instead of an individual machine address. For this example, it would be 192.168.1.0/24. An example of a huge network would be 10.0.0.0/8. This would result in a network scan of over 16million hosts vs. the 256 hosts in the following example:
sudo nmap -sS -O 192.168.1.0/24
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.1.0) seems to be a subnet broadcast address (returned 2 extra pings). Skipping host.
Interesting ports on foundation (192.168.1.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
53/tcp open domain
80/tcp open http
443/tcp open https
Remote operating system guess: Linux Kernel 2.4.0 – 2.5.20
Uptime 3.197 days (since Sat Apr 22 10:43:49 2006)
Interesting ports on (192.168.1.10):
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
80/tcp open http
515/tcp open printer
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=powerpc-apple-darwin7.5.0%D=4/25%Time=444E8651%O=21%C=1)
TSeq(Class=TD%gcd=64%SI=1%IPID=I%TS=U)
TSeq(Class=TD%gcd=190%SI=0%IPID=RD%TS=U)
TSeq(Class=TD%gcd=32%SI=3%IPID=I%TS=U)
T1(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AR%Ops=)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AR%Ops=)
T4(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Interesting ports on (192.168.1.50):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
7000/tcp open afs3-fileserver
7001/tcp open afs3-callback
Remote operating system guess: Linux 2.4.19-pre4 on Alpha
Uptime 2.718 days (since Sat Apr 22 22:13:55 2006)
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on (192.168.1.100):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=powerpc-apple-darwin7.5.0%D=4/25%Time=444E8677%O=6000%C=1)
T1(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)
Host (192.168.1.255) seems to be a subnet broadcast address (returned 3 extra pings). Skipping host.
Nmap run completed — 256 IP addresses (4 hosts up) scanned in 92 seconds
So, you can see that we have 4 hosts that are responding. Plus, we have a decent idea of what they are. Notice, I turned off the -vv, this will give you a line item for every host that is down. This is just a brief look at what you can use Nmap for. Obviously, much more infomation can be found at Nmap’s web site. Also, note that I am using Nmap 3. The newer version has more capabilities than what I have shown here. However, everything I have talked about here should work with no problems in the newer versions.
Post a Comment