Nmap was created by Gordon “Fyodor” Lyon. Nmap is an extremely versatile network scanning tool. It has a vast user base from System Administrators to Penetration Testers to malicious hackers. In this article I hope to get you, the reader, more comfortable with using Nmap as well as inspire you to really check out this tool a little more in depth. We will go over scanning a local network to see what targets are available as well as issues you may run into with newer operating systems. We will also go over detecting open ports and how to detect the services that are running on them. Check out the Nmap website, Nmap.org, for examples and a higher level look at this great tool.
So you have a target network in mind that you would like to gather information on. To scan for nodes on the network use the following command:
nmap -sP [IP Range]
If the host is up, Nmap will return the MAC address (including the manufacturer), DNS information from a reverse lookup (if applicable), and the latency of the check. Nmap does this by sending ICMP echo requests and a TCP packet to each host. It then listens for an ICMP echo reply and a packet with the RST bit set.
In our example we have scanned a single IP address to show you the responses. As you can see the host is up and the MAC address leads you to believe that the NIC is manufactured by VMware (it is a VM).
OK that is good and all but that doesn’t give me enough information. There are a number of ways we can scan for open ports including those that are behind a stateful firewall. Nmap lists the following options:
-sS: TCP SYN
-sS tells Nmap to send a SYN packet to Nmap’s default port list, which includes the most common ports a service may run on. If a SYN/ACK packet is received then the port is open. If a RST packet is received then the port is closed.
-sT: TCP Connect
-sT tells Nmap to issue a connect() system call to each port in Nmap’s default port list. If the connect() call is successful then the port is open. If it fails or is blocked then the port is closed.
-sA: TCP ACK
-sA tells Nmap to send an ACK packet to Nmap’s default port list. If a RST packet is received then those ports are marked as unfiltered. This means that there was no stateful firewall in front of your target. If some other message is received then Nmap marks those ports as filtered.
-sW: TCP Window
-sW tells Nmap to send an ACK packet to Nmap’s default port list just like -sA. This scan, however, looks at the TCP window field of the reply. Open ports have a positive window size listed. Closed ports have a window size of 0 listed.
-sM: Maimon scans
-sM tells Nmap to send a FIN/ACK packet to Nmap’s default port list. Most systems respond with a RST packet for both open and closed ports. However, some BSD systems will drop the packet if the port is open.
-sU: UDP Scan
-sU tells Nmap to send an empty UDP packet to Nmap’s default port list. If an ICMP type 3 code 3 message is returned then the port is marked as closed. If an ICMP type 3 message with code 1, 2, 9, 10, or 13 is returned then the port is labeled as filtered. If a service responds then the port is open. If a service responds and then does not respond to a second UDP packet then the port is labeled as open|filtered.
-sN: TCP Null
-sN tells Nmap to send a packet with no TCP flags set (a Null packet) to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit, a packet with the RST bit set is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793.
-sF: TCP FIN
-sF tells Nmap to send a packet with the FIN bit set to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit, a packet with the RST bit set is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793.
-sX: Xmas scan
-sX tells Nmap to send a packet with the FIN, PSH, and URG bits set to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit, a packet with the RST bit set is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793.
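To make the decision rules above concrete, here is a small model I wrote for this article (it is not Nmap's code) that maps the reply seen for one probe onto the port state Nmap reports for each scan type. The Reply record and the sample replies are constructed; the state names are Nmap's own vocabulary, and unanswered probes under -sU, -sM, -sN, -sF and -sX come back as open|filtered, which is how Nmap's port-state definitions label silence it cannot attribute to either an open port or a firewall.

```python
from dataclasses import dataclass

# Illustrative model, written for this article, of how Nmap turns the reply
# to a single probe into a port state. Not Nmap's own code.


@dataclass(frozen=True)
class Reply:
    """One observed reply to a single probe (constructed for this example)."""
    kind: str            # "tcp", "udp", "icmp" or "none" (probe unanswered)
    flags: str = ""      # TCP flags seen, e.g. "SYN/ACK" or "RST"
    icmp_type: int = 0
    icmp_code: int = 0
    window: int = 0      # TCP window field of the reply, used by -sW only


NO_REPLY = Reply(kind="none")

# ICMP type 3 codes that Nmap reports as "filtered" for a UDP probe
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}


def is_rst(reply: Reply) -> bool:
    return reply.kind == "tcp" and reply.flags == "RST"


def classify(scan: str, reply: Reply) -> str:
    """Return the port state Nmap would report for `scan` given `reply`."""
    scan = scan.lstrip("-")

    if scan in ("sS", "sT"):
        # SYN scan; a connect() call succeeds or is refused on the same replies
        if reply.kind == "tcp" and reply.flags == "SYN/ACK":
            return "open"
        if is_rst(reply):
            return "closed"
        return "filtered"            # silence or ICMP unreachable

    if scan == "sA":
        # ACK scan says nothing about open/closed, only about firewalling
        return "unfiltered" if is_rst(reply) else "filtered"

    if scan == "sW":
        # Same probe as -sA, but the window field of the RST separates the ports
        if is_rst(reply):
            return "open" if reply.window > 0 else "closed"
        return "filtered"

    if scan == "sM":
        # FIN/ACK probe: most stacks RST either way, BSD-derived ones drop it when open
        if is_rst(reply):
            return "closed"
        return "open|filtered" if reply.kind == "none" else "filtered"

    if scan == "sU":
        if reply.kind == "udp":
            return "open"            # a service actually answered
        if reply.kind == "icmp" and reply.icmp_type == 3:
            if reply.icmp_code == 3:
                return "closed"
            if reply.icmp_code in UDP_FILTERED_CODES:
                return "filtered"
        if reply.kind == "none":
            return "open|filtered"   # silence: open and filtered look the same
        return "filtered"

    if scan in ("sN", "sF", "sX"):
        # RFC 793: a closed port answers RST, an open port stays silent
        if is_rst(reply):
            return "closed"
        return "open|filtered" if reply.kind == "none" else "filtered"

    raise ValueError(f"unknown scan type: -{scan}")


if __name__ == "__main__":
    # Walk each scan type through the replies it can see, as a table
    cases = [
        ("-sS", Reply("tcp", "SYN/ACK")), ("-sS", Reply("tcp", "RST")), ("-sS", NO_REPLY),
        ("-sA", Reply("tcp", "RST")), ("-sA", NO_REPLY),
        ("-sW", Reply("tcp", "RST", window=8192)), ("-sW", Reply("tcp", "RST", window=0)),
        ("-sM", Reply("tcp", "RST")), ("-sM", NO_REPLY),
        ("-sU", Reply("udp")), ("-sU", Reply("icmp", icmp_type=3, icmp_code=3)),
        ("-sU", Reply("icmp", icmp_type=3, icmp_code=13)), ("-sU", NO_REPLY),
        ("-sN", Reply("tcp", "RST")), ("-sF", NO_REPLY),
        ("-sX", Reply("icmp", icmp_type=3, icmp_code=1)),
    ]
    for scan, reply in cases:
        print(f"{scan:4} {reply.kind:5} {reply.flags:8} -> {classify(scan, reply)}")
```

Reading the table from the defender's side is the useful part: an ACK or Window scan against your own perimeter tells you whether the firewall is actually stateful, and any port that comes back open|filtered is one where your filtering is indistinguishable from a listening service.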
I usually use -sS when I am just broadly scanning a network, as it is the fastest option when port scanning. The command looks like this:
nmap -sS [IP Range]
So here you can see a few services, and that gets us closer to finding exploits for our target. With this information we can assume that this particular target is more than likely running a Windows OS. To be sure we can add the -O and -v switches, which will give us a list of potential OSes that the target could be running. Here is what that looks like:
As you can see, Nmap has detected that the target is either Windows 2000 SP0-SP2 or XP SP0-SP1. This is valuable information if you are looking for exploits against a target.
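The screenshots of the host-discovery sweep and of the -sS -O -v run are not reproduced here, so as an added example (my code, not Nmap's) here is a parser for Nmap's normal output that pulls out the same fields the two passages above talk about: whether the host is up, its latency, the MAC address and vendor, the open ports, and the OS details line. The sample output below is constructed: the addresses, hostname and MAC bytes are made up (the 00:0C:29 prefix is VMware's well-known OUI), and the OS details string is the one quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of Nmap's normal output: one host that went through a
# port scan plus OS detection, and one host seen only by a host-discovery
# sweep. Addresses, names and MACs are made up for this example.
SAMPLE_OUTPUT = """\
Nmap scan report for win2k.lab.example (192.168.56.101)
Host is up (0.00042s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
MAC Address: 00:0C:29:3E:1F:2A (VMware)
Running: Microsoft Windows 2000|XP
OS details: Microsoft Windows 2000 SP0-SP2 or XP SP0-SP1
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).
MAC Address: 00:0C:29:7B:44:9C (VMware)
Nmap done: 2 IP addresses (2 hosts up) scanned in 3.02 seconds
"""

# "Nmap scan report for name (addr)" when reverse DNS resolved, else just the address
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \((?P<addr>[^)]+)\)|(?P<addr2>\S+))$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>[^)]*)\))?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
OS_RE = re.compile(r"^OS details: (?P<os>.+)$")


@dataclass
class HostReport:
    address: str
    hostname: Optional[str] = None     # reverse-DNS name, when Nmap found one
    up: bool = False
    latency: Optional[float] = None    # seconds
    mac: Optional[str] = None
    vendor: Optional[str] = None       # manufacturer Nmap derived from the MAC
    os_details: Optional[str] = None
    ports: List[Tuple[int, str, str, str]] = field(default_factory=list)  # (port, proto, state, service)


def parse_nmap_output(text: str) -> List[HostReport]:
    """Parse Nmap's normal (human-readable) output into one record per host."""
    hosts: List[HostReport] = []
    current: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = HostReport(address=m.group("addr") or m.group("addr2"),
                                 hostname=m.group("name"))
            hosts.append(current)
            continue
        if current is None:
            continue                    # banner lines before the first host
        if (m := UP_RE.match(line)):
            current.up = True
            if m.group("lat"):
                current.latency = float(m.group("lat"))
        elif (m := MAC_RE.match(line)):
            current.mac, current.vendor = m.group("mac"), m.group("vendor")
        elif (m := PORT_RE.match(line)):
            current.ports.append((int(m.group("port")), m.group("proto"),
                                  m.group("state"), m.group("service")))
        elif (m := OS_RE.match(line)):
            current.os_details = m.group("os")
    return hosts


def open_ports(report: HostReport) -> List[int]:
    return [port for port, _proto, state, _svc in report.ports if state == "open"]


def unexpected_open(report: HostReport, allowed: set) -> List[int]:
    """Open ports that are not in the allow-list: the first thing to chase as a defender."""
    return [p for p in open_ports(report) if p not in allowed]


if __name__ == "__main__":
    for host in parse_nmap_output(SAMPLE_OUTPUT):
        label = f"{host.hostname} ({host.address})" if host.hostname else host.address
        print(f"{label}: up={host.up} vendor={host.vendor} os={host.os_details}")
        print("  open:", open_ports(host), " not in baseline:", unexpected_open(host, allowed={445}))
```

Feed it the saved output of your own scans (nmap -oN writes exactly this format) and diff unexpected_open against a per-host baseline; that turns the same scan the article uses for reconnaissance into a periodic check that nothing new has started listening.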
An extremely valuable resource when learning Nmap is the “Nmap Network Scanning” book by Fyodor. Information about the book can be found on the Nmap website.