File: flechtner.html

<!--startcut  ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Tools of the Trade: nmap LG #56</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->

<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg" 
	WIDTH="600" HEIGHT="124" border="0"></H1></A> 

<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="eyler.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_toc56.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_frontpage.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue56/flechtner.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="giraldo.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>

<!--endcut ============================================================-->

<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P> 
<!--===================================================================-->

<center>
<H1><font color="maroon">Tools of the Trade: nmap</font></H1>
<H4>By <a href="mailto:jafgon@bright.net">Josh Flechtner</a></H4>
</center>
<P> <HR> <P>  

<!-- END header -->




<H1>nmap - the Network MAPper</H1>
<p><b>Author</b>: Fyodor
<p><b>Required</b>: <tt>flex, bison</tt>
<p><b>Homepage</b>: <a href="http://www.insecure.org/nmap">http://www.insecure.org/nmap</a>
<p><b>Current stable release</b>: 2.53
<p><b>License</b>: GPL
<p><b>Platform ports</b>: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, IRIX,
BSDI, SunOS, HP-UX, AIX, Digital UNIX, Cray UNICOS and Windows NT.

<H1>I. Introduction</H1> <p>&nbsp;&nbsp;&nbsp; The intent of this article is to
familiarize the reader with the network scanner nmap. As Lamont Granquist (an
nmap contributor/developer) points out, nmap does three things: it pings a
number of hosts to determine whether they are up, it portscans hosts to
determine what services they are offering, and it attempts to determine the
OS (operating system) of the host(s). Nmap lets the user scan networks as
small as a two-node LAN (Local Area Network) or as large as a 500-node LAN and
even larger. Nmap also lets you customize your scanning techniques.
Sometimes a simple ICMP (Internet Control Message Protocol) ping sweep may be
all you need. If not, then maybe you're looking for a stealth scan that
reports which UDP (User Datagram Protocol) and TCP (Transmission Control
Protocol) ports are available and what operating system the host is
running. Still want more? You can do all that and log the data in either
human-readable or machine-parsable format. In this article I will cover
some basic to intermediate scanning techniques to get you up and running with
nmap. If you love it enough, I would suggest reading the nmap man page
50 times and then translating it into the foreign language of your choice ;)

<H1>II. Getting Nmap</H1>
<p>&nbsp;&nbsp;&nbsp; Some Linux distributions come with nmap as part of
the install. If you do not have nmap, let's begin by grabbing the
<a href="http://www.insecure.org/nmap">latest copy</a> and getting it up
and running. The version I will be covering here is the source code
tarball; optionally you also have both an rpm and a source rpm to choose from. The
Linux distribution I am using is Red Hat 6.1. Download the nmap-latest.tgz
file into your home directory. Once the download is complete, run <tt>tar
-zxvf nmap-latest.tgz</tt>; this unpacks the source code into your
home directory. Go into the newly created nmap-latest directory and read
both the README and INSTALL files. Ideally the next step is to run
<tt>configure</tt>, <tt>make</tt> and (as root) <tt>make install</tt> in the top level of the newly
created directory. This installs the nmap binary into /usr/local/bin.
From here we're ready to run nmap.

<H1>III. Using Nmap</H1>
<p><b><font size=+1>Scanning types</font></b>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Without further ado, let's
get down to business with nmap. First we will need an address to scan against.
If you are working from a LAN then pick the address of one of your hosts.
Let's say that your LAN consists of two machines: Adam and Eve. Adam (192.168.0.1)
is the unit we'll be running nmap on. Eve (192.168.0.2) is the machine
we will be scanning. From the command line I would type the following:
<p><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nmap 192.168.0.2</tt>
<p>Here is a sample output from the scan:
<p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <u>Example 1</u></b>
<p><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Starting nmap V. 2.53
by fyodor@insecure.org (www.insecure.org/nmap)</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Interesting ports on
Eve (192.168.0.2):</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (The 1511 ports scanned
but not shown below are in state:closed)</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
State&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Service</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 21/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ftp</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 23/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
telnet</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 25/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
smtp</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 79/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
finger</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 80/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
http</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 98/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
linuxconf</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 111/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
sunrpc</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 113/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
auth</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 513/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
login</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 514/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
shell</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 515/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
printer</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6000/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
X11</i>
<p><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Nmap run completed --
1 IP address (1 host up) scanned in 1 second</i>
<p>&nbsp;&nbsp;&nbsp;&nbsp; What the above example did was run a
vanilla TCP connect scan against the designated address. As we can see from this
sample output, our host is up and we get a list of ports that
are listening. This is of course the most basic of all commands and can
be run without any special privileges. The disadvantage of this call is
that it completes a full TCP connection to each port, so any host running
logging software will easily detect this sort of scan. The output of this
call is the same as adding the option -sT to the command line, so it would
look like this: <tt>nmap -sT 192.168.0.2</tt>.
(Note that this call is allowed for normal users.)
<p>&nbsp;&nbsp;&nbsp; Not on a local LAN? Working from a single host dial-up
machine? No problem, run <i>ifconfig</i> (or use your favorite text editor
to view your /var/log/messages file and look for the last entry in the messages
file that contains a remote IP address) to obtain your IP address and go
from there. Let's say my IP address is 206.212.15.23; we can use
that as a starting point for our scans. So with that in mind let's check
on our "neighbor":
<p><tt>&nbsp;&nbsp;&nbsp; nmap -sT 206.212.15.22</tt>
<p>&nbsp;&nbsp;&nbsp; Here is the sample output:
<p>&nbsp;&nbsp;&nbsp; <b><u>Example 2</u></b>
<p>&nbsp;&nbsp;&nbsp; <i>Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap)</i>
<br><i>&nbsp;&nbsp;&nbsp; Interesting ports on find2-cs-4.dial.ISP.net
(206.212.15.22):</i>
<br><i>&nbsp;&nbsp;&nbsp; (1522 ports scanned but not shown below are in
state: closed)</i>
<br><i>&nbsp;&nbsp;&nbsp; Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
State&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Service</i>
<br><i>&nbsp;&nbsp;&nbsp; 139/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
netbios-ssn</i>
<p><i>&nbsp;&nbsp;&nbsp; Nmap run completed -- 1 IP address (1 host up)
scanned in 20 seconds</i>
<p>&nbsp;&nbsp;&nbsp; This is a very basic example of nmap's capabilities,
but it at least gives the beginner some grounds to work off of if not on
a local LAN.
<p><b>&nbsp;&nbsp;&nbsp; -sS </b>Now let's say that you wish to use
a more stealthy scan to prevent detection; you would then use our previous
example only with the -sS (SYN) call, so it would look like this: <tt>nmap
-sS 192.168.0.2</tt>. The -sS (SYN) call is sometimes referred to as the
"half-open" scan because you do not initiate a full TCP connection. The
output will read the same as <b>example 1</b>, only with a lesser chance
of detection from the other end. Unlike the -sT call, this call
requires root privileges.
<p>&nbsp;&nbsp;&nbsp; <b>-sF -sX&nbsp; -sN</b> Now for the truly paranoid,
or for instances when the target may be running filtering or logging software
that detects SYN probes, we can issue a third type of call with the -sF (Stealth
FIN), -sX (Xmas Tree) or -sN (Null) scan. Note: since Microsoft insists
on doing things their own way, none of the FIN, Xmas or Null scan modes
will work on Windows 95/98 or NT boxes. So if we get a listing
of available ports running either the -sT or -sS options but "<tt>All scanned
ports are: closed</tt>" running the -sF, -sX or -sN option, then we
can safely assume that the target is probably a Windows box. This really
isn't a necessary procedure to verify a Windows machine, since nmap
has built-in OS detection which we will cover later. These three commands
also require root privileges.
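<p>&nbsp;&nbsp;&nbsp; The defender's view of the scan types above, as an added example that is not code from the article: a Python script that reads iptables LOG lines from a packet filter (the sample lines are constructed, with only the fields the detector needs) and classifies each probe by its TCP flags into the SYN, FIN, Xmas and Null patterns that -sS/-sT, -sF, -sX and -sN send, then flags any source that touches many ports or sends a flag combination no ordinary client does. One caveat it makes visible: a packet-level log records the initial SYN whether or not the handshake completes, so it sees -sS probes as readily as -sT ones; the "lesser chance of detection" applies to logging done by the listening services, not by the firewall.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (not from the article) showing probes against
# Eve (192.168.0.2). Only the fields the detector reads are kept; a real log
# line carries more (MAC, LEN, TTL, ID, ...), which the regex skips over.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=40003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=40004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=40005 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=40006 DPT=513 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.7 DST=192.168.0.2 PROTO=TCP SPT=40007 DPT=21 WINDOW=1024 RES=0x00 FIN URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.7 DST=192.168.0.2 PROTO=TCP SPT=40008 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.7 DST=192.168.0.2 PROTO=TCP SPT=40009 DPT=23 WINDOW=1024 RES=0x00 URGP=0
kernel: IN=eth0 OUT= SRC=192.168.0.9 DST=192.168.0.2 PROTO=TCP SPT=40010 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# TCP flag names as iptables prints them between RES= and URGP=.
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) (?P<rest>.*)$"
)


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP LOG line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    flags = frozenset(tok for tok in m.group("rest").split() if tok in FLAG_NAMES)
    return m.group("src"), m.group("dst"), int(m.group("dpt")), flags


def probe_type(flags):
    """Map a probe's flag set to the nmap scan mode that sends it."""
    if flags == {"SYN"}:
        return "syn"          # first packet of both -sT (connect) and -sS
    if flags == {"FIN"}:
        return "fin"          # -sF
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"         # -sX
    if not flags:
        return "null"         # -sN
    return "other"            # ACK, RST, normal traffic, ...


def summarize(log_text, min_ports=5):
    """Per source address: distinct destination ports, probe types seen and a
    verdict. A source is flagged when it touches at least min_ports distinct
    ports, or sends any FIN/Xmas/Null probe (no legitimate client opens a
    connection that way)."""
    per_src = defaultdict(lambda: {"ports": set(), "types": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, dport, flags = parsed
        per_src[src]["ports"].add(dport)
        per_src[src]["types"].add(probe_type(flags))
    report = {}
    for src, seen in per_src.items():
        stealth = bool(seen["types"] & {"fin", "xmas", "null"})
        report[src] = {
            "distinct_ports": len(seen["ports"]),
            "probe_types": sorted(seen["types"]),
            "suspicious": len(seen["ports"]) >= min_ports or stealth,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```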
<p>&nbsp;&nbsp;&nbsp; <b>-sU</b> This option tells nmap to scan for listening
UDP (User Datagram Protocol) rather than TCP ports on a target host. Although
this can sometimes be slow against Linux machines, it runs particularly fast
against Windows boxes. Using our previous examples of Adam and Eve, let's
run (once again root privilege is required) a -sU scan against Eve:
<p><tt>&nbsp;&nbsp;&nbsp; nmap -sU 192.168.0.2</tt>
<p>Here is the sample output from the scan:
<p><b>&nbsp;&nbsp;&nbsp; <u>Example 3</u></b>
<p><i>&nbsp;&nbsp;&nbsp; Starting&nbsp; nmap V. 2.53 by fyodor@insecure.org
(www.insecure.org/nmap)</i>
<br><i>&nbsp;&nbsp;&nbsp; Interesting ports on Eve (192.168.0.2):</i>
<br><i>&nbsp;&nbsp;&nbsp; (The 1445 ports scanned but not shown below are
in state: closed)</i>
<br><i>&nbsp;&nbsp;&nbsp; Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
State&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Service</i>
<br><i>&nbsp;&nbsp;&nbsp; 111/udp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
sunrpc</i>
<br><i>&nbsp;&nbsp;&nbsp; 517/udp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
talk</i>
<br><i>&nbsp;&nbsp;&nbsp; 518/udp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ntalk</i>
<p><i>&nbsp;&nbsp;&nbsp; Nmap run completed -- 1 IP address (1 host up)
scanned in 4 seconds</i>
<p>&nbsp;&nbsp;&nbsp; As we can see, nmap scanned 1455 ports on Eve
and gave us a listing of the UDP ports it found to be listening. We can
gather from examples one and two that we are looking at a Linux install.
With that in mind, remember that in the introduction I mentioned that
nmap does three things: it pings, it portscans and it detects the
target's operating system. Now that we've briefly covered the first two
uses, let's move on to OS detection.

<H1>IV. OS detection</H1>
<p>&nbsp;&nbsp;&nbsp; <b>-O</b> This is the option used to determine
the operating system of the given target. It can be used in conjunction
with the scan types mentioned above or by itself. Nmap uses what is called
TCP/IP fingerprinting to try to accurately determine the OS of the given
target. For a more complete reading on OS fingerprinting please see Fyodor's
article titled "Remote OS detection via TCP/IP fingerprinting" found <a href="http://www.insecure.org/nmap/nmap-fingerprinting-article.html">here</a>.
Now with that in mind let's get right to our next example. Using our target
host (Eve) from Example 1, I would type the following (note that
the -O option requires root privileges):
<p><tt>&nbsp;&nbsp;&nbsp; nmap -O 192.168.0.2</tt>
<p>&nbsp;&nbsp;&nbsp; Here is the sample output from the scan:
<p>&nbsp;&nbsp;&nbsp; <b><u>Example 4</u></b>
<p>&nbsp;&nbsp;&nbsp; <i>Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap)</i>
<br><i>&nbsp;&nbsp;&nbsp; Interesting ports on Eve (192.168.0.2):</i>
<br><i>&nbsp;&nbsp;&nbsp; (The 1511 ports scanned but not shown below are
in state:closed)</i>
<br><i>&nbsp;&nbsp;&nbsp; Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
State&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Service</i>
<br><i>&nbsp;&nbsp;&nbsp; 21/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ftp</i>
<br><i>&nbsp;&nbsp;&nbsp; 23/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
telnet</i>
<br><i>&nbsp;&nbsp;&nbsp; 25/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
smtp</i>
<br><i>&nbsp;&nbsp;&nbsp; 79/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
finger</i>
<br><i>&nbsp;&nbsp;&nbsp; 80/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
http</i>
<br><i>&nbsp;&nbsp;&nbsp; 98/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
linuxconf</i>
<br><i>&nbsp;&nbsp;&nbsp; 111/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
sunrpc</i>
<br><i>&nbsp;&nbsp;&nbsp; 113/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
auth</i>
<br><i>&nbsp;&nbsp;&nbsp; 513/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
login</i>
<br><i>&nbsp;&nbsp;&nbsp; 514/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
shell</i>
<br><i>&nbsp;&nbsp;&nbsp; 515/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
printer</i>
<br><i>&nbsp;&nbsp;&nbsp; 6000/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
open&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
X11</i>
<p><i>&nbsp;&nbsp;&nbsp; TCP Sequence prediction: Class=random positive
increments</i>
<br><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Difficulty=1772042 (Good luck!)</i>
<br><i>&nbsp;&nbsp;&nbsp; Remote operating system guess: Linux 2.1.122
- 2.2.14</i>
<p><i>&nbsp;&nbsp;&nbsp; Nmap run completed -- 1 IP address (1 host up)
scanned in 1 second</i>
<p>&nbsp;&nbsp;&nbsp; Notice that nmap reports the same available port
data as it did in example 1 due to the default -sT option, but also the
OS of the machine (in this case Linux) and the kernel version...not bad
ehh?! Nmap comes equipped with an impressive OS database.

<H1>V. More fun with Nmap</H1>
<p>&nbsp;&nbsp;&nbsp; Instead of limiting ourselves to scanning just one
target, let's broaden our horizons to bigger and better things. In example
2 we used our own IP address as the basis for a scan. Using that address again
we can get a look at numerous targets in our "community". At the command
line type the following (substituting a valid address of your choice, of
course):
<p>&nbsp;&nbsp;&nbsp;&nbsp;<tt>&nbsp;&nbsp;&nbsp; nmap -sT -O 206.212.15.0-50</tt>
<p>&nbsp;&nbsp;&nbsp; This instructs nmap to scan every host
between the IP addresses 206.212.15.0 and 206.212.15.50. If you happen
to get many interesting results from this or a larger scale scan,
you can always send the output to your choice of a human readable
file or a machine parsable file for future reference with the following
options:
<p>&nbsp;&nbsp;&nbsp; To create a human readable output file, add
<b>-oN &lt;textfile name&gt;</b> to your nmap command line so that it looks similar to
this:
<p><tt>&nbsp;&nbsp;&nbsp; nmap -sT -O -oN sample.txt 206.212.15.0-50</tt>
<p>&nbsp;&nbsp;&nbsp; Rather have a machine parsable file? Add <b>-oM
&lt;textfile name&gt;</b> to send the output to a machine parsable file:
<p><tt>&nbsp;&nbsp;&nbsp; nmap -sT -O -oM sample.txt 206.212.15.0-50</tt>
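<p>&nbsp;&nbsp;&nbsp; What you can do with a machine parsable file, as an added example that is not code from the article: a Python parser for -oM style output that turns each <tt>Host:</tt> line into a record and then audits the open ports against a small policy of services that carry logins in the clear or trust the caller by address. The sample file is constructed in the machine-parsable layout (one Host: line per host, tab-separated fields, ports written as port/state/protocol/owner/service/); the policy table is an assumption for the example. Run against a scan of your own machines (see "nmap yourself" below) it tells you which of the open ports in Example 1 deserve a second look.

```python
import re

# Constructed sample in the layout of nmap's machine-parsable (-oM) output
# (not output from the article): one "Host:" line per host, tab-separated
# fields, ports as port/state/protocol/owner/service/. Eve's ports are the
# ones the article's Example 4 reports; Adam's are invented.
SAMPLE_OM = """\
# nmap (V. 2.53) scan initiated as: nmap -sT -O -oM sample.txt 192.168.0.1-2
Host: 192.168.0.1 (Adam)\tPorts: 22/open/tcp//ssh/, 80/open/tcp//http/\tOS: Linux 2.1.122 - 2.2.14
Host: 192.168.0.2 (Eve)\tPorts: 21/open/tcp//ftp/, 23/open/tcp//telnet/, 25/open/tcp//smtp/, 79/open/tcp//finger/, 80/open/tcp//http/, 98/open/tcp//linuxconf/, 111/open/tcp//sunrpc/, 113/open/tcp//auth/, 513/open/tcp//login/, 514/open/tcp//shell/, 515/open/tcp//printer/, 6000/open/tcp//X11/\tOS: Linux 2.1.122 - 2.2.14
# Nmap run completed -- 2 IP addresses (2 hosts up) scanned in 2 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(?P<addr>\S+)\s+\((?P<name>[^)]*)\)")
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)/(?P<owner>[^/]*)/(?P<service>[^/,\s]*)"
)
OS_RE = re.compile(r"\tOS:\s*(?P<os>[^\t]+)")

# Assumed audit policy: services that send credentials in the clear, leak
# account names, or trust the client's source address (the BSD r-services).
RISKY_SERVICES = {
    "ftp": "cleartext credentials",
    "telnet": "cleartext credentials",
    "finger": "leaks account names",
    "linuxconf": "remote administration over HTTP",
    "login": "r-service, address-based trust",
    "shell": "r-service, address-based trust",
    "exec": "r-service, address-based trust",
    "X11": "display server reachable from the network",
}


def parse_om(text):
    """Parse machine-parsable output into a list of host records."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m is None:            # comment lines and anything unrecognised
            continue
        ports = [
            {"port": int(p["port"]), "state": p["state"],
             "proto": p["proto"], "service": p["service"]}
            for p in PORT_RE.finditer(line)
        ]
        os_m = OS_RE.search(line)
        hosts.append({
            "addr": m["addr"],
            "name": m["name"],
            "ports": ports,
            "os": os_m["os"].strip() if os_m else None,
        })
    return hosts


def audit(hosts):
    """Map each host address to its open ports that match the risk policy."""
    findings = {}
    for h in hosts:
        findings[h["addr"]] = [
            {"port": p["port"], "service": p["service"],
             "reason": RISKY_SERVICES[p["service"]]}
            for p in h["ports"]
            if p["state"] == "open" and p["service"] in RISKY_SERVICES
        ]
    return findings


if __name__ == "__main__":
    for h in parse_om(SAMPLE_OM):
        print(f"{h['addr']} ({h['name']}) OS={h['os']} open={len(h['ports'])}")
    for addr, items in audit(parse_om(SAMPLE_OM)).items():
        for f in items:
            print(f"  {addr} {f['port']}/{f['service']}: {f['reason']}")
```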
<p>&nbsp;&nbsp;&nbsp; *Back when I was becoming acquainted with all the
nmap options, I ran my first large scale scan against 250 consecutive machines
using an arbitrary number (<tt>nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250</tt>). To
my great surprise I was confronted with 250 up and running virgin Linux
machines. Another reason why Linux enthusiasts should NEVER become bored.
<p>&nbsp;&nbsp;&nbsp; <b>-I</b> This is a handy little call that activates
nmap's TCP reverse ident scanning option. It divulges the username that
owns each listening process (note that the host has to be running ident).
At the command line, issue this option against your target, in this case
our default Eve running Linux:
<p>&nbsp;&nbsp;&nbsp; <b>-iR</b> Use this option to instruct nmap to
scan random hosts for you.
<p>&nbsp;&nbsp;&nbsp; <b>-p</b> Port range option allows you to pick what
port or ports you wish nmap to scan against.
<p>&nbsp;&nbsp;&nbsp; <b>-v</b> Use verbosity to display more output data.
Use twice (-v -v) for maximum verbosity.
<p>&nbsp;&nbsp;&nbsp; <b>-h</b> Displays a quick reference of nmap's calls.

<H1>VI. Gleaning the Cube</H1>
<p>&nbsp;&nbsp;&nbsp; Now that we have looked at nmap's three basic usage
types and some of its other options, let's mix and match them.
<p><tt>&nbsp;&nbsp;&nbsp; nmap -v -v -sS -O 209.212.53.50-100</tt>
<p>&nbsp;&nbsp;&nbsp; This instructs nmap to use a maximum amount of verbosity
to run a stealth scan and OS detection against all machines between IP
addresses 209.212.53.50 and 209.212.53.100. This command will also require
root privileges due to both the -sS and -O calls. Of course this will display
a very overwhelming amount of data so let's log our results into a human
readable file for future reference:
<p><tt>&nbsp;&nbsp;&nbsp; nmap -v -v -sS -O -oN sample.txt 209.212.53.50-100</tt>
<p>&nbsp;&nbsp;&nbsp; Now let's make nmap run a stealth scan and instruct
it to look only for machines offering ftp and http services between the
addresses of 209.212.53.50 and 209.212.53.100. Once again we will log the
output (I'm a log junkie) for future reference into a human readable file
called ftphttpscan.txt:
<p><tt>&nbsp;&nbsp;&nbsp; nmap -sS -p 21,80 -oN ftphttpscan.txt 209.212.53.50-100</tt>
<p>&nbsp;&nbsp;&nbsp; Remember the <b>-iR</b> option mentioned previously?
Let's use it to take a random sampling of Internet web servers using the
verbatim example from nmap's man page:
<p><tt>&nbsp;&nbsp;&nbsp; nmap -sS -iR -p 80</tt>
<p>&nbsp;&nbsp;&nbsp;&nbsp; Last but certainly not least, while gleaning
information, don't forget to nmap yourself. Just type at the command line:
<tt>nmap 127.0.0.1</tt>. This is especially useful and recommended if you're
a newcomer to Linux and connected to the Internet via DSL or cable modem.

<H1>VII. Nmap GUI's</H1>
<p>&nbsp;&nbsp;&nbsp; Now for those of you who would rather not work on
the command line (shame on you) there are graphical front ends for nmap.
<p>&nbsp;&nbsp;&nbsp; <b><u>NmapFE</u></b>&nbsp; - NmapFE, written by Zach
Smith, comes included in the nmap-2.53.rpm and uses the GTK interface.
NmapFE can be found at <a href="http://codebox.net/nmapfe.html">http://codebox.net/nmapfe.html</a>
<p>&nbsp;&nbsp;&nbsp; <b><u>Kmap</u></b>&nbsp; - Kmap, written by Ian Zepp,
is a QT/KDE frontend for nmap and can be found at <a href="http://www.edotorg.org/kde/kmap/">http://www.edotorg.org/kde/kmap/</a>
<p>&nbsp;&nbsp;&nbsp; <b><u>KNmap</u></b> - KNmap, written by Alexandre
Sagal, is another KDE frontend for nmap and can be found at <a href="http://pages.infinit.net/rewind/">http://pages.infinit.net/rewind/</a>

<H1>VIII. Conclusion</H1>
<p>&nbsp;&nbsp;&nbsp; This wraps up our quick and dirty look at nmap.
I hope you find the application as enjoyable as I do. Comments or questions
can be sent to either myself <a href="mailto:jafgon@bright.net">jafgon@bright.net</a>
or <a href="mailto:fyodor@insecure.org">fyodor@insecure.org</a>. Happy scanning.




<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P --> 
<H5 ALIGN=center>

Copyright &copy; 2000, Josh Flechtner<BR> 
Published in Issue 56 of <i>Linux Gazette</i>, August 2000</H5>
<!-- *** END copyright *** -->

<!--startcut ==========================================================-->
<HR><P>
<CENTER>
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->