Nmap -- The Art of Scanning ( basic techniques and concepts )
-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Disclaimer: This little tutorial is for educational purposes only. Using it to break into machines, or to scan machines you do not own or have no permission to test, is at your own risk. This is just a synthesis of everything I have read on insecure.org, so don't expect anything new here; my advice is to go and read Fyodor's site itself.

Preamble: Nmap has become the leader among the port scanners out there. Nmap is native to Unix, but ports for other OSes such as Windows exist. The most wonderful thing about nmap is that it is open source, licensed under the GNU GPL version 2, so anybody can read and modify the source.

Examples And Conception Explanations:

Nmap's way of working ( the concept of a port scanner ): There are plenty of security scanners out there and each one has a different concept. Here come the basic ones. You have a machine; the machine has ports ( ports are a sort of virtual door through which the network data flows ). TCP and UDP ports are numbered from 0 to 65535. Each port has a state. In nmap's terms a port is open ( something is listening there ), closed ( the host answered, but nothing is listening ) or filtered ( a firewall or filter swallowed the probe, so nmap cannot tell whether anything is listening ); some scan types also report unfiltered, open|filtered or closed|filtered when they cannot narrow it down further.

To check a box's security you basically need to enumerate all the services running there, the ports they are mapped to, their versions etc. Doing that and then checking those versions against the security bulletins gives you some basic degree of assurance that you have strengthened security and that the risk of getting hacked by an automated worm / program, or by a human attacker ( most of whom are script kiddies ), is much lower.

You can do a few types of scans to figure out the state of a machine. The basic ones are the TCP scan, the UDP scan and the ICMP ( ping ) scan; the last one is really host discovery, it tells you which hosts are up rather than which ports are open, so it is used much less and its results are not comparable to the other two. These scans differ in the protocol they probe. There are other types of scan that differ in the way the protocol is probed.
Examples of those are the don't-ping scan, the stealth ( SYN ) scan, the Xmas scan, the decoy scan etc. The simplest scan you can do is nmap 127.0.0.1. This runs a simple scan against your localhost over nmap's default port list, which comes from nmap's own nmap-services file ( the most commonly used ports; current releases take the top 1000 ), not from /etc/services. Of course a real scan session is much more sophisticated and there are lots of options you can use with nmap; since it started being developed its scanning possibilities have grown far beyond that.

For example if you need more output from the scan you can use nmap's verbosity flag ( -v ) or double verbosity ( -vv ). You won't need double verbosity most of the time; real debugging output is a separate flag ( -d ). So a verbose scan looks like nmap -v 127.0.0.1 and a very verbose one like nmap -vv 127.0.0.1.

Of course these types of scans are quite noisy, so scanning like that is not the best thing you can do. Most of the time you are supposed not to wake up IDSes, firewalls or whatever is watching, and this is where the stealth scan comes in handy. The stealth scan ( SYN or "half-open" scan, -sS ) never completes a TCP connection with the scanned box: it just sends packets with the SYN flag set and watches the replies. A SYN/ACK back means the port is open ( nmap then answers with a RST instead of finishing the handshake ), a RST means closed, and no answer or an ICMP unreachable means filtered. Because the handshake is never completed, the application listening on the port never sees a connection and does not log one. Keep in mind that an IDS sniffing the wire still sees every SYN, so the "stealth" is only relative to application logs. A simple scan of that type with verbosity enabled looks like nmap -sS -v 127.0.0.1.

Of course this is not enough to stay away from the IDS, since before scanning nmap tries to determine whether the host is up by pinging it. Some IDSes / firewalls register that and filter all ports for your address, or do other unfriendly stuff such as adding rules to the attacked box's firewall or executing custom programs that alert the system administrator. All this can be avoided with the -P0 flag ( newer releases spell it -Pn; -P0 is still accepted ), which tells nmap not to ping the target before scanning and to treat it as up. That type of scan looks like nmap -sS -P0 -v 127.0.0.1.
Most of the time you'll need to log your scanning session for later analysis; this is done with nmap's output options. Nmap can produce different types of scanning output, XML for example ( -oX ), "grepable" output for scripts ( -oG ), or all formats at once into files sharing one basename ( -oA ). I like plain text output, which the -oN option produces ( "normal" output; the bare -o spelling is no longer documented in current releases ); it takes the filename to write to as argument. Here is a little example of a stealth scan with don't-ping, verbosity on and the session written to the file scan-127.0.0.1:

nmap -sS -P0 -v 127.0.0.1 -oN scan-127.0.0.1

This does a TCP scan, of course, which is the default behaviour of nmap. When scanning more than one box it is a good idea to add the --randomize-hosts flag ( nmap 3 spelled it --randomize_hosts ), which makes the scan harder for IDS rules to correlate: nmap then scans the hosts in a random order instead of by increasing IP address. Here is how such a scan would be done:

nmap -sS -P0 -v --randomize-hosts 127.0.0.1-255 -oN scan-127.0.0.1-255

Nmap 3 could also do an ident scan ( the -I flag ), which is nice for finding out with what privileges a remote daemon ( service ) is running, for example:

nmap -sS -P0 -v -I 127.0.0.1 -oN scan-127.0.0.1

Of course for this type of scan the remote node must be running pidentd or some other standard identd, which almost nobody does any more, and newer nmap releases have dropped the option altogether.

Sometimes you'll need to identify the remote OS type, and this is done with the ( -O ) flag. Here is how we can try to determine the remote OS:

nmap -sS -P0 -v -O 127.0.0.1 -oN scan-127.0.0.1

Have in mind that this type of scan needs raw sockets, so you need root privileges to use it, which is the case with the ( -sS ) option too ( without root you are limited to the connect scan, -sT, which completes the handshake and so gets logged by the service ).

Nmap's possibilities go far beyond all that. You can use nmap to scan whole ranges of IPs if you're administrating a bunch of boxes and need to check the machines' open / closed / filtered ports, the service versions and everything.
A scan of a whole range of IPs is very intuitive; here comes a little example of such a task:

nmap -sS -P0 -v -O 192.168.0.1-255 -oN scan-192.168.0.1-255

This scans the class C ( /24 ) range starting at 192.168.0.1 and ending at 192.168.0.255. Of course a class B ( /16 ) scan is done in the same manner, with a range in the third octet as well:

nmap -sS -P0 -v 192.168.0-255.1-255 ...

It is also possible to use an asterisk instead of a hyphen. Here I'll demonstrate that too; note the quotes, otherwise the shell tries to expand the asterisk as a filename wildcard:

nmap -sS -P0 -v '192.168.0.*' -oN scan-192.168.0.1-255

CIDR notation ( 192.168.0.0/24 ) works as well.

We know the basic concepts now, so let's put in some more explanation. First, the ( -O ) option, or OS scan flag, is based on a technique that was introduced by another security tool called queso. It works on the principle of signatures ( fingerprints ): each OS's TCP/IP stack answers nmap's crafted probes in a characteristic way, and nmap matches those answers against its fingerprint database to identify the OS. Nmap stores that database in a file of its own, nmap-os-fingerprints in nmap 3 ( typically under /usr/local/share/nmap/ ) and nmap-os-db in current releases; the /usr/local/share/ettercap/nmap-os-fingerprints file you may also find on your disk is ettercap's own copy, not nmap's. The process of adding a new signature is pretty straightforward: open the file and take a look at the format, or even better submit the fingerprint nmap prints for an unknown OS to insecure.org, so it can be added to the database for future nmap releases. I'll stop with the fingerprint database explanation and let you read more about that on insecure.org, and say a few words about the types of identification.

The oldest one, for historical reasons, is banner grabbing. It relies on the banners that services return when you connect to their ports or send them specific queries. Nmap uses both methods, stack fingerprinting for the OS and banners / probes for the services, and most of its service guesses are fairly accurate. Of course keep in mind that banners can easily be faked to return false versions. Talking about banner grabbing, I should say that since the nmap 3.45 release there is a new nmap option, ( -sV ).
It adds service version detection to nmap: after the port scan nmap connects to each open port, sends it probes from its nmap-service-probes file and matches the responses ( the banner, or the answer to a protocol-specific query ) against its signatures in order to name the service and its version. It is more than plain banner grabbing, but a faked banner can still fool it. Here is a real example of such a scan:

nmap -sS -P0 -v -sV -I --randomize-hosts 192.168.0.1-255 -oN scan-192.168.0-range

This statement says: scan the TCP ports from nmap's default list on the IPs 192.168.0.1 to 192.168.0.255, verbosely, don't ping the hosts before scanning, scan them with the stealth method ( a.k.a. SYN scan ), try to find out the service owners ( -I ), try to determine the service versions ( -sV ) and take the hosts in random order ( a.k.a. don't scan incrementally ).

Sometimes you'll need to scan the UDP ports of a box, because some services, backdoors and hackers use UDP for their evil plans ;]. You'll need to be root for that because the UDP scan ( -sU ) uses raw sockets: nmap sends raw UDP datagrams and must sniff the ICMP port-unreachable replies that mark a port as closed ( a port that stays silent is reported open|filtered, since an open UDP service usually does not answer an empty datagram ). The task can be accomplished like this:

nmap -sS -P0 -sU -sV -I --randomize-hosts -r 192.168.0.1-10 -oN scan-192.168.0.1-10

( -r makes nmap scan the ports in sequential instead of random order. ) Don't count on this scan going unnoticed: TCP and UDP together over ten hosts is a lot of packets, and the version probes complete real connections, so a decent IDS / firewall will see it.

Another handy and little-known option of old nmap releases is the ( -q ) flag, which does something really fun. It changes the process name nmap shows in the local process list to "pine", so on the machine you scan from it looks like someone is reading mail with pine. Note what that does and does not buy you: it only hides nmap from someone looking at ps on your own box; nothing about the packets on the wire changes, and the option is gone from current releases. A firewall / IDS on the other end will catch the scan simply by registering a lot of connection requests from a single IP address. That's why good old Fyodor ( the nmap developer ) has implemented a great option which lets you specify the speed of the scanning. This is done via the ( -T ) option; here are the possible timing templates ( -T ):
-T0 / Paranoid is slow as hell but the stealthiest; -T1 / Sneaky is a little faster; -T2 / Polite is slower than Normal and eases the load on the network; -T3 / Normal is the default; -T4 / Aggressive would wake up all the kids in the house; and -T5 / Insane is only for very fast, reliable networks, it sacrifices accuracy and can possibly upset fragile boxes such as Windows 95 / 98 with their weak TCP/IP implementations. Both spellings work ( -T Sneaky or -T1 ).

Sometimes backdoored / rootkitted boxes have a trojan that listens on a port and spawns the hacker a shell on connection, after asking for a secret word or something. Hackers' backdoors often pick port numbers that are rarely used and are not in nmap's default port list. Identifying such backdoors needs a complete port scan of the box, and since nmap doesn't scan all ports by default this has to be done by specifying exactly which ports to scan, in our case all of them. This is done with the ( -p ) flag. Here comes an example of a complete scan of the whole machine ( e.g. all TCP ports ):

nmap -sS -P0 -v -I -sV -p 0-65535 192.168.0.1 -oN scan-192.168.0.1

This scans all the ports on the 192.168.0.1 box from 0 to 65535; you can scan a smaller range in the same manner. Here is another example:

nmap -sS -P0 -v -I --randomize-hosts -sV -p 0-1024 192.168.0.1 -oN scan-192.168.0.1 -q

This scans 192.168.0.1 with a stealth scan, won't ping the box before scanning, scans the TCP ports from 0 to 1024 ( in random port order, which is nmap's default anyway; --randomize-hosts only matters when there is more than one host ), checks the service banners, saves the output to the file scan-192.168.0.1 and makes nmap show up as the "pine" mail reader in the local process list. Specifying all ports can be done with ( -p 0-65535 ), or shorter with ( -p 1- ), which means "scan all ports starting at 1 up to the last possible port", 65535 ( newer releases also accept plain -p- ). Port 0 is only scanned if you ask for it explicitly with 0- or 0-65535. If you need specific ports and not a range, separate them with commas.
Another example would be:

nmap -sS -P0 -v --randomize-hosts -sV -p 1,10,11,13,21,23,25,80,110,113 192.168.0.1 ...

Another interesting nmap feature is hiding your scan among fake sources to confuse the IDS / administrators of a box, so that there are no straight traces pointing particularly to you. This technique is called decoy scanning. The idea behind it is that nmap sends every probe packet more than once: once from your real address and once for each decoy with the decoy's address forged as the source. The target sees the same scan arriving from several hosts at once and cannot tell which of them is real; the replies to the forged packets go to the decoys, which never sent anything and simply drop them. It is not a SYN flood of the decoys, but the decoy hosts do need to be up: a dead decoy never answers the target's SYN/ACKs with a RST, so you may accidentally SYN flood the target with half-open connections, and the target's admin can spot the real scanner easily if only one of the listed sources is actually alive. Decoys cannot be used with the connect scan ( -sT ) or with version detection ( -sV ), because those complete real connections. Many routers and ISPs ( probably most on the net now ) drop packets with forged source addresses at their border and may log such attempts, so BEWARE this feature! Be absolutely sure what you are doing before starting to use it.

The "zombie host" you may have heard about belongs to a different nmap scan, the idle scan ( -sI ), where the whole scan is bounced off a third host by watching its IP ID counter. That only works with a zombie whose IP ID increases predictably: Windows 95 / 98, old-school IRIX, BSDI and similar old unices qualify, while current Linux and BSD releases do not. For a plain decoy scan the decoys only need to be reachable.

Decoy scans, although good as a concept, are not very commonly used nowadays and will probably get you into more trouble than they make you stealthy, so my advice is not to use them. Nevertheless, if you are sure that type of scan would help, you can use the ( -D ) flag and start nmap with options like:

nmap -sS -P0 -v -D ip_of_decoy,ip_of_decoy1,ME,ip_ofdecoy2 ...

In this example ME stands for the IP of the box you scan from. It is a good idea not to put the "ME" argument in an obvious position ( don't put it at the beginning or the end of the list ).

Another nice feature you can be happy about when using nmap is the scan continuation option. Yes, scan continuation is possible with nmap. It comes in handy if you have been scanning some hosts and accidentally hit ctrl+c and interrupted the scan session.
But don't worry, resuming the scan session is as simple as giving nmap the ( --resume logfile ) option; this works with a normal ( -oN ) or grepable ( -oG ) log of the interrupted scan ( not with XML ), and nmap picks up after the last host recorded in it.

Knowing all that, you will probably want to do security audits over your network on a daily basis. So I'm assuming you have a list of IPs and you want to scan those IPs every day to check the state of their services; this is accomplished easily through the ( -iL ) option. Open a text file, put the IPs there ( any nmap target spec, ranges and CIDR included, separated by spaces or newlines ), then run nmap with an option like:

nmap -iL filename-with-ips

and go watch Cartoon Network 'till the scan is over :-]. That's it. Now take this nifty nmap and start experimenting with it. All you've read above should be enough for you to start using nmap seriously, researching your company's machines and networks and having a great time with the security audits. Have in mind that this is not supposed to be a complete nmap guide but just a quick-start sort of tutorial. Nmap can do much more than everything explained here; just check out Fyodor's great security site http://www.insecure.org and read more about nmap there, or check out the nmap manual page, which is full of explanations and examples.

Final author notes: Really sorry for my poor English and for anything you don't like in my explanations, but I'm a lame English speaker, no way around it. As final words I can say that people should take much care of their computers, especially their level of security, and have in mind that most of humanity's work is done on / depends on computers and electronic systems nowadays. Neglected security of a system could cost you anything from human lives to financial loss and all the other bad stuff you can imagine. By the way, greetings for the inspiration to write this go especially to Fyodor, to all the open source hackers around the world and, not in the last place, to all the people that know me and respect me. I hope you've enjoyed this document as much as I've enjoyed writing it.
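Three places above leave the reader with log files and no way to read them back: logging a session with -oN / -oG / -oA, the full -p 1- port scan for hunting a backdoor listener, and the daily -iL audit of a target list. The shell script below is an added example, not part of hip0's tutorial and not code from the nmap project. It builds the daily audit command line ( printed rather than executed, using the newer -Pn and --randomize-hosts spellings ), parses nmap's grepable ( -oG ) format, lists open ports nmap could not put a service name to, and reports which ports opened or closed between yesterday's and today's log. The host addresses, ports and both log files are constructed sample data written by the script itself, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of hip0's tutorial): post-process nmap's grepable
# logs (-oG / -oA) to hunt for unexplained listeners and to diff daily scans.
# Host addresses, port lists and file names below are constructed sample data.
set -eu
export LC_ALL=C

# Build the nmap command line for a daily audit of the hosts in a target file:
# SYN scan, no ping, version detection, every TCP port, random host order,
# all three output formats under one basename. Printed, not executed, so the
# caller can review it (nmap -sS / -O / -sU need root).
scan_cmd() {
    targets=$1 ; base=$2
    printf 'nmap -sS -Pn -v -sV -p 1- --randomize-hosts -iL %s -oA %s\n' "$targets" "$base"
}

# Emit "host port/proto state service" for every port entry in an -oG file.
# Grepable port entries look like 22/open/tcp//ssh/// and are comma-separated
# after "Ports:"; nmap leaves the service field empty when it has no name.
gnmap_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            host = $2
            rest = substr($0, index($0, "Ports: ") + 7)
            sub(/\t.*/, "", rest)                 # drop "Ignored State: ..." etc.
            n = split(rest, entry, /, /)
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")           # port/state/proto/owner/service/...
                svc = (f[5] == "") ? "unknown" : f[5]
                printf "%s %s/%s %s %s\n", host, f[1], f[3], f[2], svc
            }
        }' "$1"
}

# Only the open ports, sorted so the lists can be fed to comm(1).
open_ports() {
    gnmap_ports "$1" | awk '$3 == "open" { print $1, $2, $4 }' | sort
}

# Open ports nmap could not name: the odd high port a backdoor tends to pick.
unknown_listeners() {
    open_ports "$1" | awk '$3 == "unknown" { print $1, $2 }'
}

# Ports that appeared (NEW) or vanished (CLOSED) between two scans of the same
# target list, e.g. yesterday's and today's -oA logs.
diff_open_ports() {
    old=$(mktemp) ; new=$(mktemp)
    open_ports "$1" > "$old"
    open_ports "$2" > "$new"
    comm -13 "$old" "$new" | sed 's/^/NEW    /'
    comm -23 "$old" "$new" | sed 's/^/CLOSED /'
    rm -f "$old" "$new"
}

# Constructed sample logs in grepable format (fields are tab-separated).
write_samples() {
    dir=$1
    {
        printf '# nmap scan (constructed sample) as: nmap -sS -oG yesterday.gnmap -iL targets.txt\n'
        printf 'Host: 192.168.0.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 113/closed/tcp//auth///\tIgnored State: closed (65532)\n'
        printf 'Host: 192.168.0.11 ()\tPorts: 25/open/tcp//smtp///, 110/filtered/tcp//pop3///\n'
    } > "$dir/yesterday.gnmap"
    {
        printf 'Host: 192.168.0.10 ()\tPorts: 22/open/tcp//ssh///, 31337/open/tcp/////\n'
        printf 'Host: 192.168.0.11 ()\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///\n'
    } > "$dir/today.gnmap"
}

# Stand-alone demo over the constructed logs.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    scan_cmd targets.txt "scan-$(date +%Y%m%d)"
    echo "--- unexplained listeners today:"
    unknown_listeners "$dir/today.gnmap"
    echo "--- changes since yesterday:"
    diff_open_ports "$dir/yesterday.gnmap" "$dir/today.gnmap"
    rm -rf "$dir"
}
demo
```

On the sample data the demo flags 31337/tcp on 192.168.0.10 as an unnamed listener and reports it and 110/tcp on 192.168.0.11 as NEW, with 80/tcp on 192.168.0.10 as CLOSED. In real use, feed the .gnmap files that -oA writes for two consecutive days; the same parser serves a single full-port scan, where any unexpected NEW or unknown entry is what you go and explain.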
written by hip0 - 09.07.2004 -=-=-=-=-=-=-=-=-=-=-=-=-==- - Fixed some typing and spelling errors 08.12.2004. Copylefted under the current GPL.