Quick nmap How-To

By | 2011/10/01

nmap, or network mapper, is an open source command-line program for security auditing. Here is a basic intro!

As always, only scan your own hosts or hosts that you have permission to scan!



To do a simple check of open ports or port filtering, issue:

$ sudo nmap host

stmiller@brahms:~$ sudo nmap scottlinux.com

Starting Nmap 5.21 ( http://nmap.org ) at 2011-10-01 09:43 PDT
Nmap scan report for scottlinux.com (173.230.156.66)
Host is up (0.023s latency).
rDNS record for 173.230.156.66: li166-66.members.linode.com
Not shown: 994 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
465/tcp open  smtps
993/tcp open  imaps

Nmap done: 1 IP address (1 host up) scanned in 4.54 seconds
stmiller@brahms:~$ 

In its default TCP scan, nmap makes what is called a half-open connection, usually called a SYN scan. nmap sends a SYN packet to begin a TCP connection, and the server replies with a SYN-ACK. nmap then does not follow up with an ACK to complete the handshake, but instead records that port as listening (open).


To get a little more fancy, try adding these options:

$ sudo nmap -A -T4 --spoof-mac 0 scanme.nmap.org

-A: Enables OS detection, version detection, script scanning and traceroute

-T(value) is a numerical value between 0 and 5 that sets the timing intensity of the scan:

paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)

If you are concerned about tripping an IDS, use -T0 or -T1, but note this will increase the time it takes to complete the scan.

--spoof-mac with a value of 0 will use a random MAC address. This is of course optional but useful.
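The flip side of the SYN-scan and timing notes above is what the scan looks like from the scanned host: many bare SYNs from one source to many distinct ports, none of them followed by the ACK that completes a handshake. The following is an added example (not code from the original post) of a toy detector run over constructed connection events; the event layout (timestamp, source, destination port, TCP flags) is an assumption, not any real sensor's format. It also shows why the slow timing templates matter to a detector: a per-window count never sees the slow scanner's probes together.

```python
"""Toy SYN-scan detector over constructed inbound TCP events (added example).

Each event is (timestamp_seconds, src_ip, dst_port, flags) as seen by the
scanned host. "S" is a bare SYN, "A"/"PA" means the client completed the
handshake, "R" is the RST a half-open scanner sends after a SYN-ACK.
"""
from collections import defaultdict

# Constructed sample addresses (documentation ranges) and probed ports.
CLIENT = "198.51.100.7"
FAST_SCANNER = "203.0.113.5"
SLOW_SCANNER = "203.0.113.9"
PROBED = [22, 25, 80, 110, 143, 443, 993, 8080]

EVENTS = []
# A legitimate client: full handshake and then data on 443.
EVENTS += [(5.0, CLIENT, 443, "S"), (5.1, CLIENT, 443, "A"), (5.2, CLIENT, 443, "PA")]
# A fast scanner: eight bare SYNs inside one second, RSTs where it got a SYN-ACK.
EVENTS += [(10.0 + i * 0.1, FAST_SCANNER, p, "S") for i, p in enumerate(PROBED)]
EVENTS += [(11.0, FAST_SCANNER, p, "R") for p in (22, 80, 443)]
# A slow scanner: the same ports, one probe every five minutes (T0-style pacing).
EVENTS += [(i * 300.0, SLOW_SCANNER, p, "S") for i, p in enumerate(PROBED)]


def find_syn_scanners(events, min_ports=5, window=60):
    """Return {src: sorted half-open ports} for every source that sent bare
    SYNs to at least `min_ports` distinct ports within one `window`-second
    bucket without ever completing a handshake to them."""
    syn_by_bucket = defaultdict(lambda: defaultdict(set))  # src -> bucket -> ports
    ack_ports = defaultdict(set)                            # src -> ports with a handshake
    for ts, src, dport, flags in events:
        if "S" in flags and "A" not in flags:     # bare SYN: half-open attempt
            syn_by_bucket[src][int(ts // window)].add(dport)
        elif "A" in flags:                        # ACK seen: a real connection
            ack_ports[src].add(dport)
        # RSTs and everything else carry no signal for this heuristic.

    suspicious = {}
    for src, buckets in syn_by_bucket.items():
        flagged = set()
        for ports in buckets.values():
            half_open = ports - ack_ports[src]
            if len(half_open) >= min_ports:
                flagged |= half_open
        if flagged:
            suspicious[src] = sorted(flagged)
    return suspicious


if __name__ == "__main__":
    print("60s window:  ", find_syn_scanners(EVENTS))
    print("3600s window:", find_syn_scanners(EVENTS, window=3600))
```

With the default 60-second window only the fast scanner is reported; the slow scanner's probes fall into eight separate buckets of one port each. Widening the window to an hour catches both, at the cost of more false positives from hosts that legitimately touch several ports over a long period, which is exactly the trade-off the -T0/-T1 note is about.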


Here is an example scan:

stmiller@brahms:~$ sudo nmap -A -T4 --spoof-mac 0 scottlinux.com
[sudo] password for stmiller: 

Starting Nmap 5.21 ( http://nmap.org ) at 2011-10-01 09:40 PDT
Spoofing MAC address 96:56:9A:A9:6B:64 (No registered vendor)
Nmap scan report for scottlinux.com (173.230.156.66)
Host is up (0.030s latency).
rDNS record for 173.230.156.66: li166-66.members.linode.com
Not shown: 995 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh?
25/tcp  open  smtp?
80/tcp  open  http     Apache httpd
| robots.txt: has 13 disallowed entries 
| /cgi-bin /wp-admin /wp-includes /wp-content /author 
|_/wget/ /httpd/ /i/ /f/ /t/ /c/ /j/ /
|_html-title: HTTP Error 403
443/tcp open  ssl/http Apache httpd
| robots.txt: has 13 disallowed entries 
| /cgi-bin /wp-admin /wp-includes /wp-content /author 
|_/wget/ /httpd/ /i/ /f/ /t/ /c/ /j/ /
|_html-title: HTTP Error 403
993/tcp open  imaps?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|webcam|broadband router|WAP|general purpose|printer
Running (JUST GUESSING) : CipherLab embedded (86%), D-Link embedded (86%), Efficient Networks embedded (86%), Hioki embedded (86%), Linux 2.4.X|2.6.X (86%), Panasonic embedded (86%)
Aggressive OS guesses: CipherLab 5100 time and attendance terminal (86%), D-Link DCS-3220 or DCS-5300G webcam (86%), Efficient Networks SpeedStream 5100 ADSL router (86%), Hioki MEMORY HiCORDER 8855 digital oscilloscope (86%), DD-WRT v23 (Linux 2.4.36) (86%), Linux 2.6.18 (86%), Linux 2.6.26 (PCLinuxOS) (86%), Panasonic DB-3500 series printer (86%), Panasonic KX-HCM270 Network Camera (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 11 hops

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   3.86 ms  172.16.1.1
2   30.95 ms 10.15.0.1
3   31.60 ms 172.16.17.1
4   32.46 ms te-1-2.ar01.rkln-ca.wavecable.com (76.14.96.2)
5   68.42 ms 216.55.44.17
6   38.80 ms vb1510.rar3.sanjose-ca.us.xo.net (216.156.0.153)
7   31.33 ms 207.88.14.226.ptr.us.xo.net (207.88.14.226)
8   26.34 ms 206.111.6.166.ptr.us.xo.net (206.111.6.166)
9   ...
10  16.91 ms linode-llc.10gigabitethernet2-3.core1.fmt1.he.net (64.62.250.6)
11  16.02 ms li166-66.members.linode.com (173.230.156.66)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.22 seconds

Ok, so the OS detection did not work so great for my server, but good information is provided, including a quick traceroute.
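Once you scan your own hosts regularly, the useful step is comparing the report against what you intended to expose. Below is an added example (not from the original post or the nmap project) that parses nmap's normal output format into a structured record and flags open ports that are not on an allowlist. The sample text is constructed to match the first scan output shown above, and the allowlist of ports the server is "supposed" to expose is an assumption for illustration.

```python
"""Parse nmap normal output and check it against an exposure allowlist (added example)."""
import re

# Constructed sample in the shape of the post's first scan output.
SAMPLE_OUTPUT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2011-10-01 09:43 PDT
Nmap scan report for scottlinux.com (173.230.156.66)
Host is up (0.023s latency).
rDNS record for 173.230.156.66: li166-66.members.linode.com
Not shown: 994 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
465/tcp open  smtps
993/tcp open  imaps

Nmap done: 1 IP address (1 host up) scanned in 4.54 seconds
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")
# PORT  STATE  SERVICE  [VERSION]; also matches -A lines like "22/tcp open ssh?"
# and "80/tcp open http Apache httpd". NSE script lines start with "|" and are skipped.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Return a dict with host, ip, the 'Not shown' summary and one entry per port line."""
    report = {"host": None, "ip": None, "not_shown": None, "ports": []}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            report["host"], report["ip"] = m.group(1), m.group(2)
            continue
        m = NOT_SHOWN.match(line)
        if m:
            report["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": version,  # None without -sV/-A
            })
    return report


def unexpected_open_ports(report, allowlist):
    """Sorted port numbers that are open but not in allowlist (a set of (port, proto))."""
    return sorted(p["port"] for p in report["ports"]
                  if p["state"] == "open" and (p["port"], p["proto"]) not in allowlist)


# Assumed intended exposure for this example: only ssh and the web ports.
ALLOWLIST = {(22, "tcp"), (80, "tcp"), (443, "tcp")}

if __name__ == "__main__":
    report = parse_nmap_output(SAMPLE_OUTPUT)
    print(report["host"], report["ip"], report["not_shown"])
    print("unexpected open ports:", unexpected_open_ports(report, ALLOWLIST))
```

Against the assumed allowlist the mail ports (25, 465, 993) show up as unexpected, which is the kind of drift a periodic self-scan is meant to surface. For anything beyond a quick check, nmap's own -oX (XML) or -oG (grepable) output is more stable to parse than the human-readable format used here.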

Cool!