Tuesday, February 23, 2010

How to use the Nmap security scanner

Nmap is a "Network Mapper", used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network even though such services do not advertise themselves with a service discovery protocol. In addition, Nmap may be able to determine various details about the remote computers. These include the operating system, device type, uptime, the software product used to run a service and its exact version number, the presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.

Nmap features include:

- Host Discovery: identifying computers on a network, for example listing the computers which respond to pings, or which have a particular port open
- Port Scanning: enumerating the open ports on one or more target computers
- Version Detection: interrogating network services listening on remote computers to determine the application name and version number
- OS Detection: remotely determining the operating system and some hardware characteristics of network devices

Typical uses of Nmap:

- Auditing the security of a computer, by identifying the network connections which can be made to it
- Identifying open ports on a target computer in preparation for auditing
- Network inventory, network mapping, maintenance, and asset management
- Auditing the security of a network, by identifying unexpected new servers

Nmap options (as listed by nmap -h)

TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -P0: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idlescan
  -sO: IP protocol scan
  -b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast - Scan only the ports listed in the nmap-services file
  -r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
  -O: Enable OS detection (try 2nd generation w/fallback to 1st)
  -O2: Only use the new OS detection system (no fallback)
  -O1: Only use the old (1st generation) OS detection system
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T[0-5]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <time>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
      and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
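The -p syntax in the option list above (single ports, ranges with either end omitted, and T:/U: prefixes that stay in effect until the next prefix) is compact but easy to get wrong when you maintain a list of ports that a scan is allowed to touch. The Python script below is an added example written for this post, not code from Nmap: it expands a -p spec into explicit per-protocol port sets and collapses such sets back into a normalized spec string. It assumes that items without a prefix are TCP ports, and it does not handle service names (-p http) or the S:/P: prefixes for SCTP and IP protocols.

```python
"""Expand and normalize Nmap -p port specifications.

Added example, not code from the original post or from the Nmap project.
Assumption: unprefixed items are TCP; names and S:/P: prefixes unsupported.
"""
import re
from typing import Dict, Set

MAX_PORT = 65535
# "22", "21-25", "-1024" (1..1024), "1024-" (1024..65535) or "-" (everything)
_ITEM = re.compile(r"^(\d*)(?:-(\d*))?$")


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Expand e.g. 'U:53,111,137,T:21-25,80' into {"T": {...}, "U": {...}}."""
    result: Dict[str, Set[int]] = {"T": set(), "U": set()}
    proto = "T"  # assumption: items before any prefix are TCP ports
    for raw in spec.split(","):
        item = raw.strip()
        if ":" in item:
            prefix, item = item.split(":", 1)
            prefix = prefix.strip().upper()
            if prefix not in result:
                raise ValueError("unsupported protocol prefix %r in %r" % (prefix, raw))
            proto = prefix  # a prefix applies to every following item
        if item == "":
            raise ValueError("empty port item in %r" % spec)
        match = _ITEM.match(item)
        if match is None:
            raise ValueError("malformed port item %r" % raw)
        lo_s, hi_s = match.group(1), match.group(2)
        if hi_s is None:                       # single port
            lo = hi = int(lo_s)
        else:                                  # range; either end may be omitted
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("port range %r is out of order or out of bounds" % raw)
        result[proto].update(range(lo, hi + 1))
    return result


def to_spec(ports: Dict[str, Set[int]]) -> str:
    """Collapse expanded port sets back into a sorted, compact -p string."""
    parts = []
    for proto in ("T", "U"):
        nums = sorted(ports[proto])
        if not nums:
            continue
        ranges = []
        start = prev = nums[0]
        for n in nums[1:]:
            if n == prev + 1:          # still contiguous, extend the range
                prev = n
                continue
            ranges.append((start, prev))
            start = prev = n
        ranges.append((start, prev))
        parts.append(proto + ":" + ",".join(
            str(a) if a == b else "%d-%d" % (a, b) for a, b in ranges))
    return ",".join(parts)


if __name__ == "__main__":
    expanded = parse_port_spec("U:53,111,137,T:21-25,80,139,8080")
    print("TCP:", sorted(expanded["T"]))
    print("UDP:", sorted(expanded["U"]))
    print("normalized:", to_spec(expanded))
```

Feeding a spec through parse_port_spec and to_spec gives a canonical form, which makes two specs written differently easy to compare, and the bounds check rejects reversed ranges and ports above 65535 before they reach a scan.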

How to use NMAP

1. How to scan your network to see which hosts are up:

nmap -sP (scans the given address range to see which hosts are up)
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:05 EET
Host is up (0.0010s latency).
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Host is up (0.00021s latency).
MAC Address: 00:24:8C:5D:EC:6C (Asustek Computer)
Host is up.
Host is up (0.0013s latency).
MAC Address: 08:00:27:C1:3B:9D (Cadmus Computer Systems)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.88 seconds

2. Now we scan using a SYN scan [-sS] and -A to enable OS fingerprinting and version detection. The results will be saved in a file named nmap.log.

nmap -sS -A -oN nmap.log

Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:12 EET
Interesting ports on
Not shown: 998 closed ports
80/tcp   open  http    Linksys WRT54GL wireless-G router http config
|_ html-title: 401 Unauthorized
|  http-auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = WRT54GL
5431/tcp open  http    Belkin/Linksys wireless router http config (Linux 2.4; UPnP 1.0; BRCM400 1.0)
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Network Distance: 1 hop
Service Info: Devices: WAP, router

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

3. How to scan a host for open ports, network services, OS version and IP ID sequence:

nmap -sS -P0 -A -v

Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:38 EET
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 19:38
Scanning [1 port]
Completed ARP Ping Scan at 19:38, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:38
Completed Parallel DNS resolution of 1 host. at 19:38, 0.05s elapsed
Initiating SYN Stealth Scan at 19:38
Scanning [1000 ports]
Discovered open port 22/tcp on
Completed SYN Stealth Scan at 19:38, 1.41s elapsed (1000 total ports)
Initiating Service scan at 19:38
Scanning 1 service on
Completed Service scan at 19:38, 0.05s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against
Retrying OS detection (try #2) against
Retrying OS detection (try #3) against
Retrying OS detection (try #4) against
Retrying OS detection (try #5) against
NSE: Script scanning
NSE: Starting runlevel 1 scan
Initiating NSE at 19:38
Completed NSE at 19:38, 0.24s elapsed
NSE: Script Scanning completed.
Host is up (0.00085s latency).
Interesting ports on
Not shown: 999 closed ports
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (protocol 2.0)
|  ssh-hostkey: 1024 51:08:cd:ba:ad:5a:4d:87:20:5b:41:ee:f2:34:80:e5 (DSA)
|_ 2048 a2:7c:9e:22:7e:9c:3f:2e:7d:46:d6:1a:29:f1:c2:c8 (RSA)
MAC Address: 08:00:27:C1:3B:9D (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 0.004 days (since Tue Feb 23 19:33:04 2010)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=197 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
           Raw packets sent: 1103 (52.340KB) | Rcvd: 1076 (46.596KB)
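Reading scan output by eye works for a handful of hosts, but the "identifying unexpected new servers" use case from the list above needs something repeatable. The Python script below is an added example, not code from this post or from the Nmap project: it parses normal-format (-oN) output like the listings above into a host-to-open-ports inventory and diffs it against an approved baseline, reporting open services the baseline does not list and live hosts the baseline does not know. SAMPLE_SCAN and BASELINE are constructed to mirror the format shown above; every address, hostname, MAC and service in them is made up. To use it on a real scan, read nmap.log into parse_normal_output.

```python
"""Build a host/port inventory from Nmap normal-format (-oN) output and flag
open services that an approved baseline does not list.

Added example; not code from the original post or from the Nmap project.
SAMPLE_SCAN is constructed to mirror the format of the listings above
(Nmap 5.00 "Interesting ports on" headers, the later "Nmap scan report for"
header, ping-scan "Host <ip> is up" lines); all values in it are made up.
"""
import re
from typing import Dict, Optional, Set, Tuple

Inventory = Dict[str, Set[Tuple[int, str]]]  # ip -> {(port, "tcp"|"udp"), ...}

_IP = r"\d+(?:\.\d+){3}"
# Header forms: "Interesting ports on 192.0.2.1:", "Nmap scan report for
# host2 (192.0.2.20)", "All 1000 scanned ports on 192.0.2.30 are closed",
# "Host 192.0.2.30 is up (0.0013s latency)."
_HOST_HEADER = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for|All \d+ scanned ports on|Host) "
    r"(?:(?P<name>\S+) \((?P<ip1>%s)\)|(?P<ip2>%s))" % (_IP, _IP)
)
# Port table rows: "80/tcp   open  http    Linksys WRT54GL ..."
_PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_normal_output(text: str) -> Inventory:
    """Map every host seen to its open (port, proto) pairs.
    Hosts that are up but have nothing open map to an empty set."""
    inventory: Inventory = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = _HOST_HEADER.match(line)
        if header:
            current = header.group("ip1") or header.group("ip2")
            inventory.setdefault(current, set())
            continue
        row = _PORT_LINE.match(line)
        if row and current is not None and row.group("state") == "open":
            inventory[current].add((int(row.group("port")), row.group("proto")))
    return inventory


def unexpected_services(found: Inventory, baseline: Inventory) -> Inventory:
    """Everything open in `found` that `baseline` does not approve.
    A host absent from the baseline is reported even with no open ports,
    since an unknown live host is itself worth a look."""
    report: Inventory = {}
    for ip, ports in found.items():
        extra = ports - baseline.get(ip, set())
        if extra or ip not in baseline:
            report[ip] = extra
    return report


# Constructed sample in the style of the listings above (all values made up).
SAMPLE_SCAN = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:12 EET
Interesting ports on 192.0.2.1:
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Linksys WRT54GL wireless-G router http config
5431/tcp open  http    Belkin/Linksys wireless router http config
MAC Address: 00:00:5E:00:53:01 (Example Vendor)
Interesting ports on host2 (192.0.2.20):
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.1.37
Host 192.0.2.30 is up (0.0013s latency).
All 1000 scanned ports on 192.0.2.30 are closed
Nmap done: 3 IP addresses (3 hosts up) scanned in 15.74 seconds
"""

# Constructed baseline: what the network owner expects to be listening.
BASELINE: Inventory = {
    "192.0.2.1": {(80, "tcp")},
    "192.0.2.20": {(22, "tcp")},
}

if __name__ == "__main__":
    findings = unexpected_services(parse_normal_output(SAMPLE_SCAN), BASELINE)
    for ip in sorted(findings):
        ports = ", ".join("%d/%s" % p for p in sorted(findings[ip])) or "(no open ports)"
        label = "new host" if ip not in BASELINE else "unexpected"
        print("%-12s %-10s %s" % (ip, label, ports))
```

Run against the sample, the script reports the second HTTP listener on the router, the MySQL service on host2, and the unknown third host. Keeping the baseline under version control and running the diff after each scheduled -oN scan turns the one-off audit from this post into a routine check.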