What is Nmap?
Nmap (Network Mapper) is a powerful network scanner that lets you discover the hosts and services on a network. It sends specific packets to remote hosts and analyses the responses to map the network. These packets can be standard ICMP/TCP/UDP packets as well as deliberately malformed packets to observe the hosts’ behaviour.
I believe it is very important to keep an eye on what’s going on in your network. As Nmap is one of the basic tools for this kind of job, I decided to spend some time to cover it and harness it in my own projects.
First you need to specify your targets. Nmap is very flexible and accepts different notations for specifying targets:
- Single IP: i.e. 192.168.1.15
- Name: i.e: www.google.com
- List: For example, 192.168.1,2.1,10 will scan 192.168.1.1, 192.168.1.10, 192.168.2.1 and 192.168.2.10. Note that the comma separated values are not ranges but single values
- Range: i.e: 192.168.1.1-10 For ranges hyphen is used as the separator. The start and end values are inclusive. Also one octet can be omitted such as 192.168.-.1. In this case Nmap will scan all IPs from 192.168.0.1 to 192.168.255.1
- CIDR (Classless Inter-Domain Routing): For example 192.168.1.240/29 will scan 8 IPs from 192.168.1.240 to 192.168.1.247
You can use any combinations of these values as a list separated with spaces such as: 192.168.1.42 www.google.com will scan the single LAN IP and Google. You can use -sL parameter to view the target list without scanning them.
In complex scenarios you can use an input file to load the target list by using the -iL flag and providing the file name.
To exclude specific IP addresses –exclude flag is used with the same notations.
Ports can be specified in 2 ways:
- Using -p flag: Single value, comma-separated list, or hyphen-separated values as a range. If just hyphen is specified it scans all ports from 1 to 65535. Also protocol can be specified such as T:80 U:53
- Using nmap-services file: You can refer to a service by name and this file is used to look it up.
Both methods can be used in combinations such as:
nmap -p http*,25,U:53 192.168.1.15
While a scan is running you can an updated status by hitting enter. Also you can save the output results to a file in different formats with the values below following the -o flag:
* N: Normal
* X: XML
* G: Grepable
nmap -v 172.16.1.0/24 -oG output.gnmap
Also a helpful flag is -v for verbose output
An added bonus about using output files is that you can resume a scan by using the –resume flag and specifying the output file name such as
nmap --resume output.gnmap
Basic scanning options
TCP SYN scan (-sS): This is the default option Nmap uses. It’s very fast and can scan thousands of ports per second. It sends a SYN packet to target and if the port is open target sends back a SYN/ACK packet. Thus far it’s just like a normal 3-way TCP handshake but in the final step instead of sending an ACK Nmap sends RST (Reset) packet and cancels the process. Since it has already acquired the information it’s looking for it doesn’t need to establish an actual connection. If the port is closed the target sends a RST packet. SYN scan is very powerful because it’s fast and quiet as it doesn’t create a session. on Linux, it requires root privileges to run it.
TCP connect() Scan (-sT): This one uses a full handshake and opens a session. Then sends a RST packet to close the session. The advantage of this method over SYN scan is that it doesn’t require root privileges. As it opens sessions they are logged so it’s noisies than SYN scan.
Ping scan (-sn formerly known as -sP): This is the quickest scan method.For local subnets it uses ARP (Address Resolution Protocol) to identify active hosts. ARP only works on local subnets so for remote subnets, it uses ICMP echo requests. It also sends a TCP ACK packet to port 80 which is completely unexpected for the host as it’s just sent out of the blue. So the host sends a RST packet to end connection (as it’s the right thing to do!) but that helps Nmap to identify there is a host up with that address. This scan is only helpful to identify hosts rather than ports and services.
UDP scan (-sU): This is the only scan that can identify open UDP ports. Since there’s no handshake the overhead is lower compared to TCP scan. When a port is closed the target returns ICMP port unreachable packet so this may increase the number of packets. Like SYN scan it requires privileged access.
In total there are lots of scanning options. You can find the full list here
OS and Service Version Detection
To detect version -sV flag is used. An intensity level between 0-9 can be specified. Default is 7
nmap -sV --version-intensity 9 172.16.1.10
Versioning can be useful in some cases but also significantly increases the scan time.
For operating system detection -O flag can be used
nmap -O -v 172.16.1.10
If you are concerned about being detected when scanning the network
- You might be doing something nasty!
- You might consider using timing categories so add some delay between each packets to evade IDSs
There are 6 categories that can be specified by T flag followed by a number from 0 to 5. Alternatively you can use the templates’ names:
- paranoid (0)
- sneaky (1)
- polite (2)
- normal (3)
- aggressive (4)
- insane (5)
With “Paranoid” template Nmap will wait 5 minutes between each probe making the total scan time very very long. “Insane” will speed up the process to a point that the delay is down to 5ms. So be careful which option you use. There are many more flags for tailoring the scans to your performance requirements: http://nmap.org/book/man-performance.html
Nmap comes with an embedded Lua interpreter which is the core of its scripting engine.
By using -sC flag all scripts in the default category can be executed such as
nmap -sC -p www.google.com
There are lots of scripts which can be found at NSE(Nmap Scripting Engine) documentation page
For example there is a script to scan OpenSSL Heartbleed vulnerability. It can be executed as follows:
nmap -p 443 --script ssl-heartbleed <target>
On my machine this script was blocked by Norton!
So be careful which script to run. Your intentions may be misinterpreted if you are running them against systems that you are not authorized.
Nmap is one of the core tools that hackers (white or black hat) use. So it has many more options geared towards attacking and being stealthy. You can spoof your IP address, use idle stations to avoid detection etc. I left out many of those options as my intention for studying Nmap is discovering devices on my network so that I can take action if any unknown devices appear. Based on these notes I will develop a simple script/applicaton to find out if anything fishy is going on in my network. I’ll blog about it when it’s ready. Stay tuned!