Advanced Nmap: A Recap

A Recap

This final article in the series consolidates information from the previous articles, looks at NMap’s future possibilities, and at the new tools from the development team.

Beginning its life as a simple port-scanner, Nmap has evolved into an excellent network security auditing tool. The Nmap website now describes it as a free and open source utility for network exploration or security auditing.

Like most open source utilities, Nmap is released under the GNU GPL license (free to use, modify, and distribute). Interested users can download the latest version for their OS and start using it. All versions have the same command-line syntax and the same GUI; the only differentiator is a person’s knowledge of how to use it to scan/audit the network.

Understanding the various command-line options should help you use the tool in the most effective way. For example, while demonstrating the Nmap Scripting Engine capabilities at Black Hat 2010, the following steps were performed live:

  1. Tracking a live Web cam installed on an unknown public IP.
  2. Brute-forcing its username/password to gain access.
  3. Watching the live video displayed.

The seemingly impossible feat was performed in less than 15 minutes. Sure, it is definitely not easy to achieve this kind of expertise, but to effectively master Nmap for everyday use should not be too difficult.

Nmap command-line options

If you run nmap without any switches, it gives you a list of all available command-line options. These are logically classified as shown in Table 1.

Table 1: A summary of NMap commands
Scan switch Utilisation
Target specification You can specify the target in various intuitive ways: by directly specifying the hostname/IP address; or by giving the start and end addresses to specify a range. You can also pass a list of IP addresses to Nmap using the -iL switch, followed by the name of the file containing the IP list. You may also exclude hosts with the --exclude <hostname(s)> switch.
Host discovery From a wide range of hosts to be scanned, you will probably be interested in finding specific hosts, depending on the reason for the scan. Nmap has various host-discovery techniques; some of the important ones are:

  • -sL, which will list the hosts to be scanned, but won’t perform an actual scan.
  • -PS, which will perform a TCP SYN scan by sending a SYN packet to the destination host, by default, on port 80. If an RST is received, it indicates a closed port. No reply indicates a filtered port, and an ACK response indicates an open port
  • Similarly, -PA (ACK ping), -PR (ARP ping), -PU (UDP Ping) are also available.
  • While scanning internal networks, in particular, the -n option that disables the DNS resolution of IP addresses, may come in handy.
Scan techniques Nmap supports various scan techniques: -sS for a SYN scan; -sP for a ping scan; -sU for a UDP scan; -b for an FTP Bounce scan; and -sI for an idle scan, using a zombie host.
Port specifications By default, Nmap scans the 1,000 most common service ports. The --top-ports n switch overrides this default setting with n. The -F switch reduces the most common scanned ports to 100. The following option is very useful if only predetermined ports are required to be scanned: -p U:portnumbers T:portnumbers
Service/version detection When services are running on non-standard ports, a version detection scan (-sV) on that particular port may provide an excellent option to detect what service it is. To run this scan on all ports, use --allports.
Script scan As mentioned on nmap.org, NSE is Nmap’s most powerful and flexible feature. Users can write scripts in the Lua programming language for automated scanning. Nmap version 5.50 has 177 ready-made NSE scripts in various categories, including discovery, DoS exploits, version-detection and a few more. Some  of the intrusive category scripts may crash the target system or use up significant resources on the host.
Operating system detection The -O option does operating system “fingerprinting”. Nmap version 5.50 has 2,982 OS fingerprints and 7,319 version-detection signatures.
Timings Though often neglected, adjusting scan time is very important in effective network scanning. Consider two scenarios:

  • When scanning a large number of hosts, fine-tuning scan timing is essential. For example, scanning a Class B IP address range (up to 65,535 addresses) may require significant time. The possible options to use here are: --min-rtt-timeout, --max-rtt-timeout and --host-timeout.
  • To scan devices deployed with IDS/IPS, only a few probes may be allowed in a certain interval; --scan-delay may be used here.
Firewall/IDS evasion and spoofing -f does fragmentation; -D ip_list sets up decoy hosts. -S ip_addresses does spoofing of source IP address, while --source-port portnumber spoofs source port numbers.
Output Three basic output options are available: -oN for normal output, -oX for XML output, and -oG for greppable output. The -oA option provides output in all the above formats. One more important option is verbosity. While a scan is running, you may press v to increase verbosity and V (Shift+v) to decrease it.
Miscellaneous The most important is -6, which enables IPv6 scanning.

Nmap uses various files to store its default options. Users may edit these files to fine-tune options for individual scanning requirements.

From the exhaustive list above, a few options that come in really handy while scanning networks are shown in Table 2.

Table 2: Interesting NMap options
Option Description
-sC --smb-users-enum
-sC --smb-shares-enum
Really handy for scanning SMB networks, these options respectively return a list of users, and a list of shares detected in the specified host range.
-O Detects operating systems even of various networking devices.
-A Runs a standard scan, including OS version detection
-T4 Speeds up the scan; especially useful in quickly scanning a range of IP addresses.
-PN (or -P0) Ping response is disabled on a few hosts to be scanned. This option assumes the hosts are up/online.

Other tools

The Nmap team is also developing some other very interesting tools, some of which follow:

  • ncrack — Network authentication cracking tool, includes support for cracking RDP, SSH, HTTP, HTTPS, SMB, POP3, POP3S, FTP, and telnet.
  • ncat — Reads and writes data across networks from the command line (similar to netcat)
  • zenmap — GUI for Nmap
  • ndiff — Compares and shows differences in two Nmap scan result files
  • nping — Network packet generation, response analysis and response time measurement tool. Includes echo mode, debugging with sent/received packets, captured packets on the server, etc.
  • rainmap — An online scanning service

With this, I conclude this series on NMap.

References
Feature image courtesy: Alpha six. Reused under the terms of CC-BY-SA 2.0 License.

All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted.
Open Source For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.

Creative Commons License.