nmap is your FRIEND…. :)

Posted: 14th January 2011 by haxrbyte in Penetration Testing / Ethical Hacking

nmap is the tool any Penetration Tester/ Ethical Hacker can’t do without.

The tool can be downloaded from – http://nmap.org

I will use scanme.nmap.org as the target system for the demonstration:

[root@byte ~]# ping -c 3 scanme.nmap.org
PING scanme.nmap.org (64.13.134.52): 56 data bytes
64 bytes from 64.13.134.52: icmp_seq=0 ttl=54 time=162.937 ms
64 bytes from 64.13.134.52: icmp_seq=1 ttl=54 time=158.487 ms
64 bytes from 64.13.134.52: icmp_seq=2 ttl=54 time=154.497 ms

--- scanme.nmap.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 154.497/158.640/162.937/3.447 ms

When we run the nmap command against scanme.nmap.org

[root@byte ~]# nmap scanme.nmap.org

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-14 06:13 CST
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 993 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed auth
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 34.15 seconds
[root@byte ~]#

The scan it runs by default is the TCP SYN scan, also known as the stealth or half-open scan. As you can see, it gives you a list of interesting ports, each with a state and the service that might be running on that port.
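Once you have output like the above, the thing you usually want is the port table in a form you can compare against an earlier scan of your own range. The parser below is an added example, not code from the post or from the Nmap project; it handles the two header styles that appear on this page (Nmap 5.00 "Interesting ports on ..." and 5.36 "Nmap scan report for ...") plus the "Not shown:" summary line, and uses the 5.00 scan above as input. The second sample (SCAN_LATER) is constructed to show a newly exposed port; it is not real scanme.nmap.org output. For anything beyond a quick script, Nmap's XML output (-oX) is the stable format to parse.

```python
"""Parse nmap 'normal' output into structured port records and diff two runs.

Added example; not part of the original post. Assumes the normal-output
layout shown on the page (one host, "PORT STATE SERVICE" table).
"""
import re

HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for) (?P<host>\S+) \((?P<ip>[\d.]+)\)"
)
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<n>\d+) (?P<state>[a-z|]+) ports?")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)"
)

# Scan output copied from the Nmap 5.00 run shown on the page.
SCAN_5_00 = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-14 06:13 CST
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 993 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed auth
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 34.15 seconds
"""

# CONSTRUCTED later scan of the same host with one extra open port, used only
# to demonstrate the baseline comparison. Not real scanme.nmap.org output.
SCAN_LATER = """\
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.045s latency).
Not shown: 992 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed auth
8080/tcp  open   http-proxy
31337/tcp closed Elite
"""


def parse_normal_output(text):
    """Return one dict per host block: host, ip, not_shown counts, port list."""
    reports, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m["host"], "ip": m["ip"], "not_shown": {}, "ports": []}
            reports.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host block
        m = NOT_SHOWN_RE.match(line)
        if m:
            current["not_shown"][m["state"]] = int(m["n"])
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({
                "port": int(m["port"]), "proto": m["proto"],
                "state": m["state"], "service": m["service"],
            })
    return reports


def open_ports(report):
    return [p["port"] for p in report["ports"] if p["state"] == "open"]


def port_summary(report):
    """Count ports per state, including those nmap folded into 'Not shown'."""
    counts = dict(report["not_shown"])
    for p in report["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


def new_open_ports(baseline, current):
    """Ports open now that were not open in the baseline: what a defender
    re-scanning their own range actually wants flagged."""
    return sorted(set(open_ports(current)) - set(open_ports(baseline)))


if __name__ == "__main__":
    base = parse_normal_output(SCAN_5_00)[0]
    later = parse_normal_output(SCAN_LATER)[0]
    print(base["host"], base["ip"], port_summary(base))
    print("newly open:", new_open_ports(base, later))
```

The state counts from port_summary add up to the 1000 ports nmap scans by default, which is a quick sanity check that the parser did not miss a line.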

I normally start host discovery with a ping scan; this goes no further than determining whether the host is online.

[root@byte ~]# nmap -sP scanme.nmap.org

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-14 06:28 CST
Host scanme.nmap.org (64.13.134.52) is up (0.16s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
[root@byte ~]#

You can also run a list scan, but this only gives you a list of targets to scan:

[root@byte ~]# nmap -sL scanme.nmap.org

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-14 06:28 CST
Host scanme.nmap.org (64.13.134.52) not scanned
Nmap done: 1 IP address (0 hosts up) scanned in 0.24 seconds
[root@byte ~]#

This scan will probably only be used to determine what the network range you want to scan involves…something like…

[root@byte ~]# nmap -sL 64.13.134.48/28

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-14 06:35 CST
Host nmap.org (64.13.134.48) not scanned
Host insecure.org (64.13.134.49) not scanned
Host seclists.org (64.13.134.50) not scanned
Host sectools.org (64.13.134.51) not scanned
Host scanme.nmap.org (64.13.134.52) not scanned
Host research.nmap.org (64.13.134.53) not scanned
Host cust-134-54.titan.net (64.13.134.54) not scanned
Host cust-134-55.titan.net (64.13.134.55) not scanned
Host cust-134-56.titan.net (64.13.134.56) not scanned
Host cust-134-57.titan.net (64.13.134.57) not scanned
Host ns1.titan.net (64.13.134.58) not scanned
Host ns2.titan.net (64.13.134.59) not scanned
Host wwwr.titan.net (64.13.134.60) not scanned
Host nswc1.titan.net (64.13.134.61) not scanned
Host nswc2.titan.net (64.13.134.62) not scanned
Host 64.13.134.63 not scanned
Nmap done: 16 IP addresses (0 hosts up) scanned in 0.21 seconds
[root@byte ~]#

As you can see: no scanning, just listing.

I upgraded my nmap version to nmap-5.36.t4; there are other interesting things that come with this, like NPING and NCAT (Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat).

But I will blog about that a bit later….

I decided that, rather than going through the NMAP reference guide, I wanted to show you some nicer things to do with NMAP…well, at least I think they're nicer 🙂

TCP connect scan (-sT)

This is your typical 3-way handshake (SYN–>SYN-ACK–>ACK). The host sends out a SYN packet, the target responds with a SYN-ACK packet, and the host then responds with an ACK packet. The communications channel is then established and traffic can flow.

[root@byte ~]# nmap -sT scanme.nmap.com

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-01-28 05:02 CST
Nmap scan report for scanme.nmap.com (64.13.134.52)
Host is up (0.045s latency).
rDNS record for 64.13.134.52: scanme.nmap.org
Not shown: 993 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed auth
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 41.77 seconds
[root@byte ~]#

Ok, you see a couple of ports open.

An interesting option to use is --packet-trace. The --packet-trace option causes Nmap to print a summary of every packet it sends and receives. This is helpful when trying to understand how Nmap works, and for debugging.

Let's take ssh as an example:

[root@byte ~]# nmap --packet-trace -p 22 -sT scanme.nmap.org

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-01-28 05:26 CST
SENT (0.0550s) ICMP 72.200.200.200 > 64.13.134.52 Echo request (type=8/code=0) ttl=58 id=45864 iplen=28
SENT (0.0550s) TCP 72.200.200.200:47740 > 64.13.134.52:443 S ttl=59 id=2266 iplen=44  seq=768689839 win=4096 
SENT (0.0550s) TCP 72.200.200.200:47740 > 64.13.134.52:80 A ttl=51 id=50330 iplen=40  seq=0 win=4096
SENT (0.0550s) ICMP 72.200.200.200 > 64.13.134.52 Timestamp request (type=13/code=0) ttl=45 id=35095 iplen=40
RCVD (0.0990s) ICMP 64.13.134.52 > 72.200.200.200 Echo reply (type=0/code=0) ttl=52 id=17449 iplen=28
NSOCK (0.2550s) UDP connection requested to 72.232.192.2:53 (IOD #1) EID 8
NSOCK (0.2550s) Read request from IOD #1 [72.232.192.2:53] (timeout: -1ms) EID 18
NSOCK (0.2550s) Write request for 43 bytes to IOD #1 EID 27 [72.232.192.2:53]: .............52.134.13.64.in-addr.arpa.....
NSOCK (0.2550s) Callback: CONNECT SUCCESS for EID 8 [72.232.192.2:53]
NSOCK (0.2550s) Callback: WRITE SUCCESS for EID 27 [72.232.192.2:53]
NSOCK (0.2560s) Callback: READ SUCCESS for EID 18 [72.232.192.2:53] (184 bytes)
NSOCK (0.2560s) Read request from IOD #1 [72.232.192.2:53] (timeout: -1ms) EID 34
CONN (0.2560s) TCP localhost > 64.13.134.52:22 => Operation now in progress
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.044s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
[root@byte ~]#

NOTE: I used fake IPs .. just in case 🙂

TCP stealth (half) scan (-sS)

This scan only sends out packets like this (SYN–>SYN-ACK). The host sends a SYN packet, and the target responds with a SYN-ACK packet, but the host never sends an ACK packet back to the target.

[root@byte ~]# nmap -sS scanme.nmap.org

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-01-28 05:18 CST
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.045s latency).
Not shown: 993 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed auth
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 14.75 seconds
[root@byte ~]#

Now let's try this with the --packet-trace option:

[root@byte ~]# nmap --packet-trace -p 22 -sS scanme.nmap.org

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-01-28 05:27 CST
SENT (0.0550s) ICMP 72.200.200.200 > 64.13.134.52 Echo request (type=8/code=0) ttl=58 id=64459 iplen=28
SENT (0.0550s) TCP 72.200.200.200:35214 > 64.13.134.52:443 S ttl=48 id=3099 iplen=44  seq=3743350257 win=1024 
SENT (0.0550s) TCP 72.200.200.200:35214 > 64.13.134.52:80 A ttl=40 id=33163 iplen=40  seq=0 win=1024
SENT (0.0550s) ICMP 72.200.200.200 > 64.13.134.52 Timestamp request (type=13/code=0) ttl=52 id=22089 iplen=40
RCVD (0.0990s) ICMP 64.13.134.52 > 72.200.200.200 Echo reply (type=0/code=0) ttl=52 id=17450 iplen=28
NSOCK (0.2550s) UDP connection requested to 72.232.192.2:53 (IOD #1) EID 8
NSOCK (0.2550s) Read request from IOD #1 [72.232.192.2:53] (timeout: -1ms) EID 18
NSOCK (0.2550s) Write request for 43 bytes to IOD #1 EID 27 [72.232.192.2:53]:  64.13.134.52:22 S ttl=56 id=9289 iplen=44  seq=1621599360 win=1024 
RCVD (0.3020s) TCP 64.13.134.52:22 > 72.200.200.200:35214 SA ttl=52 id=0 iplen=44  seq=2276068255 win=5840 
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.044s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
[root@byte ~]#
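The two traces make the difference between -sT and -sS visible: the connect scan shows a CONN line because the operating system's socket layer performs the whole handshake (which is also why -sT works without raw-socket privileges), while the SYN scan shows the handcrafted SENT S and RCVD SA pair and nothing after it. In the SYN case the scanning host tears the half-open connection down with a RST rather than an ACK, which the trace above does not show. The script below is an added example, not code from the post or from Nmap: it parses --packet-trace lines, groups them per target port, and labels each exchange the way a network sensor would (a SYN answered by SYN-ACK with no ACK being the half-open signature). The sample traces are constructed from the -sT and -sS runs above, with the same fake source IP; the -sS SYN line is written out in full because it is garbled in the captured output.

```python
"""Classify per-port TCP exchanges from nmap --packet-trace lines.

Added example; not part of the original post. Assumes the SENT/RCVD/CONN
line layout shown on the page.
"""
import re
from collections import defaultdict

# SENT/RCVD TCP lines: "<dir> (<t>s) TCP <src>:<sport> > <dst>:<dport> <flags> ..."
TCP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+)\b"
)
# CONN lines only appear for -sT, where the OS socket layer does the handshake
CONN_RE = re.compile(
    r"^CONN \((?P<t>[\d.]+)s\) TCP \S+ > (?P<dst>[\d.]+):(?P<dport>\d+) => (?P<msg>.*)$"
)

# CONSTRUCTED sample traces modelled on the -sT and -sS runs on the page.
CONNECT_TRACE = """\
SENT (0.0550s) ICMP 72.200.200.200 > 64.13.134.52 Echo request (type=8/code=0) ttl=58 id=45864 iplen=28
SENT (0.0550s) TCP 72.200.200.200:47740 > 64.13.134.52:443 S ttl=59 id=2266 iplen=44  seq=768689839 win=4096
SENT (0.0550s) TCP 72.200.200.200:47740 > 64.13.134.52:80 A ttl=51 id=50330 iplen=40  seq=0 win=4096
RCVD (0.0990s) ICMP 64.13.134.52 > 72.200.200.200 Echo reply (type=0/code=0) ttl=52 id=17449 iplen=28
CONN (0.2560s) TCP localhost > 64.13.134.52:22 => Operation now in progress
""".splitlines()

SYN_TRACE = """\
SENT (0.0550s) ICMP 72.200.200.200 > 64.13.134.52 Echo request (type=8/code=0) ttl=58 id=64459 iplen=28
SENT (0.0550s) TCP 72.200.200.200:35214 > 64.13.134.52:443 S ttl=48 id=3099 iplen=44  seq=3743350257 win=1024
SENT (0.0550s) TCP 72.200.200.200:35214 > 64.13.134.52:80 A ttl=40 id=33163 iplen=40  seq=0 win=1024
RCVD (0.0990s) ICMP 64.13.134.52 > 72.200.200.200 Echo reply (type=0/code=0) ttl=52 id=17450 iplen=28
SENT (0.2560s) TCP 72.200.200.200:35214 > 64.13.134.52:22 S ttl=56 id=9289 iplen=44  seq=1621599360 win=1024
RCVD (0.3020s) TCP 64.13.134.52:22 > 72.200.200.200:35214 SA ttl=52 id=0 iplen=44  seq=2276068255 win=5840
""".splitlines()


def parse_exchanges(lines):
    """Group (direction, flags) events per (target_ip, target_port)."""
    exchanges = defaultdict(list)
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            if m["dir"] == "SENT":
                key = (m["dst"], int(m["dport"]))
            else:  # RCVD: the target is the source of the reply
                key = (m["src"], int(m["sport"]))
            exchanges[key].append((m["dir"], m["flags"]))
            continue
        m = CONN_RE.match(line)
        if m:
            exchanges[(m["dst"], int(m["dport"]))].append(("CONN", m["msg"]))
    return dict(exchanges)


def classify(events):
    """Label one port's exchange from the order of flags seen."""
    if any(d == "CONN" for d, _ in events):
        return "connect"          # OS socket handles the full handshake (-sT)
    sent = [f for d, f in events if d == "SENT"]
    rcvd = [f for d, f in events if d == "RCVD"]
    if sent and sent[0] == "A":
        return "ack-probe"        # host-discovery ACK probe, not a port probe
    if sent and sent[0] == "S":
        if not rcvd:
            return "syn-no-reply" # filtered, or the reply was lost
        if rcvd[0] == "SA":
            # open port; full handshake only if our side ever sent an ACK
            return "full-handshake" if "A" in sent[1:] else "half-open"
        if "R" in rcvd[0]:
            return "closed"       # RST(+ACK) answered the SYN
    return "other"


def classify_trace(lines):
    return {key: classify(ev) for key, ev in parse_exchanges(lines).items()}


if __name__ == "__main__":
    for name, trace in (("-sT", CONNECT_TRACE), ("-sS", SYN_TRACE)):
        print(name, classify_trace(trace))
```

The 443 and 80 entries in both traces are Nmap's default host-discovery probes (a SYN to 443 and an ACK to 80, alongside the ICMP echo and timestamp requests), which is why they show up before the port 22 probe; the classifier keeps them apart from the port-state result so they do not get misread as scan findings.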

to be continued…..
