Nmap: Port-Scanning Tool

Why would you want to scan your own machines?

Find out where your system is vulnerable

What services are visible

What may have changed since last time you checked security on your system

Security is an on-going process...

A good place to look for info on nmap: www.insecure.org/nmap/index.html

Written by Fyodor

• A scan that looks for open UDP and TCP ports
• What services are running
  
• OS fingerprint
• What operating system
  
• ping sweep
• Sending many ping packets in parallel
  

• Scanning can result in log entries on the target machine
• Scanning can be very obvious and obtrusive to the admin on the target machine
• Scanning another network or machine could potentially get  you in lots of trouble
• There is a way to run a stealthy scan

• TCP Connect Scan
• attemps 3-way TCP handshake
• fast
• doesn't require root access
• not a stealthy scan as the machine you are scanning will log connections that are closed right after they are opened
• TCP SYN Scan
• attemps a half-open connection
  
• The first packet in the three-way handshake
  
• probably not logged by the target machine
• must be root to run this scan since nmap and not the kernel builds the packets
• TCP FIN Scan
• nmap sends a single FIN packet (final packet in TCP communication)
• After a FIN is sent by the client, the server sends a RST
  
• must be scanning an RFC-793-compliant TCP/IP stack (lots of OSs are not like Windows)
  
• TCP NULL Scan
• nmap sends a TCP null packet
• Same as the FIN scan only without flags
  
• also relies on RFC-793
• TCP Xmas Tree Scan
• Same as FIN scan with URG, and PUSH flags set
  
• also relies on RFC-793
• UDP Scan
• no 3-way handshake in connectionless protocol
• nmap sends a single UDP packet to each port on the target system
  
• scanned system will return an ICMP "Port Unreachable" packet if UDP packet is sent to a closed UDP port
• assume an open port sends no ICMP packet
• not a very accurate scan
• very slow
  
• RPC Scan
• looks for Remote Procedure Call services (NFS) and their version numbers
• used in conjunction with other scan types
• Ping Scan
• finds out which IPs in a given range of IPs or network are active
• known as a ping sweep

Available from http://www.insecure.org/

grab the gzipped tarball from web	http://www.insecure.org/
unzip and explode it	tar xvfz nmap-2.53.tgz
change to nmap directory	cd nmap-2.53
configure nmap	./configure
compile nmap	make
become root	su root
install binaries and docs	make install

Using Nmap

Basic syntax:

nmap -s (scan type) -p (port-range options)  (target)

Scan Types:

Some examples

A default scan, no flags are needed. Nmap will ping the target host(s) then scan with the TCP Connect method. This is a very fast scan but it can be detected and logged. I'll scan my home machine.

    # nmap 192.168.1.20

Adding UDP and RPC to the default scan. Note: you will need to explicitely include the TCP Connect flags.

    # nmap -sTUR 192.168.1.20

Above we use the T flag for TCP Connect, the U flag for UDP, and the R flag for RPC. Using the U and the R flags together makes sense because typically RPC is UDP protocol.

Below is a command to scan all the machines on my homenet using a fast TCP and UDP scan.

    # nmap -sTU 192.168.1.0/24

Here is a nice scan I grabbed from reading the Linux Journal paper which adds a few nicities to the scan. The -OIF is as follows:

• O: OS fingerprinting
• I: query the ident daemon which tells the world which user is listening on the port
  
• F: scan only the ports listed in nmap-services which reduces the amount of ports to those most likely to be listening

    # nmap -sTUR -OIF -oN outfile 192.168.1.20

Here is a very verbose stealthy scan with OS detection.

Use the -p option to scan for a particular port. Here we are scanning for the SQL Slammer worm.