Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Exploit World
Advertising
About/Contact
Credits
Sponsors:


Rational AppScan


Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Nmap Network Scanning (PRE-RELEASE BETA VERSION)
   Next

Nmap Network Scanning (PRE-RELEASE BETA VERSION)

Gordon “Fyodor” Lyon

Insecure.Org

April 9, 2008

Table of Contents

Preface
Introduction
Intended Audience and Organization
Conventions
Other Resources
Request for Comments
Acknowledgements
1. Getting Started with Nmap
Introduction
Nmap Overview and Demonstration
Avatar Online
Saving the Human Race
MadHat in Wonderland
Legal Issues
Is Unauthorized Port Scanning a Crime?
Can Port Scanning Crash the Target Computer/Networks?
Nmap Copyright
The History and Future of Nmap
2. Obtaining, Compiling, Installing, and Removing Nmap
Introduction
Testing Whether Nmap is Already Installed
Command-line and Graphical Interfaces
Downloading Nmap
Verifying the Integrity of Nmap Downloads
Obtaining Nmap from the Subversion (SVN) Repository
Unix Compilation and Installation from Source Code
Configure Directives
If You Encounter Compilation Problems
Linux Distributions
RPM-based Distributions (Red Hat, Mandrake, Suse, Fedora)
Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
Debian Linux and Derivatives such as Ubuntu
Other Linux Distributions
Windows
Windows Self-installer
Command-line Zip Binaries
Installing the Nmap zip binaries
Compile from Source Code
Executing Nmap on Windows
Sun Solaris
Apple Mac OS X
FreeBSD / OpenBSD / NetBSD
OpenBSD Binary Packages and Source Ports Instructions
FreeBSD Binary Package and Source Ports Instructions
Installation of the binary package
Installation using the source ports tree
NetBSD Binary Package Instructions
Amiga, HP-UX, IRIX, and Other Platforms
Removing Nmap
3. Host Discovery (“Ping Scanning”)
4. Port Scanning Overview
5. Port Scanning Techniques and Algorithms
6. Optimizing Nmap Performance
7. Service and Application Version Detection
Introduction
Usage and Examples
Technique Described
Cheats and Fallbacks
Probe Selection and Rarity
--version-intensity
--version-light
--version-all
Technique Demonstrated
Post-processors
Nmap Scripting Engine Integration
RPC Grinding
SSL Post-processor Notes
nmap-service-probes File Format
Exclude Directive
Probe Directive
match Directive
softmatch Directive
ports and sslports Directives
totalwaitms Directive
rarity Directive
fallback Directive
Putting it all together
Community Contributions
Submit Service Fingerprints
Submit Database Corrections
Submit New Probes
[RECIPE] Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection
[RECIPE] Find All Servers Running an Insecure or Nonstandard Application Version
8. Remote OS Detection
Introduction
Reasons for OS Detection
Determining vulnerability of target hosts
Tailoring exploits
Network inventory and support
Detecting unauthorized and dangerous devices
Social engineering
Usage and Examples
TCP/IP Fingerprinting Methods Supported by Nmap
Probes Sent
Sequence generation (SEQ, OPS, WIN, and T1)
ICMP echo (IE)
TCP explicit congestion notification (ECN)
TCP (T2T7)
UDP (U1)
Response Tests
TCP ISN greatest common denominator (GCD)
TCP ISN counter rate (ISR)
TCP ISN sequence predictability index (SP)
TCP IP ID sequence generation algorithm (TI)
ICMP IP ID sequence generation algorithm (II)
Shared IP ID sequence boolean (SS)
TCP timestamp option algorithm (TS)
TCP options (O, 01–06)
TCP initial window size (W, W1W6)
Responsiveness (R)
IP don't fragment bit (DF)
Don't fragment (ICMP) (DFI)
IP initial time-to-live (T)
IP initial time-to-live guess (TG)
Explicit congestion notification (CC)
TCP miscellaneous quirks (Q)
TCP sequence number (S)
ICMP sequence number(SI)
TCP acknowledgment number (A)
TCP flags (F)
TCP RST data checksum (RD)
IP type of service (TOS)
IP type of service for ICMP responses (TOSI)
IP total length (IPL)
Unused port unreachable field nonzero (UN)
Returned probe IP total length value (RIPL)
Returned probe IP ID value (RID)
Integrity of returned probe IP checksum value (RIPCK)
Integrity of returned probe UDP length and checksum (RUL and RUCK)
Integrity of returned UDP data (RUD)
ICMP response code (CD)
IP data length for ICMP responses (DLI)
Fingerprinting Methods Avoided by Nmap
Passive Fingerprinting
Exploit Chronology
Retransmission Times
IP Fragmentation
Understanding an Nmap Fingerprint
Decoding the Subject Fingerprint Format
Decoding the SCAN line of a subject fingerprint
Decoding the Reference Fingerprint Format
Free-form OS description (Fingerprint line)
Device and OS classification (Class lines)
Test expressions
OS Matching Algorithms
Dealing with Misidentified and Unidentified Hosts
When Nmap Guesses Wrong
When Nmap Fails to Find a Match and Prints a Fingerprint
Modifying the nmap-os-db database Yourself
9. Nmap Scripting Engine
Introduction
Usage and Examples
Script Categories
Arguments to Scripts
Command-line Arguments
Usage Examples
Script Format
id Field
description Field
author Field
license Field
runlevel Field
Port and Host Rules
Action
Script Language
Lua Base Language
Lua Extensions
Bitwise Logical Operations
Perl Compatible Regular Expressions
IP Operations
Short Portrules
Functional Programming Style List Operations
String Buffer Operations
URL Manipulation Functions
Buffered Network I/O Helper Functions
HTTP Functions
Data File Parsing Functions
Various Utility Functions
Nmap API
Information Passed to a Script
Target Information Retrieving by a Script
Various Utility Functions for Raw Packet Support
Network I/O API
Connect-style network I/O
Raw packet network I/O
Exception Handling
The Registry
Script Writing Tutorial
The Head
The Rule
The Mechanism
Version Detection using NSE
Example Scripts
Finger-Test Script
Service Owner Lookup via Identd
Implementation
Initialization Phase
Matching of Scripts to Targets
Running Scripts
Adding C Modules to Nselib
NSE Script License and Community Contributions
10. Detecting and Subverting Firewalls and Intrusion Detection Systems
11. Defenses Against Nmap
12. Zenmap GUI Users' Guide
Introduction
Scanning
Profiles
Scan tabs
Interpreting scan results
Scan results tabs
Sorting by host
Sorting by service
Saving and loading scan results
The recent scans database
The Nmap command constructor wizard
The profile editor
Creating a new profile
Profile meta-information
Editing a profile
Deriving a new profile from an old one
Searching through results
Comparing results
Graphical comparison
Text comparison
Files used by Zenmap
The nmap executable
System configuration files
Per-user configuration files
Description of zenmap.conf
Sections of zenmap.conf
Command line options
Synopsis
Option summary
Output redirection and debugging
History
13. Nmap Output Formats
Introduction
Command-line Flags
Controlling Output Type
Controlling Verbosity of Output
Enabling Debugging Output
Enabling Packet Tracing
Resuming Aborted Scans
Interactive Output
Normal Output (-oN)
$crIpT kIddI3 0uTPut (-oS)
XML Output (-oX)
Using XML Output
Manipulating XML Output with Perl
Output to a Database
Creating HTML Reports
Grepable Output (-oG)
Grepable Output Fields
Host field
Ports field
Protocols field
Ignored State field
OS field
Seq Index field
IP ID Seq field
Status field
Parsing Grepable Output on the Command Line
14. Understanding and Customizing Nmap Data Files
Introduction
Well Known Port List: nmap-services
Version Scanning DB: nmap-service-probes
SunRPC Numbers: nmap-rpc
Old Nmap OS Detection DB: nmap-os-fingerprints
Nmap OS Detection DB: nmap-os-db
MAC Address Vendor Prefixes: nmap-mac-prefixes
IP Protocol Number List: nmap-protocols
Using Customized Data Files
15. Nmap Reference Guide
Description
Options Summary
Target Specification
Host Discovery
Port Scanning Basics
Port Scanning Techniques
Port Specification and Scan Order
Service and Version Detection
OS Detection
Nmap Scripting Engine (NSE)
Timing and Performance
Firewall/IDS Evasion and Spoofing
Output
Miscellaneous Options
Runtime Interaction
Examples
Bugs
Author
Legal Notices
Nmap Copyright and Licensing
Creative Commons License for this Nmap Guide
Source Code Availability and Community Contributions
No Warranty
Inappropriate Usage
Third-Party Software
US Export Control Classification
A. Nmap XML Output DTD
Purpose
The Full DTD
Index

List of Figures

1.1. Trinity begins her assault
1.2. Trinity scans the Matrix
1.3. Terminal-view of the hack
1.4. Strong opinions on port scanning legality and morality
2.1. Executing Nmap from a Windows command shell
8.1. IPv4 header layout
8.2. TCP header layout
8.3. ICMP echo request or reply header layout
8.4. ICMP destination unreachable header layout
8.5. UDP header layout
12.1. Typical Zenmap screenshot
12.2. Zenmap’s main window
12.3. Target and profile selection
12.4. Scan tabs
12.5. Host selection
12.6. Service selection
12.7. Choosing a profile
12.8. The profile editor
12.9. The search dialog
12.10. Search options
12.11. Comparison tool
12.12. Graphical comparison
12.13. Comparison colors
12.14. Text mode comparison
13.1. Reading XML in a web browser

List of Tables

1. Formatting style conventions
7.1. versioninfo field formats and values
8.1. O test values
8.2. DFI test values
8.3. CC test values
8.4. S test values
8.5. SI test values
8.6. Ack test values
8.7. F test values
8.8. TOSI test values
8.9. CD test values
8.10. DLI test values
8.11. Reference fingerprint test expression operators
9.1. port.version values
12.1. Vulnerability icons
12.2. OS icons
12.3. Text diff character codes

List of Examples

1. A typical Nmap scan
1.1. Nmap list scan against Avatar Online IP addresses
1.2. Nmap results against an AO firewall
1.3. Another interesting AO machine
1.4. Nmap-diff typical output
1.5. Nmap-report execution
2.1. Checking for Nmap and determining its version number
2.2. Verifying the Nmap and Fyodor PGP Key Fingerprints
2.3. Verifying PGP Key Fingerprints (Successful)
2.4. Detecting a bogus file
2.5. A typical Nmap release digest file
2.6. Verifying Nmap hashes
2.7. Installing Nmap from binary RPMs
2.8. Building and installing Nmap from source RPMs
2.9. Installing Nmap from a system Yum repository
7.1. Simple usage of version detection
7.2. Version detection against www.microsoft.com
7.3. Complex version detection
7.4. NULL Probe Cheat Example Output
7.5. Enumerating RPC services with rpcinfo
7.6. Nmap direct RPC scan
7.7. Version scanning through SSL
8.1. OS Detection with Verbosity (-O -v)
8.2. Using version scan to detect the OS
8.3. A typical subject fingerprint
8.4. A cleaned up subject fingerprint
8.5. A typical reference fingerprint
8.6. Some typical fingerprint descriptions and corresponding classifications
8.7. The MatchPoints structure
9.1. Typical NSE Output
9.2. Exception handling example
9.3. Using local variables to save data.
13.1. Scanrand output against a local network
13.2. Greping for verbosity conditionals
13.3. A comparison of interactive output with and without verbosity enabled.
13.4. Some representative debugging lines
13.5. Using --packet-trace to detail a ping scan of Scanme
13.6. A typical example of normal output
13.7. A typical example of $crIpt KiDDi3 0utPut
13.8. An example of Nmap XML output
13.9. Nmap XML port elements
13.10. Nmap::Parser sample code
13.11. Nmap::Scanner sample code
13.12. A typical example of grepable output
13.13. Grepable output for IP protocol scan
13.14. Ping scan grepable output
13.15. List scan grepable output
13.16. Parsing grepable output on the command line
14.1. Excerpt from nmap-services
14.2. Excerpt from nmap-service-probes
14.3. Excerpt from nmap-rpc
14.4. Excerpt from nmap-os-fingerprints
14.5. Excerpt from nmap-mac-prefixes
14.6. Excerpt from nmap-protocols
15.1. A representative Nmap scan
   Next
   Preface
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]