After scanning, Nmap's output is displayed. This output will be
familiar to Nmap users. Apart from Zenmap's highlighting
it doesn't offer any advantages over running Nmap in a terminal.
However, other parts of Zenmap's interface interpret and
aggregate the terminal output in a way that aims to make the scan
results easy to understand and use.
In each scan window, there are five tabs that display different
aspects of the scan results. They are: “Nmap
Output”, “Ports / Hosts”,
“Topology”, “Host Details”,
and “Scans”. Each of these will be discussed.
The “Nmap Output” tab is the one displayed by
default when a scan is run. It shows the familiar Nmap terminal
output. The display
highlights
parts of the output according to their meaning; for example, open
and closed ports are displayed in different colors. Custom
highlights can be given in
zenmap.conf;
see the section called “Description of zenmap.conf”.
Recall that the results of more than one scan may be shown in a
window (see the section called “Scan Aggregation”). The
drop-down combo box at the top of the tab allows you to select the
scan whose output is shown. The “Details”
button brings up a window showing other miscellaneous information
about the scan.
The “Ports / Hosts” tab's display is different
depending on whether a host or a service is currently selected.
When a host is selected, it shows all the interesting ports on a
certain host, along with version information if available. For how
to select a host, see the section called “Sorting by Host”.
When a service is selected, the “Ports / Hosts”
tab shows all the hosts which have that port open or filtered.
This is a good way to quickly answer the question “What
computers are running HTTP?” For how to select a service,
see the section called “Sorting by Service”.
The “Topology” tab is an interactive view of
the connections between hosts in a network. Hosts are arranged in
concentric rings. Each ring represents an additional network hop
from the center node. Clicking on a node brings it to the center.
Because it shows a representation of the network paths between
hosts, the “Topology” tab benefits from the use
of the --traceroute option. The topology view is
discussed in more detail in the section called “Surfing the Network Topology”.
The “Host Details” tab breaks all the
information about a single host into a hierarchical display. Shown
are the host's names and addresses, its state (up or down), and
the number and status of scanned ports. The host's uptime,
operating system, its OS icon (see
Figure 12.5, “OS icons”), and other associated details
are shown if they are available. (If no exact OS match was found
there will be a display showing the closest matches.)
There is also a
collapsible text field for storing a comment about the host which
will be saved when the scan is saved to a file (see
the section called “Saving and Loading Scan Results”).
Each host has an icon that gives a rough estimate of its
“vulnerability”, which is based solely on the number
of open ports. The icons and the numbers of open ports they
correspond to are
0–2 open ports,
|
3–4 open ports,
|
5–6 open ports,
|
7–8 open ports, and
|
9 or more open ports.
|
The “Scans” tab shows all the scans that are
aggregated
to make up the network inventory. From this tab you can add scans
(from a file or directory) and remove scans.
After you start a scan but before it is finished its status will
be “Running”. You may cancel a running scan by
clicking the “Cancel Scan” button.
On the left side of a window is a column headed by two buttons
labeled “Hosts” and
“Services”. Clicking the
“Hosts” button will bring up a list of all
hosts that were scanned, as in Figure 12.4. Commonly this will be just a
single host, but it could be thousands in a large scan. The host
list can be sorted by OS or host name/IP address by clicking the
headers at the top of the list. Selecting a host will cause the
“Ports / Hosts” tab to display the interesting
ports on that host.
Each host is labeled with its host name or IP address and has an
icon indicating the operating system that was detected for that
host. The icon is meaningful only if operating system detection
was performed using the -O option. Otherwise, the
icon will be a default one indicating that the OS is unknown.
Figure 12.5 shows what icons are possible.
Note that Nmap's OS detection cannot always provide the level
of specificity implied by the icons; for example a Red Hat Linux
host will often be displayed with the generic Linux icon.
Above the same list that contains all the scanned hosts is a button
labeled “Services”. Clicking that will change the
list into a list of all ports that are open,
filtered, or open|filtered on
any of the targets, as in
Figure 12.6. (Ports that were not
listed explicitly by Nmap are not
included.)
The ports are
identified by service name (http,
ftp, etc.). The list can be sorted by clicking
the header of the list.
Selecting a host will cause the “Ports / Hosts”
tab to display all the hosts that have that service open or
filtered.
Intro
