


Nmap Network Scanning

Official Nmap Project Guide to Network Discovery and Security Scanning

Gordon “Fyodor” Lyon

Book URL: http://nmap.org/book/
ISBN-13: 978-0-9799587-1-7
ISBN-10: 0-9799587-1-7

Copyright © 2008 by Insecure.Com LLC. All rights reserved, except where noted.

From port scanning basics for novices to the type of packet crafting used by advanced hackers, this book by Nmap's author and maintainer suits all levels of security and networking professionals. Rather than simply document what every Nmap option does, Nmap Network Scanning demonstrates how these features can be applied to solve real world tasks such as penetration testing, taking network inventory, detecting rogue wireless access points or open proxies, quashing network worm and virus outbreaks, and much more. Examples and diagrams show actual communication on the wire. This book is essential for anyone who needs to get the most out of Nmap, particularly security auditors and systems or network administrators.

This free Web edition contains only about half of the content available in the complete book.


Table of Contents

Preface
Introduction
Intended Audience and Organization
Conventions
Other Resources
Request for Comments
Acknowledgements
Technology Used to Create This Book
TCP/IP Reference
1. Getting Started with Nmap
Introduction
Nmap Overview and Demonstration
Avatar Online
Saving the Human Race
MadHat in Wonderland
The Phases of an Nmap Scan
Legal Issues
Is Unauthorized Port Scanning a Crime?
Can Port Scanning Crash the Target Computer/Networks?
Nmap Copyright
The History and Future of Nmap
2. Obtaining, Compiling, Installing, and Removing Nmap
Introduction
Testing Whether Nmap is Already Installed
Command-line and Graphical Interfaces
Downloading Nmap
Verifying the Integrity of Nmap Downloads
Obtaining Nmap from the Subversion (SVN) Repository
Unix Compilation and Installation from Source Code
Configure Directives
If You Encounter Compilation Problems
Linux Distributions
RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
Debian Linux and Derivatives such as Ubuntu
Other Linux Distributions
Windows
Windows 2000 Dependencies
Windows Self-installer
Command-line Zip Binaries
Installing the Nmap zip binaries
Compile from Source Code
Executing Nmap on Windows
Sun Solaris
Apple Mac OS X
Executable Installer
Compile from Source Code
Compile Nmap from source code
Compile Zenmap from source code
Third-party Packages
Executing Nmap on Mac OS X
FreeBSD / OpenBSD / NetBSD
OpenBSD Binary Packages and Source Ports Instructions
FreeBSD Binary Package and Source Ports Instructions
Installation of the binary package
Installation using the source ports tree
NetBSD Binary Package Instructions
Amiga, HP-UX, IRIX, and Other Platforms
Removing Nmap
3. Host Discovery (Ping Scanning)
4. Port Scanning Overview
5. Port Scanning Techniques and Algorithms
A Few Blank Sections
Idle Scan Implementation Algorithms
IP Protocol Scan (-sO)
Disambiguating Open from Filtered UDP Ports
Adaptive Retransmission
TCP Idle Scan (-sI)
Idle Scan Step by Step
Finding a Working Idle Scan Zombie Host
Executing an Idle Scan
Idle Scan Implementation Algorithms
6. Optimizing Nmap Performance
7. Service and Application Version Detection
Introduction
Usage and Examples
Technique Described
Cheats and Fallbacks
Probe Selection and Rarity
Technique Demonstrated
Post-processors
Nmap Scripting Engine Integration
RPC Grinding
SSL Post-processor Notes
nmap-service-probes File Format
Exclude Directive
Probe Directive
match Directive
softmatch Directive
ports and sslports Directives
totalwaitms Directive
rarity Directive
fallback Directive
Putting It All Together
Community Contributions
Submit Service Fingerprints
Submit Database Corrections
Submit New Probes
SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection
SOLUTION: Find All Servers Running an Insecure or Nonstandard Application Version
8. Remote OS Detection
Introduction
Reasons for OS Detection
Determining vulnerability of target hosts
Tailoring exploits
Network inventory and support
Detecting unauthorized and dangerous devices
Social engineering
Usage and Examples
TCP/IP Fingerprinting Methods Supported by Nmap
Probes Sent
Sequence generation (SEQ, OPS, WIN, and T1)
ICMP echo (IE)
TCP explicit congestion notification (ECN)
TCP (T2–T7)
UDP (U1)
Response Tests
TCP ISN greatest common divisor (GCD)
TCP ISN counter rate (ISR)
TCP ISN sequence predictability index (SP)
TCP IP ID sequence generation algorithm (TI)
ICMP IP ID sequence generation algorithm (II)
Shared IP ID sequence Boolean (SS)
TCP timestamp option algorithm (TS)
TCP options (O, O1–O6)
TCP initial window size (W, W1–W6)
Responsiveness (R)
IP don't fragment bit (DF)
Don't fragment (ICMP) (DFI)
IP initial time-to-live (T)
IP initial time-to-live guess (TG)
Explicit congestion notification (CC)
TCP miscellaneous quirks (Q)
TCP sequence number (S)
ICMP sequence number (SI)
TCP acknowledgment number (A)
TCP flags (F)
TCP RST data checksum (RD)
IP type of service (TOS)
IP type of service for ICMP responses (TOSI)
IP total length (IPL)
Unused port unreachable field nonzero (UN)
Returned probe IP total length value (RIPL)
Returned probe IP ID value (RID)
Integrity of returned probe IP checksum value (RIPCK)
Integrity of returned probe UDP length and checksum (RUL and RUCK)
Integrity of returned UDP data (RUD)
ICMP response code (CD)
IP data length for ICMP responses (DLI)
Fingerprinting Methods Avoided by Nmap
Passive Fingerprinting
Exploit Chronology
Retransmission Times
IP Fragmentation
Open Port Patterns
Understanding an Nmap Fingerprint
Decoding the Subject Fingerprint Format
Decoding the SCAN line of a subject fingerprint
Decoding the Reference Fingerprint Format
Free-form OS description (Fingerprint line)
Device and OS classification (Class lines)
Test expressions
OS Matching Algorithms
Dealing with Misidentified and Unidentified Hosts
When Nmap Guesses Wrong
When Nmap Fails to Find a Match and Prints a Fingerprint
Modifying the nmap-os-db Database Yourself
9. Nmap Scripting Engine
Introduction
Usage and Examples
Script Categories
Command-line Arguments
Arguments to Scripts
Usage Examples
Script Format
description Field
categories Field
author Field
license Field
runlevel Field
Port and Host Rules
Action
Script Language
Lua Base Language
NSE Scripts
NSE Libraries
List of All Libraries
Adding C Modules to Nselib
Nmap API
Information Passed to a Script
Network I/O API
Connect-style network I/O
Raw packet network I/O
Thread Mutexes
Exception Handling
The Registry
Script Writing Tutorial
The Head
The Rule
The Mechanism
Writing Script Documentation (NSEDoc)
NSE Documentation Tags
Version Detection Using NSE
Example Script: finger.nse
Implementation Details
Initialization Phase
Matching Scripts with Targets
Script Execution
10. Detecting and Subverting Firewalls and Intrusion Detection Systems
11. Defenses Against Nmap
12. Zenmap GUI Users' Guide
Introduction
The Purpose of a Graphical Frontend for Nmap
Scanning
Profiles
Scan Aggregation
Interpreting Scan Results
Scan Results Tabs
The Nmap Output tab
The Ports / Hosts tab
The Topology tab
The Host Details tab
The Scans tab
Sorting by Host
Sorting by Service
Saving and Loading Scan Results
The Recent Scans Database
Surfing the Network Topology
An Overview of the Topology Tab
Legend
Controls
Action controls
Interpolation controls
Layout controls
View controls
Fisheye controls
Keyboard Shortcuts
The Hosts Viewer
The Nmap Command Constructor Wizard
The Profile Editor
Creating a New Profile
Editing a Profile
Deriving a New Profile from an Old One
Searching Saved Results
Comparing Results
Graphical Comparison
Text Comparison
Files Used by Zenmap
The nmap Executable
System Configuration Files
Per-user Configuration Files
Output Files
Description of zenmap.conf
Sections of zenmap.conf
Command-line Options
Synopsis
Options Summary
Error Output
History
13. Nmap Output Formats
Introduction
Command-line Flags
Controlling Output Type
Controlling Verbosity of Output
Enabling Debugging Output
Handling Error and Warning Messages
Enabling Packet Tracing
Resuming Aborted Scans
Interactive Output
Normal Output (-oN)
$crIpT kIddI3 0uTPut (-oS)
XML Output (-oX)
Using XML Output
Manipulating XML Output with Perl
Output to a Database
Creating HTML Reports
Saving a Permanent HTML Report
Grepable Output (-oG)
Grepable Output Fields
Host field
Ports field
Protocols field
Ignored State field
OS field
Seq Index field
IP ID Seq field
Status field
Parsing Grepable Output on the Command Line
14. Understanding and Customizing Nmap Data Files
Introduction
Well Known Port List: nmap-services
Version Scanning DB: nmap-service-probes
SunRPC Numbers: nmap-rpc
Nmap OS Detection DB: nmap-os-db
MAC Address Vendor Prefixes: nmap-mac-prefixes
IP Protocol Number List: nmap-protocols
Files Related to Scripting
Using Customized Data Files
15. Nmap Reference Guide
Description
Options Summary
Target Specification
Host Discovery
Port Scanning Basics
Port Scanning Techniques
Port Specification and Scan Order
Service and Version Detection
OS Detection
Nmap Scripting Engine (NSE)
Timing and Performance
Firewall/IDS Evasion and Spoofing
Output
Miscellaneous Options
Runtime Interaction
Examples
Bugs
Author
Legal Notices
Nmap Copyright and Licensing
Creative Commons License for this Nmap Guide
Source Code Availability and Community Contributions
No Warranty
Inappropriate Usage
Third-Party Software
United States Export Control Classification
A. Nmap XML Output DTD
Purpose
The Full DTD
Index

List of Examples

1. A typical Nmap scan
1.1. Nmap list scan against Avatar Online IP addresses
1.2. Nmap results against an AO firewall
1.3. Another interesting AO machine
1.4. nmap-diff typical output
1.5. nmap-report execution
2.1. Checking for Nmap and determining its version number
2.2. Verifying the Nmap and Fyodor PGP Key Fingerprints
2.3. Verifying PGP key fingerprints (Successful)
2.4. Detecting a bogus file
2.5. A typical Nmap release digest file
2.6. Verifying Nmap hashes
2.7. Successful configuration screen
2.8. Installing Nmap from binary RPMs
2.9. Building and installing Nmap from source RPMs
2.10. Installing Nmap from a system Yum repository
5.1. An idle scan against the RIAA
7.1. Simple usage of version detection
7.2. Version detection against www.microsoft.com
7.3. Complex version detection
7.4. NULL probe cheat example output
7.5. Enumerating RPC services with rpcinfo
7.6. Nmap direct RPC scan
7.7. Version scanning through SSL
8.1. OS detection with verbosity (-O -v)
8.2. Using version scan to detect the OS
8.3. A typical subject fingerprint
8.4. A cleaned-up subject fingerprint
8.5. A typical reference fingerprint
8.6. Some typical fingerprint descriptions and corresponding classifications
8.7. The MatchPoints structure
9.1. Typical NSE output
9.2. Connect-style I/O
9.3. Mutex manipulation
9.4. Exception handling example
9.5. An NSEDoc comment for a function
9.6. An NSEDoc comment for a module
9.7. An NSEDoc comment for a script
9.8. A typical version detection script (Skype version 2 detection)
13.1. Scanrand output against a local network
13.2. Grepping for verbosity conditionals
13.3. Interactive output without verbosity enabled
13.4. Interactive output with verbosity enabled
13.5. Some representative debugging lines
13.6. Using --packet-trace to detail a ping scan of Scanme
13.7. A typical example of normal output
13.8. A typical example of $crIpt KiDDi3 0utPut
13.9. An example of Nmap XML output
13.10. Nmap XML port elements
13.11. Nmap::Parser sample code
13.12. Nmap::Scanner sample code
13.13. A typical example of grepable output
13.14. Grepable output for IP protocol scan
13.15. Ping scan grepable output
13.16. List scan grepable output
13.17. Parsing grepable output on the command line
14.1. Excerpt from nmap-services
14.2. Excerpt from nmap-service-probes
14.3. Excerpt from nmap-rpc
14.4. Excerpt from nmap-os-db
14.5. Excerpt from nmap-mac-prefixes
14.6. Excerpt from nmap-protocols
15.1. A representative Nmap scan