Tuesday, 30-January-2001 04:13:05 PDT
Nmap V. 2.54BETA19 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
  -sT TCP connect() port scan (default)
* -sS TCP SYN stealth port scan (best all-around TCP scan)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG Output normal/XML/grepable scan logs to
  -iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
amy~> ping microsoft.com
PING microsoft.com (126.96.36.199) from 188.8.131.52 : 56(84) bytes of data.

--- microsoft.com ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
-PS. We will discuss one reason for doing this later.
-P0 tells Nmap to scan each machine without even checking if it is up first. This can be very slow (if scanning thousands of ports), but is the ultimate technique for paranoid (experienced) security admins.
-sS argument to perform this kind of scan.
-sN). More details on the mechanics of these scans are available in the Nmap manpage.
else if (scantype == NULL_SCAN) scanflags = 0;
-sA) for probing firewalls/filtering systems.
-sP. Nmap usually focuses on TCP, UDP, and ICMP, but there is a whole world of other protocols available for advanced attacks and information gathering. The Protocol Scan cycles through the 8-bit protocol field sending raw IP headers without any data. An ICMP Protocol Unreachable error means the target does not accept packets for the given protocol.
For example, here is a SYN scan of a high-end CISCO router:
amy~# nmap -sS 184.108.40.206

Starting nmap V. 2.54BETA19 ( insecure.org/nmap/ )
Interesting ports on dcr01-g6-0.sntc05.exodus.net (220.127.116.11):
(The 1537 ports scanned but not shown below are in state: closed)
Port       State       Service
514/tcp    open        shell

Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

amy~# nmap -sO 18.104.22.168

Starting nmap V. 2.54BETA19 ( insecure.org/nmap/ )
Interesting protocols on dcr01-g6-0.sntc05.exodus.net (22.214.171.124):
(The 238 protocols scanned but not shown below are in state: closed)
Protocol   State       Name
1          open        icmp
4          open        ip
6          open        tcp
8          open        egp
9          open        igp
17         open        udp
47         open        gre
53         open        swipe
54         open        narp
55         open        mobile
77         open        sun-nd
80         open        iso-ip
88         open        eigrp
89         open        ospfigp
94         open        ipip
103        open        pim

Nmap run completed -- 1 IP address (1 host up) scanned in 149 seconds
IP Protocol scanning support was sent in by Gerhard Rieger (email@example.com) last year.
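
Seen from the defending side, the ICMP Protocol Unreachable replies described above are also what gives a protocol scan away. The following is an added example, not part of the original presentation or of Nmap: it parses those ICMP messages and flags a prober that has had many distinct protocols rejected by one target. The function names, the 60-second window, the threshold of 16 and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ICMP_DEST_UNREACH, CODE_PROTO_UNREACH = 3, 2

def parse_proto_unreachable(icmp: bytes):
    """Return (prober, target, protocol) quoted in an ICMP Protocol Unreachable, else None."""
    if len(icmp) < 28:                    # 8-byte ICMP header + 20-byte quoted IP header
        return None
    if (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, CODE_PROTO_UNREACH):
        return None
    quoted = icmp[8:28]                   # header of the probe the target rejected
    if quoted[0] >> 4 != 4:               # IPv4 only
        return None
    return str(IPv4Address(quoted[12:16])), str(IPv4Address(quoted[16:20])), quoted[9]

def detect_protocol_scans(events, window=60.0, threshold=16):
    """events: (timestamp, raw ICMP bytes). Return (prober, target) pairs with at least
    `threshold` distinct rejected protocols inside `window` seconds (assumed defaults)."""
    recent = defaultdict(list)            # (prober, target) -> [(ts, proto)]
    alerts = set()
    for ts, raw in sorted(events, key=lambda e: e[0]):
        parsed = parse_proto_unreachable(raw)
        if parsed is None:
            continue
        prober, target, proto = parsed
        hist = [(t, p) for t, p in recent[(prober, target)] if ts - t <= window]
        hist.append((ts, proto))
        recent[(prober, target)] = hist
        if len({p for _, p in hist}) >= threshold:
            alerts.add((prober, target))
    return sorted(alerts)

def sample_icmp(src, dst, proto, code=CODE_PROTO_UNREACH):
    """Build a constructed ICMP unreachable message quoting one IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip

# Constructed capture (documentation addresses): one host probing 40 protocol
# numbers, plus two unrelated errors from another host that must not alert.
SAMPLE = [(i * 0.5, sample_icmp("192.0.2.10", "198.51.100.1", p))
          for i, p in enumerate(range(100, 140))]
SAMPLE.append((3.0, sample_icmp("192.0.2.77", "198.51.100.1", 47)))
SAMPLE.append((4.0, sample_icmp("192.0.2.77", "198.51.100.1", 17, code=3)))

if __name__ == "__main__":
    print(detect_protocol_scans(SAMPLE))
```

Hosts that rate-limit ICMP errors send fewer replies than they receive probes, which is why the threshold sits well below the 256 possible protocol numbers.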
-O) can usually determine the OS in use via a technique known as TCP/IP fingerprinting. The idea is to send various valid and invalid IP packets to the remote host and study the characteristics of the response very closely. A paper I wrote which describes these techniques is available at http://nmap.org/nmap-fingerprinting-article.html.
hping2 --traceroute -t 1 -2 --baseport 53 -keep -V -p 5023 gw.target.com
This means do a traceroute, starting with ttl=1, using UDP packets with a source port of 53 (dns) and a destination port of 5023 against gw.target.com. -V just turns on verbosity.
-g option allows for changing the source port of a scan.
nmap -sS -PS53 -p53 10.0.0.8/8
Recall from earlier in this presentation that -PS means "spew SYN packet probes to the given port of each target IP and watch for replies". But if a SYN packet has already been sent to the targeted port of a machine, doing the actual "SYN scan" is redundant, so Nmap just interprets the results of the initial SYN probe to determine whether the port is open or not. This shortcut can make a scan go two or three times faster than it would otherwise. All three options above must be given, and the port numbers must match up.
"nmap -sS -PS53 -p53 10.2.3.0/24 10.0.0.8/8" (assuming 10.2.3.* contains some machines).
-T Aggressive or to muck with the low level timing parameters (e.g. --max_rtt_timeout, --host_timeout, etc.). These can make a dramatic difference if you scan thousands of hosts and learn to use them appropriately. Usually they are most important if the hosts being scanned are behind a firewall. Otherwise Nmap usually does a good job at determining the optimum scan speed.
-D) uses source address spoofing to forge scans against the target "from" the machines given as decoys. So even if the target network has special software to log scans, they will see scans from dozens of addresses and are unlikely to be able to fish out the true scan origin from all of the decoys.
amy~# nmap -p- -sR -I -O www.secret.com

Starting nmap V. 2.52 by ( insecure.org/nmap/ )
Interesting ports on foo.bar.com (126.96.36.199):
(The 65514 ports scanned but not shown below are in state: closed)
Port       State       Service (RPC)           Owner
21/tcp     open        ftp                     root
22/tcp     open        ssh                     root
23/tcp     open        telnet                  root
25/tcp     open        smtp                    mail
80/tcp     open        http                    http
110/tcp    open        pop-3                   root
111/tcp    filtered    sunrpc
113/tcp    open        auth                    root
220/tcp    filtered    imap3
443/tcp    open        https                   http
512/tcp    filtered    exec
513/tcp    filtered    login
514/tcp    filtered    shell
515/tcp    filtered    printer
516/tcp    filtered    videotex
517/tcp    filtered    talk
518/tcp    filtered    ntalk
635/tcp    filtered    unknown
939/tcp    open        (status V1)             root
2049/tcp   filtered    nfs
3600/tcp   open        unknown                 root

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4797787 (Good luck!)
Sequence numbers: 702A7726 70243971 7059255D 70F3C86B 710DC518 704EBFEE
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 467 seconds