
Interpreting Scan Results
After scanning, Nmap's output is displayed. This output will be
familiar to Nmap users. Apart from Zenmap's highlighting,
it doesn't offer any advantages over running Nmap in a terminal.
However, other parts of Zenmap's interface interpret and
aggregate the terminal output in a way that aims to make the scan
results easy to understand and use.
Within each scan tab, there are four sub-tabs that display
different aspects of the scan results. They are: “Ports /
Hosts”, “Nmap Output”, “Host
Details”, and “Scan Details”. Each of
these will be discussed.
The “Ports / Hosts” tab's display is different
depending on whether a host or a service is currently selected.
When a host is selected, it shows all the interesting ports on a
certain host, along with version information if available. For how
to select a host, see the section called “Sorting by Host”.
When a service is selected, the “Ports / Hosts”
tab shows all the hosts which have that port open or filtered.
This is a good way to quickly answer the question “What
computers are running HTTP?” For how to select a service,
see the section called “Sorting by Service”.
The “Nmap Output” tab is the one displayed by
default when a scan is run. It shows the familiar Nmap terminal
output. The output is refreshed from the running Nmap every few
seconds, but if you are impatient you can click the
“Refresh” button to do it more frequently.
The display highlights parts of the output according to their
meaning; for example, open and closed ports are displayed in
different colors.
The highlighting can be turned on and off by toggling the
“Enable Nmap output highlight” check box. Near
the bottom of the display, there is a
“Preferences” button, which when clicked
opens a dialog that shows what parts of the output are highlighted
and allows the highlighting to be customized. Custom highlights
are stored in zenmap.conf;
see the section called “Description of zenmap.conf”.
The Host Details tab breaks all the
information about a single host into a hierarchical display. Shown
are the host's names and addresses, its state (up or down), and
the number and status of scanned ports. The host's uptime,
operating system, its OS icon (see
Figure 12.6, “OS icons”), and other associated details
are shown if they are available. (If no exact OS match was found
there will be a display showing the closest matches.)
There is also a
collapsible text field for storing a comment about the host which
will be saved when the scan is saved to a file (see
the section called “Saving and Loading Scan Results”).
Each host has an icon that gives a rough estimate of its
“vulnerability”, which is based solely on the number
of open ports. The icons correspond to the following numbers of
open ports: 0–2, 3–4, 5–6, 7–8, and 9 or more.
The “Scan Details” tab gives miscellaneous
information about the scan as a whole (it is not host-specific).
Among other things, this tab shows the Nmap command that was run,
the version of Nmap used, start and end times for the scan, and a
list of ports or protocols that were scanned.
On the left side of a scan tab is a column headed by two buttons
labeled “Hosts” and
“Services”. Clicking the
“Hosts” button will bring up a list of all
hosts that were scanned, as in Figure 12.5. Commonly this will be just a
single host, but it could be thousands in a large scan. The host
list can be sorted by OS or host name/IP address by clicking the
headers at the top of the list. Selecting a host will cause the
“Ports / Hosts” tab to display the interesting
ports on that host.
Each host is labeled with its host name or IP address and has an
icon indicating the operating system that was detected for that
host. The icon is meaningful only if operating system detection
was performed using the -O option. Otherwise, the
icon will be a default one indicating that the OS is unknown.
Figure 12.6 shows what icons are possible.
Note that Nmap's OS detection cannot always provide the level
of specificity implied by the icons; for example a Red Hat Linux
host will often be displayed with the generic Linux icon.
Above the same list that contains all the scanned hosts is a button
labeled “Services”. Clicking that will change the
list into a list of all ports that are open, filtered, or
open|filtered on any of the targets, as in Figure 12.7. (Ports that
were not listed explicitly by Nmap are not included.)
The ports are identified by service name (http, ftp, etc.). The list
can be sorted by clicking the header of the list.
Selecting a service will cause the “Ports / Hosts”
tab to display all the hosts that have that service open or
filtered.
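The grouping done by the “Services” list and the open-port count behind the per-host icon can both be reproduced from Nmap's XML output (-oX). The following Python is an added example, not Zenmap's own code; the sample XML is constructed, the function names are hypothetical, and it assumes only ports in the open state count toward the icon's total.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in Nmap's XML output format (-oX); addresses are documentation ranges.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="25"><state state="closed"/><service name="smtp"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host>
</nmaprun>"""

LISTED_STATES = {"open", "filtered", "open|filtered"}  # states the Services list includes
BUCKETS = [(2, "0-2"), (4, "3-4"), (6, "5-6"), (8, "7-8")]  # upper bounds from the text

def open_port_bucket(n_open):
    """Map an open-port count to the icon range described in the text."""
    for upper, label in BUCKETS:
        if n_open <= upper:
            return label
    return "9+"

def summarize(xml_text):
    """Return (service -> sorted host list, host -> open-port bucket)."""
    by_service = defaultdict(set)
    buckets = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        n_open = 0
        for port in host.iter("port"):
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else ""
            svc = port.find("service")
            # Fall back to proto/port when no service name was recorded.
            name = svc.get("name") if svc is not None else f'{port.get("protocol")}/{port.get("portid")}'
            if state in LISTED_STATES:
                by_service[name].add(addr)
            n_open += state == "open"  # assumption: only "open" counts toward the icon
        buckets[addr] = open_port_bucket(n_open)
    return {s: sorted(h) for s, h in by_service.items()}, buckets

if __name__ == "__main__":
    print(summarize(SAMPLE_XML))
```

For scan files received from another party, parse with the defusedxml package instead of the standard library parser, which does not guard against entity-expansion attacks.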