Monday, 8-May-2000 04:13:05 PDT
Now, I'm not going to spend much time explaining how to use Nmap. There is no point in all of you coming out here just to learn what all the options mean. The Nmap web page at insecure.org offers the man page in various languages, as well as usage examples, tutorials, articles, etc. So I will generally only cover specific features of Nmap when they relate to issues being discussed.
Before I get started, I want to get an idea of how familiar you guys are with Nmap so I can tailor the talk accordingly. Would those of you who have used Nmap or seen it used raise your hands?
OK, about 1/3 of you. Thanks. (skip to usage)
    nmap V. 2.52_CSW Usage: nmap [Scan Type(s)] [Options]
    Some Common Scan Types ('*' options require root privileges)
       -sT TCP connect() port scan (default)
    *  -sS TCP SYN stealth port scan (best all-around TCP scan)
    *  -sU UDP port scan
       -sP ping scan (Find any reachable machines)
    *  -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
       -sR/-I RPC/Identd scan (use with other scan types)
    Some Common Options (none are required, most can be combined):
    *  -O Use TCP/IP fingerprinting to guess remote operating system
       -p <range> ports to scan.  Example range: '1-1024,1080,6666,31337'
       -F Only scans ports listed in nmap-services
       -v Verbose. Its use is recommended.  Use twice for greater effect.
       -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
    *  -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
       -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
       -oN/-oM <logfile> Output normal/machine parseable scan logs to <logfile>
       -iL <inputfile> Get targets from file; Use '-' for stdin
    *  -S <your_IP>/-e <devicename> Specify source address or network interface
       --interactive Go into interactive mode (then press h for help)
    Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
    SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
    amy~>ping microsoft.com
    PING microsoft.com (126.96.36.199) from 188.8.131.52 : 56 data bytes

    --- microsoft.com ping statistics ---
    11 packets transmitted, 0 packets received, 100% packet loss
    amy~>

The first time I pinged them I thought, well, it is Windows. It has probably crashed and is not responding. But they are actually filtering the pings.
The -PS option causes Nmap to send a SYN packet probe instead of an ACK. Normally we recommend the default ACK for stealthiness and firewall penetration reasons. But -PS has a strong advantage when combined with Nmap 2.52_CSW: since SYN is a connection-establishment-request packet, this probe (which is done against many targets in parallel) can be used to determine whether the port is open as well as whether the machine is up. This allows single-port scans to be almost twice as fast as in Nmap 2.52. Example of a high-speed scan for web servers in the 16 million 10.* (internal) addresses:

    nmap -sS -PS80 -p80 10.0.0.0/8

Note that for this speed optimization to take effect, you must have all three of the arguments (-sS, -PS, -p), and the port given to -PS and -p must match. With a port range or list, or with mismatched ports, Nmap falls back to the normal two-step behaviour of pinging first and scanning afterwards.
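As an added illustration of the -PS/-p rule just described (this is written for this page and is not part of nmap or of the original talk), here is a small Python check that inspects an nmap argument list and reports whether the single-probe optimization would apply. It never runs nmap; the accepted flag spellings (-PS80 or -PS 80, -p80 or -p 80) and the conservative handling of a bare -PS are assumptions about how the flags get typed.

```python
def _flag_value(argv, flag):
    """Return the value attached to `flag`, whether written as -p80 or -p 80.

    None if the flag is absent, '' if it is present with no value. A bare
    flag followed by another option (e.g. "-PS -p80") is treated as having no
    value, which is the conservative reading for this check (assumption).
    """
    for i, arg in enumerate(argv):
        if arg == flag:
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            return "" if nxt.startswith("-") else nxt
        # Prefix match is case-sensitive, so "-PS80" never satisfies "-p".
        if arg.startswith(flag) and len(arg) > len(flag):
            return arg[len(flag):]
    return None


def speed_optimization_applies(argv):
    """True when the single-probe optimisation can kick in: a SYN scan (-sS),
    a SYN ping (-PS<port>) and a port spec (-p<port>) naming the same single
    port. A range/list for -p, a mismatched port, or a non-SYN scan type
    means nmap pings first and scans afterwards as usual."""
    scan_types = set()
    for arg in argv[1:]:
        if arg.startswith("-s") and arg != "-s":
            scan_types.update(arg[2:])      # "-sS" -> {"S"}, "-sSR" -> {"S","R"}
    if "S" not in scan_types:
        return False
    ps = _flag_value(argv, "-PS")
    p = _flag_value(argv, "-p")
    if not ps or not p:
        return False
    # Both must be one plain port number (no ranges or lists) and equal.
    return ps.isdigit() and p.isdigit() and int(ps) == int(p)


def fast_sweep_argv(port, *targets):
    """Build the argv for a single-port SYN sweep in the optimised form,
    e.g. fast_sweep_argv(80, "10.0.0.0/8") for the web-server sweep above."""
    return ["nmap", "-sS", f"-PS{port}", f"-p{port}", *targets]


if __name__ == "__main__":
    for cmd in (fast_sweep_argv(80, "10.0.0.0/8"),
                ["nmap", "-sS", "-PS80", "-p443", "10.0.0.0/8"],
                ["nmap", "-sS", "-PS80", "-p1-1024", "10.0.0.0/8"]):
        print(" ".join(cmd), "->", speed_optimization_applies(cmd))
```

The check is deliberately strict: anything other than one identical port on both flags is reported as not optimised, which is the case the text warns about.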
The -P0 option tells Nmap to scan each machine without even checking if it is up first. This can be very slow (if scanning thousands of ports), but is the ultimate technique for paranoid (experienced) security admins.
Use the -sS argument to perform this kind of scan (the TCP SYN scan listed in the usage above).
UDP scan (-sU): A lot of people forget this whole protocol. They close all their TCP ports and think they are secure, but do not realize they have SunRPC, syslogd, lpd, and mountd all waiting to be exploited via UDP.
The -g option allows changing the source port of a scan.
    amy~#nmap -p- -sR -I -O www.secret.com

    Starting nmap V. 2.52 by email@example.com ( insecure.org/nmap/ )
    Interesting ports on foo.bar.com (184.108.40.206):
    (The 65514 ports scanned but not shown below are in state: closed)
    Port       State       Service (RPC)    Owner
    21/tcp     open        ftp              root
    22/tcp     open        ssh              root
    23/tcp     open        telnet           root
    25/tcp     open        smtp             mail
    80/tcp     open        http             http
    110/tcp    open        pop-3            root
    111/tcp    filtered    sunrpc
    113/tcp    open        auth             root
    220/tcp    filtered    imap3
    443/tcp    open        https            http
    512/tcp    filtered    exec
    513/tcp    filtered    login
    514/tcp    filtered    shell
    515/tcp    filtered    printer
    516/tcp    filtered    videotex
    517/tcp    filtered    talk
    518/tcp    filtered    ntalk
    635/tcp    filtered    unknown
    939/tcp    open        (status V1)      root
    2049/tcp   filtered    nfs
    3600/tcp   open        unknown          root

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=4797787 (Good luck!)
    Sequence numbers: 702A7726 70243971 7059255D 70F3C86B 710DC518 704EBFEE
    Remote operating system guess: Linux 2.1.122 - 2.2.14

    Nmap run completed -- 1 IP address (1 host up) scanned in 467 seconds

Note that this is the traditional command-line version. Several X Window versions are also available, and one of them is included with the base Nmap distribution. In addition, web front ends are available so that you can control it from a remote browser.
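Added example, not from the original talk and not nmap's own code: a parser for the normal-format report shown above. It pulls out the per-port state, service, RPC program and ident owner columns, plus the OS guess and TCP sequence-prediction fields, so a report can be checked mechanically rather than by eye (for instance, that the filtered set here is exactly the SunRPC, NFS, r-services and printer ports, i.e. a packet filter sits in front of the host). The sample text is constructed from the page's own output; the column heuristic for a port that shows an RPC name but no service name is an assumption about this layout.

```python
import re

# Sample constructed from the nmap 2.52 output shown on this page (host name
# and address are the page's own).
SAMPLE = """\
Starting nmap V. 2.52 by email@example.com ( insecure.org/nmap/ )
Interesting ports on foo.bar.com (184.108.40.206):
(The 65514 ports scanned but not shown below are in state: closed)
Port       State       Service (RPC)    Owner
21/tcp     open        ftp              root
22/tcp     open        ssh              root
23/tcp     open        telnet           root
25/tcp     open        smtp             mail
80/tcp     open        http             http
110/tcp    open        pop-3            root
111/tcp    filtered    sunrpc
113/tcp    open        auth             root
220/tcp    filtered    imap3
443/tcp    open        https            http
512/tcp    filtered    exec
513/tcp    filtered    login
514/tcp    filtered    shell
515/tcp    filtered    printer
516/tcp    filtered    videotex
517/tcp    filtered    talk
518/tcp    filtered    ntalk
635/tcp    filtered    unknown
939/tcp    open        (status V1)      root
2049/tcp   filtered    nfs
3600/tcp   open        unknown          root

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4797787 (Good luck!)
Sequence numbers: 702A7726 70243971 7059255D 70F3C86B 710DC518 704EBFEE
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 467 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s*(.*)$")
HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
NOTSHOWN_RE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
OS_RE = re.compile(r"^Remote operating system guess: (.+)$")
DIFF_RE = re.compile(r"Difficulty=(\d+)")
CLASS_RE = re.compile(r"Class=(.+)$")


def parse_port_line(line):
    """Parse one 'port/proto state service (rpc) owner' row, or return None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    port, proto, state, rest = m.groups()
    rpc = None
    rm = re.search(r"\(([^)]*)\)", rest)
    if rm:                               # RPC program name, e.g. "(status V1)"
        rpc = rm.group(1)
        rest = rest[:rm.start()] + rest[rm.end():]
    tokens = rest.split()
    service = owner = None
    if len(tokens) >= 2:
        service, owner = tokens[0], tokens[1]
    elif len(tokens) == 1:
        # Heuristic for this layout (assumption): when an RPC program is shown
        # the service column is empty, so a lone token is the ident owner;
        # otherwise it is the service name (owner is blank for filtered ports).
        if rpc is not None:
            owner = tokens[0]
        else:
            service = tokens[0]
    return {"port": int(port), "proto": proto, "state": state,
            "service": service, "rpc": rpc, "owner": owner}


def parse_nmap_output(text):
    """Turn a normal-format nmap 2.52 report into a dict of fields and rows."""
    report = {"host": None, "ip": None, "ports": [], "not_shown": None,
              "os_guess": None, "seq_class": None, "seq_difficulty": None}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            report["host"], report["ip"] = m.group(1), m.group(2)
        elif (m := NOTSHOWN_RE.match(line)):
            report["not_shown"] = (int(m.group(1)), m.group(2))
        elif (m := OS_RE.match(line)):
            report["os_guess"] = m.group(1).strip()
        elif (m := DIFF_RE.search(line)):
            report["seq_difficulty"] = int(m.group(1))
        elif (m := CLASS_RE.search(line)):
            report["seq_class"] = m.group(1).strip()
        else:
            entry = parse_port_line(line)
            if entry:
                report["ports"].append(entry)
    return report


def summarize(report):
    """Counts per state, the filtered port list (a filter in the path), the
    ident-reported owners, and whether the rows plus the 'not shown' count
    add up to a full 1-65535 sweep as a -p- scan should."""
    counts = {}
    for p in report["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    filtered = [p["port"] for p in report["ports"] if p["state"] == "filtered"]
    hidden = report["not_shown"][0] if report["not_shown"] else 0
    return {"counts": counts,
            "filtered_ports": filtered,
            "firewalled": bool(filtered),
            "owners": {p["port"]: p["owner"] for p in report["ports"] if p["owner"]},
            "full_sweep": len(report["ports"]) + hidden == 65535}


if __name__ == "__main__":
    r = parse_nmap_output(SAMPLE)
    print(r["host"], r["ip"], r["os_guess"])
    print(summarize(r))
```

Running it on the sample yields 10 open and 11 filtered rows, which together with the 65514 closed ports not shown account for all 65535 TCP ports of the -p- scan; the filtered list is exactly the RPC, r-services, printer and NFS ports, which is the signature of a packet filter rather than of services that are simply off.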