Host Scanning
Nmap provides the -sP option to perform a host scan. By default, Nmap sends both an ICMP echo request (also known as ping) packet as well as a TCP SYN packet to port 80 (the default web server port) to determine whether a computer is listening on a given IP address. If the IP addresses being scanned are on the same subnet as the scanner, ARP packets are used instead; it is a faster and more reliable way to see which IP addresses are in use. Here’s an example of Nmap scanning the first 20 hosts of a subnet:
[bryan@nereid bryan] sudo nmap -n -sP 10.150.9.1-20
Host 10.150.9.15 appears to be up.
MAC Address: 00:0C:F1:D2:29:4C (Intel)
Host 10.150.9.16 appears to be up.
MAC Address: 00:0B:DB:27:40:47 (Dell ESG Pcba Test)
Nmap finished: 20 IP addresses (2 hosts up) scanned in 0.646 seconds
Dealing with Blocked Pings
One workaround to this problem is to use the -P0 flag, which instructs nmap to bypass the host discovery process entirely and instead connect to every port even if the host seems down. The downside to this approach is that on sparse networks, a tremendous amount of time is wasted trying to scan open ports of vacant IP addresses. Adding -P0 to the above scan did find the Windows XP machine, but it took 56 minutes to complete.
nmap -n <ip address> -P0
A faster solution to the blocked ping problem is to extend the list of probed ports to cover more than just pings and TCP port 80. Nmap provides the following flags to customize the host scan functionality:
-PSportlist
Lets you specify which ports to send TCP SYN packets to. If this flag is omitted, Nmap uses port 80.
-PAportlist
Lets you specify which ports to send TCP ACK packets to. This is similar to the preceding SYN scan but may provide better results when simple firewalls are between you and the host being scanned.
-PUportlist
Lets you specify which ports to send empty UDP packets to. This is similar to the TCP SYN option but for probing UDP applications.
-PE
Instructs Nmap to send ICMP echo request (ping) packets. These packets are sent by default if no -P options are specified.
-PP
Instructs Nmap to send ICMP timestamp packets. These may be used as an alternative to ping packets in case the firewall is only blocking pings.
-PM
Instructs Nmap to send ICMP netmask request packets. These may be used as an alternative to pings in the same fashion as the -PP option.
nmap -sP -PS21,22,23,25,80,139,445,3389 -PU53,67,68,69,111,161,445,514 -PE -PP -PM centos-doxer
Common Windows ports include the following:
[root@centos-doxer ~]# cat /etc/services | awk '$2 ~ /^135\/|^139\/|^445\/|^1025\/|^1026\/|^1027\/|^1028\/|^1029\/|^1030\/|^3389\/|^137\/|^138\//'
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
microsoft-ds 445/tcp
microsoft-ds 445/udp
epmap 135/tcp # DCE endpoint resolution
epmap 135/udp # DCE endpoint resolution
blackjack 1025/tcp # network blackjack
blackjack 1025/udp # network blackjack
cap 1026/tcp # Calender Access Protocol
cap 1026/udp # Calender Access Protocol
solid-mux 1029/tcp # Solid Mux Server
solid-mux 1029/udp # Solid Mux Server
iad1 1030/tcp # BBN IAD
iad1 1030/udp # BBN IAD
ms-wbt-server 3389/tcp # MS WBT Server
ms-wbt-server 3389/udp # MS WBT Server
And common Linux ports include the following:
[root@centos-doxer ~]# cat /etc/services | awk '$2 ~ /^21\/|^22\/|^23\/|^25\/|^80\/|^111\/|^53\/|^67\/|^68\/|^69\/|^161\/|^514\//'
ftp 21/tcp
ftp 21/udp fsp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
telnet 23/tcp
telnet 23/udp
smtp 25/tcp mail
smtp 25/udp mail
domain 53/tcp # name-domain server
domain 53/udp
bootps 67/tcp # BOOTP server
bootps 67/udp
bootpc 68/tcp dhcpc # BOOTP client
bootpc 68/udp dhcpc
tftp 69/tcp
tftp 69/udp
http 80/tcp www www-http # WorldWideWeb HTTP
http 80/udp www www-http # HyperText Transfer Protocol
sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
snmp 161/tcp # Simple Net Mgmt Proto
snmp 161/udp # Simple Net Mgmt Proto
shell 514/tcp cmd # no passwords used
syslog 514/udp
Networking devices such as switches, routers, and firewalls typically provide a variety of network management facilities on a number of ports (although these are usually only enabled on the “internal” interface of the device). Common ports for such devices include the following:
[root@centos-doxer ~]# cat /etc/services | awk '$2 ~ /^22\/|^23\/|^80\/|^443\/|^161\/|^53\/|^67\/|^68\//'
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
telnet 23/tcp
telnet 23/udp
domain 53/tcp # name-domain server
domain 53/udp
bootps 67/tcp # BOOTP server
bootps 67/udp
bootpc 68/tcp dhcpc # BOOTP client
bootpc 68/udp dhcpc
http 80/tcp www www-http # WorldWideWeb HTTP
http 80/udp www www-http # HyperText Transfer Protocol
snmp 161/tcp # Simple Net Mgmt Proto
snmp 161/udp # Simple Net Mgmt Proto
https 443/tcp # MCom
https 443/udp # MCom
Port Scanning
The state is either open, filtered, closed, or unfiltered.
Open – means that an application on the target machine is listening for connections/packets on that port.
Filtered – means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.
Closed – ports have no application listening on them, though they could open up at any time.
Unfiltered – Ports are classified as unfiltered when they are responsive to Nmap’s probes, but Nmap cannot determine whether they are open or closed.
Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describes a port.
Port scanning is so central to these tools that, when run without any command-line flags, they perform a port scan:
[root@slc03nsv ~]# nmap centos-doxer
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-05-04 08:16 UTC
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.60% done; ETC: 08:16 (0:00:31 remaining)
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.79% done; ETC: 08:16 (0:00:19 remaining)
Interesting ports on centos-doxer (10.182.120.188):
Not shown: 1663 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
617/tcp open sco-dtmgr
649/tcp open unknown
975/tcp open securenetpro-sensor
2049/tcp open nfs
5801/tcp open vnc-http-1
5802/tcp open vnc-http-2
5803/tcp open vnc-http-3
5901/tcp open vnc-1
5902/tcp open vnc-2
5903/tcp open vnc-3
6001/tcp open X11:1
6002/tcp open X11:2
6003/tcp open X11:3
Nmap allows you to pick custom ports with the -p ports option. The ports argument is a comma-separated list of ports or port ranges. For example:
nmap -p 21-25,80,100-150 target
Nmap also provides the -F flag, which instructs Nmap to perform a “fast” scan by only looking for ports specified in the nmap-services file. This file comes with Nmap and contains around 1200 ports, which is a small decrease from the 1,600+ ports that Nmap scans by default.
You can mix UDP ports and TCP ports together in the ports list by typing T: in front of the TCP ports and U: in front of the UDP ports. For example, to scan TCP ports 21 through 25 and 80 and UDP ports 5000 through 6000, you would type:
nmap -pT:21-25,80,U:5000-6000 target
Finally, Nmap assumes a port of 1 if the left side of a range is blank, and 65535 if the right side is blank. Therefore, -p-100 is equivalent to -p1-100, and -p100- is equivalent to -p100-65535.
The IP range notation allows you to express complex target lists that are impossible with CIDR notation, such as:
10.1,3,5,7,9.50-100,150-200.1-5,250-254
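The two notations above (the -p port specification with its T:/U: qualifiers and blank range ends, and the per-octet IP range notation) are easy to get wrong when building scan jobs or reviewing someone else's. The following parser, added here as an example and not taken from the page or from Nmap itself, expands both into explicit sets so that a target list or port list can be checked before a scan runs. It assumes, as the text states, that a blank left side of a port range means 1 and a blank right side means 65535; for octets it assumes a blank side means 0 or 255 and that "*" means 0-255. Ports given without a T:/U: qualifier are kept under a separate "any" key, because Nmap applies them to every protocol the scan covers.

```python
import itertools
from typing import Dict, List, Set

# Added example (not from the original page or from Nmap): parsers for the
# -p port specification and the per-octet IPv4 range notation described above.


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Expand an Nmap -p argument into {'tcp': ..., 'udp': ..., 'any': ...}.

    'any' holds ports given without a T:/U: qualifier (Nmap applies those to
    every protocol being scanned).  A qualifier stays in effect until the next
    one.  A blank left side of a range means 1, a blank right side 65535.
    """
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set(), "any": set()}
    proto = "any"
    for item in spec.split(","):
        item = item.strip()
        if item[:2].upper() in ("T:", "U:"):
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:]
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else 65535
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def _expand_octet(octet: str) -> List[int]:
    """One dotted octet: a comma-separated list of values and lo-hi ranges.
    Assumption: a blank side of a range means 0 or 255, '*' means 0-255."""
    values: Set[int] = set()
    for part in octet.split(","):
        if part == "*":
            part = "0-255"
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_ip_ranges(spec: str) -> List[str]:
    """Expand notation such as '10.1,3,5,7,9.50-100,150-200.1-5,250-254'
    into the individual IPv4 addresses it denotes (first octet varies slowest)."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets: {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_expand_octet(o) for o in octets))]


if __name__ == "__main__":
    print(sorted(parse_port_spec("T:21-25,80,U:5000-6000")["tcp"]))
    targets = expand_ip_ranges("10.1,3,5,7,9.50-100,150-200.1-5,250-254")
    print(len(targets), targets[0], targets[-1])
```

Expanding the example target list from the text yields 5,100 addresses, which is the kind of number worth knowing before a scan is launched against a network whose stateful devices may not cope with it (see the note on scan speed further down).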
Different Scan Types
UDP Scan Types
There are two types of UDP scans supported by our tools: empty packet scans and protocol data scans.
Empty packet scans send a UDP packet with no payload to each port. A closed port answers with an ICMP port unreachable message, while an open port usually sends nothing back; a port blocked by a firewall also produces no response, so the two cases look identical and Nmap reports them as open|filtered. This inability to differentiate between an open and firewalled port is a severe limitation of empty packet scans. To instruct Nmap to perform an empty packet UDP scan, use the -sU flag:
nmap -sU target
Protocol data scans are a more sophisticated approach to UDP scanning that involves sending valid application protocol data in UDP packets to ports to see whether an application responds. Using this technique, ports are only assumed to be open if they respond to the protocol data packets with a nonerror response. Since this technique involves speaking to listening applications, it is more likely to be logged or even cause unexpected behavior such as crashing sensitive applications.
Nmap also supports sending protocol data to UDP ports by using the application fingerprinting (-sV) functionality mentioned in Operating System Detection. Here’s an example of Nmap performing a UDP scan with protocol data:
nmap -sU -sV target
Mixing UDP and application fingerprinting scans in Nmap can lead to extremely slow scans. If possible, limit the ports to be scanned to the most interesting.
TCP Scan Types
TCP packets can be marked with six different flags (SYN, ACK, PSH, URG, FIN, RST) in any combination (although only a few combinations are truly legitimate). These flags are used by TCP/IP stacks to communicate control data about a connection back and forth. The default TCP scan uses packets with the SYN flag set only. This produces the most reliable results, as SYN packets are how new TCP connections are initiated, and the scan traffic appears to be normal connection traffic. Using other flag combinations can often yield interesting results, and both Unicornscan and Nmap support arbitrary flag combinations using command-line arguments.
To select a custom flag combination with Nmap, use the --scanflags option, providing the list of flags to be set as its argument. Flag names can appear in any order and aren’t separated by white space or any other characters. For example, to set the SYN and RST flags in the scan packets, you would type:
nmap --scanflags SYNRST target
In addition to allowing arbitrary flag combinations, Nmap provides command-line options to set TCP flags in some common configurations.
SYN scan (-sS)
This is the default scan type when superuser privileges (see Superuser Privileges) are available (Nmap will fall back to using a connect scan when they are not).
Connect scan (-sT)
This is similar to a SYN scan in that packets with the SYN flag are sent, but the connection is fully established then torn down. This mode is inferior to a SYN scan as it involves sending an additional packet, and since a full connection is established, the scan is more likely to be logged by the target host. This is the only TCP scan type supported by Nmap when run by unprivileged users or when scanning IPv6 addresses.
Null (-sN), FIN (-sF), Xmas (-sX), and Maimon (-sM) scans
These four scans function the same way: by abusing an interesting property of TCP stacks. Packets sent to a closed TCP port without the RST flag set have a RST packet sent in return. Meanwhile, packets sent to an open TCP port without one of the SYN, RST, or ACK flags set are silently discarded. By sending packets without any of these flags set, closed ports can be differentiated from open (or filtered) ports. Null scan packets have all flags disabled, FIN scan packets only have the FIN flag set, Xmas scan packets have the FIN, PSH, and URG flags set and Maimon scan packets set the FIN and ACK flags. These scans are not very useful when stateful firewalls (see Chapter 13) are involved, but can often bypass stateless firewalls entirely.
ACK scan (-sA)
This scan is useful for discovering firewall rules for certain firewall types. A host receiving these packets should return a RST packet regardless of whether the port is open or closed. If a RST packet is seen, Nmap assumes the port is unfiltered. If no response is seen then Nmap assumes the port is filtered. This technique works only with firewalls configured to be “moderately” stateful (see Chapter 13). Very stateful firewalls allow only SYN packets, which will lead to all ports being reported as filtered. Stateless firewalls will likely allow all ACK packets through, which Nmap interprets as all ports being unfiltered.
Window scan (-sW)
This scan operates by performing an ACK scan and inspecting the TCP window size returned by the target host. Some operating systems set different window sizes depending on whether the port is open or closed, which Nmap can use to produce scan results. (Most common operating systems do not do this, so your mileage may vary when using this scan type).
An Example of Using Multiple Scan Types
Here is the output of a standard SYN scan of my OS X desktop:
bryan@firemaw:~$ sudo nmap -n -sS 10.150.9.46
Interesting ports on 10.150.9.46:
(The 1667 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
427/tcp closed svrloc
443/tcp closed https
3689/tcp open rendezvous
8080/tcp open http-proxy
From the scan output, we can see that five ports are open (21, 22, 80, 3689, and 8080), two ports are closed (427 and 443), and the remaining ports are filtered. The large number of filtered ports means a firewall is in place. Using an ACK scan, we can try to deduce the firewall policy:
bryan@firemaw:~$ sudo nmap -n -sA 10.150.9.46
All 1674 scanned ports on 10.150.9.46 are: Unfiltered
The ACK scan shows that all ports are unfiltered, even though we know a firewall is present. This means that the firewall is likely stateless (see Chapter 13) and will allow all packets through that do not have the SYN flag set. We can abuse this property by using a Xmas scan to see past the firewall and discover what ports are really open or closed on the target host:
bryan@firemaw:~$ sudo nmap -n -sX 10.150.9.46
Interesting ports on 10.150.9.46:
(The 1668 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
25/tcp open|filtered smtp
80/tcp open|filtered http
3689/tcp open|filtered rendezvous
8080/tcp open|filtered http-proxy
The output of the Xmas scan shows a new port, 25, that was missing from the SYN scan. This means that port 25 is open on the target, but is being blocked by the firewall. This is a valuable piece of information that we were only able to gather by using a nondefault scan.
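The reasoning in this example (filtered ports imply a firewall, an all-unfiltered ACK scan implies the firewall is stateless, and an open|filtered Xmas result behind a stateless firewall means a port that is open but blocked) is exactly what a firewall administrator wants to check after a policy change. The script below, added here as an example and not part of the original page, parses Nmap's Normal output for the three scans shown above and reaches the same conclusions automatically. The embedded sample inputs are the scan outputs quoted in the text; the parser also accepts the newer "Not shown: N closed ports" summary line that appears in the Port Scanning section.

```python
import re
from typing import Dict, List, Union

# Added example (not from the original page): combine SYN, ACK and Xmas results
# in Nmap Normal format to deduce the firewall's behaviour, as the text does.

PORT_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)")
SUMMARY = re.compile(
    r"not shown below are in state: ([\w|]+)\)"      # Nmap 4.x "Interesting ports"
    r"|Not shown: \d+ ([\w|]+) ports"                # newer Nmap
    r"|All \d+ scanned ports on \S+ are: ([\w|]+)")  # nothing to list individually

Scan = Dict[str, Union[str, Dict[int, str]]]


def parse_normal(text: str) -> Scan:
    """Turn Normal output into {'default': state, 'ports': {port: state}}.
    Any port not listed individually is in the 'default' state."""
    default = None
    ports: Dict[int, str] = {}
    for line in text.splitlines():
        m = SUMMARY.search(line)
        if m:
            default = next(g for g in m.groups() if g).lower()
            continue
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2).lower()
    if default is None:
        raise ValueError("no summary line describing the ports not shown")
    return {"default": default, "ports": ports}


def state_of(scan: Scan, port: int) -> str:
    return scan["ports"].get(port, scan["default"])


def analyse(syn: Scan, ack: Scan, xmas: Scan) -> Dict[str, object]:
    """Apply the reasoning from the text:
    - SYN scan: most ports filtered           -> a firewall is present
    - ACK scan: everything unfiltered anyway  -> the firewall is stateless
    - stateless firewall + Xmas open|filtered -> port is really open; if the
      SYN scan saw it as filtered, it is open but blocked by the firewall."""
    candidates = sorted(set(syn["ports"]) | set(xmas["ports"]))
    firewall = syn["default"] == "filtered"
    stateless = (firewall and ack["default"] == "unfiltered"
                 and all(state_of(ack, p) == "unfiltered" for p in candidates))
    return {
        "firewall_present": firewall,
        "stateless_firewall": stateless,
        "reachable_open": [p for p in candidates if state_of(syn, p) == "open"],
        "closed": [p for p in candidates if state_of(syn, p) == "closed"],
        "blocked_open": [p for p in candidates if stateless
                         and state_of(syn, p) == "filtered"
                         and state_of(xmas, p) == "open|filtered"],
    }


# Sample inputs: the three scan outputs quoted in the text above.
SYN_OUT = """Interesting ports on 10.150.9.46:
(The 1667 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
427/tcp closed svrloc
443/tcp closed https
3689/tcp open rendezvous
8080/tcp open http-proxy
"""
ACK_OUT = "All 1674 scanned ports on 10.150.9.46 are: Unfiltered\n"
XMAS_OUT = """Interesting ports on 10.150.9.46:
(The 1668 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
25/tcp open|filtered smtp
80/tcp open|filtered http
3689/tcp open|filtered rendezvous
8080/tcp open|filtered http-proxy
"""


def analyse_sample() -> Dict[str, object]:
    return analyse(parse_normal(SYN_OUT), parse_normal(ACK_OUT), parse_normal(XMAS_OUT))


if __name__ == "__main__":
    for k, v in analyse_sample().items():
        print(f"{k}: {v}")
```

Run against the three outputs above, the analysis reports a stateless firewall, ports 21, 22, 80, 3689 and 8080 open and reachable, 427 and 443 closed, and port 25 open but blocked, which is the conclusion the text draws by hand.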
Scans can wreak havoc on stateful network devices such as firewalls and NATing routers. Each packet of a scan typically represents a new connection, and a full-speed scan can easily exceed the resources of intermediary network devices. Depending on your network infrastructure, it is quite possible to perform a DoS (Denial of Service) attack on yourself by running a scan too fast. (I have personally crashed a number of commercial-grade firewalls by running Nmap with the -T5 option.) Another complication is that many firewall and IPS devices respond to a flood of SYN packets by enabling SYN cookies, which makes every port appear to be open.
Application Fingerprinting
The -sV option instructs Nmap to test for application type and version for all ports found to be open:
bryan@firemaw:~$ sudo nmap -n -sV 10.150.9.46
Interesting ports on 10.150.9.46:
(The 1667 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
21/tcp open ftp tnftpd 20040810
22/tcp open ssh OpenSSH 3.8.1p1 (protocol 1.99)
80/tcp open http Apache httpd 1.3.33 ((Darwin) PHP/4.4.1)
427/tcp closed svrloc
443/tcp closed https
3689/tcp open rendezvous Apple iTunes 6.0.4 (on Mac OS X)
8080/tcp open http-proxy
Operating System Detection
To enable OS detection, add the -O flag to the scan command line. The following flags can be used in conjunction with OS detection to augment the results:
-v
This flag increases Nmap’s verbosity. When used with -O, Nmap performs a TCP Initial Sequence Number (ISN) and IP ID analysis. These metrics can be used to determine how susceptible the target is to various forms of traffic spoofing. Targets that are reported as having incremental IP ID sequence generation are good candidates for idle scans (see Avoiding Detection).
--osscan-limit
This flag instructs Nmap to perform OS detection only on hosts with at least one open and one closed port, leading to more accurate results.
--fuzzy or --osscan-guess
This flag instructs Nmap to make guesses about potential target operating systems when an exact match cannot be found.
Depending on the OS being scanned and the state of ports found, the results of the OS detection can vary from very accurate, to broad, to no matches at all.
nmap -n -O 10.150.9.1-254
Saving Nmap Output
By default, Nmap displays results of the scan to the terminal, but it is often preferable to save the results to a file for later inspection. This is particularly useful when scanning a large network as the scan output can span tens of pages. Some tools even take Nmap scan files as input, which is yet another reason to save the scan results to a file. Nmap can store the results of its scans in four different formats:
Normal
This is the same format as what is displayed to the terminal during a scan. The only difference is that the command-line options are printed at the top of the file as a reminder of what the scan was configured to do, and some runtime warnings are omitted.
Grepable
This format presents the results with one host per line in a concise fashion, meant to be easily processed with Unix text tools such as grep, sed, awk, and diff. Because of the condensed nature of this format, not all scan output may be preserved this way.
XML
This is the most powerful format, as the entire scan results are represented in highly structured XML for easy parsing by third-party applications. Unlike the Grepable format, all scan output is present in these files.
Script Kiddie
This format is presented solely as a joke and is simply the Normal output passed through a text-mangling filter.
These various output formats can be selected with the -otype filename option, where the type is N, G, X, or S. An additional option, -oA basename, is supported to simultaneously write the scan output in the Normal, Grepable, and XML formats. With this option, the files are named basename.nmap, basename.gnmap, and basename.xml. Multiple output formats can be specified using -o flags as well. For example, to write the output of a scan in normal and XML formats simultaneously, you would type:
nmap -oN normal_output -oX xml_output target
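The main reason to keep XML or Grepable output is to process it later, for instance to compare a fresh scan of your own hosts against a saved baseline and flag anything that has changed. The script below is added here as an example; it is not from the page or from the Nmap project. It reads the XML (-oX) and Grepable (-oG) formats into one common structure and diffs two scans of the same host. The embedded sample documents are constructed, modelled on the -sV output of 10.150.9.46 shown earlier, with an invented second scan in which port 25 has appeared, port 21 has closed and the web server version has changed. The Grepable parser shows the text's point that the condensed format carries less than the XML: it has no separate product and version fields, only a single banner string.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Added example (not from the original page or from the Nmap project): read
# -oX and -oG output into one structure and diff two scans of the same host.

PortKey = Tuple[str, int]                               # (protocol, port)
ScanResult = Dict[str, Dict[PortKey, Dict[str, str]]]   # address -> port -> info


def parse_xml(text: str) -> ScanResult:
    """Collect state, service name, product and version for every <port>
    element of every host whose <status> is up (first <address> is used)."""
    result: ScanResult = {}
    for host in ET.fromstring(text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ports = result.setdefault(host.find("address").get("addr"), {})
        for port in host.iter("port"):
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": port.find("state").get("state"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
            }
    return result


def parse_grepable(text: str) -> ScanResult:
    """Grepable output: tab-separated 'Host: ...  Ports: ...' fields, one line
    per host; each port entry is port/state/proto/owner/service/rpc/version/."""
    result: ScanResult = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = result.setdefault(fields["Host"].split()[0], {})
        for entry in fields["Ports"].split(", "):
            num, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
            ports[(proto, int(num))] = {"state": state, "service": service,
                                        "product": "", "version": version}
    return result


def diff_scans(baseline: ScanResult, current: ScanResult) -> Dict[str, List[Tuple[str, str, int]]]:
    """List ports that became open, stopped being open, or changed product/version."""
    changes: Dict[str, List[Tuple[str, str, int]]] = {
        "newly_open": [], "no_longer_open": [], "version_changed": []}
    for addr in sorted(set(baseline) | set(current)):
        old, new = baseline.get(addr, {}), current.get(addr, {})
        for key in sorted(set(old) | set(new)):
            was_open = old.get(key, {}).get("state") == "open"
            is_open = new.get(key, {}).get("state") == "open"
            item = (addr, key[0], key[1])
            if is_open and not was_open:
                changes["newly_open"].append(item)
            elif was_open and not is_open:
                changes["no_longer_open"].append(item)
            elif was_open and (old[key]["product"], old[key]["version"]) != \
                    (new[key]["product"], new[key]["version"]):
                changes["version_changed"].append(item)
    return changes


# Constructed sample documents, modelled on the -sV scan of 10.150.9.46 above.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -n -sV 10.150.9.46">
<host><status state="up"/><address addr="10.150.9.46" addrtype="ipv4"/><ports>
<extraports state="filtered" count="1667"/>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="tnftpd" version="20040810"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="3.8.1p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="1.3.33"/></port>
</ports></host></nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -n -sV 10.150.9.46">
<host><status state="up"/><address addr="10.150.9.46" addrtype="ipv4"/><ports>
<extraports state="filtered" count="1667"/>
<port protocol="tcp" portid="21"><state state="closed"/><service name="ftp"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="3.8.1p1"/></port>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="1.3.34"/></port>
</ports></host></nmaprun>"""

BASELINE_GREPABLE = ("Host: 10.150.9.46 ()\tPorts: 21/open/tcp//ftp//tnftpd 20040810/, "
                     "22/open/tcp//ssh//OpenSSH 3.8.1p1/, 80/open/tcp//http//Apache httpd 1.3.33/"
                     "\tIgnored State: filtered (1667)")


if __name__ == "__main__":
    for kind, items in diff_scans(parse_xml(BASELINE_XML), parse_xml(CURRENT_XML)).items():
        print(kind, items)
```

A cron job that runs the scan with -oA, parses the .xml file this way and mails the non-empty diff is a cheap way to notice an unexpected listener on your own hosts; the same structure works as input for the tools mentioned above that consume Nmap scan files.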
PS: This article is mainly based on the book Security Power Tools.