Sunday, 10 October 2010

Beginner level: Nmap examples (basic nmap examples)

This short blog discusses a few nmap command examples for those learning the basics of port-scanning and network reconnaissance.

Nmap is a very powerful and flexible tool, and using it effectively is an important skill for any IT Security Professional or Network Administrator.

Please remember to use these examples for good purposes. I do not condone or recommend breaking the law or unethical practices.

The basic portscan

In its most basic form, nmap is really easy to use. If you have a target IP address and you want to know which common ports are open, here is the most basic nmap example:

nmap 192.168.1.76

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-08-02 22:29 BST
Nmap scan report for lin-desktop.lan (192.168.1.76)
Host is up (0.000039s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds

So, looking at the results, we can see that this system has FTP (port 21 TCP), SSH (port 22 TCP) and HTTP (port 80 TCP) all responding. A pretty straightforward nmap example.

Hidden hosts

Let's look at a system that does not want to play ball. This system has a built-in firewall and does not respond to the initial ICMP ping, so the system is ignored by a default nmap scan.

nmap 192.168.1.254

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-08-02 22:25 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.68 seconds

So we got no results in this example. If the initial ICMP test is skipped (using the -P0 option, or -Pn as the note above suggests), the scan proceeds and still yields good results, so this option is definitely worth bearing in mind.

nmap -P0 192.168.1.254

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-08-02 22:25 BST
Nmap scan report for dsldevice.lan (192.168.1.254)
Host is up (0.0085s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
443/tcp  open  https
1723/tcp open  pptp
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)

Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds

Scanning a certain port across multiple machines

What if you wanted to scan the same port on several systems? In this example we scan all systems in the range 192.168.1.1 to 192.168.1.254 for port 80:

nmap -p 80 192.168.1.1-254

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-10 17:23 UTC
Nmap scan report for laptop.lan (192.168.1.65)
Host is up (0.00013s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for desktop.lan (192.168.1.66)
Host is up (0.021s latency).
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 70:1A:04:AC:BD:FC (Liteon Tech)

Nmap done: 254 IP addresses (2 hosts up) scanned in 5.30 seconds


We detected 2 hosts here. Notice that when we include the -P0 option, more hosts are detected:

nmap -P0 -p 80 192.168.1.1-254

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-10 17:25 UTC
Nmap scan report for laptop.lan (192.168.1.65)
Host is up (0.00013s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for desktop.lan (192.168.1.66)
Host is up (0.021s latency).
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 70:1A:04:AC:BD:FC (Liteon Tech)

Nmap scan report for dsldevice.lan (192.168.1.254)
Host is up (0.033s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)

Nmap done: 254 IP addresses (3 hosts up) scanned in 5.47 seconds
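As an added example (not part of the original post), here is a small Python parser for the normal nmap output shown above. It reads two sweeps, reports which hosts only appeared once -P0 was used, and separates open ports from filtered ones (a firewall dropping the probe, not a listener). The sample text is an abbreviated copy of the two port-80 sweeps above, and the regex and function names are my own.

```python
import re

# Constructed sample: abbreviated copies of the two port-80 sweeps, first without and then with -P0.
SWEEP_DEFAULT = """Nmap scan report for laptop.lan (192.168.1.65)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for desktop.lan (192.168.1.66)
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 70:1A:04:AC:BD:FC (Liteon Tech)

"""
SWEEP_P0 = SWEEP_DEFAULT + """Nmap scan report for dsldevice.lan (192.168.1.254)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)
"""

# "Nmap scan report for name (1.2.3.4)" or "Nmap scan report for 1.2.3.4" (IPv4 only).
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
# "80/tcp open  http" or, with -sV, "443/tcp open ssl/http Alcatel ... 1.0" (version is optional).
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_normal(text):
    """Parse nmap's normal text output into {ip: {"port/proto": (state, service, version)}}.
    A host that is up but shows no port lines still gets an (empty) entry."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            hosts[current] = {}
        elif (m := PORT_RE.match(line)) and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current][f"{port}/{proto}"] = (state, service, version or "")
    return hosts

def diff_scans(before, after):
    """Hosts and ports present in `after` but not in `before`, e.g. what a -P0 rerun uncovered."""
    by_ip = lambda ip: tuple(int(o) for o in ip.split("."))
    new_hosts = sorted(set(after) - set(before), key=by_ip)
    new_ports = {ip: sorted(set(after[ip]) - set(before.get(ip, {}))) for ip in after}
    return new_hosts, {ip: p for ip, p in new_ports.items() if p}

def open_ports(hosts):
    """Keep only state 'open': 'filtered' means a firewall dropped the probe, not a listener."""
    return {ip: sorted(p for p, (state, _, _) in ports.items() if state == "open")
            for ip, ports in hosts.items()}
```

Running diff_scans on the two sweeps shows 192.168.1.254 as the host only found with -P0, and open_ports leaves desktop.lan with no open ports because its 80/tcp is filtered.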


Banner grabbing and versioning

nmap can grab banners to identify the versions of services running, using the -sV option. This shows us which services are running and their versions (the VERSION column in the output below):

nmap -P0 -sV 192.168.1.254

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-10 17:34 UTC
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 17:35 (0:00:10 remaining)
Nmap scan report for dsldevice.lan (192.168.1.254)
Host is up (0.0035s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      Alcatel Speedtouch aDSL router ftpd
23/tcp   open  telnet   Alcatel/Thomson SpeedTouch DSL router admin interface
80/tcp   open  http     Alcatel/Thomson SpeedTouch aDSL http config 1.0
443/tcp  open  ssl/http Alcatel/Thomson SpeedTouch aDSL http config 1.0
1723/tcp open  pptp     THOMSON (Firmware: 1)
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)
Service Info: Host: SpeedTouch; Device: broadband router

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.83 seconds


OS detection

The -O option can be used to identify operating system versions from various signature patterns. The OS guesses appear in the "Running" and "OS details" lines below.

nmap -O 192.168.1.66

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-10 17:39 UTC
Nmap scan report for desktop.lan (192.168.1.66)
Host is up (0.0074s latency).
Not shown: 992 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
5357/tcp  open  unknown
10243/tcp open  unknown
49156/tcp open  unknown
MAC Address: 70:1A:04:AC:BD:FC (Liteon Tech)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS details: Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.23 seconds


zenmap

If you are new to network scanning, then you may want to start getting familiar with nmap by using zenmap. Zenmap is a graphical tool which can be used to drive nmap, with various preconfigured scans and some other cool graphical features which can help you to visualise a network.


This tool can help you to quickly get familiar with various nmap command line options, and save your scans for later analysis.

More details and downloads are available at the following location:
http://nmap.org/download.html
