Beginning its life as a simple port-scanner, Nmap has evolved into an excellent network security auditing tool. The Nmap website now describes it as a free and open source utility for network exploration or security auditing.
Like most open source utilities, Nmap is released under the GNU GPL license (free to use, modify, and distribute). Interested users can download the latest version for their OS and start using it. All versions have the same command-line syntax and the same GUI; the only differentiator is a person’s knowledge of how to use it to scan/audit the network.
Understanding the various command-line options should help you use the tool in the most effective way. For example, while demonstrating the Nmap Scripting Engine capabilities at Black Hat 2010, the following steps were performed live:
- Tracking a live Web cam installed on an unknown public IP.
- Brute-forcing its username/password to gain access.
- Watching the live video displayed.
The seemingly impossible feat was performed in less than 15 minutes. Sure, it is definitely not easy to achieve this kind of expertise, but to effectively master Nmap for everyday use should not be too difficult.
Nmap command-line options
If you run nmap without any switches, it gives you a list of all available command-line options. These are logically classified as shown in Table 1.
Table 1: A summary of Nmap commands

| Scan switch | Utilisation |
| --- | --- |
| Target specification | You can specify the target in various intuitive ways: by directly specifying the hostname/IP address, or by giving the start and end addresses to specify a range. You can also pass a list of IP addresses to Nmap using the -iL switch, followed by the name of the file containing the IP list. You may also exclude hosts with the --exclude <hostname(s)> switch. |
| Host discovery | From a wide range of hosts to be scanned, you will probably be interested in finding specific hosts, depending on the reason for the scan. Nmap has various host-discovery techniques; some of the important ones are: |
| Scan techniques | Nmap supports various scan techniques: -sS for a SYN scan; -sP for a ping scan; -sU for a UDP scan; -b for an FTP bounce scan; and -sI for an idle scan, using a zombie host. |
| Port specifications | By default, Nmap scans the 1,000 most common service ports. The --top-ports n switch overrides this default with n. The -F switch reduces the most common scanned ports to 100. The following option is very useful if only predetermined ports are to be scanned: -p U:portnumbers,T:portnumbers |
| Service/version detection | When services are running on non-standard ports, a version detection scan (-sV) on that particular port is an excellent way to detect what service it is. To run this scan on all ports, use --allports. |
| Script scan | As mentioned on nmap.org, NSE is Nmap’s most powerful and flexible feature. Users can write scripts in the Lua programming language for automated scanning. Nmap version 5.50 has 177 ready-made NSE scripts in various categories, including discovery, DoS, exploit, version detection and a few more. Some of the intrusive-category scripts may crash the target system or use up significant resources on the host. |
| Operating system detection | The -O option does operating system “fingerprinting”. Nmap version 5.50 has 2,982 OS fingerprints and 7,319 version-detection signatures. |
| Timings | Though often neglected, adjusting scan timing is very important in effective network scanning. Consider two scenarios: |
| Firewall/IDS evasion and spoofing | -f does fragmentation; -D ip_list sets up decoy hosts. -S ip_address spoofs the source IP address, while --source-port portnumber spoofs the source port number. |
| Output | Three basic output options are available: -oN for normal output, -oX for XML output, and -oG for greppable output. The -oA option writes output in all the above formats at once. One more important option is verbosity. While a scan is running, you may press v to increase verbosity and V (Shift+v) to decrease it. |
| Miscellaneous | The most important is -6, which enables IPv6 scanning. |
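The greppable (-oG) format from the Output row is the one most easily post-processed from a shell. The script below is an added example, not code from the original article: it parses -oG output and reports ports that are open in the latest scan but absent from an earlier baseline, which is how an inventory scan turns into a change alert. Both scan results are constructed sample data, and the nmap command line in the comment is illustrative only (it is not executed).

```shell
#!/bin/sh
# Added example: flag newly opened ports between two Nmap greppable (-oG) results.
# A baseline can be produced with the Table 1 switches, e.g. (not run here):
#   nmap -sS -sV -p U:53,161,T:1-1024 -iL targets.txt --exclude 192.0.2.1 -T4 -oA baseline
# Constructed sample output; 192.0.2.0/24 is a documentation address range.
BASELINE_SCAN=$(printf '%s\t%s\t%s\n' \
  'Host: 192.0.2.10 (web.example.test)' 'Status: Up' '' \
  'Host: 192.0.2.10 (web.example.test)' 'Ports: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd/' 'Ignored State: closed (998)' \
  'Host: 192.0.2.20 (db.example.test)' 'Ports: 3306/open/tcp//mysql//MySQL 5.1/, 3389/filtered/tcp//ms-term-serv///' 'Ignored State: closed (998)')
LATEST_SCAN=$(printf '%s\t%s\t%s\n' \
  'Host: 192.0.2.10 (web.example.test)' 'Ports: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd/, 445/open/tcp//microsoft-ds///' 'Ignored State: closed (997)' \
  'Host: 192.0.2.20 (db.example.test)' 'Ports: 3306/open/tcp//mysql//MySQL 5.1/' 'Ignored State: closed (999)' \
  'Host: 192.0.2.30 ()' 'Ports: 23/open/tcp/////' 'Ignored State: closed (999)')

# Print one "host port/proto service" line per open port in greppable text ($1).
# -oG fields are tab separated; each port entry is port/state/protocol/owner/service/rpcinfo/version/
open_ports() {
  printf '%s\n' "$1" | awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), ports, ", ")
        for (j = 1; j <= n; j++) {
          split(ports[j], f, "/")
          if (f[2] == "open")
            print host, f[1] "/" f[3], (f[5] == "" ? "unknown" : f[5])
        }
      }
    }'
}

# Print entries open in the latest scan ($2) whose host/port pair is missing from the baseline ($1).
new_open_ports() {
  open_ports "$2" | while read -r host port svc; do
    if ! open_ports "$1" | awk -v h="$host" -v p="$port" '$1 == h && $2 == p { found = 1 } END { exit !found }'; then
      printf '%s %s %s\n' "$host" "$port" "$svc"
    fi
  done
}

echo "Ports open now but not in the baseline:"
new_open_ports "$BASELINE_SCAN" "$LATEST_SCAN"
```

Filtered ports are deliberately ignored, so the report only changes when something actually starts listening; the same comparison over XML output is what ndiff automates.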
Nmap uses various files to store its default options. Users may edit these files to fine-tune options for individual scanning requirements.
From the exhaustive list above, a few options that come in really handy while scanning networks are shown in Table 2.
Table 2: Interesting Nmap options

| Option | Description |
| --- | --- |
| --script smb-enum-users, --script smb-enum-shares | Really handy for scanning SMB networks, these NSE scripts respectively return a list of users, and a list of shares, detected in the specified host range. |
| -O | Detects operating systems, even those of various networking devices. |
| -A | Runs a standard scan, including OS and version detection. |
| -T4 | Speeds up the scan; especially useful in quickly scanning a range of IP addresses. |
| -PN (or -P0) | Ping responses are disabled on a few hosts to be scanned. This option skips host discovery and assumes the hosts are up/online. |
Other tools
The Nmap team is also developing some other very interesting tools, some of which follow:
- ncrack — Network authentication cracking tool, includes support for cracking RDP, SSH, HTTP, HTTPS, SMB, POP3, POP3S, FTP, and telnet.
- ncat — Reads and writes data across networks from the command line (similar to netcat)
- zenmap — GUI for Nmap
- ndiff — Compares and shows differences in two Nmap scan result files
- nping — Network packet generation, response analysis and response time measurement tool. Includes echo mode, debugging with sent/received packets, captured packets on the server, etc.
- rainmap — An online scanning service
With this, I conclude this series on Nmap.
References
- Nmap Network Scanning, the book by Gordon “Fyodor” Lyon
- Various Nmap site links: Homepage, Download, NSE Documentation, Rainmap Documentation
- The Lua programming language (used for NSE programming)
- insecure.org