Beginning its life as a simple port scanner, Nmap has evolved into an excellent network security auditing tool; the Nmap website now describes it as a free and open source utility for network exploration or security auditing.
Like most open source utilities, Nmap is released under the GNU GPL (free to use, modify and distribute). Interested users can download the latest version for their operating system and start using it straight away. The command-line syntax is the same on every platform, as is the Zenmap GUI; the only differentiator is how well you know the tool and which options to reach for when scanning or auditing a network.
Understanding the various command-line options should help you use the tool in the most effective way. As an illustration of what an expert can do with it, consider the Nmap Scripting Engine demonstration given live at Black Hat 2010, in which the presenters:
- tracked down a live webcam installed on an unknown public IP address;
- brute-forced its username/password to gain access; and
- watched the live video it was streaming.
The seemingly impossible feat took less than 15 minutes. That level of expertise is certainly not easy to reach, but mastering Nmap well enough for everyday use should not be too difficult.
Nmap command-line options
If you run nmap without any switches, it prints a summary of all available command-line options. These are logically classified as shown in Table 1.
Table 1: A summary of Nmap command-line option categories

| Category | What it covers |
|---|---|
| Target specification | You can specify the target in various intuitive ways: by directly giving the hostname or IP address, or by giving the start and end addresses of a range. You can also pass a list of IP addresses to Nmap using the |
| Host discovery | From a wide range of hosts to be scanned, you will probably be interested in finding specific hosts, depending on the reason for the scan. Nmap has various host-discovery techniques; some of the important ones are: |
| Scan techniques | Nmap supports various scan techniques: |
| Port specification | By default, Nmap scans the 1,000 most common service ports. The |
| Service/version detection | When services are running on non-standard ports, a version detection scan ( |
| Script scan | As nmap.org puts it, NSE is Nmap's most powerful and flexible feature. Users can write scripts in the Lua programming language to automate scanning tasks. Nmap version 5.50 ships 177 ready-made NSE scripts in categories including discovery, DoS, exploit and version detection. Note that scripts in the intrusive category may crash the target system or consume significant resources on it. |
| Operating system detection | The |
| Timing | Though often neglected, adjusting scan timing is very important in effective network scanning. Consider two scenarios: |
| Firewall/IDS evasion and spoofing | |
| Output | Three basic output options are available: |
| Miscellaneous | The most important is |
Nmap also ships several data files (nmap-services, nmap-os-db, nmap-service-probes and so on) that hold its defaults, such as the list of well-known ports and their frequencies. Users may edit these files to fine-tune the defaults for individual scanning requirements.
From the exhaustive list above, a few options that come in really handy while scanning networks are shown in Table 2.
Table 2: Useful Nmap options

| Option | Purpose |
|---|---|
| | Really handy when auditing SMB networks: these two options respectively return the list of users and the list of shares found on each host in the specified range. |
| | Detects the operating system, including that of many networking devices. |
| | Runs a standard comprehensive scan that includes OS detection. |
| | Speeds up the scan; especially useful for quickly covering a range of IP addresses. |
| | For hosts that do not answer ping probes: skips host discovery and treats every target as up. |
The Nmap project also develops several other very interesting tools, including:
- ncrack: a network authentication cracking tool with support for RDP, SSH, HTTP, HTTPS, SMB, POP3, POP3S, FTP and Telnet.
- ncat: reads and writes data across networks from the command line (a reimplementation of netcat).
- zenmap: the GUI front end for Nmap.
- ndiff: compares two Nmap scan result files and shows the differences between them.
- nping: a packet generation, response analysis and response-time measurement tool. It includes an echo mode for debugging, which shows the packets as sent, as received, and as captured on the server.
- rainmap: an online scanning service.
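Putting Table 2 to work, and doing by hand what the ndiff entry above describes, here is an added example (my own script, not from the article or the Nmap project): a POSIX shell wrapper that runs an SMB-oriented scan with the options discussed above, reduces Nmap's grepable output (-oG) to one line per open port, and reports which open ports appeared or disappeared between two saved scans of the same range. The flags used (-Pn, -sV, -T4, -p, --script, -oG) and the NSE scripts smb-enum-users and smb-enum-shares are real; the host 10.0.0.5 and the grepable output lines are constructed sample data, not the result of a real scan.

```shell
#!/bin/sh
# Added example (not from the article or the Nmap project): SMB audit wrapper,
# grepable-output parser and a poor man's ndiff. Runs offline on the constructed
# sample below when given no arguments; pass Nmap targets to scan for real.
export LC_ALL=C

# 1. The scan. All flags are real Nmap options:
#    -Pn       skip host discovery (hosts that drop ping are still scanned)
#    -sV       service/version detection on open ports
#    -T4       aggressive timing template, fine on a LAN
#    -p        only the SMB ports
#    --script  run the SMB user and share enumeration NSE scripts
#    -oG -     grepable output to stdout so it can be piped on
scan_smb() {
    nmap -Pn -sV -T4 -p 139,445 --script smb-enum-users,smb-enum-shares -oG - "$@"
}

# 2. Reduce grepable output to "<ip> <port>/<proto> <service> <version>", open ports only.
#    Grepable fields are tab separated; the Ports field holds comma-separated entries
#    of the form port/state/proto/owner/service/rpcinfo/version/.
parse_open_ports() {
    awk -F'\t' '
        /Ports: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) ports = substr($i, 8)
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
            }
        }'
}

# 3. Compare two saved grepable scans (nmap ... -oG before.gnmap, later -oG after.gnmap):
#    "<" marks an open port that went away, ">" one that appeared.
diff_scans() {
    before=$(mktemp) after=$(mktemp)
    parse_open_ports < "$1" | sort > "$before"
    parse_open_ports < "$2" | sort > "$after"
    tab=$(printf '\t')
    comm -3 "$before" "$after" | sed -e "s/^$tab/> /" -e t -e "s/^/< /"
    rm -f "$before" "$after"
}

# Constructed sample (not a real scan): what scan_smb would emit for one host,
# before and after the SMB service moved from 139 to 445.
sample_before() {
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (998)\n'
}
sample_after() {
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: WORKGROUP)/\tIgnored State: filtered (998)\n'
}

if [ $# -eq 0 ]; then
    # No targets given: demonstrate on the sample so the script works offline.
    b=$(mktemp); a=$(mktemp)
    sample_before > "$b"; sample_after > "$a"
    echo "open ports in the first scan:"; parse_open_ports < "$b"
    echo "changes in the second scan (< gone, > new):"; diff_scans "$b" "$a"
    rm -f "$b" "$a"
else
    # Real use, e.g. ./smb-audit.sh 10.0.0.0/24 (any Nmap target specification works)
    scan_smb "$@" | parse_open_ports
fi
```

Grepable output is convenient for shell pipelines, but it does not carry NSE script results; when you need the smb-enum-users and smb-enum-shares output itself, write XML with -oX as well and parse that (or let ndiff compare the XML files directly).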
With this, I conclude this series on Nmap.
Further reading
- Nmap Network Scanning, the book by Gordon “Fyodor” Lyon
- Nmap site links: homepage, download, NSE documentation, Rainmap documentation
- The Lua programming language (used for NSE scripting)
The author is an IS auditor, network security consultant and trainer with 25+ years of industry experience. He is an industrial electronics engineer with CISA, CISSP and DCL certifications. Please feel free to contact him at rajesh at omegasystems dot co dot in.