Analyzing hosts and networks with Nmap
In "The Matrix Reloaded," Trinity uses Nmap to hack into the power grid to pave Neo's way to the architect of the virtual world. However, the port scanner is also ideal for more mundane purposes – such as discovering vulnerabilities in your domestic network.
Nmap (Network Mapper)  discovers computers, services, and vulnerabilities on a network. The port scanner, which is implemented in C++ is GPLv2 licensed and runs on all major operating systems. Nmap has been developed since 1996 by Gordon "Fyodor" Lyon of Insecure.Org. Nmap has appeared in 12 movies, including "The Matrix Reloaded," "Die Hard 4," and "The Bourne Ultimatum."
The Nmap scanner can serve many roles. It uses a variety of approaches to discover computers on a network, and it also provides quite accurate information about operating systems, active services, and service vulnerabilities. Packaged in a cron job, Nmap notifies administrators when a service fails or a computer in the network suddenly offers new services installed by an attacker or overzealous user.
Nmap also includes a scripting engine and many LUA scripts for automating tasks and extending the functionality of the tools. Apart from the scanner, the Nmap suite includes other helpful tools, such as the Zenmap graphical user interface, the Ncat data transfer and debugging tool, the Ndiff comparison tool, and the Nping packet generator.
Most popular Linux distributions offer Nmap through their package repositories. The
nmap --version command quickly tells you which version is installed. It is usually not the latest; typically, you will need to build the latest version from source . To build Nmap, download and unpack the source tarball, then execute the standard installation steps with administrative rights:
./configure && make && make install
Nmap allows you to investigate individual computers as well as entire networks, and it distinguishes between privileged and unprivileged users. Some scans are not successful unless you have the necessary privileges (see the box titled "With Privileges"). Nmap's ability to scan entire networks is especially useful if you do not (or no longer) know what services individual computers offer. To scan a network, you can either pass in the IP address of each computer directly in the call to Nmap or pass in a file. An even easier approach is to specify IP address ranges (e.g., in CIDR notation ). The commands in the first three lines of Listing 1 are functionally identical. If you want Nmap to parse the hosts from a file, you need a single entry per line, but again, larger ranges are permitted. The file containing the hosts is passed in by using the Nmap
-sL <filename> option.
Specifying IP Addresses
# nmap 192.168.1.1 192.168.1.2 <[...]> 192.168.1.254 # nmap 192.168.1.1-254 # nmap 192.168.1.0/24 # nmap -p22,25,80,110,8080-8088 192.168.1.0/24
If you run Nmap as a privileged user, it only knocks on port doors using a SYN (half-open) stealth scan, in which Nmap just sends a SYN packet to the server. If the server responds with SYN-ACK, Nmap sends a RST (reset) packet that immediately terminates the connection (Figure 1). The stealth scan was originally developed to prevent the requested computer from logging the IP address of the requesting computer, but now many firewalls and intrusion detection and intrusion prevention systems detect SYN requests and respond accordingly.
By default, Nmap scans the 1,000 most common ports for each host – it uses a pretty fast procedure, but your mileage can naturally vary depending on the number of computers scanned. The
-F (fast) switch lets you limit the number of ports investigated to the 100 most important. To scan only specific ports, you can use the
-p switch to specify individual ports or port ranges as a comma-separated list (Listing 1, last line). If you use
-p-, you are telling Nmap to scan the full range,
Often knowing whether a host is online and which ports are open is not enough, but Nmap also can collect detailed information about the operating systems and services offered. To do so, use the
-sV (version query) and
-O (OS detection) options, for which Nmap offers an extensive database with fingerprints of numerous services and operating systems (see the "Feeding Nmap Databases" box).
Feeding Nmap Databases
Nmap identifies operating systems and services using databases that have been fed with details for many years. This makes them very extensive: When this article went to press, the database contained about 3,050 reference fingerprints for operating systems and about 8,600 for services. Nevertheless, it can happen that Nmap does not recognize, or at least does not correctly identify, a service or an OS.
The Nmap developers depend on the assistance of users, who are called on to report these cases. I have used Nmap for several years, but have only had a few opportunities to submit Nmap fingerprints . Listing 2 illustrates an example of a fingerprint, which would be a candidate for the database.
SF-Port21-TCP:V=3.40PVT16%D=9/6%Time=3F5A961C%r(NULL,3F,"220\x20stage\x20F SF:TP\x20server\x20\(Version\x202\.1WU\(1\)\+SCO-2\.6\.1\+-sec\)\x20ready\ SF:.\r\n")%r(GenericLines,81,"220\x20stage\x20FTP\x20server\x20\(Version\x SF:202\.1WU\(1\)\+SCO-2\.6\.1\+-sec\)\x20ready\.\r\n500\x20'':\x20command\ SF:x20not\x20understood\.\r\n500\x20'':\x20command\x20not\x20understood\.\ SF:r\n");
-A option also involves numerous scripts in the OS and version detection scan and returns the traceroute. Such scans take a long time and might cause a lot of unwanted "noise" on the target machine. Nmap flags open ports as open and ports that immediately respond to requests with a RST as closed. Additionally, Nmap interprets some ports as filtered. These are ports that are probably protected by a firewall, which simply rejects the request with a
DROP. Mixed forms such as open | filtered or closed | filtered mean that Nmap cannot detect the exact status of the port.
Nmap outputs its results on the console by default. For a few scanned hosts, this might be okay, but not for a complete network scan. In this case, it is useful to redirect the output to files. Nmap supports output to standard text files (
-oN), grep-optimized text files (
-oG), and XML format (
-oX). The advantage of XML files is that they are easier to evaluate with other programs later on. Additionally, Nmap supports the ScRipT KIdd|3 (
-oS) format, which is designed for a very special target group (Figure 2).
Nmap needs a long time to scan a large network and check UDP ports in the process, but other factors also affect the duration of the scan. For example, if a host is switched off during a scan, Nmap will still try to query all its ports. This might mean that it spends most of the scan time on a handful of computers. The
--host-timeout 10s option tells the tool to ignore the host after the specified period of time.
Although the command
# nmap -p- --host-timeout 120s -O -sV -oX nmap.xml 192.168.x1.1/24
tells Nmap to check all computers on the network that were switched on at the time of the call, it stops the tool from investigating any individual host for more than 120 seconds. Instead of seconds (
s), you can define the duration in milliseconds (
ms) or minutes (
Incidentally, if you send the output to a text file, you can cancel the scan and resume later using
nmap --resume <file>. This does not work for XML files. However, because XML files provide many options for alternative evaluation, they should be your first choice.
To begin, it makes sense to run Nmap on a computer that you know to be always on. If this is a remote computer, the screen multiplexer  often turns out to be a useful tool. If Nmap is running in a session started with
screen -S nmap-session
you can close open consoles after a detach (Ctrl+AD). Later, you can view the session from another computer with
screen -r nmap-session
and check on the progress. Compared with other solutions (such as
nohup), the advantage of a screen session is that Nmap is not detached from the input side; thus, you can discover – by pressing Enter at any time – when the port scanner expects to complete the scan (Figure 3).
The Zenmap graphical interface can naturally launch Nmap port scans, but it can also present results in a more intuitive way, such as comparing two XML scans stored at different times, to help you evaluate them. At the command line,
ndiff scan1.xml scan2.xml
displays all the relevant information, but Zenmap makes the comparison a little more convenient and understandable (Figure 4).
Figure 5 shows the topography of the investigated network, another Nmap specialty. All the hosts share a switch. Circles indicate that these are normal computers on the network, such as a desktops, servers, or printers. Rectangles represent network devices, such as switches, routers, or access points.
The size and color of the icons say something about open ports: Green appliances have three, those in yellow between three and six, and those in red more than six. Clicking on a node displays more detailed information about the host. In Figure 5, the topography looks very symmetrical – this changes when you scan computers at different locations over several hops.
When you click one of the icons in the left-hand column and enable the Host Details tab, two large icons indicate whether the host is a computer (Windows screen, a grinning Mac face, or Linux penguins) or a peripheral device (monitor).
The second icon shows you at a glance how many ports are open: A safety deposit box stands for a maximum of two open ports, a treasure chest represents three or four, and a carton indicates five or six. For seven and eight open ports Nmap shows a smelly cheese, and for everything higher, the symbol is a bomb (Figure 6).
Information about the uptime, hostname, and operating systems is displayed if you set the appropriate options for the scan. Filters help you quickly identify candidates that attackers could use as potential entry points, such as computers with old operating systems or vulnerable services (Figure 7).
Buy this article as PDF
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.