Critical Eye

Nmap (Network Mapper) [1] discovers computers, services, and vulnerabilities on a network. The port scanner, which is implemented in C++ is GPLv2 licensed and runs on all major operating systems. Nmap has been developed since 1996 by Gordon "Fyodor" Lyon of Insecure.Org. Nmap has appeared in 12 movies, including "The Matrix Reloaded," "Die Hard 4," and "The Bourne Ultimatum."

The Nmap scanner can serve many roles. It uses a variety of approaches to discover computers on a network, and it also provides quite accurate information about operating systems, active services, and service vulnerabilities. Packaged in a cron job, Nmap notifies administrators when a service fails or a computer in the network suddenly offers new services installed by an attacker or overzealous user.

Nmap also includes a scripting engine and many LUA scripts for automating tasks and extending the functionality of the tools. Apart from the scanner, the Nmap suite includes other helpful tools, such as the Zenmap graphical user interface, the Ncat data transfer and debugging tool, the Ndiff comparison tool, and the Nping packet generator.

Getting Started

Most popular Linux distributions offer Nmap through their package repositories. The nmap --version command quickly tells you which version is installed. It is usually not the latest; typically, you will need to build the latest version from source [2]. To build Nmap, download and unpack the source tarball, then execute the standard installation steps with administrative rights:

./configure && make && make install

Nmap allows you to investigate individual computers as well as entire networks, and it distinguishes between privileged and unprivileged users. Some scans are not successful unless you have the necessary privileges (see the box titled "With Privileges"). Nmap's ability to scan entire networks is especially useful if you do not (or no longer) know what services individual computers offer. To scan a network, you can either pass in the IP address of each computer directly in the call to Nmap or pass in a file. An even easier approach is to specify IP address ranges (e.g., in CIDR notation [3]). The commands in the first three lines of Listing 1 are functionally identical. If you want Nmap to parse the hosts from a file, you need a single entry per line, but again, larger ranges are permitted. The file containing the hosts is passed in by using the Nmap -sL <filename> option.

Figure 1: When admins use Nmap, the target systems often do not even notice.

By default, Nmap scans the 1,000 most common ports for each host – it uses a pretty fast procedure, but your mileage can naturally vary depending on the number of computers scanned. The -F (fast) switch lets you limit the number of ports investigated to the 100 most important. To scan only specific ports, you can use the -p switch to specify individual ports or port ranges as a comma-separated list (Listing 1, last line). If you use -p-, you are telling Nmap to scan the full range, 1-65535.

Often knowing whether a host is online and which ports are open is not enough, but Nmap also can collect detailed information about the operating systems and services offered. To do so, use the -sV (version query) and -O (OS detection) options, for which Nmap offers an extensive database with fingerprints of numerous services and operating systems (see the "Feeding Nmap Databases" box).

The -A option also involves numerous scripts in the OS and version detection scan and returns the traceroute. Such scans take a long time and might cause a lot of unwanted "noise" on the target machine. Nmap flags open ports as open and ports that immediately respond to requests with a RST as closed. Additionally, Nmap interprets some ports as filtered. These are ports that are probably protected by a firewall, which simply rejects the request with a DROP. Mixed forms such as open | filtered or closed | filtered mean that Nmap cannot detect the exact status of the port.

Output Formats

Nmap outputs its results on the console by default. For a few scanned hosts, this might be okay, but not for a complete network scan. In this case, it is useful to redirect the output to files. Nmap supports output to standard text files (-oN), grep-optimized text files (-oG), and XML format (-oX). The advantage of XML files is that they are easier to evaluate with other programs later on. Additionally, Nmap supports the ScRipT KIdd|3 (-oS) format, which is designed for a very special target group (Figure 2).

Figure 2: Very special: Nmap output format in leetspeak.

Nmap needs a long time to scan a large network and check UDP ports in the process, but other factors also affect the duration of the scan. For example, if a host is switched off during a scan, Nmap will still try to query all its ports. This might mean that it spends most of the scan time on a handful of computers. The --host-timeout 10s option tells the tool to ignore the host after the specified period of time.

Although the command

# nmap -p- --host-timeout 120s -O -sV -oX nmap.xml 192.168.x1.1/24

tells Nmap to check all computers on the network that were switched on at the time of the call, it stops the tool from investigating any individual host for more than 120 seconds. Instead of seconds (s), you can define the duration in milliseconds (ms) or minutes (m).

Incidentally, if you send the output to a text file, you can cancel the scan and resume later using nmap --resume <file>. This does not work for XML files. However, because XML files provide many options for alternative evaluation, they should be your first choice.

To begin, it makes sense to run Nmap on a computer that you know to be always on. If this is a remote computer, the screen multiplexer [5] often turns out to be a useful tool. If Nmap is running in a session started with

screen -S nmap-session

you can close open consoles after a detach (Ctrl+AD). Later, you can view the session from another computer with

screen -r nmap-session

and check on the progress. Compared with other solutions (such as nohup), the advantage of a screen session is that Nmap is not detached from the input side; thus, you can discover – by pressing Enter at any time – when the port scanner expects to complete the scan (Figure 3).

Figure 3: To discover how long a scan is expected to last, press Enter.

Zenmap

The Zenmap graphical interface can naturally launch Nmap port scans, but it can also present results in a more intuitive way, such as comparing two XML scans stored at different times, to help you evaluate them. At the command line,

ndiff scan1.xml scan2.xml

displays all the relevant information, but Zenmap makes the comparison a little more convenient and understandable (Figure 4).

Figure 4: Which computers run at night and which during the day? Two scans and Ndiff facilitate the evaluation.

Figure 5 shows the topography of the investigated network, another Nmap specialty. All the hosts share a switch. Circles indicate that these are normal computers on the network, such as a desktops, servers, or printers. Rectangles represent network devices, such as switches, routers, or access points.

Figure 5: The topography of an investigated network in the Zenmap view.

The size and color of the icons say something about open ports: Green appliances have three, those in yellow between three and six, and those in red more than six. Clicking on a node displays more detailed information about the host. In Figure 5, the topography looks very symmetrical – this changes when you scan computers at different locations over several hops.

When you click one of the icons in the left-hand column and enable the Host Details tab, two large icons indicate whether the host is a computer (Windows screen, a grinning Mac face, or Linux penguins) or a peripheral device (monitor).

The second icon shows you at a glance how many ports are open: A safety deposit box stands for a maximum of two open ports, a treasure chest represents three or four, and a carton indicates five or six. For seven and eight open ports Nmap shows a smelly cheese, and for everything higher, the symbol is a bomb (Figure 6).

Figure 6: A treasure chest: computer details in Zenmap.

Information about the uptime, hostname, and operating systems is displayed if you set the appropriate options for the scan. Filters help you quickly identify candidates that attackers could use as potential entry points, such as computers with old operating systems or vulnerable services (Figure 7).

Figure 7: Operating systems, services, port status: Zenmap offers several filter options; in this case, looking for computers running Windows XP.

Scripting Engine

For more detailed investigations, Nmap version 4.5 or later comes with the Nmap Scripting Engine (NSE). With NSE and the current crop of 430 NSE scripts implemented in Lua, you can elicit many additional details from individual hosts (Table 1).

To discover what the individual scripts actually do, run the

nmap --script-help "*"

command. If you replace the asterisk with a category or script name, you only receive information about the associated script(s).

To run one or more scripts against one or more hosts, you can use the

nmap --script <name>

command, where <name> refers to a script, a whole category, a directory of scripts, or a regular expression. Some scripts require additional parameters, which you pass in to Nmap, as in --script-args <parameter>. Using the

nmap - script http-enum <target>

command, for example, will attempt to identify all the interesting URLs that the target host offers (Figure 8).

Figure 8: The http-enum script reveals interesting pages on web servers very quickly.

On the other hand,

nmap -sV -O --script vuln <target>

lets you run all the scripts in the vuln category against each host on the network. Scanning every host with a single command does not replace a thorough review, but it does discover some common vulnerabilities very quickly.

In addition to the NSE scripts included in the Nmap package, you will find more on the Nmap developer list [6] or on the pages of individual developers. You can copy the scripts to Nmap's script directory, if needed, and then bind them to the port scanner using the nmap --script-updatedb command.

Conclusions

Nmap is a very powerful tool whose capabilities go far beyond those of a normal port scanner. The software already supports IPv6 and does not simply give you yes/no statements on whether ports are open; rather, it also determines exactly which services and operating systems are running on the computers under investigation.

Nmap scans both TCP and UDP ports and comes with a number of ping test methods that can work despite firewalls. Additional tricks, such as packages filled with random characters, can also help trick firewalls, IDS, and IPS systems. The Nmap Scripting Engine lets you automate many steps. If you frequently need to analyze networks, it pays to read the excellent and extensive Nmap documentation, which provides examples and a huge amount of background knowledge.

Before you start investigating a third-party host or network, be sure you obtain the consent of the operator; otherwise, they will feel they are being attacked, which can lead to unpleasant legal consequences. If you want to practice, do so on your home network – or use the scanme host offered by Nmap [7].