Analyzing hosts and networks with Nmap

Critical Eye

Article from Issue 155/2013
Author(s):

In "The Matrix Reloaded," Trinity uses Nmap to hack into the power grid to pave Neo's way to the architect of the virtual world. However, the port scanner is also ideal for more mundane purposes – such as discovering vulnerabilities in your domestic network.

Nmap (Network Mapper) [1] discovers computers, services, and vulnerabilities on a network. The port scanner, which is implemented in C++ is GPLv2 licensed and runs on all major operating systems. Nmap has been developed since 1996 by Gordon "Fyodor" Lyon of Insecure.Org. Nmap has appeared in 12 movies, including "The Matrix Reloaded," "Die Hard 4," and "The Bourne Ultimatum."

The Nmap scanner can serve many roles. It uses a variety of approaches to discover computers on a network, and it also provides quite accurate information about operating systems, active services, and service vulnerabilities. Packaged in a cron job, Nmap notifies administrators when a service fails or a computer in the network suddenly offers new services installed by an attacker or overzealous user.

Nmap also includes a scripting engine and many LUA scripts for automating tasks and extending the functionality of the tools. Apart from the scanner, the Nmap suite includes other helpful tools, such as the Zenmap graphical user interface, the Ncat data transfer and debugging tool, the Ndiff comparison tool, and the Nping packet generator.

Getting Started

Most popular Linux distributions offer Nmap through their package repositories. The nmap --version command quickly tells you which version is installed. It is usually not the latest; typically, you will need to build the latest version from source [2]. To build Nmap, download and unpack the source tarball, then execute the standard installation steps with administrative rights:

./configure && make && make install

Nmap allows you to investigate individual computers as well as entire networks, and it distinguishes between privileged and unprivileged users. Some scans are not successful unless you have the necessary privileges (see the box titled "With Privileges"). Nmap's ability to scan entire networks is especially useful if you do not (or no longer) know what services individual computers offer. To scan a network, you can either pass in the IP address of each computer directly in the call to Nmap or pass in a file. An even easier approach is to specify IP address ranges (e.g., in CIDR notation [3]). The commands in the first three lines of Listing 1 are functionally identical. If you want Nmap to parse the hosts from a file, you need a single entry per line, but again, larger ranges are permitted. The file containing the hosts is passed in by using the Nmap -sL <filename> option.

Listing 1

Specifying IP Addresses

# nmap 192.168.1.1 192.168.1.2 <[...]> 192.168.1.254
# nmap 192.168.1.1-254
# nmap 192.168.1.0/24
# nmap -p22,25,80,110,8080-8088 192.168.1.0/24

With Privileges

If you run Nmap as a privileged user, it only knocks on port doors using a SYN (half-open) stealth scan, in which Nmap just sends a SYN packet to the server. If the server responds with SYN-ACK, Nmap sends a RST (reset) packet that immediately terminates the connection (Figure 1). The stealth scan was originally developed to prevent the requested computer from logging the IP address of the requesting computer, but now many firewalls and intrusion detection and intrusion prevention systems detect SYN requests and respond accordingly.

Figure 1: When admins use Nmap, the target systems often do not even notice.

By default, Nmap scans the 1,000 most common ports for each host – it uses a pretty fast procedure, but your mileage can naturally vary depending on the number of computers scanned. The -F (fast) switch lets you limit the number of ports investigated to the 100 most important. To scan only specific ports, you can use the -p switch to specify individual ports or port ranges as a comma-separated list (Listing 1, last line). If you use -p-, you are telling Nmap to scan the full range, 1-65535.

Often knowing whether a host is online and which ports are open is not enough, but Nmap also can collect detailed information about the operating systems and services offered. To do so, use the -sV (version query) and -O (OS detection) options, for which Nmap offers an extensive database with fingerprints of numerous services and operating systems (see the "Feeding Nmap Databases" box).

Feeding Nmap Databases

Nmap identifies operating systems and services using databases that have been fed with details for many years. This makes them very extensive: When this article went to press, the database contained about 3,050 reference fingerprints for operating systems and about 8,600 for services. Nevertheless, it can happen that Nmap does not recognize, or at least does not correctly identify, a service or an OS.

The Nmap developers depend on the assistance of users, who are called on to report these cases. I have used Nmap for several years, but have only had a few opportunities to submit Nmap fingerprints [4]. Listing 2 illustrates an example of a fingerprint, which would be a candidate for the database.

Listing 2

Nmap Fingerprint

SF-Port21-TCP:V=3.40PVT16%D=9/6%Time=3F5A961C%r(NULL,3F,"220\x20stage\x20F
SF:TP\x20server\x20\(Version\x202\.1WU\(1\)\+SCO-2\.6\.1\+-sec\)\x20ready\
SF:.\r\n")%r(GenericLines,81,"220\x20stage\x20FTP\x20server\x20\(Version\x
SF:202\.1WU\(1\)\+SCO-2\.6\.1\+-sec\)\x20ready\.\r\n500\x20'':\x20command\
SF:x20not\x20understood\.\r\n500\x20'':\x20command\x20not\x20understood\.\
SF:r\n");

The -A option also involves numerous scripts in the OS and version detection scan and returns the traceroute. Such scans take a long time and might cause a lot of unwanted "noise" on the target machine. Nmap flags open ports as open and ports that immediately respond to requests with a RST as closed. Additionally, Nmap interprets some ports as filtered. These are ports that are probably protected by a firewall, which simply rejects the request with a DROP. Mixed forms such as open | filtered or closed | filtered mean that Nmap cannot detect the exact status of the port.

Output Formats

Nmap outputs its results on the console by default. For a few scanned hosts, this might be okay, but not for a complete network scan. In this case, it is useful to redirect the output to files. Nmap supports output to standard text files (-oN), grep-optimized text files (-oG), and XML format (-oX). The advantage of XML files is that they are easier to evaluate with other programs later on. Additionally, Nmap supports the ScRipT KIdd|3 (-oS) format, which is designed for a very special target group (Figure 2).

Figure 2: Very special: Nmap output format in leetspeak.

Nmap needs a long time to scan a large network and check UDP ports in the process, but other factors also affect the duration of the scan. For example, if a host is switched off during a scan, Nmap will still try to query all its ports. This might mean that it spends most of the scan time on a handful of computers. The --host-timeout 10s option tells the tool to ignore the host after the specified period of time.

Although the command

# nmap -p- --host-timeout 120s -O -sV -oX nmap.xml 192.168.x1.1/24

tells Nmap to check all computers on the network that were switched on at the time of the call, it stops the tool from investigating any individual host for more than 120 seconds. Instead of seconds (s), you can define the duration in milliseconds (ms) or minutes (m).

Incidentally, if you send the output to a text file, you can cancel the scan and resume later using nmap --resume <file>. This does not work for XML files. However, because XML files provide many options for alternative evaluation, they should be your first choice.

To begin, it makes sense to run Nmap on a computer that you know to be always on. If this is a remote computer, the screen multiplexer [5] often turns out to be a useful tool. If Nmap is running in a session started with

screen -S nmap-session

you can close open consoles after a detach (Ctrl+AD). Later, you can view the session from another computer with

screen -r nmap-session

and check on the progress. Compared with other solutions (such as nohup), the advantage of a screen session is that Nmap is not detached from the input side; thus, you can discover – by pressing Enter at any time – when the port scanner expects to complete the scan (Figure 3).

Figure 3: To discover how long a scan is expected to last, press Enter.

Zenmap

The Zenmap graphical interface can naturally launch Nmap port scans, but it can also present results in a more intuitive way, such as comparing two XML scans stored at different times, to help you evaluate them. At the command line,

ndiff scan1.xml scan2.xml

displays all the relevant information, but Zenmap makes the comparison a little more convenient and understandable (Figure 4).

Figure 4: Which computers run at night and which during the day? Two scans and Ndiff facilitate the evaluation.

Figure 5 shows the topography of the investigated network, another Nmap specialty. All the hosts share a switch. Circles indicate that these are normal computers on the network, such as a desktops, servers, or printers. Rectangles represent network devices, such as switches, routers, or access points.

Figure 5: The topography of an investigated network in the Zenmap view.

The size and color of the icons say something about open ports: Green appliances have three, those in yellow between three and six, and those in red more than six. Clicking on a node displays more detailed information about the host. In Figure 5, the topography looks very symmetrical – this changes when you scan computers at different locations over several hops.

When you click one of the icons in the left-hand column and enable the Host Details tab, two large icons indicate whether the host is a computer (Windows screen, a grinning Mac face, or Linux penguins) or a peripheral device (monitor).

The second icon shows you at a glance how many ports are open: A safety deposit box stands for a maximum of two open ports, a treasure chest represents three or four, and a carton indicates five or six. For seven and eight open ports Nmap shows a smelly cheese, and for everything higher, the symbol is a bomb (Figure 6).

Figure 6: A treasure chest: computer details in Zenmap.

Information about the uptime, hostname, and operating systems is displayed if you set the appropriate options for the scan. Filters help you quickly identify candidates that attackers could use as potential entry points, such as computers with old operating systems or vulnerable services (Figure 7).

Figure 7: Operating systems, services, port status: Zenmap offers several filter options; in this case, looking for computers running Windows XP.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Nmap Scripting

    Nmap is rolling out a new scripting engine to automatically investigate vulnerabilities that turn up in a security scan. We’ll show you how to protect your network with Nmap and NSE.

  • Nmap Methods

    How does the popular Nmap scanner identify holes in network security? In this article, we examine some Nmap analysis techniques.

  • Charly's Column

    Many tools keep growing with each new version, but Nmap 4.00 has lost weight thanks to the Diet-Nmap project. The latest incarnation of Nmap is not only quicker, it is also more frugal with memory.

  • Nmap 4.75 recognizes iPhones and visualizes networks

    "If we are going to call Nmap the 'Network Mapper', it should at least be able to draw you a map of the network! " writes developer Fyodor in announcing the newest version 4.75 of the Nmap security scanner.

  • RadialNet

    RadialNet draws a picture of the network, helping admins identify potential security holes.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News