404 lines
25 KiB
HTML
404 lines
25 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Tools of the Trade: nmap LG #56</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<CENTER>
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
|
|
WIDTH="600" HEIGHT="124" border="0"></H1></A>
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="eyler.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue56/flechtner.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="giraldo.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
<P>
|
|
</CENTER>
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4 ALIGN="center">
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">Tools of the Trade: nmap</font></H1>
|
|
<H4>By <a href="mailto:jafgon@bright.net">Josh Flechtner</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<H1>nmap - the Network MAPper</H1>
|
|
<p><b>Author</b>: Fyodor
|
|
<p><b>Required</b>: <tt>flex, bison</tt>
|
|
<pre><b>Homepage</b>: <a href="http://www.insecure.org/nmap">http://www.insecure.org/nmap</a></pre>
|
|
<b>Current stable release</b>: 2.53
|
|
<p><b>License</b>: GPL
|
|
<p><b>Platform ports</b>: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, IRIX,
|
|
BSDI, SunOS, HP-UX, AIX, Digital UNIX, Cray UNICOS and Windows NT.
|
|
|
|
<H1>I. Introduction</H1> <p> The intent of this article is to
|
|
familiarize the reader with the network scanner nmap. As Lamont Grandquist (an
|
|
nmap contributor/developer) points out, nmap does three things: It will ping a
|
|
number of hosts to determine if they are up. It will portscan hosts to
|
|
determine what services they are offering and it will attempt to determine the
|
|
OS (operating system) of host(s). Nmap allows the user to scan networks as
|
|
small as a two node LAN (Local Area Network) or as large as a 500 node LAN and
|
|
even larger. Nmap also allows you to customize your scanning techniques.
|
|
Sometimes a simple ICMP (Internet Control Message Protocol) ping sweep may be
|
|
all you need. If not, then maybe you're looking for a stealth scan giving
|
|
back reports on UDP (User Datagram Protocol) and TCP (Transmission Control
|
|
Protocol) ports that are available and as to what operating system the host is
|
|
using? Still want more? You can do all that and log the data into either
|
|
human-readable or machine-parsable format. In this article I will be covering
|
|
some basic to intermediate scanning techniques to get you off and running with
|
|
nmap. If you love it enough then I would suggest reading the the nmap man pages
|
|
50 times and then translating it into the foreign language of your choice;)
|
|
|
|
<H1>II. Getting Nmap</H1>
|
|
<p> Some Linux distributions come with nmap as part of
|
|
the install. If you do not have nmap then let's begin with grabbing the
|
|
<a href="http://www.insecure.org/nmap">latest copy</a> and getting it up
|
|
and running. The version I will be covering here will be the source code
|
|
tarball, optionally you have both rpm and source-rpm to choose from . The
|
|
Linux distribution I am using is Red Hat 6.1. Download the nmap-latest.tgz
|
|
file into your home directory. Once the download is complete perform <tt>tar
|
|
-zxvf nmap-latest.tgz</tt> and this will unpack the source code into your
|
|
home directory. Go into the newly created nmap-latest directory and read
|
|
both the README and INSTALL files. Ideally the next step would be to perform
|
|
configure, make and (as root) make install in the top level of the newly
|
|
created directory. This will install the nmap binary into /usr/local/bin.
|
|
From here we're ready to run nmap.
|
|
|
|
<H1>III. Using Nmap</H1>
|
|
<p><b><font size=+1>Scanning types</font></b>
|
|
<p> Without further ado, let's
|
|
get down to business with nmap. First we will need an address to scan against.
|
|
If you are working from a LAN then pick a number of one of your hosts.
|
|
Let's say that your LAN consists of two machines: Adam and Eve. Adam (192.168.0.1)
|
|
is the unit we'll be running nmap on. Eve (192.168.0.2) is the machine
|
|
we will be scanning. From the command line I would type the following:
|
|
<p><tt> nmap 192.168.0.1</tt>
|
|
<p>Here is a sample output from the scan:
|
|
<p><b> <u>Example 1</u></b>
|
|
<p><i> Starting nmap V. 2.53
|
|
by fyodor@insecure.org (www.insecure.org/nmap)</i>
|
|
<br><i> Interesting ports on
|
|
Eve (192.168.0.2):</i>
|
|
<br><i> (The 1511 ports scanned
|
|
but not shown below are in state:closed)</i>
|
|
<br><i> Port
|
|
State
|
|
Service</i>
|
|
<br><i> 21/tcp
|
|
open
|
|
ftp</i>
|
|
<br><i> 23/tcp
|
|
open
|
|
telnet</i>
|
|
<br><i> 25/tcp
|
|
open
|
|
smtp</i>
|
|
<br><i> 79/tcp
|
|
open
|
|
finger</i>
|
|
<br><i> 80/tcp
|
|
open
|
|
http</i>
|
|
<br><i> 98/tcp
|
|
open
|
|
linuxconf</i>
|
|
<br><i> 111/tcp
|
|
open
|
|
sunrpc</i>
|
|
<br><i> 113/tcp
|
|
open
|
|
auth</i>
|
|
<br><i> 513/tcp
|
|
open
|
|
login</i>
|
|
<br><i> 514/tcp
|
|
open
|
|
shell</i>
|
|
<br><i> 515/tcp
|
|
open
|
|
printer</i>
|
|
<br><i> 6000/tcp
|
|
open
|
|
X11</i>
|
|
<p><i> Nmap run completed --
|
|
1 IP address (1 host up) scanned in 1 second</i>
|
|
<p><b> </b>What the above example did was run a
|
|
vanilla TCP scan against the designated address. As we can see from this
|
|
sample output our host is up and gives us a list of available ports that
|
|
are listening. This of course is the most basic of all commands and can
|
|
be run without any special privileges. The disadvantage of this call is
|
|
that any host running logging software will easily detect this sort of
|
|
scan. The output of this call would be the same as adding the option -sT
|
|
to the command line so it would look like this: <tt>nmap -sT 192.168.0.2.</tt>
|
|
(Note that this call is allowable by normal users).
|
|
<p> Not on a local LAN? Working from a single host dial-up
|
|
machine? No problem, run <i>ifconfig</i> (or use your favorite text editor
|
|
to view your /var/log/messages file, look for the last entry in the messages
|
|
file that contains a remote IP address) to obtain your IP address and go
|
|
from there. Let's say my IP address is 206.212.15.23, we can use
|
|
that as a premise to base our scans on. So with that in mind let's check
|
|
on our "neighbor":
|
|
<p><tt> nmap -sT 206.212.15.22</tt>
|
|
<p> Here is the sample output:
|
|
<p> <b><u>Example 2</u></b>
|
|
<p> <i>Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap)</i>
|
|
<br><i> Interesting ports on find2-cs-4.dial.ISP.net
|
|
(206.212.15.22):</i>
|
|
<br><i> (1522 ports scanned but not shown below are in
|
|
state: closed)</i>
|
|
<br><i> Port
|
|
State
|
|
Service</i>
|
|
<br><i> 139/tcp
|
|
open
|
|
netbios-ssn</i>
|
|
<p><i> Nmap run completed -- 1 IP address (1 host up)
|
|
scanned in 20 seconds</i>
|
|
<p> This is a very basic example of nmap's capabilities
|
|
but it atleast gives the beginner some grounds to work off of if not on
|
|
a local LAN.
|
|
<p><b> -sS </b>Now let's say that that you wish to use
|
|
a more stealthy scan to prevent detection, you would then use our previous
|
|
example only with the -sS (SYN) call so it would look like this: <tt>nmap
|
|
-sS 192.168.0.2.</tt>The -sS (SYN) call is sometimes referred to as the
|
|
"half-open" scan because you do not initiate a full TCP connection. The
|
|
output will read the same as <b>example 1</b> only with a lesser chance
|
|
of detection from the other end. Unlike running the -sT call this call
|
|
requires root privileges.
|
|
<p> <b>-sF -sX -sN</b> Now for the truly paranoid
|
|
or instances when the target may be running filtering or logging software
|
|
that detect SYN we can issue a third type of call with the -sF (Stealth
|
|
FIN), sX (Xmas Tree) or -sN (Null) scan. Note: Since Microsoft insists
|
|
on doing things their own way, neither the FIN, Xmas or Null scan modes
|
|
will work on Windows 95/98 or NT boxes. So if we were to get a listing
|
|
of available ports running either the -sT or -sS options but "<tt>All scanned
|
|
ports are: closed</tt>" running the -sF, sX or -sN option, then we
|
|
can safely assume that the target is probably a Windows box. This really
|
|
isn't a necessary procedure to verify a Windows machine since nmap
|
|
has built in OS detection which we will cover later. These three commands
|
|
also require root privileges.
|
|
<p> <b>-sU</b> This option tells nmap to scan for listening
|
|
UDP (User Datagram Protocol) rather than TCP ports on a target host. Although
|
|
this can sometimes be slow on Linux machines it runs particularly fast
|
|
against Window boxes. Using our previous examples of Adam and Eve, let's
|
|
run (once again root privilege is required) a -sU scan against Eve:
|
|
<p><tt> nmap -sU 192.168.0.2</tt>
|
|
<p>Here is the sample output from the scan:
|
|
<p><b> <u>Example 3</u></b>
|
|
<p><i> Starting nmap V. 2.53 by fyodor@insecure.org
|
|
(www.insecure.org/nmap)</i>
|
|
<br><i> Interesting ports on Eve (192.168.0.2):</i>
|
|
<br><i> (The 1445 ports scanned but not shown below are
|
|
in state: closed)</i>
|
|
<br><i> Port
|
|
State
|
|
Service</i>
|
|
<br><i> 111/udp
|
|
open
|
|
sunrpc</i>
|
|
<br><i> 517/udp
|
|
open
|
|
talk</i>
|
|
<br><i> 518/udp
|
|
open
|
|
ntalk</i>
|
|
<p><i> Nmap run completed -- 1 IP address (1 host up)
|
|
scanned in 4 seconds</i>
|
|
<p><i> </i>As we can see nmap scanned 1455 ports on Eve
|
|
and gave us a listing of the UDP ports it found to be listening. We can
|
|
gather from examples one and two that we are looking at a Linux install.
|
|
With that in mind if you remember in the introduction I mentioned that
|
|
nmap performs three things: It pings, it portscan's and it detects the
|
|
target's (operating system). Now that we've briefly covered the first two
|
|
uses let's move onto OS detection
|
|
|
|
<H1>IV. OS detection</H1>
|
|
<p> <b>-O</b> This is the option to be used to determine
|
|
the operating system of the given target. It can be used in conjunction
|
|
with our above mentioned scan types or by itself. Nmap uses what is called
|
|
TCP/IP fingerprinting to try and accurately determine the OS of the given
|
|
target. For a more complete reading on OS fingerprinting please see Foyer's
|
|
article titled "Remote OS detection via TCP/IP fingerprinting" found <a href="http://www.insecure.org/nmap/nmap-fingerprinting-article.html">here</a>.
|
|
Now with that in mind let's get right to our next example. Using our target
|
|
host (Eve) from Example 1, I would type the following: (Note that
|
|
the -O option requires root privileges)
|
|
<p><tt> nmap -O 192.168.0.2</tt>
|
|
<p> Here is a the sample output from the scan:
|
|
<p> <b><u>Example 4</u></b>
|
|
<p> <i>Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap)</i>
|
|
<br><i> Interesting ports on Eve (192.168.0.2):</i>
|
|
<br><i> (The 1511 ports scanned but not shown below are
|
|
in state:closed)</i>
|
|
<br><i> Port
|
|
State
|
|
Service</i>
|
|
<br><i> 21/tcp
|
|
open
|
|
ftp</i>
|
|
<br><i> 23/tcp
|
|
open
|
|
telnet</i>
|
|
<br><i> 25/tcp
|
|
open
|
|
smtp</i>
|
|
<br><i> 79/tcp
|
|
open
|
|
finger</i>
|
|
<br><i> 80/tcp
|
|
open
|
|
http</i>
|
|
<br><i> 98/tcp
|
|
open
|
|
linuxconf</i>
|
|
<br><i> 111/tcp
|
|
open
|
|
sunrpc</i>
|
|
<br><i> 113/tcp
|
|
open
|
|
auth</i>
|
|
<br><i> 513/tcp
|
|
open
|
|
login</i>
|
|
<br><i> 514/tcp
|
|
open
|
|
shell</i>
|
|
<br><i> 515/tcp
|
|
open
|
|
printer</i>
|
|
<br><i> 6000/tcp
|
|
open
|
|
X11</i>
|
|
<p><i> TCP Sequence prediction: Class=random positive
|
|
increments</i>
|
|
<br><i>
|
|
Difficulty=1772042 (Good luck!)</i>
|
|
<br><i> Remote operating system guess: Linux 2.1.122
|
|
- 2.2.14</i>
|
|
<p><i> Nmap run completed -- 1 IP address (1 host up)
|
|
scanned in 1 second</i>
|
|
<p> Notice that nmap reports the same available port
|
|
data as it did in example 1 due to the default -sT option, but also the
|
|
OS of the machine (in this case Linux) and the kernel version...not bad
|
|
ehh?! Nmap comes equipped with an impressive OS database.
|
|
|
|
<H1>V. More fun with Nmap</H1>
|
|
<p> Instead of limiting ourselves to scanning just one
|
|
target., let's broaden our horizon's to bigger and better things. In example
|
|
2 we used our IP address to base a scan against. Using that address again
|
|
we can get a look at numerous targets in our "community". At the command
|
|
line type the following (substituting a valid address of your choice of
|
|
course):
|
|
<p> <tt> nmap -sT -O 206.212.15.0-50</tt>
|
|
<p> What this does is instruct nmap to scan every host
|
|
between the IP addresses of 206.212.15.0 and 206.212.15.50. If you happen
|
|
to find many interesting feedback results from this or a larger scale scan
|
|
then you can always pipe the output into your choice of a human readable
|
|
file or a machine parsable file for future reference by issuing the following
|
|
option:
|
|
<p> To create a human readable output file issue the
|
|
<b>-oN<textfile
|
|
name></b> command into your nmap string so that it would look similar to
|
|
this:
|
|
<p><tt> nmap -sT -O -oN sample.txt 206.212.15.0-50</tt>
|
|
<p> Rather have a machine parsable file? Enter the <b>-oM
|
|
<textfile name></b> to pipe the output into a machine parsable file:
|
|
<p><tt> nmap -sT -O -oM sample.txt 206.212.15.0-50</tt>
|
|
<p> *Back when I was becoming aquatinted with all the
|
|
nmap options, I ran my first large scale scan against 250 consecutive machines
|
|
using an arbitrary number (<tt>nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).</tt>To
|
|
my great surprise I was confronted with 250 up and running virgin Linux
|
|
machines. Another reason why Linux enthusiasts should NEVER become bored.
|
|
<p> <b>-I</b> This is a handy little call that activates
|
|
nmap's TCP reverse ident scanning option. This divulges information that
|
|
gives the username that owns available processes. Let's take a look (Note
|
|
that the host has to be running ident). At the command line issue this
|
|
command against your target, in this case our default Eve running Linux:
|
|
<p><tt> </tt> <b>-iR</b> Use this command to instruct nmap to
|
|
scan random hosts for you.
|
|
<p> <b>-p</b> Port range option allows you to pick what
|
|
port or ports you wish nmap to scan against.
|
|
<p> <b>-v</b> Use verbosity to display more output data.
|
|
Use twice (-v -v) for maximum verbosity.
|
|
<p> <b>-h</b> Displays a quick reference of nmap's calls
|
|
|
|
<H1>VI. Gleaning the Cube</H1>
|
|
<p> Now that we have looked at nmap's three basic usage
|
|
types and some of it's other options, let's mix and match them.
|
|
<p><tt> nmap -v -v -sS -O 209.212.53.50-100</tt>
|
|
<p> This instructs nmap to use a maximum amount of verbosity
|
|
to run a stealth scan and OS detection against all machines between IP
|
|
addresses 209.212.53.50 and 209.212.53.100. This command will also require
|
|
root privileges due to both the -sS and -O calls. Of course this will display
|
|
a very overwhelming amount of data so let's log our results into a human
|
|
readable file for future reference:
|
|
<p><tt> nmap -v -v -sS -O -oN sample.txt 209.212.53.50-100</tt>
|
|
<p> Now let's make nmap run a stealth scan and instruct
|
|
it to look only for machines offering http and ftp services between the
|
|
addresses of 209.212.53.50 and 209.212.53.100. Once again we will log the
|
|
output (I'm a log junkie) for future reference into a human readable file
|
|
called ftphttpscan.txt:
|
|
<p><tt> nmap -sS -p 23,80 -oN ftphttpscan.txt 209.212.53.50-100</tt>
|
|
<p> Remember the <b>-iR</b> option mentioned previously?
|
|
Let's use it to take a random sampling of Internet web servers using the
|
|
verbatim example from nmap's man page:
|
|
<p><tt> nmap -sS -iR -p 80</tt>
|
|
<p> Last but certainly not least, while gleaning
|
|
information, don't forget to nmap yourself. Just type at the command line:
|
|
<tt>nmap 127.0.0.1</tt> This is especially useful and recommended if you're
|
|
a newcomer to Linux and connected to the Internet via DSL or cable modem.
|
|
|
|
<H1>VII. Nmap GUI's</H1>
|
|
<p> Now for those of you who would rather not work on
|
|
the command line (shame on you) there are graphical front ends for nmap.
|
|
<p> <b><u>NmapFE</u></b> - NmapFE, written by Zach
|
|
Smith, comes included in the nmap-2.53.rpm and uses the GTK interface.
|
|
NmapFE can be found at <a href="http://codebox.net/nmapfe.html">http://codebox.net/nmapfe.html</a>
|
|
<p> <b><u>Kmap</u></b> - Kmap, written by Ian Zepp,
|
|
uses the QT/KDE frontend for nmap at can be found at <a href="http://www.edotorg.org/kde/kmap/">http://www.edotorg.org/kde/kmap/</a>
|
|
<p> <b><u>KNmap</u></b> - KNmap, written by Alexandre
|
|
Sagala, is another KDE frontend for nmap and can be found at <a href="http://pages.infinit.net/rewind/">http://pages.infinit.net/rewind/</a>
|
|
|
|
<H1>VII. Conclusion</H1>
|
|
<p> This wraps up our quick and dirty look and nmap.
|
|
I hope you find the application as enjoyable as I do. Comments or questions
|
|
can be sent to either myself <a href="mailto:jafgon@bright.net">jafgon@bright.net</a>
|
|
or <a href="fyodor@insecure.org">fyodor@insecure.org</a>. Happy scanning.
|
|
|
|
|
|
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<P> <hr> <!-- P -->
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 2000, Josh Flechtner<BR>
|
|
Published in Issue 56 of <i>Linux Gazette</i>, August 2000</H5>
|
|
<!-- *** END copyright *** -->
|
|
|
|
<!--startcut ==========================================================-->
|
|
<HR><P>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="eyler.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue56/flechtner.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="giraldo.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|