Jan. 10, 2011, 1:36 a.m.
posted by whitehat
Using nmap
You can use nmap to determine all the TCP/IP ports on which a remote server is listening. It isn't usually an important tool in the home environment, but it can be used in a corporate environment to detect vulnerabilities in your network, such as servers running unauthorized network applications. It is a favorite tool of malicious surfers and therefore should be used to test external as well as internal servers under your control. Whenever you are in doubt, you can get a list of available nmap options by just entering the command without arguments at the command prompt:
[root@bigboy tmp]# nmap
Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
...
...
[root@bigboy tmp]#
Some of the more common nmap options are listed in Figure, but you should also refer to the nmap man pages for full descriptions of them all.
Here is an example of trying to do a scan using valid TCP connections (-sT) in the extremely slow insane mode (-T 5) from ports 1 to 5000:
[root@bigboy tmp]# nmap -sT -T 5 -p 1-5000 192.168.1.153
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on whoknows.my-site-int.com (192.168.1.153):
(The 4981 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
139/tcp open netbios-ssn
199/tcp open smux
2105/tcp open eklogin
2301/tcp open compaqdiag
3300/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
[root@bigboy tmp]#
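The post describes using this kind of scan to find servers running unauthorized network applications. As an added example (not part of the original post or of nmap itself), the script below parses the classic nmap text output shown above, embedded here as a constructed sample, and reports every open port that is not in a hypothetical approved baseline for that host:

```python
import re

# Constructed sample: the nmap 3.00 -sT output from the post, embedded so this runs offline.
SAMPLE_SCAN = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on whoknows.my-site-int.com (192.168.1.153):
(The 4981 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
139/tcp open netbios-ssn
199/tcp open smux
2105/tcp open eklogin
2301/tcp open compaqdiag
3300/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
"""

# Matches the per-port lines of the classic text output: "<port>/<proto> <state> <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_open_ports(scan_text):
    """Return {(port, proto): service} for every port nmap reports as open."""
    found = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found


def unauthorized_ports(scan_text, baseline):
    """Open ports absent from the approved baseline (a set of (port, proto) tuples), sorted."""
    return sorted(p for p in parse_open_ports(scan_text) if p not in baseline)


# Hypothetical baseline for this host: only FTP, SMTP and NetBIOS session service are sanctioned.
BASELINE = {(21, "tcp"), (25, "tcp"), (139, "tcp")}

if __name__ == "__main__":
    services = parse_open_ports(SAMPLE_SCAN)
    for port, proto in unauthorized_ports(SAMPLE_SCAN, BASELINE):
        print(f"unexpected listener: {port}/{proto} ({services[(port, proto)]})")
```

Feeding it the saved output of a real scan against a server you administer, with the baseline set to that server's sanctioned services, turns the scan into a repeatable check rather than a one-off look at the port list.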
Full coverage of the possibilities of nmap as a security scanning tool is beyond the scope of this book, but you should go the extra mile and purchase a text specifically on Linux security to help protect you against attempts at malicious security breaches.