News

Scan your network with Nmap

Discover Nmap and learn how to use tshark to examine Nmap traffic

network sniffer

Nmap is an open source tool created by Gordon Fyodor Lyon that supports port scanning, operating system detection and version detection and is very famous – it has even been seen in movies, including The Matrix Reloaded and Elysium.

Nmap stands for Network Mapper and supports more than 15 scanning techniques. Nmap can be useful to network administrators as well as advanced users and hackers. It can be used for securing your own network, but it can be also used for hacking (or cracking) purposes.

When scanning hosts that are not on your local network, keep in mind that sophisticated intermediate devices such as routers, firewalls and proxy servers can mislead Nmap and provide incorrect information on purpose.

Although regular users can perform various Nmap scans, particular command line options demand root privileges to run.

Make sure you experiment with Nmap in order to find out exactly which options and scanning techniques work best for you, but we’ll walk you through some of the options.

Resources

Nmap
WireShark site
RFCs
Internetworking with TCP/IP, Volume I, Douglas E. Comer, Prentice Hall

Step-by-step

Step 01 Get Nmap

Installing Nmap on a Debian 7 Linux system is as easy as running the following command with root privileges:

# apt-get install nmap

When running Nmap, the –v parameter provides additional output to the user about the scanning progress and can be used in combination with every other command line parameter. While an Nmap scan is performed, you can press the ‘v’ key to increase the verbosity of the output and the ‘V’ key to decrease the verbosity of the output.

Step 02 Find Nmap version

You can find the version of Nmap you are using by executing the following command:

$ nmap V
Nmap version 6.00 ( http://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.1.5 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmaplibdnet-1.12 ipv6
Compiled without:
$

Step 03 A simple scan

The simplest scan that you can execute on a Linux system is the following:

$ nmap localhost

The output gives you information about the open ports of localhost (127.0.0.1). As you can see from the output, the 3306 TCP port is only available through the 127.0.0.1 IP address, which means that the MySQL server process accepts local connections only.

Step 04 TCP connect() scan (nmap -sT)

The TCP connect() scan is useful when you do not have root access to a computer. Its weakness is that it leaves traces in the log files of the remote computer because it opens TCP
session to the remote machine.

Step 05 TCP SYN scan (nmap -sS)

The SYN scan never appears to log files because the TCP connection is never initialised. Its disadvantage is that it requires root access to run. What it gives you is information about the open, closed or filtered ports of a machine, which is a good starting point when trying to evaluate the security status of a computer. Remember that although TCP SYN scans do not leave any log info, modern firewalls and capture programs can detect and report TCP SYN scans.

Step 06 Ping scan (nmap -sP)

This is a very fast scan as it only sends ICMP Echo Requests and accepts ICMP Echo Replies. It is not easily noticeable, especially on busy networks. It does not need special privileges in order to run but it does not return much information and it cannot be used in combination with other types of scans. It’s used for finding the active machines on a network.

Step 07 UDP scan (nmap -sU)

The UDP protocol is used by many services and this type of scan is the only way to detect open UDP ports using Nmap. The UDP scan does not create too much network traffic and works well for examining machines that are running Microsoft operating systems, but it needs root privileges to run.

Step 08 Scan multiple hosts at once

The following command scans 256 IP addresses, from 192.168.2.0 to 192.168.2.255:

$ nmap 192.168.2.0/24

Step 09 Use a text file as input (nmap -iL)

You can use a text file in order to specify the hosts or the networks that you want to scan with Nmap. The following example will use the contents of a file named LUD to perform a UDP scan:

$ nmap -sU iL LUD

Step 10 Exclude hosts

The easiest way to exclude hosts is by using the –exclude option. In order to exclude 192.168.1.1 and 192.168.1.5 from your scanning of the 192.168.0.0/16 subnet, you should run the following command:

$ nmap sP 192.168.0.0/16 --exclude 192.168.1.1,192.168.1.5

If you have many IP addresses that you want to exclude, you can put them in a text file (ex_IPs) and use the –excludefile option as follows:

$ nmap sP 192.168.0.0/16 --excludefile ex_IPs

Any exclude option (–exclude or –excludefile) has higher priority than an include option, so in case of conflict, the exclude option wins. This does make sense, as it is better to exclude a host by mistake than include it and generate a Denial of Service attack or slow down a network.

Step 11 Randomise hosts

Nmap can also choose IP addresses randomly and try to scan them. This type of scan can put you into serious trouble if used improperly. The main reason for using it is for generating random network traffic.

nmap --randomize-hosts

Step 12 Nmap output options

Nmap can save its output in various formats. The nmap -oN option saves the output in Normal format, which is suitable for easy reading and printing. The Grepable format (nmap -oG ) makes it easy to locate information in Nmap output. Its main advantage is that the output for each host is automatically stored on a single fi le. The XML format (nmap -oX ) is best suited for displaying the Nmap output as an HTML page or processing it by other software. The Nmap XML document DTD can be found here.

Step 13 Scan scanme.nmap.org

The scanme.nmap.org ( or scanme.insecure.org) host is offered for testing Nmap. This means that it is not illegal to run Nmap using scanme.nmap.org as your target. Please do not use it irresponsibly or for testing a SSH brute-force password-cracking tool – although it won’t filter out 256-999.

Step 14 Scan a Linux machine (part 1)

The two most helpful scans are the TCP and UDP scan because they give you a general overview of a machine, so you should start with them when examining a new machine. You can immediately find out open TCP and UDP ports as well as the network services that a machine runs.

Step 15 Scan a Linux machine (part 2)

Next, you should try something smarter, like “nmap –A –T4”. The –A option enables operating system and version detection (know as TCP/IP fingerprinting), script scanning, and traceroute while the -T4 option is used for faster execution. Please note that if you run the same command without root privileges, you will get a less detailed output.

The –T option is useful for slowing down the scans in order to avoid the creation of too much traffic that can slow down or flood a network or a host. The allowed values of the option are 0-5. A smaller number dictates a slower scan.

Step 16 Scan an iPhone 5

Nowadays, a mobile phone can have an IP address and therefore can be scanned using Nmap! It is interesting to scan new devices to find out their open ports and their behaviour during a scan. The output shows that an iPhone does not have very many open ports.

Step 17 Scan a machine running Mac OS X

As far as Nmap is concerned, a machine that is running Mac OS X does not differ that much from a typical UNIX machine, and its output demonstrates this.

Step 18 Scan a Cisco 877W ADSL router

As you can see, it took Nmap 16.07 seconds to scan a Cisco 877W ADSL router – and its guess was pretty accurate! Nevertheless, you have to keep in mind that Nmap operating system detection is not always accurate and therefore cannot be trusted all the time.

Step 19 Scan a Windows machine

Windows machines have the habit of having more open ports than needed, so it is always a good idea to examine them using Nmap. Here Nmap was unable to correctly detect the operating system of the machine, which dictates the presence of a firewall somewhere in between.

Step 20 Scan an HP printer

Network printers also have an IP address, so Nmap can be used to scan them as well. Nmap found out that it is an HP printer that runs HP embedded and has a web server running (ports 80 and 443 are open). Following the Nmap scan, the printer needed a reboot because all of its lights were blinking!

Step 21 Examine Nmap traffic using tshark

You will now learn how to study the traffic that is created by an Nmap UDP scan using tshark, the command line version of WireShark. First, the network data will be captured. Then, a tshark display filter will be applied in order to display the desired traffic. Finally, specific traffic will be examined and reviewed.

Step 22 Capture the traffic

The Nmap command that is going to be used is the following:

$ sudo nmap sU 192.168.2.10

Just before running Nmap, the following tshark command will be executed for capturing network data:

$ sudo tshark w UDPscan.tcpdump

Step 23 Watch the Nmap traffic

If you want to display the network packets that go to or come from the host with the 192.168.2.10 IP address and also use UDP port 400, you should run the following command:

$ sudo tshark -R "(ip.addr == 192.168.2.10) and (udp.port == 400)" -r UDPscan.tcpdata x

You can examine the network traffi cof other UDP port numbers using analogous commands.

Step 24 Discuss Nmap network traffic.

Nmap UDP port scanning starts by sending empty UDP packets – packets that have no additional data – to various UDP ports waiting for an answer.

You can see that for UDP port 137 (netbios-ns) there is a reply that states that the host cannot understand the actual packet, so Nmap knows that the port is definitely in use!

On the other hand, although a packet was sent to port 80, the answer was a ‘Port unreachable’ packet, so Nmap implies that UDP port 80 is not in use.

If there is no reply at all from the host for a given UDP port, then the port is considered open but filtered (port 138).

×