How to Use NMap
In our previous articles, we discussed at a high level a few tools, the first of which was Nmap from insecure.org. In this article I want to give you a short primer on Nmap and some of the popular methods to use this powerful tool.
Nmap as previously stated was introduced several years ago and has become a very mature and well known tool. Until recently, it was a command line interface tool only, but a few revisions ago, a GUI was added to it making it even easier to use.
While learning this great tool in detail would and does consume large books, I wanted to share a use case with you. First step to using this is to obtain it from insecure.org. You can choose the correct platform for your needs. In my case, I would choose the Windows® installer. Please note the latest version does require the Microsoft Visual C++ 2008 Redistributable Package, available here.
Install and follow the instructions. Once installed find the ICON and start the app. You should see a screen shot that looks like this:
This is the startup screen for Nmap. You'll notice a few important portions of the screen. They are as follows, the TARGET drop down box, the PROFILE (currently set for Intense Scan), the SCAN button which starts the whole process. Below that you'll see the COMMAND box which currently has the default Nmap parameters in it.
Below those are the HOST and SERVICES buttons, and a number of TABS across the top of the next screen. Let's review each one in detail and then conduct a test scan.
TIP : Scanning is very "noisy" in that it will likely set off an IDS (intrusion detection system) or other alarms in most cases and will leave a very good trail. IT CAN be considered a crime in some places and in nearly all cases is very bad-form and rude to scan without permission. So with that said, if you scan a server, please obtain written permission from the owner before hand. Many HOSTS have it buried in their terms and conditions that you cannot scan them and doing so VIOLATES their Terms and Conditions. As you read through this article you will gain a sense of why. This tool is a beneficial and powerful one. It provide a LOT of valuable information. Use it wisely and never for ill gain or harm.
In this field we populate the domain name or the IP address or IP address RANGE.
There are several canned settings for you to scan your target with, in this example we see its the INTENSE SCAN. This is many times blocked immediately by firewalls, IDS and other rules. Here is an example of of my machines blocking it:
Do you see the RED ARROW? It is telling us that the target is 'blocking' our probes and to add -PN to our scan (on the top line) Doing that enabled me to complete the scan. This is fairly typical for a well configured machine. Adding the -PN changes the style of packet stream being sent over the Internet to the target.
This is where you can instruct Nmap what you want it to do specifically. As you learn more about Nmap and its wealth of commands, you can give what various commands on this to scan and probe your target to fit the situation. Once recent example was using this command to scan remote targets to detect the CONFICKER WORM.
Nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 [targetnetworks]
By using that in the COMMAND box, and setting the [targetnetworks] to yours, it would scan and detect (in most cases) for the worm.
HOST and SERVICES buttons
These are operational POST scanning. Once the scan has completed you'll be able to see information about the HOST in the HOST tab and SERVICES will reveal the services running. This is critical to determine if you have a service that should or should not, as well as the 'hosts' resolved there. Likewise - a bad guy could use this information to find a vulnerable application or service on your machine. Its best if you find it first.
The commands listed above are but a handful available, they are defined as:
-PN : Disables PING = This tells Nmap to scan every target IP address - without this Nmap would ping for live IP addresses.
-T4 : Timing - Provides you with various 'timing' methods. This particular one tells Nmap to be aggressive (-T4), others are -T0(paranoid), -T1(sneaky), -T2(polite), -T2(normal), -T5(insane). Each of these will adjust the time for packets to be sent to the target. They consume more resources the higher the number the more the resource.
-p139,445 : Tells Nmap to scan ports 139 and 445. Another convenient option is -p http* which matches ports 80,280, 443 and 8080.
-n : No DNS resolution - this reduces scanning time
-v : Verbose mode - tells Nmap to print both active hosts as well as down hosts.
--script : This particular command invokes a canned or built in script - in this case its checking for various confiker worm vulnerabilities.
-safe=1 : reduces (not eliminates) the chances the script will crash the targeted networks.
In closing Nmap is a well beyond the scope of this short article, but is worth learning more about from the official book.
The Nmap security scanner is (C) 1996-2009 Insecure.com LLC.