Nmap Cookbook - Lagout


Nmap Cookbook
The fat-free guide to network scanning


Nmap Cookbook
The Fat-free Guide to Network Scanning

Copyright 2010 Nicholas Marsh
All rights reserved.
ISBN: 1449902529
EAN-13: 9781449902520
www.NmapCookbook.com

BSD is a registered trademark of the University of California, Berkeley
CentOS is property of CentOS Ltd.
Debian is a registered trademark of Software in the Public Interest, Inc.
Fedora is a registered trademark of Red Hat, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation
Gentoo is a registered trademark of The Gentoo Foundation
Linux is the registered trademark of Linus Torvalds
Mac OS X is a registered trademark of Apple, Inc.
Windows is a registered trademark of Microsoft Corporation
Nmap is a registered trademark of Insecure.Com LLC
Red Hat is a registered trademark of Red Hat, Inc.
Ubuntu is a registered trademark of Canonical Ltd.
UNIX is a registered trademark of The Open Group

All other trademarks used in this book are property of their respective owners. Use of any trademark in this book does not constitute an affiliation with or endorsement from the trademark holder.

All information in this book is presented on an “as-is” basis. No warranty or guarantee is provided and the author and/or publisher shall not be held liable for any loss or damage.


Contents at a Glance

Introduction ... 15
Section 1: Installing Nmap ... 19
Section 2: Basic Scanning Techniques ... 33
Section 3: Discovery Options ... 45
Section 4: Advanced Scanning Options ... 65
Section 5: Port Scanning Options ... 79
Section 6: Operating System and Service Detection ... 89
Section 7: Timing Options ... 97
Section 8: Evading Firewalls ... 115
Section 9: Output Options ... 127
Section 10: Troubleshooting and Debugging ... 135
Section 11: Zenmap ... 147
Section 12: Nmap Scripting Engine (NSE) ... 161
Section 13: Ndiff ... 171
Section 14: Tips and Tricks ... 177
Appendix A - Nmap Cheat Sheet ... 187
Appendix B - Nmap Port States ... 191
Appendix C - CIDR Cross Reference ... 193
Appendix D - Common TCP/IP Ports ... 195


Table of Contents

Introduction ... 15
    Conventions Used In This Book ... 18

Section 1: Installing Nmap ... 19
    Installation Overview ... 20
    Installing Nmap on Windows ... 21
    Installing Nmap on Unix and Linux systems ... 25
    Installing Precompiled Packages for Linux ... 25
    Compiling Nmap from Source for Unix and Linux ... 26
    Installing Nmap on Mac OS X ... 29

Section 2: Basic Scanning Techniques ... 33
    Basic Scanning Overview ... 34
    Scan a Single Target ... 35
    Scan Multiple Targets ... 36
    Scan a Range of IP Addresses ... 37
    Scan an Entire Subnet ... 38
    Scan a List of Targets ... 39
    Scan Random Targets ... 40
    Exclude Targets from a Scan ... 41
    Exclude Targets Using a List ... 42
    Perform an Aggressive Scan ... 43
    Scan an IPv6 Target ... 44

Section 3: Discovery Options ... 45
    Discovery Options Overview ... 46
    Don’t Ping ... 47
    Ping Only Scan ... 48
    TCP SYN Ping ... 49
    TCP ACK Ping ... 50
    UDP Ping ... 51
    SCTP INIT Ping ... 52
    ICMP Echo Ping ... 53
    ICMP Timestamp Ping ... 54
    ICMP Address Mask Ping ... 55
    IP Protocol Ping ... 56
    ARP Ping ... 57
    Traceroute ... 58
    Force Reverse DNS Resolution ... 59
    Disable Reverse DNS Resolution ... 60
    Alternative DNS Lookup Method ... 61
    Manually Specify DNS Server(s) ... 62
    Create a Host List ... 63

Section 4: Advanced Scanning Options ... 65
    Advanced Scanning Functions Overview ... 66
    TCP SYN Scan ... 67
    TCP Connect Scan ... 68
    UDP Scan ... 69
    TCP NULL Scan ... 70
    TCP FIN Scan ... 71
    Xmas Scan ... 72
    Custom TCP Scan ... 73
    TCP ACK Scan ... 74
    IP Protocol Scan ... 75
    Send Raw Ethernet Packets ... 76
    Send IP Packets ... 77

Section 5: Port Scanning Options ... 79
    Port Scanning Options Overview ... 80
    Perform a Fast Scan ... 81
    Scan Specific Ports ... 82
    Scan Ports by Name ... 83
    Scan Ports by Protocol ... 84
    Scan All Ports ... 85
    Scan Top Ports ... 86
    Perform a Sequential Port Scan ... 87

Section 6: Operating System and Service Detection ... 89
    Version Detection Overview ... 90
    Operating System Detection ... 91
    Submitting TCP/IP Fingerprints ... 92
    Attempt to Guess an Unknown Operating System ... 93
    Service Version Detection ... 94
    Troubleshooting Version Scans ... 95
    Perform an RPC Scan ... 96

Section 7: Timing Options ... 97
    Timing Options Overview ... 98
    Timing Parameters ... 99
    Timing Templates ... 100
    Minimum Number of Parallel Operations ... 101
    Maximum Number of Parallel Operations ... 102
    Minimum Host Group Size ... 103
    Maximum Host Group Size ... 104
    Initial RTT Timeout ... 105
    Maximum RTT Timeout ... 106
    Maximum Retries ... 107
    Set the Packet TTL ... 108
    Host Timeout ... 109
    Minimum Scan Delay ... 110
    Maximum Scan Delay ... 111
    Minimum Packet Rate ... 112
    Maximum Packet Rate ... 113
    Defeat Reset Rate Limits ... 114

Section 8: Evading Firewalls ... 115
    Firewall Evasion Techniques Overview ... 116
    Fragment Packets ... 117
    Specify a Specific MTU ... 118
    Use a Decoy ... 119
    Idle Zombie Scan ... 120
    Manually Specify a Source Port Number ... 121
    Append Random Data ... 122
    Randomize Target Scan Order ... 123
    Spoof MAC Address ... 124
    Send Bad Checksums ... 125

Section 9: Output Options ... 127
    Output Options Overview ... 128
    Save Output to a Text File ... 129
    Save Output to a XML File ... 130
    Grepable Output ... 131
    Output All Supported File Types ... 132
    Display Scan Statistics ... 133
    133t Output ... 134

Section 10: Troubleshooting and Debugging ... 135
    Troubleshooting and Debugging Overview ... 136
    Getting Help ... 137
    Display Nmap Version ... 138
    Verbose Output ... 139
    Debugging ... 140
    Display Port State Reason Codes ... 141
    Only Display Open Ports ... 142
    Trace Packets ... 143
    Display Host Networking Configuration ... 144
    Specify Which Network Interface to Use ... 145

Section 11: Zenmap ... 147
    Zenmap Overview ... 148
    Launching Zenmap ... 149
    Basic Zenmap Operations ... 150
    Zenmap Results ... 151
    Scanning Profiles ... 152
    Profile Editor ... 153
    Viewing Open Ports ... 154
    Viewing a Network Map ... 155
    Saving Network Maps ... 156
    Viewing Host Details ... 157
    Viewing Scan History ... 158
    Comparing Scan Results ... 159
    Saving Scans ... 160

Section 12: Nmap Scripting Engine (NSE) ... 161
    Nmap Scripting Engine Overview ... 162
    Execute Individual Scripts ... 163
    Execute Multiple Scripts ... 164
    Script Categories ... 165
    Execute Scripts by Category ... 166
    Execute Multiple Script Categories ... 167
    Troubleshoot Scripts ... 168
    Update the Script Database ... 169

Section 13: Ndiff ... 171
    Ndiff Overview ... 172
    Scan Comparison Using Ndiff ... 173
    Ndiff Verbose Mode ... 174
    XML Output Mode ... 175

Section 14: Tips and Tricks ... 177
    Tips and Tricks Overview ... 178
    Combine Multiple Options ... 179
    Scan Using Interactive Mode ... 180
    Runtime Interaction ... 181
    Remotely Scan Your Network ... 182
    Wireshark ... 183
    Scanme.Insecure.org ... 184
    Nmap Online Resources ... 185

Appendix A - Nmap Cheat Sheet ... 187
Appendix B - Nmap Port States ... 191
Appendix C - CIDR Cross Reference ... 193
Appendix D - Common TCP/IP Ports ... 195

This guide is dedicated to the open source community. Without the tireless efforts of open source developers, programs like Nmap would not exist. Many of these developers devote large amounts of their spare time creating and supporting wonderful open source applications and ask for nothing in return.

The collaborative manner in which open source software is developed shows the true potential of humanity if we all work together towards a common goal.


Introduction

Nmap is an open source program released under the GNU General Public License (see www.gnu.org/copyleft/gpl.html). It is an invaluable tool for network administrators which can be used to discover, monitor, and troubleshoot TCP/IP systems. Nmap is a free cross-platform network scanning utility created by Gordon “Fyodor” Lyon and is actively developed by a community of volunteers.

A typical Nmap scan

Nmap’s award-winning suite of network scanning utilities has been in constant development since 1997 and continually improves with each new release. Version 5.00 of Nmap (released in July of 2009) adds many new features and enhancements including:

- Improved service and operating system version detection (see page 89)
- Improved support for Windows and Mac OS X
- Improved Nmap Scripting Engine (NSE) for performing complex scanning tasks (see page 161)
- Addition of the Ndiff utility which can be used to compare Nmap scans (see page 171)

- Ability to graphically display network topology with Zenmap (see page 147)
- …nch, and Portuguese.
- Better overall performance

The Nmap project relies on volunteers to support and develop this amazing tool. If you would like to help improve Nmap, there are several ways to get involved:

Promote Nmap

Nmap is a wonderful tool that every network administrator should know about. Despite its popularity, Nmap isn’t widely known outside of technically elite circles. Promote Nmap by introducing it to your friends or write a blog entry about it and help spread the word.

Report Bugs

You can help improve Nmap by reporting any bugs you discover to the Nmap developers. The Nmap project provides a mailing list for this which can be found online at www.seclists.org/nmap-dev.

Note: Thousands of people worldwide use Nmap. Additionally, Nmap developers are very busy people. Before reporting a bug, or asking for assistance, you should search the Nmap website at www.insecure.org/search.html to make sure your problem hasn’t already been reported or resolved.

Contribute Code

If you’re a hacker with some spare time on your hands, you can get involved with Nmap development. To learn more about contributing code to the Nmap project visit www.nmap.org/data/HACKING.

Submit TCP/IP Fingerprints

If you’re not a programmer, you can still improve Nmap by submitting any unknown TCP/IP fingerprints you discover while scanning. The process for this is discussed on page 92. Submitting fingerprints is easy and it helps improve Nmap’s software version and operating system detection capabilities. Visit www.nmap.org/submit/ for more information or to submit your discoveries.

Sponsor Nmap

The Nmap project does not accept donations. If, however, you have a security related service you would like to promote, you can sponsor Nmap by purchasing an advertising package on the insecure.org website. For more information visit www.insecure.org/advertising.html.

Conventions Used In This Book

C:\ nmap scanme.insecure.org
    Nmap running on Microsoft Windows systems

$ nmap scanme.insecure.org
    Nmap running on non-privileged account for Unix/Linux/Mac OS X

# nmap scanme.insecure.org
    Nmap running on Unix/Linux/Mac OS X systems as the root user

$ sudo nmap scanme.insecure.org
    Using the sudo command to elevate privileges for Unix/Linux/Mac OS X

Note: Windows users may omit the sudo command where used in examples as its use is not necessary and will not work on Microsoft based systems.

# nmap -T2 scanme.insecure.org
    Using command line arguments with Nmap

Important: Nmap’s command line arguments are case sensitive. The -T2 option (see page 100) in the example above is not the same as -t2 and will result in an error if specified in the incorrect case.

...
    Additional Nmap output truncated (to save space)

Section 1: Installing Nmap

Installation Overview

Nmap has its roots in the Unix and Linux environment, but has recently become more compatible with both Microsoft Windows and Apple’s Mac OS X operating system. While great care is taken to make Nmap a universal experience on every platform, the reality is that you may experience bugs, errors, and performance issues when using Nmap on a non-traditional system. This applies mainly to Windows and Mac OS X systems which have various idiosyncrasies that are not present on a typical Unix or Linux system.

Author’s note: The Windows port of Nmap has greatly improved with Nmap 5.0. Increases in performance and reliability make Nmap for Windows as reliable as its Linux counterpart. Unfortunately, the Mac OS port is still a little rough around the edges. Many of the problems with Nmap on Mac OS X stem from issues in Apple’s latest release (Mac OS X 10.6). From monitoring the Nmap developers list, I can confirm that developers are aware of these issues and working to resolve them. These issues will no doubt be resolved over time as development of Nmap version 5.00 continues.

Skip ahead for installation procedures for your platform:

Installing Nmap on Windows ... Page 21
Installing Nmap on Linux ... Page 25
Installing Nmap from source (Unix and Linux) ... Page 26
Installing Nmap on Mac OS X ... Page 29

Installing Nmap on Windows

Step 1
Download the Windows version of Nmap from www.nmap.org.

Step 2
Launch the Nmap setup program. Select the default installation (recommended) which will install the entire Nmap suite of utilities.

Nmap for Windows installer

Step 3
During installation, a helper program called WinPcap will also be installed. WinPcap is required for Nmap to function properly on the Windows platform so do not skip this step.

WinPcap for Windows installer

Step 4
After the WinPcap installation has completed you are given the option to configure its service settings. The default options will enable the WinPcap service to start when Windows boots. This is recommended as Nmap will not function correctly when the WinPcap service is not running.

WinPcap settings

Step 5
Once Nmap has been successfully installed you can verify it is working correctly by executing nmap scanme.insecure.org on the command line (located in Start > Programs > Accessories > Command Prompt).

C:\ nmap scanme.insecure.org
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-07 09:36 Central Daylight Time
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
PORT      STATE  SERVICE
25/tcp    closed smtp
70/tcp    closed gopher
80/tcp    open   http
110/tcp   closed pop3
113/tcp   closed auth
31337/tcp closed Elite
Nmap done: 1 IP address (1 host up) scanned in 9.25 seconds
C:\

Nmap test scan on Microsoft Windows

If the results of your scan are similar to the results above, then you have successfully installed Nmap. If you receive an error, refer to Section 10 of this book for troubleshooting and debugging information.

Installing Nmap on Unix and Linux systems

Most popular Linux distributions provide binary Nmap packages which allow for simple installation. Installation on Unix systems requires compiling Nmap from source code (as described on page 26).

Note: At the time of this writing Nmap version 5.00 was not available for automatic installation on some Linux distributions. For many, installing Nmap via the popular apt or yum package managers will only install version 4.x. If your distribution already has Nmap 5.00 in their repositories you can install Nmap by using the commands listed below. Otherwise, refer to page 26 to install Nmap 5.00 from source code.

Installing Precompiled Packages for Linux

For Debian and Ubuntu based systems
# apt-get install nmap

For Red Hat and Fedora based systems
# yum install nmap

For Gentoo Linux based systems
# emerge nmap

To check which version of Nmap you are running, type the following command on the command line:

# nmap -V
Nmap version 5.00 ( http://nmap.org )

Compiling Nmap from Source for Unix and Linux

Currently, the only way to get Nmap 5.00 for most Unix and Linux systems is to download and compile the source code from the nmap.org website. Building Nmap from source takes a little extra work, but is well worth the effort to get the new features in Nmap’s latest release. The following five steps detail the procedure for installing Nmap from source.

Step 1
Download the Nmap 5.00 source from www.nmap.org/download.html. This can be done via a standard web browser or from the command line using the wget command found on most Unix based systems.

$ wget http://nmap.org/dist/nmap-5.00.tgz
--2009-08-06
Resolving nmap.org... 64.13.134.48
Connecting to nmap.org|64.13.134.48|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9902346 (9.4M) [application/x-tar]
Saving to: `nmap-5.00.tgz'

100%[======================================>] 9,902,346   1.39M/s   in 7.5s

2009-08-06 19:29:42 (1.27 MB/s) - `nmap-5.00.tgz' saved [9902346/9902346]

Downloading Nmap on Unix and Linux systems via the command line

Step 2
Extract the contents of the Nmap package by typing tar -xf nmap-5.00.tgz.

$ tar -xf nmap-5.00.tgz

Extracting Nmap source code

Step 3
Configure and build the Nmap source code by typing cd nmap-5.00/ and then ./configure && make on the command line.

$ cd nmap-5.00/
$ ./configure && make
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
...

Compiling Nmap source code

Step 4
Install the compiled code by typing sudo make install on the command line.

Note: This step will require root privileges. You must login as the root user or use the sudo command to complete this step.

$ sudo make install
Password: ********
/usr/bin/install -c -d /usr/local/bin
/bin/install -c -c -m 755 nmap /usr/local/bin/nmap
/usr/bin/strip -x /usr/local/bin/nmap
/usr/bin/install -c -c -m 644 docs/nmap.1 /usr/local/share/man/man1/
/usr/bin/install -c -c -m 644 docs/nmap.xsl /usr/local/share/nmap/
...
NMAP SUCCESSFULLY INSTALLED

Installing Nmap from source code

Step 5
Once Nmap has been successfully installed, you can verify it is working correctly by executing nmap localhost on the command line.

$ nmap localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-07 00:42 CDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on e6400 (127.0.0.1):
Not shown: 993 closed ports
PORT     STATE SERVICE
/tcp     open  ipp
2049/tcp open  nfs
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

Nmap test scan on Unix/Linux

If the results of your scan are similar to the results above, then you have successfully installed Nmap. If you receive an error, refer to Section 10 of this book for troubleshooting and debugging information.
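The five source-build steps above, combined with the nmap -V version check from the precompiled-package page, as one added shell script. This is example code written for this edition, not the book's or the Nmap project's own; it assumes a POSIX sh, the http://nmap.org/dist/nmap-5.00.tgz download location shown in Step 1, that gcc and make are already installed, and that the script is saved as install-nmap.sh (the file name used in the run guard is an assumption). The script downloads and builds only when the nmap already on PATH is older than the wanted release or is missing, so rerunning it on a finished system is harmless.

```shell
#!/bin/sh
# Added example (not from the book): install Nmap 5.00 from source
# following Steps 1-5, then confirm the result with `nmap -V`.
# Assumptions: POSIX sh, gcc/make present, the book's download URL,
# and that this file is named install-nmap.sh.

NMAP_VERSION="5.00"
NMAP_URL="http://nmap.org/dist/nmap-${NMAP_VERSION}.tgz"

# Pull the version out of the first line of `nmap -V`, e.g.
# "Nmap version 5.00 ( http://nmap.org )" -> "5.00". Only digits and
# dots are accepted so a suffix such as "BETA" cannot reach the
# numeric comparison below.
nmap_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Nmap version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric dotted-version compare; returns 0 when $1 >= $2. Components
# are compared one at a time so 5.00 > 4.76 and 5.21 > 5.00, and a
# missing component counts as 0 (5 == 5.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# The check from the package page: is the nmap on PATH at least the
# wanted release? Prints "ok <ver>", "old <ver>" or "missing"; the
# exit status (0, 1, 2) says the same thing for callers.
check_installed_nmap() {
    want="${1:-$NMAP_VERSION}"
    if ! command -v nmap >/dev/null 2>&1; then
        echo "missing"; return 2
    fi
    have=$(nmap_version_from_output "$(nmap -V 2>/dev/null)")
    if [ -n "$have" ] && version_ge "$have" "$want"; then
        echo "ok $have"; return 0
    fi
    echo "old ${have:-unknown}"; return 1
}

# Steps 1-4: download, extract, configure && make, sudo make install.
# Each step must succeed before the next runs, so a failed build never
# reaches the privileged install step.
build_nmap_from_source() {
    wget "$NMAP_URL" || return 1
    tar -xf "nmap-${NMAP_VERSION}.tgz" || return 1
    (cd "nmap-${NMAP_VERSION}/" && ./configure && make) || return 1
    sudo make -C "nmap-${NMAP_VERSION}/" install || return 1
}

# Step 5 is the second check_installed_nmap call: build only when the
# existing nmap is missing or too old, then verify what was installed.
if [ "${0##*/}" = "install-nmap.sh" ]; then
    if ! check_installed_nmap "$NMAP_VERSION"; then
        build_nmap_from_source && check_installed_nmap "$NMAP_VERSION"
    fi
fi
```

Run it as sh install-nmap.sh; the functions can also be sourced into another script, which is how the version-parsing and comparison helpers are meant to be reused.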

Installing Nmap on Mac OS X

Step 1
Download the Mac OS X version of Nmap from www.nmap.org.

Note: Nmap 5.00 for Mac OS X is a universal installer that works on both Intel and PowerPC Macintosh systems.

Step 2
Launch the Nmap setup program and click
