Troubleshooting and Debugging - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 10: Troubleshooting and Debugging

Overview

Technical problems are an inherent part of using computers. Nmap is no exception. Occasionally a scan may not produce the output you expected. You may receive an error – or you may not receive any output at all. Nmap offers several options for tracing and debugging a scan, which can help identify why this happens. The following section describes these troubleshooting and debugging features.

Summary of features covered in this section:

-h              Getting Help
-V              Display Nmap Version
-v              Verbose Output
-d              Debugging
--reason        Display Port State Reason
--packet-trace  Trace Packets
--iflist        Display Host Networking
-e              Specify a Network Interface

Getting Help

Executing nmap -h will display a summary of available options.

Usage syntax: nmap -h

$ nmap -h | more

Nmap 6.47 ( http://nmap.org )

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

-iL <inputfilename>: Input from list of hosts/networks

-iR <num hosts>: Choose random targets

--exclude <host1[,host2][,host3],...>: Exclude hosts/networks

--excludefile <exclude_file>: Exclude list from file

[...]

Displaying Nmap help information

The -h option displays a quick cheat sheet of Nmap’s features. For more detailed information, you can read the Nmap manual page by executing man nmap on the command line. The manual for Nmap provides a description of every Nmap feature and is a handy reference when working on the command line.

$ man nmap

NMAP(1) Nmap Reference Guide

NAME

nmap - Network exploration tool and security / port scanner

SYNOPSIS

nmap [Scan Type...] [Options] {target specification}

DESCRIPTION

Nmap (“Network Mapper”) is an open source tool for network exploration and

[...]

Accessing the Nmap man page on Unix and Linux systems

Note: The man command is only available on Unix, Linux, and Mac OS X based systems. Windows users can read the Nmap manual online at nmap.org/book/man.html.

Tip: You can also find help online by subscribing to the Nmap mailing list at seclists.org.

Display Nmap Version

The -V option (uppercase V) is used to display the installed version of Nmap.

Usage syntax: nmap -V

$ nmap -V

Nmap version 6.47 ( http://nmap.org )

Platform: x86_64-pc-linux-gnu

Compiled with: liblua-5.2.3 openssl-1.0.1f libpcre-8.31 libpcap-1.5.3 nmap-libdnet-1.12 ipv6

Compiled without:

Available nsock engines: epoll poll select

Displaying the installed version of Nmap

The -V option displays the Nmap version along with other information about how it was compiled. When troubleshooting Nmap problems you should always make sure you have the most up-to-date version installed. Open source programs like Nmap are developed at a rapid pace and critical bugs are typically fixed as soon as they are discovered. Compare your installed version to the latest version available on the Nmap website at nmap.org to make sure you are running the most up-to-date version available. This will ensure that you have access to the latest features as well as the most bug-free version available.

Verbose Output

The -v option (lowercase v) is used to enable verbose output.

Usage syntax: nmap -v [target]

# nmap -v scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:49 CST

Initiating Ping Scan at 11:49

Scanning scanme.nmap.org (74.207.244.221) [4 ports]

Completed Ping Scan at 11:49, 1.00s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 11:49

Completed Parallel DNS resolution of 1 host. at 11:49, 0.00s elapsed

Initiating SYN Stealth Scan at 11:49

Scanning scanme.nmap.org (74.207.244.221) [1000 ports]

Discovered open port 22/tcp on 74.207.244.221

Discovered open port 80/tcp on 74.207.244.221

Discovered open port 9929/tcp on 74.207.244.221

Completed SYN Stealth Scan at 11:49, 2.00s elapsed (1000 total ports)

Nmap scan report for scanme.nmap.org (74.207.244.221)

Host is up (0.31s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 3.09 seconds

Raw packets sent: 1188 (52.248KB) | Rcvd: 1185 (47.445KB)

Nmap scan with verbose output enabled

Verbose output can be useful when troubleshooting connectivity problems, or if you are simply interested in what’s going on behind the scenes of your scan. In the example above, verbose output is displayed for the scan in progress. Most of this information appears in real-time, prior to the final port display and summary. Additional information, such as data files and packet counts, is displayed at the end of the scan.

Tip: You can use -vv to enable additional verbose output.

Debugging

The -d option enables debugging output.

Usage syntax: nmap -d[1-9] [target]

# nmap -d scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:49 CST

PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)

--------------- Timing report ---------------

hostgroups: min 1, max 100000

rtt-timeouts: init 1000, min 100, max 10000

max-scan-delay: TCP 1000, UDP 1000, SCTP 1000

parallelism: min 0, max 0

max-retries: 10, host-timeout: 0

min-rate: 0, max-rate: 0

---------------------------------------------

Initiating Ping Scan at 11:49

Scanning scanme.nmap.org (74.207.244.221) [4 ports]

Packet capture filter (device eth0): dst host 10.10.4.25 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 74.207.244.221)))

We got a TCP ping packet back from 74.207.244.221 port 80 (trynum = 0)

Completed Ping Scan at 11:49, 1.00s elapsed (1 total hosts)

Overall sending rates: 3.99 packets / s, 151.48 bytes / s.

mass_rdns: Using DNS server 10.10.4.46

Initiating Parallel DNS resolution of 1 host. at 11:49

mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]

Completed Parallel DNS resolution of 1 host. at 11:49, 0.00s elapsed

DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]

Initiating SYN Stealth Scan at 11:49

Scanning scanme.nmap.org (74.207.244.221) [1000 ports]

Packet capture filter (device eth0): dst host 10.10.4.25 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 74.207.244.221)))

Discovered open port 22/tcp on 74.207.244.221

Discovered open port 80/tcp on 74.207.244.221

Discovered open port 9929/tcp on 74.207.244.221

Increased max_successful_tryno for 74.207.244.221 to 1 (packet drop)

Completed SYN Stealth Scan at 11:50, 2.00s elapsed (1000 total ports)

Overall sending rates: 591.12 packets / s, 26009.44 bytes / s.

Nmap scan report for scanme.nmap.org (74.207.244.221)

Host is up, received reset (0.34s latency).

Scanned at 2015-01-17 11:49:57 CST for 3s

[...]

Nmap debugging output

Debugging output provides additional information that can be used to trace bugs or troubleshoot problems. The default -d output provides a fair amount of debugging information. You can also specify a debugging level of 1-9 to be used with the -d parameter to increase or decrease the amount of output. For example: -d1 provides the lowest amount of debugging output and -d9 is the highest.

Display Port State Reason Codes

The --reason parameter displays the reason why a port is considered to be in the given state.

Usage syntax: nmap --reason [target]

# nmap -p25,80,135 --reason 10.10.4.80

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-08 19:40 CST

Nmap scan report for 10.10.4.80

Host is up, received arp-response (0.00045s latency).

PORT    STATE    SERVICE REASON
25/tcp  closed   smtp    reset
80/tcp  open     http    syn-ack
135/tcp filtered msrpc   port-unreach

MAC Address: 00:50:56:BA:F8:B2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds

Nmap scan with port state reason codes enabled

Notice the addition of the REASON field in the above scan. The information in this field can be useful when trying to determine why a target’s ports are in a particular state. Ports that respond with syn-ack are considered open. Ports that respond with conn-refused or reset are typically closed. Ports that do not respond at all are generally filtered (by a firewall). An ICMP port unreachable message (port-unreach) is usually the result of a protocol mismatch, but can be generated by numerous other conditions.

Trace Packets

The --packet-trace parameter instructs Nmap to display a summary of all packets sent and received.

Usage syntax: nmap --packet-trace [target]

# nmap --packet-trace 10.10.4.1 | more

4.46:53] (timeout: -1ms) EID 34

NSOCK INFO [0.2790s] nsi_delete(): nsi_delete (IOD #1)

NSOCK INFO [0.2790s] msevent_cancel(): msevent_cancel on event #34 (type READ)

SENT (0.2803s) TCP 10.10.4.25:60354 > 10.10.4.1:554 S ttl=50 id=6247 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2804s) TCP 10.10.4.25:60354 > 10.10.4.1:110 S ttl=59 id=19854 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2804s) TCP 10.10.4.25:60354 > 10.10.4.1:8080 S ttl=46 id=54919 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2805s) TCP 10.10.4.25:60354 > 10.10.4.1:3306 S ttl=41 id=26585 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2806s) TCP 10.10.4.25:60354 > 10.10.4.1:5900 S ttl=51 id=13633 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2807s) TCP 10.10.4.25:60354 > 10.10.4.1:256 S ttl=48 id=39170 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2808s) TCP 10.10.4.25:60354 > 10.10.4.1:23 S ttl=56 id=60892 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2808s) TCP 10.10.4.25:60354 > 10.10.4.1:111 S ttl=49 id=55716 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2809s) TCP 10.10.4.25:60354 > 10.10.4.1:22 S ttl=57 id=21878 iplen=44 seq=1617903748 win=1024 <mss 1460>

SENT (0.2810s) TCP 10.10.4.25:60354 > 10.10.4.1:1025 S ttl=40 id=27546 iplen=44 seq=1617903748 win=1024 <mss 1460>

RCVD (0.2804s) TCP 10.10.4.1:554 > 10.10.4.25:60354 RA ttl=64 id=4236 iplen=40 seq=0 win=0

[...]

Packet trace output

The --packet-trace parameter is another useful troubleshooting tool. It can be used to check for connectivity issues or to determine whether Nmap is able to send packets on your system at all. The example above shows typical packet trace output, which displays detailed information about every packet sent to and received from the target system.

Tip: Trace information will rapidly scroll across the screen. Use the more command to see one page at a time. Alternatively, redirect output using nmap --packet-trace 10.10.4.1 > trace.txt to save the trace output to a file called trace.txt.
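The reason codes that --reason prints can be reconstructed from a packet trace, which makes the two views above easy to cross-check. The following shell script is an added example, not code from the book: it parses a constructed sample of --packet-trace output (same line format as the trace above) and reports, for each probed TCP port, the state and reason code Nmap would assign, plus a SENT/RCVD count that shows whether probes leave the host at all. It assumes a SYN scan of a single target and ignores non-TCP lines.

```shell
# Constructed sample of nmap --packet-trace output for a SYN scan of 10.10.4.1
# (same line format as the trace above; four probes, two replies).
TRACE_SAMPLE='SENT (0.2803s) TCP 10.10.4.25:60354 > 10.10.4.1:554 S ttl=50 id=6247 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2804s) TCP 10.10.4.25:60354 > 10.10.4.1:110 S ttl=59 id=19854 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2804s) TCP 10.10.4.25:60354 > 10.10.4.1:8080 S ttl=46 id=54919 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2809s) TCP 10.10.4.25:60354 > 10.10.4.1:22 S ttl=57 id=21878 iplen=44 seq=1617903748 win=1024 <mss 1460>
RCVD (0.2804s) TCP 10.10.4.1:554 > 10.10.4.25:60354 RA ttl=64 id=4236 iplen=40 seq=0 win=0
RCVD (0.2811s) TCP 10.10.4.1:22 > 10.10.4.25:60354 SA ttl=64 id=0 iplen=44 seq=2810375169 win=29200 <mss 1460>'

# trace_summary < trace : count SENT and RCVD lines. sent=0 means Nmap never
# put a packet on the wire (wrong interface, missing privileges, capture problem).
trace_summary() {
    awk '$1 == "SENT" { s++ } $1 == "RCVD" { r++ }
         END { printf "sent=%d rcvd=%d\n", s + 0, r + 0 }'
}

# classify_trace TARGET < trace : for every TCP port probed on TARGET, print
# "port state reason" using the same reason codes that --reason shows
# (syn-ack -> open, reset -> closed, no-response -> filtered).
classify_trace() {
    awk -v target="$1" '
        $1 == "SENT" && $3 == "TCP" {            # $6 is "dst_ip:dst_port"
            split($6, d, ":"); if (d[1] == target) sent[d[2]] = 1
        }
        $1 == "RCVD" && $3 == "TCP" {            # $4 is "src_ip:src_port", $7 the TCP flags
            split($4, src, ":"); if (src[1] != target) next
            if ($7 == "SA") reply[src[2]] = "syn-ack"
            else if ($7 == "RA") reply[src[2]] = "reset"
        }
        END {
            for (p in sent) {
                r  = (p in reply) ? reply[p] : "no-response"
                st = (r == "syn-ack") ? "open" : (r == "reset") ? "closed" : "filtered"
                printf "%s %s %s\n", p, st, r
            }
        }' | sort -n
}

printf '%s\n' "$TRACE_SAMPLE" | trace_summary                 # sent=4 rcvd=2
printf '%s\n' "$TRACE_SAMPLE" | classify_trace 10.10.4.1
```

Feed a real trace the same way (nmap --packet-trace target > trace.txt; classify_trace target < trace.txt) to see which ports never answered.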

Display Host Networking Configuration

The --iflist option displays the network interfaces and routes configured on the local system.

Usage syntax: nmap --iflist

$ nmap --iflist

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:58 CST

***INTERFACES***

DEV    (SHORT)  IP/MASK        TYPE     UP   MTU   MAC
lo     (lo)     127.0.0.1/8    loopback up   65536
eth0   (eth0)   (null)/0       ethernet down 1500  ...
eth1   (eth1)   (null)/0       ethernet down 1500  ...
eth2   (eth2)   10.10.4.1/24   ethernet up   1500  ...
eth2.5 (eth2.5) 10.10.5.1/24   ethernet up   1500  ...
eth3   (eth3)   10.10.3.100/24 ethernet up   1500  ...

***ROUTES***

DST/MASK     DEV    METRIC GATEWAY
10.10.3.0/24 eth3   0
10.10.4.0/24 eth2   0
10.10.5.0/24 eth2.5 0
0.0.0.0/0    eth3   0      10.10.3.1

Interface list output

The above example displays the network and routing information for the local system. This option can be helpful for quickly identifying network configuration or troubleshooting connectivity issues.

Tip: Other commands that are helpful for troubleshooting network configuration include ifconfig (Unix/Linux) and ipconfig (Windows). Most Windows and Unix based systems also include the netstat utility, which provides additional network information.

Specify Which Network Interface to Use

The -e option is used to manually specify which network interface Nmap should use.

Usage syntax: nmap -e [interface] [target]

# nmap -e eth0 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 12:03 CST

Nmap scan report for 10.10.3.1

Host is up (0.20s latency).

Not shown: 997 closed ports

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.74 seconds

Manually specifying a network interface

Many systems now have multiple network interfaces. Most modern laptops, for example, have both a regular ethernet jack and a wireless card. If you want to ensure Nmap is using your preferred interface you can use -e to specify it on the command line. In this example -e is used to force Nmap to scan via the eth0 interface on the host system.
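The --iflist routing table and the -e option go together: before pinning an interface, it helps to know which one the routing table would pick for a target. The shell script below is an added example, not code from the book; it reads nmap --iflist output (constructed here from the tables in the --iflist section), does a longest-prefix match over the ROUTES section, and prints the matching device and gateway, then the -e command line for it. The helper names iface_for_target and nmap_cmd_for are hypothetical.

```shell
# Constructed nmap --iflist output (interfaces and routes copied from the
# tables above; MAC column abbreviated as in the book).
IFLIST_SAMPLE='***INTERFACES***
DEV    (SHORT)  IP/MASK        TYPE     UP   MTU   MAC
lo     (lo)     127.0.0.1/8    loopback up   65536
eth2   (eth2)   10.10.4.1/24   ethernet up   1500  ...
eth2.5 (eth2.5) 10.10.5.1/24   ethernet up   1500  ...
eth3   (eth3)   10.10.3.100/24 ethernet up   1500  ...
***ROUTES***
DST/MASK     DEV    METRIC GATEWAY
10.10.3.0/24 eth3   0
10.10.4.0/24 eth2   0
10.10.5.0/24 eth2.5 0
0.0.0.0/0    eth3   0      10.10.3.1'

# iface_for_target TARGET < iflist-output
# Longest-prefix match over the ROUTES section; prints "DEV GATEWAY",
# with GATEWAY shown as "-" for directly connected networks.
iface_for_target() {
    awk -v target="$1" '
        function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN { best = -1 }
        /^\*\*\*ROUTES\*\*\*/ { inroutes = 1; next }
        !inroutes || $1 !~ /^[0-9.]+\/[0-9]+$/ { next }   # skip interfaces and the header row
        {
            split($1, nm, "/"); len = nm[2] + 0
            div = 2 ^ (32 - len)                          # compare the top len bits only
            if (int(ip2int(target) / div) == int(ip2int(nm[1]) / div) && len > best) {
                best = len; dev = $2; gw = ($4 == "") ? "-" : $4
            }
        }
        END { if (dev == "") exit 1; printf "%s %s\n", dev, gw }'
}

# nmap_cmd_for TARGET < iflist-output : hypothetical helper that prints the
# nmap command pinning the scan to that interface with -e (it does not run it).
nmap_cmd_for() {
    dev=$(iface_for_target "$1" | cut -d' ' -f1)
    [ -n "$dev" ] || { echo "no route to $1" >&2; return 1; }
    printf 'nmap -e %s %s\n' "$dev" "$1"
}

printf '%s\n' "$IFLIST_SAMPLE" | iface_for_target 10.10.4.80    # eth2 -
printf '%s\n' "$IFLIST_SAMPLE" | iface_for_target 192.0.2.10    # eth3 10.10.3.1
printf '%s\n' "$IFLIST_SAMPLE" | nmap_cmd_for 10.10.4.80        # nmap -e eth2 10.10.4.80
```

On a real system run nmap --iflist | nmap_cmd_for target; if the device it prints is not the one you intended, that is the case for passing -e explicitly.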