Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)
Section 10: Troubleshooting and Debugging
Overview
Technical problems are an inherent part of using computers. Nmap is no exception. Occasionally a scan may not produce the output you expected. You may receive an error – or you may not receive any output at all. Nmap offers several options for tracing and debugging a scan, which can help identify why this happens. The following section describes these troubleshooting and debugging features.
Summary of features covered in this section:
  -h               Getting Help
  -V               Display Nmap Version
  -v               Verbose Output
  -d               Debugging
  --reason         Display Port State Reason
  --packet-trace   Trace Packets
  --iflist         Display Host Networking
  -e               Specify a Network Interface
Getting Help
Executing nmap -h will display a summary of available options.
Usage syntax: nmap -h
$ nmap -h | more
Nmap 6.47 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
[...]
Displaying Nmap help information
The -h option displays a quick cheat sheet of Nmap’s features. For more detailed information, you can read the Nmap manual page by executing man nmap on the command line. The manual for Nmap provides a description of every Nmap feature and is a handy reference when working on the command line.
$ man nmap
NMAP(1) Nmap Reference Guide
NAME
nmap - Network exploration tool and security / port scanner
SYNOPSIS
nmap [Scan Type...] [Options] {target specification}
DESCRIPTION
Nmap (“Network Mapper”) is an open source tool for network exploration and
[...]
Accessing the Nmap man page on Unix and Linux systems
Note: The man command is only available on Unix, Linux, and Mac OS X based systems. Windows users can read the Nmap manual online at nmap.org/book/man.html.
Tip: You can also find help online by subscribing to the Nmap mailing list at seclists.org.
Display Nmap Version
The -V option (uppercase V) is used to display the installed version of Nmap.
Usage syntax: nmap -V
$ nmap -V
Nmap version 6.47 ( http://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.2.3 openssl-1.0.1f libpcre-8.31 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
Displaying the installed version of Nmap
The -V option displays the Nmap version along with other information about how it was compiled. When troubleshooting Nmap problems you should always make sure you have the most up-to-date version installed. Open source programs like Nmap are developed at a rapid pace and critical bugs are typically fixed as soon as they are discovered. Compare your installed version to the latest version available on the Nmap website at nmap.org to make sure you are running the most up-to-date version available. This will ensure that you have access to the latest features as well as the most bug-free version available.
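The version check the paragraph above recommends can be scripted. The following shell functions are added here as a worked example and are not from the book: nmap_version pulls the version number out of nmap -V output, version_compare compares two dotted version strings component by component, and check_version combines the two against a reference version you read off nmap.org (passed as a parameter, since the latest version changes over time). The sample output is constructed from the format shown on the page; pre-release suffixes such as BETA1 are ignored by the comparison, which is a deliberate simplification.

```shell
#!/bin/sh
# Constructed sample: the first lines that "nmap -V" prints (format taken from the page).
SAMPLE_VERSION_OUTPUT='Nmap version 6.47 ( http://nmap.org )
Platform: x86_64-pc-linux-gnu'

# Extract the version number from "nmap -V" output read on stdin (e.g. "6.47").
nmap_version() {
    awk '$1 == "Nmap" && $2 == "version" { print $3; exit }'
}

# Compare two dotted version strings component by component and print
# "older", "same" or "newer" describing $1 relative to $2.
# Simplification: pre-release suffixes are ignored, because awk reads
# a component such as "49BETA1" as the number 49.
version_compare() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = pa[i] + 0; y = pb[i] + 0      # missing components count as 0
            if (x < y) { print "older"; exit }
            if (x > y) { print "newer"; exit }
        }
        print "same"
    }'
}

# Read "nmap -V" output on stdin and compare the installed version with the
# reference version given as $1 (the number currently published on nmap.org).
check_version() {
    installed=$(nmap_version)
    case $(version_compare "$installed" "$1") in
        older) echo "installed $installed is older than $1: upgrade before filing a bug report" ;;
        *)     echo "installed $installed is current (reference: $1)" ;;
    esac
}

# Usage with the constructed sample; on a real system pipe "nmap -V" into check_version instead.
printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | check_version 6.47
```

On a live system the last line becomes nmap -V | check_version <version from nmap.org>. The component-wise numeric comparison is what makes 7.10 sort after 7.01, which a plain string comparison would get wrong.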
Verbose Output
The -v option (lowercase v) is used to enable verbose output.
Usage syntax: nmap -v [target]
# nmap -v scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:49 CST
Initiating Ping Scan at 11:49
Scanning scanme.nmap.org (74.207.244.221) [4 ports]
Completed Ping Scan at 11:49, 1.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:49
Completed Parallel DNS resolution of 1 host. at 11:49, 0.00s elapsed
Initiating SYN Stealth Scan at 11:49
Scanning scanme.nmap.org (74.207.244.221) [1000 ports]
Discovered open port 22/tcp on 74.207.244.221
Discovered open port 80/tcp on 74.207.244.221
Discovered open port 9929/tcp on 74.207.244.221
Completed SYN Stealth Scan at 11:49, 2.00s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.31s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.09 seconds
Raw packets sent: 1188 (52.248KB) | Rcvd: 1185 (47.445KB)
Nmap scan with verbose output enabled
Verbose output can be useful when troubleshooting connectivity problems, or if you are simply interested in what’s going on behind the scenes of your scan. In the example above, verbose output is displayed for the scan in progress. Most of this information appears in real-time, prior to the final port display and summary. Additional information, such as data files and packet counts, is displayed at the end of the scan.
Tip: You can use -vv to enable additional verbose output.
Debugging
The -d option enables debugging output.
Usage syntax: nmap -d[1-9] [target]
# nmap -d scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:49 CST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 11:49
Scanning scanme.nmap.org (74.207.244.221) [4 ports]
Packet capture filter (device eth0): dst host 10.10.4.25 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 74.207.244.221)))
We got a TCP ping packet back from 74.207.244.221 port 80 (trynum = 0)
Completed Ping Scan at 11:49, 1.00s elapsed (1 total hosts)
Overall sending rates: 3.99 packets / s, 151.48 bytes / s.
mass_rdns: Using DNS server 10.10.4.46
Initiating Parallel DNS resolution of 1 host. at 11:49
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 11:49, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 11:49
Scanning scanme.nmap.org (74.207.244.221) [1000 ports]
Packet capture filter (device eth0): dst host 10.10.4.25 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 74.207.244.221)))
Discovered open port 22/tcp on 74.207.244.221
Discovered open port 80/tcp on 74.207.244.221
Discovered open port 9929/tcp on 74.207.244.221
Increased max_successful_tryno for 74.207.244.221 to 1 (packet drop)
Completed SYN Stealth Scan at 11:50, 2.00s elapsed (1000 total ports)
Overall sending rates: 591.12 packets / s, 26009.44 bytes / s.
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received reset (0.34s latency).
Scanned at 2015-01-17 11:49:57 CST for 3s
[...]
Nmap debugging output
Debugging output provides additional information that can be used to trace bugs or troubleshoot problems. The default -d output provides a fair amount of debugging information. You can also specify a debugging level of 1-9 to be used with the -d parameter to increase or decrease the amount of output. For example: -d1 provides the lowest amount of debugging output and -d9 is the highest.
Display Port State Reason Codes
The --reason parameter displays the reason why a port is considered to be in the given state.
Usage syntax: nmap --reason [target]
# nmap -p25,80,135 --reason 10.10.4.80
Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-08 19:40 CST
Nmap scan report for 10.10.4.80
Host is up, received arp-response (0.00045s latency).
PORT    STATE    SERVICE REASON
25/tcp  closed   smtp    reset
80/tcp  open     http    syn-ack
135/tcp filtered msrpc   port-unreach
MAC Address: 00:50:56:BA:F8:B2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds
Nmap scan with port state reason codes enabled
Notice the addition of the REASON field in the above scan. Information in this field can be useful when trying to determine why a target’s ports are in a particular state. Ports that respond with syn-ack are considered to be open. Ports that respond with conn-refused or reset are typically closed. Ports that do not respond at all are generally filtered (by a firewall). An ICMP port unreachable message (port-unreach) is usually the result of a protocol mismatch, but can be generated by numerous other conditions.
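When a --reason scan covers many ports, it helps to tally the reasons and pull out the state/reason pairs that do not match the routine explanations given above. The shell functions below are added as a worked example and are not from the book: reason_summary counts ports per reason, and flag_unusual prints every port whose state/reason pair is not one of open/syn-ack, closed/reset, closed/conn-refused or filtered/no-response, so that a port-unreach (or anything else unexpected) gets a second look. The sample report is the one shown on the page.

```shell
#!/bin/sh
# Sample report: the --reason scan output shown on the page.
SAMPLE_REASON_OUTPUT='Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-08 19:40 CST
Nmap scan report for 10.10.4.80
Host is up, received arp-response (0.00045s latency).
PORT    STATE    SERVICE REASON
25/tcp  closed   smtp    reset
80/tcp  open     http    syn-ack
135/tcp filtered msrpc   port-unreach
MAC Address: 00:50:56:BA:F8:B2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds'

# Count ports per REASON in a report read on stdin; prints "reason count", sorted.
# Port lines are recognised by a first field of the form "<number>/<proto>".
reason_summary() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ { c[$4]++ } END { for (r in c) print r, c[r] }' | sort
}

# Print "port state reason" for every port whose state/reason pair is not one of
# the routine combinations described in the text. port-unreach is deliberately
# left off the routine list: it usually means a protocol mismatch but has other
# causes, so it is worth looking at by hand.
flag_unusual() {
    awk '
    BEGIN {
        ok["open syn-ack"] = 1; ok["closed reset"] = 1
        ok["closed conn-refused"] = 1; ok["filtered no-response"] = 1
    }
    $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ { key = $2 " " $4; if (!(key in ok)) print $1, $2, $4 }'
}

# Usage with the sample; on a live scan pipe "nmap --reason ... " into these instead.
printf '%s\n' "$SAMPLE_REASON_OUTPUT" | reason_summary
printf '%s\n' "$SAMPLE_REASON_OUTPUT" | flag_unusual
```

A large scan whose summary is dominated by no-response points at a filtering device between you and the target, while one dominated by reset says the host is reachable and simply has nothing listening; the flagged lines are the ones that need a closer look.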
Trace Packets
The --packet-trace parameter instructs Nmap to display a summary of all packets sent and received.
Usage syntax: nmap --packet-trace [target]
# nmap --packet-trace 10.10.4.1 | more
4.46:53] (timeout: -1ms) EID 34
NSOCK INFO [0.2790s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [0.2790s] msevent_cancel(): msevent_cancel on event #34 (type READ)
SENT (0.2803s) TCP 10.10.4.25:60354 > 10.10.4.1:554 S ttl=50 id=6247 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2804s) TCP 10.10.4.25:60354 > 10.10.4.1:110 S ttl=59 id=19854 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2804s) TCP 10.10.4.25:60354 > 10.10.4.1:8080 S ttl=46 id=54919 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2805s) TCP 10.10.4.25:60354 > 10.10.4.1:3306 S ttl=41 id=26585 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2806s) TCP 10.10.4.25:60354 > 10.10.4.1:5900 S ttl=51 id=13633 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2807s) TCP 10.10.4.25:60354 > 10.10.4.1:256 S ttl=48 id=39170 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2808s) TCP 10.10.4.25:60354 > 10.10.4.1:23 S ttl=56 id=60892 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2808s) TCP 10.10.4.25:60354 > 10.10.4.1:111 S ttl=49 id=55716 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2809s) TCP 10.10.4.25:60354 > 10.10.4.1:22 S ttl=57 id=21878 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2810s) TCP 10.10.4.25:60354 > 10.10.4.1:1025 S ttl=40 id=27546 iplen=44 seq=1617903748 win=1024 <mss 1460>
RCVD (0.2804s) TCP 10.10.4.1:554 > 10.10.4.25:60354 RA ttl=64 id=4236 iplen=40 seq=0 win=0
[...]
Packet trace output
The --packet-trace parameter is another useful tool for troubleshooting. It can be used to check for connectivity issues or to determine whether Nmap is able to send packets on your system at all. The example above shows the typical output of a packet trace, which displays detailed information about every packet sent to and received from the target system.
Tip: Trace information will rapidly scroll across the screen. Use the more command to see one page at a time. Alternatively, redirect output using nmap --packet-trace 10.10.4.1 > trace.txt to save the trace output to a file called trace.txt.
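Reading a saved trace by eye is slow, so the two shell functions below, added here as a worked example that is not from the book, do the two checks the text describes: trace_counts reports how many probes went out and how many replies came back (sent>0 with rcvd=0 is the signature of a host that cannot get replies, whether because of the wrong interface, a blocked capture or no route back), and trace_port_results pairs each TCP SYN probe with the reply for the same target port and classifies it as open (SA), closed (RA) or no-response. The SENT lines and the RA reply are copied from the page's trace; the SA reply for port 22 is constructed so that all three outcomes appear. The parser assumes IPv4 addresses, since it splits host:port on the colon.

```shell
#!/bin/sh
# Sample trace: SENT lines and the port 554 reply are from the page's --packet-trace
# example; the SA reply for port 22 is constructed. The NSOCK line is noise here.
SAMPLE_TRACE='NSOCK INFO [0.2790s] nsi_delete(): nsi_delete (IOD #1)
SENT (0.2803s) TCP 10.10.4.25:60354 > 10.10.4.1:554 S ttl=50 id=6247 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2808s) TCP 10.10.4.25:60354 > 10.10.4.1:23 S ttl=56 id=60892 iplen=44 seq=1617903748 win=1024 <mss 1460>
SENT (0.2809s) TCP 10.10.4.25:60354 > 10.10.4.1:22 S ttl=57 id=21878 iplen=44 seq=1617903748 win=1024 <mss 1460>
RCVD (0.2804s) TCP 10.10.4.1:554 > 10.10.4.25:60354 RA ttl=64 id=4236 iplen=40 seq=0 win=0
RCVD (0.2811s) TCP 10.10.4.1:22 > 10.10.4.25:60354 SA ttl=64 id=1 iplen=44 seq=987654321 win=29200 <mss 1460>'

# Count probes sent and replies received in a trace read on stdin: "sent=N rcvd=M".
trace_counts() {
    awk '$1 == "SENT" { s++ } $1 == "RCVD" { r++ } END { printf "sent=%d rcvd=%d\n", s, r }'
}

# Pair every TCP probe with the reply for the same target port and print
# "port outcome" in the order the probes were sent. Field layout (from the page):
#   SENT (t) TCP src:port > dst:port FLAGS ...  -> $6 is the target host:port
#   RCVD (t) TCP src:port > dst:port FLAGS ...  -> $4 is the target host:port, $7 the flags
# IPv4 only: host and port are split on the colon.
trace_port_results() {
    awk '
    $1 == "SENT" && $3 == "TCP" {
        split($6, a, ":"); p = a[2]
        if (!(p in seen)) { order[++n] = p; seen[p] = 1 }
    }
    $1 == "RCVD" && $3 == "TCP" { split($4, a, ":"); reply[a[2]] = $7 }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (!(p in reply))         o = "no-response"
            else if (reply[p] == "SA") o = "open"
            else if (reply[p] == "RA") o = "closed"
            else                       o = "other(" reply[p] ")"
            print p, o
        }
    }'
}

# Usage with the sample; for a saved trace use: trace_counts < trace.txt
printf '%s\n' "$SAMPLE_TRACE" | trace_counts
printf '%s\n' "$SAMPLE_TRACE" | trace_port_results
```

Running trace_counts over the trace.txt file from the tip above is the quickest way to tell a host that answers nothing (Nmap reports every port filtered) from a machine whose own interface or capture setup is dropping the replies.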
Display Host Networking Configuration
The --iflist option displays the network interfaces and routes configured on the local system.
Usage syntax: nmap --iflist
$ nmap --iflist
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:58 CST
***INTERFACES***
DEV    (SHORT)  IP/MASK        TYPE     UP   MTU   MAC
lo     (lo)     127.0.0.1/8    loopback up   65536
eth0   (eth0)   (null)/0       ethernet down 1500  ...
eth1   (eth1)   (null)/0       ethernet down 1500  ...
eth2   (eth2)   10.10.4.1/24   ethernet up   1500  ...
eth2.5 (eth2.5) 10.10.5.1/24   ethernet up   1500  ...
eth3   (eth3)   10.10.3.100/24 ethernet up   1500  ...
***ROUTES***
DST/MASK     DEV    METRIC GATEWAY
10.10.3.0/24 eth3   0
10.10.4.0/24 eth2   0
10.10.5.0/24 eth2.5 0
0.0.0.0/0    eth3   0      10.10.3.1
Interface list output
The above example displays the network and routing information for the local system. This option can be helpful for quickly identifying network configuration or troubleshooting connectivity issues.
Tip: Additional commands that are helpful for troubleshooting networking configuration include ifconfig (Unix/Linux) and ipconfig (Windows). Most Windows and Unix based systems also include the netstat utility that provides additional network information.
Specify Which Network Interface to Use
The -e option is used to manually specify which network interface Nmap should use.
Usage syntax: nmap -e [interface] [target]
# nmap -e eth0 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 12:03 CST
Nmap scan report for 10.10.3.1
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 3.74 seconds
Manually specifying a network interface
Many systems now have multiple network interfaces. Most modern laptops, for example, have both a regular ethernet jack and a wireless card. If you want to ensure Nmap is using your preferred interface you can use -e to specify it on the command line. In this example -e is used to force Nmap to scan via the eth0 interface on the host system.
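The --iflist output and the -e option go together: before forcing an interface you want to know which one the routing table would pick for the target and whether that interface is up. The shell functions below are added as a worked example and are not from the book or from Nmap: iface_state reads the UP column for a named interface, route_for does a plain longest-prefix match over the ROUTES section for an IPv4 target, and plan_for combines the two into one line. The sample listing is the --iflist output shown on the page. route_for is a simplified illustration of route selection; it ignores metrics and is not the logic Nmap itself uses.

```shell
#!/bin/sh
# Sample listing: the --iflist output shown on the page.
SAMPLE_IFLIST='Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:58 CST
***INTERFACES***
DEV    (SHORT)  IP/MASK        TYPE     UP   MTU   MAC
lo     (lo)     127.0.0.1/8    loopback up   65536
eth0   (eth0)   (null)/0       ethernet down 1500  ...
eth1   (eth1)   (null)/0       ethernet down 1500  ...
eth2   (eth2)   10.10.4.1/24   ethernet up   1500  ...
eth2.5 (eth2.5) 10.10.5.1/24   ethernet up   1500  ...
eth3   (eth3)   10.10.3.100/24 ethernet up   1500  ...
***ROUTES***
DST/MASK     DEV    METRIC GATEWAY
10.10.3.0/24 eth3   0
10.10.4.0/24 eth2   0
10.10.5.0/24 eth2.5 0
0.0.0.0/0    eth3   0      10.10.3.1'

# Print "up", "down" or "unknown" for interface $1, from a listing read on stdin.
# Interface rows sit between ***INTERFACES*** and ***ROUTES***; column 5 is UP.
iface_state() {
    awk -v dev="$1" '
    /^\*\*\*INTERFACES\*\*\*/ { sect = "if"; next }
    /^\*\*\*ROUTES\*\*\*/     { sect = "rt"; next }
    sect == "if" && $1 == dev { print $5; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Longest-prefix match over the ROUTES section for IPv4 target $1.
# Prints "<dev> <gateway>" or "<dev> direct"; "no-route" if nothing matches.
# Illustrative only: ignores metrics and is not Nmap's own route selection.
route_for() {
    awk -v target="$1" '
    function ip2num(s,   o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    BEGIN { best = -1 }
    /^\*\*\*ROUTES\*\*\*/ { inroutes = 1; next }
    inroutes && $1 ~ /^[0-9.]+\/[0-9]+$/ {
        split($1, r, "/"); plen = r[2] + 0
        shift = 2 ^ (32 - plen)   # compare network numbers by integer division (no bitwise ops in POSIX awk)
        if (int(ip2num(r[1]) / shift) == int(ip2num(target) / shift) && plen > best) {
            best = plen; dev = $2; gw = ($4 == "") ? "direct" : $4
        }
    }
    END { if (best < 0) print "no-route"; else print dev, gw }'
}

# One-line plan for target $1 from a listing on stdin: chosen interface, next hop
# and whether that interface is up. A "down" verdict is the case where -e <iface>
# (or fixing the route) is the next step.
plan_for() {
    listing=$(cat)
    route=$(printf '%s\n' "$listing" | route_for "$1")
    dev=${route%% *}
    state=$(printf '%s\n' "$listing" | iface_state "$dev")
    printf '%s via %s (%s)\n' "$1" "$route" "$state"
}

# Usage with the sample; on a live system: nmap --iflist | plan_for 10.10.3.1
printf '%s\n' "$SAMPLE_IFLIST" | plan_for 10.10.3.1
```

Against the sample listing, plan_for 10.10.3.1 reports eth3 as the directly connected interface, and plan_for 8.8.8.8 shows the default route through 10.10.3.1; if the chosen interface came back as down, that is the situation in which naming a working interface with -e makes sense.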