Tips and Tricks - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)


Section 16: Tips and Tricks

Overview

This section provides several helpful tips and tricks for getting the most out of Nmap. It also incorporates the use of third party programs that work in conjunction with Nmap to help you analyze your network.

Summary of topics discussed in this section:

Combine Multiple Options

Display Scan Status

Runtime Interaction

Remotely Scan Your Network

Scanme.Nmap.org

Wireshark

Nmap Online Resources

Combine Multiple Options

If you haven’t already noticed, Nmap allows you to combine multiple options to produce a custom scan unique to your needs.

Usage syntax: nmap [options] [target]

# nmap --reason -F --open -T3 -O scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 12:58 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received reset (0.057s latency).
Not shown: 98 closed ports
Reason: 98 resets
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack
Aggressive OS guesses: Linux 3.0 - 3.9 (94%), Linux 2.6.32 - 3.1 (93%), Linux 2.6.32 - 2.6.39 (92%), Linux 2.6.39 (91%), Linux 2.6.32 - 3.9 (91%), HP P2000 G3 NAS device (90%), Linux 3.0 (90%), OpenWrt 12.09-rc1 Attitude Adjustment (Linux 3.3 - 3.7) (90%), Linux 3.7 (89%), Linux 3.0 - 3.2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.49 seconds

Combining multiple Nmap options

Combining options is where the real fun begins when using Nmap. In the above example, several options are combined in one command: --reason shows why each port was classified as it was, -F limits the scan to the 100 most common ports, --open hides everything that is not open, -T3 selects the default timing template, and -O enables OS detection. This allows you to create a scan customized to meet your specific needs. As you can see, the possibilities are nearly limitless.
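The report above is plain text, so keeping it as evidence usually means parsing it. The following added example (not code from the cookbook) parses the normal-output lines shown above into a structure: the host and IP, each port with the REASON column that --reason adds, and the OS guesses with their confidence. The sample report is constructed from the scan above; the function and regex names are my own.

```python
import re

# Constructed sample based on the --reason -F --open -O report above (not a live scan)
SAMPLE_REPORT = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 12:58 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received reset (0.057s latency).
Not shown: 98 closed ports
Reason: 98 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Aggressive OS guesses: Linux 3.0 - 3.9 (94%), Linux 2.6.32 - 3.1 (93%), OpenWrt 12.09-rc1 Attitude Adjustment (Linux 3.3 - 3.7) (90%)
Network Distance: 9 hops
Nmap done: 1 IP address (1 host up) scanned in 11.49 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# port/proto state service [reason]; the reason column only exists with --reason
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")
GUESS_RE = re.compile(r"(.+?) \((\d+)%\)")

def parse_report(text):
    """Parse Nmap normal output into {host, ip, ports, os_guesses}."""
    result = {"host": None, "ip": None, "ports": [], "os_guesses": []}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            result["host"] = m.group(1)
            result["ip"] = m.group(2) or m.group(1)  # no parentheses when the target was an IP
            continue
        m = PORT_RE.match(line)
        if m:
            result["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "reason": m.group(5),  # None when --reason was not used
            })
            continue
        if line.startswith("Aggressive OS guesses:"):
            guesses = line.split(":", 1)[1]
            # the lazy match skips parentheses inside a name, e.g. "(Linux 3.3 - 3.7)"
            result["os_guesses"] = [(n.strip(" ,"), int(p)) for n, p in GUESS_RE.findall(guesses)]
    return result

def open_ports(report):
    """Return the open ports as 'port/proto' strings, ready to diff against an earlier scan."""
    return [f"{p['port']}/{p['proto']}" for p in report["ports"] if p["state"] == "open"]
```

Running the same parser over a scan saved last week and one taken today lets you spot a newly opened port without reading the two reports by eye.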

Display Scan Status

The --stats-every option can be used to periodically display the status of the current scan.

Usage syntax: nmap --stats-every [time] [target]

# nmap --stats-every 5s 10.10.4.1/24
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:43 CST
Stats: 0:00:05 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 83.92% done; ETC: 11:43 (0:00:01 remaining)
Stats: 0:00:10 elapsed; 88 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 8.56% done; ETC: 11:44 (0:00:53 remaining)
Stats: 0:00:15 elapsed; 88 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 10.56% done; ETC: 11:45 (0:01:25 remaining)
Stats: 0:00:20 elapsed; 88 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 12.76% done; ETC: 11:45 (0:01:43 remaining)
Stats: 0:00:25 elapsed; 88 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 14.56% done; ETC: 11:46 (0:01:57 remaining)
Stats: 0:00:30 elapsed; 88 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 16.04% done; ETC: 11:46 (0:02:11 remaining)
[...]

Nmap scan status output

On slow scans you may get bored looking at your screen doing nothing for long periods of time. The --stats-every option can alleviate this problem. Enabling this option prints the status of the current scan at the specified interval: which phase is running (ARP Ping Scan, SYN Stealth Scan, and so on), how many hosts are done, the percentage complete, and the estimated time of completion (ETC). In the above example, --stats-every 5s instructs Nmap to display the status of the current scan every five seconds. Timing parameters can be specified in seconds (s), minutes (m), or hours (h) by appending an s/m/h qualifier to the interval number.
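Notice that in the output above the ETC slips later with every update as the SYN scan settles into its real pace. The added example below (my own code, not the cookbook's) parses the Stats and Timing lines into records, converts --stats-every intervals using the s/m/h suffixes described above, and projects the remaining time from the observed rate within the current phase so you can compare it with Nmap's own ETC. The sample lines are constructed from the scan above.

```python
import re

# Constructed sample: three consecutive --stats-every 5s updates taken from the scan above
SAMPLE_STATS = """\
Stats: 0:00:10 elapsed; 88 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 8.56% done; ETC: 11:44 (0:00:53 remaining)
Stats: 0:00:15 elapsed; 88 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 10.56% done; ETC: 11:45 (0:01:25 remaining)
Stats: 0:00:20 elapsed; 88 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 12.76% done; ETC: 11:45 (0:01:43 remaining)
"""

STATS_RE = re.compile(r"^Stats: (\d+):(\d+):(\d+) elapsed; (\d+) hosts completed "
                      r"\((\d+) up\), (\d+) undergoing (.+)$")
TIMING_RE = re.compile(r"^(.+) Timing: About ([\d.]+)% done; ETC: \S+ "
                       r"\((\d+):(\d+):(\d+) remaining\)$")

def hms(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def interval_seconds(spec):
    """Convert a --stats-every interval ('5s', '2m', '1h'); a bare number is seconds."""
    units = {"s": 1, "m": 60, "h": 3600}
    if spec and spec[-1] in units:
        return int(spec[:-1]) * units[spec[-1]]
    return int(spec)

def parse_stats(text):
    """Pair each 'Stats:' line with the 'Timing:' line that follows it into one record."""
    updates, current = [], None
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m:
            current = {"elapsed": hms(*m.group(1, 2, 3)), "completed": int(m.group(4)),
                       "up": int(m.group(5)), "undergoing": int(m.group(6)), "phase": m.group(7)}
            updates.append(current)
            continue
        m = TIMING_RE.match(line)
        if m and current is not None:
            current["pct"] = float(m.group(2))
            current["remaining"] = hms(*m.group(3, 4, 5))
    return updates

def projected_remaining(updates):
    """Seconds left at the observed rate of the current phase (None until two updates exist)."""
    phase = updates[-1]["phase"]
    same = [u for u in updates if u["phase"] == phase and "pct" in u]  # ignore earlier phases
    if len(same) < 2:
        return None
    first, last = same[0], same[-1]
    rate = (last["pct"] - first["pct"]) / (last["elapsed"] - first["elapsed"])  # percent per second
    return (100.0 - last["pct"]) / rate
```

For the three sample updates the observed rate is 0.42% per second, which projects roughly 208 seconds remaining against the 103 seconds Nmap reported at the same moment; that gap is why the ETC kept moving later in the output above.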

Runtime Interaction

Nmap offers several runtime interaction keystrokes that can modify a scan in progress. The table below lists Nmap’s runtime interaction keys.

v
Pressing lowercase v during a scan will increase the verbosity level.

V
Pressing uppercase V during a scan will decrease the verbosity level.

d
Pressing lowercase d during a scan will increase the debugging level.

D
Pressing uppercase D during a scan will decrease the debugging level.

p
Pressing lowercase p during a scan will enable packet tracing.

P
Pressing uppercase P during a scan will disable packet tracing.

?
Pressing ? during a scan will display the runtime interaction help.

Any other key not listed above
Pressing any key other than the ones defined above during a scan will print a status message indicating the progress of the scan and how much time is remaining.

Nmap runtime interaction keys

Runtime interaction is very useful for getting status updates when performing a scan on a large number of hosts. The example below displays the status of the current scan when the space bar is pressed. The v key is also demonstrated to enable verbose output for the scan in progress.

# nmap 10.10.4.1/24
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 13:08 CST
<space>
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 15.10% done; ETC: 13:08 (0:00:06 remaining)
<v>
Verbosity Increased to 1.
Discovered open port 135/tcp on 10.10.4.103
Discovered open port 80/tcp on 10.10.4.31
Discovered open port 8080/tcp on 10.10.4.43
[...]

Using runtime interaction keys to display scan status and verbose output

Remotely Scan Your Network

Nmap Online is a website that provides “free as in beer” Nmap scanning functionality via a web browser. This can be useful for remotely scanning your network or troubleshooting connectivity problems from an external source. Simply visit nmap-online.com, enter your IP address, and select the scan options to suit your needs.

Nmap-online.com home page

Note: This is a neat service that works well, but the website has become somewhat ad-laden over the years.

Scanme.Nmap.org

The scanme.nmap.org server is a common example target used throughout this guide. This system is hosted by the Nmap project and can be freely scanned by Nmap users.

# nmap -F scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 13:25 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.082s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 2.28 seconds

Example scan using scanme.nmap.org as the target

Note: The good people of the Nmap project provide this valuable service as an educational and troubleshooting tool. They request that you be polite by not aggressively scanning it hundreds of times a day or with other tools not related to Nmap.

Wireshark

Wireshark is an excellent addition to any system administrator’s toolkit. It is a sophisticated (yet easy to use) network protocol analyzer. You can use Wireshark to capture and analyze network traffic and it works hand-in-hand with Nmap by allowing you to see each packet sent and received while scanning.

Wireshark network protocol analyzer

Wireshark is available for Windows, Linux, and Mac OS X and can be downloaded for free at wireshark.org.

Nmap Online Resources

Fyodor’s Nmap Book
nmap.org/book/man.html

Nmap Install Guide
nmap.org/book/install.html

Nmap Scripting Engine Documentation
nmap.org/nsedoc/

Zenmap Reference Guide
nmap.org/book/zenmap.html

Nmap Change Log
nmap.org/changelog.html

Nmap Mailing Lists
seclists.org

Nmap GitHub Issue Tracker
github.com/nmap/nmap/issues

Nmap Online Scan
nmap-online.com

Nmap Security Tools Guide
sectools.org

Nmap Facebook
nmap.org/fb

Nmap Twitter
twitter.com/nmap

Nmap Cookbook
nmapcookbook.com

Conclusion

Nmap started as a simple port scanner and has grown into a full suite of network utilities. It is a powerful tool with hundreds of potential option combinations, yet it can be used by anyone from the casual administrator to a full-blown security auditor. The Nmap suite can now be used for discovering (nmap), troubleshooting (ncat), and even stress testing (nping). Nmap is a highly valuable tool, yet the Nmap project gives it away for free in the spirit of open source software.

In recent news, many large companies have suffered embarrassing security breaches. Many of these breaches could have been prevented. Nmap is a great tool that you can use to evaluate your presence on the Internet and ensure that your home or business isn't the next target. Security, however, is more than just running an occasional scan on your network. Your TCP/UDP ports are your windows to the world. On the Internet, billions of people around the globe are only milliseconds away from peeking into those windows. Security requires constant monitoring and proactive measures. You must be diligent in keeping your software updated and use "best practices" in configuring your systems to stay one step ahead of the attackers.

Finally, as an administrator, you must always remember that security is an arms race. Whatever tools you are using to monitor your network, attackers are also using, plus many more.

Credits and References

The bulk of my research for this book was performed using the wealth of Nmap's online documentation. This includes mailing lists, man pages, and official Nmap documentation. The Nmap project is one of the most well documented open source projects I have ever come across and I am grateful for their diligent work in providing materials that were referenced during the creation of The Nmap Cookbook.

nmap.org/docs.html

Much of my knowledge of TCP/IP comes from on the job experience. I also received training at the Cisco Networking Academy in preparation for taking the CCNA exam. Cisco provides an excellent training program that goes well beyond simply covering how to use their products. The complete CCNA program covers TCP/IP fundamentals and provides core networking knowledge that is useful outside of the Cisco realm.

netacad.com

Despite my training and on-the-job experience, I could never dream of understanding the IP Suite as well as the people involved with Nmap. To help fill in the gaps, I utilized the information in various IETF RFC documents and Wikipedia entries related to the IP Protocol Suite during the writing of this book. The links below are an excellent starting point for those wanting to dig deeper into TCP/IP to take their understanding to the next level.

en.wikipedia.org/wiki/Internet_protocol_suite
ietf.org/rfc.html