Basic Scanning Techniques - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)


Section 2: Basic Scanning Techniques

Overview

This section covers the basics of network scanning with Nmap. Before we begin it is important to understand the following concepts:

- Firewalls, routers, proxy servers, and other security devices can skew the results of an Nmap scan. Because of this, scanning remote hosts that are not on your local network may produce misleading information.

- Some scanning options require elevated privileges. On Unix and Linux systems you may need to log in as the root user or run Nmap with the sudo command.

There are also a couple of warnings to take into consideration:

- Scanning networks that you do not have permission to scan can get you in trouble with your internet service provider, the police, and possibly even the government. Don’t scan the FBI or Secret Service websites unless you want to get in trouble.

- Aggressively scanning some systems can lead to undesirable results such as system downtime or data loss. Always scan mission critical systems with caution.

Now let’s start scanning!

Scan a Single Target

Executing Nmap with no command line options will perform a basic scan on the target system. A target can be specified as an IP address or host name (which Nmap will try to resolve).

Usage syntax: nmap [target]

$ nmap 192.168.1.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:23 CST
Nmap scan report for 192.168.1.1
Host is up (0.00084s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
548/tcp   open  afp
5009/tcp  open  airport-admin
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds

Single target scan

The resulting scan shows the status of ports detected on the specified target along with other helpful information such as the protocol in use and service associated with the port. The table below describes the output fields displayed by the scan.

PORT
Port number/protocol

STATE
Status of the port

SERVICE
Type of service associated with the port

A default Nmap scan checks the 1000 most commonly used TCP/IP ports. Each scanned port is classified into one of six port states: open, closed, filtered, unfiltered, open|filtered, or closed|filtered. The next section describes each of these states.

Nmap Port States

Nmap uses six different port states to classify the status of a port scan. The list below describes the meaning of each port state.

open
An open port is a port that actively responds to an incoming connection.

closed
A closed port is a port on a target that actively responds to a probe but does not appear to have any service running on the port. Closed ports are commonly found on systems where no firewall is in place to filter incoming traffic.

filtered
A filtered port is one that is typically protected by a firewall of some sort which blocks the probe, so Nmap cannot determine whether the port is open or closed.

unfiltered
An unfiltered port is a port that Nmap can access but is unable to determine whether it is open or closed.

open|filtered
An open|filtered port is a port which Nmap believes to be open or filtered but cannot definitively determine which state the port is actually in.

closed|filtered
A closed|filtered port is a port that Nmap believes to be closed or filtered but cannot definitively determine which state the port is actually in.

Understanding Port States

Take a look at the following scan...

# nmap scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:51 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received reset (0.30s latency).
Not shown: 997 closed ports
Reason: 997 resets
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds

Nmap scan from a dedicated internet connection

This scan shows the results of scanning a remote target from a dedicated commercial internet connection. Now review the following scan on the same target, which was performed using a consumer broadband connection.

# nmap scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 19:21 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received echo-reply (0.087s latency).
Not shown: 990 closed ports
Reason: 990 resets
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
7070/tcp open     realserver
9929/tcp open     nping-echo

Nmap done: 1 IP address (1 host up) scanned in 5.74 seconds

Nmap scan from a broadband internet connection

The above scan differs from the first because the second internet provider filters outbound connections, whereas the first does not. In this case, the provider prevents home subscribers from running an SMTP server and also blocks ports common to Microsoft Windows systems (135, 139, and 445) that can be exploited by viruses. Additionally, a consumer-grade router on the broadband connection is intercepting traffic destined for ports 21, 554, and 7070 and responding to it itself as it attempts to proxy the protocols on those ports. In these cases, the ports are not actually open or filtered on the target system; the traffic has been tampered with en route to the destination.

It's important to keep in mind that when scanning remote systems your results may be skewed. This can happen at any stage between you and the target. Two good rules of thumb for interpreting scan results are listed below.

"The less expensive a connection is, the more problematic it will be for scanning."
Companies providing internet service for the masses are quite likely to have traffic restrictions. You can expect home broadband connections and free Wi-Fi at Starbucks to be more susceptible to filtering than a dedicated internet connection.

"The third port state is usually a suspect."
On a typical system, you can generally expect to see a mixture of only two port states, such as open/closed or open/filtered. Notice how the second scan reports ports that are open, closed, and filtered. The presence of three port states can indicate that "man-in-the-middle" filtering is taking place.
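As an added illustration of the two rules of thumb above (example code written for this section, not code from the book or the Nmap project), the following Python script parses Nmap's normal output as shown in the listings, tallies the port states including the collapsed "Not shown" line, flags a scan that reports three states, and lists the ports whose state differs between the dedicated and broadband vantage points. The sample inputs are the two scanme.nmap.org listings reproduced from above; the function names are the example's own.

```python
"""Tally Nmap port states and flag scans that show a suspicious third state.

Added example for this section; not code from the Nmap project or the book.
It parses Nmap's normal (human-readable) output, which is what the listings
show. Sample inputs are the two scanme.nmap.org scans copied from the book.
"""
import re
from collections import Counter

# Compound states first so that 'open|filtered' is not cut short at 'open'.
STATES = r"open\|filtered|closed\|filtered|open|closed|filtered|unfiltered"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(" + STATES + r")\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (" + STATES + r") ports")

# Sample input copied from the book's scan over a dedicated connection.
DEDICATED_SCAN = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:51 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received reset (0.30s latency).
Not shown: 997 closed ports
Reason: 997 resets
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds
"""

# Sample input copied from the book's scan over a consumer broadband connection.
BROADBAND_SCAN = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 19:21 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received echo-reply (0.087s latency).
Not shown: 990 closed ports
Reason: 990 resets
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
7070/tcp open     realserver
9929/tcp open     nping-echo

Nmap done: 1 IP address (1 host up) scanned in 5.74 seconds
"""


def parse_scan(output):
    """Return ({port: state} for listed ports, (count, state) from the 'Not shown' line)."""
    states, not_shown = {}, (0, None)
    for line in output.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
            continue
        m = PORT_LINE.match(line)
        if m:
            states[int(m.group(1))] = m.group(3)
    return states, not_shown


def tally_states(output):
    """Count ports per state, folding in the ports Nmap collapsed into 'Not shown'."""
    states, (count, default) = parse_scan(output)
    counts = Counter(states.values())
    if count:
        counts[default] += count
    return counts


def suspect_interference(output):
    """The book's rule of thumb: a third port state usually means something
    between scanner and target (ISP filtering, a proxying router) is interfering."""
    return len(tally_states(output)) >= 3


def vantage_point_differences(output_a, output_b):
    """Ports whose state differs between two scans of the same target.
    Unlisted ports take the 'Not shown' state of their scan."""
    a, (_, da) = parse_scan(output_a)
    b, (_, db) = parse_scan(output_b)
    return sorted(p for p in set(a) | set(b) if a.get(p, da) != b.get(p, db))


if __name__ == "__main__":
    for name, scan in (("dedicated", DEDICATED_SCAN), ("broadband", BROADBAND_SCAN)):
        verdict = "suspect" if suspect_interference(scan) else "consistent"
        print(f"{name}: {dict(tally_states(scan))} -> {verdict}")
    print("ports whose state depends on the vantage point:",
          vantage_point_differences(DEDICATED_SCAN, BROADBAND_SCAN))
```

Running it reports the dedicated scan as open/closed only and the broadband scan as open, filtered and closed, and names ports 21, 25, 135, 139, 445, 554 and 7070 as the ones whose state changed with the vantage point, exactly the ports the text attributes to the provider and the home router.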

Scan Multiple Targets

Nmap can be used to scan multiple hosts at the same time. The easiest way to do this is to string together the target IP addresses or host names on the command line.

Usage syntax: nmap [target1 target2 etc]

$ nmap 192.168.1.1 192.168.1.109 192.168.1.155
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:30 CST
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
548/tcp   open  afp
5009/tcp  open  airport-admin
10000/tcp open  snet-sensor-mgmt

Nmap scan report for 192.168.1.109
Host is up (0.00026s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 3 IP addresses (2 hosts up) scanned in 3.85 seconds

Multiple target scan

The example above demonstrates using Nmap to scan three addresses at the same time. You can use any combination of IP addresses and hostnames (separated by a space). At the end of the scan, a status line is printed with a summary of the results. In this case, only two of the three addresses responded to the probes.

Tip: Since all three targets in the above example are on the same subnet you could use the shorthand notation of nmap 192.168.1.1,109,155 to achieve the same results.

Scan a Range of IP Addresses

Nmap can also accept a range of IP addresses for target specification.

Usage syntax: nmap [range]

$ nmap 192.168.1.1-100
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:32 CST
Nmap scan report for 192.168.1.1
Host is up (0.00100s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
548/tcp   open  afp
5009/tcp  open  airport-admin
10000/tcp open  snet-sensor-mgmt

Nmap scan report for 192.168.1.100
Host is up (0.0029s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
88/tcp    open  kerberos-sec
3689/tcp  open  rendezvous
5900/tcp  open  vnc
49152/tcp open  unknown

Nmap done: 100 IP addresses (2 hosts up) scanned in 15.48 seconds

Scanning a range of IP addresses

In this example, Nmap is instructed to scan the range of IP addresses from 192.168.1.1 through 192.168.1.100. You can also use ranges to scan multiple networks/subnets. For example, typing nmap 192.168.1-100.* would scan the class C networks 192.168.1.1 through 192.168.100.255.

Note: The asterisk is a wildcard character that represents all valid values from 0-255.

Tip: When scanning large ranges, use the more command with a "pipe" (i.e. nmap 192.168.1.1-100 | more) to display the output one page at a time.

Scan an Entire Subnet

Nmap can be used to scan an entire subnet using CIDR (Classless Inter-Domain Routing) notation.

Usage syntax: nmap [network/CIDR]

$ nmap 192.168.1.1/24 | more
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:35 CST
Nmap scan report for 192.168.1.1
Host is up (0.00081s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
548/tcp   open  afp
5009/tcp  open  airport-admin
10000/tcp open  snet-sensor-mgmt

[...]

Nmap scan report for 192.168.1.111
Host is up (0.0016s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (7 hosts up) scanned in 45.77 seconds

Scanning an entire class C subnet using CIDR notation

The above example demonstrates using Nmap to scan the entire 192.168.1.0 network using CIDR notation. CIDR notation consists of the network address followed by a slash and the number of bits in the subnet mask. In this case, /24 corresponds to a subnet mask of 255.255.255.0.

The table below provides a cross-reference of CIDR notations for IPv4 networks.

CIDR Notation Reference

Classless Inter-Domain Routing notation is a shorthand method for referencing a subnet mask. The number represents the count of binary bits in the network portion of the mask. The table below shows all IPv4 subnet masks in dotted decimal notation and their CIDR notation equivalents.

Subnet mask        CIDR
000.000.000.000    /0
128.000.000.000    /1
192.000.000.000    /2
224.000.000.000    /3
240.000.000.000    /4
248.000.000.000    /5
252.000.000.000    /6
254.000.000.000    /7
255.000.000.000    /8
255.128.000.000    /9
255.192.000.000    /10
255.224.000.000    /11
255.240.000.000    /12
255.248.000.000    /13
255.252.000.000    /14
255.254.000.000    /15
255.255.000.000    /16
255.255.128.000    /17
255.255.192.000    /18
255.255.224.000    /19
255.255.240.000    /20
255.255.248.000    /21
255.255.252.000    /22
255.255.254.000    /23
255.255.255.000    /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
255.255.255.254    /31
255.255.255.255    /32

Scan a List of Targets

If you have a large number of systems to scan, you can enter the IP addresses (or host names) in a text file and use that file as input for Nmap on the command line.

$ cat list.txt
192.168.1.1
192.168.1.100
192.168.1.105

Target IP addresses in a text file

The list.txt file above contains a list of hosts to be scanned. Each entry in the list.txt file must be separated by a space, tab, or new line. The -iL parameter is used to instruct Nmap to extract the list of targets from the list.txt file.

Usage syntax: nmap -iL [list.txt]

$ nmap -iL list.txt
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:42 CST
Nmap scan report for 192.168.1.1
Host is up (0.00090s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
548/tcp   open  afp
5009/tcp  open  airport-admin
10000/tcp open  snet-sensor-mgmt

[...]

Nmap done: 3 IP addresses (3 hosts up) scanned in 22.15 seconds

Nmap scan using a list for target specification

The resulting scan displayed above will be performed for each host in the list.txt file. This is useful for situations where you want to scan a large number of targets that would be cumbersome when attempting to string them together as command line arguments.

Scan Random Targets

The -iR parameter can be used to select random internet hosts to scan. Nmap will randomly generate the specified number of targets and attempt to scan them.

Usage syntax: nmap -iR [number of targets]

$ nmap -iR 3
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:44 CST

[...]

Nmap done: 3 IP addresses (1 host up) scanned in 14.53 seconds

Scanning three randomly generated IP addresses

Note: For privacy reasons the results of the above scan are not displayed in this book.

Executing nmap -iR 3 instructs Nmap to randomly generate 3 IP addresses to scan. There aren’t many good reasons to ever do a random scan unless you are working on a research project (or just really bored). Additionally, if you do a lot of aggressive random scanning you could end up getting in trouble with your internet service provider as many have started to monitor customer connections for suspicious network activity. You could get a warning or even banned if network scanning is prohibited by your provider's terms of service. In most cases, however, light scanning will not raise any red flags.

Exclude Targets from a Scan

The --exclude option is used with Nmap to exclude hosts from a scan.

Usage syntax: nmap [targets] --exclude [target(s)]

$ nmap 192.168.1.0/24 --exclude 192.168.1.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:53 CST

[...]

Nmap done: 255 IP addresses (7 hosts up) scanned in 49.33 seconds

Excluding a single IP from a scan

The --exclude option is useful if you want to exclude specific hosts when scanning a large number of addresses. In the example above host 192.168.1.1 is excluded from the group of targets being scanned.

The --exclude option accepts single hosts, ranges, or entire network blocks (using CIDR notation) as demonstrated in the next example.

$ nmap 192.168.1.0/24 --exclude 192.168.1.1-100
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:57 CST

[...]

Nmap done: 156 IP addresses (5 hosts up) scanned in 48.79 seconds

Excluding a range of IP addresses from a scan

In the example above, 256 addresses are specified using CIDR and a range of 100 addresses is excluded, which results in 156 addresses being scanned.

Exclude Targets Using a List

The --excludefile option is related to the --exclude option and can be used to provide a list of targets to exclude from a network scan.

$ cat list.txt
192.168.1.1
192.168.1.5
192.168.1.100

Text file with hosts to exclude from a scan

The example below demonstrates using the --excludefile argument to exclude the hosts in the list.txt file displayed above.

Usage syntax: nmap [targets] --excludefile [list.txt]

$ nmap 192.168.1.0/24 --excludefile list.txt
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 20:01 CST
Nmap scan report for 192.168.1.101
Host is up (0.0098s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
3689/tcp  open  rendezvous
5000/tcp  open  upnp
7000/tcp  open  afs3-fileserver
7100/tcp  open  font-service
62078/tcp open  iphone-sync

[...]

Nmap done: 253 IP addresses (5 hosts up) scanned in 81.09 seconds

Excluding a list of hosts from a network scan

In the above example, the targets in the list.txt file are excluded from the scan. You can use this feature to list systems on your network that you don't want to disturb while performing an audit.
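The target-specification forms used in the sections above (space-separated hosts, the 192.168.1.1,109,155 and 192.168.1.1-100 octet shorthand, the * wildcard, CIDR blocks, -iL style files, --exclude and --excludefile) can be reproduced offline to check how many addresses a scan will touch before it is run. The following Python module is an added example for those sections, not code from the book or the Nmap project. It handles IPv4 literals only (host names would need DNS resolution), includes a prefix-to-mask helper matching the CIDR reference table, and the EXCLUDE_LIST sample is constructed from the list.txt shown above.

```python
"""Expand Nmap-style IPv4 target specifications and exclusions into address sets.

Added example for this section, not code from the Nmap project or the book.
Supported forms: dotted quads whose octets may be a value, a comma list, a
lo-hi range or '*' (e.g. 192.168.1.1,109,155 or 192.168.1-100.*), CIDR blocks,
and target files split on whitespace as -iL / --excludefile do.
"""
import ipaddress
from itertools import product


def prefix_to_mask(bits):
    """Dotted-decimal subnet mask for a prefix length, as in the CIDR reference table."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def _octet_values(field):
    """Expand one octet field: '5', '1-100', '1,109,155', '*', or a comma list mixing these."""
    values = set()
    for piece in field.split(","):
        if piece == "*":
            values.update(range(256))
        elif "-" in piece:
            lo, hi = piece.split("-", 1)
            lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range {piece!r}")
            values.update(range(lo, hi + 1))
        else:
            value = int(piece)
            if not 0 <= value <= 255:
                raise ValueError(f"bad octet {piece!r}")
            values.add(value)
    return sorted(values)


def expand_target(spec):
    """Expand one target token into a set of IPv4 addresses held as integers."""
    if "/" in spec:
        # CIDR: the network and broadcast addresses are included, so a /24 is 256 targets,
        # which matches the "256 IP addresses" count in the book's listing.
        return {int(addr) for addr in ipaddress.ip_network(spec, strict=False)}
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"unsupported target specification {spec!r}")
    return {
        (a << 24) | (b << 16) | (c << 8) | d
        for a, b, c, d in product(*(_octet_values(f) for f in fields))
    }


def read_target_file(text):
    """Split a target file the way -iL and --excludefile do: on spaces, tabs and newlines."""
    return text.split()


def expand_targets(specs, exclude=()):
    """All addresses named by specs minus those named by exclude, as sorted IPv4Address objects."""
    wanted = set().union(*(expand_target(s) for s in specs))
    excluded = set().union(*(expand_target(s) for s in exclude))
    return sorted(ipaddress.IPv4Address(a) for a in wanted - excluded)


# Constructed sample matching the list.txt used with --excludefile above.
EXCLUDE_LIST = "192.168.1.1\n192.168.1.5\n192.168.1.100\n"


if __name__ == "__main__":
    print("/24 mask:", prefix_to_mask(24))
    print("192.168.1.0/24 minus 192.168.1.1-100:",
          len(expand_targets(["192.168.1.0/24"], exclude=["192.168.1.1-100"])), "addresses")
    print("192.168.1.0/24 minus list.txt:",
          len(expand_targets(["192.168.1.0/24"], exclude=read_target_file(EXCLUDE_LIST))), "addresses")
```

Running it reproduces the counts in the listings: a /24 is 256 addresses, excluding 192.168.1.1 leaves 255, excluding 192.168.1.1-100 leaves 156, and excluding the three-host list leaves 253. The wildcard form 192.168.1-100.* expands to 25600 addresses, which is worth knowing before pointing a scan at it.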

Perform an Aggressive Scan

The -A parameter instructs Nmap to perform an aggressive scan.

Usage syntax: nmap -A [target]

# nmap -A 10.10.4.31
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 09:10 CST
Nmap scan report for 10.10.4.31
Host is up (0.0031s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    3Com switch http config
| http-title: Web user login
|_Requested resource was index.htm
MAC Address: CC:3E:5F:5B:BE:80 (Hewlett Packard)
Device type: switch
Running: H3C Comware 5.X
OS CPE: cpe:/o:h3c:comware:5.20
OS details: H3C Comware 5.20
Network Distance: 1 hop
Service Info: Device: switch

TRACEROUTE
HOP RTT     ADDRESS
1   3.08 ms 10.10.4.31

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.95 seconds

Output of an aggressive scan

The aggressive scan selects some of the most commonly used options within Nmap and is provided as a simple alternative to typing a long string of command line arguments. The -A parameter is a synonym for several advanced options (like -O -sC --traceroute) which can also be accessed individually and are covered later in this guide. The resulting output includes more information than what is shown in a typical Nmap scan such as the device type and operating system.

Scan an IPv6 Target

The -6 parameter is used to perform a scan of an IP version 6 target.

Usage syntax: nmap -6 [target]

# nmap -6 fe80::2572:dd3a:34fe:daa9
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:10 CST
Nmap scan report for myserver (fe80::2572:dd3a:34fe:daa9)
Host is up (0.0011s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
1099/tcp  open  rmiregistry
1521/tcp  open  oracle
3389/tcp  open  ms-wbt-server
5080/tcp  open  onscreen
8080/tcp  open  http-proxy
9999/tcp  open  abyss
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
MAC Address: 00:0C:29:C2:E7:8E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds

Scanning an IPv6 address

The example above displays the results of scanning an IP version 6 system. Most Nmap options support IPv6 with the exception of multiple target scanning using ranges and CIDR, as they are pointless on IPv6 networks.

Note: The host, target, and interconnecting systems must all support the IPv6 protocol in order for a -6 scan to work.