Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)
Section 2: Basic Scanning Techniques
Overview
This section covers the basics of network scanning with Nmap. Before we begin it is important to understand the following concepts:
- Firewalls, routers, proxy servers, and other security devices can skew the results of an Nmap scan. Because of this, scanning remote hosts that are not on your local network may produce misleading information.
- Some scanning options require elevated privileges. On Unix and Linux systems you may be required to login as the root user or to execute Nmap using the sudo command.
There are also a couple of warnings to take into consideration:
- Scanning networks that you do not have permission to scan can get you in trouble with your internet service provider, the police, and possibly even the government. Don’t scan the FBI or Secret Service websites unless you want to get in trouble.
- Aggressively scanning some systems can lead to undesirable results such as system downtime or data loss. Always scan mission critical systems with caution.
Now let’s start scanning!
Scan a Single Target
Executing Nmap with no command line options will perform a basic scan on the target system. A target can be specified as an IP address or host name (which Nmap will try to resolve).
Usage syntax: nmap [target]
$ nmap 192.168.1.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:23 CST
Nmap scan report for 192.168.1.1
Host is up (0.00084s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afp
5009/tcp open airport-admin
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds
Single target scan
The resulting scan shows the status of ports detected on the specified target along with other helpful information such as the protocol in use and service associated with the port. The table below describes the output fields displayed by the scan.
PORT      Port number/protocol
STATE     Status of the port
SERVICE   Type of service associated with the port
A default Nmap scan will check the 1000 most commonly used TCP/IP ports. Each port that is probed is classified into one of six port states: open, closed, filtered, unfiltered, open|filtered, or closed|filtered. These port states are described in the next section.
Nmap Port States
Nmap uses six different port states to classify the status of a port scan. The list below describes the meaning of each port state.
open: An open port is a port that actively responds to an incoming connection.
closed: A closed port is a port on a target that actively responds to a probe but does not appear to have any service running on the port. Closed ports are commonly found on systems where no firewall is in place to filter incoming traffic.
filtered: Filtered ports are ports that are typically protected by a firewall of some sort that prevents Nmap from determining whether the port is open or closed.
unfiltered: An unfiltered port is a port that Nmap can access but is unable to determine whether it is open or closed.
open|filtered: An open|filtered port is a port which Nmap believes to be open or filtered but cannot definitively determine which state the port is actually in.
closed|filtered: A closed|filtered port is a port that Nmap believes to be closed or filtered but cannot definitively determine which state the port is actually in.
Understanding Port States
Take a look at the following scan...
# nmap scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:51 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received reset (0.30s latency).
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds
Nmap scan from a dedicated internet connection
This scan shows the results of scanning a remote target from a dedicated commercial internet connection. Now review the following scan on the same target, which was performed using a consumer broadband connection.
# nmap scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 19:21 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received echo-reply (0.087s latency).
Not shown: 990 closed ports
Reason: 990 resets
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
554/tcp open rtsp
7070/tcp open realserver
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 5.74 seconds
Nmap scan from a broadband internet connection
The above scan differs from the first scan because the second internet provider is performing filtering on outbound connections, whereas the first provider is not. In this case, the provider prevents home internet subscribers from running an SMTP server and also blocks ports common to Microsoft Windows systems (135, 139, 445) that are frequently exploited by viruses. Additionally, a consumer-grade router on the broadband connection is intercepting traffic destined for ports 21, 554, and 7070 and actively responds to it as it attempts to proxy the protocols on those ports. In these cases, the ports are not actually open or filtered on the target system. Rather, the traffic has been tampered with en route to the destination.
It’s important to keep in mind that when scanning remote systems your results may be skewed. This can happen at any stage between you and the target. Two good rules of thumb for interpreting scan results are listed below.
“The less expensive a connection is, the more problematic it will be for scanning.”
Companies providing internet service for the masses are quite likely to have traffic restrictions. You can expect home broadband connections and free Wi-Fi at Starbucks to be more susceptible to filtering than a dedicated internet connection.
“The third port state is usually a suspect.”
On a typical system, you can generally expect to see a mixture of only two port states, such as open/closed or open/filtered. Notice how the second scan reports ports that are open, closed, and filtered. The presence of three port states can indicate that “man-in-the-middle” filtering is taking place.
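The following is an added example, not code from the book: a small Python parser for the PORT/STATE/SERVICE lines of Nmap's normal output that tallies the port states (including the ports hidden behind "Not shown:") and applies the "third port state" rule of thumb from above. The sample input is constructed from the broadband scan shown above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample input, abridged from the broadband-connection scan above
BROADBAND_SCAN = """\
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received echo-reply (0.087s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
554/tcp open rtsp
7070/tcp open realserver
9929/tcp open nping-echo
"""

# One port line: PORT/PROTO  STATE  SERVICE (compound states listed first so they win)
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)"
)
# "Not shown: 990 closed ports" (Nmap may list several groups, comma separated)
NOT_SHOWN = re.compile(r"(\d+) (\S+) ports")

def parse_ports(text):
    """Return (listed_ports, state_counts) for one host's normal-output report."""
    listed = []
    counts = Counter()
    for line in text.splitlines():
        if line.startswith("Not shown:"):
            for n, state in NOT_SHOWN.findall(line):
                counts[state] += int(n)  # ports Nmap omitted to keep the report short
            continue
        m = PORT_LINE.match(line)
        if m:
            listed.append((int(m["port"]), m["proto"], m["state"], m["service"]))
            counts[m["state"]] += 1
    return listed, counts

def suspect_intermediate_filtering(counts):
    """'Third port state' rule: a host normally shows two of the six states.
    Three or more suggests a device between scanner and target is altering results."""
    return sum(1 for n in counts.values() if n > 0) >= 3

def filtered_ports(listed):
    """Ports to re-check from a second vantage point before trusting the result."""
    return [port for port, _, state, _ in listed if "filtered" in state]
```

Running the dedicated-connection scan from earlier through the same functions yields only open and closed ports, so the rule of thumb does not fire there.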
Scan Multiple Targets
Nmap can be used to scan multiple hosts at the same time. The easiest way to do this is to string together the target IP addresses or host names on the command line.
Usage syntax: nmap [target1 target2 etc]
$ nmap 192.168.1.1 192.168.1.109 192.168.1.155
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:30 CST
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afp
5009/tcp open airport-admin
10000/tcp open snet-sensor-mgmt
Nmap scan report for 192.168.1.109
Host is up (0.00026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 3 IP addresses (2 hosts up) scanned in 3.85 seconds
Multiple target scan
The example above demonstrates using Nmap to scan three addresses at the same time. You can use any combination of IP addresses and hostnames (separated by a space). At the end of the scan, a status line is printed with a summary of the results. In this case, only two of the three addresses responded to the probes.
Tip: Since all three targets in the above example are on the same subnet you could use the shorthand notation of nmap 192.168.1.1,109,155 to achieve the same results.
Scan a Range of IP Addresses
Nmap can also accept a range of IP addresses for target specification.
Usage syntax: nmap [range]
$ nmap 192.168.1.1-100
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:32 CST
Nmap scan report for 192.168.1.1
Host is up (0.00100s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afp
5009/tcp open airport-admin
10000/tcp open snet-sensor-mgmt
Nmap scan report for 192.168.1.100
Host is up (0.0029s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
88/tcp open kerberos-sec
3689/tcp open rendezvous
5900/tcp open vnc
49152/tcp open unknown
Nmap done: 100 IP addresses (2 hosts up) scanned in 15.48 seconds
Scanning a range of IP addresses
In this example, Nmap is instructed to scan the range of IP addresses from 192.168.1.1 through 192.168.1.100. You can also use ranges to scan multiple networks/subnets. For example, typing nmap 192.168.1-100.* would scan the class C IP networks of 192.168.1.1 through 192.168.100.255.
Note: The asterisk is a wildcard character that represents all valid values from 0-255.
Tip: When scanning large ranges, pipe the output to the more command (i.e. nmap 192.168.1.1-100 | more) to display it one page at a time.
Scan an Entire Subnet
Nmap can be used to scan an entire subnet using CIDR (Classless Inter-Domain Routing) notation.
Usage syntax: nmap [network/CIDR]
$ nmap 192.168.1.1/24 | more
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:35 CST
Nmap scan report for 192.168.1.1
Host is up (0.00081s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afp
5009/tcp open airport-admin
10000/tcp open snet-sensor-mgmt
[...]
Nmap scan report for 192.168.1.111
Host is up (0.0016s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 256 IP addresses (7 hosts up) scanned in 45.77 seconds
Scanning an entire class C subnet using CIDR notation
The above example demonstrates using Nmap to scan the entire 192.168.1.0 network using CIDR notation. CIDR notation consists of the network address and subnet mask (in binary bits) separated by a slash. In this case, /24 corresponds to a subnet mask of 255.255.255.0.
The table in the next section provides a cross-reference of CIDR notations for IPv4 networks.
CIDR Notation Reference
Classless Inter-Domain Routing notation is a shorthand method for referencing a subnet mask. The number represents the count of binary bits in the network portion of the mask. The table below shows all IPv4 subnet masks in dotted decimal notation and their CIDR notation equivalents.
000.000.000.000 /0
128.000.000.000 /1
192.000.000.000 /2
224.000.000.000 /3
240.000.000.000 /4
248.000.000.000 /5
252.000.000.000 /6
254.000.000.000 /7
255.000.000.000 /8
255.128.000.000 /9
255.192.000.000 /10
255.224.000.000 /11
255.240.000.000 /12
255.248.000.000 /13
255.252.000.000 /14
255.254.000.000 /15
255.255.000.000 /16
255.255.128.000 /17
255.255.192.000 /18
255.255.224.000 /19
255.255.240.000 /20
255.255.248.000 /21
255.255.252.000 /22
255.255.254.000 /23
255.255.255.000 /24
255.255.255.128 /25
255.255.255.192 /26
255.255.255.224 /27
255.255.255.240 /28
255.255.255.248 /29
255.255.255.252 /30
255.255.255.254 /31
255.255.255.255 /32
Scan a List of Targets
If you have a large number of systems to scan, you can enter the IP address (or host names) in a text file and use that file as input for Nmap on the command line.
$ cat list.txt
192.168.1.1
192.168.1.100
192.168.1.105
Target IP addresses in a text file
The list.txt file above contains a list of hosts to be scanned. Each entry in the list.txt file must be separated by a space, tab, or new line. The -iL parameter is used to instruct Nmap to extract the list of targets from the list.txt file.
Usage syntax: nmap -iL [list.txt]
$ nmap -iL list.txt
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:42 CST
Nmap scan report for 192.168.1.1
Host is up (0.00090s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afp
5009/tcp open airport-admin
10000/tcp open snet-sensor-mgmt
[...]
Nmap done: 3 IP addresses (3 hosts up) scanned in 22.15 seconds
Nmap scan using a list for target specification
The resulting scan displayed above will be performed for each host in the list.txt file. This is useful for situations where you want to scan a large number of targets that would be cumbersome when attempting to string them together as command line arguments.
Scan Random Targets
The -iR parameter can be used to select random internet hosts to scan. Nmap will randomly generate the specified number of targets and attempt to scan them.
Usage syntax: nmap -iR [number of targets]
$ nmap -iR 3
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:44 CST
[...]
Nmap done: 3 IP addresses (1 host up) scanned in 14.53 seconds
Scanning three randomly generated IP addresses
Note: For privacy reasons the results of the above scan are not displayed in this book.
Executing nmap -iR 3 instructs Nmap to randomly generate 3 IP addresses to scan. There aren’t many good reasons to ever do a random scan unless you are working on a research project (or just really bored). Additionally, if you do a lot of aggressive random scanning you could end up getting in trouble with your internet service provider, as many have started to monitor customer connections for suspicious network activity. You could get a warning or even be banned if network scanning is prohibited by your provider's terms of service. In most cases, however, light scanning will not raise any red flags.
Exclude Targets from a Scan
The --exclude option is used with Nmap to exclude hosts from a scan.
Usage syntax: nmap [targets] --exclude [target(s)]
$ nmap 192.168.1.0/24 --exclude 192.168.1.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:53 CST
[...]
Nmap done: 255 IP addresses (7 hosts up) scanned in 49.33 seconds
Excluding a single IP from a scan
The --exclude option is useful if you want to exclude specific hosts when scanning a large number of addresses. In the example above host 192.168.1.1 is excluded from the group of targets being scanned.
The --exclude option accepts single hosts, ranges, or entire network blocks (using CIDR notation) as demonstrated in the next example.
$ nmap 192.168.1.0/24 --exclude 192.168.1.1-100
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 19:57 CST
[...]
Nmap done: 156 IP addresses (5 hosts up) scanned in 48.79 seconds
Excluding a range of IP addresses from a scan
In the example above, 256 addresses are specified using CIDR and a range of 100 addresses are excluded, which results in 156 addresses being scanned.
Exclude Targets Using a List
The --excludefile option is related to the --exclude option and can be used to provide a list of targets to exclude from a network scan.
$ cat list.txt
192.168.1.1
192.168.1.5
192.168.1.100
Text file with hosts to exclude from a scan
The example below demonstrates using the --excludefile argument to exclude the hosts in the list.txt file displayed above.
Usage syntax: nmap [targets] --excludefile [list.txt]
$ nmap 192.168.1.0/24 --excludefile list.txt
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 20:01 CST
Nmap scan report for 192.168.1.101
Host is up (0.0098s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
3689/tcp open rendezvous
5000/tcp open upnp
7000/tcp open afs3-fileserver
7100/tcp open font-service
62078/tcp open iphone-sync
[...]
Nmap done: 253 IP addresses (5 hosts up) scanned in 81.09 seconds
Excluding a list of hosts from a network scan
In the above example, the targets in the list.txt file are excluded from the scan. You can use this feature to list systems on your network that you don't want to disturb while performing an audit.
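As an added example (my own code, not the book's or Nmap's), the following Python module models the target notation used across the sections above: comma lists (192.168.1.1,109,155), octet ranges and the * wildcard, CIDR blocks, whitespace-separated -iL files, and --exclude / --excludefile. It reproduces the address counts Nmap printed in those examples (100, 256, 255, 156 and 253 targets) so you can check a target specification before running a large scan. Function names are my own; the octet-range defaults follow Nmap's documented rule that an omitted bound means 0 or 255.

```python
import itertools
import ipaddress

def _octet_values(field):
    """Expand one octet of a target spec: '1', '1-100', '1,109,155' or '*'."""
    values = set()
    for item in field.split(","):
        if item == "*":
            values.update(range(256))
        elif "-" in item:
            lo, hi = item.split("-", 1)  # an omitted bound means 0 or 255
            values.update(range(int(lo or 0), int(hi or 255) + 1))
        else:
            values.add(int(item))
    return sorted(values)

def expand_target(spec):
    """All IPv4 addresses an Nmap target spec covers, last octet varying fastest."""
    if "/" in spec:
        # Like Nmap, a /24 yields all 256 addresses, network and broadcast included
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*map(_octet_values, octets))]

def cidr_to_mask(prefix):
    """Dotted-decimal mask for a prefix length, e.g. 24 -> '255.255.255.0'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)

def targets_from_list(text):
    """Entries of an -iL or --excludefile file: separated by spaces, tabs or newlines."""
    return text.split()

def scan_targets(specs, exclude=()):
    """Ordered, duplicate-free target list after applying --exclude specs."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen, result = set(), []
    for spec in specs:
        for ip in expand_target(spec):
            if ip not in excluded and ip not in seen:
                seen.add(ip)
                result.append(ip)
    return result
```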
Perform an Aggressive Scan
The -A parameter instructs Nmap to perform an aggressive scan.
Usage syntax: nmap -A [target]
# nmap -A 10.10.4.31
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 09:10 CST
Nmap scan report for 10.10.4.31
Host is up (0.0031s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http 3Com switch http config
| http-title: Web user login
|_Requested resource was index.htm
MAC Address: CC:3E:5F:5B:BE:80 (Hewlett Packard)
Device type: switch
Running: H3C Comware 5.X
OS CPE: cpe:/o:h3c:comware:5.20
OS details: H3C Comware 5.20
Network Distance: 1 hop
Service Info: Device: switch
TRACEROUTE
HOP RTT ADDRESS
1 3.08 ms 10.10.4.31
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.95 seconds
Output of an aggressive scan
The aggressive scan selects some of the most commonly used options within Nmap and is provided as a simple alternative to typing a long string of command line arguments. The -A parameter is a synonym for several advanced options (like -O -sC --traceroute), each of which can also be used individually and is covered later in this guide. The resulting output includes more information than a typical Nmap scan shows, such as the device type, operating system, and service versions.
Scan an IPv6 Target
The -6 parameter is used to perform a scan of an IP version 6 target.
Usage syntax: nmap -6 [target]
# nmap -6 fe80::2572:dd3a:34fe:daa9
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:10 CST
Nmap scan report for myserver (fe80::2572:dd3a:34fe:daa9)
Host is up (0.0011s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
1099/tcp open rmiregistry
1521/tcp open oracle
3389/tcp open ms-wbt-server
5080/tcp open onscreen
8080/tcp open http-proxy
9999/tcp open abyss
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
MAC Address: 00:0C:29:C2:E7:8E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds
Scanning an IPv6 address
The example above displays the results of scanning an IP version 6 system. Most Nmap options support IPv6 with the exception of multiple target scanning using ranges and CIDR, as they are pointless on IPv6 networks.
Note: The host, target, and interconnecting systems must all support the IPv6 protocol in order for a -6 scan to work.