Nmap (Basic Nmap usage)

gr00ve_hacker
forum buddy
Posts: 12
Joined: 09 Aug 2010, 12:41

Nmap (Basic Nmap usage)

Post by gr00ve_hacker »

Hi Everybody...First of all this site is AWESOME...I just joined in today and it has lots of useful stuff....
I would like to tell about n00b level Nmap usage...I am also a learner and if you find mistakes in it please correct me.

First of all Nmap is Network Mapper and you can find it on http://www.insecure.org/

Lesson 1 : Getting started with Nmap :P
Installing Nmap on Linux (I am doing it on Fedora):

You should have a C++ compiler on your pc.
Download Nmap from http://nmap.org/dist/nmap-5.21.tar.bz2

Now open a terminal and type

Code:

#su
It will ask you for your password and you will get into your root account. Now navigate to the directory where you have kept your downloaded file.

Code:

#bzip2 -cd nmap-5.21.tar.bz2|tar xvf -
Explanation:

bzip2 => it uncompresses the file with bzip2
-c => decompresses the file to standard output
d => forces bzip2 to decompress the file
| => pipes the output of preceding command to the successor command (tar)
x => extracts from tarball
v => verbose during the extraction
f => instructs to use the device or filename that follows
- => (hyphen) means tar will use the output of bzip2 as input of tar command

Now all files are placed in nmap-5.21

Code:

# cd nmap-5.21
Now we will run the configure command

Code:

#./configure
This ensures that the files are OK and the software will be compiled properly (pre-checking).
If there is any missing file or library it will show an error.

Code:

#make
to compile everything in the right place

Code:

#make install
to move binaries and other things to their right place.

Now we have successfully installed Nmap.
Now check your IP by typing

Code:

ifconfig
and note it down somewhere.
Now in terminal type

Code:

nmap "your ip" (without quotes)
e.g.

Code:

#nmap 192.168.1.2
Congrats, you successfully scanned your own IP for open ports.

This is my first post ever. Constructive criticism most welcome. If you like this, tell me, I will post Lesson 2 (Basics of IP, TCP, UDP and ICMP scanning by Nmap) 8)
Last edited by gr00ve_hacker on 09 Aug 2010, 14:34, edited 1 time in total.

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Re: Nmap (Basic Nmap usage)

Post by lilrofl »

I haven't used fedora in a while, but I'm fairly sure that you can access nmap through the RPM manager... ie: yum install nmap

Good enthusiasm though, and welcome to Suck-o

gr00ve_hacker
forum buddy
Posts: 12
Joined: 09 Aug 2010, 12:41

Re: Nmap (Basic Nmap usage)

Post by gr00ve_hacker »

lilrofl wrote:I haven't used fedora in a while, but I'm fairly sure that you can access nmap through the RPM manager... ie: yum install nmap

Good enthusiasm though, and welcome to Suck-o
Yeah it can be done but I preferred this method for beginners because it gives them an exposure to compiling programs and using more of Linux (while messing around with bzip2, tar and C++) which in itself gives a lot of satisfaction and eagerness to learn more.... Anyways I will keep your suggestion in mind for my next posts....Thank you \:D/

leetnigga
Fame ! Where are the chicks?!
Posts: 447
Joined: 28 Jul 2009, 16:00

Re: Nmap (Basic Nmap usage)

Post by leetnigga »

Welcome. Glad to see you're using some form of *nix. Nice job on the tutorial.

As mentioned, most distributions have nmap in their package/ports collection. I would suggest suggesting that as the first method of installation, then mentioning how to compile nmap from source (with your instructions) as an alternative.

You might also want to use the "code" tag for commands, like I will do in my next suggestion.

Code:

#bzip2 -cd nmap-5.21.tar.bz2|tar xvf -
Nowadays, GNU tar and bsdtar have built-in support for filtering archives through bzip2. GNU tar does this with the -j (--bzip2) flag, and bsdtar recognizes bzip2 compression automatically. You might want to use that new feature in your tutorial to simplify the command and be more modern.

gr00ve_hacker
forum buddy
Posts: 12
Joined: 09 Aug 2010, 12:41

Re: Nmap (Basic Nmap usage)

Post by gr00ve_hacker »

Sure, I will use code tags in the next post and keep the other things in mind...Thank you too....

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Re: Nmap (Basic Nmap usage)

Post by lilrofl »

gr00ve_hacker wrote:
Yeah it can be done but i preferred this method for beginners because it gives them an exposure to compiling programs and using more of Linux (while messing around with bzip2 , tar and c++) which in itself gives a lot of satisfaction and eagerness to learn more.... Anyways I will keep your suggestion in mind for my next posts....Thank you \:D/
Fair enough :)

I remember when I started learning linux, I was so frustrated with the amount of work needed to compile source, to compound the issue, I always ran into some error or another, and could rarely fix the problem. Then a friend asked me why I didn't just use my RPM manager... I didn't even know what that was at the time. I still don't like compiling source when I don't have to, but I can understand the desire to introduce the method.

Hopefully it will create more curiosity than frustration in this case.

gr00ve_hacker
forum buddy
Posts: 12
Joined: 09 Aug 2010, 12:41

Re: Nmap (Basic Nmap usage)

Post by gr00ve_hacker »

Disclaimer: All the information provided in this tutorial is for educational purposes only. I am in no way responsible for any misuse of the information. (There is no show off in becoming a criminal *thumb* )

OK guys... Time to move on.....
Lesson 2: Basics of IP, TCP, ICMP and UDP scanning
First of all always prefer *nix for using Nmap because Fyodor =D> always launches Nmap updates for Linux first and then for Windows...Moreover Linux is Good For Everything... :mrgreen:

First you should know what ports are.. Go here for that http://en.wikipedia.org/wiki/TCP_and_UDP_port

Nmap provides us about 1500 queries and about 15 scanning methods.

Now let's assume that you have a machine with IP 192.168.1.2 in your local network.

When you run

Code:

#nmap 192.168.1.2
there are 3 possibilities
1. Either a port is closed.
2. Port is open to all.
3. No reply (filtered) (Firewall most probably).

Now read about the 3 way handshake from http://en.wikipedia.org/wiki/Three-way_ ... ablishment

Before sending actual data TCP performs 3 way handshake with Destination:

1. A SYN packet FROM SOURCE to DESTINATION
Explanation:
It includes all initialisation parameters and port numbers that will be useful for data transfer.

2. An ACK/SYN packet from DESTINATION to SOURCE
Explanation:
Destination sends acknowledgment with its set of conditions and port numbers.

3. A ACK packet from SOURCE to DESTINATION
Explanation:
It's a confirmation and the connection has been set up. No real data is sent till now but these packets have a lot of extra info.

In UDP neither a handshake is performed nor any confirmation is received.

ICMP : It does not involve Data transfer just some info messages.

Nmap by default always performs a series of 4 steps before it actually scans a remote host (these can be disabled by user though)
1. DNS lookup
2. Ping the target to confirm if it's alive (in network)
3. Reverse DNS lookup (step 1 and 3 are different (Use Google to know more)).
4. Scan

Waiting for your comments. Lesson 3 will have basics of 1st actual scan (TCP SYN scan).

gr00ve_hacker
forum buddy
Posts: 12
Joined: 09 Aug 2010, 12:41

Re: Nmap (Basic Nmap usage)

Post by gr00ve_hacker »

Disclaimer: All the information provided in this tutorial is for educational purposes only. I am in no way responsible for any misuse of the information

Lesson 3: Introductions over we will now see the real power of Nmap :mrgreen:

Note: When we type

Code:

#nmap 192.168.1.2
Scanning starts and there is very little output...If you are too impatient and want to see the scan status press any key except v, d, p or ? (These are default debugging keys)

There are 4 most basic types of scan types in Nmap
1. TCP SYN scan (-sS)
2. TCP Connect scan (-sT)
3. Ping scan (-sP)
4. UDP scan (-sU)

In this Lesson I will concentrate over TCP SYN scan :-$

First of all you need to have root privileges to do this scan because Nmap needs to frame IP packets. This is the default type of scan as root. If you simply type

Code:

#nmap 192.168.1.2
it is the TCP SYN scan that takes place.

We will here specify the TCP SYN scan by

Code:

#nmap -sS 192.168.1.2
Remember this here for reference : ----> Means SOURCE (running Nmap) to DESTINATION (remote host which we are scanning)
and <---- means DESTINATION to SOURCE

Case 1 :
Nmap initiates a 3 way handshake (refer to lesson 2 to know what it means)
1. SYN+port x ---->
2. SYN+ACK <----
3. RST ---->

and Port is identified as open.

Explanation:
1. A SYN packet FROM SOURCE to DESTINATION
It includes all initialisation parameters and port numbers that will be useful for data transfer.

2. An ACK/SYN packet from DESTINATION to SOURCE
Destination sends acknowledgment with its set of conditions and port numbers.

3. A RST packet from SOURCE to DESTINATION (It's the main part)
Now instead of sending an ACK packet Nmap sends the remote host a RST packet and the session is closed before it could actually start, meaning we did not even connect to the remote machine but came to know its open port... WE ARE NOT IN LOGS !!!!

Case 2:
Nmap initiates a 3 way handshake
1. SYN + port x ---->
2. RST <----

The port is Identified as closed.

Explanation:
1. A SYN packet FROM SOURCE to DESTINATION
It includes all initialisation parameters and port numbers that will be useful for data transfer.

2. As the port 'x' on the remote host is closed it sends us a RST packet that it can't trade with us using its port 'x' and Nmap classifies the port as closed.

Case 3:
Nmap initiates a 3 way handshake
1. SYN + port x ---->
Nmap waits till time out period and if nothing comes back port is identified as filtered (fire-walled).

Advantages of using this scan:
It doesn't create a session so we don't appear in logs
Disadvantages :
It requires root access and a large number of RSTs are sent over the network .. If it's monitored the destination admin can get alarmed.


In lesson 3 we will learn the basics of TCP Connect scan......
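
The SYN scan post says the half-open exchange never shows up in the target's logs, but also that the many RSTs can alarm an admin who is monitoring. As an added example (not from the thread or from Nmap), this is the packet-level pattern a defender can look for: a source that sends SYN, gets SYN/ACK, and answers RST without ever sending ACK, across several ports. The packet trace is constructed.

```python
from collections import defaultdict

# Constructed packet records: (src, dst, dport, sender, flags); sender is "src"
# for a packet going src -> dst and "dst" for the reply coming back.
TRACE = [
    # 10.0.0.9 probes 192.168.1.2 the way the -sS lesson describes
    ("10.0.0.9", "192.168.1.2", 22, "src", "S"),   # SYN + port x ---->
    ("10.0.0.9", "192.168.1.2", 22, "dst", "SA"),  # SYN/ACK <----
    ("10.0.0.9", "192.168.1.2", 22, "src", "R"),   # RST ----> (no ACK ever sent)
    ("10.0.0.9", "192.168.1.2", 23, "src", "S"),
    ("10.0.0.9", "192.168.1.2", 23, "dst", "R"),   # closed port answers with RST
    ("10.0.0.9", "192.168.1.2", 445, "src", "S"),  # filtered: nothing comes back
    # 10.0.0.5 is an ordinary client: it completes the handshake on port 80
    ("10.0.0.5", "192.168.1.2", 80, "src", "S"),
    ("10.0.0.5", "192.168.1.2", 80, "dst", "SA"),
    ("10.0.0.5", "192.168.1.2", 80, "src", "A"),
]

def classify_probes(trace):
    """Map each (src, dst, dport) to one of:
    session    - source sent an ACK, a full handshake (what -sT does)
    half_open  - SYN/ACK came back and source answered RST, never ACK (-sS)
    rejected   - target answered the SYN with RST (closed port)
    unanswered - the SYN got no reply at all (filtered)"""
    by_port = defaultdict(list)
    for src, dst, dport, sender, flags in trace:
        by_port[(src, dst, dport)].append((sender, flags))
    states = {}
    for key, events in by_port.items():
        from_src = {f for s, f in events if s == "src"}
        from_dst = {f for s, f in events if s == "dst"}
        if "A" in from_src:
            states[key] = "session"
        elif "SA" in from_dst and "R" in from_src:
            states[key] = "half_open"
        elif "R" in from_dst:
            states[key] = "rejected"
        else:
            states[key] = "unanswered"
    return states

def syn_scan_suspects(trace, min_ports=3):
    """Sources that probed at least min_ports distinct ports on one host without
    ever completing a handshake. Returns {(src, dst): sorted ports}."""
    touched = defaultdict(set)
    for (src, dst, dport), state in classify_probes(trace).items():
        if state != "session":
            touched[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in touched.items() if len(p) >= min_ports}
```

A real deployment would feed this from a packet capture or firewall log and add a time window, since ordinary clients also hit closed ports now and then.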

gr00ve_hacker
forum buddy
Posts: 12
Joined: 09 Aug 2010, 12:41

Re: Nmap (Basic Nmap usage)

Post by gr00ve_hacker »

Disclaimer: All the information provided in this tutorial is for educational purposes only. I am in no way responsible for any misuse of the information

Lesson 3: TCP connect() scan

This is the default type of scan if you are NOT working as root.

We will here specify the TCP SYN scan by :

Code:

#nmap -sT 192.168.1.2
Remember this here for reference : ----> Means SOURCE (running Nmap) to DESTINATION (remote host which we are scanning)
and <---- means DESTINATION to SOURCE

Case 1 :
Nmap initiates a 3 way handshake (refer to lesson 2 to know what it means)
1. SYN+port x ---->
2. SYN+ACK <----
3. ACK ----> (Here comes difference between TCP connect and TCP SYN scan)
4. RST ---->

and Port is identified as open.

Explanation:
1. A SYN packet FROM SOURCE to DESTINATION
It includes all initialisation parameters and port numbers that will be useful for data transfer.

2. An ACK/SYN packet from DESTINATION to SOURCE
Destination sends acknowledgment with its set of conditions and port numbers.

3. An ACK packet from SOURCE to DESTINATION
Now this means that we have created a session with that remote host (and we are in logs !!!)

4. A RST packet SOURCE to DESTINATION to end the just created session.

For closed and filtered ports the procedure is the same as for the TCP SYN scan above.

Disadvantages of using this scan:
It creates a session so we appear in logs.
It takes additional resources on the remote machine.
Advantages :
It does not require root access. *thumb*

gr00ve_hacker
forum buddy
Posts: 12
Joined: 09 Aug 2010, 12:41

Re: Nmap (Basic Nmap usage)

Post by gr00ve_hacker »

Disclaimer: All the information provided in this tutorial is for educational purposes only. I am in no way responsible for any misuse of the information

Lesson 3: Ping scan

We will here specify the Ping scan by :

Code:

#nmap -sP 192.168.1.2
Nmap sends an ICMP echo request and the device sends back an ICMP echo reply. It happens only once per IP address, so it's pretty fast (You only have to know whether the target is alive or not).

Advantages:
1. Fast and generates very common type of traffic level.
2. Doesn't require any special access.

Disadvantages.
1. It cannot be used (paired with) with other scan types.

gr00ve_hacker
forum buddy
Posts: 12
Joined: 09 Aug 2010, 12:41

Re: Nmap (Basic Nmap usage)

Post by gr00ve_hacker »

Disclaimer: All the information provided in this tutorial is for educational purposes only. I am in no way responsible for any misuse of the information

Lesson 3:UDP scan

We will here specify the UDP scan by :

Code:

#nmap -sU 192.168.1.2
We need to have root privileges to do this scan.

Some UDP ports send back info but some do not even respond.
Thus if there is no response, Nmap categorizes it as an open or filtered port.

If the port is closed Nmap will receive an ICMP echo request that the port is unreachable.

It is the only nmap scan for identifying open UDP ports

Remember: What TCP SYN scan is for TCP ports , UDP scan is for UDP ports.

Advantages :
1. Low burden on bandwidth because there are no formal handshakes.
2. Works good especially on Microsoft devices because there is no port limiting.

Disadvantages :
1. Requires root access.
2. Many *nix devices limit UDP ports

The biggest deal is many spyware programs use UDP ports and this scan is quite useful for identifying them.

Now the 4 basic types of scans are over...Every modern system has now its security so we will now move on to 2 very useful scans in the next chapter ... FTP bounce and Idlescan... to scan through Firewalls :twisted:
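
The three Lesson 3 posts on the SYN, connect() and UDP scans each walk through the exchange for an open, a closed and a filtered port. As an added example (not from the thread or from Nmap itself), this small model plays out those exchanges against a constructed target and maps each reply to the port state the posts describe, including the UDP case where silence cannot be told apart from a firewall drop. The port tables and message names are assumptions made for the model.

```python
# Constructed target: what each probed port does on the simulated host.
TCP_PORTS = {22: "open", 23: "closed", 445: "filtered"}
# "open-silent" is an open UDP service that does not answer an empty probe,
# the case the UDP post describes as "open or filtered".
UDP_PORTS = {53: "open", 161: "open-silent", 137: "closed", 69: "filtered"}

def tcp_reply(port):
    """Target's answer to a SYN: SYN/ACK, RST, or None when a firewall drops it."""
    state = TCP_PORTS.get(port, "closed")
    return {"open": "SYN/ACK", "closed": "RST", "filtered": None}[state]

def udp_reply(port):
    """Target's answer to an empty UDP datagram; a closed port answers with ICMP."""
    state = UDP_PORTS.get(port, "closed")
    return {"open": "UDP reply", "open-silent": None, "filtered": None,
            "closed": "ICMP port unreachable"}[state]

def probe(port, scan):
    """Run one probe of type 'sS', 'sT' or 'sU'. Returns (state, exchange), where
    exchange lists ('->', msg) for source->target and ('<-', msg) for the reply,
    the arrow notation the lessons use."""
    if scan in ("sS", "sT"):
        exchange = [("->", "SYN")]
        reply = tcp_reply(port)
        if reply is None:                   # timeout: nothing comes back
            return "filtered", exchange
        exchange.append(("<-", reply))
        if reply == "RST":
            return "closed", exchange
        if scan == "sT":                    # connect() finishes the handshake,
            exchange.append(("->", "ACK"))  # so the target has a session to log
        exchange.append(("->", "RST"))      # -sS resets without ever sending ACK
        return "open", exchange
    if scan == "sU":
        exchange = [("->", "UDP probe")]
        reply = udp_reply(port)
        if reply is None:                   # silence: open or filtered, cannot tell
            return "open|filtered", exchange
        exchange.append(("<-", reply))
        return ("closed" if reply.startswith("ICMP") else "open"), exchange
    raise ValueError("unknown scan type: " + scan)
```

Comparing probe(22, "sS") with probe(22, "sT") shows the single extra ACK that turns a half-open probe into a logged session.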
