Nmap (Network Mapper) – a tool for scanning network devices and gathering information about them.
- By default, Nmap's host discovery sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request; the requested port probes and scan types then follow.
- -A: enable OS detection, version detection, script scanning, and traceroute
- -sV: service/version detection
- -v: verbose output
- -O: OS detection
- Host discovery is performed first; port scanning then runs against each host found to be up.
- Host discovery techniques (probes sent):
- -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to the given ports
- -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
- -PO [protocol list]: IP protocol ping
- Scan techniques:
- -sS: TCP SYN scan (default)
- -sF/-sA/-sW: TCP FIN/ACK/Window scans
- -sU/-sO: UDP / IP protocol scans
- Window scan: open ports use a positive window size (even in RST packets) while closed ones return a zero window.
Port states (as shown in Nmap output):
- Open – the port accepts connections
- Closed – the port is closed and does not accept connections
- Filtered – a firewall or other filter blocks the probe, so Nmap cannot determine whether the port is open or closed
- Unfiltered – the device responds to Nmap's probe, but Nmap still cannot determine whether the port is open or closed
Nmap's inference is based on the following behaviour:
- If a TCP ACK is sent to a host without a preceding SYN, the host responds with RST.
- If a SYN is sent to a port that is not open, the host responds with RST (with ACK set).
- If a SYN is sent to an open port, the host responds with SYN-ACK to establish the connection.
- If a UDP packet is sent to a closed port, the host sends an ICMP port unreachable message.
- If a UDP packet is sent to an open port, the host accepts it and typically sends no reply.
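The rules above are what turn a single probe response into the port states listed earlier. The following is an added example, not Nmap's own code: it models one response per probe and applies Nmap's documented decision rules for the SYN, ACK, Window, FIN and UDP scan types, including the ICMP unreachable codes and the RST window test that the notes only mention in passing. The Response type, the scan names and the function names are assumptions made for illustration.

```python
"""Port-state inference from single probe responses, following the TCP/UDP
behaviour summarised in the notes above and Nmap's documented rules for
the SYN, ACK, Window, FIN and UDP scan types.  Added example: this is not
Nmap's code; the Response type, the scan names and the function names are
assumptions made for illustration."""
from dataclasses import dataclass

# ICMP destination-unreachable (type 3) codes that Nmap treats as a filter
# in the path: net, host, protocol, port, net-admin-prohibited,
# host-admin-prohibited, communication-admin-prohibited.
FILTERED_UNREACHABLE_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    """What came back for one probe (constructed, not a live capture)."""
    kind: str            # "tcp", "udp", "icmp" or "none"
    tcp_flags: str = ""  # e.g. "SA" for SYN-ACK, "RA" for RST-ACK, "R" for RST
    window: int = 0      # TCP window field, only meaningful for RST replies
    icmp_type: int = -1
    icmp_code: int = -1


NO_RESPONSE = Response("none")


def _rst(r: Response) -> bool:
    return r.kind == "tcp" and "R" in r.tcp_flags


def _synack(r: Response) -> bool:
    return r.kind == "tcp" and "S" in r.tcp_flags and "A" in r.tcp_flags


def _unreachable(r: Response, codes=FILTERED_UNREACHABLE_CODES) -> bool:
    return r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in codes


def classify(scan: str, r: Response) -> str:
    """Return the port state Nmap would report for one scan type/response pair."""
    if scan == "syn":                       # -sS
        if _synack(r):
            return "open"
        if _rst(r):
            return "closed"
        if r.kind == "none" or _unreachable(r):
            return "filtered"
    elif scan == "ack":                     # -sA: only tells filtered from unfiltered
        if _rst(r):
            return "unfiltered"
        if r.kind == "none" or _unreachable(r):
            return "filtered"
    elif scan == "window":                  # -sW: like ACK, but reads the RST window
        if _rst(r):
            return "open" if r.window > 0 else "closed"
        if r.kind == "none" or _unreachable(r):
            return "filtered"
    elif scan == "fin":                     # -sF: open ports stay silent, closed ones RST
        if r.kind == "none":
            return "open|filtered"
        if _rst(r):
            return "closed"
        if _unreachable(r):
            return "filtered"
    elif scan == "udp":                     # -sU
        if r.kind == "udp":
            return "open"
        if _unreachable(r, {3}):            # ICMP port unreachable
            return "closed"
        if _unreachable(r, FILTERED_UNREACHABLE_CODES - {3}):
            return "filtered"
        if r.kind == "none":                # silence: open or dropped, cannot tell
            return "open|filtered"
    return "unknown"


def walkthrough() -> dict:
    """The five rules from the notes, expressed as (scan, response) -> state."""
    return {
        "ACK without SYN -> RST": classify("ack", Response("tcp", "R")),
        "SYN to closed port -> RST/ACK": classify("syn", Response("tcp", "RA")),
        "SYN to open port -> SYN/ACK": classify("syn", Response("tcp", "SA")),
        "UDP to closed port -> ICMP 3/3": classify("udp", Response("icmp", icmp_type=3, icmp_code=3)),
        "UDP to open port -> silence": classify("udp", NO_RESPONSE),
    }


if __name__ == "__main__":
    for rule, state in walkthrough().items():
        print(f"{rule:34} => {state}")
```

The UDP branch is the one worth studying: silence is ambiguous (open or filtered), which is why UDP scans report `open|filtered` and are slow and noisy, and why a host that rate-limits ICMP unreachables will make closed UDP ports look open to a scanner.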
Example: scan 10.11.131.3 with verbose mode and OS detection enabled and DNS resolution of the host disabled.
[root@server2 ~]# nmap -v -n -O 10.11.131.3

Starting Nmap 4.68 ( http://nmap.org ) at 2011-08-25 03:53 UTC
Initiating ARP Ping Scan at 03:53
Scanning 10.11.131.3 [1 port]
Completed ARP Ping Scan at 03:53, 0.02s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 03:53
Scanning 10.11.131.3 [1715 ports]
Discovered open port 21/tcp on 10.11.131.3
Discovered open port 22/tcp on 10.11.131.3
Discovered open port 23/tcp on 10.11.131.3
<snip>
Discovered open port 514/tcp on 10.11.131.3
Discovered open port 680/tcp on 10.11.131.3
Discovered open port 691/tcp on 10.11.131.3
Discovered open port 798/tcp on 10.11.131.3
Discovered open port 6001/tcp on 10.11.131.3
Completed SYN Stealth Scan at 03:53, 0.04s elapsed (1715 total ports)
Initiating OS detection (try #1) against 10.11.131.3
Host 10.11.131.3 appears to be up ... good.
Interesting ports on 10.11.131.3:
Not shown: 1699 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
<snip>
32779/tcp open  sometimes-rpc21
MAC Address: 00:11:0A:30:21:06 (Hewlett Packard)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Uptime: 1.281 days (since Tue Aug 23 21:08:31 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.788 seconds
           Raw packets sent: 1735 (77.100KB) | Rcvd: 1748 (81.150KB)
[root@server2 ~]#
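Scan output like the above is most useful to a defender once it is structured: the port table can then be compared against an approved baseline to flag services that should not be listening. The following is an added example, not part of the original notes and not Nmap's own parser: it reads Nmap's normal text output (the "Interesting ports on" header of older releases and the "Nmap scan report for" header of current ones), collects the port table, the "Not shown" count, the MAC/vendor line and the OS details into dataclasses, and reports open ports that are not on an allow-list. The embedded sample is constructed from the scan above with the snipped lines removed; the class and function names are assumptions made for illustration.

```python
"""Parser for Nmap's normal (-oN / stdout) output plus a baseline check.
Added example, not Nmap's code.  SAMPLE is constructed from the scan shown
in the notes with the <snip> lines removed; HostReport, ScanReport,
parse_nmap_output and unexpected_open are names chosen for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE = """\
Starting Nmap 4.68 ( http://nmap.org ) at 2011-08-25 03:53 UTC
Initiating SYN Stealth Scan at 03:53
Scanning 10.11.131.3 [1715 ports]
Discovered open port 21/tcp on 10.11.131.3
Discovered open port 22/tcp on 10.11.131.3
Discovered open port 23/tcp on 10.11.131.3
Completed SYN Stealth Scan at 03:53, 0.04s elapsed (1715 total ports)
Host 10.11.131.3 appears to be up ... good.
Interesting ports on 10.11.131.3:
Not shown: 1699 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
32779/tcp open  sometimes-rpc21
MAC Address: 00:11:0A:30:21:06 (Hewlett Packard)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Nmap done: 1 IP address (1 host up) scanned in 1.788 seconds
"""

# Per-host header: old style "Interesting ports on X:" or new "Nmap scan report for X"
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")   # state may be open|filtered
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")
OS_RE = re.compile(r"^OS details: (.*)")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")


@dataclass
class HostReport:
    address: str
    ports: List[Tuple[int, str, str, str]] = field(default_factory=list)  # (port, proto, state, service)
    not_shown: Dict[str, int] = field(default_factory=dict)               # e.g. {"closed": 1699}
    mac: Optional[str] = None
    vendor: Optional[str] = None
    os_details: Optional[str] = None


@dataclass
class ScanReport:
    hosts: List[HostReport] = field(default_factory=list)
    hosts_up: Optional[int] = None


def parse_nmap_output(text: str) -> ScanReport:
    """Walk the output line by line; everything before a host header is scan chatter."""
    report = ScanReport()
    host: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := HOST_RE.match(line):
            host = HostReport(m.group(1))
            report.hosts.append(host)
        elif m := DONE_RE.match(line):
            report.hosts_up = int(m.group(2))
        elif host is None:
            continue                                   # "Discovered open port" lines etc.
        elif m := PORT_RE.match(line):
            host.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif m := NOT_SHOWN_RE.match(line):
            host.not_shown[m.group(2)] = int(m.group(1))
        elif m := MAC_RE.match(line):
            host.mac, host.vendor = m.group(1).upper(), m.group(2)
        elif m := OS_RE.match(line):
            host.os_details = m.group(1)
    return report


def ports_by_state(host: HostReport, state: str = "open") -> List[int]:
    return sorted(p for p, _proto, st, _svc in host.ports if st == state)


def unexpected_open(host: HostReport, allowed: Iterable[int]) -> List[int]:
    """Open ports not on the approved baseline: the list a defender acts on."""
    return sorted(set(ports_by_state(host)) - set(allowed))


if __name__ == "__main__":
    report = parse_nmap_output(SAMPLE)
    for h in report.hosts:
        print(h.address, h.vendor, h.os_details)
        print("  open:", ports_by_state(h))
        print("  not on baseline {22}:", unexpected_open(h, {22}))
```

Matching on the normal text format is fragile across Nmap releases, which is why Nmap also offers `-oX` (XML) and `-oG` (greppable) output; the parser above is deliberately tolerant of both header styles but a production pipeline should consume the XML.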