Wednesday, December 31, 2008

18 About This Document

This document is copyright (c) 2003-2006, Andrew J. Bennieston. This document is provided in several formats, including LaTeX source, and it may be freely redistributed in any form, providing no changes are made to the content. The latest version can always be found at http://www.nmap-tutorial.com

17 Frequently Asked Questions

This section was added as an extra to the original tutorial as it became popular and some questions were asked about particular aspects of an nmap scan. I’ll use this part of the tutorial to merge some of those into the main tutorial itself.

17.1 I tried a scan and it appeared in firewall logs or alerts. What else can I do to help hide my scan?
This question assumes you used a scan command along the lines of:
nmap -sS -P0 -p 1-140 -O -D xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx -sV xxx.xx.xxx.xxx

Note: Each xxx corresponds to an octet of the IP address/addresses. This instructs Nmap to run a SYN ("stealth") scan (-sS) without pinging (-P0; newer Nmap releases call this -Pn) on ports 1 to 140 (-p 1-140), to use OS detection (-O) and to use decoys (-D). The three comma-separated IPs are the decoy addresses, and they must be given as a single argument with no spaces after the commas, otherwise the shell breaks the list into separate arguments and Nmap treats the leftovers as extra targets. It also specifies version scanning (-sV), which attempts to determine precisely which program is listening on each open port.
Now, here's the analysis of this command. A SYN ("stealth") scan (-sS) is picked up by most firewalls and IDS systems nowadays. It was originally designed to keep the scan out of the logs of whatever server is running on the port the scanner probes: if a full connection were made to port 80, Apache (or whatever other webserver they may be using) would log it.
The -sS scan option doesn't make a full TCP connection (which is what the -sT option does, and what you get when not running as root): Nmap sends a SYN and, when the SYN/ACK comes back, answers with a RST instead of completing the handshake. Because the connection is never established, most server applications never see it and so do not log it, but an IDS or firewall will recognise this behaviour (in repeated cases) as typical of a port scan, and the scan shows up in firewall or IDS logs and alerts. There are few ways around this, to be honest. Most firewall/IDS software nowadays is quite good at detecting these things, particularly if it's running on the same host as the victim (the system you are scanning).
Note also that decoys will not prevent your IP showing up entirely; they just list the others alongside it. A particularly well designed IDS may even be able to figure out which is the real source of the scan.
Where speed of scan isn't essential, the -P0 option (-Pn in newer releases) is a good idea. Nmap gains timing information from pinging the host, and can often complete its scans faster with this information, but the ping packets will be sent to the victim from your IP, and any IDS worth its CPU cycles will pick up on the pattern of a few pings followed by connects to a variety of ports. -P0 also allows scanning of hosts which do not respond to pings (i.e. if ICMP is blocked by a firewall or by in-kernel settings). The flip side is that Nmap then assumes every target is up, so sweeping a range of dead addresses with -P0 wastes a full port scan's worth of timeouts on each one.
I mentioned timing in the above paragraph. You can use the -T timing option to slow the scan down. The slower a scan is, the less likely it is to be detected by an IDS. There are bound to be occasional random connects occurring: people type an IP in wrong, or try to connect and their computer crashes half way through the connect. These things happen, and unless an IDS is configured extremely strictly, they generally aren't reported (at least, not in the main alert logs; they may be logged if logging of all traffic is enabled, but typically those logs are only checked if there's evidence of something going on). Setting the timing to -T0 or -T1 (Paranoid or Sneaky) should help avoid detection, at the cost of waiting 5 minutes or 15 seconds respectively between probes, which is why -T0 is only practical for a handful of ports (see 17.2). As mentioned in my main tutorial, timings for individual aspects of a scan can also be set using the --host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --min-parallelism and --scan-delay options. See the Nmap manual for details.
The final note I will add to this answer is that the Idle scan method (-sI) means that not a single packet is sent to the victim from your IP, provided you also use the -P0 option to turn off pings and do not add -sV or -O, both of which probe the target directly from your own address. This is the ultimate in stealth, as the victim has no way to tell that your IP is responsible for the scan (short of obtaining log information from the zombie host you used as part of your idle scan). See 17.4 for how to find a suitable zombie.

17.2 NMAP seems to have stopped, or my scan is taking a very long while. Why is this?
The timing options can make it take a very long time. I believe the -T Paranoid (-T0) option waits up to 5 minutes between packets... now, for 65000 ports, that's 65000 x 5 = 325000 minutes = 225 days!!
-T Sneaky (-T1) waits up to 15 seconds between probes, and is therefore more useful; but scans will still take a long while! You can use -v to get more verbose output, which will alert you to the progress of the scan. Using -v twice makes the output even more verbose. Newer releases also print a progress estimate if you press a key (Enter will do) while the scan is running.

17.3 Will -sN, -sX and -sF work against any host, or just Windows hosts?
-sN, -sX and -sF scans can be sent to any host, but they rely on the RFC 793 rule that a closed port answers a segment carrying no SYN, RST or ACK with a RST while an open port stays silent (so Nmap reports silence as open|filtered and a RST as closed). Windows TCP/IP stacks (and some others, such as many Cisco devices) do not follow this rule and send a RST for every port, so scanning a Windows machine with these scans results in all ports appearing closed. Scanning a *nix or other RFC-compliant system should work just fine, though. As I said in the main tutorial, -sX, -sF and -sN are commonly used to determine whether you're scanning a Windows host, without using the -O fingerprinting option: if a FIN scan reports every port closed while a SYN scan found open ones, the stack is Windows-like.
The Nmap manual page should help to determine which scans work alongsidewhich options, and on which target systems they are most effective.

17.4 How do I find a dummy host for the Idle Scan (-sI)?
You need a host whose IP ID field increments by a fixed, small amount with every packet it sends, and which sends very little traffic of its own. Run nmap -O -v against a candidate and look at the IPID Sequence Generation line: "Incremental" marks a host that is (often) suitable as the zombie for the -sI Idle Scan, while "All zeros" (as 10.0.0.4 showed in the scanning session), "Randomized" or a busy server is useless, because the zombie's IP ID counter is the only channel through which the target's replies are observed. Printers, old routers and other idle embedded devices are the classic choice.
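The two halves of the idle scan, choosing the zombie and reading the target's state off the zombie's IP ID counter, as an added example that is not part of the original tutorial and not Nmap's code. classify_ipid() is a simplified form of the label Nmap prints as "IPID Sequence Generation" (the thresholds are assumptions), and Zombie and the target port table are simulations, so nothing here touches the network.

```python
"""Idle-scan (-sI) helpers, added as an example for this tutorial; this is
not Nmap's code. classify_ipid() is a simplified form of the label Nmap
prints as "IPID Sequence Generation" (the thresholds are assumptions), and
the zombie/target objects are simulations, so nothing touches the network."""
from typing import Dict, List


def classify_ipid(ids: List[int]) -> str:
    """Label an IP ID sample taken from one host with a few probes.

    Only "Incremental" hosts make usable zombies: every packet they send
    bumps a single global counter by a small, predictable amount."""
    if len(ids) < 2:
        raise ValueError("need at least two IP ID samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(0 < d <= 10 for d in diffs):
        return "Incremental"
    # Some stacks count in host order but emit the field byte-swapped.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    sdiffs = [(b - a) % 65536 for a, b in zip(swapped, swapped[1:])]
    if all(0 < d <= 10 for d in sdiffs):
        return "Broken little-endian incremental"
    if all(d < 20000 for d in diffs):       # assumed cut-off
        return "Random positive increments"
    return "Randomized"


class Zombie:
    """An idle host with a global incremental IP ID counter.

    noise is the number of unrelated packets it sends between our two
    probes; a genuinely idle zombie has noise == 0."""

    def __init__(self, start: int = 1000, noise: int = 0):
        self.ipid = start
        self.noise = noise

    def _send(self) -> int:
        self.ipid = (self.ipid + 1) % 65536
        return self.ipid

    def on_syn_ack(self) -> int:
        """An unsolicited SYN/ACK is answered with a RST: one packet sent."""
        return self._send()

    def on_rst(self) -> None:
        """An unsolicited RST is dropped silently: nothing sent."""


def idle_probe(zombie: Zombie, target_ports: Dict[int, str], port: int) -> str:
    """One -sI probe. The scanner's own address never appears at the target.

    target_ports maps port -> "open" | "closed" | "filtered"; ports not
    listed count as closed."""
    before = zombie.on_syn_ack()            # 1. probe zombie, note its IP ID
    state = target_ports.get(port, "closed")
    if state == "open":                     # 2. spoofed SYN (src = zombie)
        zombie.on_syn_ack()                 #    target SYN/ACKs zombie -> RST
    elif state == "closed":
        zombie.on_rst()                     #    target RSTs zombie -> ignored
    # "filtered": the target sends nothing to the zombie at all
    for _ in range(zombie.noise):           # background traffic, if any
        zombie._send()
    after = zombie.on_syn_ack()             # 3. probe zombie again
    step = (after - before) % 65536
    if step == 2:
        return "open"
    if step == 1:
        return "closed|filtered"
    return "unreliable (zombie is not idle)"
```

The noise parameter is the reason the zombie must be idle: a single stray packet from it between the two probes turns a closed port into a false "open", and Nmap can only catch the problem when the jump is larger than two. Nmap probes the zombie several times before the scan and re-checks inconsistent results, but it cannot tell a closed port from a filtered one this way, hence closed|filtered.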

17.5 What does "Host seems down. If it is really up, but blocking our ping probes, try -P0" mean?
When Nmap starts, it tries to ping the host to check that it is online (by default in Nmap 4, an ICMP echo request plus a TCP ACK to port 80). Nmap also gains timing information from this ping. If the remote host, or a system on the path between you and the remote host, is blocking those probes, there will be no reply and Nmap will not start scanning. Using the -P0 option (-Pn in newer releases), you can turn off ping-on-start and have Nmap try to scan anyway. On a local Ethernet segment Nmap uses an ARP request instead, as the scanning session below shows, and that cannot be blocked by a host firewall.

17.6 Where can I find NmapFE?
NmapFE is a graphical front-end for Nmap. NmapFE for UNIX/Linux is included in the Nmap source. NmapFE for OS X is available at http://faktory.org/m/software/nmap/ NmapFE for Windows is under development as part of NmapFE++, a new frontend for Linux, OS X and Windows. Information is available at http://www.insecure.org/nmap/SoC/NmapFE.html NmapFE has since been replaced by Zenmap, which has shipped with Nmap from version 4.50 onwards.

16 Typical Scanning Session

First, we'll sweep the network with a simple ping scan (-sP; called -sn in newer releases) to determine which hosts are online. On a local Ethernet segment Nmap does this with ARP requests, which is also why it can report each host's MAC address and vendor.
[chaos]# nmap -sP 10.0.0.0/24

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:19 BST
Host 10.0.0.1 appears to be up.
MAC Address: 00:09:5B:29:FD:96 (Netgear)
Host 10.0.0.2 appears to be up.
MAC Address: 00:0F:B5:96:38:5D (Netgear)
Host 10.0.0.4 appears to be up.
Host 10.0.0.5 appears to be up.
MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds
Now we're going to take a look at 10.0.0.1 and 10.0.0.2, both listed as Netgear in the ping sweep. The vendor name comes from the OUI of the MAC address, which Nmap only sees when the target is on the same Ethernet segment (10.0.0.4 shows none because it is the scanning host itself), and a Netgear OUI is a good hint that these are routers (in fact I know that 10.0.0.1 is a router and 10.0.0.2 is a wireless access point, since it's my network, but let's see what Nmap makes of it...). We'll scan 10.0.0.1 using a SYN scan (-sS) and -A to enable OS fingerprinting and version detection (in newer releases -A also turns on script scanning and traceroute).
[chaos]# nmap -sS -A 10.0.0.1

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:23 BST
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 10.0.0.1:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE    VERSION
80/tcp open  tcpwrapped
MAC Address: 00:09:5B:29:FD:96 (Netgear)
Device type: WAP
Running: Compaq embedded, Netgear embedded
OS details: WAP: Compaq iPAQ Connection Point or Netgear MR814

Nmap finished: 1 IP address (1 host up) scanned in 3.533 seconds
The only open port is 80/tcp, in this case the web admin interface for the router. The "tcpwrapped" service name means the port accepted the connection and then closed it without exchanging any data, which is what TCP Wrappers (or any daemon that checks the client address before talking) does for a client it doesn't like, so there was no banner for version detection to read. OS fingerprinting guessed it was a Netgear wireless access point; in fact this is a Netgear (wired) ADSL router. As it said, though, there were insufficient responses for TCP sequencing to accurately detect the OS. Now we'll do the same for 10.0.0.2...
[chaos]# nmap -sS -A 10.0.0.2

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:26 BST
Interesting ports on 10.0.0.2:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE VERSION
80/tcp open  http    Boa HTTPd 0.94.11
MAC Address: 00:0F:B5:96:38:5D (Netgear)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 14.141 days (since Fri Jun 30 11:03:05 2006)

Nmap finished: 1 IP address (1 host up) scanned in 9.636 seconds
Interestingly, the OS detection here listed Linux, and the version detection was able to identify the httpd as Boa, a small web server commonly built into embedded firmware. The exact kernel range is uncertain, but the result is plausible: this is a Netgear home wireless access point, so it could well be running some embedded Linux! Now we'll move on to 10.0.0.4 and 10.0.0.5, which are likely to be normal computers on the network...
[chaos]# nmap -sS -P0 -A -v 10.0.0.4

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:31 BST
DNS resolution of 1 IPs took 0.10s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against 10.0.0.4 [1672 ports] at 14:31
Discovered open port 21/tcp on 10.0.0.4
Discovered open port 22/tcp on 10.0.0.4
Discovered open port 631/tcp on 10.0.0.4
Discovered open port 6000/tcp on 10.0.0.4
The SYN Stealth Scan took 0.16s to scan 1672 total ports.
Initiating service scan against 4 services on 10.0.0.4 at 14:31
The service scan took 6.01s to scan 4 services on 1 host.
For OSScan assuming port 21 is open, 1 is closed, and neither are firewalled
Host 10.0.0.4 appears to be up ... good.
Interesting ports on 10.0.0.4:
(The 1668 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.3
22/tcp   open  ssh     OpenSSH 4.2 (protocol 1.99)
631/tcp  open  ipp     CUPS 1.1
6000/tcp open  X11     (access denied)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4732564 (Good luck!)
IPID Sequence Generation: All zeros
Service Info: OS: Unix

Nmap finished: 1 IP address (1 host up) scanned in 8.333 seconds
Raw packets sent: 1687 (74.7KB) | Rcvd: 3382 (143KB)
From this, we can deduce that 10.0.0.4 is a Linux system (in fact, the one I'm typing this tutorial on!) running a 2.4 to 2.6 kernel (actually, Slackware Linux 10.2 on a 2.6.19.9 kernel) with open ports 21/tcp, 22/tcp, 631/tcp and 6000/tcp. All but 6000 have version information listed (the X server accepted the connection but denied access, so there was no banner to read). The scan found the IPID sequence to be all zeros, which makes this host useless as an idle-scan zombie, and the TCP sequence prediction class to be random positive increments with a very high difficulty index, so its initial sequence numbers cannot be predicted either. The -v option is needed to get Nmap to print the IPID information out! Now, onto 10.0.0.5...
[chaos]# nmap -sS -P0 -A -v 10.0.0.5

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:35 BST
Initiating ARP Ping Scan against 10.0.0.5 [1 port] at 14:35
The ARP Ping Scan took 0.01s to scan 1 total hosts.
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against 10.0.0.5 [1672 ports] at 14:35
The SYN Stealth Scan took 35.72s to scan 1672 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 10.0.0.5 appears to be up ... good.
All 1672 scanned ports on 10.0.0.5 are: filtered
MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=4.01%P=i686-pc-linux-gnu%D=7/14%Tm=44B79DC6%O=-1%C=-1%M=00142A)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap finished: 1 IP address (1 host up) scanned in 43.855 seconds
Raw packets sent: 3369 (150KB) | Rcvd: 1 (42B)
No open ports, and Nmap couldn't detect the OS. All 1672 ports came back filtered, the SYN scan took 35 seconds instead of a fraction of a second (with no replies Nmap has to wait for each probe to time out and then retransmit it, which is why nearly two packets per port went out and only one packet, the 42-byte ARP reply, came back), and none of the OS detection probes got an answer. This suggests a firewalled or otherwise protected system dropping everything, with no services exposed (and yet it responded to the ping sweep, because on a local Ethernet segment that sweep is an ARP request, which a host firewall does not block). We now have rather more information about this network than we did when we started, and can guess at several other things based on these results. Using that information, and the more advanced Nmap scans, we can obtain further scan results which will help to plan an attack, or to fix weaknesses, in this network.

15 Other Nmap Options

15.1 IPv6
The -6 option enables IPv6 in Nmap (provided your OS has IPv6 support). In Nmap 4.01 only the TCP connect scan and the TCP connect ping are supported over IPv6; for other scan types, see http://nmap6.sourceforge.net Raw-packet scans, OS detection and the rest have since been added to Nmap itself (from Nmap 6 onwards), so on a current release -6 works with most options.
15.2 Verbose Mode
Highly recommended: -v. Use -v twice for more verbosity. The -d option can also be used (once or twice) to turn on debugging output, which is more verbose still.
15.3 Resuming
Scans cancelled with Ctrl+C can be resumed with the --resume <logfilename> option. The logfile must be a Normal or Grepable logfile (-oN or -oG).
15.4 Reading Targets From A File
-iL <inputfilename> reads targets from inputfilename rather than from the command line. The file should contain a host list or a list of network expressions separated by spaces, tabs or newlines. Using a hyphen as the input file makes Nmap read from standard input.
15.5 Fast Scan
The -F option scans only those ports listed in the nmap-services file (or the nmap-protocols file if the scan type is -sO) rather than Nmap's default port set (1672 ports in the scans above). Either is far faster than scanning all 65,535 ports, which you only get by asking for them with -p-. Newer releases scan the 1000 most common ports by default and make -F the top 100.
15.6 Time-To-Live
The --ttl <value> option sets the time-to-live of the IPv4 packets Nmap sends. The usefulness of this is in mapping paths through networks and determining ACLs on firewalls (setting the TTL to one past the packet filter can help to determine information about the filtering rules themselves). Repeated Nmap scans to a single port using differing TTL values will emulate a traceroute-style network path map (try it, it's great fun for a while, until you get bored and realise traceroute does it all for you automatically; newer Nmap releases also have a --traceroute option that does exactly this using the scan's own probe type).

14 Outputting Logs

Logging in Nmap can be provided by the -oN, -oX or -oG options. Each one is followed by the name of the logfile. -oN outputs a human readable log, -oX outputs an XML log and -oG outputs a grepable log (one line per host, tab-separated "Name: value" fields, with the port list written as port/state/protocol/owner/service/rpc/version entries). The -oA option outputs in all 3 formats, and -oS outputs in a format I'm sure none of you would ever want to use (try it; you'll see what I mean!). The --append-output option appends scan results to the output files you specified instead of overwriting their contents. If you intend to process the results with a program, use the XML output; the manual now calls the grepable format deprecated, though it remains handy for quick one-liners with grep, cut and awk.
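A parser for the grepable (-oG) format described above, as an added example that is not part of the original tutorial and not part of Nmap. The SAMPLE text is written by hand to mirror the scanning session earlier in the tutorial (the command line, timestamps and the 10.0.0.5 line are made up to fit the format), not captured from a real run; the field layout is the one Nmap writes.

```python
"""Parse Nmap grepable (-oG) output into Python structures.

Added example for this tutorial; it is not part of Nmap. SAMPLE below is
written by hand to mirror the scanning session earlier in the tutorial, it
was not captured from a real run."""
import re
from typing import Dict, List

SAMPLE = """\
# Nmap 4.01 scan initiated Fri Jul 14 14:31:00 2006 as: nmap -sS -P0 -A -oG lan.gnmap 10.0.0.0/24
Host: 10.0.0.1 ()\tPorts: 80/open/tcp//tcpwrapped///\tIgnored State: closed (1671)
Host: 10.0.0.2 ()\tPorts: 80/open/tcp//http//Boa HTTPd 0.94.11/\tIgnored State: closed (1671)\tOS: Linux 2.4.0 - 2.5.20
Host: 10.0.0.4 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.3/, 22/open/tcp//ssh//OpenSSH 4.2 (protocol 1.99)/, 631/open/tcp//ipp//CUPS 1.1/, 6000/open/tcp//X11///\tIgnored State: closed (1668)\tOS: Linux 2.4.0 - 2.5.20
Host: 10.0.0.5 ()\tIgnored State: filtered (1672)
# Nmap done at Fri Jul 14 14:40:00 2006 -- 256 IP addresses (4 hosts up) scanned in 120.00 seconds
"""

# The seven slash-separated sub-fields of each entry in the Ports: field.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname", "ports", "os", "ignored"}} for every Host: line."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                    # '# Nmap ...' lines carry command and timing
        # Tab-separated "Name: value" fields; split each on the first ": " only,
        # since a version string may itself contain a colon.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = re.match(r"(\S+) \((.*)\)", fields["Host"])
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": [],
                                      "os": None, "ignored": None})
        entry["os"] = fields.get("OS", entry["os"])
        entry["ignored"] = fields.get("Ignored State", entry["ignored"])
        for spec in fields.get("Ports", "").split(","):
            spec = spec.strip()
            if not spec:
                continue                # no Ports field, or an empty one
            port = dict(zip(PORT_FIELDS, spec.split("/")))
            port["port"] = int(port["port"])
            # Nmap writes '|' where a field value contained '/', so the
            # slash delimiters stay unambiguous; put the slashes back.
            port["version"] = port["version"].replace("|", "/")
            entry["ports"].append(port)
    return hosts


def hosts_with_open(hosts: Dict[str, dict], port: int, proto: str = "tcp") -> List[str]:
    """The question -oG exists to answer: which hosts have <port> open?"""
    return sorted(ip for ip, h in hosts.items()
                  if any(p["port"] == port and p["proto"] == proto
                         and p["state"] == "open" for p in h["ports"]))
```

Splitting on tabs first and only then on ": " is what keeps a version string such as "OpenSSH 4.2 (protocol 1.99)" intact; the equivalent shell one-liner, grep Ports: | cut -f2, falls apart as soon as a service banner contains a comma.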

13 OS Fingerprinting

The -O option turns on Nmap's OS fingerprinting system. Used alongside the -v verbosity option, you can gain information about the remote operating system and about its TCP sequence number and IP ID generation (the IP ID class being what matters when choosing a zombie for Idle scans). An article on OS detection is available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html

12 Timing and Hiding Scans

12.1 Timing
Nmap adjusts its timings automatically depending on network speed and response times of the victim. However, you may want more control over the timing in order to create a more stealthy scan, or to get the scan over and done with quicker. The main timing option is set through the -T parameter. There are six predefined timing policies which can be specified by name or number (starting with 0, corresponding to Paranoid timing). The timings are Paranoid, Sneaky, Polite, Normal, Aggressive and Insane; Normal (-T3) is the default.
A -T Paranoid (or -T0) scan will wait (generally) at least 5 minutes between each packet sent, and sends probes one at a time, so there is no parallelism to make up the time. This makes it almost impossible for a firewall to detect a port scan in progress (since the scan takes so long it would most likely be attributed to random network traffic). Such a scan will still show up in logs, but it will be so spread out that most analysis tools or humans will miss it completely. A -T Insane (or -T5) scan will map a host in very little time, provided you are on a very fast network or don't mind losing some information along the way.
Timings for individual aspects of a scan can also be set using the --host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --min-parallelism and --scan-delay options. See the Nmap manual for details.

12.2 Decoys
The -D option allows you to specify decoys. This option makes it look like those decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. This not only makes the scan look more scary, but reduces the chance of you being traced from your scan (it is difficult to tell which system is the "real" source). Two practical limits: decoys are used for the ping and port-scan phases only, so version detection (-sV) and connect scans (-sT) still come from your real address, and the decoy hosts should actually be up, otherwise the target's SYN/ACKs to them are never reset and you may accidentally SYN-flood it.
12.3 FTP Bounce
The FTP protocol (RFC 959) specifies support for "proxy" FTP, which allows a client connected to an FTP server to have the server open a data connection to any address and port on the internet (the PORT command). This tends not to work with modern ftpds, in which it is an option usually disabled in the configuration, or refused outright when the PORT address differs from the client's own. If a server with this feature is found, Nmap's -b <ftp relay host> option can use it to try to connect to ports on your victim, reading the state of each port from the server's reply (a 425 "Can't build data connection" means closed, a 150/226 data transfer means open). This scan method allows for some degree of anonymity, since the victim only sees connections from the FTP server, although the FTP server may log connections and commands sent to it.
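The PORT encoding and the reply codes a bounce scan reads, as an added example that is not part of the original tutorial and not Nmap's code. FtpServer is a simulation with made-up addresses (nothing is sent on the network), the anonymous USER/PASS login that would precede the real exchange is left out, and the allow_bounce switch models the modern server behaviour of refusing a PORT address other than the client's own.

```python
"""FTP bounce scan (nmap -b) as a control-channel exchange.

Added example for this tutorial, not Nmap's code. FtpServer is a simulation
with made-up addresses (nothing is sent on the network) and the USER/PASS
login that precedes the real exchange is left out."""
from typing import Dict, Optional, Tuple


def port_command(ip: str, port: int) -> str:
    """Encode a data-connection address the way RFC 959 does:
    PORT h1,h2,h3,h4,p1,p2 with the port split into high and low bytes."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Inverse of port_command(); rejects anything that is not six octets."""
    nums = [int(n) for n in cmd.split(" ", 1)[1].split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, nums[:4])), (nums[4] << 8) | nums[5]


class FtpServer:
    """Minimal model of an FTP server's control channel.

    reachable maps (ip, port) -> whether a TCP connect *from the server*
    would succeed. allow_bounce=False is the modern default: a PORT whose
    address is not the client's own is refused, which kills bounce scanning."""

    def __init__(self, reachable: Dict[Tuple[str, int], bool], allow_bounce: bool):
        self.reachable = reachable
        self.allow_bounce = allow_bounce
        self.data_addr: Optional[Tuple[str, int]] = None

    def handle(self, cmd: str, client_ip: str) -> str:
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "PORT":
            ip, port = parse_port_command(cmd)
            if not self.allow_bounce and ip != client_ip:
                return "500 Illegal PORT command."
            self.data_addr = (ip, port)
            return "200 PORT command successful."
        if verb == "LIST":
            if self.data_addr is None:
                return "425 Use PORT or PASV first."
            if self.reachable.get(self.data_addr, False):
                return "150 Here comes the directory listing."
            return "425 Can't build data connection: Connection refused."
        return "502 Command not implemented."


def bounce_probe(server: FtpServer, scanner_ip: str, target_ip: str, port: int) -> str:
    """One bounce probe: the FTP server, not the scanner, connects to
    target:port, so the target only ever sees the server's address."""
    reply = server.handle(port_command(target_ip, port), scanner_ip)
    if not reply.startswith("200"):
        return "bounce refused"             # server defends against FTP bounce
    reply = server.handle("LIST", scanner_ip)
    if reply.startswith("150"):
        return "open"                       # data connection was built
    if reply.startswith("425"):
        return "closed"                     # connect to target:port failed
    return "unknown: " + reply
```

The check in the PORT handler is the whole mitigation: once the server insists that the data address equals the control connection's peer, the scanner can only ever "scan" itself. Nothing in the exchange distinguishes a closed port from a filtered one, since both just leave the server unable to build the data connection.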
12.4 Turning Off Ping
The -P0 (that's a zero; -Pn in newer releases) option allows you to switch off the host discovery pings. The -PT option switches on TCP pings, and you can specify a port after -PT to be the port used for the TCP ping (Nmap 4 names this -PA, for a TCP ACK ping).
Disabling pings has two advantages: first, it adds extra stealth if you're running one of the more stealthy attacks, and secondly it allows Nmap to scan hosts which don't reply to pings (ordinarily, Nmap would report those hosts as being "down" and not scan them).
In conjunction with -PT, you can use -PS to send SYN packets instead of ACK packets for your TCP ping. The -PU option (with an optional port list after it) sends UDP packets for your "ping". This is best sent to suspected-closed ports rather than open ones, since a closed UDP port answers with an ICMP port unreachable while open UDP ports tend not to respond to zero-length UDP packets at all.
Other ping types are -PE (standard ICMP echo request), -PP (ICMP timestamp request), -PM (ICMP netmask request) and -PB (the default, which uses both an ICMP echo request and a TCP ping with ACK packets to port 80). Newer releases use a broader default set (ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request) and drop the -PT and -PB names in favour of -PA and the default.
12.5 Fragmenting
The -f option splits the TCP header of each probe across tiny IP fragments (8 bytes of payload per fragment; give -f twice for 16, or use --mtu to pick any other multiple of 8) when used with -sS, -sF, -sX or -sN (newer releases fragment all raw-packet scans and the OS detection probes too). Because the TCP flags sit at offset 13 of the header, the first 8-byte fragment carries only the ports and sequence number, which makes it harder for a firewall or packet filter that inspects fragments individually to determine the packet type. Note that many modern packet filters and firewalls (including iptables, whose connection tracking defragments) reassemble such fragments and check the type before passing them on, and some simply drop initial fragments too small to hold a transport header (the "tiny fragment" rule of RFC 1858). Less complex firewalls will not be able to cope with fragments this small and will most likely let the OS reassemble them and deliver them to the port they were intended to reach. Using this option could crash some less stable software and hardware, since packet sizes get pretty small with this option!
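What -f actually does to a probe, and what a filter can see before and after reassembly, as an added example that is not part of the original tutorial and not Nmap's code; it also builds the flag combinations behind the -sS, -sN, -sF and -sX probes discussed in 17.3. The addresses are made up, nothing is put on the wire, and the TCP checksum is left at zero because it has no bearing on the fragment layout being shown.

```python
"""Build a scan probe, fragment it the way nmap -f does, and show what a
packet filter can see before and after reassembly.

Added example for this tutorial, not Nmap's code; addresses are made up and
nothing is put on the wire. The TCP checksum is left at zero because it does
not affect the fragment layout, which is the point here."""
import struct
from typing import List, Optional, Tuple

# TCP flag bits, and the flag combinations behind the scan types in this
# tutorial: SYN, NULL (no flags), FIN, and Xmas (FIN|PSH|URG).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SCAN_FLAGS = {"-sS": SYN, "-sN": 0, "-sF": FIN, "-sX": FIN | PSH | URG}


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """20-byte TCP header with no options. Flags are the byte at offset 13."""
    data_offset = 5 << 4                    # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                       data_offset, flags, 1024, 0, 0)


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum; verifies to 0 over a header that carries it."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_packet(src: str, dst: str, payload: bytes, ident: int,
              frag_off: int, more: bool) -> bytes:
    """IPv4 header (no options) in front of payload; frag_off is in bytes."""
    flags_frag = ((1 if more else 0) << 13) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, 6, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src: str, dst: str, tcp: bytes, ident: int = 0x1234,
             size: int = 8) -> List[bytes]:
    """Split one TCP segment into IP fragments of `size` payload bytes.
    nmap -f uses 8, -f -f uses 16, --mtu any other multiple of 8."""
    if size % 8:
        raise ValueError("fragment payload must be a multiple of 8 bytes")
    return [ip_packet(src, dst, tcp[off:off + size], ident, off,
                      more=off + size < len(tcp))
            for off in range(0, len(tcp), size)]


def parse_ip(pkt: bytes) -> Tuple[int, int, bool, bytes]:
    """-> (ident, fragment offset in bytes, more-fragments flag, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:]


def reassemble(frags: List[bytes]) -> bytes:
    """What a defragmenting filter, or the target's IP stack, does before it
    looks at the transport header; fragments may arrive in any order."""
    buf = b""
    for _ident, off, _more, chunk in sorted(parse_ip(f) for f in frags):
        if off != len(buf):
            raise ValueError("missing or overlapping fragment at offset %d" % off)
        buf += chunk
    return buf


def tcp_flags_seen(ip_payload: bytes) -> Optional[int]:
    """What a stateless filter that reads each fragment on its own can tell:
    the flags byte is TCP offset 13, which an 8-byte first fragment lacks."""
    return ip_payload[13] if len(ip_payload) > 13 else None
```

With 8-byte fragments the Xmas probe arrives as three pieces (ports and sequence number; ACK number, offset, flags and window; checksum and urgent pointer), so a filter that judges the first fragment alone sees a packet to port 80 and nothing else; with 16-byte fragments the flags are back in the first piece, which is why -f on its own uses 8. A filter that reassembles first, or that drops a first fragment too short to hold the flags, gets the full picture either way.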
12.6 Idle Scanning
See the section on -sI for information about idle scans.