nmap - the network scanner
NMAP by Rohit Parab @ null Mumbai Meet, May 2011
TRANSCRIPT
http://null.co.in/ http://nullcon.net/
Nmap The Network Scanner
Module 1: Getting Started
What is Nmap?
• Nmap = Network Mapper
• Written by Fyodor
  – http://insecure.org
• Free!
• Open source, constant development
Know your protocols
• IP – Internet Protocol
• TCP – Transmission Control Protocol
• UDP – User Datagram Protocol
• ICMP – Internet Control Message Protocol
Anatomy of a scan
• Step 1: DNS lookup
  – (Unless you use an IP address)
• Step 2: Nmap "pings" the remote device
  – (This is not an ICMP echo request)
• Step 3: Reverse DNS lookup
• Step 4: Do the scan!
• Step 5: Analyze the scan results
Module 2: Basic Scans
• TCP SYN scan (-sS)
• TCP connect() scan (-sT)
• Ping scan (-sP)
• UDP scan (-sU)
Module 3: Useful scanning options
• Excluding and including targets
  – Excluding from the command line or from a file
  – Using a file to list your targets
• Port number options
  – Limit your scans
  – Focus your efforts
Excluding Targets
• --exclude <host1,host2,...>
  – Command line only
  – Must specify each time
• --excludefile <exclude_filename>
  – One option excludes many hosts
  – Keep your list handy!
Including Targets
• -iL <inputfilename>
• Addresses can be separated by tabs, spaces, or newlines
Specifying port numbers
• Specifying port numbers
  – -p <port range>
  – -p 23,34,43,123-144
Module 4: Ping options
• What's "ping"?
• Default pings
  – ARP ping
  – ICMP and TCP ACK ping
• TCP SYN ping
• UDP ping
• Don't ping before scanning
What’s “ping”?
• An Nmap ping confirms the existence of the target system
• An Nmap ping does not (necessarily) refer to an ICMP echo request
• We can disable this ping requirement with -P0 (zero)
• On the local subnet, Nmap uses ARP for the ping process
• For a remote IP subnet, Nmap uses
  – an ICMP echo request, and
  – a TCP ACK to port 80
Module 5: Network Recon
• Operating system fingerprinting (-O)
  – Systems with firewalls & filters
  – Needs one port open, one port closed
• Version detection (-sV)
Module 6: Ninja Scanning
• FIN scan (-sF), Xmas tree scan (-sX), Null scan (-sN)
  – Often called "stealth" scans
  – One frame transmitted, one frame received
  – These stealth scans never appear in application logs
  – Microsoft Windows doesn't respond to these stealth scans
• ACK scan (-sA)
  – Filtered or unfiltered (not open!)
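A defender-side illustration of the flag patterns the scans in Module 6 (and the SYN scan from Module 2) leave on the wire, added here as an example that is not part of the slides: it classifies constructed TCP flag records (sample data, not real captures) into SYN, ACK, FIN, Xmas and Null probe patterns and groups them per source, the kind of logic a host IDS or flow rule applies precisely because, as the slide notes, application logs never see these probes.

```python
from collections import defaultdict

# Constructed sample records (not real captures): (src_ip, dst_port, flags) with
# tcpdump letters S=SYN A=ACK F=FIN P=PSH U=URG; "" means no flags set.
SAMPLE = [
    ("192.0.2.10", 22, "S"), ("192.0.2.10", 22, "A"), ("192.0.2.10", 22, "PA"),   # normal SSH session
    ("192.0.2.20", 21, "S"), ("192.0.2.20", 22, "S"), ("192.0.2.20", 25, "S"),    # -sS style sweep
    ("192.0.2.20", 80, "S"), ("192.0.2.20", 443, "S"),
    ("192.0.2.30", 22, ""), ("192.0.2.30", 80, ""),                               # -sN: no flags
    ("192.0.2.40", 22, "FPU"), ("192.0.2.40", 139, "FPU"),                        # -sX: FIN+PSH+URG
    ("192.0.2.50", 443, "F"),                                                     # -sF: FIN only
    ("192.0.2.60", 80, "A"), ("192.0.2.60", 8080, "A"), ("192.0.2.60", 22, "A"),  # -sA: bare ACKs
]

def classify(flags):
    """Map a TCP flag string to the probe type it resembles, or 'other'."""
    f = set(flags)
    if not f:
        return "null"
    if f == {"F", "P", "U"}:
        return "xmas"
    if f == {"F"}:
        return "fin"
    if f == {"S"}:
        return "syn"
    if f == {"A"}:
        return "ack"
    return "other"

def detect_scans(records, min_ports=3):
    """Return {(src, type): sorted ports} for sources that look like scanners.
    Null/FIN/Xmas packets never open a real connection, so one suffices; bare SYNs
    and ACKs are normal, so they need `min_ports` distinct ports, and an ACK counts
    only toward ports the source never SYN'd to (not a handshake it started)."""
    syn_seen = defaultdict(set)   # src -> ports it has sent a SYN to
    probes = defaultdict(set)     # (src, type) -> ports probed
    for src, dport, flags in records:
        kind = classify(flags)
        if kind == "syn":
            syn_seen[src].add(dport)
            probes[(src, kind)].add(dport)
        elif kind == "ack" and dport not in syn_seen[src]:
            probes[(src, kind)].add(dport)
        elif kind in ("null", "fin", "xmas"):
            probes[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in probes.items()
            if key[1] in ("null", "fin", "xmas") or len(ports) >= min_ports}

if __name__ == "__main__":
    print(detect_scans(SAMPLE))
```

Lowering `min_ports` trades fewer missed sweeps for more false positives from ordinary clients that legitimately open a few ports.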
Nmap Timing Options
• -T0 / Paranoid
• -T1 / Sneaky
• -T2 / Polite
• -T3 / Normal
• -T4 / Aggressive
• -T5 / Insane
Random Hosts and Targets
• Randomize hosts (-rH)
  – Rearranges the order of the hosts in an Nmap scan
  – Makes it difficult to see a pattern
• Completely random target addresses
  – (-iR <num_hosts>)
  – Useful for finding specific services
  – nmap -sS -PS80 -iR 0 -p 80
Thank you