NMAP - Network Mapper
Nmap is the most popular (and most featureful) port scanning tool out there. And although it appears like a small port scanning utility, it has a lot of hidden potential to serve as a powerful hacking tool. This is precisely what we shall try to work out in this particular article.
In a previous article we saw how to use nmap for basic port scanning and network scanning tasks. You need to have those basics
1. Faster network sweep
A common use of nmap is to find online hosts within an ip range. By default nmap takes some time to scan the range depending on the number of hosts it needs to check for. However hackers would optimise the scanning process to scan the range very fast. Lets take a few examples
$ nmap -vv -sP 184.108.40.206-100 Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-13 10:24 IST Initiating Ping Scan at 10:24 Scanning 100 hosts [2 ports/host] Completed Ping Scan at 10:24, 2.38s elapsed (100 total hosts) Initiating Parallel DNS resolution of 100 hosts. at 10:24 Completed Parallel DNS resolution of 100 hosts. at 10:24, 4.28s elapsed Nmap scan report for 220.127.116.11 [host down] Nmap scan report for 18.104.22.168 [host down] Nmap scan report for 22.214.171.124 Host is up (0.025s latency). Nmap scan report for 126.96.36.199 [host down] Nmap scan report for 188.8.131.52 Host is up (0.079s latency). Nmap scan report for 184.108.40.206 Host is up (0.034s latency). Nmap scan report for 220.127.116.11 [host down] ............. Read data files from: /usr/bin/../share/nmap Nmap done: 100 IP addresses (26 hosts up) scanned in 6.67 seconds $
The output has been truncated to keep it easy to read.
In the above example nmap takes around 6.67 seconds to scan 100 hosts. Now this is a bare example. The time range can vary on many factors. So if a whole ip range like 18.104.22.168/16 (256x256 hosts) is to be scanned, it would take a lot more time. This needs to be fast. We are going to use the following 3 options to make the scan faster
1. No dns resolution 'n' - This will tell nmap not to perform dns resolution of the ip addresses, making the process faster.
2. Use the 'T' switch - The T option tells nmap what speed to operate at. T1 is slowest and T5 is fastest
3. max-rtt-timeout - This option specifies the maximum time to wait for the response.
Here is an example
$ nmap -v -n -sP --max-rtt-timeout 500ms 22.214.171.124-100 -T4 Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-13 10:34 IST Initiating Ping Scan at 10:34 Scanning 100 hosts [2 ports/host] Completed Ping Scan at 10:34, 1.97s elapsed (100 total hosts) Nmap scan report for 126.96.36.199 [host down] Nmap scan report for 188.8.131.52 Host is up (0.023s latency). Nmap scan report for 184.108.40.206 [host down] Nmap scan report for 220.127.116.11 [host down] Nmap scan report for 18.104.22.168 Host is up (0.056s latency). Nmap scan report for 22.214.171.124 Host is up (0.026s latency). ............... Read data files from: /usr/bin/../share/nmap Nmap done: 100 IP addresses (26 hosts up) scanned in 1.97 seconds $
This time nmap scanner 100 ips in 1.97 seconds. Thats good speed. The value of max-rtt-timout can be adjusted to further increase the speed of the scan. Lower its value, faster nmap would end the scan.
2. Cleaner output with grep
Nmap shows the report like this
Nmap scan report for 126.96.36.199 [host down] Nmap scan report for 188.8.131.52 Host is up (0.056s latency).
And the report contains the list of all hosts whether they are up or down. However in most cases the hosts of interest are the online/up ones. So its a better idea to list out only the up hosts and that too in a cleaner format. This is done using 2 things. The first is outputtin in greppable format using the option 'oG' and then grepping the output and filtering out the Up hosts. Here is a quick example.
$ nmap -vv -n -sP --max-rtt-timeout 500ms 184.108.40.206-100 -T4 -oG - | grep 'Up' Host: 220.127.116.11 () Status: Up Host: 18.104.22.168 () Status: Up Host: 22.214.171.124 () Status: Up Host: 126.96.36.199 () Status: Up Host: 188.8.131.52 () Status: Up .....
The above format is much neater. It only lists the 'Up' or online hosts and thats what we need. On windows the find/findstr command can be used in place of grep. Its syntax is very similar.
3. Faster port scanning
Just like we increased the speed of network sweep, similary portscans also need to be fast. Portscanning also uses the same options as shown above in the network sweep section, along with few more. Portscanning should always be done using the sS option to ensure syn scanning. The PN option can be used along with it to avoid ping detection.
$ sudo nmap -sS -vv -n -p80 -PN --max-rtt-timeout 500ms 184.108.40.206-100 -T4 -oG - | grep 'open' Host: 220.127.116.11 () Ports: 80/open/tcp//http/// Host: 18.104.22.168 () Ports: 80/open/tcp//http///
The above command scanned for open port 80 on 100 hosts in about 2 seconds. And it lists out only those hosts which have the port open. This is quick and useful.
4. Discover services
The key idea behind port scanning is to discover services that are online or on the network (and those which can be hacked! ). So lets try discovering some online services on random ip ranges.
Find FTP servers
$ sudo nmap -sS -vv -n -PN -p21 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open'
The above call to nmap shall list out all the ip addresses that have port 21 open. Hackers would find out such servers then see which of them are vulnerable. For example you could try such a scan on the ip range of some website. It will scan all possible servers in that range.
Find mysql servers
Why only ftp, there are plenty of other services to look for by matching the port numbers on which they run. Mysql for instance runs on port 3306. So find out mysql servers with a similar call to nmap with just a different value for port 'p' parameter.
$ sudo nmap -sS -vv -n -PN -p3306 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open'
There are plenty of other services to find out like telnet, http, vnc. Lots of servers out there in the public have these services open that can allow hackers to compromise their systems. So you have to find out such ones and give them a try.
5. Grab daemon banner/welcome message
Nmap has another option 'sV' that shall fetch the daemon banner or welcome message presented by the service upon connecting.
$ sudo nmap -sS -sV -n -PN -p3306 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open' Host: 192.168.1.10 () Ports: 3306/open/tcp//mysql//MySQL (unauthorized)/ Host: 192.168.1.89 () Ports: 3306/open/tcp//mysql//MySQL (unauthorized)/
The 'MySQL (unauthorized)' string in the output is the message given by mysql on connection. The most information piece of information in the welcome message is the version number of the service and anything additional. However here it seems like the welcome message has been modified to not reveal any version information.
6. Find windows machines
Just like we discovered services on remote ip addresses, its possible to find windows xp machines that are directly connected to the internet. You can for example run a nmap scan over the ip addresses allocated by your isp to its users and find out which ips are windows machines that are online. For this we just need to scan for open samba (445) ports.
$ sudo nmap -n -PN -p445 --max-rtt-timeout 500ms 22.214.171.124/24 -T4 -oG - | grep 'open' Host: 126.96.36.199 () Ports: 445/open/tcp//microsoft-ds/// Host: 188.8.131.52 () Ports: 445/open/tcp//microsoft-ds/// Host: 184.108.40.206 () Ports: 445/open/tcp//microsoft-ds/// Host: 220.127.116.11 () Ports: 445/open/tcp//microsoft-ds/// ........
You might be surprised to see the number of users online.
The above shown examples are the basics of how to use port scanning and nmap as a powerful tool to study the network around you. Nmap now also has scripting features which allows to write custom scripts that can be used with nmap to automate and extend the scanning capabilities of nmap to a higher level.