Nmap (“Network Mapper”) is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

Scanner IP Address : 192.168.8.93

Requirement :

1. Nmap (nmap.org)

1. Open your console (CTRL + ALT + T) and then type nmap command to view the help. Actually from this help page you can read yourself because there’s so many options you can use to perform your scanning technique.

2. The simple or basic scanning technique was just run your nmap following with a target IP address.

 

v4L@bt:~# nmap 192.168.8.91

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-09-16 21:24 CST
Nmap scan report for localhost (192.168.8.91)
Host is up (0.00070s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap
MAC Address: 08:00:27:7E:C9:A3 (Cadmus Computer Systems)

Nmap done: 1 <strong>IP</strong> address (1 host up) scanned in 1.48 seconds


nmap1

3. Nmap also can scan a whole of your network address to know which host alive or dead (try by yourself).

 

v4L@bt:~# nmap 192.168.8.0/24

Information :

if your IP was 192.168.1.9, then your nmap command should be nmap 192.168.1.0/24 but you can learn more about this CIDR notation in computer networking.

If you see the nmap help, there’s so many switch you can use but in this tutorial I will not describe all of that switch because you can read more on nmap official website help page.

-v : Increase verbosity level (use -vv or more for greater effect)

-S &lt;IP_Address&gt; : Spoof source address -- used to trick the firewall/IDS

-e &lt;iface&gt; : Use specified interface

-Pn : Treat all hosts as online -- skip host discovery

-sV : Probe open ports to determine <strong>service</strong>/version info -- very <strong>useful</strong> to get detailed information about the <strong>service</strong>

-T&lt;0-5&gt; : Set timing template (higher is faster)--see picture below

-O : Enable <strong>OS</strong> detection

nmap2

4. I will use the above switch to perform a scanning in my network.

 

v4L@bt:~# nmap -S 192.168.8.123 -e eth0 -Pn -sV -T4 -v -O 192.168.8.0/24

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-09-16 20:46 CST
NSE: Loaded 9 scripts for scanning.
Initiating ARP Ping Scan at 20:46
Scanning 256 hosts [1 port/host]
Completed ARP Ping Scan at 20:46, 1.55s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 20:46
Completed Parallel DNS resolution of 256 hosts. at 20:46, 0.00s elapsed
Nmap scan report for 192.168.8.0 [host down]

<strong>--CODE SNIP IT'S TOO LONG--</strong>

Nmap scan report for localhost (192.168.8.88)
Host is up (0.0012s latency).
All 1000 scanned ports on localhost (192.168.8.88) are filtered
MAC Address: 12:34:56:78:90:12 (Unknown)
Too many fingerprints match this host to give specific <strong>OS</strong> details
Network Distance: 1 hop

Nmap scan report for localhost (192.168.8.90)
Host is up (0.021s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
554/tcp   open  rtsp?
2869/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5357/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 00:21:5D:F4:3A:D8 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
<strong>OS</strong> fingerprint not ideal because: Missing a closed TCP port so results incomplete
No <strong>OS</strong> matches for host
Network Distance: 1 hop
Service Info: <strong>OS</strong>: Windows

Nmap scan report for localhost (192.168.8.91)
Host is up (0.0020s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp?
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows <strong>XP</strong> microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 08:00:27:7E:C9:A3 (Cadmus Computer Systems)
No exact <strong>OS</strong> matches for host (If you know what <strong>OS</strong> is running on it, see http://nmap.org/submit/ ).
TCP/<strong>IP</strong> fingerprint:
<strong>OS</strong>:SCAN(V=5.59BETA1%D=9/16%OT=21%CT=1%CU=32221%PV=Y%DS=1%DC=D%G=Y%M=080027%
<strong>OS</strong>:TM=4E73458A%P=i686-pc-linux-gnu)SEQ(CI=I%II=I%TS=0)SEQ(CI=I%II=I)OPS(O1=
<strong>OS</strong>:M5B4NW0NNT00NNS%O2=%O3=%O4=%O5=%O6=)OPS(O1=NNT11%O2=%O3=%O4=%O5=%O6=)WIN
<strong>OS</strong>:(W1=FAF0%W2=0%W3=0%W4=0%W5=0%W6=0)ECN(R=Y%DF=N%T=80%W=0%O=%CC=N%Q=)T1(R=
<strong>OS</strong>:Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=Y%T=80%S=O%A=O%F=AS%RD=0%Q=)
<strong>OS</strong>:T1(R=Y%DF=Y%T=80%S=O%A=O%F=A%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O
<strong>OS</strong>:=%RD=0%Q=)T3(R=Y%DF=N%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=80%
<strong>OS</strong>:W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
<strong>OS</strong>:)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=80%W=0%S=Z%A=
<strong>OS</strong>:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
<strong>OS</strong>:K=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z)

Network Distance: 1 hop
Service Info: <strong>OS</strong>: Windows

Nmap scan report for localhost (192.168.8.92)
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE              VERSION
80/tcp  open  http                 Apache httpd 2.2.16 ((Debian))
111/tcp open  rpcbind (rpcbind V2) 2 (rpc #100000)
MAC Address: 08:00:27:8E:01:56 (Cadmus Computer Systems)
<strong>OS</strong> fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No <strong>OS</strong> matches for host
Network Distance: 1 hop

Nmap scan report for localhost (192.168.8.94)
Host is up (0.0026s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd 5.0
23/tcp   open  telnet        Microsoft Windows 2000 telnetd
25/tcp   open  smtp          Microsoft ESMTP 5.0.2195.2966
80/tcp   open  http          Microsoft IIS httpd 5.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds  Microsoft Windows <strong>XP</strong> microsoft-ds
1025/tcp open  NFS-or-IIS?
1026/tcp open  LSA-or-nterm?
MAC Address: 08:00:27:33:FD:68 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows 2000
<strong>OS</strong> details: Microsoft Windows 2000 SP0
Network Distance: 1 hop
Service Info: Host: 2000sp2; <strong>OS</strong>: Windows

Read data files from: /usr/local/bin/../share/nmap
<strong>OS</strong> and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 <strong>IP</strong> addresses (6 hosts up) scanned in 127.68 seconds
           Raw packets sent: 9126 (410.968KB) | Rcvd: 4191 (169.016KB)


5. I give different color in nmap scan result. As you can see, in my subnet there’s 5 hosts marked as up and alive. The first host(blue color) was my O.S with firewall installed. Below was the picture when my firewall detected some alert in my PC.

nmap3

As you can see from the alert above, the firewall detected that connection came from IP Address 192.168.8.123 but the real scanner IP address was 192.168.8.93 that’s because the -S, -e and -Pn switch I’ve used in scanning method.

6. When you do a scan, and you get some open port in 135 or 139 or 445 that machine should be a Windows machine.

Because nmap was also an application and created by human, so maybe there’s some inaccurate result when this program scans the network especially when guess the Operating System.

7. If there’s no open port 135 or 139 or 445, it should be another Operating System, maybe Linux or Mac OSX, Solaris, etc(see the brown color – 192.168.8.92). To know what operating system, actually there’s many ways but here I will try simple banner grabbing by telnet to the opening port of that host.

There it is…that host was running a Debian Operating System. ?

Counter measures :

1. Install a firewall to block requests from scanner

2. If you have some service running and there’s an open port, mask or delete the server information when an error triggered.

Take your time to comment on this article.