Nmap is one of those essential tools that you find yourself always reaching for after a few years of system administration. It’s an excellent tool for network mapping, but more importantly for our purposes it can be used for security auditing. The main ways I use Nmap are as a port scanner and, in some cases, to identify the OS of the IP being scanned. These are by no means the only uses. Nmap has a ton of options and can also be extended with scripts.
The most common uses of Nmap are:
1. Scanning a range of IPs to see which ones are live (see my previous article here)
2. Scanning an IP or network to see what ports are open (and possibly what’s running on them)
3. Identifying the OS of a machine at a particular IP address or network
Items 2 and 3 are what we’re going to cover today.
Imagine for a moment that we have an IP address or network we’re interested in and we want to know if there are any exploitable services running. We could sit there and try telnetting to each and every possible port, or we can throw Nmap into the game. Like I said before, Nmap has a metric ton of options, so here are a few.
Scan an IP address to see what privileged ports are open
sudo nmap 192.168.1.85
And you’ll get a listing like the following back
    Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-17 22:33 PDT
    Interesting ports on 192.168.1.85:
    Not shown: 1704 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    548/tcp  open  afpovertcp
    1723/tcp open  pptp
    MAC Address: 00:1A:70:22:0F:GC (Cisco-Linksys)
    Nmap done: 1 IP address (1 host up) scanned in 0.732 seconds
Well, sure, we now know what ports are open and what’s “probably” running on them, but if we want to exploit them we need to know what version of Apache or Bind or whatever is running at that IP. So let’s run the following command
sudo nmap -sV 192.168.1.85
This tells Nmap to try and fingerprint the service running on any ports it sees open. So we get a response like the following back now
    Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-17 22:38 PDT
    Interesting ports on 192.168.1.85:
    Not shown: 1704 closed ports
    PORT     STATE SERVICE     VERSION
    22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
    80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch)
    139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
    445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
    548/tcp  open  afpovertcp?
    1723/tcp open  pptp        linux (Firmware: 1)
    MAC Address: 00:1A:70:22:0F:GC (Cisco-Linksys)
    Service Info: Host: local; OS: Linux
    Host script results:
    |_ Discover OS Version over NetBIOS and SMB: Unix
    Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 94.721 seconds
There we go, that’s better. Now we know what versions of Apache, SSH, Samba, etc. are running on this server. Now we can filter through Metasploit, for example, and see if any of these versions have vulnerabilities we can exploit.
Now say we just wanted to know what OS was running at that IP. You could use the command below.
sudo nmap -O 192.168.1.85
And it would throw back this
    Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-17 22:44 PDT
    Interesting ports on 192.168.1.85:
    Not shown: 1704 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    548/tcp  open  afpovertcp
    1723/tcp open  pptp
    MAC Address: 00:1A:70:22:0F:GC (Cisco-Linksys)
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.18 (Gentoo, x86)
    Uptime: 13.636 days (since Thu Sep 4 07:28:11 2008)
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 2.120 seconds
Notice that we get a little more detail on the OS, like its uptime and the Linux kernel version. (Don’t worry, it’ll recognize Windows and OS X as well.) Just be aware that it’s not always 100% accurate. For example, it says here “OS details: Linux 2.6.18 (Gentoo, x86)” but in reality it’s an Ubuntu box running kernel 2.6.24. So never put all your eggs in one basket and completely trust these fingerprints; always try to verify your intel if possible.
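The mismatch described above can be caught mechanically. As an added example (not from the original article), this Python sketch parses the `-sV` port table and compares distribution names in the service banners with the `-O` guess; the sample text is reconstructed from the scans above, and the distro keyword list is an illustrative assumption.

```python
import re

# Constructed input: port table and OS line as shown in the scans above.
SV_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
548/tcp  open  afpovertcp?
1723/tcp open  pptp        linux (Firmware: 1)
"""
O_OUTPUT = "Running: Linux 2.6.X\nOS details: Linux 2.6.18 (Gentoo, x86)\n"

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DISTROS = ("ubuntu", "debian", "gentoo", "fedora", "centos", "suse")  # assumption

def parse_services(text):
    """Return one dict per port row of Nmap's normal (-sV) output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service.rstrip("?"),
                         "guessed": service.endswith("?"),  # '?' = Nmap unsure
                         "version": (version or "").strip()})
    return rows

def distro_hints(text):
    """Distribution names mentioned anywhere in the given text."""
    low = text.lower()
    return {d for d in DISTROS if d in low}

def cross_check(sv_text, os_text):
    """Compare distro names in service banners with the 'OS details' line."""
    banner = set()
    for row in parse_services(sv_text):
        banner |= distro_hints(row["version"])
    os_line = next((l for l in os_text.splitlines()
                    if l.startswith("OS details:")), "")
    guess = distro_hints(os_line)
    return {"banner_hints": banner, "os_guess": guess,
            "conflict": bool(banner and guess and not (banner & guess))}

if __name__ == "__main__":
    print(cross_check(SV_OUTPUT, O_OUTPUT))
```

A conflict does not say which side is right; it marks a host whose fingerprint needs a second source before it goes into an inventory or report.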
In all the previous examples I’ve scanned a single IP address. Any of these commands can be run against a single IP address, as in the examples above, or against an entire network. You specify the network using network prefix notation, e.g. 192.168.1.0/24 (192.168.1.0 to 192.168.1.255), or by specifying ranges, e.g. 192.168.1.0-255.
So a scan of the 192.168.1.0 network would be
sudo nmap 192.168.1.0/24
Nmap also has some tricks you can use to try to get around intrusion detection systems (IDS) or firewalls. My favorite is the “Decoy” switch. The decoy switch runs some other concurrent scans pretending to be from different IP addresses you specify. This draws attention away from your IP; think of it as gathering a crowd. You become less conspicuous as an individual (IP address) if an IDS sees scans from several different addresses.
The decoy switch looks like this
sudo nmap -D 192.168.2.45,192.168.4.85,192.168.68.1 192.168.1.85
Check here for a full list of Nmap’s IDS/firewall evasion and spoofing tools.
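From the monitoring side, the "crowd" has a recognizable shape: several sources touching the same ports on one target at the same moment. The following Python sketch is an added example, not part of the original article; the log format, the 192.168.1.20 and 192.168.1.33 addresses, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed firewall log: 'epoch_seconds src_ip dst_ip dst_port'."""
    # Three decoy addresses from the command above plus one constructed address.
    sources = ["192.168.2.45", "192.168.4.85", "192.168.68.1", "192.168.1.20"]
    lines = [f"{1000 + i} {src} 192.168.1.85 {port}"
             for i, port in enumerate([22, 80, 139, 445]) for src in sources]
    lines.append("1002 192.168.1.33 192.168.1.85 80")  # ordinary web client
    return "\n".join(lines)

def find_decoy_candidates(log_text, window=60, min_sources=3, min_ports=3):
    """Flag targets where several sources probed an identical port set.

    Fixed time buckets are used for brevity; a scan that straddles a bucket
    boundary is split, so production logic would use a sliding window.
    """
    seen = defaultdict(set)    # (dst, bucket, src) -> ports touched
    for line in log_text.splitlines():
        ts, src, dst, port = line.split()
        seen[(dst, int(ts) // window, src)].add(int(port))

    groups = defaultdict(set)  # (dst, bucket, port set) -> sources
    for (dst, bucket, src), ports in seen.items():
        if len(ports) >= min_ports:
            groups[(dst, bucket, frozenset(ports))].add(src)

    return [{"target": dst, "ports": sorted(ports), "sources": sorted(srcs)}
            for (dst, bucket, ports), srcs in groups.items()
            if len(srcs) >= min_sources]

if __name__ == "__main__":
    for hit in find_decoy_candidates(build_sample_log()):
        print(hit)
```

The flagged source list contains the real scanner alongside the spoofed addresses; the log alone does not show which one it is, so none of the listed addresses should be blocked or blamed on this evidence alone.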
This article barely scratches the surface of what Nmap can do. Check out the Nmap Reference Guide for an expanded list of Nmap options and techniques.
Some of the best resources for different Nmap techniques are the security mailing lists. A list of some of the more active ones is provided on the Nmap website here. I found the Penetration Testing list particularly useful and interesting.
As always if you have any questions, comments or suggestions please post them in the comment section below.