Results tagged “nmap”

Nmap 5.00 is the latest and greatest version of what is arguably the most useful network utility ever created and it's now available, for all major computer operating systems, from the download page at nmap.org. Nmap is Free and Open Source Software.

The previous stable release of Nmap was version 4.76 way back in September 2008 and much has happened since then - this version of Nmap is packed with new features and numerous improvements.
You can read the official details of this release at http://nmap.org/5/.

So what is Nmap exactly? How about a little introduction:

Nmap Port Scanning

Nmap, the port scanner, is able to discover services running on a networked host by utilising a variety of scanning techniques and probes in order to help you gather important information about the function of the host and the state of the network.

Try this command against scanme.nmap.org (a host provided, as the name suggests, for testing your favourite port scanner):

# nmap scanme.nmap.org

Nmap's abilities make it easy to troubleshoot problems on the network, enforce network policies, test firewall rules and much more. Nmap is a must-have tool for Network Professionals, System Administrators, Security Professionals and just about anyone who uses a computer in a networked environment and who wants to know more about their network environment or just networking in general.

Read more about Nmap Port Scanning techniques at
http://nmap.org/book/man-port-scanning-techniques.html.

Host Discovery

Nmap excels at finding hosts on the network: your network; someone else's network or even the entire Internet. Nmap is able to send a great variety of probes for many network protocols in order to elicit responses from hosts, thus revealing their presence.

Try running a command such as one of the following to find hosts on your local network:

# nmap -sP --reason 10.0.0.0/16
# nmap -sP --reason 192.168.1.0/24

The following will generate 1024 random IP addresses and report any hosts it finds out there on the Internet:

# nmap -sP --reason -iR 1024

Read more about Nmap and Host Discovery at
http://nmap.org/book/man-host-discovery.html.

Nmap Version Detection

Discovering that port 80 is open on a host means that it's a fairly safe bet that the service available via that port is a web server of some kind - port 80 is the standard port for the HTTP protocol. Nmap can tell you exactly which kind of web server it is, down to the product name and its version number.

Try this command against port 80 of scanme.nmap.org:

# nmap -sV -p80 scanme.nmap.org

Version detection has been a part of the Nmap arsenal for several years and is one of its greatest strengths. The Nmap database of service detection probes and probe responses allows Nmap to identify thousands of services even when those services are running on non-standard ports. No longer is it a good idea to hide services by binding them to non-standard ports (e.g. hiding telnet on some high numbered port such as 50000 instead of its standard port 23) and assuming that the service won't be found. Nmap will quickly reveal the service's true identity!

Read more about Nmap Version Detection at
http://nmap.org/book/man-version-detection.html

Nmap Operating System Detection

Another great feature of Nmap is its ability to detect small differences in the way a host speaks over the network in order to identify the Operating System (OS) running on the host. Under ideal conditions Nmap is able to accurately detect more than 2000 different OS versions, from Apple iPhones to ZyXEL ZyWALL routers, including standard ones such as Ubuntu or Windows Vista and obscure ones running on devices such as Oscilloscopes and Toasters (OK, not really toasters - not yet anyway...).

Try this command against scanme.nmap.org to discover what Operating System it runs:

# nmap -sV -O scanme.nmap.org

Read more about Nmap Operating System Detection at
http://nmap.org/book/man-os-detection.html.

Nmap Scripting Engine

The Nmap Scripting Engine (NSE) allows its users to write custom scripts in the Lua scripting language to perform any kind of networking task imaginable. NSE provides access to Nmap's networking APIs and makes it very easy to send and receive data across the network. Nmap ships with over 50 scripts which complement and extend the discovery of information about a host - tasks such as detecting open proxy services, detecting open mail relays, looking up Autonomous System Numbers and WHOIS information, detecting and exploiting vulnerabilities and many more.

Try the following command against the web service at scanme.nmap.org to discover the Title of the default web page:

# nmap -p80 --script html-title scanme.nmap.org

There are also more than 30 NSE libraries to allow script-writers to easily implement all sorts of common networking tasks such as sending HTTP requests and parsing the responses, performing DNS queries, talking the SMB protocol to Microsoft Windows machines to name but a few.
The Lua language is easily mastered and its use within NSE is well documented making it very simple to start writing NSE scripts.

Read more about the Nmap Scripting Engine at
http://nmap.org/book/man-nse.html.

Nmap and Accompanying Tools

Nmap has become a suite of tools for Network discovery, exploration and management and as well as the main Nmap executable, Nmap 5.0 now comes with the Zenmap GUI, Ndiff and Ncat:

Nmap and the Zenmap Graphical User Interface

Zenmap is a cross-platform graphical user interface for Nmap with several really cool tricks up its sleeves. The killer features of Zenmap include a graphical view of the network Topology and its ability to Aggregate the results of multiple scans into a single place.
Using the results of Nmap traceroute output (option: --traceroute) Zenmap draws an actual map of the network which includes the routers between you and the target host. Result Aggregation allows you to perform multiple scans and Zenmap extends the map to include any new hosts discovered. Information about any host is available for viewing right there on the map, making it a great way to build up a picture of hosts on the network. The map is displayed as a series of concentric circles each representing a 'hop' with your host at the centre, but the map can be redrawn with any host at the centre allowing you to view the network from different perspectives. The map can even be exported as an image for viewing outside of the Zenmap interface.

For people new to Nmap, the Profile Editor is a fantastic way to learn about and experiment with the huge array of Nmap options. The Profile Editor explains each of the options and presents them in an easy to use interface which allows you to select options by ticking boxes, selecting items in drop-downs and so on. Zenmap profiles are a great way to save Nmap commands which you use regularly and Zenmap ships with several ready-made profiles to get you started.

Command line junkies need not use the Zenmap Profile Editor at all - commands can be typed directly into the Zenmap Interface and using Nmap this way is just as quick as from the command line with all of the added benefits that Aggregation and Topology bring. Zenmap also produces both the normal output associated with a command terminal as well as Nmap XML output which means you don't have to worry about specifying Nmap output options - Zenmap allows you to simply save the output to a file once a scan is finished and you can even save multiple scans to a single directory in a couple of mouse clicks.

Zenmap has other features too such as: maintaining a database of recent scans so that you can search them to find specific hosts or services you're interested in; enabling comparisons between the results of two scans to quickly see the differences in the output; and novel ways to display information about scanned hosts.

Read more about Zenmap at
http://nmap.org/book/zenmap.html and marvel at just how useful it is.

Ndiff and Nmap Output comparisons

Nmap can produce its output in XML format and a common desire is to compare the output of two scans of the same host or network taken at different times. Ndiff is a separate command line tool, shipped alongside Nmap, which allows you to quickly see the differences between the outputs of two scans in much the same way as Unix diff. Ndiff is Nmap aware and excels at showing you changes in available hosts on the network and changes in port states of a host - making it really useful for keeping abreast of changes on the network. Zenmap leverages Ndiff for its scan comparison functionality.

Read more about Ndiff at
http://nmap.org/ndiff/.

Ncat - Netcat for the 21st Century

Ncat is a modern re-implementation of Netcat and is fundamentally a tool for reading from and writing to the network. Ncat has a nearly limitless number of uses: acting as a simple TCP, UDP or SSL client to a variety of network services; providing network functionality to non-networked applications; acting as a server to which clients can connect; and cool things like becoming a proxy server, a chat client/server and brokering connections between clients. It features security measures such as access control lists for client connections and proxy authentication.

Like the rest of the Nmap toolset, Ncat runs on all major operating systems and has no trouble communicating with an Ncat running on a different operating system.

Read more about Ncat at
http://nmap.org/ncat/.

Nmap Network Scanning - Fyodor's Nmap book

Nmap's author Fyodor has also authored Nmap Network Scanning - the "Official Nmap Project Guide to Network Discovery and Security Scanning". The book is a 468 page treasure trove of information about how to effectively harness the power of Nmap in the real world including a 42 page reference of all Nmap options. The book is available for purchase and several of its chapters are available in the free online-edition at
http://nmap.org/book/toc.html

This has been a short introduction to Nmap 5.00 and its associated tools which I hope you've found useful. If you want to know more about Nmap, you will find everything you need to know at http://nmap.org/.

Happy Nmapping!

UPDATE 2009-04-01:
Nmap 4.85BETA6 has been released.  A few tweaks have been made to the smb-check-vulns.nse script which can be used to detect hosts compromised with the Conficker malware.  The output from the script is improved and makes the status of the scanned host clearer.  If you've already tried the script and seen this result:
Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT
then try the updated script which increases the timeout period from 5 seconds to 20.

The newest beta of the network exploration and auditing tool Nmap 4.85BETA5 is now available for download at nmap.org/download.
Among the changes, which you can read about in the CHANGELOG, is an especially handy tool which can detect machines compromised with the Conficker (aka Downadup aka Kido) worm.
The smb-check-vulns.nse script has been updated by its author Ron Bowes to include specially crafted RPC messages and detection of the giveaway response returned by a machine compromised with Conficker.

The script may be run like so:

nmap -PN -p139,445 -n -v --script smb-check-vulns --script-args safe=1 <targets>
which might result in:
Interesting ports on cleanhost1.com (192.168.0.1):
PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on compromised2.com (192.168.0.2):
PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

The MS08-067 and regsvc DoS checks are not performed when "--script-args safe=1" is specified on the command line, which is why you will see "NOT RUN" next to those host script result entries. The MS08-067 check can determine whether or not the KB958644 Microsoft patch for the vulnerability exploited by Conficker has been applied. There's a very good chance that this check will crash the server service of a vulnerable machine which is why it is suggested that the "safe" argument is specified to prevent the crash. If you want to perform the check, omit "--script-args safe=1" from the command.

If you have a large number of hosts in your organisation you may be interested in some great advice posted to the nmap-developers mailing list on tuning the nmap parameters to speed the process up, as well as a handy perl script for parsing nmap xml output files to extract the conficker results.
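Acting on the results across a large organisation means parsing Nmap's XML output (-oX) rather than the human-readable text. The Python below is an added example, not code from this page or from the Nmap project: it parses a constructed sample of Nmap XML, pulls each host's Conficker verdict out of the smb-check-vulns output, and, serving the Ndiff section above as well, reports Ndiff-style host and port-state changes between two scans.

```python
"""Parse Nmap XML output: pull the smb-check-vulns Conficker verdict out of each
host's script output, and report Ndiff-style port-state changes between two scans.
Added example, not page or Nmap project code; the XML below is a constructed sample."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.85BETA5">
<host><status state="up" reason="user-set"/><address addr="192.168.0.1" addrtype="ipv4"/>
<hostnames><hostname name="cleanhost1.com" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: Likely CLEAN&#xa;regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)"/></hostscript></host>
<host><status state="up" reason="user-set"/><address addr="192.168.0.2" addrtype="ipv4"/>
<hostnames><hostname name="compromised2.com" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: Likely INFECTED&#xa;regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)"/></hostscript></host>
<host><status state="up" reason="user-set"/><address addr="192.168.0.3" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="139"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="445"><state state="closed" reason="reset"/></port></ports></host>
</nmaprun>
"""

def parse_hosts(xml_text):
    """Return {address: {"status", "name", "ports": {(proto, port): state}, "scripts": {id: output}}}."""
    hosts = {}
    for h in ET.fromstring(xml_text).findall("host"):
        name = h.find("hostnames/hostname")  # absent with -n (no reverse DNS) or when unresolved
        hosts[h.find("address").get("addr")] = {
            "status": h.find("status").get("state"),
            "name": name.get("name") if name is not None else "",
            "ports": {(p.get("protocol"), int(p.get("portid"))): p.find("state").get("state")
                      for p in h.findall("ports/port")},
            # NSE writes host-script output into the 'output' attribute, newlines as &#xa;
            "scripts": {s.get("id"): s.get("output", "") for s in h.findall("hostscript/script")},
        }
    return hosts

def conficker_verdict(host):
    """Text after 'Conficker:' in the script output, or NOT CHECKED when the script
    never ran for this host (typically because neither 139 nor 445 was open)."""
    out = host["scripts"].get("smb-check-vulns")
    if out is None:
        return "NOT CHECKED"
    for line in out.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Conficker":
            return value.strip()
    return "UNKNOWN"  # script ran but printed no Conficker line (e.g. an SMB error)

def triage(xml_text):
    """Group addresses by verdict so the 'Likely INFECTED' hosts are one lookup away."""
    groups = {}
    for addr, host in parse_hosts(xml_text).items():
        groups.setdefault(conficker_verdict(host), []).append(addr)
    return groups

def port_state_changes(old_xml, new_xml):
    """Ndiff-style diff: (address, item, before, after); None means the item was absent."""
    old, new = parse_hosts(old_xml), parse_hosts(new_xml)
    changes = []
    for addr in sorted(set(old) | set(new)):
        if addr not in old or addr not in new:  # host appeared or vanished
            changes.append((addr, "host", old.get(addr, {}).get("status"), new.get(addr, {}).get("status")))
            continue
        for key in sorted(set(old[addr]["ports"]) | set(new[addr]["ports"])):
            before, after = old[addr]["ports"].get(key), new[addr]["ports"].get(key)
            if before != after:
                changes.append((addr, "%d/%s" % (key[1], key[0]), before, after))
    return changes
```

Run `triage(open("scan.xml").read())` on a real -oX file to get the infected list; hosts with neither SMB port open come back as NOT CHECKED rather than silently passing as clean.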

The background to this update to smb-check-vulns.nse may be interesting to anyone curious about or involved in defending against Conficker.

Researchers at the Rheinische Friedrich-Wilhelms-Universität Institute of Computer Science, Felix Leder and Tillmann Werner (members of the Honeynet Project), discovered that Conficker, which patches the MS08-067 vulnerability of its host, responds with uncommon error codes when sent specific RPC messages.  These responses are entirely different from those that may be elicited from a normal patched or unpatched host, thus making remote detection of compromised hosts a possibility.

Remote detection of Conficker is a real boon for system administrators who can now scan their entire organisation and determine whether there are compromised hosts on its networks without having to visit each machine or trawl through and decipher stacks of logs generated by network security monitoring tools.

Leder and Tillmann have posted details of their research into Conficker and methods/tools to detect and contain compromised hosts and there is a more detailed analysis available from them in a paper entitled "Containing Conficker - To Tame a Malware".

Several scanning tools are being or have already been updated to take advantage of this ability to remotely detect Conficker, as noted in a blog post by Dan Kaminsky, though it's worth noting that Nmap is free and will almost certainly get the job done quicker!

Nmap 4.85 BETA2

UPDATE: 3 February 2009
Nmap 4.85 BETA3 is now available - this release fixes a few minor issues and contains a couple of small tweaks.

Version 4.85 BETA2 of Nmap, everyone's favourite network security scanner, has been released.  This version includes a huge amount of improvements, bug fixes and new features.  The full list of significant changes can be found in the CHANGELOG.  Here are some notable ones:

  • Nmap Port Scanning algorithms have been improved to increase performance without sacrificing the accuracy for which Nmap is loved.  On average, scans are now 30% faster!
  • The accuracy of Nmap 2nd Generation Operating System Detection was improved which should result in significantly better OS determination.
  • Port scan performance has been improved by changing the list of high priority ports (those more likely to be responsive) which Nmap shifts closer to the beginning of scans.  The new port list is: 21, 22, 23, 25, 53, 80, 110, 111, 113, 135, 139, 143, 199, 256, 443, 445, 554, 587, 993, 995, 1025, 1720, 1723, 3306, 3389, 5900, 8080 and 8888.
  • Nmap now ships with Ndiff, a marvellous utility written in Python which compares two Nmap XML output files and generates a report showing the differences between them.  This allows you to perform scans of the same network periodically and detect changes in port states, service versions, responsive hosts and so on.  Read more about Ndiff at http://nmap.org/ndiff/.
  • Nmap now ships with Ncat, a much-improved reimplementation of Netcat brought up-to-date with IPv6 support, connection brokering support, proxying and, of course, is cross platform like Nmap.  Read more about Ncat at http://nmap.org/ncat/.
  • Nmap scripts now have a sensible naming scheme and have been renamed accordingly.  This benefits users because calling scripts by name is easier with more intuitive names and also because the script filename is printed in Nmap output and it's now much easier to see which script produced a particular output.  It benefits script writers because the ID field is no longer used - one less thing to remember when writing scripts.
  • The NSIS Nmap installer for Windows now installs on the all new Windows 7.
  • Nmap Scripting Engine (NSE) now has libraries that handle MSRPC, NetBIOS and SMB protocols and several scripts that utilise these libraries to interrogate Windows machines for lots of interesting information such as user, group, shares, processes, sessions and domain enumeration.
  • NSE scripts and libraries are now documented.  The documentation is generated from comments in the scripts themselves using a LuaDoc implementation designed for Nmap named NSEdoc.  This is a real help when you want to write a script as well as for curious folk wanting to know the how and the why of script execution.  The full documentation is available online at http://nmap.org/nsedoc/.
  • Nmap now correctly inserts the path to the XSL stylesheet in XML output on Windows machines.  This means you can now open Nmap XML output files in your favourite web browser from any directory without having to supply the --stylesheet argument on the command line.
Aside from these, there have been numerous improvements to NSE and the Zenmap GUI and it would be well worth your time to upgrade to the new version.  Get it from http://nmap.org/download.


Nmap New Features

Nmap 4.75 was released on Sunday 7 September 2008 and, since it includes some great new features, I thought I'd mention a few of them here.  The currently available version of Nmap is actually 4.76 which was released on Saturday 13 September 2008 and which fixed some bugs found in the 4.75 release.  Go get it: http://nmap.org/download

New features

  • Fyodor spent the Summer scanning millions of hosts on the Internet in an effort to gather data which could inform decisions on how to improve Nmap in terms of speed, accuracy and host and port discovery.  Out of this WorldScan project came the data on how often many of the TCP and UDP ports are found to be open and this frequency data has been added to the nmap-services file used by Nmap during its scans.  This is a major benefit to Nmap users:
  • Nmap's default scan (nmap <target>) now interrogates the top 1000 most frequently open TCP or UDP ports.  Previously, the first 1024 ports as well as all named ports above 1024 were scanned (1715 TCP and 1488 UDP) and this improvement means that the number of ports scanned is dramatically reduced whilst increasing the chance that the ports scanned will be open, i.e. improving the default scan's ability to find open ports.  About 93% of open TCP ports and roughly 98% of open UDP ports are found (on average) with the default scan.
  • Nmap's fast scan (nmap -F <target>) now scans the top 100 most frequently open TCP or UDP ports.  This scan previously scanned 1276 TCP and 1017 UDP ports and, whilst faster than the default scan, wasn't particularly deserving of its name - it is now.  73% of open TCP and 90% of open UDP ports are found with the Fast scan.
  • --top-ports <number> allows you to scan <number> of the most frequently open ports.  For example nmap -sS --top-ports 3674 finds, on average, 100% of open TCP ports and nmap -sU --top-ports 1017 finds, on average, 100% of open UDP ports (making scanning every one of the 65535 ( -p- ) largely unnecessary).
  • There have been several significant improvements to Zenmap, the Nmap GUI.  The most visible of these is the Topology System which uses --traceroute information to draw a map of the network.  That's right, a visualisation of the network topology in the form of a map!  Have a look at http://nmap.org/book/zenmap-topology.html to see what I mean.  The map starts with the scanning host at the centre of a set of concentric rings representing increasing numbers of network hops.  The scanned hosts are placed according to the number of hops between them and the scanning machine.  It's possible to redraw the map with any of the hosts at the centre of the map by simply clicking a host whilst the "Change Focus" control is selected and the result is a sweet animation as the hosts are rearranged to show the network from the perspective of the selected host.
  • Zenmap Scan Aggregation http://nmap.org/book/zenmap-scanning.html#aggregation is another improvement to Zenmap which allows you to build-up a picture of the network by adding scans.  For instance, you might start with nmap -sP -PE --traceroute <targets> to get an overall picture of the topology of the network and then perform more detailed scans of each of the hosts found and the information acquired builds into a more complete picture (literally if you look at the Topology tab).
  • The Nmap Scripting Engine has been significantly improved making it easier to write custom scripts to perform all sorts of network, host and application discovery tasks.  There are new NSE libraries to make scripting of common tasks a painless exercise and there are new scripts to give you more information about your targets.
So these are just a few of the new features you can try for yourself and there are more on the horizon.  You can see a complete list of changes to Nmap in the changelog at http://nmap.org/changelog.html

Here's an example of a scan which is faster, more accurate and results in more information than previous versions:

nmap -sSV -F --script default,discovery scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2008-09-27 16:05 GMT Standard Time
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 95 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  closed smtp
53/tcp  open   domain  ISC BIND 9.3.4
80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
|_ HTML title: Go ahead and ScanMe!
113/tcp closed auth

Host script results:
|  Whois: Record found at whois.arin.net
|  netrange: 64.13.134.0 - 64.13.134.63
|  netname: NET-64-13-143-0-26
|  orgname: Titan Networks
|  orgid: INSEC
|_ country: US stateprov: CA
|  AS Numbers:
|  BGP: 64.13.128.0/21 and 64.13.128.0/18 | Country: US
|    Origin AS: 10565 - SVCOLO-AS - Silicon Valley Colocation, Inc.
|_     Peer AS: 3561 6461

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.09 seconds
