On our previous article on Netcat, we were able to scan ports and see what services are running on a specific machine. Now, we’re gonna see a more specialized tool for these purposes, Nmap, a free and open source tool for network discovery and mapping.
In this blog post, we’ll be seeing how to install, use, and configure Nmap to meet our specific needs.
I. Nmap Installation
For installing Nmap, we have two options: one is to install from your operating system’s package repository and another is to install it from source. Most operating systems today already have nmap in their package repositories. But compiling from source is still an option if you want the latest versions installed though this may still come with some minor bugs (“bleeding edge”).
For the purposes of our demo, we will be using a Mac OSX Yosemite and an Ubuntu Server 14.04 in our Virtual Box. Let’s first go and install Nmap into our Ubuntu setup.
a. Installing from a repository
Nmap is already included in apt-get, Ubuntu package repository. So to install, we just need first to update and system then go and install Nmap:
sudo apt-get update
sudo apt-get install Nmap
b. Building from source
Note: For purposes of this demo on building from source, I provisioned another freshly installed Ubuntu server with Virtual Box.
Building from source takes more steps but nonetheless, also simple and easy.
- First, we need to download and unzip the source code of Nmap. As of time of writing, the latest nmap version is 7.01 which we will also be the one that we will be downloading:
wget http://nmap.org/dist/nmap-7.01.tar.bz2 tar xvf nmap-7.01.tar.bz2
- After we have unzipped the file, we can now compile and install Nmap:
./configure sudo make install
After installation from any of the options above, we can confirm that Nmap is indeed installed by issuing a simple help command with Nmap:
From our previous Netcat post, we were able to touch a little of port scanning. As we said before, ports are the gateways to your computer processes. For each service, there are assigned ports by convention: 80 for HTTP, 443 for HTTTPS, 21 for FTP, etc. But with these conventions, processes can still be assigned to operate on a different port number (i.e. running HTTP on 14343). Ports 1024 and below are usually the ones that are commonly used that is why programs wanting to listen to these ports must be ran as root.
Before we delve into port scanning, let’s first see the two primary protocols on networking: TCP and UDP.
TCP and UDP
Services can listen to ports can use either of this protocol s- and usually they do. TCP protocols are usually used for connections which need reliable service. It is also dubbed as connection-oriented since it needs to complete a handshake before establishing connections. Unlike UDP which just makes the best-effort delivery but guarantees no reliability. That is why UDP is also called the connectionless protocol. Since UDP is connectionless, it is much faster as there is no connection overhead. This is why for most applications requiring fast responses such as video and audio streaming, most of the time, UDP is used.
Above we have touched on how TCP, being connection oriented, requires a successful handshake before connection can be established.
TCP has what we call the three-way handshake in which three passes of messages occur between sender and receiver. These messages include SYN (synchronize) and ACK (acknowledge) packets.
Let’s try illustrating this handshake. Say we have two machines, Bob and Alice. Bob wants to start communicating to Alice, so he first starts with a SYN packet sent to Alice to initiate communication.
If Alice is ready and willing to communicate, she then sends a SYN/ACK pair (her own synchronize packet and an acknowledgement packet to the synchronize packet from Bob). Once Bob receives this SYN/ACK pair, he then sends an ACK to verify and confirm that connection is established.
One of the original and most common use of Nmap is being a port scanner. In order for Nmap to determine if a port is open and/or a host is alive, it attempts to connect to target hosts and ports by sending, most of the time, parts of these handshake. Depending on the response of the target port/host, Nmap gets to determine the status of that specific port.
A. Target / Simulation Environment
Scanning computers, especially those not yours, may lead to abuse complaints (or worse) that is why we should be very careful as to which target computers we choose to scan. One safe option is to setup virtual environments for you to tinker with.
In case you do not want to setup your own virtual machine or don’t have other machines in the network, you may also use a free service provided by the Nmap team at http://scanme.nmap.org.
With this free service though, you won’t be able to change the services running and the ports that they are in but for the purposes of scanning, they could already be enough.
For purposes of flexibility, we will be doing our scans for this demonstation on an Ubuntu Desktop 14.04 installed inside our Virtual Box.
In its simplest and most basic form, Nmap just scans the network with the default scan. By default, wen ran with sudo, it uses the TCP ping scan, which only makes half connections. Once the target port has replied with a SYN/ACK, it no longer replies with an ACK and instead just closes the connection. When not ran with root privileges, it instead uses the connect() method which establishes full connections.
Advantages of TCP ping scans is that since no connections was actually established, since the last ACK was not sent, it is able to escape many logging systems and detection systems. But detecting it is still possible, only the chances are minimized.
To perform a default scan, we setup our Ubuntu machine, and from the ifconfig command, we learn that its IP is 192.168.1.101:
One of our running processes is an Apache web server listening on port 80:
Let’s try doing a default port scan on our target, 192.168.1.101
Our default port scan discovered our running service on port 80. Yay!
Looking further on our virtual machine, we discover that another service, redis-server is also alive in port 6379.
Why wasn’t this seen by our default port scan?
By default, Nmap port scans only query the top 1000 ports (not the first 1000 but the top 1000 most used ports). This is maybe the reason why we didn’t see redis on our port scans.
To be able to also inspect other ports as well, especially those not belonging to the top 1000, Nmap provides a way to specify desired port ranges.
Specifying Scan Ranges
Services can be assigned to any ports from 1 to 65,535. And system administratots usually do place their service on high numbered ports to avoid detection by normal scans. With this scanning with just the 1000 ports may not be enough to find the “hiding” services. We need to specify a larger or more specific range that we are interested in:
a. Specific ports:
We can specify a specific port we want inspected with the -p flag:
nmap 192.168.1.101 -p 80
nmap 192.168.1.101 -p 6379
Here, when we targeted port 6379, it was already seen as open by Nmap.
b. Specific Range of IP Addresses
We can also scan a range of IP addresses by specifying them in their CIDR form:
nmap 192.168.1.0/24 -p 6379
Also in case, you need more information such as MAC Addresses, you may run the nmap command with root privileges:
sudo nmap 192.168.1.0/24 -p 6379
c. Specific port range
When we aren’t sure of the specific port our target process is running, we may just specify a specific port range that we want to probe. Also, this could be useful if we want a larger range of ports than our top 1000.
Specifying a port range is also still donw via the -p flag immediately followed by the port range you are interested in.
nmap 192.168.1.101 -p50-7000
c. All ports
The Nmap team has also provided a shortcut, the -p- flag, if you want all ports scanned. Using this though might take more time since more ports are queried.
nmap 192.168.1.101 -p-
Service Version Scan
In addition to knowing which ports are alive and open, it is also useful to know what exact services are running on these ports. This is especially useful if someone is running a service on a non-default port (i.e. http on 14343). Doing service version scans also provide us with the versions of the running services. This is useful especially if one is looking for vulnerabilities that are only present in certain versions of the software. It is important to tell what version is running and the vulnerabilities that can be exploited.
Now let’s run a service scan on our Ubuntu VM. We see that ports 21 and 80 are both open. Port 21 is usually used for FTP (file transfer protocol).
Now let’s further inspect this and determine what are the actual services running on these ports:
With our -sV flag on, we learned that it is actually a redis server that is running on our port 21 and not a FTP client.
We can also notice that the service scan took longer (18.80 seconds vs 1.24 seconds) as it still grabbed the banners of services it discovered.
Logging Scan: Logging Results to Logfiles
Surely, being able to scan networks realtime is a convenience. But sometimes, we also need to keep a history of network behaviour and states we have captured via Nmap. For these purpose, Nmap provides the -oA flag to be followed by your preferred base_filename.
nmap scanme.nmap.org -oA logname
With these command, three resulting files will be created:
1. <base_filename>.xml: results of scan in XML format
2.<base_filename>.nmap: human readable output
3.<base_filename>.gnmap: grep-able nmap output
Now that we have seen how to know which ports are open on a computer and which services are running on them, we now answer one basic prerequisite question. How do we know which hosts are online?
If we don’t have a specific IP address in mind whose ports we want to scan, fret not! Nmap provides commands to do ping sweeps. Given a range of IP addresses, it will determine which ports are online (even if some hosts tend to appear to be offline).
nmap -sn 192.168.1.0/24
What ping sweeps do is send ping / ICMP echo requests to which machines are designed to respond to. Ping sweeps are more efficient than port scans if you’re still identifying who your target host is as it only pings a few ports (and not the whole range nor the top 1000) to determine if a host is up.
C. Timing and Optimization
Nmap also provides the option for you to adjust the timings of your scan with the -T flag followed by a number from 1 to 5, with 5 indicating the fastest scan. Port scans by default are running on T3.
Surely, faster scans will provide quicker results and decrease waiting time, but this may also make your scan more vulnerable to detection by the target host. Also, some system administrators, as security measures, deliberately make hosts respond a little bit longer to requests. Having faster scans with shorter timeout allowances may overlook these actually alive hosts.
To just see a comparison of the speed of these scans, let’s try to run a T1 (sneaky) and a T5 (insane) all-port scan on our Ubuntu VM.
nmap 192.168.1.104 -p- -T5
nmap 192.168.1.104 -p- -T1
We can see from these that a T5 scan is significantly much faster than a T1 scan which is on the other side of the speed spectrum. The T5 scan was able to complete the scan on all ports in less than 5 seconds as opposed to our T1 scan only completing 0.02% in 5 minutes.
D. OS Detection
Nmap also provides the capability to determine what OS is running on a certain host:
sudo nmap scanme.nmap.org -O -Pn -vv -n
The -O flag allows us to detect the operating system. When used with this flag, Nmap must be ran with root privileges. Let’s go and try to detect the operating system of scanme.nmap.org:
Since Nmap is not so sure as to what the OS is, it gives out possibilities with their respective probabilities which is already very useful rather than not having any hints at all. 🙂
So there, we saw some of the basic scans and capabilities of Nmap. There is still so much more that Nmap has to offer, scripting engines and all, which deserves further reading! Check it out as well on the Nmap official website.
Lastly, we should not forget that just like any tool, the use of Nmap should be taken with diligence and care. 🙂
Thanks for reading!