NMap, or the Network Mapper, is an excellent tool for network auditing and discovery and one which I use several times a day. NMap is the kind of application I would very readily pay for, but I am fortunate that NMap is free and open-source.
Let’s go over a couple examples of how you can use NMap.
If I wanted to know how many hosts responded to a ping in the 192.168.1.0/24 subnet I could use the following NMap command:
nmap -sP 192.168.1.0/24
This command executes what is commonly referred to as a “ping sweep” which, in so many words, sweeps the 192.168.1.0 subnet (/24 is CIDR notation indicating an entire class C subnet of 254 usable hosts) for hosts that respond to a ping. This command will output hosts one at a time with MAC address info and IPs, and it will guess at the type of physical machine detected. This is a very useful first step because it tells you the IPs of hosts that send back an ICMP echo reply as well as their MAC addresses, which will allow you to track down a misbehaving device. Let’s say that the above command told you that 192.168.1.25 was up and you wanted to know a little bit more about it than NMap’s guess that it is some kind of Dell computer. You could use the following:
nmap 192.168.1.25
This type of scan is very basic and, as you can see, has no options specified. It will scan a single host for open ports 1024 and lower as well as any ports you’ve specified in the nmap-services file. The scan will return information about the open ports discovered as well as listing the common protocol associated with each open port. If you want to do a non-sequential scan you can add the -r flag, which may help you avoid a poorly configured intrusion detection system, like so:
nmap -r 192.168.1.25
In this example the output of the host scan indicates that ports 21 (ftp) and 22 (ssh) are listening. This, by itself, doesn’t tell me much about this host, so let’s attempt to match this machine’s OS fingerprint to the known fingerprints in the NMap database:
nmap 192.168.1.25 -O -p 21,22
This command tells NMap to investigate the device with IP 192.168.1.25 using the open ports we detected and try to tell us what the operating system is. If you can’t specify an open port, NMap may throw up a warning message indicating that without an open TCP port it may have trouble fingerprinting the OS. NMap runs for a moment and tells me that this machine is 64.3% likely to be running FreeBSD 4.3. That’s still pretty wide open, since it’s only 2/3 likely to be FreeBSD and 1/3 likely to be something else like NetBSD, OpenBSD, or Mac OS X Darwin. Heck, it could even be Linux or something embedded. Maybe if we investigate those open ports we can find out what kind of services are running there. We can do that using:
nmap 192.168.1.25 -sV -p 22
This command scans the IP specified and looks for the version of ssh running there. Mine reports OpenSSH version 3.9p1. Knowing this I could then look for a vulnerability specific to this OpenSSH version and attempt to exploit it. Or, I could surmise that this is a Unix machine running OpenSSH.
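As an added example that is not part of the original post: once you run sweeps like the ones above regularly, the useful defensive step is turning the output into a host and open-port inventory you can diff over time. The parser below reads NMap’s grepable output format (the -oG option, which the post itself does not use; the sample output is constructed, not captured from a real network) and lists every host that answered and every open port with the service/version string a -sV scan fills in.

```python
import re
from collections import defaultdict

# Constructed sample of NMap grepable output (-oG), as produced by a command
# such as: nmap -sV -oG - 192.168.1.0/24  (values are made up for illustration)
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sV -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/, 80/open/tcp//http//lighttpd 1.4/\tIgnored State: closed (998)
Host: 192.168.1.25 ()\tStatus: Up
Host: 192.168.1.25 ()\tPorts: 21/open/tcp//ftp//, 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/, 23/closed/tcp//telnet//\tIgnored State: filtered (997)
Host: 192.168.1.30 ()\tStatus: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")

def parse_grepable(text):
    """Return {ip: {"hostname", "up", "ports"}} from -oG text (tab-separated fields)."""
    hosts = defaultdict(lambda: {"hostname": "", "up": False, "ports": []})
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # banner / trailer comment lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        entry = hosts[m.group(1)]
        entry["hostname"] = m.group(2)
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                entry["up"] = True  # a Ports line only appears for responding hosts
                for spec in value.split(", "):
                    # Each entry is port/state/proto/owner/service/rpc/version/
                    parts = spec.strip().split("/")
                    entry["ports"].append({"port": int(parts[0]), "state": parts[1],
                                           "proto": parts[2], "service": parts[4],
                                           "version": parts[6]})
    return dict(hosts)

def alive_hosts(hosts):
    """IPs that answered the sweep, sorted (the -sP ping-sweep view)."""
    return sorted(ip for ip, h in hosts.items() if h["up"])

def open_services(hosts):
    """(ip, port, service, version) rows for every open port, sorted for inventory."""
    return sorted((ip, p["port"], p["service"], p["version"])
                  for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open")
```

Saving the rows from each run and diffing them against the previous run shows new hosts and newly opened ports, which is the practical reason to keep sweeps like these on a schedule.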
There are many options when using NMap, and you can check out the man page for those, but the examples above are useful for getting some basic info about hosts and subnets.