Nmap

Nmap, short for Network Mapper, is a program that is used to discover hosts and services on a computer network; in effect, it builds a map of the network. It is often used for network security audits, but it is also useful for routine administrative tasks such as checking what is actually listening on a segment. When you run Nmap, the output is a list of scanned targets. What that list contains depends on the options used, but a port scan always produces a table of interesting ports, the service associated with each port, and the state of the port. The basic states are open, closed, filtered, and unfiltered; when Nmap cannot decide between two of them it reports a combined state such as open|filtered. These states can be defined as follows:

  • Open: An application is listening on this port and accepting TCP connections or UDP datagrams. These are the ports of most interest in an audit, since each one is a potential attack surface.
  • Filtered: Packet filtering (a firewall, router ACL, or host-based filter) prevents Nmap's probes from reaching the port, so Nmap cannot tell whether it is open or closed. Usually the probe is simply dropped; sometimes an ICMP unreachable error comes back instead.
  • Closed: The port is reachable (it answers the probe, for example with a TCP RST), but no application is listening on it. A closed port still tells you the host is up and that nothing is filtering that port.
  • Unfiltered: The port responds to Nmap's probes, so it is reachable, but the scan type being used cannot determine whether it is open or closed. Only the ACK scan, which is used to map firewall rules, classifies ports this way; scanning an unfiltered port with a SYN or connect() scan resolves the state.

To begin using Nmap, navigate to Diagnostics | NMap. Enter the IP address or hostname you want to scan in the IP or Hostname edit box. In the Interface drop-down box, select the interface from which the probes should be sent. The Scan Method drop-down box is where you select how the scan is carried out; note that two of the methods (Ping and ARP) only discover hosts and do not scan ports at all. The options are as follows:

  • SYN (-sS): Establishing a TCP connection involves a three-way handshake: the client sends a SYN, the server answers with a SYN-ACK to acknowledge it, and the client completes the connection with an ACK. A SYN scan never completes this handshake. Nmap sends a SYN and interprets the reply: a SYN/ACK (or, rarely, a bare SYN) means the port is open, and Nmap answers with an RST instead of an ACK so that no connection is ever established; an RST means the port is closed; no response after retransmissions, or an ICMP unreachable error, means the port is filtered. Because the handshake is never completed, the application on the target never sees a connection, which makes this scan fast and relatively quiet. Sending raw SYN packets requires root privileges, which is why it is Nmap's default when run as root.
  • TCP connect() (-sT): Instead of crafting raw packets, Nmap asks the operating system to open each connection with the same connect() call from the Berkeley Sockets API that ordinary network applications use (FreeBSD, on which pfSense is built, implements this API, as does virtually every other operating system). This completes the full three-way handshake, so the target application sees a real connection and will usually log it, and Nmap then has to tear each connection down. The method is therefore slower and more likely to be logged than a SYN scan, but it is the only TCP scan available when Nmap lacks the privileges to send raw packets.
  • Ping (-sn, written -sP in older versions): This is host discovery, not a port scan, and ICMP itself has no notion of ports. Nmap sends its discovery probes to each target (by default, when run as root, an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request) and reports which hosts are up; no port table is produced. Use it to find which addresses in a range are alive before scanning them in detail.
  • UDP (-sU): Nmap sends a UDP packet to every scanned port. For ports commonly associated with a specific protocol (for example, 53 for DNS or 161 for SNMP), a protocol-specific payload is sent instead of an empty datagram, which increases the chance that a listening service answers. If a UDP response is received, the port is marked as open. If an ICMP port unreachable error (type 3, code 3) is received, the port is marked as closed, while other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark it as filtered. If there is no response at all, the port is marked as open|filtered: an open UDP service usually ignores a datagram it does not understand, and that silence looks exactly like a probe that was dropped by a firewall (keep in mind that UDP is connectionless, so there is no handshake to confirm a listener). One problem with UDP scanning is that it tends to take much longer than TCP scanning. Open UDP ports rarely respond, so for every silent port Nmap waits for a timeout and then retransmits the probe to make sure the packet was not simply lost. Closed or filtered ports that return an ICMP error should answer quickly, but many operating systems rate-limit those errors (Linux, for example, sends at most one destination unreachable message per second by default), which can stretch a full 65,536-port UDP scan to many hours. Combining -sU with version detection (-sV) helps, because a service that answers a protocol-specific probe resolves open|filtered to open. Despite the cost, it is good practice to include a UDP scan in your security audit, since services such as DNS, SNMP, and NTP live there.
  • ARP (-PR): This is the preferred method for discovering hosts on a local network. Sending an Address Resolution Protocol (ARP) request to each address on the local segment is, in most cases, faster and more reliable than an IP-based probe, because every host must answer ARP in order to communicate at all, whereas ICMP or TCP probes may be filtered. Nmap does this automatically when it sees that the targets are on a directly connected Ethernet network, and it cannot work across a router. Unless there are other reasons for not using ARP, use it when scanning hosts on one of the firewall's local interfaces.

There are also several checkboxes, each of which corresponds to an Nmap command-line option:

  • -P0 (now written -Pn): Do not ping hosts before scanning; treat every target as up. By default, Nmap only port scans hosts that answer its discovery probes, and some networks do not allow ICMP echo requests and responses through their firewall. A host behind such a firewall would be reported as down and never scanned, so when auditing such a network you may want to skip this step even though it is normally part of Nmap's discovery process. The cost is that Nmap will also spend time scanning addresses that are genuinely unused.
  • -sV: Attempt to identify service versions. With this option, for every TCP or UDP port found open, Nmap version detection communicates with the service and tries to determine what is running: the service protocol (for example, FTP, SSH, or HTTP), the application name (for example, Apache), the version number, and sometimes other miscellaneous details such as the hostname or operating system the service reports. This is also the main way to resolve UDP ports left in the open|filtered state.
  • -O: Enable operating system detection. Nmap sends a series of TCP, UDP, and ICMP probes to the host and compares the responses (TCP/IP stack quirks such as initial sequence number generation, TCP option ordering, and IP ID behaviour) against its database of known OS fingerprints to determine the OS of the host. Detection works best when the host has at least one open and one closed TCP port; if it does not, Nmap warns that the result may be unreliable.

It should be noted that the options on the Nmap page represent only a fraction of the options available for Nmap. They may be enough for your purposes, but it is worth reading the Nmap documentation and, if there is an option that cannot be invoked from this page, running Nmap from the command line, either by dropping to the shell from the console or via SSH, or by navigating to Diagnostics | Command Prompt.
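Running Nmap from the shell also lets you request machine-readable output, for example -oG (greppable) or -oX (XML), which the Diagnostics page does not offer and which makes it practical to compare audits over time. The parser below is an added example written for this page; it is not part of the chapter, of pfSense, or of Nmap. The scan output it processes is a constructed sample of what `nmap -sS -sU -sV -Pn -oG -` prints, not a real scan, and the baseline set of allowed ports and the follow-up rule are assumptions made for illustration.

```python
"""Triage Nmap greppable (-oG) output by port state.

Added example for this page. SAMPLE_GREPPABLE is a constructed sample of
`nmap -sS -sU -sV -Pn -oG - <host>` output, not a real scan result.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample output (not a real scan). Fields on a "Host:" line are
# tab-separated; each entry in the Ports field has the layout
#   port/state/protocol/owner/service/rpc-info/version-info/
SAMPLE_GREPPABLE = """\
# Nmap 7.94 scan initiated Tue Jan  2 10:00:00 2024 as: nmap -sS -sU -sV -Pn -oG - 192.168.1.10
Host: 192.168.1.10 (fileserver.lan)\tStatus: Up
Host: 192.168.1.10 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4 (protocol 2.0)/, 80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///, 53/open|filtered/udp//domain///, 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: filtered (1995)
# Nmap done at Tue Jan  2 10:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# What each Nmap port state means for an audit.
STATE_MEANING = {
    "open": "an application is accepting connections or datagrams",
    "closed": "reachable, but nothing is listening",
    "filtered": "probe dropped by a packet filter; open or closed unknown",
    "unfiltered": "reachable, but this scan type cannot tell open from closed",
    "open|filtered": "no response at all; open or filtered (typical for UDP)",
    "closed|filtered": "closed or filtered (only produced by the idle scan)",
}

# Assumption for illustration: ports a previous audit recorded as open.
BASELINE_OPEN = {("tcp", 22), ("tcp", 80)}


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_greppable(text: str) -> list[PortResult]:
    """Return one PortResult per port entry in -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." comment lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # the "Status: Up" line has no Ports field
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                raise ValueError(f"malformed port entry: {entry!r}")
            port, state, proto, _owner, service, _rpc = parts[:6]
            if state not in STATE_MEANING:
                raise ValueError(f"unknown port state: {state!r}")
            # Version info is the seventh field; rejoin it in case it held a '/'
            # and strip the trailing slash that ends every entry.
            version = "/".join(parts[6:]).rstrip("/")
            results.append(PortResult(host, int(port), proto, state, service, version))
    return results


def state_counts(results: list[PortResult]) -> Counter:
    return Counter(r.state for r in results)


def exposed_ports(results: list[PortResult]) -> list[tuple[str, int, str]]:
    """Ports that definitely have a listener: the attack surface an audit cares about."""
    return [(r.proto, r.port, r.service) for r in results if r.state == "open"]


def needs_followup(results: list[PortResult]) -> list[PortResult]:
    """Ambiguous states: UDP open|filtered (silent port) or ACK-scan unfiltered.
    Re-probe these with -sV or a service-specific tool before drawing conclusions."""
    return [r for r in results if r.state in ("open|filtered", "unfiltered")]


def new_exposure(results: list[PortResult], baseline: set) -> set:
    """Open ports that were not open in the baseline audit."""
    return {(r.proto, r.port) for r in results if r.state == "open"} - baseline


if __name__ == "__main__":
    res = parse_greppable(SAMPLE_GREPPABLE)
    for r in res:
        print(f"{r.host} {r.port}/{r.proto:3} {r.state:14} {r.service:7} "
              f"{r.version or '-'}  ({STATE_MEANING[r.state]})")
    print("counts:", dict(state_counts(res)))
    print("follow up:", [(r.proto, r.port) for r in needs_followup(res)])
    print("new since baseline:", sorted(new_exposure(res, BASELINE_OPEN)))
```

Saving each run with -oG and feeding it through new_exposure against the previous run turns a one-off scan into a change-detection control: a port that appears in the difference is either a deliberate change somebody can account for or something that needs investigating. The follow-up list is where the UDP caveats above bite; an open|filtered result is not evidence that a port is safe, only that nothing answered.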
