Nmap Network Scanning
Chapter 4. Port Scanning Overview
A Quick Port Scanning Tutorial
One of my goals in developing Nmap is to keep the most common usage simple, while retaining the flexibility for custom and advanced scans. This is accomplished with the command-line interface by offering dozens of options, but choosing sane defaults when they are not specified. A newbie can start out with a command as simple as nmap <target>. Meanwhile, advanced users sometimes specify so many options that their terminal line wraps around.
A similar balance must be struck with command output. The most important results should stick out even to the occasional user who hasn't even read the man page. Yet the output should be comprehensive and concise enough to suit professional penetration testers who run Nmap against thousands of machines daily. Users smart enough to read this book or the Nmap source code benefit from greater control of the scanner and insights into what Nmap output really means.
This tutorial demonstrates some common Nmap port scanning scenarios and explains the output. Rather than attempt to be comprehensive, the goal is simply to acquaint new users well enough to understand the rest of this chapter.
The simplest Nmap command is just nmap by itself. This prints a cheat sheet of common Nmap options and syntax. A more interesting command is nmap <target>, which does the following:

1. Converts <target> from a hostname into an IPv4 address using DNS. If an IP address is specified instead of a hostname, this lookup is skipped.
2. Pings the host, by default with an ICMP echo request packet and a TCP ACK packet to port 80, to determine whether it is up and running (current Nmap releases also send a TCP SYN to port 443 and an ICMP timestamp request by default). If the host does not respond, Nmap reports that fact and exits. I could have specified -Pn to skip this test. See Chapter 3, Host Discovery ("Ping Scanning").
3. Converts the target IP address back to the name using a reverse-DNS query. Because of the way DNS works, the reverse name may not be the same as the <target> specified on the command line. This query can be skipped with the -n option to improve speed and stealthiness.
4. Launches a TCP port scan of the most popular 1,000 ports listed in nmap-services. A SYN stealth scan (-sS) is usually used, but connect scan (-sT) is substituted instead for non-root Unix users who lack the privileges necessary to send raw packets.
5. Prints the results to standard output in normal human-readable format, and exits. Other output formats and locations (files) can be specified, as described in Chapter 13, Nmap Output Formats.

Example 4.2 displays the results when scanme.nmap.org is used as <target>.
Example 4.2. Simple scan: nmap scanme.nmap.org

# nmap scanme.nmap.org

Starting Nmap ( https://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 994 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth

Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds
The first output line in Example 4.2 simply gives the URL for downloading Nmap. The time Nmap started and the version number are normally provided as well, though these were generally removed from this book for consistency and to avoid line wrapping.
The next line provides the target IP address (IPv4 in this case) and the reverse DNS name (also known as the PTR record) if it is available. Nmap promises to show the "interesting ports", though all ports scanned are accounted for. The ports considered most interesting because they are open or in a rarely-seen state for that host are itemized individually. When many ports are in a single non-open state, they are considered a default state and aggregated onto a single line to avoid diluting the results with thousands of uninteresting entries. In this case, Nmap notes that 994 ports are filtered. Together with the six itemized ports, that accounts for all 1,000 ports scanned.
The interesting ports table comes next, and provides the key scan results. The columns vary depending on the options used, but in this case provide the port number and protocol, state, and service protocol for each port. The service here is just a guess made by looking up the port in nmap-services; nothing has been exchanged with the service at this point. The service would be listed as unknown if any of the ports had no name registered in that file. Three of these ports are open and three are closed.
Finally, Nmap reports some basic timing stats before it exits. These stats are the number of targets specified, the number of those that the ping scan found to be up, and the total time taken.
While this simple command is often all that is needed, advanced users often go much further. In Example 4.3, the scan is modified with four options. -p0- asks Nmap to scan every possible TCP port (0 through 65535, so 65,536 ports rather than the default 1,000), -v asks Nmap to be verbose about it, and -A enables aggressive tests such as remote OS detection, service/version detection, traceroute, and the Nmap Scripting Engine (NSE). Finally, -T4 enables a more aggressive timing policy to speed up the scan.
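Because -p0- selects 65,536 ports (0 through 65535) while the more common -p- selects 65,535, it helps to see exactly how a -p specification expands. The following Python function is an added example, not Nmap's own code. It implements the documented subset of the -p syntax (comma lists, single ports, A-B ranges, open-ended ranges, and T:/U: protocol qualifiers) and takes the specification without the -p prefix; service names such as -p http and wildcards are deliberately left out.

```python
"""Expand an Nmap-style -p port specification into the (protocol, port)
pairs it selects. Added example, not Nmap's own code. Supported subset:
comma lists, single ports, A-B ranges, open-ended ranges ('-B', 'A-',
'-'), and T:/U: qualifiers. Service names and wildcards are not handled."""

MAX_PORT = 65535


def expand_port_spec(spec, default_proto="tcp"):
    """Return a sorted list of (proto, port) tuples selected by SPEC.

    Range rules as documented for Nmap's -p: an omitted start means 1 and
    an omitted end means 65535, so '-' is 1-65535 while '0-' is 0-65535.
    A 'T:' or 'U:' qualifier applies to every item after it until the
    next qualifier.
    """
    selected = set()
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":":
            qualifier, item = item[0].upper(), item[2:]
            if qualifier == "T":
                proto = "tcp"
            elif qualifier == "U":
                proto = "udp"
            else:
                raise ValueError(f"unsupported protocol qualifier {qualifier!r}")
        if not item:
            raise ValueError("empty item in port specification")
        if "-" in item:
            start, end = item.split("-", 1)
            low = int(start) if start else 1
            high = int(end) if end else MAX_PORT
        else:
            low = high = int(item)
        if not 0 <= low <= high <= MAX_PORT:
            raise ValueError(f"port range {item!r} is out of order or out of bounds")
        selected.update((proto, p) for p in range(low, high + 1))
    return sorted(selected)


def port_count(spec):
    """Number of distinct (protocol, port) pairs SPEC selects, i.e. the
    figure Nmap reports as '[N ports]' in verbose output."""
    return len(expand_port_spec(spec))


if __name__ == "__main__":
    for s in ("0-", "-", "22,80,443", "U:53,111,T:21-25,80"):
        print(f"-p{s}: {port_count(s)} ports")
```

port_count("0-") returns 65536, matching the "[65536 ports]" figure in the verbose output below, and overlapping ranges are deduplicated the way Nmap does, so -p1-5,3-8 is eight ports, not eleven.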
Example 4.3. More complex: nmap -p0- -v -A -T4 scanme.nmap.org

# nmap -p0- -v -A -T4 scanme.nmap.org

Starting Nmap ( https://nmap.org )
Completed Ping Scan at 00:03, 0.01s elapsed (1 total hosts)
Scanning scanme.nmap.org (64.13.134.52) [65536 ports]
Discovered open port 22/tcp on 64.13.134.52
Discovered open port 53/tcp on 64.13.134.52
Discovered open port 80/tcp on 64.13.134.52
SYN Stealth Scan Timing: About 6.20% done; ETC: 00:11 (0:07:33 remaining)
Completed SYN Stealth Scan at 00:10, 463.55s elapsed (65536 total ports)
Completed Service scan at 00:10, 6.03s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (64.13.134.52)
Initiating Traceroute at 00:10
64.13.134.52: guessing hop distance at 9
Completed SCRIPT ENGINE at 00:10, 4.04s elapsed
Host scanme.nmap.org (64.13.134.52) appears to be up ... good.
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 65530 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  closed smtp
53/tcp  open   domain  ISC BIND 9.3.4
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
|_HTML title: Go ahead and ScanMe!
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime guess: 2.457 days (since Thu Sep 18 13:13:24 2008)
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT   ADDRESS
[First eight hops cut for brevity]
9   10.36 metro0.sv.svcolo.com (208.185.168.173)
10  10.29 scanme.nmap.org (64.13.134.52)

Nmap done: 1 IP address (1 host up) scanned in 477.23 seconds
           Raw packets sent: 131432 (5.783MB) | Rcvd: 359 (14.964KB)
Nmap certainly provided the requested verbosity in Example 4.3! Fortunately the extra output is easy to understand. The first 13 new lines are runtime information letting the user know what is happening as she stares expectantly at the terminal, hoping for good news. What constitutes good news depends on whether she is a systems administrator who has to fix problems, a pen-tester who needs some issues to report on, or a black-hat cracker trying to exploit them. About a dozen similar lines were removed for brevity. The "discovered open port" lines provide as-it-happens notification of open ports so that she can start banging on them before the scan even finishes. The "scan timing" line provides a completion time estimate, so she knows whether to keep staring at the screen or have lunch. Since network conditions (latency, congestion, bandwidth, etc.) and packet filtering rules vary so much, the same scan options may take 30 seconds to complete against one host and 45 minutes against another. If you want the current time estimate while scanning, just press enter. Pressing v, d, or p during a scan raises the verbosity, debugging, or packet tracing level respectively, so a scan that turns out to need more detail does not have to be restarted.
The port table shows no new ports. All the extra ports scanned are in the filtered state, raising the filtered port total from 994 to 65,530. While there are no new itemized ports, the entries have changed. A new VERSION column provides the application name and version details for the listening service. This comes from service detection, one of the features enabled by the -A option. Another feature of service detection is that all of the service protocols in the SERVICE column have actually been verified. In the previous scan, they were based on the relatively flimsy heuristic of an nmap-services port number lookup. That table lookup happened to be correct this time, but it won't always be. When version detection cannot confirm what is listening on an open port, Nmap appends a question mark to the service name (for example, ssh?) to flag that the entry is still only the port-table guess.
Another feature added by -A is the Nmap Scripting Engine, which is discussed in depth in Chapter 9, Nmap Scripting Engine. The only script shown here is HTML title (now named http-title). Dozens of other scripts exist, but none found useful output for this machine. The traceroute results were also added by -A. This option is more efficient and more powerful than most traceroute programs since probes are performed in parallel and Nmap uses scan results to determine a favorable probe type (TCP packets to port 80 in this case, since that port is known to be open and therefore likely to pass any filtering in the path).
Most of the remaining new lines come from OS detection (also enabled by -A), which is discussed in depth in Chapter 8, Remote OS Detection. The final line shows that all this extra info came at a price: the scan took almost 100 times longer than Example 4.2, "Simple scan: nmap scanme.nmap.org", to complete (477 seconds compared to 5). Nearly all of that time went into the 65,536-port SYN scan against a host that silently drops most probes; the service scan, OS detection, traceroute and scripts together took only a few seconds.
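Both examples above are read by hand, but someone who runs Nmap against many hosts wants the same checks done mechanically: reconcile the itemized ports plus the "Not shown" aggregate against the number of ports scanned, pull out the open ports with their VERSION strings, and keep NSE script lines attached to the port they belong to. The following Python parser for Nmap's normal output is an added example, not code from Nmap or from this book. The sample output it parses is constructed from Examples 4.2 and 4.3 on this page (Example 4.3 trimmed to the lines the parser uses), and the 1,000-port fallback is an assumption that holds only for scans run without -p.

```python
"""Parse Nmap normal (human-readable) output, as shown in Examples 4.2 and
4.3, into structured records and check the port accounting. Added example;
not code from Nmap or this book. The sample output below is constructed
from the two examples on this page (Example 4.3 trimmed)."""

import re

DEFAULT_TOP_PORTS = 1000  # assumption: what a plain 'nmap <target>' scans

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
SCANNING_RE = re.compile(r"^Scanning .*\[(\d+) ports\]")  # -v, single host
# Newer Nmap writes e.g. 'Not shown: 994 filtered tcp ports (no-response)'
# and may list several states on one line, so capture every count/state pair.
NOT_SHOWN_RE = re.compile(r"(\d+) (\S+)(?: tcp| udp| sctp)? ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\|[_ ](.*)$")  # NSE output lines, e.g. |_HTML title: ...
OS_RE = re.compile(r"^OS details: (.*)$")


def parse_normal_output(text):
    """Return one dict per 'Nmap scan report for' block (one per host)."""
    hosts, host, port, scanned = [], None, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := SCANNING_RE.match(line):        # precedes the report in -v output
            scanned = int(m.group(1))
        elif m := REPORT_RE.match(line):
            host = {"name": m.group(1), "ip": m.group(2) or m.group(1),
                    "ports_scanned": scanned, "not_shown": {}, "ports": [],
                    "os": None}
            hosts.append(host)
            port, scanned = None, None
        elif host is None:
            continue                             # banner lines before any report
        elif line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_RE.findall(line):
                host["not_shown"][state] = int(count)
        elif m := PORT_RE.match(line):
            port = {"port": int(m.group(1)), "proto": m.group(2),
                    "state": m.group(3), "service": m.group(4),
                    "version": m.group(5) or "", "scripts": []}
            host["ports"].append(port)
        elif line.startswith("Host script results:"):
            port = None                          # following | lines are host scripts
        elif (m := SCRIPT_RE.match(line)) and port is not None:
            port["scripts"].append(m.group(1))
        elif m := OS_RE.match(line):
            host["os"] = m.group(1)
    return hosts


def state_counts(host):
    """Ports per state, folding the 'Not shown' aggregate back in."""
    counts = dict(host["not_shown"])
    for p in host["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


def unaccounted_ports(host, ports_scanned=None):
    """Ports neither itemized nor covered by 'Not shown'; 0 means the table
    is complete. Falls back to the 1,000-port default when the output did
    not state how many ports were scanned (non-verbose runs)."""
    total = ports_scanned or host["ports_scanned"] or DEFAULT_TOP_PORTS
    return total - sum(state_counts(host).values())


def open_ports(host):
    """(port, proto, service, version) for every open port."""
    return [(p["port"], p["proto"], p["service"], p["version"])
            for p in host["ports"] if p["state"] == "open"]


# Constructed from Example 4.2 on this page.
SIMPLE_SCAN = """\
Starting Nmap ( https://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 994 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth

Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds
"""

# Constructed from Example 4.3 on this page, trimmed to the parsed lines.
VERBOSE_SCAN = """\
Scanning scanme.nmap.org (64.13.134.52) [65536 ports]
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 65530 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  closed smtp
53/tcp  open   domain  ISC BIND 9.3.4
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
|_HTML title: Go ahead and ScanMe!
113/tcp closed auth
OS details: Linux 2.6.20-1 (Fedora Core 5)
"""

if __name__ == "__main__":
    for sample in (SIMPLE_SCAN, VERBOSE_SCAN):
        for h in parse_normal_output(sample):
            print(h["name"], state_counts(h), "unaccounted:", unaccounted_ports(h))
            for number, proto, service, version in open_ports(h):
                print(f"  {number}/{proto} {service} {version}".rstrip())
```

For both samples unaccounted_ports() returns 0, which is the "all ports scanned are accounted for" promise made above, checked rather than assumed. The normal format is written for people and Nmap does not guarantee it stays stable between releases; for anything beyond a quick check, have Nmap write XML with -oX and parse that, as described in Chapter 13.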