How to use Nmap to scan a networkDate: Jan 27, 2009
If you're in charge of penetration testing or network audits, you absolutely need to know how to use Nmap. In this in-depth demonstration, Peter Giannoulis of www.theacademypro.com takes a look at the popular port scanner and OS identifier.
Follow along as Peter explains how to use Nmap commands to map a network and find what ports are opening on a specific system.
Check out other demos of free tools at our SearchSecurity.com screencast page.
Read the full transcript from this video below. Please note the full transcript is for reference only and may include errors. To report an error, contact email@example.com.
How to use Nmap to scan a network
Peter Giannoulis: Hey, everybody. This is Peter Giannoulis, from the Academy.ca, and welcome to this month's SearchSecurity.com screencast. This month we're going to look at everybody's favorite port scanner/OS identification tool, that being Nmap, available at Insecure.org. What is Nmap? Basically, it's a freely available network mapper. It will assist you in finding or mapping out your network using ping-sweeping techniques or using the port scanner to find out what ports are opening on a specific system. So, it will allow you to do audits of systems, mapping of networks and so on. It is, by far, the most popular port scanner in the world. Probably one of the best things is that you can run it on any OS you want. Almost any flavor of Linux, Mac, Windows operating systems, all the way from the [Windows] 9x times, all the way up to Vista, believe it or not. It runs on everything. So, that's a great thing. Let's continue here, and we'll talk about where we can get Nmap and basically go ahead and install it, and so on.
Insecure.org is the actual website that hosts the Nmap tool. There's a ton of information there and documentation, and you can join the mailing list and all that good stuff but, if you just want to go right ahead and download the Nmap tool, you can go to Nmap.org/download.html. That's exactly what we're going to do. We've already downloaded the tool, but I'm going to show you the website here. This is the exact page where you'll see the source code distribution, the versions of Windows, Linux, Mac, and so on that you can download. We've downloaded the Windows installer. So, that's what we're going to go with now.
So, we got on our desktop. We double-click on it. We're going to go ahead, and install it. It's a really simple 'next', 'next' install. There's just a couple things that I'd like to point out. One is I'm going to deselect the Win PCap install, here. You do need it to run Nmap. I've already got it installed on this system because I've got Wireshark and other tools that rely on it on the system. So, we are going to go ahead and click on 'next,' and we'll install it in the default location of Program Files/Nmap, and there you go.
Nmap really takes a whacking 15 seconds to install. You'll see, now, that we have a nice little desktop icon. So, let's go ahead and double-click that and introduce you to the new GUI. You'll see, if you haven't played with Nmap for a while, the new GUI is actually really, really nice.
So, what we're going to do first is, we're going to look at this from a couple of different perspectives. We're going to look at it from a novice perspective and more the expert side, or someone that's been using the tool a lot longer. So, what I want to do first, here, is I want to actually go into the 'tool' menu and go ahead and create a new profile, using a wizard or the command wizard. You'll see here, you have the option to choose novice or expert. We're going to go with the novice this time, and I'll show you what the expert does later. Then, we'll click on next.
Now, in the next section, here, you have the option of keeping 'profile' selected or choosing 'command.' If you chose command, you can actually type the Nmap command you want to run, but if you knew all the switches, you probably wouldn't be doing the novice command wizards. So, we'll go ahead and leave the defaults there and we'll give our profile a name of 'Novice Profile.' So, we'll click on forward.
Now, in here, you can actually choose the type of scan you want to use. I want to use the TCP connect scan. So, the -sT option, if you look at the command line at the top there, you'll see that it's teaching you how to use the command line, as well, which is actually really important because there could be specific times where you don't have access to the actual GUI. Now, there's a bunch of different scans here, and I'm not going to get into the specifics of each one because it's totally out of the scope of this video, but if you know your TCP handshakes, and so on, and you know your SIM, SNAC [SP], AC [SP] , a lot of these will totally make sense. Their help files are amazing, so use them by clicking on the button on the left, there.
The reason why I want to do the 'connect scan' The 'connect scan' does create a little more noise and generates tons of firewall logs but it also gives you the best, or more detailed, scan. So, we'll go ahead and choose that. You'll see we have the operating system detection. We're not going to use that right now. You'll have the option of telling Nessus how to scan, how many packets to send out, and so on. You'll see, you have the 'paranoid,' where it doesn't send as many packets, in order to avoid detection but you also have the 'insane,' which means, 'go all out and hammer the host that we're going to scan.' We're going to leave that as 'none' and, basically, use the defaults and go to 'forward.'
Now, in here, you'll see, we have the ping options. So, we can say, 'Don't Ping before Scanning,' use the typical ICMP scan, or ping, use an ICMP timestamp request and so on. You might want to use some of those options if you, basically, want to get back specific results from the host, in order to map it properly. I find that, most of the time, if you're just doing a port scan, the 'Don't Ping before Scanning' is probably the best option because if you ping before scanning, and Nmap expects a reply from your ICMP echo request packet, it will stop the scan because you're obviously saying 'Ping. If you're not alive, don't continue.' We're going to go ahead and choose 'ICMP ping,' in this case, just to show you how that works. So, we'll go ahead and click on 'forward.' In here, you can choose different scripting options. We're not going to do any of that. It's totally out of the scope of the video. In here, or the -p option, you can choose the ports you want to scan.
I want to scan port 1 to 100, for now. I'm going to go ahead and click on 'forward.' This is the actual cool page. We are not going to do this in this video but you can set your own source IP address in order to decoy where you're coming from, set your own source port, really cool things. You, basically, can construct the packet the way you want it to be.
Then, go ahead and click on 'forward.' Some more different options here, debugging levels, fragmenting packets. We're going to leave those at the defaults and click on 'forward' and 'apply.'
So, now, what we want to do is go into our 'profile' drop-down and find the profile we've just created, which is the 'Novice Profile.' The only thing we're missing now is a target. So, we're going to go ahead and choose our target, which is 192.168.10.87. We'll go ahead and click on 'scan.' Now, you're going to see, in a hurry, that this scan takes about half a second. You'll see, what did we get back? 'Host seems down. If it is really up, it's blocking our ping probes.' So, essentially, the host that we're trying to scan is not responding to our ping, just like we were mentioning earlier in the video. So, let's go in and let's actually edit that profile.
We'll go back into 'profile.' We'll say, 'edit the current profile,' and we'll go into the 'ping' option and deselect 'ICMP ping' and select the 'Don't Ping before Scanning' option. Then, go ahead and press 'OK.'
Now, let's run the scan again and see what happens. So, hit 'scan' and you'll see in just a second, here. So, there we go, 'TCP port 22, normally associated with the SSH service.' Our actual port scan is complete because we're actually port scanning from port 1 to 100, and that's what came up.
Let's open up a DOS window here and telnet to that port, just for 100% accuracy. Let's see if it's actually up and running, and Nmap was right. So, telnet to port 22 and you'll see, SSH version 2, or SSH2 open SSH version 4.3. So, great. That scan was successful.
I find, if you're someone who actually does this on a regular basis, Nmap is a great tool, and it's very reliable but it's just a tool. The best thing to do is always manually go in and find out, and if something is really open the way Nmap is bringing it back.
Let's run another scan. Let's go into 'scan.' We're going to leave our 'connect scan' but we're actually going to go into 'ports to scan' and 'ports 100 to 500,' and let's see what Nmap brings back for us. So, 101 to 500, we'll press 'OK' and we'll go ahead and run our scan again. We'll see what Nmap brings back. Usually, this will take a bit of time. I've actually cut a bit out of this video so that we don't have to sit here and watch it. Depending on, obviously, how many ports you choose and the type of scan you choose, Nmap will come back with different types of results.
So, there's a bunch of different things you can do when running this tool. I would suggest running it in a lab environment with a bunch of different OSes, and run it with all the different options and see what it actually brings back.
OK. So, there we go. The host is up. It took 342 seconds to run the scan, but, obviously, we didn't wait that long. That's how long it took. You'll see, it brought back some typical Microsoft ports or Microsoft networking ports, as well as, 443, or HTTP. But it's also saying 'state closed,' so there are a bunch of different things related to why this means that it's in a closed state. OK? I suggest that you guys read the help documentation, so that you actually go through that.
So, let's move forward. We're going to go ahead in and do the 'command wizard' and choose 'expert.' Then, what happens, when you do that is, it actually brings up exactly what I just chose at the beginning, which is 'new profile.' We're going to go say, 'expert profile,' and it brings up this stuff, as opposed to, a wizard that says, 'what do you want to do?' It's almost the same, but the other one guides you just a bit more. So, you'll see, we chose 'operating system detection,' 'don't ping,' and we're going to go ahead and scan host 87 again. We'll choose from the drop-down or 'expert profile' and, actually, let's scan 201 this time. We'll go ahead and click on 'scan.'
Now, just for the guys who are probably saying, 'Well, that's not really expert.' Right? It may not be. Let's bring up a DOS window again. This is the way that Nmap was typically run. If we want to do a scan right now, I'll tell you what I'm typing in just a second. Nmap -pn, basically means 'don't ping.' - sT, means 'run a connect scan,' a TCP connect scan. Then, you would put your IP in. We press 'enter' and we let this run. We'll see what this actually brings back.
That's the way people that have been using Nmap for a long time typically do it. They run it on a Linux host or even the Windows version without a GUI. The Nmap scan is done, and you'll see all the open ports that it's found. Let's do a telnet to port 80 to ensure that that port's actually open. We can actually do some banner grabbing, ourselves, here. So, we'll telnet to 201, on port 80, and type 'get HTTP' and 'enter.' What we find? Apache 2.2.3. So, that's just a quick thing for you guys to, basically, learn. Sanitize your banners. It's really important.
So, in summary, Nmap is a freely available network mapper, port scanner. It's extremely popular. It's been around for a long time. It's an OS identification tool, as well, and supports a ton of different operating systems. If you're on the novice level, and you're just getting into info security, this is a tool you have to learn how to use. It is absolutely one of the tools you have to have on a CD that you use or on your laptop. It's part of your toolkit, especially if you're performing penetration tests, vulnerability assessments and audits, and so on.
So, anyway, thanks a lot guys for coming out. This is this month's SearchSecurity.com screencast. We will see you guys next month. Take it easy, guys.