NMAP - The Network Scanner

NMAP by Rohit Parab @ null Mumbai Meet, May, 2011

Transcript of NMAP - The Network Scanner

Page 1: NMAP - The Network Scanner

http://null.co.in/ http://nullcon.net/

Nmap The Network Scanner

Page 2: NMAP - The Network Scanner


Module 1: Getting Started

Page 3: NMAP - The Network Scanner

What is Nmap?

• Nmap = Network Mapper
• Written by Fyodor
– http://insecure.org
• Free!
• Open source, constant development


Page 4: NMAP - The Network Scanner

Know your protocols

• IP – Internet Protocol
• TCP – Transmission Control Protocol
• UDP – User Datagram Protocol
• ICMP – Internet Control Message Protocol


Page 5: NMAP - The Network Scanner

Anatomy of a scan

• Step 1: DNS lookup
– (Unless you use an IP address)
• Step 2: Nmap “pings” the remote device
– (This is not an ICMP echo request)
• Step 3: Reverse DNS lookup
• Step 4: Do the scan!
• Step 5: Analyze the scan results


Page 6: NMAP - The Network Scanner

Module 2: Basic Scans


Page 7: NMAP - The Network Scanner

• TCP SYN scan (-sS)
• TCP connect() scan (-sT)
• Ping scan (-sP)
• UDP scan (-sU)


Page 8: NMAP - The Network Scanner

Module 3: Useful scanning options

• Excluding and including targets
– Excluding from the command line or a file
– Using a file to list your targets
• Port number options
– Limit your scans
– Focus your efforts


Page 9: NMAP - The Network Scanner

Excluding Targets

• --exclude <host1,host2,...>
– Command line only
– Must specify each time
• --excludefile <exclude_filename>
– One option excludes many hosts
– Keep your list handy!


Page 10: NMAP - The Network Scanner

Including Targets

• -iL <inputfilename>
• Addresses can be separated by tabs, spaces, or newlines


Page 11: NMAP - The Network Scanner

Specifying port numbers

• Specifying port numbers
– -p <port range>
– -p 23,34,43,123-144
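Pages 9 to 11 describe three scope options (--exclude / --excludefile, -iL with tab-, space- or newline-separated addresses, and -p with comma lists and ranges). The Python below is an added example, not code from the slides or from the Nmap project: it models how those inputs are parsed and what is left to scan once exclusions are applied, and it rejects the malformed input a sloppy parser would silently accept (reversed ranges, empty items, ports above 65535, non-host tokens). All function names and the sample file contents are constructed for illustration.

```python
# Added example (not from the slides or from Nmap itself): a small model of the
# scope options on pages 9-11. Function names and sample inputs are constructed.
from __future__ import annotations
import ipaddress
import re

# Plausible DNS name: labels of letters/digits/hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def _is_target(token: str) -> bool:
    """Accept a single IP, a CIDR block, or a plausible hostname."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(token))


def parse_target_list(text: str) -> list[str]:
    """-iL / --excludefile body: tokens split on tabs, spaces or newlines.
    Keeps first-seen order, drops duplicates and '#' comments, rejects junk."""
    seen: set[str] = set()
    targets: list[str] = []
    for line in text.splitlines():
        for token in line.split("#", 1)[0].split():
            if token in seen:
                continue
            if not _is_target(token):
                raise ValueError(f"not a valid target: {token!r}")
            seen.add(token)
            targets.append(token)
    return targets


def apply_exclusions(targets: list[str], exclude_cli: str = "",
                     exclude_file_text: str = "") -> list[str]:
    """--exclude is a comma list; --excludefile reuses the -iL format. An excluded
    CIDR removes every address or block inside it; hostnames match literally."""
    raw = [t for t in exclude_cli.split(",") if t] + parse_target_list(exclude_file_text)
    nets, names = [], set()
    for item in raw:
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            names.add(item)
    kept = []
    for t in targets:
        if t in names:
            continue
        try:
            net = ipaddress.ip_network(t, strict=False)
        except ValueError:
            kept.append(t)                     # hostname not on the exclude list
            continue
        if not any(net.version == n.version and net.subnet_of(n) for n in nets):
            kept.append(t)
    return kept


def _port(s: str) -> int:
    if not s.isdigit():
        raise ValueError(f"not a port number: {s!r}")
    n = int(s)
    if n > 65535:
        raise ValueError(f"port out of range: {n}")
    return n


def parse_ports(spec: str) -> list[int]:
    """Expand the -p grammar shown on the slide: comma-separated ports and
    inclusive lo-hi ranges such as "23,34,43,123-144". Rejects empty items,
    non-numeric input, ports above 65535 and reversed ranges. (Nmap's real
    grammar also accepts T:/U: prefixes and an open-ended "-"; omitted here.)"""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port item in spec")
        if "-" in item:
            lo, hi = (_port(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed range: {item}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(_port(item))
    return sorted(ports)


# Constructed sample inputs: an -iL file body with mixed separators, a
# duplicate and a comment, plus an --excludefile body.
SAMPLE_INPUT_FILE = (
    "10.0.0.5 10.0.0.6\t10.0.0.7\n"
    "192.168.1.0/30\n"
    "host1.example.test  # constructed name\n"
    "10.0.0.5\n"
)
SAMPLE_EXCLUDE_FILE = "10.0.0.7\n"


def scan_scope(input_file_text: str, exclude_cli: str, exclude_file_text: str,
               port_spec: str) -> tuple[list[str], list[int]]:
    """What a scan would actually iterate over: surviving targets and ports."""
    targets = apply_exclusions(parse_target_list(input_file_text), exclude_cli, exclude_file_text)
    return targets, parse_ports(port_spec)


if __name__ == "__main__":
    hosts, ports = scan_scope(SAMPLE_INPUT_FILE, "10.0.0.6,host1.example.test",
                              SAMPLE_EXCLUDE_FILE, "23,34,43,123-144")
    print(hosts)   # ['10.0.0.5', '192.168.1.0/30']
    print(ports)
```

The point of validating rather than silently skipping bad tokens is the same reason the slide says to keep your exclude list handy: a typo in an exclusion or a reversed range quietly widens the scope, and the safe failure mode is to refuse to start.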


Page 12: NMAP - The Network Scanner

Module 4: Ping options

• What’s “ping”?
• Default pings
– ARP ping
– ICMP and TCP ACK ping
• TCP SYN ping
• UDP ping
• Don’t ping before scanning


Page 13: NMAP - The Network Scanner

What’s “ping”?

• An Nmap ping confirms the existence of the target system
• An Nmap ping does not (necessarily) refer to an ICMP echo request
• We can disable this ping requirement with -P0 (zero)


Page 14: NMAP - The Network Scanner

• Nmap uses ARP for the ping process on the local subnet
• For a remote IP subnet, Nmap uses
– an ICMP echo request &
– a TCP ACK to port 80


Page 15: NMAP - The Network Scanner

Module 5: Network Recon

• Operating system fingerprinting (-O)
– Systems with firewalls & filters
– One port open, one port closed.
• Version detection (-sV)


Page 16: NMAP - The Network Scanner

Module 6: Ninja Scanning

• FIN scan (-sF), Xmas tree scan (-sX), Null scan (-sN)
– Often called “stealth” scans
– One frame transmitted, one frame received
– These stealth scans never appear in application logs.
– Microsoft Windows doesn’t respond to these stealth scans.


Page 17: NMAP - The Network Scanner

• ACK scan (-sA)
– Filtered or unfiltered (not open!)
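Pages 16 and 17 make the defender's point in passing: FIN, Xmas and Null probes never complete a handshake, so nothing reaches the application and nothing lands in its logs, and an ACK scan only learns filtered/unfiltered. The only place these frames are visible is at the network layer. The Python below is an added example, not code from the slides or from the Nmap project: it classifies the bare TCP flag combinations those scan types use and runs that classifier over a handful of constructed packet records to pick out sweeps. The record format, the per-source port threshold and every address are assumptions made for the example.

```python
# Added example (not from the slides or from Nmap): flag-combination detection
# for FIN / Xmas / Null / ACK probes over network-level records. The record
# format, the threshold and the sample lines are all constructed.
from __future__ import annotations
from collections import defaultdict

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
FIN, SYN, PSH, ACK, URG = (FLAG_BITS[c] for c in "FSPAU")
# Flag sets named on page 16: no flags, FIN only, FIN+PSH+URG ("Xmas tree").
PROBE_SIGNATURES = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS"}
SWEEP_THRESHOLD = 5   # distinct ports from one source before raising an alert


def flags_from_str(s: str) -> int:
    """'FPU' -> 0x29; '' (no flags set) -> 0. Unknown letters are rejected."""
    value = 0
    for ch in s:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {ch!r}")
        value |= FLAG_BITS[ch]
    return value


def classify(flags: int) -> str:
    """Name the probe type a flag combination corresponds to."""
    if flags in PROBE_SIGNATURES:
        return PROBE_SIGNATURES[flags]
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    return "OTHER"


def parse_record(line: str) -> dict:
    """Parse one constructed 'src=... dst=... dport=... flags=...' record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "flags": flags_from_str(fields.get("flags", ""))}


def detect_sweeps(lines) -> list[tuple[str, str, int]]:
    """Return (source, probe_kind, distinct_ports) for every source that sent
    NULL/FIN/XMAS frames to at least SWEEP_THRESHOLD ports, or ACK-only frames
    to that many ports on a host it never sent a SYN to (an ACK probe rather
    than an established connection)."""
    syn_seen: set[tuple[str, str]] = set()
    ports_by_kind: dict[tuple[str, str], set[int]] = defaultdict(set)
    ack_only: dict[tuple[str, str], set[int]] = defaultdict(set)
    for line in lines:
        r = parse_record(line)
        kind = classify(r["flags"])
        if r["flags"] & SYN and not r["flags"] & ACK:
            syn_seen.add((r["src"], r["dst"]))      # a real handshake started
        if kind in PROBE_SIGNATURES.values():
            ports_by_kind[(r["src"], kind)].add(r["dport"])
        elif kind == "ACK":
            ack_only[(r["src"], r["dst"])].add(r["dport"])
    alerts = [(src, kind, len(p)) for (src, kind), p in ports_by_kind.items()
              if len(p) >= SWEEP_THRESHOLD]
    for (src, dst), p in ack_only.items():
        if (src, dst) not in syn_seen and len(p) >= SWEEP_THRESHOLD:
            alerts.append((src, "ACK", len(p)))
    return sorted(alerts)


# Constructed sample records (not a real capture).
SAMPLE_RECORDS = [
    # FIN-only frames to six ports: a FIN sweep
    *[f"src=10.0.0.9 dst=10.0.0.5 dport={p} flags=F" for p in (21, 22, 23, 25, 80, 443)],
    # FIN+PSH+URG frames to five ports: an Xmas sweep
    *[f"src=10.0.0.11 dst=10.0.0.5 dport={p} flags=FPU" for p in (22, 25, 80, 443, 8080)],
    # three NULL frames: below the threshold, no alert
    *[f"src=10.0.0.12 dst=10.0.0.5 dport={p} flags=" for p in (22, 80, 443)],
    # a real connection: SYN, then ACK, then data
    "src=10.0.0.7 dst=10.0.0.5 dport=443 flags=S",
    "src=10.0.0.7 dst=10.0.0.5 dport=443 flags=A",
    "src=10.0.0.7 dst=10.0.0.5 dport=443 flags=PA",
    # ACK-only frames to six ports with no SYN ever sent: an ACK probe
    *[f"src=10.0.0.13 dst=10.0.0.5 dport={p} flags=A" for p in (21, 22, 25, 80, 443, 3389)],
]

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_RECORDS):
        print(alert)
```

Two design choices matter here. The detector keys on what the probing host sends, not on how the target answers, so the slide's note that Windows does not respond to these scans changes nothing for detection. And ACK-only frames are normal inside an established connection, which is why the ACK case is only raised when no SYN from that source to that destination was ever seen.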


Page 18: NMAP - The Network Scanner

Nmap Timing Options

• -T0 / Paranoid
• -T1 / Sneaky
• -T2 / Polite
• -T3 / Normal
• -T4 / Aggressive
• -T5 / Insane


Page 19: NMAP - The Network Scanner

Random Hosts and Targets

• Randomize hosts (-rH)
– Rearranges the hosts in an Nmap scan
– Makes it difficult to see a pattern
• Completely random target addresses
– (-iR <num_host>)
– Useful for finding specific services
– nmap -sS -PS80 -iR 0 -p 80


Page 20: NMAP - The Network Scanner


Thank you