Network Scanning with Nmap

Overview

Nmap is a powerful network scanning tool which allows you to discover available hosts and resources. Nmap can be very useful for discovering what open doors exist on your network, including services, ports, operating systems, and other fingerprinting information. You should be aware that scanning a network with nmap, without prior permission, can be considered a form of network attack at worst, or network trespassing at best.

You can download nmap for Linux, Windows or Mac at: http://nmap.org/download.html . Though typically a Linux command-line tool, nmap can also be installed on Windows and run either from the command line or from a graphical user interface, by installing the Zenmap graphical front end. You can install Zenmap by running the Windows self-installer and accepting the installation defaults.

NMAP for Windows

If you are running a Windows desktop operating system and you are new to nmap, I recommend using nmap through the Zenmap graphical interface. When running nmap from the command line, the user has a large array of scanning options and parameters. Zenmap simplifies the use of nmap by limiting the options to a predefined set of pull-down choices.

(Image: the download page of the http://nmap.org website.)

Using NMAP and Zenmap

Using nmap with Zenmap is pretty simple. After launching the program, you enter the target IP address, IP address range, or domain name that you want to scan, choose a scanning profile, and then run the scan. Each scanning profile is a predefined set of scanning options, so different profiles produce different results. The power of nmap comes from all of the scanning parameters and options that are available, and running nmap from the command line gives you complete access to every option and parameter.

In the scan below, I input the target IP addresses 172.16.11.100-105, which will scan hosts 100 to 105. For the scanning profile, I chose the "Intense scan, no ping" pull-down option. You can see the complete scan, as it would be given from the command line, by looking at the command input box.

    nmap -T4 -A -v -Pn 172.16.11.100-105

  • nmap is the command that launches the program.
  • The -T4 argument selects a faster timing template (quicker execution).
  • The -A argument enables OS and version detection, script scanning, and traceroute.
  • The -v argument enables verbose output.
  • The -Pn argument skips host discovery and, for the purpose of the scan, treats all hosts as if they were online.

Nmap Scan Types

Looking at nmap's command-line options and parameters, there are four major nmap scan types:

  • TCP connect scan (-sT) – this scan performs a full TCP three-way handshake with the target computer. You can specify which ports to scan by also supplying -p with a range of port numbers, like -p1-1023, which scans ports 1 through 1023. This is a reliable scan for identifying open ports on a target host; however, it is also easily recognized by intrusion prevention systems, if you are trying to scan anonymously.
  • SYN scan (-sS) – this scan is also called a stealth scan, in that it starts a three-way handshake but does not complete it. Though harder to detect, it is detectable by current-day firewalls.
  • UDP scan (-sU) – this scan tests whether there are open UDP ports on a target computer. Since UDP is a connectionless protocol, this scan can only tell us that a port is blocked (closed) when an ICMP unreachable message comes back, and it assumes the port is open when no message comes back. You could receive a false positive, because no response could also mean that the UDP probe or the ICMP reply was blocked by a network firewall rather than by the target host.
  • ACK scan (-sA) – this scan simply tests whether a port is blocked (filtered) or not. The scan sends out ACK packets and waits to see whether there is no response (blocked) or a reset packet (RST) in reply, which shows that the port is not being filtered.
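The remark that SYN and connect scans are detectable is worth seeing from the defender's side. The Python script below is an added example, not part of the original post: it reads a constructed, simplified connection log (one line per TCP segment with its flags) and flags any source that sends SYNs to several distinct ports on one host within a short window. It labels the activity as a half-open (-sS style) scan when the source never completes a handshake with a bare ACK, and as a connect (-sT style) scan when it does. The log format, the addresses, the timestamps and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a simplified connection log: timestamp, source, destination
# and TCP flags (S = SYN, SA = SYN/ACK, A = ACK, R = RST, RA = RST/ACK).
# The 10.0.0.5 lines mimic a half-open (SYN) scan against 172.16.11.100: every
# SYN/ACK is answered with RST and no handshake is ever completed. The 10.0.0.9
# lines are one ordinary, completed connection. All addresses and times are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5:40001 dst=172.16.11.100:22 flags=S
2024-05-01T10:00:00Z src=172.16.11.100:22 dst=10.0.0.5:40001 flags=SA
2024-05-01T10:00:00Z src=10.0.0.5:40001 dst=172.16.11.100:22 flags=R
2024-05-01T10:00:00Z src=10.0.0.5:40002 dst=172.16.11.100:80 flags=S
2024-05-01T10:00:00Z src=172.16.11.100:80 dst=10.0.0.5:40002 flags=SA
2024-05-01T10:00:00Z src=10.0.0.5:40002 dst=172.16.11.100:80 flags=R
2024-05-01T10:00:01Z src=10.0.0.5:40003 dst=172.16.11.100:443 flags=S
2024-05-01T10:00:01Z src=172.16.11.100:443 dst=10.0.0.5:40003 flags=RA
2024-05-01T10:00:01Z src=10.0.0.5:40004 dst=172.16.11.100:3389 flags=S
2024-05-01T10:00:01Z src=172.16.11.100:3389 dst=10.0.0.5:40004 flags=SA
2024-05-01T10:00:01Z src=10.0.0.5:40004 dst=172.16.11.100:3389 flags=R
2024-05-01T10:00:02Z src=10.0.0.5:40005 dst=172.16.11.100:445 flags=S
2024-05-01T10:00:05Z src=10.0.0.9:51000 dst=172.16.11.100:22 flags=S
2024-05-01T10:00:05Z src=172.16.11.100:22 dst=10.0.0.9:51000 flags=SA
2024-05-01T10:00:05Z src=10.0.0.9:51000 dst=172.16.11.100:22 flags=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\w+)$"
)


def parse_log(text):
    """Turn the constructed log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_port_scans(events, min_ports=5, window=timedelta(seconds=10)):
    """Flag a source that sends SYNs to >= min_ports distinct ports on one host within `window`.

    type == "syn"     : the source never completed a handshake (bare ACK) to any probed port,
                        the half-open pattern of nmap -sS
    type == "connect" : at least one probed port saw a completing ACK, the pattern of nmap -sT
    """
    syns = defaultdict(list)   # (src, dst) -> [(timestamp, dport), ...]
    acked = defaultdict(set)   # (src, dst) -> {dport where the source sent a bare ACK}
    for e in events:
        key = (e["src"], e["dst"])
        if e["flags"] == "S":
            syns[key].append((e["ts"], e["dport"]))
        elif e["flags"] == "A":
            acked[key].add(e["dport"])

    alerts = []
    for (src, dst), probes in syns.items():
        probes.sort()
        # Slide a window starting at each SYN and count distinct ports probed inside it.
        for i, (t0, _port) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                kind = "connect" if acked[(src, dst)] & ports else "syn"
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports), "type": kind})
                break   # one alert per source/destination pair is enough
    return alerts


if __name__ == "__main__":
    for a in find_port_scans(parse_log(SAMPLE_LOG)):
        print(f"{a['type']} scan: {a['src']} -> {a['dst']} ports {a['ports']}")
```

The thresholds are deliberately low so the short sample triggers; on real traffic you would raise min_ports and tune the window, and you would also watch for the RST-only replies from closed ports, since a scanner touches many closed ports while a legitimate client rarely does.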

(Image: scanning a range of IP addresses in Zenmap.)

Examining the scan results of a single network host, from the Host Details tab:

The scan results have identified an open port at 3389 and a probable operating system type.
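Pulling a finding like the open port 3389 above out of a multi-host scan is easier when the results are processed rather than read by eye. As an added example that is not part of the original post or of nmap itself, the Python script below parses nmap's grepable output (the -oG option, not mentioned in the post) for a scan like the one run above and lists which hosts expose which open ports, then picks out the hosts that expose a remote-administration service. The sample output embedded in it is constructed: the addresses follow the post's 172.16.11.100-105 range, but the hosts, ports and banners are invented, and the watch list of ports is my own choice.

```python
# Constructed sample of nmap "grepable" output (-oG), written to stdout with "-oG -".
# The addresses follow the post's range; every host, port and banner here is invented.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -T4 -A -v -Pn -oG - 172.16.11.100-105\n"
    "Host: 172.16.11.100 ()\tStatus: Up\n"
    "Host: 172.16.11.100 ()\tPorts: 135/open/tcp//msrpc///, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)\n"
    "Host: 172.16.11.101 ()\tStatus: Up\n"
    "Host: 172.16.11.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, "
    "161/open|filtered/udp//snmp///\tIgnored State: filtered (997)\n"
    "Host: 172.16.11.102 ()\tStatus: Up\n"
    "Host: 172.16.11.102 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (999)\n"
    "# Nmap done -- 6 IP addresses (3 hosts up) scanned\n"
)

# Ports that give remote administrative access; my own watch list for this example.
REMOTE_ADMIN_PORTS = frozenset({22, 23, 3389, 5900})


def parse_grepable(text):
    """Parse -oG output into {host: [(port, proto, state, service, version), ...]}.

    Each "Host:" line holds tab-separated "Key: value" fields. The "Ports" field is a
    comma-separated list of port/state/proto/owner/service/rpc-info/version/ entries.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment lines and the trailer
        fields = dict(chunk.partition(": ")[::2] for chunk in line.split("\t"))
        host = fields["Host"].split(" ", 1)[0]     # drop the "(hostname)" part
        hosts.setdefault(host, [])                 # keep hosts that report no ports
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.strip().split("/")
            if len(parts) != 8:                    # 7 fields plus the trailing slash
                continue
            port, state, proto, _owner, service, _rpc, version, _ = parts
            hosts[host].append((int(port), proto, state, service, version))
    return hosts


def open_ports(scan, proto="tcp"):
    """Map each host to its sorted ports that nmap reported as exactly "open".

    Note that UDP ports answered by silence come back as "open|filtered" (the false
    positive the post warns about) and are deliberately not counted as open here.
    """
    return {
        host: sorted(p for p, pr, st, _s, _v in ports if pr == proto and st == "open")
        for host, ports in scan.items()
    }


def hosts_exposing(scan, watch_ports=REMOTE_ADMIN_PORTS):
    """Return [(host, [watched open ports])] for hosts that expose a watched service."""
    found = []
    for host, ports in open_ports(scan).items():
        hits = [p for p in ports if p in watch_ports]
        if hits:
            found.append((host, hits))
    return found


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for host, ports in open_ports(scan).items():
        print(f"{host}: open tcp ports {ports}")
    for host, hits in hosts_exposing(scan):
        print(f"review: {host} exposes remote administration on {hits}")
```

To use it on a real scan, add -oG - (or -oG somefile) to the nmap command and feed that text to parse_grepable; the same host/port structure can then be diffed against an earlier scan to spot newly opened ports.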

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
