Nmap - Network Administrator Tool

Loren Johnson
Nmap (Network Mapper) is a network exploration tool and security scanner. Nmap is primarily a *nix tool, but ports exist for Windows. I will demonstrate some primary uses for nmap, although any number of uses could be explored, including nefarious ones. I will focus on its usefulness as a network analysis and exploration tool.

Overview

Nmap does many different types of scans; the most popular are the ping sweep and the TCP port scan. The type of scan is usually the first parameter. Other scans include SYN, stealth FIN, Xmas tree and NULL scans. Window, RPC and ACK scans are also useful for testing firewall rule-sets. These are specialized and beyond the scope of this HOW-TO. We will also look at Operating System (OS) fingerprinting and the list scan, which are simple and useful on a large scale.

The first parameter is the type of scan and is denoted with -sX, where X is the scan type. For our purposes we will explore the ping scan (nmap -sP) and the TCP connect scan (nmap -sT). The connect scan needs no special privileges; the SYN scan (-sS) and most of the others need raw sockets, so root. Newer releases of nmap call the ping scan -sn; -sP is still accepted as an alias.

Selecting a Target

The next most important parameter is the TARGET, what you will be scanning. This can be any number of IP addresses or networks, specified in several ways. nmap takes the target literally, and a mistyped range will happily scan a network you have no business touching, so be certain you know what you are scanning.

You can simply specify a target by hostname; nmap resolves it through DNS:

nmap -sP target-host.com

This will simply ping the host and you will get output similar to:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host xx.xx.xxx.xxx.xxxxx.xxx (x.x.x.x) appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

You can also scan an entire network by adding a CIDR prefix length after a slash, a number between 0 and 32. /24 means the first 24 bits of the address are the network part, so a /24 covers 256 addresses.

nmap -sP target-host.com/24

is valid, if ugly. nmap looks up the address for target-host.com and scans every host in the /24 network that contains it.

IP addresses are easier to use and clearer about what you are scanning. You may specify them in several ways. IPv4 addresses are written as dotted quads: four numbers from 0 to 255 separated by periods. An internal network address might be 192.168.1.5. Adding /24 causes nmap to scan 192.168.1.0 through 192.168.1.255; the host bits of the address you typed are ignored. nmap -sP 192.168.1.5/24 is the command.

Other ways to specify addresses are more readable. To scan the .254 address on every 192.168.x.0/24 network (all 256 values of the third octet), use a wildcard in that octet. Quote a target that contains * so your shell does not try to expand it as a filename wildcard:

nmap -sP '192.168.*.254'

You can also use a dash range in an octet. To scan the .254 address in 192.168.1.0 through 192.168.20.0:

nmap -sP 192.168.1-20.254

You can also scan the hosts in a random order. This option does not pick addresses at random; it scans every host in the target list, just not in sequence, which makes a sweep less obvious to anyone watching the network. The original -randomize_hosts spelling is the nmap 3.x form; current releases document it as --randomize-hosts:

nmap --randomize-hosts -sP '192.168.1.*'
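The target forms above can be checked without sending a packet. The script below, added here as an example and not part of nmap, expands a spec into the addresses it covers (what nmap's list scan does, minus the DNS lookups), so a mistyped range shows up before anything is scanned. It supports the three forms used in this article: a CIDR prefix, a dash range in an octet and a * wildcard. Wildcard specs are quoted so the shell does not treat them as filename globs.

```shell
#!/bin/sh
# expand_targets: print every IPv4 address an nmap-style target spec covers.
# Added example, not part of nmap.  Supports a CIDR prefix (192.168.1.5/24),
# a per-octet range (192.168.1-20.254) and a per-octet wildcard (192.168.*.254).

# ip2int / int2ip convert between a dotted quad and a 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expand_cidr a.b.c.d/N: every address in the /N block containing a.b.c.d.
# The host bits of the given address are ignored, exactly as nmap does.
expand_cidr() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    start=$(( $(ip2int "$addr") & mask ))
    end=$(( start | (mask ^ 0xFFFFFFFF) ))
    i=$start
    while [ "$i" -le "$end" ]; do
        int2ip "$i"
        i=$(( i + 1 ))
    done
}

# octet_values SPEC: the numbers one octet spec stands for
#   "5" -> 5, "1-20" -> 1..20, "*" -> 0..255
octet_values() {
    case $1 in
        '*') lo=0;       hi=255 ;;
        *-*) lo=${1%-*}; hi=${1#*-} ;;
        *)   lo=$1;      hi=$1 ;;
    esac
    n=$lo
    while [ "$n" -le "$hi" ]; do
        echo "$n"
        n=$(( n + 1 ))
    done
}

# expand_octets a.b.c.d with a range or wildcard in any octet.
# set -f turns off globbing while the "*" octet is split out.
expand_octets() {
    oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldifs
    for a in $(octet_values "$1"); do
        for b in $(octet_values "$2"); do
            for c in $(octet_values "$3"); do
                for d in $(octet_values "$4"); do
                    echo "$a.$b.$c.$d"
                done
            done
        done
    done
}

# expand_targets SPEC: dispatch on whether the spec carries a /prefix
expand_targets() {
    case $1 in
        */*) expand_cidr "$1" ;;
        *)   expand_octets "$1" ;;
    esac
}

# Usage: sh expand_targets.sh 192.168.1.5/30 '192.168.*.254'
for spec in "$@"; do
    expand_targets "$spec"
done
```

Pipe the result through wc -l before a large sweep; if the count is not what you expected, the spec is not what you meant. nmap itself will show the same list with nmap -sL -n followed by the spec.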

To find a TCP port open on any of those addresses, change the scan type from ping to TCP connect and add the port with -p:

nmap -sT -p 80 '192.168.1.*'

This scans every address on our local network for anything listening on port 80, the usual port for a web server. Note that nmap pings each host before port scanning it and skips hosts that do not answer; if a target blocks ping, add -Pn (called -P0 in older releases) so the port scan runs anyway.

This is useful for finding that switch we installed this morning that listens on telnet port 23, somewhere in the lower half of our network:

nmap -sT -p 23 192.168.1.0-127

If we just want a list of the addresses a target spec covers, without sending any probes, change the scan type to list. nmap still does a reverse DNS lookup on each address; add -n to skip that. To list every IP address in 192.168.3.x:

nmap -sL '192.168.3.*'

This would produce output similar to the following:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.3.0) not scanned
Host (192.168.3.1) not scanned
...
Host (192.168.3.254) not scanned
Host (192.168.3.255) not scanned
Nmap run completed -- 256 IP addresses (0 hosts up) scanned in 0 seconds

With Other Tools

To pull out just the IP addresses under unix, pipe the output through grep and awk:

nmap -sL '192.168.1.*' | grep "^Host" | awk -F '(' '{print $2}' | awk -F ')' '{print $1}'

This produces a much cleaner list, easily imported into a spreadsheet or database. The pipeline relies on the nmap 3.x output shown above, where each address sits in parentheses on a line beginning with "Host"; check the format your release prints before trusting it.
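Current nmap releases no longer print the "Host (...)" lines; they print "Nmap scan report for ..." and put the address in parentheses only when a hostname resolved, so the pipeline above would return nothing. The function below, added here as an example and not code from the article, extracts addresses from either format. The sample output it runs over is constructed for the example, not a real scan.

```shell
#!/bin/sh
# nmap_ips: read nmap's normal output on stdin and print one IP address per
# line.  Added example, not part of nmap.  Handles the nmap 3.x lines quoted
# in the article ("Host (192.168.1.0) not scanned",
# "Host name (10.0.0.1) appears to be up.") and the lines current releases
# print ("Nmap scan report for 192.168.1.2",
# "Nmap scan report for name (10.0.0.1)",
# "Nmap scan report for 10.0.0.2 [host down]").
nmap_ips() {
    awk '
        # a parenthesised address: take whatever sits inside the last "(...)"
        (/^Host / || /^Nmap scan report for /) && /\(/ {
            s = $0; sub(/.*\(/, "", s); sub(/\).*/, "", s); print s; next
        }
        # no hostname resolved: the address is the fifth word
        /^Nmap scan report for / { print $5 }
    '
}

# Constructed sample output (not a real scan) mixing both formats
SAMPLE='Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.1.0) not scanned
Host router.lan (192.168.1.1) appears to be up.
Nmap run completed -- 2 IP addresses (1 host up) scanned in 1 second
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.1.2
Nmap scan report for printer.lan (192.168.1.3)
Nmap scan report for 192.168.1.4 [host down]
Nmap done: 3 IP addresses (1 host up) scanned in 0.02 seconds'

# demo_ips: run the parser over the sample; returns the five addresses
demo_ips() {
    printf '%s\n' "$SAMPLE" | nmap_ips
}

# Real use: nmap -sL -n 192.168.1.0/24 | nmap_ips > hosts.txt
demo_ips
```

With a current nmap, nmap -sL -n 192.168.1.0/24 | nmap_ips gives the list directly (-n skips the reverse DNS lookups). nmap's grepable output, -oG -, is the other route practitioners take: its "Host:" lines carry the address as the second field, which awk picks out without any parenthesis juggling.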

Advanced

Nmap can also make a good guess at the Operating System (OS) of a target. It sends a series of crafted TCP, UDP and ICMP probes and matches the responses against its database of known OS fingerprints. This needs raw packet access, so run it as root, and it works best when the target has at least one open and one closed TCP port for nmap to probe.

nmap -O target-host.com

See the Wikipedia article on TCP/IP stack fingerprinting for more information on how OS fingerprinting works.

Nmap is an awesome tool that is never far from my side. Perhaps it will also be useful to you.

Published by Loren Johnson

Passive aggressive at 90 words per minute! I have decided to pursue a lifetime goal - writing. Looking to begin a creative writing career after spending too many hours in an office.

2 Comments

  • LMJ, 9/19/2007

    The amazing part is spelling it correctly. Or did I? :)

  • Lori Wheat, 9/19/2007

    Nice inclusion of the underused term "nefarious" in your article. The rest of this article is beyond me and my eyes glazed over after that :P
