NMAP Installation and Basics

Jarret W. Buse

Many System Administrators (Admins) need a way to find security issues on the network and close them. If a security issue is found, Admins have time to close the problem before it is breached by a hacker.

NOTE: Please use the information responsibly.

NMAP stands for Network Mapper. The program is used as a security scanner to discover hosts and services on a network. Details on the hosts and services can also be determined to allow a “network map”.

NOTE: Be aware that some of the information in this article was also covered in the article “Metasploit: Port Scanning”.

NMAP was originally written for Linux, but has been ported to Windows, Solaris, HP-UX, BSD, AmigaOS and IRIX. The main website for NMAP can be found at https://nmap.org/.

NMAP has the following abilities:
  • discover Hosts
  • scan Ports
  • detect Operating Systems (OS)
  • detect applications and their versions on the Hosts
  • interact with Target Hosts by scripts
NMAP can be used to:
  • find open Ports on a Host system
  • audit security on a network
  • take network inventory
  • generate traffic to a Host system
  • find exploits to attack Hosts

A Graphical User Interface (GUI) does exist as a front-end for NMAP called Zenmap. To install the two on a Debian system, use the following commands:

  • sudo apt-get install nmap
  • sudo apt-get install zenmap
  • sudo apt-get upgrade (used to upgrade all installed apps)

To install NMAP and Zenmap on a Red Hat based system, use the commands:

  • yum install nmap
  • yum install zenmap
  • yum update (used to update all installed apps)

NOTE: The “sudo apt-get upgrade” and the “yum update” are only needed afterwards to check if any updated files have been released for NMAP or Zenmap.

Once installed, we can open Zenmap to have access to the basic functions of NMAP. Zenmap is shown in Figure 1 after it starts.


FIGURE 1


NOTE: Make sure you use sudo to start zenmap (“sudo zenmap”) from a terminal or you will see Figure 2. Without Root privileges, some of NMAP's functions will work, but not all of them.


FIGURE 2

From Figure 1, there are a few options you can set yourself in Zenmap. The main option is the Target. The Target is an individual system or a group of systems on which to perform a scan. Enter a single IP Address or a range. The range can be specified as “10.0.0.1-100”, which is the range of 10.0.0.1 to 10.0.0.100. A whole subnet can be used by specifying the Classless Inter-Domain Routing (CIDR) notation for the subnet. For example, to cover the range of 10.0.0.1 to 10.0.0.255, the Target would be “10.0.0.0/24”. Target addresses which do not exist are quickly disregarded and not checked, so even on a network with only a handful of systems, a scan of the entire subnet should not take long.
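To see exactly which addresses a Target string covers before you run a scan, here is a small expander for the two forms described above (octet ranges and CIDR). It is an added example, not code from the article or from NMAP itself; it generalizes to ranges or comma lists in any octet, which NMAP also accepts, but does not handle hostnames or IPv6.

```python
import ipaddress
import itertools
import re

def expand_target(spec):
    """Expand an nmap-style IPv4 target spec into a list of address strings.

    Handles CIDR ("10.0.0.0/24") and per-octet ranges/lists ("10.0.0.1-100",
    "10.0.0-1.1,5"). Hostnames and IPv6 are deliberately not supported here.
    """
    spec = spec.strip()
    if "/" in spec:
        # A /24 yields all 256 addresses, 10.0.0.0 through 10.0.0.255.
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    choices = []
    for octet in octets:
        values = set()
        for part in octet.split(","):
            match = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
            if not match:
                raise ValueError(f"bad octet {octet!r} in {spec!r}")
            low = int(match.group(1))
            high = int(match.group(2)) if match.group(2) else low
            if not (0 <= low <= high <= 255):
                raise ValueError(f"octet out of range: {part!r}")
            values.update(range(low, high + 1))
        choices.append(sorted(values))
    # Cartesian product over the four octets, in nmap's natural order.
    return [".".join(map(str, combo)) for combo in itertools.product(*choices)]

if __name__ == "__main__":
    for target in ("10.0.0.1-100", "10.0.0.0/24", "10.0.0-1.1,5"):
        addrs = expand_target(target)
        print(f"{target:14} -> {len(addrs):4} addresses ({addrs[0]} .. {addrs[-1]})")
```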

The next item you can set is the Profile. Initially, Zenmap has eleven basic Profiles which are:

  1. Comprehensive Full Port Scan (-sV -p 1-65535 -T5 -O -A -v -v)
  2. Intense Scan (-T4 -A -v)
  3. Intense Scan plus UDP (-sS -sU -T4 -A -v)
  4. Intense Scan, all TCP Ports (-p 1-65535 -T4 -A -v)
  5. Intense Scan, no PING (-T4 -A -v -Pn)
  6. Ping Scan (-sn)
  7. Quick Scan (-T4 -F)
  8. Quick Scan Plus (-sV -T4 -O -F --version-light)
  9. Quick Traceroute (-sn --traceroute)
  10. Regular Scan (no options are used)
  11. Slow Comprehensive Scan (-sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)")

In the list above, the parameters that Zenmap sends to NMAP follow each Profile name in parentheses. The Regular Scan (number 10) sends no options at all. With no options other than the IP Address, NMAP can still show a lot of information about the Target(s).

So, let's finish up this article by covering the parameters being used in the Profiles.

  • Comprehensive Full Port Scan
    • -sV – Probe open ports to determine service/version info
    • -p 1-65535 – scan ports 1 to 65,535 (all ports)
    • -T5 – uses highest timing template (1-5)
    • -O – detect Operating System (OS)
    • -A – Enable OS detection, version detection, script scanning, and traceroute
    • -v -v – enable high verbosity (-vv)
  • Intense Scan
    • -T4 – uses second highest timing template (1-5)
    • -A – Enable OS detection, version detection, script scanning, and traceroute
    • -v – enable verbosity
  • Intense Scan plus UDP
    • -sS – TCP SYN scan
    • -sU – UDP scan
    • -T4 – uses second highest timing template (1-5)
    • -A – Enable OS detection, version detection, script scanning, and traceroute
    • -v – enable verbosity
  • Intense Scan, all TCP Ports
    • -p 1-65535 – scan ports 1 to 65,535 (all ports)
    • -T4 – uses second highest timing template (1-5)
    • -A – Enable OS detection, version detection, script scanning, and traceroute
    • -v – enable verbosity
  • Intense Scan, no PING
    • -T4 – uses second highest timing template (1-5)
    • -A – Enable OS detection, version detection, script scanning, and traceroute
    • -v – enable verbosity
    • -Pn – treat all Hosts as online and skip host discovery
  • Ping Scan
    • -sn – Ping scan, but disable Port scan
  • Quick Scan
    • -T4 – uses second highest timing template (1-5)
    • -F – perform a fast mode which scans fewer ports than the default scan
  • Quick Scan Plus
    • -sV – Probe open ports to determine service/version info
    • -T4 – uses second highest timing template (1-5)
    • -O – detect Operating System (OS)
    • -F – perform a fast mode which scans fewer ports than the default scan
    • --version-light – limit version detection to the most likely probes (the same as --version-intensity 2 on the 0-9 scale)
  • Quick Traceroute
    • -sn – Ping scan, but disable Port scan
    • --traceroute – Trace hop path to each host
  • Regular Scan (no options)
  • Slow Comprehensive Scan
    • -sS – TCP SYN scan
    • -sU – UDP scan
    • -T4 – uses second highest timing template (1-5)
    • -A – Enable OS detection, version detection, script scanning, and traceroute
    • -v – enable verbosity
    • -PE – ICMP Echo request
    • -PP – ICMP Timestamp request
    • -PS80,443 – TCP SYN discovery on ports 80 and 443
    • -PA3389 – TCP ACK discovery on Port 3389
    • -PU40125 – UDP discovery on Port 40125
    • -PY – SCTP discovery
    • -g 53 – use Host source Port 53
    • --script "default or (discovery and safe)" – run the NSE scripts in the “default” category, plus any script that is in both the “discovery” and “safe” categories
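The note above about starting Zenmap with sudo applies to only some of these Profiles. Here is an added example (not code from the article or from NMAP/Zenmap) that tokenizes each Profile's option string as listed in the article and reports which options need raw-socket (root) privileges on Linux. The set of privileged options is my own assumption and is deliberately limited to the ones I am sure about.

```python
import re
import shlex

# The eleven Zenmap profiles exactly as listed in the article.
PROFILES = {
    "Comprehensive Full Port Scan": "-sV -p 1-65535 -T5 -O -A -v -v",
    "Intense Scan": "-T4 -A -v",
    "Intense Scan plus UDP": "-sS -sU -T4 -A -v",
    "Intense Scan, all TCP Ports": "-p 1-65535 -T4 -A -v",
    "Intense Scan, no PING": "-T4 -A -v -Pn",
    "Ping Scan": "-sn",
    "Quick Scan": "-T4 -F",
    "Quick Scan Plus": "-sV -T4 -O -F --version-light",
    "Quick Traceroute": "-sn --traceroute",
    "Regular Scan": "",
    "Slow Comprehensive Scan": ('-sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 '
                                '-PU40125 -PY -g 53 --script "default or (discovery and safe)"'),
}

# Assumption: options that need raw sockets (root or CAP_NET_RAW) on Linux.
# -A implies -O and --traceroute. Discovery probes like -PS/-PU and -g are left
# out because nmap falls back to plain sockets or ignores them when unprivileged.
RAW_SOCKET_OPTS = {"-sS", "-sU", "-O", "-A", "-PE", "-PP", "--traceroute"}

# Options whose value may be attached (-PS80,443, -T4) or the next token (-p 1-65535).
VALUE_OPTS = {"-p", "-g", "-T", "-PS", "-PA", "-PU", "-PY", "--script"}

def parse_options(opt_string):
    """Split a profile option string into (option, value) pairs."""
    tokens = shlex.split(opt_string)        # shlex keeps the quoted --script value together
    parsed, i = [], 0
    while i < len(tokens):
        opt, value = tokens[i], None
        if not opt.startswith("--"):
            # Separate an attached numeric value: "-PS80,443" -> ("-PS", "80,443").
            match = re.fullmatch(r"(-[A-Za-z]+?)(\d.*)?", opt)
            if match:
                opt, value = match.group(1), match.group(2)
        if value is None and opt in VALUE_OPTS and i + 1 < len(tokens) \
                and not tokens[i + 1].startswith("-"):
            i += 1
            value = tokens[i]
        parsed.append((opt, value))
        i += 1
    return parsed

def needs_root(opt_string):
    """Return the sorted list of options in the string that need raw-socket privileges."""
    return sorted({opt for opt, _ in parse_options(opt_string) if opt in RAW_SOCKET_OPTS})

def profiles_needing_root():
    """Map each profile that must run under sudo to the options responsible."""
    return {name: needs_root(opts) for name, opts in PROFILES.items() if needs_root(opts)}
```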

The Profiles help you perform some general scans. Install both applications and try the Profiles to see what they produce.