Nmap works by sending specially crafted packets (TCP, UDP, ICMP and, on a local segment, ARP) to a specified range of network IP addresses. By analysing the responses it receives back, the mapper can deduce a great deal about the devices attached to the network. Because most Nmap scans send and receive raw packets, they are only available to privileged users, so you should use a Windows administrator account, or root (or sudo) if you're on a Unix or Linux machine. If you don't have the necessary privileges, or are scanning an IPv6 network (the Nmap releases of this period could only scan IPv6 targets this way), you can perform a TCP connect scan (-sT) instead. That scan asks the operating system to open a full TCP connection to each port through the ordinary connect() system call, so it needs no special rights, but it is slower and noisier: every open port sees a completed connection, which the service on that port is likely to log.
By regularly scanning your network, you can spot unexpected changes in the status of services on your system and know whether unauthorised or unnecessary programs have started running on a device. Shutting down superfluous services, closing unneeded ports or writing the appropriate firewall rules to make them unavailable to the outside world improves the overall security of your network. The results from an Nmap scan will ultimately provide an inventory of devices and the services running on them, which can be used for asset tracking, compliance checks and network design and debugging.
Basic Nmap scans that find open ports
For basic network audits, I would recommend starting with a TCP SYN scan (often called a 'stealth' or 'half-open' scan), which finds open ports without completing the full TCP connection or 'handshake.' Nmap sends a SYN to each port: a SYN/ACK reply means the port is open (Nmap then answers with an RST rather than completing the connection), an RST means it is closed, and no reply or an ICMP unreachable error means it is filtered. Because this relies only on behaviour every compliant TCP stack must exhibit, rather than on the idiosyncrasies of specific platforms, it works against almost any target and can examine thousands of ports quickly with little risk of disrupting network devices, while still giving clear, reliable differentiation between open, closed and filtered ports.
Before you start, though, it's important to explain to senior management and colleagues how and why you intend to run such a scan against the network; otherwise the investigation may be interpreted as a hostile attack. Until you're fully familiar with Nmap, run a list scan before any other type. This baseline scan prints every address in the target range (with its reverse-DNS name, unless you add -n) without sending a single packet to the targets themselves, so it is a cheap way to sanity check the number and range of IP addresses you are about to scan. The list scan option is -sL:
nmap -sL 10.0.0.0-255
To run a TCP SYN scan (-sS) against the same range, use:
nmap -sS 10.0.0.0-255
The above command instructs Nmap to scan its default port set on the 256 IP addresses between 10.0.0.0 and 10.0.0.255. In the Nmap releases current when this was written, that meant every port up to and including 1024 plus any higher-numbered ports listed in the nmap-services file; since Nmap 4.75 the default is the 1,000 most common ports for each protocol, ranked by the frequency data in that same file. Either way, a default scan is not a full scan: add -p- (all 65,535 ports) when you want the complete picture.
Don't worry about trying to remember the hundreds of Nmap options; they are all well documented and straightforward to use. For example, there are several ways of choosing which ports are scanned, the most direct being -p, which accepts single ports, ranges and, with a T: or U: prefix, a protocol for each part of the list.
So nmap -p U:53,T:21-25 www.yourorg.com, for example, restricts the scan to UDP port 53 and TCP ports 21 to 25. Note that the UDP part of that list is only scanned if you also request a UDP scan, so the full command is nmap -sS -sU -p U:53,T:21-25 www.yourorg.com; without -sU the U: ports are ignored and Nmap prints a warning to that effect.
The Zenmap Command Wizard makes it easy to construct quite complex scans, and it is a great tool for learning how to use different options.
Nmap offers various output formats for both human and machine consumption, including XML, which can be imported into a database or parsed by programs for further analysis. For example, by adding the options -oX and -oN you can save the normal output for your own review while writing an XML version of the same scan for programmatic analysis, as in:
nmap -A -oX scanreport.xml -oN scanreport.txt www.yourorg.com
The shorthand -oA basename writes normal, XML and grepable (-oG) output in one go, as basename.nmap, basename.xml and basename.gnmap. There are also options for controlling the detail of the output (-v, repeated for more verbosity) as well as debugging messages (-d).
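The payoff of the XML output, and of the regular scanning recommended earlier, is that two reports can be compared mechanically to flag services that have appeared, disappeared or changed version since the last run. The script below is an added example for this article, not code from the Nmap project; the two reports it compares are constructed samples in the shape Nmap writes with -oX (hosts, ports, states and service fingerprints), so it runs offline, and in practice you would read the files saved by successive scans instead.

```python
"""Inventory and diff two Nmap XML reports to spot changed services.

Added example for this article, not code from the Nmap project. The two
reports below are constructed samples in the shape Nmap writes with -oX;
in practice you would read the files saved by successive scans.
"""
import xml.etree.ElementTree as ET

# Constructed sample: last week's scan of one host.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.1p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.9"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed sample: today's scan. 443 is now open, 3306 is new, the web
# server version changed, and a host that was not there before has appeared.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.1p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.11"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.11" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.0.51a"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Map (address, protocol, port) -> service description for every open
    port on every host Nmap reported as up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:                      # fall back to whatever address is present
            addr = host.find("address")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not inventory
            svc = port.find("service")
            desc = ""
            if svc is not None:
                desc = " ".join(v for v in (svc.get("name"), svc.get("product"),
                                            svc.get("version")) if v)
            key = (addr.get("addr"), port.get("protocol"), int(port.get("portid")))
            inventory[key] = desc
    return inventory


def diff_inventories(old, new):
    """Return (opened, closed, changed): ports open now but not before, ports
    that went away, and ports whose service fingerprint changed."""
    opened = sorted(k for k in new if k not in old)
    closed = sorted(k for k in old if k not in new)
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    return opened, closed, changed


if __name__ == "__main__":
    opened, closed, changed = diff_inventories(parse_open_ports(BASELINE_XML),
                                               parse_open_ports(CURRENT_XML))
    for ip, proto, port in opened:
        print("NEW     %s %s/%d" % (ip, proto, port))
    for ip, proto, port in closed:
        print("GONE    %s %s/%d" % (ip, proto, port))
    for (ip, proto, port), (before, after) in changed.items():
        print("CHANGED %s %s/%d: %s -> %s" % (ip, proto, port, before, after))
```

Run against the constructed samples it reports 443/tcp and 3306/tcp on 10.0.0.5 and 23/tcp on 10.0.0.9 as new, and the Apache version change on 80/tcp; each of those is exactly the kind of unexpected change the regular-scanning advice above is meant to catch. Only hosts marked up and ports marked open count as inventory, so a host that drops off the network shows up as every one of its ports having gone away.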
Nmap commands that identify network services and application versions
Once you have inventoried the visible network devices and ports, you need to know which services, and which versions of those services, are running on them. This information matters not only for a complete inventory but also for working out which known vulnerabilities the network may be exposed to. Every discovered service needs to be kept patched, and it's a good idea to be on each service vendor's notification list so that you learn of new vulnerabilities and patches promptly.
To enable application version detection during a scan, simply add the -sV option. A broader alternative is -A, which enables OS detection (-O), version detection, default script scanning and traceroute in one go: nmap -A www.yourorg.com. It is correspondingly slower and noisier, so use -sV on its own when version information is all you need.
This scan uses the nmap-service-probes database to try to determine the service protocol, the application name, the version number, hostname, device type, OS family and other miscellaneous details, such as the SSH protocol version or whether an X server is open to connections. If Nmap was compiled with OpenSSL support, it can even connect to an SSL server to deduce the service listening behind that encryption layer. Another advantage of running version detection is that Nmap will send its probes to any TCP and UDP ports that a plain port scan could only report as open|filtered, and will mark a port open if one of them draws a response.
The reason it is so important to discover all the open ports on your network is that a port is a virtual or logical endpoint that programs use to exchange data directly. Every open port is therefore an entry point into the host, and an attacker will enumerate exactly the same services you do, which is why closing or firewalling the ones you don't need matters.
Other important Nmap scans, commands and considerations
In order to better differentiate between open and closed ports, certain Nmap scans take advantage of particular idiosyncrasies of specific platforms or protocols in order to return a more complete result. For example, Nmap's TCP Null (option -sN), FIN (option -sF) and Xmas (option -sX) scans all exploit a subtle loophole in the TCP protocol specification: a closed port must answer a segment that carries no SYN, RST or ACK flag with an RST, whereas an open port must silently drop it. So an RST means the port is closed, and no response means it is open or possibly filtered (Nmap reports it as open|filtered, since it cannot tell the two apart). Because none of these probes is a SYN, they can also pass through certain non-stateful firewalls and packet-filtering routers that only block incoming connection attempts. The caveat is that not every stack follows the specification here: Microsoft Windows and many Cisco devices send an RST to such probes regardless of port state, so against them these scans report every port as closed and tell you nothing.
And, of course, Nmap provides the TCP ACK scan (option -sA) to help map out firewall rule sets. This scan doesn't determine whether a port is open or closed: a host answers an ACK that belongs to no connection with an RST whether the port is open or closed, so an RST means the port is unfiltered, while no response or an ICMP unreachable error means it is filtered. That distinction tells you whether the device in front of the port is a stateless filter that only blocks incoming SYN packets (the ACK gets through and draws an RST) or a stateful firewall that drops any segment not part of an established connection.
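The inference rules behind the Null/FIN/Xmas and ACK scans, and the way they fail on stacks that answer RST to everything, are easier to see when played out against a model host than to reason about in the abstract. The code below is an added example for this article, not Nmap code, and it sends no packets: a Target models a host's TCP stack and any firewall in front of it, respond() gives the reply a probe would get, and infer() applies the port-state rules described above for each scan type. The port numbers, the three targets and the rst_to_everything flag (standing in for a Windows-style stack) are assumptions chosen for the demonstration.

```python
"""Model of how SYN, Null/FIN/Xmas and ACK probes are answered and interpreted.

Added example for this article, not Nmap code, and it sends no packets. The
targets below are assumed for the demonstration; rst_to_everything stands for
stacks (Nmap's reference guide names Windows and many Cisco devices) that
answer RST to any FIN/NULL/Xmas probe, open port or not.
"""
from dataclasses import dataclass, field


@dataclass
class Target:
    open_ports: set
    blocked: set = field(default_factory=set)   # ports a firewall protects
    stateful_fw: bool = False                    # True: drop every unsolicited segment
    rst_to_everything: bool = False              # non-compliant stack (Windows-style)


def respond(t, port, flags):
    """Reply the host sends to a probe carrying these TCP flags ("S", "A", "F",
    "FPU" or "" for NULL); None means the probe was silently dropped."""
    if port in t.blocked and (t.stateful_fw or "S" in flags):
        return None                 # firewall drops it (a stateless filter only stops SYNs)
    if "A" in flags and "S" not in flags:
        return "RST"                # RFC 793: an ACK that matches no connection gets RST
    if flags == "S":
        return "SYN/ACK" if port in t.open_ports else "RST"
    # NULL / FIN / Xmas probe: no SYN, ACK or RST bit set
    if port not in t.open_ports:
        return "RST"                # closed port: RFC 793 says reset
    return "RST" if t.rst_to_everything else None   # open port: compliant stacks drop it


SCAN_FLAGS = {"-sS": "S", "-sN": "", "-sF": "F", "-sX": "FPU", "-sA": "A"}


def infer(scan_type, reply):
    """Port state Nmap reports for a given reply. An ICMP unreachable error
    (any reply other than SYN/ACK, RST or None) is 'filtered' for every scan
    type; this model never generates one but the rule is kept for completeness."""
    if scan_type == "-sS":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan_type == "-sA":
        return "unfiltered" if reply == "RST" else "filtered"
    if reply == "RST":              # -sN / -sF / -sX
        return "closed"
    return "open|filtered" if reply is None else "filtered"


def scan(target, scan_type, ports):
    """Run one scan type against the model and return {port: reported state}."""
    flags = SCAN_FLAGS[scan_type]
    return {p: infer(scan_type, respond(target, p, flags)) for p in ports}


PORTS = (22, 80, 443, 3389)
# Assumed layout: 22 and 80 open, 443 closed, 3389 open but behind a firewall rule.
compliant = Target(open_ports={22, 80, 3389}, blocked={3389})                     # stateless filter
stateful = Target(open_ports={22, 80, 3389}, blocked={3389}, stateful_fw=True)
windows = Target(open_ports={22, 80, 3389}, blocked={3389}, rst_to_everything=True)

if __name__ == "__main__":
    for name, t in (("compliant", compliant), ("stateful", stateful), ("windows", windows)):
        for scan_type in ("-sS", "-sF", "-sA"):
            print("%-9s %s %s" % (name, scan_type, scan(t, scan_type, PORTS)))
```

Against the compliant host the SYN scan shows 3389 as filtered, the FIN scan slips past the stateless filter and reports it open|filtered, and the ACK scan draws an RST from every port and so reports them all unfiltered. Swap in the stateful firewall and the ACK scan reports 3389 filtered, which is how -sA separates the two kinds of filtering. The Windows-style host answers every FIN probe with an RST, so the FIN scan reports all four ports closed, including 22 and 80, which the SYN scan correctly shows as open.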
As you can see, Nmap can discover a great deal about a network which you can use to your advantage. Hopefully you now feel able to experiment with some of Nmap's many scans to explore your network. In the next article I'll look at some real-life examples of how to make the most of this powerful aid.
This was first published in April 2009