Tip

Nmap tutorial: Nmap scan examples for vulnerability discovery

Learn how to use Nmap, the free network scanner tool, to identify various network devices and interpret network data to uncover possible vulnerabilities.

Knowing what services are running on your systems, and being able to identify if and when any of those services change, is the first step in securing your netwsork. Many tools can accomplish this, but any network admin with an interest in security should get to know Nmap intimately.

Nmap first appeared on the scene 14 years ago as a simple network scanner. Since, it has evolved into a behemoth of a network scanning and enumeration tool, incorporating many features beyond simple port scanning. This Nmap tutorial will explain how to use this free tool to identify devices, as well as detect possible network vulnerabilities and infections.

Identifying devices on the network
Creating an inventory of the devices on your network is the perfect way to start to secure it. Without detailed knowledge of which devices are accessible, you cannot determine whether someone (maliciously or not) has connected an unauthorized device to the network, compromising the organisation’s security controls.

For the sake of simplicity, I will use a standard class C network of 192.168.1.0/24 for the following Nmap scan examples.

Nmap can be used as a simple discovery tool, using various techniques (e.g. ARP pings, ICMP requests, TCP and/or UDP pings) to identify live devices on a network. All of these techniques are used when specifying the –sP switch in an Nmap command, for example:

Nmap –sP 192.168.1.0/24

This simple command will send various packets (ARP, ICMP, etc.) to every address within the 192.168.1.0/24 range, and will report any devices that respond. The results will look similar to those in the example below:

c:\>nmap -sP 192.168.1.0/24

Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-05 18:27 GMT Daylight Time
Nmap scan report for 192.168.1.1
Host is up (0.20s latency).
MAC Address: 38:E7:D8:BC:E6:E7 (HTC)
Nmap scan report for 192.168.1.3
Host is up.
Nmap scan report for 192.168.1.4
Host is up (0.31s latency).
MAC Address: 00:1C:DF:58:9D:0A (Belkin International)
Nmap scan report for 192.168.1.254
Host is up (0.0040s latency).
MAC Address: 00:14:7F:35:B3:58 (Thomson Telecom Belgium)
Nmap done: 256 IP addresses (4 hosts up) scanned in 12.10 seconds

 

What’s it running?
Once it's identified the live devices, Nmap can be used to determine which TCP and UDP ports are open, closed or firewalled. Knowing which services are running, and which of those are essential to the running of the business, can help determine a network security baseline. This baseline can serve as a starting point from which to identify any anomalies, allowing for swift investigation. Malware will often open ports on infected devices in order to send and/or receive data; malicious attackers will look for badly configured services (i.e., anonymously accessed FTP servers, unauthenticated administrative Web interfaces, etc.) and exploitable software. Nmap can help to identify any of these problems.

When scanning devices to determine which ports are open, there are various basic scanning options:

-sS –Performs a “stealth” TCP scan (that does not fully complete the “TCP three-way handshake,” and closes the connection once the service responds).

-sT –Performs a full TCP scan (a full connection is established with open TCP ports).

-sU –Performs a UDP scan (as UDP is a connectionless protocol, these scans can take significantly longer than TCP scans).

-p – Tells Nmap which ports to scan (e.g., –p1-65535 will specify every port).

These basic options can be used to give a quick overview of the open ports on any given device, for example:

c:\>nmap -sS -p1-65535 192.168.1.4

Nmap scan report for 192.168.1.4
Host is up (0.017s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
912/tcp   open  apex-mesh
2869/tcp  open  icslap
5357/tcp  open  wsdapi
10243/tcp open  unknown
17500/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
MAC Address: 00:1C:DF:58:9D:0A (Belkin International)

Nmap done: 1 IP address (1 host up) scanned in 139.26 seconds

 

Nmap includes an advanced option, “--top-ports”, which can be used to test only the most commonly seen ports. This can be used in conjunction with various advanced timing options to reduce the time needed to scan a large number of devices.

Knowing which ports are open is only half the battle, but Nmap does have another weapon at its disposal: a huge database of service fingerprints. Nmap can connect to the open ports it discovers and attempt to identify the services running behind them. For the attacker, version information is critical to knowing whether a service is exploitable. By default, Nmap identifies services based on their entry in the Nmap services file (which was initially based on the IANA assigned ports list). As this isn’t always correct (What’s to stop an attacker from writing a virus that sends out data on the registered SMTP port?), the “-sV” switch can be used to tell Nmap to interrogate discovered open ports to determine software and version information.

Along with identifying the services running on open ports, the "–O" switch can be used to tell Nmap to detect which operating system a device is running, including vendor, OS version and the purpose of the device.

c:\>nmap -sS -sV -O -PN -p1-65535 192.168.1.4

Nmap scan report for 192.168.1.4
Host is up (0.13s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
554/tcp   open  rtsp?
912/tcp   open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
2869/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5357/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
17500/tcp open  ssl/unknown
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  unknown
49155/tcp open  msrpc       Microsoft Windows RPC
49158/tcp open  msrpc       Microsoft Windows RPC
49159/tcp open  unknown
MAC Address: 00:1C:DF:58:9D:0A (Belkin International)
Device type: general purpose
Running: Microsoft Windows 2008|Vista|7
OS details: Microsoft Windows Server 2008, Microsoft Windows Vista SP0 or SP1, 
Server 2008 SP1, or Windows 7
Network Distance: 1 hop
Service Info: OS: Windows

OS and Service detection performed. Please report any incorrect results at http:
//nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1711.70 seconds

 

The scan above has identified the device as Microsoft Windows Server 2008, Windows Vista or Windows 7.

What next?
Whilst Nmap isn’t a full-blown vulnerability scanner, it can be used to help identify vulnerabilities on the network. One of Nmap's most powerful features is its scripting engine, which can help automate a myriad of tasks, from recording service banner information to vulnerability identification.

Using the “--script=” option allows specific scripts to be loaded into Nmap and executed after the port scan has completed. Combining the “banner.nse” and “http-headers.nse” scripts can allow quick and simple enumeration of banner information across the network. The example below shows a Thomson router in its default configuration.

C:\>nmap -sS -sV -O --top-ports 1000 --script=banner.nse,http-head
ers.nse 192.168.1.254

Nmap scan report for 192.168.1.254
Host is up (0.048s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        Alcatel Speedtouch ADSL router ftpd
| banner: 220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to c
|_hange.
23/tcp   open  telnet     Alcatel/Thomson SpeedTouch DSL router admin interface
|_banner: \xFF\xFB\x01
80/tcp   open  http       Alcatel/Thomson SpeedTouch ADSL http config 1.0
| http-headers:
|   Content-Length: 139
|   WWW-Authenticate: Digest realm="SpeedTouch", nonce="0620JT7UW:00-14-7F-35-B3
-58:132844:912833", qop="auth"
|   WWW-Authenticate: Basic realm="SpeedTouch"
|
|_  (Request type: GET)
443/tcp  open  tcpwrapped
| http-headers:
|   Content-Length: 139
|   WWW-Authenticate: Digest realm="SpeedTouch", nonce="0620JT7UW:00-14-7F-35-B3
-58:132847:726442", qop="auth"
|   WWW-Authenticate: Basic realm="SpeedTouch"
|
|_  (Request type: GET)
1723/tcp open  pptp       THOMSON (Firmware: 1)
MAC Address: 00:14:7F:35:B3:58 (Thomson Telecom Belgium)
Warning: OSScan results may be unreliable because we could not find at least 1 o
pen and 1 closed port
Device type: broadband router|firewall|printer|general purpose|WAP|specialized
Running (JUST GUESSING): Thomson embedded (92%), Nokia IPSO 4.X (90%), HP embedded (88%), Ricoh embedded (88%), IBM AIX 5.X (87%), AirSpan embedded (85%), Rockwell Automation embedded (85%)
Aggressive OS guesses: Thomson ST 536i ADSL modem (92%), Nokia firewall (IPSO 4.1Build19) (90%), Nokia IP650 firewall (IPSO 4.0 and CheckPoint Firewall-1/VPN-1

software) (90%), Thomson SpeedTouch 510 DSL modem (90%), HP LaserJet 4300 printer (88%), Ricoh Aficio 1224C or AP400N printer (88%), IBM AIX 5.3 (87%), AirSpan
ProST WiMAX access point (85%), Rockwell Automation 1769-L23E-QB1 PLC (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: SpeedTouch; Device: broadband router

OS and Service detection performed. Please report any incorrect results at http:
//nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.17 seconds

 

Using Nmap, we have discovered the device is running FTP, telnet, http, https and pptp servers. Combining the information received from 1) the banners, 2) the http headers and 3) operating system guess, we can deduce the device is a Thomson router.

Much more can be gathered through scripts, as well: from anonymous FTP logins, SNMP information and SSH versions, to Microsoft Windows username enumeration, brute-force logon attacks and email spoofing. The list of available scripts increases on an almost daily basis, and scripts can be created easily by users to fit their needs.

Using the "-oX" switch, the scan can be output to XML and imported into a spreadsheet for further analysis.

Conclusion
Nmap is an extremely useful, free tool that can allow organisations to keep tabs on the state of their networks. Running these types of scans on a regular basis can help maintain a reasonable level of assurance that:

1.   You know what devices are on the network, and can easily discover if and when something new has been added.

2.   You know what services are running on every device, and can easily discover if a service has been created (whether malicious or not).

3.    You can use the information discovered to help mitigate some vulnerabilities on the network.

Read more on Hackers and cybercrime prevention

CIO
Security
Networking
Data Center
Data Management
Close