NMAP - Network MAPper
-----------------------
This NMAP write-up explains, through examples, how to use nmap. It gives you
a run-down of the options available and says whether you need root privileges to use each of them.
NMAP is perhaps the best port scanner available and therefore a very useful tool. If someone were to launch an attack against your network, running NMAP would more than likely be one of their first steps, and it would give them vital information. The purpose of this article is to teach you how to test the security of your own network, firewall etc., with the aim of improving your overall security.
Basic Scanning
--------------
NMAP's standard TCP scan is the TCP connect() scan. Because it completes the full three-way handshake on every port, the target application actually accepts each connection, so this scan is usually easy to spot in firewall logs, IDS alerts and the service's own logs; however it is the best an unprivileged user can do. NMAP requires root privileges to perform the more sophisticated (and less easily detectable) scans, because those need raw socket access.
    nmap -sT target.ip.goes.here
Shown above is the standard command for a TCP connect() scan. In the nmap versions this article describes, this scan type connects to each port between 1 and 1024, plus those listed in nmap-services which are of interest (e.g. ports known to be used by trojans or other vulnerable services). Current nmap releases instead default to the 1000 most common ports from nmap-services; if you care about the exact range, set it explicitly with -p (see Port Range below).
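To make the "full connection" point concrete, here is a small added example (not code from the original write-up or from nmap) that runs a connect() scan against a throwaway TCP listener on 127.0.0.1. The listener plays the part of a real service and records every completed handshake, which is the trace a connect() scan leaves behind and a SYN scan does not. The loopback listener and the port chosen by the OS are the example's own constructions; nothing is sent off the local machine.

```python
import socket
import threading
import time


def start_listener():
    """Open a TCP listener on a loopback port chosen by the OS.

    Returns (server_socket, port, accepted): `accepted` is a list the
    listener appends a peer address to every time a connection completes,
    which is exactly what a real service would write to its log.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]
    accepted = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listener closed by demo()
                return
            accepted.append(peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port, accepted


def connect_scan(host, ports, timeout=0.5):
    """Unprivileged connect() scan, the equivalent of nmap -sT.

    A port is reported open when the full three-way handshake succeeds.
    A RST (ConnectionRefusedError) means closed; a timeout usually means
    a firewall dropped the SYN. Both are subclasses of OSError here.
    """
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:
            pass
        finally:
            s.close()
    return open_ports


def demo():
    """Scan a small range around the listener's port and report what the
    scanner saw next to what the "service" recorded."""
    srv, port, accepted = start_listener()
    try:
        found = connect_scan("127.0.0.1", range(port - 2, port + 3))
        # accept() runs in another thread; give it a moment to log the hit.
        for _ in range(100):
            if accepted:
                break
            time.sleep(0.01)
    finally:
        srv.close()
    return port, found, len(accepted)


if __name__ == "__main__":
    port, found, logged = demo()
    print(f"listener on {port}; scanner found {found}; "
          f"service logged {logged} connection(s)")
```

The listener's `accepted` list is the whole point: the scanner learns the port is open, and the service sees a complete connection from the scanner's address. An IDS watching only for "many SYNs without ACKs" will not catch this scan, but anyone reading the application log will.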
UDP Scanning
------------
As well as TCP scans, NMAP offers a UDP scan option, -sU:
    nmap -sU ip.address.goes.here
This option scans for open UDP ports. It also needs root privileges, and it is slow: a UDP port that sends nothing back may be open or filtered, so nmap can only mark a port closed when it gets an ICMP port-unreachable reply, and many hosts rate-limit those replies.
SYN Scans
---------
The TCP SYN scan requires root privileges for raw socket support. The TCP SYN scan doesn't establish a full connection to a host (nmap sends a SYN, reads the SYN/ACK or RST that comes back, and then tears the half-open connection down with a RST), so the application never sees it and it is more difficult to detect. Most modern Intrusion Detection Systems (IDS) do look for an excess of SYNs without matching ACKs, though, and if every port is scanned in order it doesn't take much to piece together that a port scan is going on.
    nmap -sS ip.address.goes.here
is the typical TCP SYN scan command.
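The detection side of that paragraph, as an added example (not from the original write-up): a few constructed netfilter-style firewall log lines, one source walking ports in order, one ordinary client, and one source hitting ten ports in random order, run through a sliding-window rule that flags any source sending SYNs to many distinct ports within a minute and notes whether the ports arrived in sequence. The log format, addresses and thresholds are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Netfilter-style log line: timestamp, host, "kernel:", then KEY=VALUE fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ kernel: .*SRC=(?P<src>[\d.]+) "
    r".*PROTO=TCP .*DPT=(?P<dpt>\d+) .*\bSYN\b"
)


def _line(hms, src, dpt):
    """Build one constructed log line (sample data, not from a real system)."""
    return (f"Mar 10 {hms} fw kernel: IN=eth0 OUT= SRC={src} DST=198.51.100.7 "
            f"PROTO=TCP SPT=40321 DPT={dpt} WINDOW=1024 SYN URGP=0")


SAMPLE_LOG = (
    # 203.0.113.5: ports 1..12 in order, one per second (a scan walking the range)
    [_line(f"12:00:{s:02d}", "203.0.113.5", s + 1) for s in range(12)]
    # 198.51.100.20: an ordinary client touching a few services
    + [_line("12:01:05", "198.51.100.20", 22),
       _line("12:01:09", "198.51.100.20", 80),
       _line("12:01:30", "198.51.100.20", 443)]
    # 192.0.2.9: ten ports in random order within 20 seconds
    + [_line(f"12:02:{2 * i:02d}", "192.0.2.9", p)
       for i, p in enumerate([8080, 21, 443, 3389, 25, 110, 135, 445, 53, 5900])]
)


def parse(lines):
    """Return (timestamp, src, dport) for every inbound TCP SYN in the log."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], int(m["dpt"])))
    return events


def detect_scans(lines, window_s=60, min_ports=10):
    """Flag any source that sends SYNs to >= min_ports distinct ports within
    window_s seconds. Also records whether the ports arrived in strictly
    ascending order, the tell-tale of a scan that walks the range in sequence."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse(lines):
        by_src[src].append((ts, dpt))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window_s seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            ports = [p for _, p in hits[start:end + 1]]
            if len(set(ports)) >= min_ports:
                sequential = all(b == a + 1 for a, b in zip(ports, ports[1:]))
                alerts[src] = {"distinct_ports": len(set(ports)),
                               "sequential": sequential}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_ports']} ports in 60s, "
              f"sequential={info['sequential']}")
```

Note that nmap randomises port order by default (the -r option restores sequential order), so the "in order" fingerprint only catches scanners who ask for it; the distinct-port count is the rule that does the real work, and the threshold is a tuning decision for your own network.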
Other Scans
-----------
These scans are all similar to the SYN scan in that they require root privileges to use, but they are not so easy to detect (IDSs look for SYN scans but not necessarily these ones). They rely on RFC 793 behaviour: a closed port answers an unexpected packet with a RST, while an open port silently drops it, so a port that stays quiet is reported as open (strictly, open or filtered, since a firewall dropping the probe looks the same).
-sF - FIN Scan (sends packets with only the FIN flag set instead of SYN)
-sX - Xmas Tree Scan (sets the FIN, PSH and URG flags, "lighting the packet up like a Christmas tree"; refer to insecure.org for specifics)
-sN - Null Scan (no flags set at all)
These scans will *not* work against an MS Windows box, because Microsoft chose to ignore the rest of the world (as usual ;-)) and do things their own way: Windows replies with a RST whether the port is open or closed, so every port shows up as closed. :)
This can be useful, however, because you can vaguely determine the OS type by running a SYN scan and a NULL scan. If the SYN scan shows open ports but the NULL scan doesn't, you're probably looking at a Windows box. (Of course, this usage is more or less obsolete now with the -O OS fingerprinting option of NMAP.)
Ping Options
------------
NMAP will ping the host to check that it is alive before scanning. Some hosts block ICMP Echo Requests (pings), however, so nmap will report the host as down and skip it even though it is up. There is an option to not ping the target but scan anyway.
Of course, this runs the risk of spending a long time scanning a box that isn't there, but it's a risk you have to take:
    -P0
(In current nmap releases this option is spelled -Pn; -P0 is the older spelling used throughout this article.)
Timing
------
nmap offers different options for timing its scans. The 'normal' option is fine for most purposes, but to avoid detection (slower probes are harder to correlate into a scan) you can use slower timing, and to get a scan completed quickly you can use faster timing, at the cost of more noise and possibly missed ports on a lossy link.
The timing option has the following format:
    -T <timeoption>
where <timeoption> can be any of the following:
    0 (Paranoid)
    1 (Sneaky)
    2 (Polite)
    3 (Normal)
    4 (Aggressive)
    5 (Insane)
You can use either the number or the phrase, e.g.:
    nmap -sS -P0 -T 2 target.ip.goes.here
    nmap -sS -P0 -T Polite target.ip.goes.here
Both of those commands do the same thing.
OS Fingerprinting
-----------------
nmap has TCP/IP stack fingerprinting support, which can help determine the remote OS type and other useful information such as uptime (from TCP timestamps). Like the raw-packet scans, it requires root privileges.
This option is simple:
    -O
Decoys
------
You can set a series of decoy hosts to reduce the chance of being identified: nmap sends scan packets with the decoys' addresses as well as your own, so the target's logs show several apparent scanners and the admin has to work out which one is real. The option for this is:
    -D decoy1,decoy2,decoy3...
which is the -D parameter followed by a string of decoys separated by commas. Decoys only work with the raw-packet scans (so root again), and you should pick decoy hosts that are actually up; otherwise the target gets SYN/ACKs it can't deliver and you may accidentally SYN flood it.
Port Range
----------
nmap's default behaviour, in the versions this article describes, is to scan ports 1-1024 (the so-called 'reserved' ports) plus those known to be 'interesting' (trojan ports, for example); current releases scan the 1000 most common ports instead. You
can change this behaviour as follows:
    -p
Examples:
    nmap -sS -P0 -p 1-1024 target.ip.goes.here           <--- Scan 1-1024 only
    nmap -sS -P0 -p 1-65535 target.ip.goes.here          <--- Scan all 65535 ports
    nmap -sS -P0 -p 25 target.ip.goes.here               <--- Scan port 25 only
    nmap -sS -P0 -p 25,80,110-1024 target.ip.goes.here   <--- Scan port 25, port 80, and ports 110-1024
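As an added example (not code from the original write-up or from nmap itself), here is a parser for the -p syntax shown above, the kind of thing you want when a script builds port lists for a scanner: it expands "25,80,110-1024" into a de-duplicated, sorted list and rejects specs that would silently shrink or blow up the scan. The open-ended forms ("-" for everything, "-1024", "1024-") mirror nmap's own shorthand; port 0 is deliberately left out.

```python
MAX_PORT = 65535


def parse_port_spec(spec, max_port=MAX_PORT):
    """Expand an nmap-style -p value ("25,80,110-1024", "-" for everything)
    into a sorted list of unique port numbers.

    Raises ValueError for an empty item, a port outside 1..max_port, or a
    range whose low end is above its high end, so a typo cannot silently
    shrink or blow up the scan.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port spec")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1          # "-1024" means 1-1024
            hi = int(hi_s) if hi_s else max_port   # "1024-" means 1024-65535
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= max_port:
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def describe(spec):
    """Summarise a spec the way you would sanity-check it before a long scan."""
    ports = parse_port_spec(spec)
    return {"count": len(ports), "first": ports[0], "last": ports[-1]}


if __name__ == "__main__":
    for spec in ("1-1024", "1-65535", "25", "25,80,110-1024", "-"):
        print(f"{spec:>16}: {describe(spec)}")
```

Running it reproduces the four examples in the table above and makes the difference between "1-1024" and "-" visible as a count (1024 versus 65535 ports) before you commit to a scan that takes hours.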