Nmap - Windows - CMD- Scan- Options - Example

Posted on Friday, July 20, 2012 by Tenderfoot


Nmap
Nmap is network exploration tool and port scanner. It was created by Fyodor and can be downloaded from www.insecure.org free of charge. I have always had issues with the Win32 port of Nmap so I have only used it from Linux. Nmap is available for most Linux distributions.
A few things to be aware of when using Nmap is it will ping the target before it scans to see if it is up. If the target is blocking ICMP the scan may fail. This initial ping can be prevented by using the -P0 switch which will then allow Nmap to continue the port scan.
When specifying a target the following syntax can be used:

nmap target option

The target is the host or network to be scanned and the options are the list of ports and type of scan. target can be entered as a hostname (www.yahoo.com), the IP address (87.248.113.14), or CIDR addressing (192.168.1.1/24). Nmap can also be told to use an input file for target specification. There are additional methods of target specification listed in the Nmap man pages.

Options can be the scan type (SYN scan, ACK scan, list scan etc..), can be turning off certain functions such as DNS resolution or ping, can be setting the options for output such as to XML or text file, can be setting OS or version detection, can be setting up scanning through a FTP server or another host, or can be selecting the ports to be scanned. Ports can be entered in as a list (-p 21,23,80) or as a range (-p 1-1024,3389,5000) or by port type for UDP or TCP (-p U:161,53 T:80,443).

The following are some basic examples of Nmap scans.
1. Ping Scan (ping sweep)
nmap -sP 10.20.2.1/24

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:23 GMT
Host 10.20.2.4 appears to be up.
MAC Address: 00:0C:F1:5E:0B:05 (Intel)
Host 10.20.2.6 appears to be up.
MAC Address: 00:30:C1:21:0B:9C (Hewlett-packard)
Host 10.20.2.69 appears to be up.
MAC Address: 00:E0:81:6C:94:53 (Tyan Computer)
Host 10.20.2.70 appears to be up.
MAC Address: 00:60:B0:20:D0:C0 (Hewlett-packard CO.)
Host 10.20.2.71 appears to be up.
MAC Address: 00:00:84:AE:70:BF (Ricoh Company)
Nmap finished: 256 IP addresses (5 hosts up) scanned in 5.398 seconds


This scan was used to quickly identify host that are up on a particular range of IP addresses.

2. Basic Host Scan
nmap 10.20.2.41
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:13 GMT
Interesting ports on 10.20.2.41:
(The 1666 ports scanned but not shown below are in state: closed)
PORT
 STATE SERVICE
21/tcp
 open ftp
23/tcp
 open telnet
80/tcp
 open http
280/tcp
 open http-mgmt
443/tcp
 open https
515/tcp
 open printer
631/tcp
 open ipp
9100/tcp open
 jetdirect
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
This scan picks a performs a TCP connect scan of a selected host. This scan would likely be picked up by an IDS. The basic scan would scan all ports including 1024 and below and certain high numbered ports listed in the nmap-services file. This file can be customised for your own environment. To peform a fast scan use the -F switch. This will just scan ports listed in the nmap-services file. Nmap will also automatically randomise the ports to be scanned, this can be disabled with the -r switch.

3. Version Scan
nmap 10.20.2.41 -sV -p 23
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:14 GMT
Interesting ports on 10.20.2.41:
PORT
 STATE SERVICE VERSION
23/tcp open
 telnet HP JetDirect printer telnetd (No password)
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Service Info: Device: printer
Nmap finished: 1 IP address (1 host up) scanned in 2.059 seconds
This scan picked a particular port and attempted to enumerate the service listening on that port.

4. OS Scan
nmap 10.20.2.41 -O -p 23,81
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:16 GMT
Interesting ports on 10.20.2.41:
PORT
 STATE SERVICE
23/tcp open
 telnet
81/tcp closed hosts2-ns
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Device type: print server
Running: HP embedded
OS details: HP printer w/JetDirect card
Uptime 74.890 days (since Wed Aug 15 16:55:33 2007)
Nmap finished: 1 IP address (1 host up) scanned in 2.579 seconds
This scan performed an OS scan on the host and correctly identified it as a HP Printer.

5. SYN Scan (Half-Open Scan)
nmap 10.20.2.41 -sS -p 23,80
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:17 GMT
Interesting ports on 10.20.2.41:
PORT
 STATE SERVICE
23/tcp open
 telnet
80/tcp open
 http
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 0.440 seconds
This scan performed a half-open scan (-sS) on ports 23 & 80. Half-open means that a full TCP connect scan was not completed. A SYN packet was sent from Nmap followed by a RST packet if a SYN/ACK was received (indicating an open port). If a RST packet was received by Nmap the port will be listed as closed. You must have root permissions to perform a SYN scan otherwise the scan will drop down to a full TCP Connect scan. SYN scans are relatively stealthy and are very fast for the reasons already mentioned. If Nmap receives no response or if an ICMP unreachable is received by Nmap the port is marked as filtered.

6. Stealthy Scan
nmap 10.20.2.41 -sS -p 23,80 -T 1
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:22 GMT
Interesting ports on 10.20.2.41:
PORT
 STATE SERVICE
23/tcp open
 telnet
80/tcp open
 http
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 45.422 seconds
This scan performs a half-open scan but the packets are sent at a very slow rate (-T 1). This is to avoid detection by an IDS. Note the time that Nmap took to scan compared to the previous examples.

7. Idle Scan (Zombie Scan)
nmap 10.20.2.41 -p 23 -T 2 -sI 10.20.2.70 -P0
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:29 GMT
Idlescan using zombie 10.20.2.70 (10.20.2.70:80); Class: Incremental
Interesting ports on 10.20.2.41:
PORT
 STATE SERVICE
23/tcp open
 telnet
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 7.650 seconds
In this example Nmap has used another host (-sI 10.20.2.70) to perform the scan on behalf of the attacker. The way this works is Nmap sends a packet to the Zombie to check the IP ID and then sends it’s scan to Target but spoofs the IP ofthe Zombie (10.20.2.70). Nmap then checks the IP ID of the Zombie to see how much it has increased by. This tells Nmap whether the port was open or closed due to response (ACK or RST) sent from the real target to the zombie. It has also prevented nmap from pinging the host (-P0) at the beginning of the scan.

Useful Nmap Options
-sT: Full TCP connect scan.
-sS: SYN scan. Stealthier than a TCP connect scan.
-sFFIN scan. Stealthy. A RST indicates the port is closed
-sR: Scans RPC services and attempts to identify listening programs.
-sI: Idle scan.
-bBounces the scan of a FTP server.
-sX: Xmas tree scan. All flags are set. A RST indicates a port is closed, no response may mean the port is open.
-sU: Scan for status of UDP ports.
-sL: Performs a list scan. Will attempt to perform a reverse lookup of hosts
-sPPing scan, not a scan as such but can be used initially to locate alive hosts.
-OOS Fingerprinting.
-sVIdentifies the service and version in some cases.
-ABoth version and OS fingerprinting.
-T 1: Timing is slow (1). Can be increased to 2, 3, 4 or 5 (5 being the fastest)
-sA: TCP ACK scan. This may get through certain packet filtering devices.
-iL : Input from list of hosts/networks
-sP: Ping Scan - go no further than determining if host is online
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-r: Scan ports consecutively - don't randomize
-D: : Cloak a scan with decoys
-S: : Spoof source address
-e: : Use specified interface
-g/--source-port : Use given port number
OUTPUT:
-oN/-oX/-oS/-oG : Output scan in normal, XML, s|
and Grepable format, respectively, to the given filename.
-oA: : Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES


ScanLine (sl)
ScanLine does not have anywhere near the same amount of functionality as a tool such as Nmap. But it can be used to quickly identify if a port is open, a host is up . To perform a basic scan with ScanLine (sl) use the following syntax:
Sl 192.168.1.1 
This will ping the host and perform a basic scan of known ports below is the result.
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 1 IP started at Thu Oct 25 21:51:36 2007
--------------------------------------------------------
192.168.1.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 21 80 1723
UDP ports:
We can see from the result that it has found open TCP ports 21, 80, 1723
As some devices are configured to drop ICMP sl may assume the host is not up if it get’s no response and quit. To prevent this use the –p option. The –t or –u option can also be specified followed by port numbers to address only certain ports.Below is an example of this.
sl -vpbt 80 192.168.1.1
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Adding IP 192.168.1.1
Banner grabbing enabled.
No pinging before scanning.
Scan of 1 IP started at Thu Oct 25 22:01:16 2007
Scanning 1 IP...
------------------------------------------------------
192.168.1.1
Responds with ICMP unreachable: No
TCP ports: 80
TCP 80:
[HTTP/1.0 401 Unauthorized Access Denied]
------------------------------------------------------
Scan finished at Thu Oct 25 22:01:16 2007
1 IP and 1 port scanned in 0 hours 0 mins 0.05 secs
Above you can see that I have discovered a web server listening on port 80.
You can also specify a range of ports or addresses to sl such as:
sl –pt 21,23,80-250 192.168.1.1-10
The output of scan can also be output to a file using the –o switch followed by a filename.
For additional info on the other switches available use sl /?


Netcat
Netcat can pretty much do anything from being a proxy, transfer files, a chat client, a backdoor and yes, port scanning.Now, it’s not fast and it’s not pretty but it’ll do it. The syntax is below.
nc -vv -z -n -w1 192.168.1.1 23 80 34
And the output is……..
(UNKNOWN) [192.168.1.1] 23 (?): connection refused
(UNKNOWN) [192.168.1.1] 80 (?) open
(UNKNOWN) [192.168.1.1] 34 (?): TIMEDOUT
sent 0, rcvd 0: NOTSOCK
So I can see that I have open ports 23 and 80.

Links

No Response to "Nmap - Windows - CMD- Scan- Options - Example"

Leave A Reply