Nmap is a *very* frequently used tool for both network testing and penetration testing. However, most people don’t use half of its capability – I’ll talk about some of the more popular options in this post. Nmap is available from insecure.org for most operating systems – even Windows. However, I’m not going to discuss the fancy GUI in this post, so you’ll have to dig a bit and consider using the cygwin version.

The first and most popular option is -O, which tells you what kind of operating system the target is running. It’s pretty obvious how it’s used, but you also have to know that nmap needs to find at least one open port and one closed port on the system to have a solid idea of what the OS is. So, for any systems that are behind a firewall, you won’t get very accurate results.

The second popular option is -p, which tells nmap which ports to scan. If -p is omitted, only common ports are scanned. So if you’re looking for something funny on an odd port, you might want to use -p1-65535 to scan all TCP ports. You can also scan all UDP ports with -p U:1-65535 (together with -sU). A warning though: if the ports are filtered, or you’re scanning UDP, nmap will wait the full 2 minutes for *each* packet to come back as “undeliverable” (rather than an RST), and scanning can take a very long time.

Another common option is -sS. This one scans using only SYN packets, which used to be the way you wanted to scan, but as firewalls and TCP stacks have gotten better, I think that this is a “wasted” option. I put “wasted” in quotes because it *does* help the scan go a bit faster using fewer resources, since the scanner’s TCP stack doesn’t have to create full connections.

An option that’s been in nmap a while but that I don’t see used much is -sV – it tries to determine what exactly is running on a port rather than just that something’s listening there. It’s still a bit new, but nmap knows all of the common probes to get something to respond to you, so it’s actually pretty good – but verify it for yourself.
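As an added example (not code from the original post), here is a small parser for nmap’s grepable (-oG) output that compares a full-range -sV scan against an allowlist of expected listeners, so a stray service on an odd port or an unexpected UDP listener stands out; the scan lines and the baseline are constructed for illustration.

```python
"""Parse nmap -oG output and flag open ports that are not in a known-good baseline."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sS -sU -sV -p T:1-65535,U:53 -oG -` output; not a real scan.
SAMPLE_OG = (
    "# Nmap scan initiated as: nmap -sS -sU -sV -p T:1-65535,U:53 -oG - 10.0.0.0/29\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, "
    "80/open/tcp//http//nginx 1.18/, 4444/open/tcp//unknown///\tIgnored State: closed (65532)\n"
    "Host: 10.0.0.6 ()\tPorts: 443/open/tcp//ssl|http//Apache httpd/, "
    "53/open/udp//domain//ISC BIND 9.16/\tIgnored State: filtered (65533)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

# Each port entry has seven slash-separated fields: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
Listener = Tuple[int, str, str, str, str]  # (port, proto, state, service, version)

def parse_grepable(text: str) -> Dict[str, List[Listener]]:
    """Return {address: [listeners]} from grepable output; fields are tab-separated."""
    hosts: Dict[str, List[Listener]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        addr = fields[0].split()[1]
        hosts.setdefault(addr, [])
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for m in PORT_RE.finditer(field[len("Ports: "):]):
                    port, state, proto, _owner, svc, _rpc, ver = m.groups()
                    hosts[addr].append((int(port), proto, state, svc, ver))
    return hosts

def find_unexpected(hosts: Dict[str, List[Listener]],
                    baseline: Dict[str, Set[Tuple[int, str]]]) -> List[Tuple[str, int, str, str, str]]:
    """Open (port, proto) pairs not in the host's baseline; hosts missing from baseline allow nothing."""
    flagged = []
    for addr, listeners in hosts.items():
        allowed = baseline.get(addr, set())
        for port, proto, state, svc, ver in listeners:
            if state == "open" and (port, proto) not in allowed:
                flagged.append((addr, port, proto, svc, ver))
    return flagged

# Constructed baseline of what *should* be listening on each host.
BASELINE = {"10.0.0.5": {(22, "tcp"), (80, "tcp")}, "10.0.0.6": {(443, "tcp")}}

if __name__ == "__main__":
    for addr, port, proto, svc, ver in find_unexpected(parse_grepable(SAMPLE_OG), BASELINE):
        print(f"{addr} {port}/{proto} ({svc} {ver!r}) is not in the baseline")
```

Pipe a real scan in with `nmap ... -oG - | python3 script.py` once the sample constant is replaced by reading stdin; the -sV service and version columns are what make the flagged lines worth triaging.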

A final option that I think people should use more often is -g (with 80 as an argument). It used to be that almost no one filtered on source ports; now they do. By default, nmap uses random source ports, which may or may not be allowed through the firewall you’re trying to scan. 80 and 443 are good choices, as they’re common web ports. There are others, depending on what you’ve been able to figure out about the target’s environment – do they use a lot of RDP? What about IMAP? Most firewall admins have gotten smart enough to filter on the source IP address as well as the source port, so it may or may not work, but it’s worth trying.

Nmap has *many* other options that aren’t visible by just running --help – actually *read* the man page. And try it out – on systems you’re authorized to play with.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

One thought on “Nmap”

  1. Peter Hesse says:

    FYI, Fyodor’s book on NMAP is now, just today, on Amazon: http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717/ – For those that fear man pages, this might be a good option for you.
