Thursday, February 24, 2011

Nmap

nmap

nmap is the network mapper tool. nmap can be used to scan your IP addresses (or anyone else's IP addresses, for that matter) for open ports. It is important to note that nmap only scans for open TCP/UDP ports.

See the nmap man page

nmap runs on Unix and Windows. The Windows version can be used either through the GUI or from the command line. Operation of nmap on both systems is substantially the same.

See the nmap fingerprinting documentation. This information comes with nmap.

Running nmap for OS enumeration
You can use nmap to detect which operating system is on the other end by using what is called active stack fingerprinting. nmap keeps a database, which you can update, that helps in enumerating the OS of a remote host. See the following Phrack magazine article explaining active stack fingerprinting.
Here is another article from insecure.org that a student found. It gives a very good explanation of how to use nmap to get past a firewall and learn about the hosts on the inside.
Using the following command line:
nmap -O [remote host]
nmap performs the following:

  • The host is sent packets of different types on numerous well-known ports.
  • FIN probe: a FIN packet is sent to an open port. RFC 793 says that the port should not respond; NT does.
  • Bad flag probe: an undefined TCP flag is set in the TCP header of a SYN packet. Some OSes, like Linux, will respond.
  • Initial Sequence Number sampling: different TCP stacks start their ISN with different numbers.
  • Don't Fragment bit monitoring: some OSes set the Don't Fragment bit.
  • TCP initial window size: different TCP stacks set the window size differently.
  • ACK value: some stacks send back the ACK value you sent, some increment it.
  • ICMP error quenching: RFC 1812 limits the rate at which error messages are sent. nmap floods a high-numbered UDP port and counts the error rate.
  • ICMP message quoting: OSes differ in the data sent back with errors.
  • ICMP error message-echoing integrity: stacks differ in how they write the headers when sending error messages.
  • TOS (type of service): different stacks place different values in the TOS field of ICMP port unreachable messages.
  • TCP options: different TCP header options are sent to the host; how they are handled allows some enumeration of the OS.
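
To show how the response attributes above turn into an OS guess, here is an added Python example (not from this post and not nmap's own code): it parses a constructed IPv4/TCP response header for the DF bit, TTL, TOS and window size, then scores those fields against a small hypothetical fingerprint table. The table values are made up for illustration; they are not entries from nmap's fingerprint database.

```python
import struct

# Constructed, hypothetical fingerprint table: attribute values per OS are
# illustrative only and do NOT come from nmap's real fingerprint database.
FINGERPRINTS = {
    "Hypothetical OS A": {"df": True,  "ttl": 64,  "window": 5840,  "tos": 0},
    "Hypothetical OS B": {"df": True,  "ttl": 128, "window": 65535, "tos": 0},
    "Hypothetical OS C": {"df": False, "ttl": 255, "window": 8760,  "tos": 16},
}


def parse_ipv4_tcp(raw):
    """Extract the header fields a stack fingerprint compares from a raw IPv4+TCP packet."""
    if len(raw) < 40:
        raise ValueError("truncated IPv4+TCP header")
    ver_ihl, tos, _total, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                      # IP header length in bytes
    tcp = raw[ihl:ihl + 20]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {"df": bool(frag & 0x4000),              # Don't Fragment bit
            "ttl": ttl, "tos": tos, "window": window,
            "flags": off_flags & 0x1FF}             # TCP flag bits (SYN/ACK = 0x012)


def match_os(fields, db=FINGERPRINTS):
    """Score each fingerprint by the number of matching attributes; return (name, score)."""
    best = None
    for name, fp in db.items():
        score = sum(1 for key, value in fp.items() if fields.get(key) == value)
        if best is None or score > best[1]:
            best = (name, score)
    return best


def build_synack(df, ttl, tos, window):
    """Build a constructed SYN/ACK response packet for testing (checksums left as zero)."""
    ip_flags = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, ip_flags, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 1000, 1, (5 << 12) | 0x012, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    observed = parse_ipv4_tcp(build_synack(True, 64, 0, 5840))
    print(observed, "->", match_os(observed))
```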

Other nmap commands:

  • nmap -p80 www.somewhere.com - detects whether port 80 is open
  • nmap -sP -PT80 host.on.thenet.com - performs a TCP ping scan
  • nmap -sS -sU -p 1-65535 10.10.1.1-255 - scans all ports, UDP and TCP SYN, on 255 hosts
  • etc.

Other options:

  • -sT TCP connect scan: completes a 3-way handshake with the host
  • -sS SYN scan (half-open scan): RST/ACK means the port is not listening, SYN/ACK means it is listening (best scan to use)
  • -P0 (that is a capital P and a zero) don't ping before scanning (important, since many firewalls block ping and nmap will abort the scan if the host is not pingable)
  • -sF sends a FIN packet and sees whether the host answers; RFC 793 states that the system should send back a RST for all closed ports.
  • -sX Xmas tree scan.
  • -sN like the FIN scan: all closed ports should send back a RST packet.
  • -sU UDP scan: if an ICMP port unreachable packet is not received back, we can assume the host is listening on that port.

Download nmap:
nmap for Linux
nmap for Windows
