NMAP Tutorial

OS: Windows Alright NMAP is a popular scanner used for figuring out information about servers like what operating system they may be running on what ports are open. It offers a loggin system that allows a user to log all the results for their scanning session so they can pass it on to others For this tutorial I am going to just scan a single website and explain a common 'error' message some users may recieve. The website for this Tutorial i will be using is... www.meow.com some random site Now lets get started first off get nmap from our downloads section Got it okay scanned it okay fucked it okay now place these files in your system32 folder or a folder you store your CLI(command line interface) programs in. Open CMDand type nmap and you will get the following syntax and options... lun0s@~E:\cmds>nmap Nmap 4.20 ( http://insecure.org ) Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL : Input from list of hosts/networks -iR : Choose random targets --exclude : Exclude hosts/networks --excludefile : Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -P0: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers : Specify custom DNS servers --system-dns: Use OS's DNS resolver SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags : Customize TCP scan flags -sI : Idlescan -sO: IP protocol scan -b : FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p : Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast - Scan only the ports listed in the nmap-services file) -r: Scan ports consecutively - don't randomize SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity : Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) OS DETECTION: -O: Enable OS detection (try 2nd generation w/fallback to 1st) -O2: Only use the new OS detection system (no fallback) -O1: Only use the old (1st generation) OS detection system --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T[0-5]: Set timing template (higher is faster) --min-hostgroup/max-hostgroup : Parallel host scan group sizes --min-parallelism/max-parallelism : Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies probe round trip time. --max-retries : Caps number of port scan probe retransmissions. --host-timeout : Give up on target after this long --scan-delay/--max-scan-delay : Adjust delay between probes FIREWALL/IDS EVASION AND SPOOFING: -f; --mtu : fragment packets (optionally w/given MTU) -D : Cloak a scan with decoys -S : Spoof source address -e : Use specified interface -g/--source-port : Use given port number --data-length : Append random data to sent packets --ip-options : Send packets with specified ip options --ttl : Set IP time-to-live field --spoof-mac : Spoof your MAC address --badsum: Send packets with a bogus TCP/UDP checksum OUTPUT: -oN/-oX/-oS/-oG : Output scan in normal, XML, s: Output in the three major formats at once -v: Increase verbosity level (use twice for more effect) -d[level]: Set or increase debugging level (Up to 9 is meaningful) --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume : Resume an aborted scan --stylesheet : XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Insecure.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output MISC: -6: Enable IPv6 scanning -A: Enables OS detection and Version detection --datadir : Specify custom Nmap data file location --send-eth/--send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -V: Print version number -h: Print this help summary page. EXAMPLES: nmap -v -A scanme.nmap.org nmap -v -sP 192.168.0.0/16 10.0.0.0/8 nmap -v -iR 10000 -P0 -p 80 Now that is a decent amount of information there but you won't use it all in one day just take small steps for now and follow what I do if you wanna try more don't be afraid whats the worse that can happen... meow.com's admins get their cats to attack you AHAHHAHAAH Now if you run nmap with out admin privilages you will get the following error message.... lun0s@~E:\cmds>nmap www.meow.com Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-25 15:27 Eastern Daylight Time dnet: Failed to open device eth0 QUITTING! You will need to either have admin privilages or get an admin account password and do run ass by right clicking. Now typically i just get every port and then save it as an xml file so i will stick to that for now =P the command for nmap can be fairly long but in the end it is well worth it now time to map out meow.com and see what we can get The command i will be using can be changed and altered in any way you guys may want. nmap -p 1-65500 -sV -O -oX results.xml www.meow.com Port State Service Product Version Extra info 22 tcp open ssh OpenSSH 3.9p1 protocol 1.99 53 tcp open domain ISC Bind 9.2.4 80 tcp open http Apache httpd 2.0.52 (CentOS) 443 tcp open ssl OpenSSL As you can see they only have four ports open and we also get information about what services are running on them. From this we can see that their running Apache 2.0.52 The scan wasn't ment to get just the web server they are running but they services other ports maybe running so we could write/use exploits to make these work in our favour. Please if you are white hat don't bother looking to use this to secure your site nmap is an elite tool mwuahaha....We also get other information that might be useful like...Firewall statistics experiment and see what you can come up with have fun guys and thanks for reading.