If you run a computer network, be it home WiFi or a global enterprise system, you need a way to investigate the machines connected to your network. When traceroute won't cut it, you need a port scanner.
nmap is the port scanner. It's a powerful, sophisticated tool, not to mention a movie star. The documentation on nmap is voluminous: there's an entire book, with a free online edition, as well as a detailed manpage. In this post I'll show you just a few of the cool things nmap can do.
The law and ethics of port scanning are complex. A network scan can be detected by humans or automated systems, and treated as a malicious act, resulting in real costs to the target. Depending on the options you choose, the traffic generated by nmap can range from "completely innocuous" to "watch out for admins with baseball bats". A safe rule is to avoid scanning any network without the explicit permission of its administrators — better yet if that's you.
You'll need root privileges on the scanning system to run most interesting scans, because nmap likes to bypass the standard network stack when synthesizing esoteric packets.
A firm handshake

Let's start by scanning my home network for web and SSH servers:
    root@lyle# nmap -sS -p 192.168.1.0/24
    Nmap scan report for 
    PORT STATE SERVICE
    /tcp filtered ssh
    /tcp open http
    Nmap scan report for 
    PORT STATE SERVICE
    /tcp filtered ssh
    /tcp filtered http
    Nmap scan report for 
    PORT STATE SERVICE
    /tcp open ssh
    /tcp closed http
    Nmap done: IP addresses ( hosts up) scanned in seconds
We pass -p to ask for a scan of the two TCP ports most commonly used by SSH and web servers. If you don't specify a port list, nmap will scan the most commonly-used ports. You can give a port range like -p1-5000, or even use -p- to scan all ports, but your scan will take longer.
We describe the subnet to scan using CIDR notation. We could equivalently write
-sS requests a TCP SYN scan, which is nmap's default when run as root (unprivileged users get a full connect scan instead). nmap will start a TCP handshake by sending a SYN packet. Then it waits for a response. If the target replies with SYN/ACK, then some program is accepting our connection. A well-behaved client would complete the handshake with an ACK, but nmap instead abandons the half-open connection and simply records the port as open. This makes a SYN scan both faster and more stealthy than a normal full connection: the listening application never sees an accepted connection, so nothing shows up in its logs. The target's kernel, any firewall and any IDS on the path still see the SYN, so "stealthy" only goes so far.

If the target replies with RST, then there's no service on that port, and nmap will record it as closed. Or we might not get a response at all. Perhaps a firewall is blocking our traffic, or the target host simply doesn't exist. In that case the port state is recorded as filtered.
You can scan UDP ports by passing -sU. There's one important difference from TCP: Since UDP is connectionless, there's no particular response required from an open port. Therefore nmap may show UDP ports in the ambiguous state open|filtered, unless you can prod the target application into sending you data (see below). A port that answers with an ICMP port unreachable is reported as closed, which is what makes UDP scans slow: many hosts rate-limit those ICMP replies.
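The port-state rules above, for TCP (open, closed, filtered) and UDP (open, closed, open|filtered), as an added example that is not part of the original post or of nmap itself: a small Python connect scanner and UDP prober run against throwaway local services constructed for the demo. Unlike a SYN scan it completes the handshake, which is exactly why the constructed TCP service's accept() count records the scan; that is the application-level trace a SYN scan avoids, while the kernel and any IDS still see every SYN. Assumptions: all targets live on 127.0.0.1, a 0.5 s timeout stands in for "no response", and the closed-port results depend on the host delivering RST and ICMP port-unreachable over loopback.

```python
import errno
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

HOST = "127.0.0.1"   # assumption: every target is a constructed local service

# connect() error codes that map onto nmap's TCP port states.
_CLOSED = {errno.ECONNREFUSED}
_FILTERED = {errno.EAGAIN, errno.EWOULDBLOCK, errno.ETIMEDOUT, errno.EHOSTUNREACH}

def tcp_probe(host, port, timeout=0.5):
    """Connect-scan one TCP port: full handshake, so the target's accept() fires."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except OSError:
            return "filtered"
    if rc == 0:
        return "open"        # SYN/ACK arrived and the kernel finished the handshake
    if rc in _CLOSED:
        return "closed"      # RST arrived
    if rc in _FILTERED:
        return "filtered"    # silence: dropped by a firewall, or no such host
    return "unknown(%d)" % rc

def udp_probe(host, port, payload=b"\x00", timeout=0.5):
    """UDP-scan one port: data back is open, ICMP port-unreachable is closed,
    silence is the ambiguous open|filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket so the ICMP error surfaces as an errno
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except socket.timeout:
            return "open|filtered"
        except ConnectionRefusedError:
            return "closed"

def scan(host, ports, probe, timeout=0.5, workers=32):
    """Probe several ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: probe(host, p, timeout=timeout), ports)))

def tcp_listener():
    """Constructed TCP service on an ephemeral port that logs every peer it accepts."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(8)
    accepted = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            accepted.append(peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], accepted

def udp_listener(echo):
    """Constructed UDP service: echoes datagrams if echo is True, otherwise stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(1024)
            except OSError:
                return
            if echo:
                srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port(kind):
    """A port nothing is bound to: bind to 0, read the number back, release it."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]

def demo():
    """Scan the constructed targets; returns both state maps, the ports used, and how
    many connections the TCP service's accept() saw (the trace a SYN scan would not leave)."""
    tcp_open, accepted = tcp_listener()
    tcp_closed = free_port(socket.SOCK_STREAM)
    udp_open, udp_silent = udp_listener(echo=True), udp_listener(echo=False)
    udp_closed = free_port(socket.SOCK_DGRAM)
    tcp = scan(HOST, [tcp_open, tcp_closed], tcp_probe)
    udp = scan(HOST, [udp_open, udp_silent, udp_closed], udp_probe)
    deadline = time.monotonic() + 2
    while not accepted and time.monotonic() < deadline:
        time.sleep(0.01)   # give the listener thread a moment to record the accept
    return {"tcp": tcp, "udp": udp, "accepted": len(accepted),
            "ports": (tcp_open, tcp_closed, udp_open, udp_silent, udp_closed)}

if __name__ == "__main__":
    result = demo()
    print(result["tcp"], result["udp"], "service accepted %d connection(s)" % result["accepted"])
```

The silent UDP listener comes back as open|filtered no matter how long you wait, which is the ambiguity the paragraph describes; only the echoing one is reported open, and only because it was prodded into sending data.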
To save time, nmap tries to confirm that a target exists before performing a full scan. By default it will send ICMP echo (the ubiquitous "ping") as well as TCP ACK packets. You can use the -P family of options to customize this host-discovery phase; -Pn skips it entirely and treats every address as up, which is what you want when a firewall swallows the pings.
nmap has the ability to generate all sorts of invalid, useless, or just plain weird network traffic. You can send a TCP packet with no flags at all (null scan, -sN) or one that's lit up "like a Christmas tree" (Xmas scan, -sX). You can chop your packets into little fragments (--mtu) or send an invalid checksum (--badsum). As a network administrator, you should know if the bad guys can confuse your security systems by sending weird packets. As the manpage advises, "Let your creative juices flow".
There's a second benefit to sending weird traffic: We can identify the target's operating system by seeing how it responds to unusual situations. nmap will perform this OS detection if you specify the -O option:

    root@lyle# nmap -sS -O 192.168.1.0/24
    Nmap scan report for 
    Not shown: filtered ports
    PORT STATE SERVICE
    /tcp closed telnet
    /tcp open http
    MAC Address: 00:1C:10:33:6B: (Cisco-Linksys)
    Device type: WAP|broadband router
    Running: Linksys embedded, Netgear embedded, Netgear VxWorks .X
    ...
    Nmap scan report for 
    Not shown: filtered ports
    PORT STATE SERVICE
    /tcp open netbios-ssn
    /tcp open microsoft-ds
    MAC Address: 00:1F:A:F:C: (Hon Hai Precision Ind.Co.)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running (JUST GUESSING) : Microsoft Windows Vista|2008|7 (98%)
    ...
    Nmap scan report for 
    All scanned ports on are closed
    MAC Address: 7C:61:93:53:9F:E5 (Unknown)
    Too many fingerprints match this host to give specific OS details
    TCP/IP fingerprint:
    SCAN(V=5.21%OT=%CT=1%CU=42921%PV=Y%DS=1%DC=D%G=N%M=7C6193%TM=4DCD)
    SEQ(CI=Z%II=I)
    T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    ...

Since the first target has both an open and a closed port, nmap has many protocol corner cases to explore, and it easily recognizes a Linksys home router. With the second target, there's no port in the closed state, so nmap isn't as confident. It guesses a Windows OS, which seems especially plausible given the open NetBIOS ports. In the last case nmap has no clue, and gives us some raw findings only. If you know the OS of the target, you can submit this fingerprint to the nmap project and help make its OS detection better.
Behind the port

It's all well and good to discover that a port is open, but what's actually listening there? nmap has a version detection subsystem that will spam a host's open ports with data in hopes of eliciting a response. Let's pass -sV to try this out:
    root@lyle# nmap -sS -sV 
    Nmap scan report for 
    Not shown: closed ports
    PORT STATE SERVICE VERSION
    /tcp open ssh OpenSSH p Debian (protocol )
    /tcp open http thttpd b 29dec2003
nmap correctly spotted an HTTP server on a non-standard port. The SSH server on the port usually reserved for HTTPS is also interesting. I find this setup useful when connecting from behind a restrictive outbound firewall. But I've also had network admins send me worried emails, thinking my machine has been compromised.

nmap also gives us the exact server software versions, straight from the server's own responses. This is a great way to quickly audit your network for any out-of-date, insecure servers. Bear in mind that the version string is whatever the server chooses to report: distributions often backport security fixes without bumping it, and an administrator can fake it outright, so treat it as a lead rather than proof.
Since a version scan involves sending application-level probes, it's more intrusive and can cause more trouble. From the book:
In the nmap-service-probes included with Nmap the only ports excluded are TCP port through . These are common ports for printers to listen on and they often print any data sent to them. So a version detection scan can cause them to print many pages full of probes that Nmap sends, such as SunRPC requests, help statements, and X probes.
This behavior is often undesirable, especially when a scan is meant to be stealthy.
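What -sV's probe-and-match loop looks like in miniature, as an added example that is not part of the original post and not nmap's own code: a two-entry stand-in for the nmap-service-probes database (a NULL probe that just listens for services that speak first, and an HTTP GET probe), run against two constructed local services, one that greets with an SSH-style banner and one that answers HTTP. It also models the Exclude list the quoted passage describes; the specific range used for it, the JetDirect printer ports 9100-9107, is my assumption, as are the banner and Server header strings, which are made up for the demo.

```python
import re
import socket
import threading

HOST = "127.0.0.1"   # assumption: targets are constructed local services

# Tiny stand-in for nmap-service-probes: (probe name, bytes to send, match rules).
# The NULL probe sends nothing and listens for services that speak first, like SSH;
# GetRequest is for services that wait for the client, like HTTP.
PROBES = [
    ("NULL", b"", [
        (re.compile(rb"^SSH-([\d.]+)-OpenSSH_(\S+)"), "ssh", "OpenSSH {1} (protocol {0})"),
    ]),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n", [
        (re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: ([^\r\n]+)", re.S), "http", "{0}"),
    ]),
]

# Ports never probed, mirroring the Exclude line the quoted passage describes.
# Assumption: the JetDirect printer range 9100-9107.
EXCLUDED = set(range(9100, 9108))

def _exchange(host, port, payload, timeout):
    """Connect, send the probe (possibly nothing), read until EOF or timeout."""
    data = b""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        if payload:
            s.sendall(payload)
        try:
            while len(data) < 4096:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass   # silent or slow service: match on whatever arrived
    return data

def version_probe(host, port, timeout=0.5):
    """Return (service, version) for a port, trying each probe in turn."""
    if port in EXCLUDED:
        return ("excluded", None)
    for _name, payload, rules in PROBES:
        try:
            data = _exchange(host, port, payload, timeout)
        except ConnectionRefusedError:
            return ("closed", None)
        except OSError:
            return ("filtered", None)
        for regex, service, template in rules:
            m = regex.search(data)
            if m:
                return (service, template.format(*(g.decode() for g in m.groups())))
    return ("unknown", None)

def fake_server(banner=None, responder=None):
    """Constructed local service: sends a banner on connect, or answers one request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(8)

    def handle(conn):
        with conn:
            if banner is not None:
                conn.sendall(banner)
                return
            request = conn.recv(4096)
            if request:            # the NULL probe sends nothing and just hangs up
                conn.sendall(responder(request))

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Probe a constructed SSH-style and HTTP-style service; returns results and ports."""
    ssh_port = fake_server(banner=b"SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n")
    http_port = fake_server(responder=lambda req: (
        b"HTTP/1.0 200 OK\r\nServer: thttpd/2.29\r\nContent-Length: 0\r\n\r\n"))
    return {p: version_probe(HOST, p) for p in (ssh_port, http_port)}, ssh_port, http_port

if __name__ == "__main__":
    results, ssh_port, http_port = demo()
    for port, (service, version) in results.items():
        print("%d/tcp open %s %s" % (port, service, version or ""))
```

Note the cost of the NULL probe against the HTTP service: it waits out the whole timeout before moving on to GetRequest, and every probe that does get sent lands on the application as real input. That is the "more intrusive" part, and the Exclude check is the only thing standing between a scan and a printer spitting out pages of probes.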
Trusting the source

It's a common (if questionable) practice for servers or firewalls to trust certain traffic based on where it appears to come from. nmap gives you a variety of tools for mapping these trust relationships. For example, some firewalls have special rules for traffic originating on ports 53, 67, or 20. nmap lets you set the source port of its TCP and UDP packets, so you can check whether such a rule is in play.
You can also spoof your source IP address using -S, and the target's responses will go to that fake address. This normally means that nmap won't see any results. But these responses can affect the unwitting source machine's IP protocol state in a way that nmap can observe indirectly. You can read about nmap's TCP idle scan (-sI, which watches the IP ID counter of a "zombie" host) for more details on this extremely clever technique. Imagine making any machine on the Internet — or your private network — port-scan any other machine, while you collect the results in secret. Can you use this to map out trust relationships in your network? Could an attacker?