Nmap on Linux


Nmap is a very powerful tool with lots of options and features to visualize your network. Check which services are running on various hosts and find suspicious malicious programs running in your network. Even though Nmap is the swiss-army knife for network scanning, most of its benefits can be gained by the average Network Administrator without diving deep in to its complications. Chances are, most of the time you will find yourself using common switches even if you know all of them.

The basic syntax for Nmap is:

nmap 192.168.0.1

the above command scans the given host with defaults - standard TCP connect method (-sT option) and known ports (those specified in the /etc/services file. You may need to scan a whole subnet, in which case you can use:

nmap 192.168.0.1/24
nmap 192.168.0.*

both the command would do the same here.

One of the simplest scan methods that I come up with almost every day is the Ping Scan:

nmap -sP 192.168.0.1
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2008-01-11 11:35 WIT
Host web.smiert.org (192.168.0.1) appears to be up.
MAC Address: 00:14:5E:1B:15:F0 (Unknown)
Nmap run completed -- 1 IP address (1 host up) scanned in 0.283 seconds

the -sP option simply pings the host and reports back whether the host is up or down. Run in the local network, it gives you some additional detail such as MAC Address and the Company for which the NIC card is registered. It is also possible to ping sweep your entire network by specifying a network address and the bitmask.

Stealth Scanning might come in handy too (-sS):

nmap -sS 192.168.0.1

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2008-01-11 11:36 WIT
Interesting ports on web.smiert.org (192.168.0.1):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
967/tcp open unknown
4444/tcp open krb524
8080/tcp open http-proxy
MAC Address: 00:14:5E:1B:15:F0 (Unknown)

Nmap run completed -- 1 IP address (1 host up) scanned in 0.353 seconds

The -sT method (default) makes a full connection to that port to see whether the port is open. But in a stealth scan a SYN packet is sent to the host and waits until a SYN from the target host is received to see whether the port is open or closed. In other words does not make a full connection, which reduces the chance of being seen on a target log file.

Scan specific ports and port ranges (-p) :

nmap -sS 192.168.0.1 -p 22,80,50-500

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2008-01-11 13:15 WIT
Interesting ports on web.smiert.org (192.168.0.1):
(The 448 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
MAC Address: 00:14:5E:1B:15:F0 (Unknown)

Nmap run completed -- 1 IP address (1 host up) scanned in 0.301 seconds

the above command scans the target host for ports 25, 80 and the range between 50 and 500.

OS detection (-O):

nmap -sS 192.168.0.1 -O

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2008-01-11 13:16 WIT
Interesting ports on web.smiert.org (192.168.0.1):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
967/tcp open unknown
4444/tcp open krb524
8080/tcp open http-proxy
MAC Address: 00:14:5E:1B:15:F0 (Unknown)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.18 - 2.6.4 (x86)
Uptime 36.737 days (since Wed Dec 5 19:35:30 2007)

Nmap run completed -- 1 IP address (1 host up) scanned in 2.366 seconds

the -O option displays the Operating System and its version running on target system. This may not be accurate and may sometimes fail to identify the target OS. But most of the time you’ll end up being lucky…trust me…!

Detect the version of running services (-sV):

nmap -sV 192.168.0.1

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2008-01-11 13:17 WIT
Interesting ports on web.smiert.org (192.168.0.1):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((Red Hat))
111/tcp open rpcbind 2 (rpc #100000)
443/tcp open ssl/http Apache httpd 2.0.52 ((Red Hat))
967/tcp open rpc
4444/tcp open krb524?
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:14:5E:1B:15:F0 (Unknown)

Nmap run completed -- 1 IP address (1 host up) scanned in 10.524 seconds

You may also use the -A switch to request Nmap to check for OS version as well as Services version which is easier. There are many other options such as -D (decoy), -sU (UDP scan), etc; not specified in this tutorial that might be useful to you. Please check the nmap documentation and evolve you knowledge on Nmap.

Popular posts from this blog

Howto configure boot device order on ILOM

To ensure the system can be installed using the DVD drive, the boot device order in the BIOS has to be configured correctly so that the DVD drive takes precedence over the internal hard drives. 1 Log into the ILOM. 2 Start the system if it is not already running: > start /SYS else reset the system: > reset /SYS 3 Log onto the system’s console: > start /SP/console 4 When prompted, press Esc 2 to enter setup. 5 Once the setup menu has loaded, navigate across to the Boot screen by using the right arrow key. 6 Using the down arrow key, select the Boot Device Priority item and press Enter. 7 Confirm that the item [CD/DVD] is higher in the list than the item [Hard Drive]. The order can be changed by selecting the relevant item and using the +/- keys to move the item up or down in the list. 8 Once the order is correct, save any changes made by pressing Esc and then navigate right to the Exit screen. Select the item Save Changes and Exit and press Enter, then confirm
Read more

SAN Switch Config Command

Login via console Fabric OS (swd77) swd77 console login: admin Password: Note: password default is "password" - set hostname swd77:admin> switchName swcdr1 Committing configuration... Done. swcdr1:admin> - set IP Address swcdr1:admin> ipaddrset Ethernet IP Address [192.168.0.25]: 192.168.0.11 Ethernet Subnetmask [255.255.255.0]: Fibre Channel IP Address [0.0.0.0]: Fibre Channel Subnetmask [0.0.0.0]: Gateway IP Address [192.168.0.25]: 0.0.0.0 Issuing gratuitous ARP...Done. 2008/07/14-18:46:43, [WEBD-1007], 494,, INFO, swcdr1, HTTP server will be restarted due to change of IP Address IP address is being changed...Done. Committing configuration...Done. - Configure basic parameter swcdr1:admin> switchDisable swcdr1:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] y Domain: (1..239) [1] 22008/07/14-18:50:40, [FW-1424], 24,, WARNING, swcdr1, Switch status changed from HEALTHY to MARGINAL. 2008/07/14-18:50:40, [FW-1439], 25,, WARNING, swcdr
Read more

Howto cstm on HP-UX

If we want to show all machine information, just use cstm. # cstm Running Command File (/usr/sbin/stm/ui/config/.stmrc). -- Information -- Support Tools Manager Version C.46.05 (C) Copyright Hewlett Packard Co. 1995-2002 All Rights Reserved Use of this program is subject to the licensing restrictions described in "Help-->On Version". HP shall not be liable for any damages resulting from misuse or unauthorized use of this program. cstm> Map all device in this system with : cstm> map Dev Last Last Op Num Path Product Active Tool Status === ==================== ========================= =========== ============= 1 system system (1014) Information Successful 2 memory IPF_MEMORY (1014) Information Successful ------------ We want to know info about memory information cstm>sel d 2 cstm>
Read more