Nmap is command-line driven, which facilitates scripting and post-run analysis. The application output shows the host, the state of each port (open, closed, or filtered), and the service name associated with that port. Note that in a basic scan the service column is a lookup of the port number in the nmap-services table, not the result of talking to the service; a daemon bound to a nonstandard port will be mislabeled.
How Nmap Works
You can run Nmap interactively or from the command line by using a set of switches to govern its operation. After you install Nmap, go to a command prompt and change to your Nmap directory. (If you use Nmap frequently, consider adding that directory to your PATH variable.) Run Nmap alone, with no arguments, to print its command syntax. Figure 1 shows the syntax for the basic command-line switches. The following four basic Nmap scan types should get you started on mapping your network. (More advanced scans that Nmap supports are described in the Nmap Help file and on the Insecure.Org Web site.)
- TCP connect() port scan (-sT switch)
- TCP SYN (synchronize) stealth port scan (-sS switch)
- UDP port scan (-sU switch)
- Ping scan (-sP switch; current Nmap releases call this -sn and still accept -sP as an alias)
To map a network from the Win32 version of Nmap, I've found the Ping scan and the TCP SYN scan to be the most practical. The Ping scan sends an Internet Control Message Protocol (ICMP) echo request packet and a TCP acknowledge (ACK) packet to each address to determine whether a host is up, without probing any ports; it's useful for counting the hosts on a given subnet before you spend time port-scanning them.

The best way to understand the TCP SYN scan is to compare it with the TCP connect() scan. In a TCP connect() scan, the scanner uses the OS's native connect() system call to open a full TCP connection. In other words, the scanner completes the three-way handshake (SYN, SYN-ACK, ACK) between the two hosts. A fully executed handshake indicates that the remote port is open; because the connection is fully established, the application listening on that port sees it (and often logs it) before the scanner closes it. The TCP SYN scan instead creates a half-open connection: it builds the SYN packet itself, and the exchange ends with a reset (RST) in place of the final ACK (SYN, SYN-ACK, RST). If the remote host is listening and the port is open, the remote host responds with a SYN-ACK and the scanning host tears the half-open connection down with an RST, so the remote application never receives a connection. If the port is closed, the remote host answers the SYN with an RST and Nmap moves to the next port. If nothing comes back at all, Nmap retransmits and eventually reports the port as filtered. Because the SYN scan crafts its own packets rather than using the OS's TCP stack, it needs raw-packet access: root or administrative privileges on UNIX, and a packet-capture driver such as WinPcap or Npcap on Windows.

I found the TCP SYN scan to work significantly faster than the TCP connect() scan. As Figure 2 shows, with the default timing options, scanning one host on a LAN took Nmap less than 1 second for the Ping scan (at callout A in Figure 2), about 1 second for the TCP SYN scan (at callout B), and slightly longer than 6 minutes for the TCP connect() scan (at callout C).
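To make the connect() mechanics concrete, here is an added example in Python (illustrative code, not part of Nmap) that does what -sT does: it asks the OS for a full handshake on each port and classifies the port from the outcome (connection established: open; RST, surfaced as "connection refused": closed; no answer or an ICMP error: filtered). It also carries a per-host deadline modelled on the -host_timeout switch discussed later on this page. The -sS half-open scan needs raw sockets and is deliberately not reproduced. The local listener, the refusing socket and the port numbers in demo() are constructed so the example runs offline; the function names are mine.

```python
import socket
import time


def classify_connect(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host.

    Uses the OS connect() call exactly as -sT does: an established connection
    means the full SYN, SYN-ACK, ACK handshake completed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))      # kernel completes SYN, SYN-ACK, ACK
        return "open"
    except ConnectionRefusedError:
        return "closed"              # peer answered our SYN with RST
    except socket.timeout:
        return "filtered"            # nothing came back: something dropped the SYN
    except OSError:
        return "filtered"            # e.g. ICMP unreachable surfaced as a host/net error
    finally:
        # For an open port this tears down a fully established connection that
        # the remote application has already seen; -sS never gets that far.
        s.close()


def connect_scan(host, ports, timeout=1.0, host_timeout=None):
    """Scan ports on one host in order.

    host_timeout (seconds) models Nmap's per-host timeout: once the deadline
    passes, the remaining ports are skipped and the host is flagged as timed
    out (a probe already in flight still runs to its own timeout).
    Returns (results, timed_out) where results maps port -> state.
    """
    deadline = None if host_timeout is None else time.monotonic() + host_timeout
    results = {}
    for port in ports:
        if deadline is not None and time.monotonic() >= deadline:
            return results, True
        results[port] = classify_connect(host, port, timeout)
    return results, False


def demo():
    """Constructed local setup (not a real network): one listening port and one
    bound-but-not-listening port on 127.0.0.1.  Returns the two states and the
    timed-out flag."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    listener.listen(1)                  # backlog lets connect() finish without accept()
    open_port = listener.getsockname()[1]

    refuser = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    refuser.bind(("127.0.0.1", 0))      # bound but never listen()ed: our SYN gets an RST
    closed_port = refuser.getsockname()[1]
    try:
        results, timed_out = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
        refuser.close()
    return results[open_port], results[closed_port], timed_out


if __name__ == "__main__":
    print(demo())   # ('open', 'closed', False)
```

Pointing connect_scan at a host behind a firewall that silently drops packets shows why the page's connect() timings are so much worse than the SYN scan's: every filtered port costs a full socket timeout, and the OS retransmits the SYN several times before giving up.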
Next, choose the IP address range and ports that you want to scan. The interface supports flexible syntax. For example, to scan the 192.168.0 network, you can enter any address in it followed by a /24 prefix length (e.g., 192.168.0.0/24, which covers all 256 addresses from 192.168.0.0 through 192.168.0.255) or an octet range such as 192.168.0.0-255. Optionally, you can use the -p switch to specify the ports you want to scan. If you don't specify which ports to scan, Nmap defaults to scanning ports 1 through 1024, in addition to the higher ports listed in nmap-services. (Current Nmap releases instead default to the 1,000 most commonly used ports from nmap-services; use -p- to scan all 65,535.)
To see what Nmap is doing while it's running, you can use the verbose mode (the -v switch or the -vv switch for even more detail). For example, the Nmap command
C:\>nmap -sS 192.168.0.1-255 -p 20,21,53-110,30000- -v
performs a TCP SYN scan, in verbose mode, on hosts 192.168.0.1 through 192.168.0.255 to determine whether any services are listening on ports 20, 21, 53 through 110, and 30000 and higher. (Write the port list without spaces; a space would end the -p argument and Nmap would try to interpret the rest as a target.)
Similarly, the command
C:\>nmap -sS 192.168.0.1/24 -p 80
scans the 192.168.0 subnet for any servers (e.g., Web servers) listening on port 80.
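The two command lines above rely on Nmap's target and port syntax. The following added example (my own Python, not Nmap code) expands that syntax the way Nmap does: -p lists and ranges, with an omitted range start meaning 1 and an omitted end meaning 65535 (so "-" alone is every port), CIDR targets that cover the whole block regardless of which host address precedes the slash, and octet ranges. It goes slightly beyond the page in allowing a range or "*" in any of the four octets, which is Nmap's general rule; the function names are mine.

```python
import ipaddress
import itertools

MAX_PORT = 65535


def parse_ports(spec):
    """Expand an Nmap-style -p value such as '20,21,53-110,30000-' into a
    sorted list of port numbers.  In a range, an omitted start means 1 and an
    omitted end means 65535, so '-' alone means every port (-p-).
    Whitespace is stripped so a pasted spec with spaces still parses here; on
    the real command line a space would split the argument in two."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else MAX_PORT
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("bad port range %r" % item)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def _octet_values(token):
    """One dotted-quad field: '5', '1-254', '-' (0-255) or '*' (0-255)."""
    if token == "*":
        return range(256)
    if "-" in token:
        lo, hi = token.split("-", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 255
    else:
        lo = hi = int(token)
    if not 0 <= lo <= hi <= 255:
        raise ValueError("bad octet range %r" % token)
    return range(lo, hi + 1)


def parse_targets(spec):
    """Expand a target spec into a list of dotted-quad strings.

    Accepts CIDR ('192.168.0.1/24' covers all 256 addresses of the /24,
    whichever host address is written before the slash) and per-octet ranges
    ('192.168.0.1-255', or '10.0.0-1.1' for a range in any field).
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)   # strict=False: host bits allowed
        return [str(addr) for addr in net]               # includes .0 and .255, as Nmap does
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError("expected four dotted fields in %r" % spec)
    return [".".join(str(o) for o in combo)
            for combo in itertools.product(*(_octet_values(f) for f in fields))]


if __name__ == "__main__":
    print(len(parse_targets("192.168.0.1-255")), "hosts,",
          len(parse_ports("20,21,53-110,30000-")), "ports")
```

Running the page's own spec through parse_ports shows how quickly an open-ended range grows: "30000-" alone is 35,536 ports per host, which is worth knowing before you multiply it by 255 hosts.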
Nmap's -host_timeout <milliseconds> switch is useful for an initial reconnaissance of a network: once the scan of a single host has run for the specified time, Nmap gives up on that host, reports it as timed out, and moves on. (Current Nmap releases spell this --host-timeout and accept a unit suffix, e.g., --host-timeout 10s.) You can use this switch with other command-line switches, as this example shows:
C:\>nmap -sS -host_timeout 10000 192.168.0.1
Different network devices, such as routers and firewalls, might block or filter ports and prevent access to or across that device. An open or closed port answers a probe immediately (with a SYN-ACK or an RST), but a filtered port silently drops it, so Nmap must wait for a timeout and retransmit before it can classify the port. A device with many filtered ports (e.g., a network printer, a network router with port filtering enabled) therefore takes much longer to map, and setting this parameter might reduce your network scan times considerably. Nmap notes which hosts time out, so you can pay individual attention to those devices later without slowing down your broad scan. Depending on the number of filtered ports on your networked systems, this approach could save you a lot of time.
Figure 3, page 10, shows sample output from a scan configured with a 5-second timeout. Of the 12 hosts scanned, I would investigate or rescan the three hosts that timed out. The same scan with a 10-second timeout took 45 seconds to complete and resulted in only one skipped host. The same scan without the -host_timeout switch took close to 5 minutes to complete.