The -A option seemed the best choice for a first time user. -A enables host operating system and version detection, script scanning and a traceroute. For my local machine, the output looks like this:
[sodo@ogre ~]$ nmap -A localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-18 18:23 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00053s latency).
rDNS record for 127.0.0.1: ogre
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
ssh-hostkey: 1024 a3:bd:bf:bd:bd:6a:64:1a:f8:2d:11:56 (DSA)
_2048 77:8d:ab:86:98:30:05:28:41:53:30:78:db:a2:f7:9c (RSA)
80/tcp open http Apache httpd 2.2.15 ((Fedora))
_html-title: Test Page for the Apache HTTP Server on Fedora
111/tcp open rpcbind
rpcinfo:
100000 2,3,4 111/udp rpcbind
100024 1 34022/udp status
100000 2,3,4 111/tcp rpcbind
_100024 1 58402/tcp status
443/tcp open ssl/http Apache httpd 2.2.15 ((Fedora))
_html-title: Test Page for the Apache HTTP Server on Fedora
631/tcp open ipp CUPS 1.4
888/tcp open ssl/http 3ware 3DM2 Serial RAID http config 2.0
_sslv2: server still supports SSLv2
_html-title: 3ware 3DM2 - ogre - Summary
3306/tcp open mysql MySQL 5.1.47
mysql-info: Protocol: 10
Version: 5.1.47
Thread ID: 16
Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
Status: Autocommit
_Salt: i:$CfYg}]azzsSZ1(;1#
Service Info: Device: storage-misc
Not that I didn't know this information, but it is interesting that you can find out quite a bit about a machine just by doing a portscan with nmap. In the example above, I can see that I have the following ports open and available (at least to the localhost):
-port 22 (SSH)
-port 80 (HTTP or the apache daemon)
-port 111 (RPC)
-port 443 (HTTPS via apache again)
-port 631 (CUPS, the linux printing system)
-port 888 (3Ware RAID web configuration tool)
-port 3306 (mysql web-based configuration utility)
Cool. Now if I change nmap to use the IP of my workstation instead of the loopback (localhost) address, you'll see that some of the information that was available at the localhost is not available at the proper IP of the box:
[sodo@ogre ~]$ nmap -A 192.168.1.8
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-18 18:49 EST
Nmap scan report for ogre (192.168.1.8)
Host is up (0.00055s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
ssh-hostkey: 1024 a3:d6bf:bd:bd:6a:64:1a:f8:2d:11:56 (DSA)
2048 77:8d:ab:86:98:30:05:28:41:53:30:78:db:a2:f7:9c (RSA)
80/tcp open http Apache httpd 2.2.15 ((Fedora))
_html-title: Test Page for the Apache HTTP Server on Fedora
111/tcp open rpcbind
rpcinfo:
100000 2,3,4 111/udp rpcbind
100024 1 34022/udp status
100000 2,3,4 111/tcp rpcbind
_100024 1 58402/tcp status
443/tcp open ssl/http Apache httpd 2.2.15 ((Fedora))
_html-title: Test Page for the Apache HTTP Server on Fedora
888/tcp open ssl/http 3ware 3DM2 Serial RAID http config 2.0
_html-title: 3ware 3DM2 - ogre - Summary
_sslv2: server still supports SSLv2
3306/tcp open mysql MySQL (Host blocked because of too many connections)
Service Info: Device: storage-misc
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.12 seconds
Here is another device on my network, a Motorola NIM 100 ethernet over cable bridge that actually has telnet and a web service up and available:
[sodo@ogre ~]$ nmap -A 192.168.1.3
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-18 18:00 EST
Nmap scan report for 192.168.1.3
Host is up (0.00070s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
80/tcp open http Boa httpd
robots.txt: has 1 disallowed entry
_/
_html-title: Ethernet Coax Bridge - Login
Service Info: OS: Linux
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.39 seconds
Note that only two ports are open and available on the real IP of the box. Also, it is interesting that nmap shows "Service Info: OS: Linux" on the real IP address. You can use the -p switch to scan for a particular port on a device:
[sodo@ogre ~]$ nmap -p 80 -A 192.168.1.3
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-18 19:12 EST
Nmap scan report for 192.168.1.3
Host is up (0.0015s latency).
PORT STATE SERVICE VERSION
80/tcp open http Boa httpd
robots.txt: has 1 disallowed entry
_/
_html-title: Ethernet Coax Bridge - Login
The verbose (-v) switch to that last command will display exactly what nmap is doing..ping, DNS lookup, port connections, service scanning, script scanning, latency, count of closed ports and a summary of how many hosts nmap scanned and how long the scan took:
[sodo@ogre ~]$ nmap -v -A 192.168.1.3
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-18 18:00 EST
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 18:00
Scanning 192.168.1.3 [2 ports]
Completed Ping Scan at 18:00, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:00
Completed Parallel DNS resolution of 1 host. at 18:00, 0.03s elapsed
Initiating Connect Scan at 18:00
Scanning 192.168.1.3 [1000 ports]
Discovered open port 80/tcp on 192.168.1.3
Discovered open port 23/tcp on 192.168.1.3
Completed Connect Scan at 18:00, 1.11s elapsed (1000 total ports)
Initiating Service scan at 18:00
Scanning 2 services on 192.168.1.3
Completed Service scan at 18:00, 6.06s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.3.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.04s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.1.3
Host is up (0.00098s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
80/tcp open http Boa httpd
robots.txt: has 1 disallowed entry
_/
_html-title: Ethernet Coax Bridge - Login
Service Info: OS: Linux
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.88 seconds
With this basic information about a single host, I graduated to scanning the network using the CIDR notation for network subnetting. I left out the above machines in the output below. Also, before I did the nmap, I started a Mac and an old XP box that I had in the environment, just to see what a really insecure Windows machine looks like.
[sodo@ogre ~]$ nmap -A 192.168.1.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-18 18:46 EST
Nmap scan report for mac (192.168.1.12)
Host is up (0.0085s latency).
Not shown: 500 closed ports, 494 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.2 (protocol 1.99)
_sshv1: Server supports SSHv1
ssh-hostkey: 2048 c:c4:b6:69:6c:4e:27:5c:5a:fe:fe:09 (RSA1)
2048 f1:ce:c0:3c:a0:83:db:24:0c:7d:8a:ca:48:41:ea:44 (DSA)
_2048 db:20:90:c5:5a:bc:3d:ea:cd:12:7b:17:03:79:6b:ad (RSA)
88/tcp open kerberos-sec Mac OS X kerberos-sec
548/tcp open afp Apple AFP (name: MACLTSODO; protocol 3.3; Mac OS X 10.5)
2170/tcp open tcpwrapped
49152/tcp open tcpwrapped
Service Info: OS: Mac OS X
Nmap scan report for xp (192.168.1.89)
Host is up (0.050s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 6.0.2600.2180
80/tcp open http Microsoft IIS webserver 5.1
_html-title: Site doesn't have a title (text/html).
_http-favicon:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
3389/tcp open microsoft-rdp Microsoft Terminal Service
Service Info: Host: computer; OS: Windows
Host script results:
smb-os-discovery:
OS: Windows XP (Windows 2000 LAN Manager)
Name: WORKGROUP\COMPUTER
_ System time: 2011-01-18 18:43:07 UTC-5
_nbstat: NetBIOS name: COMPUTER, NetBIOS user:
_smbv2-enabled: Server doesn't support SMBv2 protocol
You can see that the XP box has its pants down, so to speak. Lots of insecure services running..even the MAC address..eesh. (The names have been changed to protect the innocent.) Better turn that puppy off. So, you can see that we can gather quite a bit of information just by doing a portscan using nmap. Beware, people!
Rounding out the post, I was able to discover my new server at work using the -O switch. Not surprisingly, my Linux box at work was the most secure among all the Windows boxes nmap found with only one port open. Though, nmap did a good job at guessing the OS.
[sodo@computer ~]$ nmap -A 192.168.113.0/24
Interesting ports on 192.168.113.25:
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: D8:CA:2F:8E:FB:26 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purposefirewallWAProuter
Running (JUST GUESSING) : Linux 2.6.X (94%), Check Point Linux 2.4.X (87%), D-Link embedded (87%), Linksys embedded (87%), Peplink embedded (87%), Linksys Linux 2.4.X (86%)
Aggressive OS guesses: Linux 2.6.9 - 2.6.18 (94%), Linux 2.6.9 - 2.6.26 (94%), Linux 2.6.22 (Fedora Core 6) (92%), Linux 2.6.18 (CentOS 5, x86_64, SMP) (90%), Linux 2.6.17 - 2.6.28 (89%), Linux 2.6.18 (CentOS 5) (89%), Linux 2.6.18 (Centos 5.3) (89%), Linux 2.6.23 (89%), Linux 2.6.24 - 2.6.28 (89%), Linux 2.6.9 - 2.6.27 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Compare those results to the very revealing XP box:
[sodo@computer ~]$ nmap -A 192.168.113.2
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-19 10:12 EST
Nmap scan report for SODOWORK (192.168.113.2)
Host is up (0.0016s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
_ftp-anon: Anonymous FTP login allowed
22/tcp open ssh SCS sshd 5.3.2.10 (protocol 2.0)
_ssh-hostkey: 1536 cc:f7:a1:be:d8:c8:ed:f0:08:c0:3d:fc:bc (RSA)
25/tcp open smtp Microsoft ESMTP 6.0.2600.5512
80/tcp open http Microsoft IIS webserver 5.1
_html-title: Under Construction
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1074/tcp open msrpc Microsoft Windows RPC
2030/tcp open oracle-mts Oracle MTS Recovery Service
3389/tcp open microsoft-rdp Microsoft Terminal Service
5000/tcp open tcpwrapped
5631/tcp open pcanywheredata?
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8222/tcp open http VMware Server 2 http config
_html-title: VMware Server 2
8333/tcp open ssl/http VMware Server 2 http config
_html-title: VMware Server 2
Service Info: OS: Windows
Host script results:
_nbstat: NetBIOS name: SODOWORK, NetBIOS user:
smb-os-discovery:
OS: Windows XP (Windows 2000 LAN Manager)
Name: CORP\SODOWORK
_ System time: 2011-01-19 10:12:35 UTC-5
_smbv2-enabled: Server doesn't support SMBv2 protocol
Hope you enjoyed this exploration of nmap basics. It certainly was revealing for me!
TAG
Reference
http://nmap.org/
No comments:
Post a Comment