issue162:c_c

https://nmap.org/

Blurb: “Nmap (‘Network Mapper’) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).”

Nmap is a tool I find very handy, even indispensable, but people often say it is difficult to use. For those people, there is Zenmap. The command-line nmap has a bit of a learning curve, but once you understand it, it is really great.

I sometimes have to get my bearings on a network before working. The more you know, the better your diagnostics will be. However, some clients have shifted to this global IT nonsense, where you cannot do anything on the network without first creating a ticket, waiting three days and supplying blood and stool samples for each thing you want to do. If you do not, the IDS and firewall will shut you down. On top of that the global IT gets it wrong anyway, as they have phone monkeys on the other end and not real IT people. This is where nmap shines. We can look at how to use nmap, how to sneak past IDS and defeat firewalls.

Let me scare some of you: type nmap in your terminal and just press enter. Look at all the options and read what it says. The rest of you say “Challenge Accepted!” with me. It goes without saying that you will be scanning your own home network and not fbi.gov.

Before we talk about nmap’s options, I want you to head over to this website and read what a three-way handshake is: https://www.geeksforgeeks.org/tcp-3-way-andshake-process/ - The better you know the underlying process, the easier you will pick up nmap. Feel free to read all the sections down the side of that page.

Now, nmap is known as a port scanner, but it is more than that. Most of the time, I simply use it to scan for live hosts and pipe the output to a text file. Security researchers and penetration testers will use it in another way. The most common “port scan” I use is port 53 (DNS). Here is a list of common ports:

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

or:

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Why am I telling you to look at port numbers? Well, with nmap you may just want to scan for a specific port, say SSH on port 22, or the lazy admin’s obfuscation port 2222. Also, ‘port’ is easy to remember, as its switch is -p. Thus nmap -p 22 192.168.0.0/24 will scan for that port only on my network. By contrast, scan the same network without the “-p 22” and see how much longer it takes. You can also scan a range of ports, simply by specifying the start and end port, like so: “-p 22-53”.

By default, nmap only scans the 1000 most common ports, so if you need to scan them all, you would use the “-p-” switch before the host IP. It is a good idea to do this against your IoT devices, to see what is open (that should not be). This is a long scan, so it is best to do it against one IP at a time.

Speaking of time, there is a time option in nmap too. You use the “-T” switch to set the time to wait for a response. However, the range is from 0-5, zero to five, and five waits the least time (5ms) for an answer. In other words, 0 waits almost indefinitely; just kidding, but it feels that way. Most of the time I use T4 (recommended by nmap themselves) and usually skip the others. Feel free to try them too.

To pipe your output to a file, simply add the redirector and the name of your file to the end of your query (example: nmap -p 22 192.168.1.1 > router.txt).

This article is pretty much hands-on: you need to open a terminal and scan your network, router, or another live PC on your network.

By now you have tried:

nmap

nmap -p 22 <your IP range here>

nmap -p 22-53 <your IP range here>

nmap -T5 <your single IP address here>

nmap -T4 <your single IP address here>

nmap -p- <your single IP address here>
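The commands above are the whole procedure: pick a port, a range, every port, or a timing template, then run the scan and keep the output. The script below is an added example written for this column (it is not code from Full Circle or from the nmap project). It builds those command lines from a few parameters, checks the values before anything is run, and pulls the live hosts and open ports out of a saved scan so you do not have to read the text file by eye. It assumes nmap’s real -p, -p-, -T and -oG (grepable output) options; the scan text inside it is a constructed sample, not a capture from a real network.

```shell
#!/bin/sh
# Added example for this column (not code from Full Circle or the nmap project):
# build the scan commands walked through above and pull live hosts and open
# ports out of a saved scan. Assumptions: nmap's real -p, -p-, -T and -oG
# (grepable output) options; the scan text below is a constructed sample,
# not a real capture.

# build_scan KIND TARGET [VALUE] prints the nmap command line without running it.
#   port    VALUE is a single port (22) or a range (22-53)  -> nmap -p VALUE TARGET
#   all     every port; slow, so best against one host      -> nmap -p- TARGET
#   timing  VALUE is a timing template 0-5                  -> nmap -TVALUE TARGET
build_scan() {
    kind=$1; target=$2; value=$3
    case "$kind" in
        port)
            case "$value" in
                ''|*[!0-9-]*) echo "port must be N or N-M" >&2; return 1 ;;
            esac
            printf 'nmap -p %s %s\n' "$value" "$target" ;;
        all)
            printf 'nmap -p- %s\n' "$target" ;;
        timing)
            case "$value" in
                [0-5]) printf 'nmap -T%s %s\n' "$value" "$target" ;;
                *) echo "timing template must be 0-5" >&2; return 1 ;;
            esac ;;
        *)  echo "unknown scan kind: $kind" >&2; return 1 ;;
    esac
}

# scan_to_file TARGET OUTFILE [nmap options...] runs nmap for real (only if it
# is installed) and saves grepable output, which the two parsers below read.
scan_to_file() {
    target=$1; out=$2; shift 2
    command -v nmap >/dev/null 2>&1 || { echo "nmap is not installed" >&2; return 1; }
    nmap "$@" -oG "$out" "$target" >/dev/null
}

# Constructed sample of -oG output: one Status line and one Ports line per host.
SAMPLE_SCAN='# Nmap scan (constructed sample for this example, not a real capture)
Host: 192.168.0.1 (router.lan)  Status: Up
Host: 192.168.0.1 (router.lan)  Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///  Ignored State: closed (998)
Host: 192.168.0.7 (nas.lan)     Status: Up
Host: 192.168.0.7 (nas.lan)     Ports: 2222/open/tcp//ssh///  Ignored State: closed (999)
Host: 192.168.0.9 ()    Status: Down
# Nmap done'

# live_hosts reads grepable output on stdin and prints one IP per host that is up.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# hosts_with_open_port PORT prints the IPs whose Ports line reports PORT open.
# The leading space in the needle keeps 22 from matching 2222.
hosts_with_open_port() {
    awk -v p="$1" '/^Host:/ && /Ports:/ && index($0, " " p "/open/") { print $2 }'
}

# Demo when run directly: live hosts in the sample, then the hosts with 22 open.
printf '%s\n' "$SAMPLE_SCAN" | live_hosts
printf '%s\n' "$SAMPLE_SCAN" | hosts_with_open_port 22
```

To use it against your own network, run `scan_to_file 192.168.0.0/24 lan.txt -p 22` and then `live_hosts < lan.txt` or `hosts_with_open_port 22 < lan.txt`; the parsers only ever read a file, so you can re-run them as often as you like without scanning again.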

There is another “time” you need to know about, and that is the Round Trip Time (RTT). This is the time it takes your packets to make a round trip. To see what it is, simply ping any website. The first value is TTL (Time To Live); if you are unsure what that is, it is the time in seconds, given to the data, to live, so it doesn’t bounce around the network forever and ever. The next value you get is a time in milliseconds; that is what you are after. You are able to set this time too, extending the time you wait for your packet to return. You use the rtt-timeout switch, but you need a prefix. For now I will cover only the “initial” timeout. Therefore, the switch is --initial-rtt-timeout (two dashes at the beginning), and you need to give the value in milliseconds. Example: nmap --initial-rtt-timeout 200ms canonical.com. You can also set the maximum timeout, but we will cover that later.
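Reading the ping reply by eye and typing the number into --initial-rtt-timeout works, but a couple of lines of shell can do the reading for you. This is an added example for this column, not code from Full Circle or the nmap project. It pulls the TTL and time fields out of ping output, finds the slowest reply, and prints the --initial-rtt-timeout argument. The sizing rule (twice the slowest reply, rounded up, never below 100 ms) is my own assumption and not anything nmap prescribes; the ping text inside it is a constructed sample using a documentation address, not a real reply from canonical.com.

```shell
#!/bin/sh
# Added example for this column (not code from Full Circle or the nmap project):
# read the RTT from ping output and turn it into nmap's --initial-rtt-timeout
# argument. Assumptions: ping's "ttl=NN time=NN ms" reply format, nmap's real
# --initial-rtt-timeout option, and a sizing rule of my own (twice the slowest
# reply, never below 100 ms). The ping text below is a constructed sample.

# Constructed sample; 192.0.2.10 is a documentation address, not canonical.com.
SAMPLE_PING='PING canonical.com (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=52 time=23.4 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=52 time=25.1 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=52 time=24.0 ms

--- canonical.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss'

# ping_fields reads ping output on stdin and prints "TTL RTT_MS" for each reply,
# the two values the column tells you to look at.
ping_fields() {
    awk 'match($0, /ttl=[0-9]+/) {
             ttl = substr($0, RSTART + 4, RLENGTH - 4)
             if (match($0, /time=[0-9.]+/)) {
                 rtt = substr($0, RSTART + 5, RLENGTH - 5)
                 print ttl, rtt
             }
         }'
}

# max_rtt_ms prints the slowest reply in milliseconds, or nothing if there were
# no replies at all (a dead host must not turn into a timeout of 0).
max_rtt_ms() {
    ping_fields | awk '{ if ($2 + 0 > max) max = $2 + 0; seen = 1 }
                       END { if (seen) printf "%.1f\n", max }'
}

# initial_rtt_flag prints the argument pair, e.g. "--initial-rtt-timeout 100ms".
# Sizing rule (my assumption, not nmap's): twice the slowest reply, rounded up
# to a whole millisecond, with a floor of 100 ms so a fast LAN does not get a
# timeout that one busy switch could blow through.
initial_rtt_flag() {
    max=$(max_rtt_ms)
    [ -n "$max" ] || { echo "no ping replies found" >&2; return 1; }
    ms=$(awk -v m="$max" 'BEGIN { t = int(m * 2); if (t < m * 2) t++; if (t < 100) t = 100; print t }')
    printf '%s %sms\n' '--initial-rtt-timeout' "$ms"
}

# Demo when run directly: the argument you would add to "nmap ... canonical.com".
printf '%s\n' "$SAMPLE_PING" | initial_rtt_flag
```

In practice you would feed it a real ping, for instance `ping -c 3 canonical.com | initial_rtt_flag`, and paste the printed argument into your nmap command; because the rule keys off the slowest reply rather than the average, a single laggy packet makes the timeout longer instead of causing nmap to miss a host.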

Let's use the five whys:

• Why would we use nmap in the first place?
  You need to reconnoitre the network.

• Why would we need to reconnoitre the network?
  We need to make informed problem determinations.

• Why do we need to make informed problem determinations?
  We can guess as to what the problem is, but it is always better to be sure. Sometimes one error can be very similar to another, and some equipment can behave erratically and flood your network.

• Why do we make sure?
  Problems with networks can do many things; if a client cannot access their website, it could be anything from DNS to a network loop. Time is money, and the sooner it is taken care of, the sooner business can resume.

• Why are there so many vectors?
  That’s why we have nmap!

Well I hope you enjoyed our toe-wetting session in nmap. Should you have any queries or comments, e-mail: misc@fullcirclemagazine.org

issue162/c_c.1604233623.txt.gz · Last modified: 2020/11/01 13:27 by auntiee