Run a Security Scan on Your Network with Nmap



The Network Mapper, or Nmap (nmap is the actual command), is an extremely useful tool for determining what is on your network: which UDP or TCP ports are open, which operating systems are running, which IP addresses are in use, and so on. It can be used for network inventory, security audits and more. If nothing else, it can be fun to run and see what is up and running on which machines and addresses on your network.

When a machine or host is scanned with nmap, the report lists the ports that were probed. Each port is shown in one of the following states:

  • Open – an application or program is running on the target machine and listening for packets on that port.
  • Filtered – a firewall or other network filtering device is blocking that port, so nmap cannot tell whether it is open or closed.
  • Closed – nothing is listening on the port.
  • Unfiltered – the scan could not determine whether the port is open or closed.

Use Nmap to Scan Your Machine for Open Ports

# yum install nmap
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: ftpmirror.your.org
 * epel: mirror.chpc.utah.edu
 * extras: mirror.hmc.edu
 * updates: mirrors.bluehost.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:5.51-3.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package        Arch             Version                   Repository      Size
================================================================================
Installing:
 nmap           x86_64           2:5.51-3.el6              base           2.7 M
Transaction Summary
================================================================================
Install       1 Package(s)
Total download size: 2.7 M
Installed size: 9.7 M
Is this ok [y/N]: y
Downloading Packages:
nmap-5.51-3.el6.x86_64.rpm      | 2.7 MB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2:nmap-5.51-3.el6.x86_64                                     1/1
  Verifying  : 2:nmap-5.51-3.el6.x86_64                                     1/1
Installed:
  nmap.x86_64 2:5.51-3.el6
Complete!

Run a simple nmap scan with default verbosity

# nmap www.uptimemadeeasy.com
Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:23 MST
Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.25)
Host is up (0.020s latency).
rDNS record for 10.1.1.25: bigmachine.uptimemadeeasy.com
Not shown: 993 filtered ports
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
783/tcp  closed spamassassin
993/tcp  open   imaps
8000/tcp closed http-alt
Nmap done: 1 IP address (1 host up) scanned in 4.83 seconds

Or use nmap to scan a complete network:

# nmap 10.1.1.0/24
Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:25 MST
Nmap scan report for 10.1.1.1
Host is up (0.00028s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https
MAC Address: D0:D0:FD:C2:B1:02 (Cisco Systems)

Nmap scan report for 10.1.1.2
Host is up (0.00024s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
199/tcp   open  smux
443/tcp   open  https
445/tcp   open  microsoft-ds
548/tcp   open  afp
873/tcp   open  rsync
2049/tcp  open  nfs
50000/tcp open  ibm-db2
MAC Address: 00:24:FD:C2:2F:E2 (Netgear)

Nmap scan report for 10.1.1.6
Host is up (0.0030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:25:24:0A:B0:98 (Dell)

Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.20)
Host is up (0.00020s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5900/tcp open  vnc
5901/tcp open  vnc-1
MAC Address: 00:19:24:FE:C9:29 (Dell)

Run Nmap in Verbose Mode

# nmap -v bigmachine.uptimemadeeasy.com

Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:33 MST
Initiating Ping Scan at 20:33
Scanning bigmachine.uptimemadeeasy.com (10.1.1.25) [4 ports]
Completed Ping Scan at 20:33, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:33
Completed Parallel DNS resolution of 1 host. at 20:33, 0.00s elapsed
Initiating SYN Stealth Scan at 20:33
Scanning www.uptimemadeeasy.com (10.1.1.25) [1000 ports]
Discovered open port 80/tcp on 10.1.1.25
Discovered open port 22/tcp on 10.1.1.25
Discovered open port 25/tcp on 10.1.1.25
Discovered open port 993/tcp on 10.1.1.25
Completed SYN Stealth Scan at 20:33, 4.59s elapsed (1000 total ports)
Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.25)
Host is up (0.021s latency).
rDNS record for 10.1.1.25: bigmachine.uptimemadeeasy.com
Not shown: 993 filtered ports
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
783/tcp  closed spamassassin
993/tcp  open   imaps
8000/tcp closed http-alt

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.70 seconds
           Raw packets sent: 1998 (87.884KB) | Rcvd: 31 (2.000KB)

Other Nmap Examples

# List Scan - just list the targets that will be scanned
nmap -sL 10.1.1.0/24

# Ping Scan - get a list of hosts that are up and running
nmap -sP 10.1.1.0/24

# Scan a Port Range on a specific machine
nmap -p1024-65535 10.1.1.25

# Detect the Operating System for a Host
nmap -O 10.1.1.25

# Put output into a "greppable" file format
nmap -O -oG myfile 10.1.1.0/24
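The greppable format exists so that scan results can be processed by scripts, which is what turns a one-off scan into an inventory check. The following is an added example (not code from the original article or from the Nmap project) that parses -oG output and flags every open TCP port that is not on a per-host allow-list, the way you would compare a scheduled scan of the 10.1.1.0/24 network above against what is supposed to be exposed. The sample .gnmap text is constructed here from the hosts and ports in that network scan, written the way nmap -oG lays them out without -O or -sV; the allow-list is a hypothetical policy made up for the example.

```python
"""Parse nmap greppable (-oG) output and flag exposed services that are not
on an allow-list. Added example; not part of the original article."""
import re
from dataclasses import dataclass, field

# Constructed sample: the hosts and open ports of the 10.1.1.0/24 scan above,
# as nmap -oG writes them. Fields on a Host line are tab-separated; each port
# entry is port/state/protocol/owner/service/rpcinfo/version/ (owner, rpcinfo
# and version are empty because the scan ran without -O or -sV).
SAMPLE_GNMAP = """\
# Nmap 5.51 scan initiated Tue Jan  7 20:25:00 2014 as: nmap -oG myfile 10.1.1.0/24
Host: 10.1.1.1 ()\tStatus: Up
Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (996)
Host: 10.1.1.2 ()\tStatus: Up
Host: 10.1.1.2 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 139/open/tcp//netbios-ssn///, 199/open/tcp//smux///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 548/open/tcp//afp///, 873/open/tcp//rsync///, 2049/open/tcp//nfs///, 50000/open/tcp//ibm-db2///\tIgnored State: closed (989)
Host: 10.1.1.6 ()\tStatus: Up
Host: 10.1.1.6 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.1.1.20 (bigmachine.uptimemadeeasy.com)\tStatus: Up
Host: 10.1.1.20 (bigmachine.uptimemadeeasy.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 5900/open/tcp//vnc///, 5901/open/tcp//vnc-1///\tIgnored State: closed (995)
# Nmap done at Tue Jan  7 20:25:04 2014 -- 256 IP addresses (4 hosts up) scanned in 4.12 seconds
"""

# Hypothetical allow-list of TCP ports each host is approved to expose.
# A host that is missing here has no approved ports, so everything it
# exposes gets reported.
EXPECTED_OPEN = {
    "10.1.1.1": {22, 80, 443},
    "10.1.1.2": {22, 80, 443, 2049},
    "10.1.1.6": {80},
    "10.1.1.20": {22, 80, 443},
}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str


@dataclass
class HostReport:
    ip: str
    hostname: str
    status: str = ""
    services: list = field(default_factory=list)


def parse_gnmap(text):
    """Return {ip: HostReport} built from nmap -oG text.

    Only 'Host:' lines carry data; '#' lines are run metadata. Every field
    after the host is 'Name: value', separated from its neighbours by a tab.
    """
    hosts = {}
    host_re = re.compile(r"Host: (\S+) \((.*?)\)")
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = host_re.match(fields[0])
        if not m:
            continue
        ip, name = m.groups()
        report = hosts.setdefault(ip, HostReport(ip, name))
        for fld in fields[1:]:
            key, _, value = fld.partition(": ")
            if key == "Status":
                report.status = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    # parts: port, state, protocol, owner, service, rpcinfo, version
                    report.services.append(
                        Service(int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts


def unexpected_open_ports(hosts, expected):
    """Return sorted (ip, port, service) tuples for open ports not allow-listed."""
    findings = []
    for ip, report in hosts.items():
        allowed = expected.get(ip, set())
        for svc in report.services:
            if svc.state == "open" and svc.port not in allowed:
                findings.append((ip, svc.port, svc.name))
    # Sort numerically by address, then by port, so reports are stable.
    return sorted(findings, key=lambda f: ([int(o) for o in f[0].split(".")], f[1]))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(f"{len(scan)} hosts up")
    for ip, port, name in unexpected_open_ports(scan, EXPECTED_OPEN):
        print(f"UNEXPECTED {ip}:{port}/tcp ({name})")
```

Run against the constructed sample, the check reports telnet on 10.1.1.1 and 10.1.1.6, the NFS-related and file-sharing ports on 10.1.1.2, and the two VNC listeners on 10.1.1.20. In practice the allow-list would live in version control and the script would run against the file produced by nmap -oG on a schedule, so that any newly exposed service shows up as a diff rather than being buried in a long port table.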