In the world of vulnerability management you really can’t get away from using the king of all port scanners, Nmap. Nmap is one of those tools that you need to have and be familiar with. It’s such a powerful utility I don’t know how I could do my job without it. It’s free, community supported and simple. By simple I mean the interface: you can use the command line or a GUI built on top of it, but that does not mean there isn’t a learning curve. Nmap has capabilities well beyond simple pinging and port scanning. Over my years of using it I have collected several commands I use regularly and am posting them here for reference.
The full guide to nmap can be found here and there are several sites dedicated to nmap and vulnerability scanning as well. The reference guide below is for the command line; you can type these commands into the GUI too, but there are other steps to follow there. I may add a GUI reference in a later post, but I primarily use the command line.
Below I use xx.xx.xx.xx/xx to represent an IP address or range in CIDR format. You can scan an individual IP address, several addresses or a range. Refer to the reference guide for the target format and for the details of the specific switches mentioned below. This is a quick reference guide; it is not intended to detail each switch used. Everything is case-sensitive.
nmap -sV -T4 -F -O -oX scan.xml xx.xx.xx.xx/xx
Find open ports, determine the services on those ports and the Operating System version for the IP range, and write the results as XML. Note that -oX must be followed by an output filename (scan.xml above is just a placeholder); without it nmap would treat the target as the filename.
nmap -sP xx.xx.xx.xx/xx
Simple Ping Scan. This sends ICMP echo requests, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to all hosts in the specified IP range. The return is all the IPs that responded. This command does not require root privileges; however, when run as root nmap will also send ARP requests on the local network. (Newer versions of nmap spell this switch -sn; -sP is still accepted as the older name.)
nmap xx.xx.xx.xx/xx
Scan for open ports. This is the default scan for nmap (no switches beyond the target) and, as the command is written, it can take significant time to complete. It sends a TCP SYN to the 1000 most common ports on every defined host, along with an ICMP echo request to determine whether the host is up. It will also attempt a DNS lookup for each host.
nmap -O xx.xx.xx.xx
Determine the Operating System. The -O switch can be added to any nmap scan and it will try to determine the Operating System running on the targeted hosts. This is not 100% accurate, as it’s a ‘best guess’ from nmap’s analysis of the responses to its TCP SYN port scan. This does require root privileges.
nmap -sL xx.xx.xx.xx/xx
Identify hostname. A simple reverse DNS query for the specified IP range. This will look up the host names of the hosts without sending packets directly to each one.
nmap -sS -sU -Pn xx.xx.xx.xx/xx
TCP SYN and UDP Scans. This command will take some time to complete but it’s unobtrusive and stealthy. It checks about 2,000 common TCP and UDP ports (1,000 of each) to see if they respond. The -Pn switch skips the ping and assumes the hosts are up, which is useful if firewalls are blocking ICMP replies. This command requires root. To scan all the ports, add -p 1-65535 to the command.
nmap -T4 -A xx.xx.xx.xx/xx
Aggressive Scan. This command is very obtrusive and aggressive. The -A switch tells nmap to perform OS and version detection (it also runs the default scripts and a traceroute), and -T4 is the timing template: 0 is slow and stealthy, up to 5 which is fast and obvious.
nmap -T4 -F xx.xx.xx.xx/xx
Fast scan. The -F switch limits the scan to the 100 most common ports. This is used to quickly scan hosts to see whether common ports are open that shouldn’t be.
nmap -v xx.xx.xx.xx/xx
Verbose. Adding the -v switch to any command puts nmap in verbose mode and provides great detail on what it is doing. For some types of scans the verbose output provides more detail than the reports do.
nmap -sO xx.xx.xx.xx/xx
IP Protocol scan. This scan determines which IP protocols (TCP, ICMP, IGMP, etc.) each host supports.
The commands listed above will get you well on your way to gathering significant amounts of information about your environment, and may deliver a few surprises. Nmap is a required security tool in my opinion; there is never a scenario where I don’t use it to confirm or identify a system’s configuration or the traffic flowing through it. Even when systems are fully patched you can still have a vulnerability if a system is set up to do things you didn’t intend it to, such as running a web server on a database server or having FTP open on your LDAP server. Things like that will bite you just as hard as an un-patched security vulnerability.
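One way to act on that last point is to feed the XML that -oX writes into a script that compares each host’s open ports against the role the host is supposed to have, so a web server on a database box or FTP on an LDAP server shows up as a finding rather than being buried in the report. This is an added example, not code from the original post: the XML below is a constructed sample in nmap’s -oX layout (not real scan output), and the role allowlist and host-to-role mapping are assumptions that an asset inventory would normally supply.

```python
"""Parse nmap -oX output and flag open ports that do not fit a host's intended role.

Added example. SAMPLE_XML is a constructed, trimmed sample of nmap's XML format;
ROLE_ALLOWLIST and HOST_ROLES are assumed values standing in for an inventory.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 10.0.0.0/29` might write (trimmed).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="db01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <hostnames><hostname name="ldap01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="636"><state state="filtered"/><service name="ldapssl"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed allowlist: the (protocol, port) pairs each role is expected to expose.
ROLE_ALLOWLIST = {
    "db": {("tcp", 22), ("tcp", 3306)},
    "ldap": {("tcp", 22), ("tcp", 389), ("tcp", 636)},
}

# Assumed mapping from scanned address to intended role (an inventory would supply this).
HOST_ROLES = {
    "10.0.0.10": "db",
    "10.0.0.11": "ldap",
}


def parse_open_ports(xml_text):
    """Return {ipv4_address: {(protocol, port, service_name), ...}} for hosts that are up.

    Only ports whose <state> is "open" are kept; closed and filtered ports are ignored,
    and hosts nmap reported as down are skipped entirely.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports.add((port.get("protocol"), int(port.get("portid")), name))
        results[addr_el.get("addr")] = open_ports
    return results


def find_unexpected_services(xml_text, host_roles=HOST_ROLES, allowlist=ROLE_ALLOWLIST):
    """Return a sorted list of (addr, role, protocol, port, service) for open ports
    the host's role does not allow. A host with no known role is reported as
    "unknown" with every open port flagged, since nothing is allowed for it."""
    findings = []
    for addr, ports in parse_open_ports(xml_text).items():
        role = host_roles.get(addr, "unknown")
        allowed = allowlist.get(role, set())
        for proto, port, name in ports:
            if (proto, port) not in allowed:
                findings.append((addr, role, proto, port, name))
    return sorted(findings)


if __name__ == "__main__":
    # With the sample above this reports http on the db host and ftp on the ldap host.
    for addr, role, proto, port, name in find_unexpected_services(SAMPLE_XML):
        print(f"{addr} ({role}): unexpected {name} on {proto}/{port}")
```

To run it against a real scan, replace SAMPLE_XML with the contents of the file named after -oX and fill HOST_ROLES and ROLE_ALLOWLIST from whatever you use to track which box is supposed to do what; the filtered 636 entry in the sample is there to show that only ports nmap calls open are compared.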
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.