
Nmap 4.00 – A Brief Tutorial

Started to mess around with some of Nmap 4.00’s new features. Here’s what I found so far.
The live interaction is way cool:


# nmap -sP 192.168.0.0/16
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 12:56 EST
Interactive keyboard commands:
? Display this information
v/V Increase/decrease verbosity
d/D Increase/decrease debugging
p/P Enable/disable packet tracing
anything else Print status
More help: http://www.insecure.org/nmap/man/man-runtime-interaction.html

The v/V and d/D keys work like a slider: pressing "v" raises the verbosity level by 1 (both verbosity and debugging start at 0), and pressing "V" lowers it again, like so:


# nmap -O 192.168.23.0/24
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:01 EST
Verbosity Increased to 1.
DNS resolution of 9 IPs took 0.00s. Mode: Async [#: 2, OK: 8, NX: 1, DR: 0, SF: 0, TR: 9, CN: 0]
Initiating SYN Stealth Scan against 5 hosts [1672 ports/host] at 13:01
Discovered open port 443/tcp on 192.168.23.5
Discovered open port 443/tcp on 192.168.23.20
Discovered open port 25/tcp on 192.168.23.5
Discovered open port 25/tcp on 192.168.23.6
Discovered open port 80/tcp on 192.168.23.20
Discovered open port 21/tcp on 192.168.23.20
Discovered open port 22/tcp on 192.168.23.5
Discovered open port 22/tcp on 192.168.23.6
Discovered open port 22/tcp on 192.168.23.20
Discovered open port 139/tcp on 192.168.23.20
Discovered open port 548/tcp on 192.168.23.20
Discovered open port 445/tcp on 192.168.23.20
Discovered open port 37/tcp on 192.168.23.5
Completed SYN Stealth Scan against 192.168.23.5 in 1.45s (4 hosts left)
Completed SYN Stealth Scan against 192.168.23.20 in 2.47s (3 hosts left)
Completed SYN Stealth Scan against 192.168.23.6 in 2.50s (2 hosts left)
Verbosity Decreased to 0.

You can do the same with debug information by using “d/D”:


# nmap -O 192.168.23.0/24
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:03 EST
Debugging Increased to 1.
Finished block: srtt: 232070 rttvar: 303203 timeout: 1444882 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 23
Finished block: srtt: 232070 rttvar: 303203 timeout: 1444882 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 27
We got a ping packet back from 192.168.23.100: id = 62034 seq = 23724 checksum = 45312
Hostupdate called for machine 192.168.23.100 state UNKNOWN/COMBO -> HOST_UP (trynum 0, dotimeadj: yes time: 4186)
We got a TCP ping packet back from 192.168.23.100 port 80 (hostnum = 100 trynum = 0
Hostupdate called for machine 192.168.23.100 state HOST_UP -> HOST_UP (trynum 0, dotimeadj: yes time: 4306)
Finished block: srtt: 178662 rttvar: 263119 timeout: 1231138 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 31
Finished block: srtt: 178662 rttvar: 263119 timeout: 1231138 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 13
massping done: num_hosts: 128 num_responses: 7
mass_rdns: Using DNS server 192.168.128.9
mass_rdns: Using DNS server 192.168.128.11
mass_rdns: 0.00s 0/9 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 9]
caught SIGINT signal, cleaning up

You can also do packet tracing (which is nice, because I used to open another window and use tcpdump):


Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:06 EST
Packet Tracing enabled
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.83 Echo request (type=8/code=0) ttl=50 id=52529 iplen=28
SENT (3.0590s) TCP 192.168.23.140:53596 > 192.168.23.83:80 A ttl=55 id=5015 iplen=40 seq=1118672030 win=4096 ack=1118672030
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.82 Echo request (type=8/code=0) ttl=46 id=2197 iplen=28
SENT (3.0590s) TCP 192.168.23.140:53596 > 192.168.23.82:80 A ttl=41 id=62936 iplen=40 seq=2888667998 win=2048 ack=3933049694
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.81 Echo request (type=8/code=0) ttl=37 id=23214 iplen=28
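To make the packet-trace lines usable beyond eyeballing them, here is an added Python example (not part of the original post and not Nmap's own code) that parses the SENT/RCVD line format shown above and groups the discovery probes by target. The sample input is the five lines printed above, embedded as a constructed string; the line layout it expects is the one visible in that output, not a documented Nmap interface, so other Nmap versions may print fields differently.

```python
import re
from collections import defaultdict

# Constructed sample input: the five SENT lines from the packet-trace output above.
PACKET_TRACE = """\
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.83 Echo request (type=8/code=0) ttl=50 id=52529 iplen=28
SENT (3.0590s) TCP 192.168.23.140:53596 > 192.168.23.83:80 A ttl=55 id=5015 iplen=40 seq=1118672030 win=4096 ack=1118672030
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.82 Echo request (type=8/code=0) ttl=46 id=2197 iplen=28
SENT (3.0590s) TCP 192.168.23.140:53596 > 192.168.23.82:80 A ttl=41 id=62936 iplen=40 seq=2888667998 win=2048 ack=3933049694
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.81 Echo request (type=8/code=0) ttl=37 id=23214 iplen=28
"""

# One trace line: direction, timestamp, protocol, src[:port] > dst[:port], then a
# protocol-specific remainder (ICMP description or TCP flag letters) and name=number fields.
LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<time>[\d.]+)s\) (?P<proto>ICMP|TCP|UDP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? > (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<rest>.*)$"
)
KV_RE = re.compile(r"\b(\w+)=(\d+)")


def parse_line(line):
    """Return a dict for one packet-trace line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["time"] = float(rec["time"])
    for k in ("sport", "dport"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    # ttl=, id=, iplen=, seq=, win=, ack=, type=, code= all have the form name=number
    rec.update({k: int(v) for k, v in KV_RE.findall(rest)})
    if rec["proto"] == "TCP":
        # Nmap prints the TCP flags as a run of letters (S, A, SA, R, ...) before the fields
        first = rest.split()[0]
        rec["flags"] = first if re.fullmatch(r"[SAFRPUEC]+", first) else ""
    return rec


def describe(rec):
    """Human-readable probe type, e.g. 'ICMP echo request' or 'TCP ACK to port 80'."""
    if rec["proto"] == "ICMP":
        kind = {8: "echo request", 0: "echo reply", 13: "timestamp request"}.get(rec.get("type"))
        return f"ICMP {kind or 'type ' + str(rec.get('type'))}"
    if rec["proto"] == "TCP":
        names = {"S": "SYN", "A": "ACK", "SA": "SYN/ACK", "R": "RST", "RA": "RST/ACK"}
        return f"TCP {names.get(rec['flags'], rec['flags'])} to port {rec['dport']}"
    return f"{rec['proto']} to port {rec['dport']}"


def probes_by_target(trace_text, direction="SENT"):
    """Map each destination address to the list of probes Nmap sent it, in order."""
    out = defaultdict(list)
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dir"] == direction:
            out[rec["dst"]].append(describe(rec))
    return dict(out)


if __name__ == "__main__":
    for target, probes in probes_by_target(PACKET_TRACE).items():
        print(target, "<-", ", ".join(probes))
```

Run against the lines above it shows the host-discovery pattern directly: every target gets an ICMP echo request plus a TCP ACK to port 80. Grouping is done by destination address on purpose; the TTL, IP ID and sequence values differ from probe to probe, so a flow tuple would not tie them together.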

Another cool feature is that Nmap now ships with an XSL stylesheet. What do you do with it? You can turn the XML output into a nice HTML report:


# nmap -oX report.xml -O 192.168.23.1-254

# xsltproc /usr/local/share/nmap/nmap.xsl report.xml > samplereport.html

The command "xsltproc" is available from the libxslt project (did you know this tool is built right into OS X?). It applies the stylesheet to the XML data so you can view the report in HTML. I have posted a sample here. It's pretty nice, and heck, if you don't like it you can change it; it's just a stylesheet. (Thanks to my co-worker John for that tip.)
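The stylesheet is only one consumer of the XML; the same -oX file is what you feed to scripts when you want to diff scans or pull open ports into a tracker. Below is an added Python example (mine, not the post's and not Nmap's) that parses the nmaprun format with the standard library and produces a one-line-per-host summary. The embedded report is constructed to resemble the 192.168.23.0/24 scan above, with made-up OS match and service values; the element and attribute names follow the nmaprun XML that -oX writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in the nmaprun XML format that -oX writes; the values are
# made up to resemble the 192.168.23.0/24 scan above, not taken from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX report.xml -O 192.168.23.1-254" version="4.00">
<host>
<status state="up"/>
<address addr="192.168.23.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
</ports>
<os><osmatch name="Linux 2.6.x" accuracy="95"/></os>
</host>
<host>
<status state="up"/>
<address addr="192.168.23.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
</ports>
</host>
<host>
<status state="down"/>
<address addr="192.168.23.21" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Parse an nmaprun document into a list of per-host dicts.

    A report you did not generate yourself is untrusted input: the stdlib parser does
    not fetch external entities, but for files of unknown origin prefer defusedxml.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError(f"expected <nmaprun> root, got <{root.tag}>")
    hosts = []
    for h in root.iter("host"):
        addr = h.find("address[@addrtype='ipv4']")
        status = h.find("status")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "state": status.get("state") if status is not None else "unknown",
            "open_ports": [],
            "os": None,
        }
        for p in h.iter("port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # only open ports make the summary; filtered/closed are dropped
            svc = p.find("service")
            entry["open_ports"].append(
                (int(p.get("portid")), p.get("protocol"),
                 svc.get("name") if svc is not None else "?")
            )
        match = h.find("os/osmatch")  # Nmap lists OS matches best-first
        if match is not None:
            entry["os"] = (match.get("name"), int(match.get("accuracy", "0")))
        hosts.append(entry)
    return hosts


def report_lines(hosts, include_down=False):
    """One summary line per host, suitable for a text report or for grep."""
    lines = []
    for h in hosts:
        if h["state"] != "up" and not include_down:
            continue
        ports = ", ".join(f"{n}/{proto} {svc}" for n, proto, svc in sorted(h["open_ports"]))
        os_part = f"  os={h['os'][0]} ({h['os'][1]}%)" if h["os"] else ""
        lines.append(f"{h['addr']}  {h['state']}  [{ports}]{os_part}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(parse_nmap_xml(SAMPLE_XML))))
```

To use it on a real file, read report.xml and pass its contents to parse_nmap_xml; hosts that were down are kept in the parsed list but left out of the summary unless include_down is set.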
The other cool thing is that if you are scanning hosts on the same subnet, Nmap uses ARP to find them. An ARP request is answered by the target's network stack at layer 2, below the point where a host firewall filters IP traffic, so a host that drops every ICMP and TCP probe still shows up; the catch is that this only works from inside the same broadcast domain. This does not seem to be displayed in the interactive-mode packet tracing, but it is still a cool feature, especially for those pesky Windows XP firewalls.
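Why an ARP sweep gets past a host firewall, as an added Python example (mine, not Nmap's code): the first function approximates the on-link decision that determines which targets get ARP instead of IP pings, and the builder shows what actually goes on the wire, an Ethernet broadcast that the target's kernel answers before any IP-level filter runs. Nmap's real decision consults the routing table; the check here uses a single interface prefix. Sending the frame would need a raw socket and root, so it is only built and decoded. The interface prefix and MAC address are constructed values.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6


def uses_arp_ping(iface_cidr, target):
    """Approximate Nmap's choice: a target on a directly connected prefix gets an ARP
    request; anything else gets IP-layer (ICMP/TCP) ping probes that a host firewall
    can drop. Nmap itself consults the routing table; this checks one interface prefix."""
    net = ipaddress.ip_network(iface_cidr, strict=False)
    return ipaddress.ip_address(target) in net


def _mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_arp_request(src_mac, src_ip, dst_ip):
    """Ethernet II frame carrying an ARP 'who-has dst_ip tell src_ip' request (42 bytes)."""
    eth = struct.pack("!6s6sH", BROADCAST, _mac(src_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,        # htype: Ethernet
        0x0800,   # ptype: IPv4
        6, 4,     # hlen, plen
        1,        # oper: request
        _mac(src_mac), ipaddress.ip_address(src_ip).packed,
        b"\x00" * 6, ipaddress.ip_address(dst_ip).packed,  # target MAC unknown yet
    )
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame (request or reply) into its fields; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(oper, oper),
        "sender_mac": sha.hex(":"),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": tha.hex(":"),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


if __name__ == "__main__":
    # Constructed values: the scanner from the packet trace above on a /24, with a made-up MAC.
    scanner_mac, scanner_ip, prefix = "00:11:22:33:44:55", "192.168.23.140", "192.168.23.140/24"
    for target in ("192.168.23.83", "192.168.128.9"):
        method = "ARP" if uses_arp_ping(prefix, target) else "IP ping"
        print(f"{target}: {method}")
    print(parse_arp(build_arp_request(scanner_mac, scanner_ip, "192.168.23.83")))
```

A reply to that request comes back from the target's own stack regardless of its packet-filter rules, which is exactly why the XP firewall cannot hide a host from a scanner on the same segment; from a different subnet the router answers ARP instead, and Nmap has to fall back to the IP-level pings shown in the packet trace.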
That’s all for now, happy nmap’ing!

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Researcher for Eclypsium, focused on firmware and supply chain security awareness. Paul's passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book "WRT54G Ultimate Hacking" in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul's Security Weekly; he enjoys coding in Python and telling everyone he uses Linux.
