Nmap

From Rory.wiki


General

Installation

On Ubuntu installations, if you're compiling nmap from source (the packaged version can be quite far behind), it's important to install libssl-dev, otherwise the SSL features of the package won't be available. Likewise, libpcap0.8-dev is needed for pcap functionality.

Tuning

Tuning nmap can have a significant effect on how quickly a scan completes (but getting it wrong can result in open ports being missed).

One thing to check is the --max-rtt-timeout setting. Even with a timing profile of -T4 (aggressive) it sets this to 1250ms, so if you know that the hosts being scanned are likely to respond in under 500ms (for example), setting this lower can reduce the scan time a lot (especially if there's a significant number of filtered UDP ports involved, as on a standard external scan).

One way to check the likely latency of the connection is to use ping or hping2 to test latency from a couple of sample hosts in the range to be scanned, then use that as a basis for the parameter setting.

Another timing issue comes with version scanning (again, on UDP scans this can be significant). Lowering the --version-intensity setting reduces the number of probes sent to try to determine the version (at some cost in detection accuracy), but can again significantly speed up a scan.

One way to significantly improve the speed of a scan is to ensure that each group of hosts that nmap scans has at least one host with an open port. This allows nmap to get accurate information about the correct RTT settings to use. So if you're scanning a large range with mostly dead IPs in chunks, adding a server you know to be live to each chunk can improve the timing of the scan considerably.

Another setting to look at on scans with a lot of dead hosts is --max-scan-delay. On the standard -T3 timing profile this will likely go up to 1000ms on a slow scan, which really slows things down. If you're confident that the lack of response is down to heavily firewalled hosts and not down to servers throttling packet rates, then adding --max-scan-delay 100 to the command line can help a lot (give the value a unit, e.g. 100ms, on current nmap releases, which read a bare number as seconds).
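As an added example for the tuning notes above (this is not nmap's code or the original page's script), the following Ruby helpers turn the two manual steps into something repeatable: parse the "rtt min/avg/max/mdev" summary that Linux ping prints for a couple of sample hosts and derive a --max-rtt-timeout from it, and split a large target list into chunks that each contain a host known to be live, so every group nmap scans has at least one responder. The rounding rule (twice the worst observed RTT, rounded up to the next 50ms, with a 100ms floor) is an assumption chosen to leave headroom rather than nmap's own logic, and the sample ping output uses constructed RFC 5737 documentation addresses.

```ruby
#!/usr/bin/env ruby
# Added example for the Tuning section (not nmap's code, not the page's own
# script). The timeout heuristic and the 100ms floor are assumptions.

# Summary line printed by Linux ping at the end of a run; absent when every
# packet was lost.
PING_SUMMARY = %r{rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms}

# Return the maximum RTT in milliseconds, or nil when the output has no summary.
def max_rtt_from_ping(output)
  m = PING_SUMMARY.match(output)
  m && m[3].to_f
end

# Allow twice the worst RTT seen across the samples, rounded up to the next
# 50ms, with a floor so that a single very fast sample cannot make the timeout
# so tight that slower hosts' replies are dropped (and their open ports missed).
def suggested_max_rtt_timeout_ms(max_rtts_ms, floor_ms: 100)
  worst = max_rtts_ms.compact.max
  return nil if worst.nil?
  doubled = (worst * 2).ceil
  rounded = ((doubled + 49) / 50) * 50
  [rounded, floor_ms].max
end

# Split targets into groups of at most `size` addresses, placing `live_host`
# at the front of each group (without duplicating it if it is already listed).
def chunk_with_live_host(targets, live_host, size)
  raise ArgumentError, 'size must be at least 2' if size < 2
  others = targets.reject { |t| t == live_host }
  others.each_slice(size - 1).map { |slice| [live_host, *slice] }
end

# Build the nmap command line as an argv array. Units are written explicitly
# because current nmap releases read a bare number as seconds.
def nmap_args(targets, rtt_timeout_ms, scan_delay_ms: 100)
  ['nmap', '-T4',
   '--max-rtt-timeout', "#{rtt_timeout_ms}ms",
   '--max-scan-delay', "#{scan_delay_ms}ms",
   *targets]
end

# Constructed sample ping output: two responsive hosts and one that lost
# every packet (so it has no rtt summary line).
SAMPLE_PINGS = {
  '192.0.2.10' => <<~PING,
    PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
    64 bytes from 192.0.2.10: icmp_seq=1 ttl=56 time=41.2 ms
    64 bytes from 192.0.2.10: icmp_seq=2 ttl=56 time=40.1 ms
    64 bytes from 192.0.2.10: icmp_seq=3 ttl=56 time=48.9 ms

    --- 192.0.2.10 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 40.100/43.400/48.900/3.912 ms
  PING
  '192.0.2.20' => <<~PING,
    --- 192.0.2.20 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2004ms
    rtt min/avg/max/mdev = 120.500/125.300/130.200/4.011 ms
  PING
  '192.0.2.30' => <<~PING
    --- 192.0.2.30 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2030ms
  PING
}.freeze

# Recommend a timeout from a hash of host => ping output.
def recommend_from_samples(samples = SAMPLE_PINGS)
  suggested_max_rtt_timeout_ms(samples.values.map { |out| max_rtt_from_ping(out) })
end

if __FILE__ == $PROGRAM_NAME
  timeout = recommend_from_samples
  live = '192.0.2.10'
  range = (1..6).map { |i| "192.0.2.#{i}" } + [live]
  chunk_with_live_host(range, live, 4).each do |group|
    puts nmap_args(group, timeout).join(' ')
  end
end
```

Run stand-alone it prints one nmap command line per chunk, each seeded with the live host and carrying a --max-rtt-timeout of 300ms (twice the 130.2ms worst case in the samples, rounded up); in practice you would feed it the real ping output for your sample hosts rather than the constructed text.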

nping

nping is a packet generation utility which comes along with nmap. Using it to check host responses to different ICMP traffic types is a relatively useful technique.

You can specify --icmp-type on the command line to choose different traffic types. Useful examples are echo-request and timestamp; you can also try mask-request and information, although those are somewhat less likely to get a response.

Example syntax:

 sudo nping --icmp --icmp-type <type> -c 3 <range>| tee <some_file>

If you're doing big ranges, some quick code to pull out a list of hosts probed and responding can come in handy, as nping's output is a bit wordy and it doesn't seem to break this out for you easily. A basic script to sort this is:

#!/usr/bin/env ruby

if ARGV.length < 2
  puts "Syntax is nping_analyzer.rb <input_file> <output_file>"
  exit 1
end

input_lines = File.readlines(ARGV[0])

# Matches the first dotted-quad IPv4 address in a string
IPV4 = /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/

# Array to capture all the addresses we've sent to
target_addresses = []

# Array to capture addresses that we've had a response from
responsive_addresses = []

input_lines.each do |line|
  # nping logs each probe as "SENT (...) ICMP [src > dst ...", so the target
  # is the first address after the '>'
  if line =~ /^SENT/
    target = line.split('>')[1].to_s[IPV4]
    target_addresses << target if target
  end

  # Replies are logged as "RCVD (...) ICMP [responder > us ...", so the
  # responder is the first address before the '>'
  if line =~ /^RCVD/
    response_address = line.split('>')[0][IPV4]
    responsive_addresses << response_address if response_address
  end
end

File.open(ARGV[1], 'w') do |output_file|
  output_file.puts "The following addresses were targets of the scan"
  output_file.puts target_addresses.uniq.join(',')
  output_file.puts ""
  output_file.puts "-------------------------------"
  output_file.puts ""
  output_file.puts "The following addresses responded to the scan"
  output_file.puts responsive_addresses.uniq.join(',')
end


Nmap Scripting Engine (NSE)

One of the main innovations of recent Nmap releases has been the scripting engine, which provides a lot of really useful scripts that can be run straight from nmap. In particular, the SMB scripts can provide the same information as a lot of other tools, all in one place.

Nmap Plugin Table

Windows Tools

Name                 | Usage                      | Notes                                                                                                                                                        | Similar Tools
---------------------|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------
nbtstat.nse          | --script nbtstat.nse -p137 | Retrieves NetBIOS names from targeted host(s)                                                                                                                | nbtstat
smb-brute.nse        |                            | SMB brute forcer                                                                                                                                             | NAT, smbgrind, enum -D
smb-enum-domains.nse |                            | Enumerates domains and also (very handily) the password policies associated with them. Needs credentials of some kind for recent Windows systems (post-Windows 2000) | enum -P

Links & Resources

Post on NMAP netbios auditing features

Scanning db2 with nmap

Scanning Citrix with nmap
