results of an Nmap scan

| Original author(s) | Gordon Lyon (Fyodor) |
|---|---|
| Initial release | September 1997 |
| Stable release | 5.51 / February 12, 2011 |
| Development status | Active |
| Written in | C, C++, Python, Lua |
| Operating system | Cross-platform |
| Available in | English |
| Type | Computer security, network management |
| License | GNU General Public License |
| Website | nmap.org |
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich)[1] that discovers hosts and services on a computer network, thus building a "map" of the network. To do this, Nmap sends specially crafted packets to the target hosts and analyzes the responses. Unlike many simple port scanners that send packets at a fixed, predefined rate, Nmap adapts to network conditions during the run (latency fluctuations, congestion, and interference with the scan by the target). Owing to a large and active user community that provides feedback and contributes features, Nmap's discovery capabilities go well beyond determining whether a host is up and which ports are open or closed: it can identify the target's operating system, the names and versions of listening services, estimated uptime, device type, and the presence of a firewall.
Nmap runs on Linux, Microsoft Windows, Solaris, HP-UX and BSD variants (including Mac OS X), and also on AmigaOS and SGI IRIX.[2] Linux is the most popular Nmap platform, with Windows following it closely.[3]
Nmap's core features are host discovery, port scanning, version detection of the services found, operating system detection, and scriptable interaction with targets through the Nmap Scripting Engine (NSE).
In addition to these, Nmap can report further information on targets, including reverse DNS names, device types, and MAC addresses.[5]
Typical uses of Nmap:

- `nmap <targets>`: scan the default ports of one or more targets, given as hostnames, IP addresses, CIDR blocks or octet ranges separated by spaces, e.g. `nmap scanme.nmap.org microsoft.com/24 192.168.0.1 10.0.0-255.1-254`
- `nmap -O <target>`: port scan plus operating system detection (TCP/IP stack fingerprinting)
- `nmap -sV <target>`: port scan plus version detection, which probes each open port to identify the listening service and its version
- `nmap -T0 -sV -O <target>`: the same with the slowest timing template (`-T0`, "paranoid"), which spaces probes far apart to reduce the chance of triggering intrusion detection alerts
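The open/closed/filtered states that Nmap reports come from how a probe is answered, not from any banner the service sends. The following added example (not Nmap code, and not taken from the original article) reproduces that classification for the simplest scan type, the TCP connect scan that Nmap runs as `-sT`: a completed handshake is "open", a RST (seen by the caller as a refused connection) is "closed", and silence or an ICMP unreachable is "filtered". The local listener, the 127.0.0.1 target and the one-second timeout are constructed fixtures so the demo runs offline.

```python
"""Minimal TCP connect scan illustrating Nmap's open/closed/filtered port states.

Added example, not Nmap code: it uses a plain connect() per port, the same
technique as Nmap's -sT scan, and classifies the outcome the way Nmap's
report does. The target, ports and timeout below are constructed for the demo.
"""
import errno
import socket


def classify_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open:     the three-way handshake completed (a listener accepted it)
    closed:   the host answered with RST (connect() fails with ECONNREFUSED)
    filtered: no answer within the timeout, which is what a packet-dropping
              firewall looks like; "Not shown: 998 filtered ports" in an Nmap
              report is this case repeated 998 times
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            # EHOSTUNREACH/ENETUNREACH: an ICMP unreachable came back instead
            # of SYN/ACK or RST. Nmap reports these as filtered as well.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise
        return "open"


def connect_scan(host, ports):
    """Scan the given ports sequentially and return {port: state}."""
    return {port: classify_port(host, port) for port in ports}


def start_listener():
    """Open a local listener on an ephemeral port (constructed test fixture
    standing in for the real service a scan would find). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port():
    """Find a port nothing listens on: bind to 0, read the port, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns {port: state}."""
    srv, open_port = start_listener()
    try:
        return connect_scan("127.0.0.1", [open_port, unused_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(f"{port}/tcp\t{state}")
```

A connect scan completes the handshake and so leaves an entry in the target's application logs; Nmap's default SYN scan (`-sS`, which needs raw-socket privileges) reads the same SYN/ACK-versus-RST distinction from the first reply and tears the connection down before the application ever sees it.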
NmapFE, originally written by Zach Smith, was Nmap's official GUI for Nmap versions 2.2 to 4.22.[8] For Nmap 4.50 (originally in the 4.22SOC development series) NmapFE was replaced with Zenmap, a new official graphical user interface based on UMIT, developed by Adriano Monteiro Marques.
Various web-based interfaces have also been available for controlling Nmap remotely from a web browser. These include LOCALSCAN,[9] nmap-web,[10] and Nmap-CGI.[11]
Some Microsoft Windows-specific GUIs also exist, including NMapWin,[12] which has not been updated since v1.4.0 was released in June 2003, and NMapW[13] by Syhunt.
Nmap can present scan results in several output formats: interactive output to the terminal, plus normal (`-oN`), XML (`-oX`) and grepable (`-oG`) output written to files (`-oA` writes all three at once; a deliberately silly "script kiddie" format, `-oS`, also exists). All of the output formats can be processed with ordinary text-processing tools, and the XML format is the one intended for programmatic consumption, letting the user build customized reports.[14]
Nmap was first published in September 1997, as an article in Phrack Magazine with source code included.[15] With the help and contributions of the computer security community, development continued at an ever increasing pace. Changes to the program have included operating system fingerprinting, service fingerprinting,[4] code rewrites (C to C++), additional scan types, protocol support (e.g. IPv6, SCTP[16]) and new programs that complement Nmap's core features. A full list of the changes in each release is recorded in the Nmap Changelog.[8]
Nmap is used to discover computers and services on a computer network, thus creating a "map" of the network. Like many simple port scanners, Nmap can discover passive services, that is, listeners that do not advertise themselves through a service discovery protocol. Beyond that, Nmap may be able to determine various details about the remote computers.
Like most tools used in computer security, Nmap can be used for black hat hacking,[24] or attempting to gain unauthorized access to computer systems. It would typically be used to discover open ports which are likely to be running vulnerable services, in preparation for attacking those services with another program.[25]
System administrators often use Nmap to search for unauthorized servers on their network, or for computers which don't meet the organization's minimum level of security.[26]
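The "unauthorized server" use case above is usually automated on top of the XML output format described earlier: scan the network with `-sV -oX`, then diff what is listening against what is supposed to be. The following added example (not part of Nmap or its documentation) parses an Nmap XML document and reports open ports that fall outside an allowlist. The XML is a constructed, shortened document in Nmap's real `-oX` element layout (`nmaprun`/`host`/`ports`/`port`/`state`/`service`); the hosts, ports and the `ALLOWLIST` policy are invented for the demonstration.

```python
"""Parse Nmap XML output (-oX) and flag open ports outside an allowlist.

Added example, not Nmap code. SAMPLE_XML is a constructed document using
Nmap's real -oX element names and attributes; the addresses, services and
the allowlist are invented for the demonstration.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.0.0/30" version="5.51">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="113"><state state="closed" reason="reset"/>
        <service name="auth" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical policy: (host, protocol, port) triples that are sanctioned.
# Any other open port is reported as an unauthorized server.
ALLOWLIST = {
    ("192.168.0.1", "tcp", 22),
    ("192.168.0.1", "tcp", 80),
}


def parse_open_ports(xml_text):
    """Return one dict per open port found in an Nmap XML document."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            results.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="probed" means -sV actually matched a version probe;
                # method="table" is only a guess from the port-number table.
                "probed": svc is not None and svc.get("method") == "probed",
            })
    return results


def unauthorized(open_ports, allowlist=ALLOWLIST):
    """Open ports whose (host, proto, port) is not covered by the allowlist."""
    return [p for p in open_ports
            if (p["host"], p["proto"], p["port"]) not in allowlist]


if __name__ == "__main__":
    for p in unauthorized(parse_open_ports(SAMPLE_XML)):
        note = "" if p["probed"] else " (service name guessed from port table, unverified)"
        print(f"{p['host']} {p['port']}/{p['proto']} {p['service']}{note}")
```

Keying the policy on address, protocol and port rather than on the service name matters: without `-sV` the `service` element is filled from Nmap's port table, so a listener on 8080 is labelled `http-proxy` whatever it really is, and the `probed` flag above separates the two cases.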
Nmap is often confused with host vulnerability assessment tools such as Nessus. Nmap establishes exposure (which hosts are up, which ports are open, and what is listening on them); vulnerability scanners go further by testing the services found on those ports for known vulnerabilities.
In some jurisdictions, unauthorized port scanning may be illegal.[27]
In The Matrix Reloaded, Trinity is seen using Nmap to access a power plant's computer system,[28] allowing Neo to "physically" break into a building. The appearance of Nmap in the film was widely discussed on internet forums and hailed as an unusually realistic example of hacking compared to other movies.[29]
Nmap and NmapFE were used in the film The Listening, a 2006 movie about a former NSA officer who defects and mounts a clandestine counter-listening station high in the Italian Alps.
Some Nmap source code can be seen in the movie Battle Royale, as well as brief views of the command-line version of Nmap executing in Live Free or Die Hard and The Bourne Ultimatum.[28]
Nmap has long been an integral part of academic activities. It has been used for research involving the TCP/IP protocol suite and networking in general, with the security domain being the main beneficiary.[30] Beyond serving as a helping tool in researching various topics, Nmap has become a topic of research itself.[31]
Example output from an Nmap scan with version detection, OS detection and traceroute enabled (host name and address redacted in the original):

```text
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-21 01:57 IST
NSE: Loaded 6 scripts for scanning.
Nmap scan report for <target_host> (<target_IP>)
Host is up (0.10s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    Apache Tomcat/Coyote JSP engine 1.1
113/tcp closed auth
Running: Linux 2.6.X (96%), Cisco Linux 2.6.X (90%), HP embedded (89%), Riverbed embedded (87%)
Aggressive OS guesses: Linux 2.6.9 (96%), Linux 2.6.9 - 2.6.27 (96%), Linux 2.6.9 (CentOS 4.4) (95%), Linux 2.6.15 - 2.6.26 (92%), Blue Coat Director (Linux 2.6.10) (92%), Linux 2.6.26 (PCLinuxOS) (91%), Linux 2.6.11 (90%), HP Brocade 4Gb SAN switch (89%), Linux 2.6.22.1-32.fc6 (x86, SMP) (89%), Linux 2.6.28 (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 35.708 days (since Wed Sep 15 08:58:56 2010)

TRACEROUTE (using port 113/tcp)
HOP RTT     ADDRESS
1   2.27 ms 192.168.254.4

Nmap done: 1 IP address (1 host up) scanned in 19.94 seconds
           Raw packets sent: 2080 (95.732KB) | Rcvd: 24 (1.476KB)
```

Two details of this report are worth reading carefully. The 998 ports listed only as "filtered" produced no response at all, so Nmap cannot tell a firewall drop from packet loss, which is also why the OS match is qualified as "test conditions non-ideal" and given as percentages rather than a single fingerprint. The traceroute is run against 113/tcp, the one closed port, because a port that answers (here with a RST) is a reliable target for the TTL-stepped probes.