Nse scripts. Nmap Reference Manual (Man Page). Finding Active Computers on the Network

Nmap is a cult scanner that almost no hacker can do without, so the topic of expanding its capabilities, I think, is of interest to many. Using other tools in conjunction with Nmap is a common practice. This article will talk about how to easily automate Nmap with your favorite tools. It is more convenient to “press one button” and get the result than to constantly do the same sequence of actions. Using scripts in Nmap can help hackers hack systems more automatically, and sysadmins can check systems for default holes and fix them in a timely manner.

A few words about Nmap

I am sure that most readers of Hacker magazine know what Nmap is and have probably used it more than once to explore the network and collect information. For those who have forgotten or do not know, just in case, let me remind you:

• Nmap is a cross-platform tool for scanning the network, checking its security, determining OS versions and various services, and much more. This is a very flexible and easily extensible utility, and the NSE scripting engine makes it so;
• NSE (Nmap Scripting Engine) is a powerful Nmap component that allows users to write scripts to automate a wide range of network tasks: more flexible interaction with existing Nmap capabilities, detection and exploitation of vulnerabilities, and more. NSE is based on the Lua language interpreter;
• Lua is a scripting language similar to JavaScript.

Formulation of the problem

As already mentioned, today we will be expanding the functionality of Nmap by writing our own scripts. Any hack/pentest usually starts with reconnaissance and data collection. One of the first checks is the presence of open ports on the host under study and the identification of running services. The best tool to collect such information than Nmap, perhaps not. The next step after scanning is usually either searching for a sploit for the found vulnerable service, or selecting a login:password pair using the brute force method.

Let's say you actively use the THC-Hydra brute-forcer to guess the passwords of several services (for example, HTTP-Basic, SSH, MySQL). In this case, you have to set the hydra on each service separately, you need to remember the features of the services and the flags necessary to launch the hydra. And if it becomes necessary to brute much more than five services? .. Why not automate it?

Therefore, let's write a simple script that will automate the process of starting Hydra to select logins / passwords for one service (for example, PostgreSQL). For this we need the following tools:

• nmap;
• THC-Hydra;
• any text editor.

If you don't already have Nmap and/or Hydra installed, fix it immediately:

$ sudo apt-get install nmap hydra

Okay, let's start. The scripts for Nmap are the usual text files with *.nse extension. So open up your favorite text editor and create new file. I will use Vim:

$ vim hydra.nse

NSE script structure

Before moving on to writing, it must be said that all scripts have a certain structure. In addition to the code itself, which automates certain actions, it contains a description of the script (what it is intended for and how to use it), information about the author, licenses, dependence on other scripts, categories to which the script belongs, and so on. Let's take a closer look at each of these parts.

Description of the script (description)

This section contains a description of the script, comments by the author, an example of displaying the result of the script execution on the screen, and additional features.

For our script that selects logins / passwords for PostgeSQL, the description will look like this:

Description = [[ Brute force all services running on a target host. The results are returned in a table with each path, detected method, login and/or password. ]] --- -- @usage -- nmap --script hydra [--script-args "lpath= , ppath= "] -- -- @output -- PORT STATE SERVICE -- 80/tcp open http -- | hydra: -- | path method login password -- | 127.0.0.1/private/index.html Digest log pass -- |_ 127.0.0.1/simple/index.txt Basic user qwerty -- -- @args hydra.lpath: the path to the file with logins. For example, -- nmap --script hydra --script-args="lpath=/home/my_logins.txt" -- @args hydra.ppath: the path to the file with passwords. For example, -- nmap --script hydra --script-args="ppath=/home/my_pass.txt"

Comment; -- - multi-line comment; @usage, @output, @args - an example of calling a script, displaying the result on the screen, the necessary arguments when calling.

Above in @usage we see the script launch format. In this case, only the name of the script (hydra) is specified. This becomes possible if the script is placed in the directory / /nmap/scripts/ , otherwise you will have to specify an absolute or relative path to it. In the future, we will make it possible to set arguments when starting the script. Arguments are set using the --script-args flag " " . In our case, we will set the path to the login file (lpath) and to the password file (ppath). The arguments are optional: by default, we will look for files named login.txt and password.txt in the current directory.

Categories where the script is located (categories)

When writing an NSE script, you can specify its category (or several categories). This is useful when the Nmap user wants to use not a specific script, but a set of scripts that are in the same category. Examples of some categories:

• auth - a category in which scripts define the authentication data of the target host;
• brute - a category whose scripts help determine logins and passwords for various services;
• default - a category that contains the main scripts. There are some criteria that determine whether a script belongs to this category: scanning speed, usefulness, reliability, confidentiality, visual output;
• malware - a category that helps identify malware.

For example, if you need to run all scripts from the auth category, then the command will look like this:

$ nmap --script=auth example.com

In this case, the scripts of this category will be run in turn for the specified host. Our script belongs to the brute category. Let's add the following line to the file:

Categories = ("brute")

Information about the author (author)

Each script contains information about its author. In my case:

Author = "Olga Barinova"

Information about the license in use (license)

Nmap welcomes all user developments and encourages sharing, including NSE scripts. When specifying a license, you confirm the right to share the script with the community. The standard Nmap license looks like this:

License = "Same as Nmap--See http://nmap.org/book/man-legal.html"

Let's add this line to our script as well.

Dependencies on other scripts (dependencies)

This area contains the names of NSE scripts that must be executed before this script can be run in order to obtain the necessary information. For example,

Dependencies = ("smb-brute").

In our case, this feature will not be needed, so we will not add dependencies.

Host and port (host & port)

Nmap needs to know for which services and on which ports to run the script. There are special rules for this:

• prerule() - script is executed once before scanning any host, used for some network operations;
• hostrule(host) - the script is executed for each host from the table, which it takes as an argument;
• portrule(host, port) - the script is executed for each host and for each port from the tables that it takes as arguments;
• postrule() - the script is executed once after scanning any host. It is mainly used for processing the results, summarizing statistics and the like.

There are libraries for the formation of such rules. Our script only needs to specify the port number (5432) and the service name (postgresql), and then it will only work for this port and service. There is a fairly popular shortport library built into the NSE that includes various methods. We will use the method

Port_or_service (ports, services, protos, states)

where ports are port numbers, services are service names, protos are protocol names (for example, udp), states are states.

This method returns true if the service currently being parsed is on one of the ports in the ports list or matches any service in the services list, and the protocol and status are checked for a match, otherwise false is returned.
To make our script work with PostgreSQL, we need to add the port number and service name:

Portrule = shortport.port_or_service((5432), ("postgresql"))

Connecting Libraries

Let's digress for a second from the structure of the script and consider how external libraries are connected, the functionality of which we need to access.

Continued available to members only

Option 1. Join the "site" community to read all the materials on the site

Membership in the community during the specified period will give you access to ALL Hacker materials, increase your personal cumulative discount and allow you to accumulate a professional Xakep Score rating!

Nmap is a very popular open source network scanner that can be used on both Windows and Linux. Nmap or Network Mapper was developed by Gordon Luon and is currently used by security professionals and system administrators around the world.

This program helps system administrators very quickly understand which computers are connected to the network, find out their names, and also see what software is installed on them, what operating system and what types of filters are applied. The functionality of the program can be extended with its own scripting language, which allows administrators to automate many actions.

For example, scripts can automatically detect new security vulnerabilities in your network. Namp can be used with good or bad intentions, be careful not to use nmap against the law. In this tutorial, we will look at how to use namp to scan ports in operating system linux. But first you need to try to understand how this utility works.

AT computer networks All connected devices have their own IP address. Each computer supports the ping protocol, which can be used to determine whether it is connected to the network. We simply send a ping request to the computer, and if it responds, we assume that it is connected. Nmap takes a slightly different approach. Computers also react in a certain way to certain network packets, the utility simply sends the necessary packets and looks at which hosts sent the answer.

But you probably already know about this. More interesting is how Nmap knows which services are running on the machine. The essence of the work of all network programs is based on ports. To receive a message from the network, the program must open a port on your computer and wait for incoming connections. And to send a message over the network, you need to connect to another program (destination) port. The program will then need to open a port on which it will wait for a response.

The nmap utility iterates through the available range of ports during a network scan and tries to connect to each of them. If the connection is successful, in most cases, by transferring several packages, the program can even find out the version software, which is waiting for connections on this port. Now that we've covered the basics, let's look at how to use nmap for port and network scanning.

Nmap Syntax

The Nmap launch command is very simple, just pass it the target IP address or network in the parameters, and specify the options if necessary:

$ nmap address options

Now let's look at the main options that we will need in this article.

• -sl- just create a list of running hosts, but don't scan nmap ports;
• -sP- only check if the host is reachable using ping;
• -PN- consider all hosts available, even if they do not respond to ping;
• -sS/sT/sA/sW/sM- TCP scanning;
• -sU- UDP scanning nmap;
• -sN/sF/sX- TCP NULL and FIN scan;
• -sC- run the default script;
• -sI- lazy indle scanning;
• -p- specify the range of ports to check;
• -sV- a detailed study of ports to determine the versions of services;
• -O- determine the operating system;
• -T- scanning speed, the more, the faster;
• -D- mask scanning using fictitious IPs;
• -S- change your IP address to the specified one;
• -e- use a specific interface;
• --spoof-mac- set your MAC address;
• -A- detection of the operating system using scripts.

Now that we've covered all the basic options, let's talk about how nmap port scans work.

How to Use Nmap to Scan Ports in Linux

Let's look at nmap examples next. First, let's look at how to find all devices connected to the network, for this it is enough to use the -sL option and specify our network mask. in my case it is 192.168.1.1/24. your mask local network you can find by running the command:

From the output for the interface used, take the number after the slash, and before the slash, specify the ip of your router. The nmap network scan command will look like this:

nmap -sL 192.168.1.1/24

Sometimes this scan may not return any results because some operating systems have port scan protection. But this can be bypassed by simply using ping to scan all ip addresses on the network, for this there is the -sn option:

nmap -sn 192.168.1.1/24

As you can see, now the program has detected active devices on the network. Next, we can scan nmap ports for the desired host by running the utility without options:

sudo nmap 192.168.1.1

Now we can see that we have several ports open, all of them being used by some service on the target machine. Each of them can be potentially vulnerable, so it is not safe to have many open ports on a machine. But this is not all that you can do, further you will learn how to use nmap.

To know more detailed information about the machine and the services running on it, you can use the -sV option. The utility will connect to each port and determine all available information:

sudo nmap -sV 192.168.1.1

We have ftp running on our machine, so we can try to explore this service in more detail using standard nmap scripts. Scripts allow you to check the port in more detail, find possible vulnerabilities. To do this, use the -sC option and -p to set the port:

sudo nmap -sC 192.168.56.102 -p 21

We ran the default script, but there are other scripts, for example, you can find all scripts for ftp with the command:

sudo find /usr/share/nmap/scripts/ -name "*.nse" | grep ftp

Then we will try to use one of them, for this it is enough to specify it using the --script option. But first, you can look at the information about the script:

sudo nmap --script-help ftp-brute.nse

This script will try to determine the FTP login and password on the remote host. Then run the script:

sudo nmap --script ftp-brute.nse 192.168.1.1 -p 21

As a result, the script picked up the login and password, admin/admin. That's why you don't need to use the default login options.

You can also run the utility with the -A option, which activates a more aggressive mode of the utility, with which you will get most of the information with one command:

sudo nmap -A 192.168.1.1

Note that almost all of the information we've seen before is included here. It can be used to increase the defense of this machine.

conclusions

In this article, we looked at how nmap port scanning is performed, as well as some simple examples of using this utility. These nmap commands can be useful to many system administrators to improve the security of their systems. But this is not all the possibilities of the utility. Keep experimenting with the utility to find out more just not on other people's networks!

about the author

Founder and site administrator site, fond of open source software and operating Linux system. I currently use Ubuntu as my main OS. In addition to Linux, I am interested in everything related to information technology and modern science.

Information on Nmap scripts (in English):

Hidden from guests

The latest version of the Nmap documentation (in English):

Hidden from guests

The official book on Nmap from the creators of Nmap (in English):

Hidden from guests

nmap - Network exploration utility and port scanner

Nmap (“Network Mapper”) is an open source network exploration and security utility. It was designed to quickly scan large networks, although it also works well for single targets. Nmap uses raw IP packets in original ways to determine what hosts are available on the network, what services (application name and version) they offer, what operating systems (and OS versions) they use, what types of packet filters/firewalls are used, and dozens of other characteristics. . While Nmap is commonly used for security checks, many network and system administrators find it useful for common tasks such as monitoring the structure of a network, managing service startup schedules, and keeping track of host or service uptime.

The output of Nmap is a list of scanned targets, with additional information on each depending on the options given. Key information is the “important ports table”. This table contains the port number, protocol, service name, and status. The status can be open (open), filtered (filtered), closed (closed), or unfiltered (not filtered). Open means that the application on the target machine is ready to connect/receive packets on this port. Filtered means that a firewall, network filter, or some other network obstruction is blocking the port, and Nmap cannot determine whether the port is open or closed. Closed ports are not associated with any application, so they can be opened at any time. Ports are considered unfiltered when they respond to Nmap requests, but Nmap cannot determine whether they are open or closed. Nmap issues open|filtered and closed|filtered combinations when it cannot determine which of the two states the port describes. This table may also provide details of the software version if requested. When scanning over IP protocol (-sO), Nmap provides information about supported IP protocols, not about open ports.

In addition to a table of important ports, Nmap can provide further target information: resolved DNS names, operating system guess, device types, and MAC addresses.

A typical scan using Nmap is shown in Example 1. The only arguments used in this example are -A, for OS version, script scan, and tracing; -T4 for faster execution; then two target hosts.

Example 1. A typical example of scanning with Nmap:

# nmap -A -T4 scanme.nmap.org playground Starting Nmap (https://nmap.org/) Interesting ports on scanme.nmap.org (64.13.134.52): (The 1663 ports scanned but not shown below are in state : filtered) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99) 53/tcp open domain 70/tcp closed gopher 80/tcp open http Apache httpd 2.0.52 ((Fedora)) 113/tcp closed auth Device type: general purpose Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11 Interesting ports on playground.nmap.org (192.168.0.40 ): (The 1659 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 389/tcp open ldap? 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1002/tcp open windows-icfw? 1025/tcp open msrpc Microsoft Windows RPC 1720/tcp open H.323/Q.931 CompTek AquaGateKeeper 5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC port: 5900) 5900/tcp open vnc VNC (protocol 3.8) MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications) Device type: general purpose Running: Microsoft Windows NT/2K/XP OS details: Microsoft Windows XP Pro RC1+ through final release Service Info: OSs: Windows , Windows XP Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds

Usage:
nmap [Scan Type(s)] [Options] (specified_targets)

SCAN PURPOSE DETERMINATION:

Can work with hostnames, IP addresses, networks, etc.
For example: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-il<ввести_имя_файла>: Import from host/network list
-iR<количество хостов>: Random target selection
--exclude : Exclude hosts/networks
--excludefile<файл_с_исключениями>: Exclude list from file

SL: Scan to list - just make a list of targets to scan
-sn: Ping scan - easy to determine if the host is up
-Pn: Treat all hosts as up - skip host discovery
-PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP ping given hosts
-PE/PP/PM: Ping using ICMP echo requests, timestamp and netmask requests
-PO[list of protocols]: Ping using IP protocol
-n/-R: Never resolve DNS/Always resolve [default: sometimes]
–dns-servers<сервер1[,сервер2],…>: Set your own DNS servers
--system-dns: Use system DNS resolver
--traceroute: Trace (path) to each host

SS/sT/sA/sW/sM: TCP SYN/using the Connect()/ACK/Window/Maimon system call scan
-sU: UDP scan
-sN/sF/sX: TCP Null, FIN and Xmas scans
--scanflags<флаги>: Set custom TCP flags
-sI<зомби_хост[:порт]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scan
-sO: IP protocol scan
-b : FTP bounce scan

P<диапазон_портов>: Scan only specific ports
Example: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast Scan - Scan a limited number of ports
-r: Scan ports sequentially - do not randomize ports
--top-ports<количество_портов>: Scan<количество_портов>most common ports
--port-ratio<рейтинг>: Scan ports with a rating greater than<рейтинг>

SW: Explore open ports to define service/version information
--version-intensity<уровень>: Set from 0 (easy) to 9 (try all queries)
--version-light: Limit to lightest queries (weight 2)
--version-all: Use every single request (rate 9)
--version-trace: Print detailed information about the scan process (for debugging)

SC: equivalent to --script=default option
--script= : is a comma-separated list of directories, script files, or script categories
--script-args=<имя1=значение1,[имя2=значение2,…]>: Passing Arguments to Scripts
--script-args-file=filename: Pass NSE file arguments to scripts
--script-trace: Print all received and sent data
--script-updatedb: Update script database
--script-help= : Show help about scripts. a comma-separated list of scripts, or a list of script categories.

O: Enable OS detection function
--osscan-limit: Only use OS detection for "promising" hosts
--osscan-guess: Guess OS detection results

Options that take an argument<время>, are in milliseconds, until you add "s" (seconds), "m" (minutes), or "h" (hours) to the value (eg 30m).
-T<0-5>: Set time management preset (larger is faster)
--min-hostgroup/max-hostgroup<кол_хостов>: Set size of groups for parallel scanning
--min-parallelism/max-parallelism<кол_хостов>: Controls query parallelism
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout<время>: Adjusts the time to wait for a response to a request
--max-retries<количество_попыток>: Specifies the maximum number of request retries
--host-timeout<время>: Stops scanning slow targets
--scan-delay/-max-scan-delay<время>: Adjusts the delay between requests
–min-rate<число>: Send requests at a rate not less than<число>per second
--max-rate<число>: Send requests at a rate no greater than<число>per second

F; -mtu<значение>: Fragment packets (optional with set MTU value)
-D<фикт_хост1,фикт_хост2[,ME],…>: Masking scans with bogus hosts
-S : Change source address
-e<интерфейс>: Use specific interface
-g/-source-port<номер_порта>: Use the specified port number
–proxies : Relay connections through HTTP/SOCKS4 proxy
--data-length<число>: Add arbitrary data to sent packets
--ip-options<опции>: Send packet with given ip options
-ttl<значение>: Set IP field time-to-live
--spoof-mac : Set your own MAC address
--badsum: Send packets with bogus TCP/UDP/SCTP checksums

ON/-oX/-oS/-oG Output normal, XML, s| -oA<базовове_имя_файла>: Use three main output formats at once
-v: Increase verbosity level (specify twice or more to increase effect)
-d: Increase or set debug level (up to 9)
--reason: Show the reason the port is in a particular state
--open: Show only open (or possibly open) ports
--packet-trace: Trace received and transmitted packets
--iflist: List interfaces and routers (for debugging)
--log-errors: Log errors/warnings to the normal mode output file
--append-output: Append to rather than overwrite output files
-resume<имя_файла>: Resume interrupted scan
--stylesheet<путь/URL>: Sets an XSL stylesheet to convert XML output to HTML
--webxml: Loads the stylesheet from Nmap.Org
--no-stylesheet: Remove XSL stylesheet declaration from XML

6: Enable IPv6 scanning
-A: Enable OS and version detection, scripted scanning and tracing
--datadir<имя_директории>: Specifies the location of Nmap files
--send-eth/ --send-ip: Use raw ethernet/IP layer
--privileged: Assume the user has all privileges
--unprivileged: Assume that the user does not have privileges to use raw sockets
-V: Display version number
-h: Display this help page

HELP: Won't work with "sudo nmap" so use "sudo -i"
During operation, you can query nmap with the following switches:
? Show this information
v/V increase/decrease verbosity
d/D increase/decrease debugging
p/P enable/disable packet tracing
and other keys to be printed in the status

On the Nmap command line, anything that is not an option (or an option argument) is treated as a scan target. In the simplest case, the IP address or network name of the target machine is used for scanning.

Sometimes you need to scan an entire network. To do this, Nmap supports CIDR addressing. You can add /<кол-во бит>to an IP address or network name, and Nmap will scan each IP address for which the first<кол-во бит>the same as the given host. For example, 192.168.10.0/24 will scan 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00111) inclusive 192.168.10.40/24 will do exactly the same thing. Knowing that the IP address of scanme.nmap.org is 64.13.134.52, an entry like scanme.nmap.org/16 will scan 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest value allowed is /0, which will scan the entire Internet. The highest value is /32, at which only the specified host or IP address will be scanned. all address bits are disabled.

CIDR notation is short, but not always flexible enough. For example, you want to scan 192.168.0.0/16 but skip all IPs ending in .0 or .255 because usually these are broadcast addresses. Nmap can do this scan by specifying ranges in octets. Instead of specifying a regular IP address, you can specify either a comma-separated list of numbers or a range for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range ending in .0 and .255. Ranges do not have to be specified only in the last octets: writing 0-255.0-255.13.37 will scan all Internet addresses ending in 13.37. This type of scanning can be useful for browsing the Internet and various studies.

IPv6 addresses can only be specified in a form that fully corresponds to the correct notation for IPv6 addresses. CIDR and the use of ranges in octets do not apply to IPv6 addresses, as they are rarely used.

You can pass multiple target definitions on the Nmap command line, not necessarily the same type. Team nmap scanme.nmap.org 192.168.0.0/16 10.0.0,1,3-7.0-255 will do what you expect.

Scan targets are usually set on the command line, and there are various options to control the selection of targets:

IL<имя_файла>(Enter from list)

Reads targets from<имя_файла>. Although it is common to pass a large list of hosts for scanning, this is not convenient. For example, your DHCP server is giving you a list of 10,000 addresses it currently uses, and you want to scan it. Or perhaps you want to scan all IP addresses except those passed to them to detect unauthorized use of static IP addresses. Simply generate a list of hosts to scan and pass the filename to Nmap as an argument to the -iL option. The entries in the file can be in any form acceptable to Nmap (IP addresses, network names, CIDR, IPv6, or octet ranges). Each entry must be separated by a space or multiple spaces, tabs, or newlines. You can pass a hyphen(-) as a filename argument if you want Nmap to read the list of hosts from standard input rather than from a file.

IR<кол-во хостов>(Selects arbitrary targets)

For scanning across the entire Internet or any kind of research, you may need to select targets randomly. Argument<кол-во хостов>determines how many IP addresses to generate. Inappropriate IP addresses such as private, broadcast, or non-localized address ranges are automatically skipped. Argument 0 can be passed for an infinite scan. Be aware that some system administrators may not like unauthorized scans of their networks and may complain. Use this option at your own risk! If you get bored on a rainy day, try nmap -sS -PS80 -iR 0 -p 80 to scan arbitrary web servers.

--exclude<хост1>[,<хост2>[,…]] (Exclude hosts/networks)

Specifies a comma-separated list of targets to be excluded from the scan, even if they are part of the scan range you specify. The passed list uses the standard Nmap syntax, so it can contain network names, CIDR addressing, ranges in octets, and so on. This option can be useful if the network you want to scan contains servers or systems that react negatively to port scans, or subnets that are administered by other people.

--excludefile<имя_файла>(Exclude list from file)

This option does the same as --exclude, except that the targets to exclude are separated by spaces, tabs, or newlines<файле>, not on the command line.

nmap[ <Тип сканирования> ...] [ <Опции> ] { <цель сканирования> }

Description

nmap(" Network Mapper ») is an open source network exploration and security utility. It was designed to quickly scan large networks, although it also works well for single targets. Nmap uses raw IP packets in an original way to determine what hosts are available on the network, what services (application name and version) they offer, what operating systems (and OS versions) they use, what types of packet filters/firewalls are used, and many more. other characteristics. While Nmap is commonly used for security checks, many system administrators find it useful for common tasks such as monitoring network structure, managing service startup schedules, and keeping track of host or service uptime.

The output of Nmap is a list of targets scanned, with additional information on each target depending on the options given. The key information is « important ports table» . This table contains the port number, protocol, service name, and status. The status can be open (open), filtered (filtered), closed (closed), or unfiltered (not filtered). Open means that the application on the target machine is ready to connect/receive packets on this port. Filtered means that a firewall, network filter, or some other network interference is blocking the port, and Nmap cannot determine whether the port is open or closed. Closed ports are not associated with any application, but can be opened at any time. Ports are considered unfiltered when they respond to Nmap requests, but Nmap cannot tell if they are open or closed. Nmap issues open|filtered and closed|filtered combinations when it cannot determine which of the two states the port describes. This table may also provide details of the software version if requested. When scanning over IP protocol (-sO), Nmap provides information about supported protocols, not about open ports.

In addition to a table of important ports, Nmap can provide further target information: resolved DNS names, operating system guess, device types, and MAC addresses.

A typical scan using Nmap is shown in Example 1. The only arguments used in this example are -A , for OS version, scripted scanning, and tracing; -T4 for faster execution; then two target hosts.

Example 1. A typical example of scanning with Nmap

# nmap -A -T4 scanme..org) Interesting ports on scanme.site (64.13.134.52): (The 1663 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99) 53/tcp open domain 70/tcp closed gopher 80/tcp open http Apache httpd 2.0.52 ((Fedora)) 113/tcp closed auth Device type: general purpose Running: Linux 2.4.X|2.5.X| 2.6.X OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11 Interesting ports on playground..168.0.40): (The 1659 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 389/tcp open ldap? 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1002/tcp open windows-icfw? 1025/tcp open msrpc Microsoft Windows RPC 1720/tcp open H.323/Q.931 CompTek AquaGateKeeper 5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC port: 5900) 5900/tcp open vnc VNC (protocol 3.8) MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications) Device type: general purpose Running: Microsoft Windows NT/2K/XP OS details: Microsoft Windows XP Pro RC1+ through final release Service Info: OSs: Windows , Windows XP Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds

The latest version of Nmap can be downloaded from