Never Ending Security

NMAP Tutorial Guide

NMAP – Network Mapper

Nmap is the most popular (and most feature-rich) port scanning tool available. Although it looks like a small port scanning utility, it has a lot of hidden potential as a powerful hacking tool, and that is precisely what this article works through.

In a previous article we saw how to use nmap for basic port scanning and network scanning tasks. You need to have those basics

1. Faster network sweep

A common use of nmap is to find online hosts within an IP range. By default nmap takes some time to scan a range, depending on the number of hosts it has to check. Hackers, however, tune the scanning process so that a range is swept very fast. Let's take a few examples.

$ nmap -vv -sP 117.194.238.1-100

Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-13 10:24 IST
Initiating Ping Scan at 10:24
Scanning 100 hosts [2 ports/host]
Completed Ping Scan at 10:24, 2.38s elapsed (100 total hosts)
Initiating Parallel DNS resolution of 100 hosts. at 10:24
Completed Parallel DNS resolution of 100 hosts. at 10:24, 4.28s elapsed
Nmap scan report for 117.194.238.1 [host down]
Nmap scan report for 117.194.238.5 [host down]
Nmap scan report for 117.194.238.6
Host is up (0.025s latency).
Nmap scan report for 117.194.238.7 [host down]
Nmap scan report for 117.194.238.18
Host is up (0.079s latency).
Nmap scan report for 117.194.238.19
Host is up (0.034s latency).
Nmap scan report for 117.194.238.20 [host down]
.............
Read data files from: /usr/bin/../share/nmap
Nmap done: 100 IP addresses (26 hosts up) scanned in 6.67 seconds
$

The output has been truncated to keep it easy to read.

In the above example nmap takes around 6.67 seconds to scan 100 hosts. This is a bare example; the time can vary with many factors. If a whole IP range like 117.194.238.1/16 (256×256 hosts) is to be scanned, it would take a lot longer, so the scan needs to be faster. We are going to use the following 3 options to speed it up:

1. No DNS resolution (-n) – tells nmap not to reverse-resolve the IP addresses, which makes the process faster.

2. The -T switch – sets the timing template nmap operates at; -T0 is the slowest and -T5 the fastest.

3. --max-rtt-timeout – the maximum time nmap waits for a probe response before giving up on it.

Here is an example

$ nmap -v -n -sP --max-rtt-timeout 500ms 117.194.238.1-100 -T4

Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-13 10:34 IST
Initiating Ping Scan at 10:34
Scanning 100 hosts [2 ports/host]
Completed Ping Scan at 10:34, 1.97s elapsed (100 total hosts)
Nmap scan report for 117.194.238.1 [host down]
Nmap scan report for 117.194.238.6
Host is up (0.023s latency).
Nmap scan report for 117.194.238.7 [host down]
Nmap scan report for 117.194.238.17 [host down]
Nmap scan report for 117.194.238.18
Host is up (0.056s latency).
Nmap scan report for 117.194.238.19
Host is up (0.026s latency).
...............
Read data files from: /usr/bin/../share/nmap
Nmap done: 100 IP addresses (26 hosts up) scanned in 1.97 seconds
$

This time nmap scanned 100 IPs in 1.97 seconds, which is good speed. The value of --max-rtt-timeout can be adjusted to speed the scan up further: the lower its value, the sooner nmap ends the scan.

2. Cleaner output with grep

Nmap shows the report like this

Nmap scan report for 117.194.238.17 [host down]
Nmap scan report for 117.194.238.18
Host is up (0.056s latency).

The report contains every host, whether it is up or down, but in most cases only the online hosts are of interest. So it is better to list only the up hosts, and in a cleaner format. This takes two things: first, output in greppable format using the -oG option, then grep the output to filter out the Up hosts. Here is a quick example.

$ nmap -vv -n -sP --max-rtt-timeout 500ms 117.194.238.1-100 -T4 -oG - | grep 'Up'
Host: 117.194.238.6 ()  Status: Up
Host: 117.194.238.18 () Status: Up
Host: 117.194.238.19 () Status: Up
Host: 117.194.238.23 () Status: Up
Host: 117.194.238.24 () Status: Up
.....

The above format is much neater: it lists only the ‘Up’ (online) hosts, which is what we need. On Windows the find/findstr command can be used in place of grep; its syntax is very similar.

3. Faster port scanning

Just as we sped up the network sweep, port scans also need to be fast. Port scanning uses the same options shown above in the network sweep section, along with a few more. Port scanning should always be done with the -sS option to ensure SYN scanning. The -PN option can be used along with it to skip the ping probe, avoiding ping detection.

$ sudo nmap -sS -vv -n -p80 -PN --max-rtt-timeout 500ms 117.194.238.1-100 -T4 -oG - | grep 'open'
Host: 117.194.238.67 () Ports: 80/open/tcp//http///
Host: 117.194.238.95 () Ports: 80/open/tcp//http///

The above command scanned for open port 80 on 100 hosts in about 2 seconds, and it lists only those hosts that have the port open. Quick and useful.
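The grep 'Up' and grep 'open' filters used in sections 2 and 3 work on whole lines, so a host line where only one of several scanned ports is open still matches in full. As an added example (not code from the original article), the script below parses the greppable (-oG) format field by field with awk instead. The scan output it reads is a constructed sample embedded in the script so it runs offline; the function names up_hosts, open_ports and hosts_with_open are my own.

```sh
# Added example, not from the original article: parse nmap greppable (-oG)
# output instead of grepping whole lines for 'Up' or 'open'.  Real input
# would come from something like
#   nmap -sS -sV -n -PN -p21,80,3306 -oG - 192.168.1.0/24
# but the scan below is a constructed sample so the script runs offline.
SAMPLE_GNMAP='# Nmap 6.00 scan initiated as: nmap -sS -sV -n -PN -p21,80,3306 -oG - 192.168.1.0/24
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.1 ()  Ports: 21/closed/tcp//ftp///, 80/open/tcp//http//Apache httpd 2.2.22/, 3306/closed/tcp//mysql///
Host: 192.168.1.5 ()  Status: Down
Host: 192.168.1.10 ()  Status: Up
Host: 192.168.1.10 ()  Ports: 21/open/tcp//ftp//vsftpd 2.3.5/, 80/filtered/tcp//http///, 3306/open/tcp//mysql//MySQL (unauthorized)/
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 4.12 seconds'

# Addresses of hosts reported as Up (the grep "Up" trick, trimmed to the IP).
up_hosts() {
    printf '%s\n' "$SAMPLE_GNMAP" | awk '/Status: Up/ { print $2 }'
}

# One line per open port: "ip port/proto service version".
# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/ and
# entries are separated by ", ", so only entries whose state field is
# "open" are reported, not every host line that happens to contain "open".
open_ports() {
    printf '%s\n' "$SAMPLE_GNMAP" | awk '
        /Ports: / {
            ip = $2
            sub(/.*Ports: /, "")                 # keep only the port list
            sub(/[ \t]+Ignored State:.*/, "")    # drop the trailing summary if present
            n = split($0, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] == "open") {
                    ver = (f[7] == "") ? "-" : f[7]
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], ver
                }
            }
        }'
}

# Hosts exposing one given TCP port, e.g. hosts_with_open 3306 for MySQL.
hosts_with_open() {
    open_ports | awk -v want="$1/tcp" '$2 == want { print $1 }'
}

# Stand-alone usage: print the three views of the sample scan.
up_hosts
open_ports
hosts_with_open 3306
```

To use it on a live scan, replace the printf of SAMPLE_GNMAP with the nmap pipeline shown in the comment; the same awk works on the .gnmap file that -oA writes.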

4. Discover services

The key idea behind port scanning is to discover the services that are online on the network (including those which can be hacked!). So let's try discovering some online services on random IP ranges.

Find FTP servers

$ sudo nmap -sS -vv -n -PN -p21 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open'

The above call to nmap lists all the IP addresses that have port 21 open. Hackers would find such servers and then check which of them are vulnerable. For example, you could run such a scan on the IP range of some website; it will scan all possible servers in that range.

Find mysql servers

Why only FTP? There are plenty of other services to look for by matching the port numbers they run on. MySQL, for instance, runs on port 3306, so MySQL servers can be found with a similar call to nmap using a different value for the -p parameter.

$ sudo nmap -sS -vv -n -PN -p3306 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open'

More services

There are plenty of other services to look for, like telnet, http and vnc. Lots of servers out in the public have these services open, which can allow hackers to compromise their systems. So you have to find such servers and give them a try.

5. Grab daemon banner/welcome message

Nmap has another option, -sV, that fetches the daemon banner or welcome message the service presents on connection.

$ sudo nmap -sS -sV -n -PN -p3306 --max-rtt-timeout 500ms 192.168.1.1/24 -T4 -oG - | grep 'open'
Host: 192.168.1.10 () Ports: 3306/open/tcp//mysql//MySQL (unauthorized)/
Host: 192.168.1.89 () Ports: 3306/open/tcp//mysql//MySQL (unauthorized)/

The ‘MySQL (unauthorized)’ string in the output is the message given by MySQL on connection. The most useful piece of information in a welcome message is the version number of the service, plus anything extra it reveals. Here, however, the welcome message seems to have been modified so that it does not reveal any version information.

6. Find windows machines

Just as we discovered services on remote IP addresses, it is possible to find Windows XP machines that are directly connected to the internet. You can, for example, run an nmap scan over the IP addresses your ISP allocates to its users and find out which IPs are online Windows machines. For this we just need to scan for open SMB (samba, port 445) ports.

$ sudo nmap -n -PN -p445 --max-rtt-timeout 500ms 117.194.237.1/24 -T4 -oG - | grep 'open'
Host: 117.194.237.7 ()  Ports: 445/open/tcp//microsoft-ds///
Host: 117.194.237.33 () Ports: 445/open/tcp//microsoft-ds///
Host: 117.194.237.39 () Ports: 445/open/tcp//microsoft-ds///
Host: 117.194.237.44 () Ports: 445/open/tcp//microsoft-ds///
........

You might be surprised to see the number of users online.

Conclusion

The examples shown above are the basics of using port scanning and nmap as a powerful tool to study the network around you. Nmap also has scripting features that allow custom scripts to be written to automate and extend nmap's scanning capabilities to a higher level.

Nmap tutorial – port scanning remote hosts

Nmap

Nmap (Network Mapper) is the most popular port scanner and network discovery tool in use. It is available for all major platforms. In this article we are going to learn the basics of nmap and see how it can be used to scan networks and ports.

Project website
http://nmap.org/

Install on Ubuntu

$ sudo apt-get install nmap

The nmap manual is available at
http://nmap.org/book/man.html

Some nmap commands need to create raw sockets. This needs root privileges on a Linux system such as Ubuntu. On Windows nmap uses the WinPcap packet driver to send raw packets.

Scan network for live hosts – Ping Probe/Ping Sweep

This is the first and most basic form of network scan that can be done with nmap, to detect hosts that are alive and responding on the network.

$ nmap -sP 192.168.1.1-254

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-15 18:45 IST
Nmap scan report for 192.168.1.1
Host is up (0.0069s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.101
Host is up (0.000065s latency).
Nmap done: 254 IP addresses (3 hosts up) scanned in 6.64 seconds

In the above command we scan all IP addresses from 192.168.1.1 to 192.168.1.254. That is the range, and it can be specified with the short syntax 192.168.1.1-254.

CIDR notation can also be used, for example 192.168.1.1/24.
Note: in CIDR notation the number after the forward slash is the number of bits of the IP address that stay constant, counted from the left. So 24 means that “192.168.1” stays constant (8 bits x 3).

Avoid DNS resolution

When doing ping sweeps, nmap tries reverse dns resolution of the target ip addresses. This is generally not needed and can be disabled with the -n option.

$ nmap -sP -n 192.168.1.1-255

OK, so let's move on and do more scanning with the tool.

Port scan a host

To port scan a particular host, the command would be

$ nmap 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-15 19:01 IST
Nmap scan report for 192.168.1.1
Host is up (0.058s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

That is the simplest command to issue with nmap. Nmap performs a scan to discover open ports on the target host, which can be an IP address or a host/domain name. Nmap reports the port number, its state and the service that port number is associated with. For example port 80 is for http; if the http port is open then the target system is most probably serving web pages.

If you wish to dig deeper and analyse what nmap is doing behind the scene, you can use a packet sniffer like wireshark to analyse the packets that nmap is generating and sending.

Getting the daemon/service banner or version information

Nmap can try to get the version number or banner of each of the services running on the host. The -sV flag is used for this:

$ nmap -sV localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-15 19:15 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00041s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE   VERSION
21/tcp   open  ftp       vsftpd 2.3.5
22/tcp   open  ssh       OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp   open  smtp      Postfix smtpd
53/tcp   open  domain    dnsmasq 2.59
80/tcp   open  http      Apache httpd 2.2.22 ((Ubuntu))
631/tcp  open  ipp       CUPS 1.5
3000/tcp open  ntop-http Ntop web interface 4.1.0
3306/tcp open  mysql     MySQL 5.5.24-0ubuntu0.12.04.1
9050/tcp open  tor-socks Tor SOCKS Proxy
Service Info: Host:  enlightened-desktop; OSs: Unix, Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.91 seconds

That is a lot of information: port number, service name, version/banner information and so on.

Types of port scan

Nmap does port scanning in a number of ways, such as TCP connect, SYN scan and FIN scan. The most popular ones are TCP connect and SYN scan. In a TCP connect scan a full TCP connection is established; in a SYN scan only a half-open connection is made. When running as non-root on Linux, nmap does a TCP connect scan by default:

$ nmap 192.168.1.1

SYN scanning requires root privileges on Linux systems; on Ubuntu you have to use sudo. To do a SYN scan use the -sS option like this:

$ sudo nmap -sS 192.168.1.1

SYN scanning is faster since it does not complete the TCP handshake. It is to some extent stealthier as well, since old-style firewalls may not detect SYN scans because no full connection is established. Modern firewalls, however, can very well catch the SYN packets, detect the port scanning attempt and stop the hacker right away.
Note that when nmap is run as root the default scanning technique is the SYN scan, so the following are equivalent since in both cases nmap is running as root:

sudo nmap host
sudo nmap -sS host

There are other port scanning techniques as well, but we won't cover them in this article. For more information check the nmap manual at http://nmap.org/book/man.html
and look at the -sF, -sX, -sA and -sN flags.

Scanning specific ports only

Nmap can be instructed to scan on specific ports or a range of port numbers by using the -p switch as follows :

nmap -p1-1000 192.168.1.1/24

The above command scans port numbers 1 to 1000 on all machines from 192.168.1.1 to 192.168.1.255.

More examples :

$ nmap -p22,23,100-150 192.168.10.0/24

The above scans port numbers 22, 23 and 100 to 150.

$ sudo nmap -sS -sU -pT:21,22,23,U:53,137 192.168.10.0/24

The above scans TCP ports 21, 22 and 23 and UDP ports 53 and 137. Note that -sU alone only scans the UDP ports; a TCP scan type such as -sS must be given as well for the T: ports to be scanned, and UDP scanning needs root privileges.

Skip online check

Nmap by default first checks whether a host is online by pinging it; if the host is not online, nmap does not port scan it. Many hosts nowadays have firewalls that block ping requests. In such cases nmap can be told not to check whether the host is online and to start the port scan right away. This is done with the -PN option:

$ nmap 192.168.1.1 -PN

Operating System detection

Nmap can try to find out the operating system of the target by fingerprinting it. This is done with the -O switch. It also needs root privileges, since it uses raw sockets. Also note that if you are running a firewall such as Firestarter on Linux or ZoneAlarm on Windows, it may block raw sockets and nmap would then fail to show proper results.

$ sudo nmap -O 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-16 12:17 IST
Nmap scan report for 192.168.1.1
Host is up (0.0067s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
5431/tcp open  park-agent
MAC Address: 00:21:2C:82:08:87 (SemIndia System Private Limited)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.28
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds

So nmap is able to detect that the operating system is Linux. Note that the OS fingerprint reported by nmap may not be very accurate: it infers the operating system from TCP header fields and the like, so it cannot tell the exact Linux distribution, for example. In most cases, however, it gives a correct indication of whether the target is a Linux or Windows system.

Here is the scan result of a windows machine for example

$ sudo nmap -O ############

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-16 14:20 IST
Nmap scan report for ############ (###.###.###.###)
Host is up (0.39s latency).
Not shown: 987 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
1433/tcp  open  ms-sql-s
2006/tcp  open  invokator
3306/tcp  open  mysql
3389/tcp  open  ms-term-serv
8443/tcp  open  https-alt
49158/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008
OS details: Microsoft Windows Server 2008 Beta 3

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.22 seconds

Aggressive scanning

The -A option can be used to perform an aggressive scan which is equal to – “enable OS detection and Version detection, Script scanning and Traceroute”. Here is a quick example

$ sudo nmap -A -T4 ##########
[sudo] password for enlightened: 

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-16 15:02 IST
Nmap scan report for ########## (###.###.###.###)
Host is up (0.38s latency).
Not shown: 989 filtered ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
25/tcp    open  smtp          MailEnable smptd 4.26--
53/tcp    open  domain        ISC BIND hostmaster
80/tcp    open  http          Microsoft IIS webserver 7.0
|_html-title: Welcome to Homepage
110/tcp   open  pop3          MailEnable POP3 Server
|_pop3-capabilities: OK(K Capability list follows) USER TOP UIDL
143/tcp   open  imap          MailEnable imapd
|_imap-capabilities: IMAP4rev1 IMAP4 CHILDREN IDLE AUTH=LOGIN AUTH=CRAM-MD5
2006/tcp  open  http          Microsoft IIS httpd 7.0
| html-title: Document Moved
|_Requested resource was http://##########/ABC
3306/tcp  open  mysql         MySQL (unauthorized)
3389/tcp  open  microsoft-rdp Microsoft Terminal Service
8443/tcp  open  ssl/http      Microsoft IIS webserver 7.0
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html).
49158/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008
OS details: Microsoft Windows Server 2008 Beta 3
Network Distance: 16 hops
Service Info: Host: CL-T192-200CN.home; OS: Windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   8.13 ms   192.168.1.1
2   44.42 ms  117.194.224.1
3   40.74 ms  218.248.162.230
4   70.79 ms  218.248.255.82
5   124.74 ms 115.114.130.33.STATIC-Chennai.vsnl.net.in (115.114.130.33)
6   148.41 ms 172.31.19.146
7   145.28 ms ix-0-100.tcore1.MLV-Mumbai.as6453.net (180.87.38.5)
8   366.30 ms if-2-2.tcore2.MLV-Mumbai.as6453.net (180.87.38.2)
9   375.30 ms if-6-2.tcore1.L78-London.as6453.net (80.231.130.5)
10  372.00 ms if-2-2.tcore2.L78-London.as6453.net (80.231.131.1)
11  428.80 ms if-20-2.tcore2.NYY-NewYork.as6453.net (216.6.99.13)
12  442.52 ms if-1-0-0.mcore3.MTT-Montreal.as6453.net (216.6.99.10)
13  382.34 ms if-0-3-1-0.tcore1.MTT-Montreal.as6453.net (64.86.31.53)
14  364.63 ms 64.86.31.42
15  ...
16  369.24 ms ###.###.###.###

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.29 seconds

For privacy the actual host name and its IP address have been hidden.
A new parameter, -T, has been used in the above example. The -T parameter adjusts the speed of the scan. It takes values from 0 to 5, 0 being the slowest and 5 the fastest. Here we used 4.

Apart from open ports, and operating system details, we also have the traceroute output.

Saving output to file

Nmap can save scan results in various file formats such as normal text and XML. The options are -oN, -oX, -oS, -oG and -oA, where -oA writes all three of -oN, -oX and -oG at once.

Quick example

$ nmap -sP -n 192.168.1.1-255 -oA lan_scan.txt

The above will create the files lan_scan.txt.gnmap, lan_scan.txt.nmap and lan_scan.txt.xml.

lan_scan.txt.nmap file looks like this

# Nmap 5.21 scan initiated Thu Aug 16 15:33:45 2012 as: nmap -sP -n -oA lan_scan.txt 192.168.1.1-255
Nmap scan report for 192.168.1.1
Host is up (0.0073s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.101
Host is up (0.00021s latency).
# Nmap done at Thu Aug 16 15:33:48 2012 -- 255 IP addresses (3 hosts up) scanned in 2.51 seconds
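Saved output becomes useful once there is more than one of it: the .gnmap file that -oA writes for a ping sweep can be compared with the same sweep run later to spot devices that have appeared on, or vanished from, the network. The following is an added example (not code from the original article) that does exactly that with sort and comm. The two sweep files are constructed inline so the script runs offline; the names write_samples, up_set, appeared and disappeared are my own.

```sh
# Added example, not from the original article: compare the .gnmap files
# written by two ping sweeps run with -oA and list hosts that appeared or
# disappeared in between.  Both files are constructed inline so the script
# runs offline; real ones would come from e.g.
#   nmap -sP -n -oA sweep_monday 192.168.1.1-255

# Write the two constructed .gnmap samples into a temp dir and print its path.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sweep_monday.gnmap" <<'EOF'
# Nmap 6.00 scan initiated as: nmap -sP -n -oA sweep_monday 192.168.1.1-255
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.2 ()  Status: Up
Host: 192.168.1.101 ()  Status: Up
# Nmap done -- 255 IP addresses (3 hosts up) scanned in 2.51 seconds
EOF
    cat > "$dir/sweep_tuesday.gnmap" <<'EOF'
# Nmap 6.00 scan initiated as: nmap -sP -n -oA sweep_tuesday 192.168.1.1-255
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.101 ()  Status: Up
Host: 192.168.1.150 ()  Status: Up
# Nmap done -- 255 IP addresses (3 hosts up) scanned in 2.47 seconds
EOF
    printf '%s\n' "$dir"
}

# Sorted list of addresses marked Up in one .gnmap file.  LC_ALL=C keeps the
# collation identical for sort and comm, which comm requires.
up_set() {
    awk '/Status: Up/ { print $2 }' "$1" | LC_ALL=C sort
}

# Hosts in the second sweep that were not in the first (new devices).
appeared() {
    work=$(mktemp -d)
    up_set "$1" > "$work/old"; up_set "$2" > "$work/new"
    LC_ALL=C comm -13 "$work/old" "$work/new"   # lines only in the new file
    rm -rf "$work"
}

# Hosts in the first sweep that are missing from the second.
disappeared() {
    work=$(mktemp -d)
    up_set "$1" > "$work/old"; up_set "$2" > "$work/new"
    LC_ALL=C comm -23 "$work/old" "$work/new"   # lines only in the old file
    rm -rf "$work"
}

# Stand-alone usage on the constructed samples.
samples=$(write_samples)
echo "appeared:";    appeared    "$samples/sweep_monday.gnmap" "$samples/sweep_tuesday.gnmap"
echo "disappeared:"; disappeared "$samples/sweep_monday.gnmap" "$samples/sweep_tuesday.gnmap"
rm -rf "$samples"
```

Because the comparison works on addresses only, run the sweeps with -n and against the same range each time; otherwise a host that merely changed its reverse DNS name or fell outside the range would show up as a change.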

Information gathering with Nmap scripts

Nmap scripting engine

Nmap now has a scripting engine that allows users to write their own custom scripts to perform various scanning tasks in an automated fashion. This provides a powerful way to build a multi-step scanner on top of nmap's inbuilt features. Many scripts developed and submitted by the community already ship with nmap. Details about the existing nmap scripts can be found here.

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

The scripts basically use nmap's own scanning features, but in an automated and programmatic manner, like calling an external library.

In this post we shall take a look at some of the scripts that can be used to perform “information gathering” on domain names and IP addresses.

1. Find geo location of an ip address or domain

Nmap has multiple scripts that look up the geolocation of an IP address. To use them, issue a command like this:

$ nmap -Pn -p80 --script ip-geolocation-* 8.8.8.8

Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:11 IST
Nmap scan report for 8.8.8.8
Host is up.
PORT   STATE    SERVICE
80/tcp filtered http

Host script results:
| ip-geolocation-geobytes: 
| 8.8.8.8
|   coordinates (lat,lon): 40.7488,-73.9846
|_  city: New York, New York, United States

Nmap done: 1 IP address (1 host up) scanned in 31.19 seconds

As can be seen in the output, the latitude, longitude, city and country have been determined from the IP address. The scripts use web services such as geoplugin, ipinfodb and geobytes to find the location.

2. Dns bruteforcing

This script attempts to enumerate DNS hostnames by brute-force guessing of common subdomains. Here is a sample usage.

$ nmap -p80 --script dns-brute insecure.org

Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:41 IST
Nmap scan report for insecure.org (74.207.254.18)
Host is up (0.33s latency).
rDNS record for 74.207.254.18: web.insecure.org
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames
|     www.insecure.org - 74.207.254.18
|     mx0.insecure.org - 74.207.254.18
|     lab.insecure.org - 74.207.254.18
|     corp.insecure.org - 74.207.254.18
|     whois.insecure.org - 74.207.254.18
|     www.insecure.org - 2600:3c01:0:0:f03c:91ff:fe96:967c
|     mail.insecure.org - 64.13.134.2
|     intranet.insecure.org - 74.207.254.18
|     mx1.insecure.org - 74.207.254.18
|     ssl.insecure.org - 74.207.254.18
|     ldap.insecure.org - 74.207.254.18
|     mysql.insecure.org - 74.207.254.18
|     crs.insecure.org - 74.207.254.18
|     linux.insecure.org - 74.207.254.18
|     secure.insecure.org - 74.207.254.18
|     sql.insecure.org - 74.207.254.18

.............

Since this script queries a predefined list of subdomains, it is limited, but it can still be useful.

3. Find other domains hosted on the same ip address or on same server of a host

During information gathering it is often necessary to know what other domains are hosted on a given server. The easiest way is to use the Bing search engine: to find domains hosted on a certain IP address, search bing.com for

ip:aaa.bbb.ccc.ddd

The same thing can be automated with nmap to produce results in a neat format; an NSE script that does this can be downloaded here.

Download the script and save it in nmap's scripts directory. On Linux the directory is generally

/usr/share/nmap/scripts/

otherwise use one of the following commands to find the exact location (the pattern is quoted so the shell does not expand it):

find / -name '*.nse'
locate '*.nse'

Once the http-reverse-ip.nse script is saved in the nmap scripts directory, use it like this:

$ nmap -Pn -p80 --script http-reverse-ip nmap.org

Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:30 IST
Nmap scan report for nmap.org (74.207.254.18)
Host is up (0.30s latency).
rDNS record for 74.207.254.18: web.insecure.org
PORT   STATE SERVICE
80/tcp open  http
| http-reverse-ip: 
| nmap.org
| sectools.org
| insecure.org
| seclists.org
|_cgi.insecure.org

Nmap done: 1 IP address (1 host up) scanned in 7.09 seconds

So it lists all domains that share the IP address of nmap.org.

Ping sweep the network with nmap

Ping Sweep

A ping sweep is the process of pinging an entire range of network IP addresses to find out which ones are online. Nmap does this quickly and effectively. Here is the command:

$ nmap -sP 192.168.1.1-255

Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-16 18:16 IST
Nmap scan report for 192.168.1.1
Host is up (0.0079s latency).
Nmap scan report for 192.168.1.92
Host is up (0.010s latency).
Nmap scan report for 192.168.1.101
Host is up (0.000086s latency).
Nmap scan report for 192.168.1.201
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.237
Host is up (0.0019s latency).
Nmap done: 255 IP addresses (5 hosts up) scanned in 25.86 seconds

The above command scanned all IP addresses from 192.168.1.1 to 192.168.1.255 and found 5 IPs online. The command was run on Linux without root privileges. Note that nmap on Linux takes more time without root privileges, since it cannot create raw sockets. On Windows there are no such restrictions and nmap is fast enough.

So if you are on Ubuntu, for example, always run nmap with sudo. It will be much faster and show more information:

$ sudo nmap -sP 192.168.1.1-255

Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-16 18:21 IST
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
MAC Address: 6C:FD:B9:53:6A:21 (Proware Technologies Co)
Nmap scan report for 192.168.1.92
Host is up (0.0033s latency).
MAC Address: 00:1E:58:B8:D4:69 (D-Link)
Nmap scan report for 192.168.1.101
Host is up.
Nmap scan report for 192.168.1.201
Host is up (0.0010s latency).
MAC Address: 00:1C:C0:AE:B4:19 (Intel Corporate)
Nmap scan report for 192.168.1.237
Host is up (0.0040s latency).
MAC Address: 6C:F0:49:69:C1:25 (Giga-byte Technology Co.)
Nmap done: 255 IP addresses (5 hosts up) scanned in 7.13 seconds

See the difference? Earlier it took around half a minute and now less than 10 seconds. Want to speed up the ping sweep further? Keep reading…

The -n option tells nmap to disable DNS resolution, which speeds up the scan further.

$ sudo nmap -sP 192.168.1.1-255 -n

Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-16 18:22 IST
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
MAC Address: 6C:FD:B9:53:6A:21 (Proware Technologies Co)
Nmap scan report for 192.168.1.92
Host is up (0.0031s latency).
MAC Address: 00:1E:58:B8:D4:69 (D-Link)
Nmap scan report for 192.168.1.101
Host is up.
Nmap scan report for 192.168.1.201
Host is up (0.00090s latency).
MAC Address: 00:1C:C0:AE:B4:19 (Intel Corporate)
Nmap scan report for 192.168.1.237
Host is up (0.0019s latency).
MAC Address: 6C:F0:49:69:C1:25 (Giga-byte Technology Co.)
Nmap done: 255 IP addresses (5 hosts up) scanned in 5.86 seconds

Check the time: it is 2 seconds less than before. Improved, but it can be made better. Use --max-rtt-timeout to speed up the scan further. Let's use a round-trip timeout of 50ms.

$ sudo nmap -sP 192.168.1.1-255 -n --max-rtt-timeout 50ms

Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-16 18:28 IST
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
MAC Address: 6C:FD:B9:53:6A:21 (Proware Technologies Co)
Nmap scan report for 192.168.1.92
Host is up (0.0029s latency).
MAC Address: 00:1E:58:B8:D4:69 (D-Link)
Nmap scan report for 192.168.1.101
Host is up.
Nmap scan report for 192.168.1.201
Host is up (0.00058s latency).
MAC Address: 00:1C:C0:AE:B4:19 (Intel Corporate)
Nmap scan report for 192.168.1.237
Host is up (0.0022s latency).
MAC Address: 6C:F0:49:69:C1:25 (Giga-byte Technology Co.)
Nmap done: 255 IP addresses (5 hosts up) scanned in 1.72 seconds

Now the scan completed in less than 2 seconds, which is quite good. With lower round-trip timeouts the accuracy may drop, since some hosts may reply after the timeout and nmap will not catch their replies. When pinging/scanning the local area network, however, hosts generally reply very fast and a very small round-trip timeout still gives accurate results. Try a timeout of 5-10ms and nmap should show the results in less than a second.
