Basic Port Scanning With Nmap

edited July 2011 in Tech & Games
What is Nmap all about?

Taken from the Nmap website... (I bolded the best bits)
Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

What will this guide show me?

I aim to give you a basic insight into how you can use Nmap through its command line interface to scan networks and individual hosts. I will also show you some different scan techniques, and provide a list of some ports and the services which run on them.

Installing Nmap
  1. Visit the Nmap website - http://nmap.org/download.html
  2. Choose your OS, and follow the instructions.
  3. Keep in mind that I am writing this guide using Linux and a command line to run Nmap. If you're on Windows, you'll probably have the GUI version. While this looks different, you can use the same commands and it does the same thing.

Obtaining a list of hosts through a ping scan

If you're on your own network, you should already know which devices are connected. To find the IP addresses of these, I usually run the following scan...

nmap -sP 192.168.0.0-255

This will ping scan the network from host 192.168.0.0 all the way up to 192.168.0.255 (newer Nmap releases call this option -sn, but -sP is still accepted as an alias). Once the scan is complete, you should see a result like this...

[screenshot: ping scan results listing the hosts that are up]

Port Scanning a Host

Once you have found the host you wish to scan, you can go ahead and scan it. Before scanning, you may wish to take a look at the list of scanning techniques on the Nmap website. These can be used to add extra functionality to your scans giving them more detailed results.

The simplest port scan you could run would be as follows...
  • nmap 192.168.0.1 (replace IP address with your host of choice).

In my case, this would be my router being scanned although I could have scanned any device on the network. It displays this output once I have scanned it...

[screenshot: port scan output for the router]

From this screen, we can tell which ports are open or closed. In this case, my HTTP port (80) is open because I am running a webserver. However, an open port like this is also a hole in the firewall: whatever service is listening there is reachable from the network, so a flaw in that service could be used as a way into the system and a way of gaining a shell or complete access to it.
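A defender's follow-up to the port scan above, added here as an example and not part of the original guide: parse Nmap's normal text output and flag any open TCP port that is not in a per-host inventory baseline (so a surprise like telnet on the router stands out). The sample output and the baseline are constructed assumptions, not a real scan.

```python
import re

# Constructed sample of Nmap "normal" output, shaped like the ping scan plus
# the default port scan of the router described above (not a real capture).
SAMPLE = """\
Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
Nmap scan report for 192.168.0.10
Host is up (0.0030s latency).
All 1000 scanned ports on 192.168.0.10 are closed
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.20 seconds
"""

# Matches both "Nmap scan report for 192.168.0.1" and "... for router.lan (192.168.0.1)".
HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?(\d+\.\d+\.\d+\.\d+)\)?$")
# Matches the per-port table rows, e.g. "80/tcp  open  http".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return {ip: {tcp_port: (state, service)}} for every host in the report."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            if proto == "tcp":
                hosts[current][int(port)] = (state, service)
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Open TCP ports that are missing from the hypothetical inventory baseline."""
    findings = {}
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(p for p, (state, _) in ports.items()
                       if state == "open" and p not in allowed)
        if extra:
            findings[ip] = extra
    return findings

# Hypothetical baseline: the router should expose only SSH and the web server.
BASELINE = {"192.168.0.1": {22, 80}}

if __name__ == "__main__":
    for ip, ports in unexpected_open_ports(parse_nmap(SAMPLE), BASELINE).items():
        print(f"{ip}: unexpected open TCP ports {ports}")
```

Running a real scan with -oN and feeding the file to parse_nmap gives the same structure, so a baseline kept per host turns each rescan into a quick check for newly exposed services.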

List of common TCP ports

When port scanning (either from an attacking or defensive point of view), you're looking for open ports and services which could be exploited in some way. Below is a list of the most commonly found TCP ports, and the services which run on them.

20 FTP data (File Transfer Protocol)
21 FTP (File Transfer Protocol)
22 SSH (Secure Shell)
23 Telnet
25 SMTP (Simple Mail Transfer Protocol)
43 whois
53 DNS (Domain Name System)
68 DHCP (Dynamic Host Configuration Protocol)
79 Finger
80 HTTP (HyperText Transfer Protocol)
110 POP3 (Post Office Protocol, version 3)
115 SFTP (Simple File Transfer Protocol)
119 NNTP (Network News Transfer Protocol)
123 NTP (Network Time Protocol)
137 NetBIOS-ns
138 NetBIOS-dgm
139 NetBIOS
143 IMAP (Internet Message Access Protocol)
161 SNMP (Simple Network Management Protocol)
194 IRC (Internet Relay Chat)
220 IMAP3 (Internet Message Access Protocol 3)
389 LDAP (Lightweight Directory Access Protocol)
443 HTTPS (HTTP over SSL/TLS)
445 SMB (Microsoft-DS, SMB directly over TCP)
666 Doom
993 IMAPS (IMAP over SSL/TLS)
995 POP3S (POP3 over SSL/TLS)

Summary

This guide hasn't been particularly in depth - I realize that. I have, however, given you a slight nudge in the right direction with port scanning, and how you can do it. To understand it more, you should take the time to read some tutorials and guides on the subject. Here are some useful links.

Nmap
Backtrack Forums
List of Nmap Commands
Irongeek
