
What Is Nmap And How To Use It


Nmap is a powerful network security tool written by Gordon Lyon. It was released almost 20 years ago (in 1997) and has since become the de facto standard for network mapping and port scanning, allowing network administrators to discover hosts and services on a computer network and build a map of it.
Widely used by network admins and penetration testers (but also by malicious hackers!), Nmap is free to use and is released under the GPL license. This license gives you the right to run, study, share, and modify the software. You can find the Nmap source code here.

Although usually used for port scanning, Nmap offers many additional features:
  • host discovery.
  • operating system detection.
  • service version detection.
  • network information about targets, such as DNS names, device types, and MAC addresses.
  • ability to scan for well-known vulnerabilities.
Nmap was originally written for Linux, but it has been ported to major operating systems, such as Windows, Solaris, HP-UX, etc. There is even a free and open source GUI called Zenmap, available at.

Scanning for network vulnerabilities using nmap


This article is a bit of a divergence for me. I recently had the need to scan an entire network for a particularly nasty Microsoft security vulnerability, MS15-034.
Obviously there are a few ways to check for this; the first is obvious: check which servers have IIS installed. However, this bug isn’t limited to IIS but applies to anything using HTTP.sys, and of course an HTTP server can be spun up on any port you want, so we need to check for servers that have HTTP exposed on any port from 1-65535.
Nobody wants to manually log on to every server and check whether the specific KB patch is installed, though; that takes a lot of effort and time.
So is there a way we can scan for vulnerabilities in a “start and forget” sort of way?
Sure, we can use Zenmap – Zenmap is a GUI built on top of nmap, a network scanner that can gather information on open ports, perform OS detection, etc. It has tons of really cool features, but one thing it allows that is of particular benefit is scripting of particular scan parameters, which makes it ideal for vulnerability scanning.
The reason I use Zenmap is that it provides a nice summarised output of nmap commands and supports all of the features nmap does. Open up Zenmap and run the below against your subnet (obviously replace this with your own subnet and mask, or indeed a single host):
nmap -v3 10.0.0.0/23
nmap’s default “host is active” detection behaviour (on IPv4) is: send an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request.
Sometimes, however, hosts don’t respond to these requests/packets. If you think there may be hosts on your subnet that behave this way, we can get around it by disabling host discovery with the -Pn flag.
Disabling host discovery with -Pn causes nmap to attempt the requested scanning functions against every target IP address specified.
So for the below it will fully scan all top 1000 ports (the default for nmap) on every IP in the 10.0.0.1 subnet. N.B. This takes a LONG time:
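To make the “start and forget” idea concrete, here is a worked example added to this post (not the original author’s code) that runs the HTTP-on-any-port scan described above from a script rather than from Zenmap, then reduces nmap’s XML report to the list of hosts that actually expose an HTTP listener, which is the worklist for checking the MS15-034 patch. It assumes nmap is on the PATH when run_scan() is called; SAMPLE_XML is a constructed, trimmed nmap XML report (addresses and product strings made up) so the parser can be exercised offline.

```python
"""Added example: full-port HTTP inventory with nmap, parsed from its XML output.

Assumptions: nmap is installed and on PATH for run_scan(); SAMPLE_XML below is a
constructed, trimmed report so http_services() can be tried without scanning."""
import subprocess
import xml.etree.ElementTree as ET
from typing import List, Tuple


def build_scan_command(target: str) -> List[str]:
    """Assemble the nmap command line for a full-port HTTP inventory."""
    return [
        "nmap",
        "-Pn",        # skip host discovery: hosts that ignore ping probes still get scanned
        "-p-",        # all 65535 TCP ports, because HTTP.sys can listen on any of them
        "-sV",        # version detection, so a listener on 8443 is still labelled http
        "--open",     # report only open ports
        "-oX", "-",   # XML report on stdout, which http_services() parses
        target,
    ]


def run_scan(target: str) -> str:
    """Run the scan and return the XML report (requires nmap to be installed)."""
    proc = subprocess.run(build_scan_command(target), check=True,
                          capture_output=True, text=True)
    return proc.stdout


def http_services(xml_text: str) -> List[Tuple[str, int, str, str]]:
    """Return (address, port, service, product) for every open TCP port whose
    detected service is HTTP-like, whatever port number it runs on."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            name = svc.get("name", "")
            if "http" not in name:      # matches http, https, http-proxy, http-alt
                continue
            # nmap marks TLS-wrapped HTTP as name="http" tunnel="ssl"
            label = "ssl/" + name if svc.get("tunnel") == "ssl" else name
            findings.append((addr, int(port.get("portid")), label, svc.get("product", "")))
    return findings


# Constructed sample report: two live hosts, one of them running HTTP.sys on 80 and 8443
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft HTTPAPI httpd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/>
        <service name="http" product="Microsoft HTTPAPI httpd" tunnel="ssl"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH"/></port></ports></host>
  <host><status state="down"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>"""

if __name__ == "__main__":
    # Offline demo on the constructed report; use run_scan("10.0.0.0/23") for a real subnet.
    for addr, port, svc, product in http_services(SAMPLE_XML):
        print(f"{addr}:{port}\t{svc}\t{product}")
```

The -p- and -sV options are what make the difference from the default scan above: without -p- a listener on an unusual port is never probed, and without -sV it is reported by port number only, so a hit on 8443 would not be recognised as HTTP.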

What is an Nmap Maimon scan and how does the tool interpret responses from it?
Your question actually led me down an intriguing path. I first checked the Nmap documentation, which referred to issue No. 49 of Phrack magazine, where, on Nov. 8, 1996, a gentleman named Uriel Maimon wrote an article entitled "Port Scanning without the SYN flag". The documentation added that the Maimon scan uses packets with both the FIN and ACK flags set.
That seemed like a simple, reasonable explanation, until I turned to the source and read Uriel's article for fact-checking purposes. It turns out that his article described sending an initial FIN packet followed by an ACK packet and then looking for discrepancies between their TTL values.
After hearing these conflicting facts, I used Nmap to run a Maimon scan, monitoring the session with the Ethereal packet sniffer. It turns out that the Nmap documentation correctly describes Nmap's behavior: it sends packets with both the FIN and ACK flags set. This mimics the second stage (FIN/ACK) of the three-way handshake used to tear down a TCP/IP connection. The setting also provides an alternative to FIN probes, which mimic the first step of the TCP breakdown handshake, and SYN probes, which mimic the first step of the connection setup handshake.
Why would you use Maimon's FIN/ACK probe? It's simply another way of eliciting responses from systems that are configured to cloak their presence on the network. Consider it one more weapon in your probe arsenal.
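As an added example (not part of the answer above or of Nmap itself), here is the check a packet-capture analyst would script instead of eyeballing flags in a sniffer: a small TCP header parser that labels a captured segment as one of the probe types named above (SYN, FIN, or Maimon’s FIN/ACK). Headers are constructed in-line with build_tcp_header(), so nothing is sent on the wire. It assumes that a FIN/ACK is only a probe when it does not belong to a connection whose handshake has already been seen; the `established` set stands in for that connection table.

```python
"""Added example: recognise SYN, FIN and Maimon (FIN/ACK) probe flags in raw TCP headers.

Assumption: the `established` set represents connections whose three-way handshake
was observed; a FIN/ACK on one of those is an ordinary teardown, not a probe."""
import struct
from typing import Dict, Optional, Set, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {TCP_FIN: "FIN", TCP_SYN: "SYN", TCP_RST: "RST", TCP_PSH: "PSH", TCP_ACK: "ACK"}

# Flag combinations of the three probe types discussed in the answer above
PROBE_SIGNATURES: Dict[int, str] = {
    TCP_SYN: "SYN probe flags (same flags as any normal connection start; rate and "
             "port spread, not the flags alone, separate a scan from real traffic)",
    TCP_FIN: "FIN probe (teardown handshake, step 1)",
    TCP_FIN | TCP_ACK: "Maimon FIN/ACK probe (teardown handshake, step 2)",
}

HEADER_FMT = "!HHIIHHHH"   # fixed 20-byte TCP header, no options


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed test input: minimal TCP header (data offset 5, checksum left as 0)."""
    offset_and_flags = (5 << 12) | flags
    return struct.pack(HEADER_FMT, sport, dport, seq, ack, offset_and_flags, 1024, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed part of a TCP header (the bytes a sniffer shows after the IP header)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(HEADER_FMT, raw[:20])
    flags = off_flags & 0x1FF          # low 9 bits carry the flags (incl. NS)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "data_offset": (off_flags >> 12) * 4,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
    }


def classify_probe(raw: bytes, established: Set[Tuple[int, int]]) -> Optional[str]:
    """Name the probe type of a packet, or None if it looks like ordinary traffic."""
    hdr = parse_tcp_header(raw)
    probe = PROBE_SIGNATURES.get(hdr["flags"])
    if probe is None:
        return None
    # A FIN/ACK closing a connection we watched being set up is a normal teardown;
    # the same packet with no prior handshake on that port pair is the Maimon tell.
    if hdr["flags"] == TCP_FIN | TCP_ACK and (hdr["sport"], hdr["dport"]) in established:
        return None
    return probe


if __name__ == "__main__":
    probe = build_tcp_header(40000, 80, TCP_FIN | TCP_ACK)
    print(parse_tcp_header(probe)["flag_names"], "->", classify_probe(probe, set()))
    print("same packet on an established connection ->", classify_probe(probe, {(40000, 80)}))
```

The connection-table check is what keeps this from flagging every normal FIN/ACK: on a real capture you would populate `established` from the SYN/SYN-ACK/ACK exchanges seen earlier in the trace before classifying teardown-looking segments.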