CyEdu.Technology

Cyber Security Education Knowledgebase

Nmap

Nmap (Network Mapper)

According to Wikipedia, is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich).[3] Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.[4]

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection,[5] vulnerability detection,[5] and other features. Nmap can adapt to network conditions including latency and congestion during a scan.

Nmap started as a Linux utility[6] and was ported to other systems including WindowsmacOS, and BSD.[7] It is most popular on Linux, followed by Windows.[8]

Nmap is …

  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detectionversion detection, ping sweeps, and more. See the documentation page.
  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as “nmap -v -A targethost“. Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
  • Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
  • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
  • Acclaimed: Nmap has won numerous awards, including “Information Security Product of the Year” by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Features

Nmap features include:

  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
  • Port scanning[9] â€“ Enumerating the open ports on target hosts.
  • Version detection – Interrogating network services on remote devices to determine application name and version number.[10]
  • TCP/IP stack fingerprinting â€“ Determining the operating system and hardware characteristics of network devices based on observations of network activity of said devices.
  • Scriptable interaction with the target – using Nmap Scripting Engine[11] (NSE) and Lua programming language.

Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.[12]

Typical uses of Nmap:

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.[13]
  • Identifying open ports on a target host in preparation for auditing.[14]
  • Network inventory, network mapping, maintenance and asset management.
  • Auditing the security of a network by identifying new servers.[15]
  • Generating traffic to hosts on a network, response analysis and response time measurement.[16]
  • Finding and exploiting vulnerabilities in a network.[17]
  • DNS queries and subdomain search

User interfaces

NmapFE, originally written by Kanchan, was Nmap’s official GUI for Nmap versions 2.2 to 4.22.[18] For Nmap 4.50 (originally in the 4.22SOC development series) NmapFE was replaced with Zenmap, a new official graphical user interface based on UMIT, developed by Adriano Monteiro Marques.

Web-based interfaces exists that allow either controlling Nmap or analysing Nmap results from a web browser, such as IVRE.[19]

  • Zenmap, showing results for a port scan against Wikipedia
  • NmapFE, showing results for a port scan against Wikipedia
  • XNmap, a Mac OS X GUI

Output

Nmap provides four possible output formats. All but the interactive output is saved to a file. Nmap output can be manipulated by text processing software, enabling the user to create customized reports.[20]Interactivepresented and updated real time when a user runs Nmap from the command line. Various options can be entered during the scan to facilitate monitoring.XMLa format that can be further processed by XML tools. It can be converted into a HTML report using XSLT.Grepableoutput that is tailored to line-oriented processing tools such as grepsed, or awk.Normalthe output as seen while running Nmap from the command line, but saved to a file.Script kiddiemeant to be an amusing way to format the interactive output replacing letters with their visually alike number representations. For example, Interesting ports becomes Int3rest1ng p0rtz. This is known as Leet.

History

Nmap was first published in September 1997, as an article in Phrack Magazine with source-code included.[21] With help and contributions of the computer security community, development continued. Enhancements included operating system fingerprinting, service fingerprinting,[10] code rewrites (C to C++), additional scan types, protocol support (e.g. IPv6SCTP[22]), and new programs that complement Nmap’s core features.

Major releases include:[18]

DateVersionSignificance
December 12, 1998; 22 years agoNmap 2.00Nmap 2.00 is released, including Operating System fingerprinting[23]
April 11, 1999; 22 years agoNmapFEGTK+ front end, is bundled with Nmap[23]
December 7, 2000; 20 years agoWindows port[18]
August 28, 2002; 19 years agoRewrite from C to C++[18]
September 16, 2003; 18 years agoThe first public release to include service version detection[18]
August 31, 2004; 17 years agoNmap 3.70Core scan engine rewritten for version 3.70. New engine is called ultra_scan[24]
Summer 2005Nmap selected for participation in Google Summer of Code.[25] Added features included Zenmap, Nmap Scripting Engine (NSE), Ncat, and 2nd-generation OS detection.
December 13, 2007; 13 years agoNmap 4.50Nmap 4.50, the 10th Anniversary Edition, was released. Included Zenmap, 2nd-generation OS detection, and the Nmap Scripting Engine[26]
March 30, 2009; 12 years agoNmap 4.85BETA5Emergency release of Nmap 4.85BETA5, leveraging NSE to detect Conficker infections[27]
July 16, 2009; 12 years agoNmap 5.00Included netcat-replacement Ncat and Ndiff scan comparison tool[28]
January 28, 2011; 10 years agoNmap 5.50Included Nping packet generation response analysis and response time measurement, including TCP, UDP and ICMP probe modes.[29][30]
May 21, 2012; 9 years agoNmap 6.00Released with full IPv6 support.[citation needed]
November 9, 2015; 5 years agoNmap 7.00 [31]
December 20, 2016; 4 years agoNmap 7.40
March 20, 2018; 3 years agoNmap 7.70 [32]
August 10, 2019; 2 years agoNmap 7.80 [33]
October 3, 2020; 12 months agoNmap 7.90 [34]The new fingerprints allow better operating system and service/version detection. 3 new NSE scripts, new protocol library and payloads for host discovery, port scanning and version detection. Npcap 1.0.0, the first fully stable version of the Windows raw packet capturing/sending driver.

Legal issues

Nmap is a tool that can be used to discover services running on Internet connected systems. Like any tool, it could potentially be used for black hat hacking,[35] as a precursor to attempts to gain unauthorized access to computer systems; however, Nmap is also used by security and systems administrators to assess their own networks for vulnerabilities (i.e. white hat hacking).

System administrators can use Nmap to search for unauthorized servers, or for computers that do not conform to security standards.[36]

In some jurisdictions, unauthorized port scanning is illegal.[37]

License

Nmap was originally distributed under the GNU Public License (GPL).[21] In later releases, Nmap’s authors added clarifications and specific interpretations to the license where they felt the GPL was unclear or lacking.[38] For instance, Nmap 3.50 specifically revoked the license of SCO Group to distribute Nmap software because of their views on the SCO-Linux controversies.[39]

In popular culture

In The Matrix ReloadedTrinity is seen using Nmap to access a power plant’s computer system,[40] allowing Neo to “physically” break into a building. The appearance of Nmap in the film was widely discussed on Internet forums and hailed as an unusually realistic example of hacking.[41]

Nmap and NmapFE were used in The Listening, a 2006 movie about a former NSA officer who defects and mounts a clandestine counter-listening station high in the Italian alps.

Nmap source code can be seen in the movie Battle Royale, as well as brief views of the command line version of Nmap executing in Live Free or Die Hard and Bourne Ultimatum.[40] In 2013, Nmap continued to make appearances in movies including popular sci-fi movie Elysium.

The film Dredd, a film adaptation of the famous Judge Dredd comics, was released in 2012 and also contains multiple Nmap scenes.[40] Nmap is used for network reconnaissance and exploitation of the slum tower network. It is even seen briefly in the movie’s trailer.

The command Nmap is widely used in the video game Hacknet, allowing to probe the network ports of a target system to hack it.

In Snowden, Nmap is used in the aptitude test scene about 14 minutes into the movie.

In academia

Nmap is an integral part of academic activities. It has been used for research involving the TCP/IP protocol suite and networking in general.[42] Besides being a research tool, Nmap has also become a research topic.[43]

Examples

$ nmap -A scanme.nmap.org
Starting Nmap 6.47 ( https://nmap.org ) at 2014-12-29 20:02 CET
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_  2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp   open  http       Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
9929/tcp open  nping-echo Nping echo
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|storage-misc|WAP
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (94%), Netgear RAIDiator 4.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.38 cpe:/o:linux:linux_kernel:3 cpe:/o:netgear:raidiator:4 cpe:/o:linux:linux_kernel:2.4
Aggressive OS guesses: Linux 2.6.38 (94%), Linux 3.0 (92%), Linux 2.6.32 - 3.0 (91%), Linux 2.6.18 (91%), Linux 2.6.39 (90%), Linux 2.6.32 - 2.6.39 (90%), Linux 2.6.38 - 3.0 (90%), Linux 2.6.38 - 2.6.39 (89%), Linux 2.6.35 (88%), Linux 2.6.37 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   14.21 ms  151.217.192.1
2   5.27 ms   ae10-0.mx240-iphh.shitty.network (94.45.224.129)
3   13.16 ms  hmb-s2-rou-1102.DE.eurorings.net (134.222.120.121)
4   6.83 ms   blnb-s1-rou-1041.DE.eurorings.net (134.222.229.78)
5   8.30 ms   blnb-s3-rou-1041.DE.eurorings.net (134.222.229.82)
6   9.42 ms   as6939.bcix.de (193.178.185.34)
7   24.56 ms  10ge10-6.core1.ams1.he.net (184.105.213.229)
8   30.60 ms  100ge9-1.core1.lon2.he.net (72.52.92.213)
9   93.54 ms  100ge1-1.core1.nyc4.he.net (72.52.92.166)
10  181.14 ms 10ge9-6.core1.sjc2.he.net (184.105.213.173)
11  169.54 ms 10ge3-2.core3.fmt2.he.net (184.105.222.13)
12  164.58 ms router4-fmt.linode.com (64.71.132.138)
13  164.32 ms scanme.nmap.org (74.207.244.221)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.98 seconds

See also

References

  1. ^ “Nmap Change Log”nmap.org. 2021-09-16. Retrieved 2021-09-16.
  2. ^ “Nmap license”. Retrieved 2019-01-21.
  3. ^ “Matrix mixes life and hacking”BBC News. 2003-05-19. Retrieved 2018-10-28.
  4. ^ Joshi, Sagar (2021-02-25). “What is Nmap And Why You Should Use It?”The Hack Report. Retrieved 2021-03-01.
  5. Jump up to:a b “Nmap Scripting Engine: Introduction”Nmap.org. Retrieved 2018-10-28.
  6. ^ “The History and Future of Nmap”Nmap.org. Retrieved 2018-10-28.
  7. ^ “Other Platforms”Nmap.org. Retrieved 2018-10-28.
  8. ^ “Nmap Installation for Windows”Nmap.org. Retrieved 2018-10-28.
  9. ^ “Online nmap port scanner”nmap.online. Retrieved 2019-06-30.
  10. Jump up to:a b “Service and Application Version Detection”Nmap.org. Retrieved 2018-10-28.
  11. ^ “Nmap Scripting Engine”Nmap.org. Retrieved 2018-10-28.
  12. ^ “Nmap Reference Guide”Nmap.org. Retrieved 2018-10-28.
  13. ^ Nmap Overview and Demonstration.
  14. ^ When Good Scanners Go Bad, From [1] Archived 2000-06-14 at the Wayback MachineComputerWorld 22 March 1999
  15. ^ “nmap-audit – Network auditing with Nmap”heavyk.org. Archived from the original on 2009-04-01. Retrieved 2018-10-28.
  16. ^ “Nping – Network packet generation tool / ping utility”Nmap.org. Retrieved 2018-10-28.
  17. ^ Leyden, John (2014-08-15). “Revealed … GCHQ’s incredible hacking tool to sweep net for vulnerabilities: Nmap”TheRegister.co.uk. Retrieved 2018-10-28.
  18. Jump up to:a b c d e “Nmap Changelog”. Nmap.org. Retrieved 2018-10-29.
  19. ^ “IVRE homepage”. Retrieved 2018-10-28.
  20. ^ “Nmap Reference Guide: Output”Nmap.org. Retrieved 2018-10-29.
  21. Jump up to:a b “The Art of Port Scanning”Phrack Magazine. Vol. 7 no. 51. 1997-09-01. Retrieved 2018-10-29.
  22. ^ “SCTP Support for Nmap”Roe.ch. 2011-05-10. Retrieved 2018-10-29.
  23. Jump up to:a b “The History and Future of Nmap”. Nmap.org. Retrieved 2018-10-29.
  24. ^ “Nmap 3.70 Released—Core Scan Engine Rewrite!”. Seclists.org. 2004-08-31. Retrieved 2018-10-29.
  25. ^ “Google sponsors Nmap summer student developers”. Seclists.org. 2005-06-02. Retrieved 2018-10-29.
  26. ^ “Nmap 4.50 Press Release”. Insecure.org. 2007-12-13. Retrieved 2018-10-29.
  27. ^ “Nmap 4.85BETA5: Now with Conficker detection!”. Seclists.org. 2009-03-30. Retrieved 2018-10-29.
  28. ^ “Nmap 5.00 Released”. Nmap.org. 2009-07-16. Retrieved 2018-10-29.
  29. ^ “Nmap/Nping/Docs/Nping.1 at master · nmap/Nmap”.
  30. ^ “Nmap 5.50: Now with Gopher protocol support!”. Seclists.org. 2011-01-28. Retrieved 2018-10-29.
  31. ^ “Nmap 7 Released”. Nmap.org. 2015-11-19. Retrieved 2018-10-29.
  32. ^ “Nmap 7.70”. Nmap.org. 2018-03-20. Retrieved 2018-10-29.
  33. ^ “Nmap 7.80”. Nmap.org. 2019-08-10. Retrieved 2019-08-10.
  34. ^ “Nmap 7.90”. Nmap.org. 2019-10-03. Retrieved 2020-10-03.
  35. ^ Poulsen, Kevin (2004-11-24). “Hacking tool reportedly draws FBI subpoenas”. SecurityFocus.com. Retrieved 2018-10-29.
  36. ^ “How To Conduct A Security Audit” (PDF). PC Network Advisor. No. 120. July 2000. Retrieved 2018-10-29.
  37. ^ “First ruling by the Supreme Court of Finland on attempted break-in”Osborne Clarke. 2003. Archived from the original on 2005-05-05. Retrieved 2018-10-29.
  38. ^ “Important Nmap License Terms”. Nmap.org. Retrieved 2018-10-29.
  39. ^ “Nmap 3.50 Press Release”. 2004-02-20. Retrieved 2018-10-29.
  40. Jump up to:a b c “Nmap In The Movies”. Retrieved 2018-10-29.
  41. ^ Poulsen, Kevin (2003-05-16). “Matrix Sequel Has Hacker Cred”The Register. Retrieved 2018-10-29.
  42. ^ Haines, J.; Ryder, D.K.; Tinnel, L.; Taylor, S. (2003-02-19). “Validation of sensor alert correlators”. IEEE Security & Privacy99(1): 46–56. doi:10.1109/MSECP.2003.1176995.
  43. ^ Medeiros, João Paulo S.; Brito Jr., Agostinho M.; Pires, Paulo S. Motta (2009). Computational Intelligence in Security for Information Systems. Advances in Intelligent and Soft Computing. 63. pp. 1–8. doi:10.1007/978-3-642-04091-7_1ISBN 978-3-642-04090-0.

Bibliography

External links