NMAP - The Network Scanner

NMAP by Rohit Parab @ null Mumbai Meet, May, 2011


  1. Nmap: The Network Scanner
     http://null.co.in/
     http://nullcon.net/
  2. Module 1: Getting Started
  3. What is Nmap?
     - Nmap = Network Mapper
     - Written by Fyodor
     - http://insecure.org
     - Free!
     - Open source, constant development
  4. Know your protocols
     - IP – Internet Protocol
     - TCP – Transmission Control Protocol
     - UDP – User Datagram Protocol
     - ICMP – Internet Control Message Protocol
  5. Anatomy of a scan
     - Step 1: DNS lookup (unless you use an IP address)
     - Step 2: Nmap "pings" the remote device (this is not an ICMP echo request)
     - Step 3: Reverse DNS lookup
     - Step 4: Do the scan!
     - Step 5: Analyze the scan results
  6. Module 2: Basic Scans
  7.
     - TCP SYN scan (-sS)
     - TCP connect() scan (-sT)
     - Ping scan (-sP)
     - UDP scan (-sU)
  8. Module 3: Useful scanning options
     - Excluding and including targets
       - Excluding from the command line or a file
       - Using a file to list your targets
     - Port number options
       - Limit your scans
       - Focus your efforts
  9. Excluding Targets
     - --exclude <host1,host2,...>
       - Command line only
       - Must be specified each time
     - --excludefile <exclude_filename>
       - One option excludes many hosts
       - Keep your list handy!
  10. Including Targets
     - -iL <inputfilename>
     - Addresses can be separated by tabs, spaces, or newlines
  11. Specifying port numbers
     - -p <port range>
     - -p 23,34,43,123-144
  12. Module 4: Ping options
     - What's "ping"?
     - Default pings
     - ARP ping
     - ICMP and TCP ACK ping
     - TCP SYN ping
     - UDP ping
     - Don't ping before scanning
  13. What's "ping"?
     - An Nmap ping confirms the existence of the target system
     - An Nmap ping does not (necessarily) refer to an ICMP echo request
     - We can disable this ping requirement with -P0 (zero)
  14.
     - Nmap uses ARP for the ping process on the local subnet
     - For a remote IP subnet, Nmap uses:
       - an ICMP echo request, and
       - a TCP ACK to port 80
  15. Module 5: Network Recon
     - Operating system fingerprinting (-O)
     - Systems with firewalls & filters
     - One port open, one port closed
     - Version detection (-sV)
  16. Module 6: Ninja Scanning
     - FIN scan (-sF), Xmas tree scan (-sX), Null scan (-sN)
     - Often called "stealth" scans
     - One frame transmitted, one frame received
     - These stealth scans never appear in application logs
     - Microsoft Windows doesn't respond to these stealth scans
  17.
     - ACK scan (-sA)
     - Reports filtered or unfiltered (not open!)
  18. Nmap Timing Options
     - -T0 / Paranoid
     - -T1 / Sneaky
     - -T2 / Polite
     - -T3 / Normal
     - -T4 / Aggressive
     - -T5 / Insane
  19. Random Hosts and Targets
     - Randomize hosts (-rH)
       - Rearranges the order of hosts in an Nmap scan
       - Makes it difficult to see a pattern
     - Completely random target addresses (-iR <num_host>)
       - Useful for finding specific services
       - nmap -sS -PS80 -iR 0 -p 80
  20. Thank you
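Module 6 notes that FIN, Xmas and Null probes never reach application logs, so a defender has to recognise them from TCP flag patterns on the wire. The classifier below is an added example written for this page, not code from the talk or from the Nmap project; it maps the flag byte of unsolicited inbound segments to the scan types named in Modules 2 and 6 and flags any source that probes many distinct ports with one shape. Packet records are constructed tuples (src, dst_port, flags), standing in for what a sensor or firewall log would supply.

```python
from collections import defaultdict

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Map the flag byte of an unsolicited inbound segment to an Nmap scan type."""
    if flags == 0:
        return "null"   # -sN: no flags at all
    if flags == FIN | PSH | URG:
        return "xmas"   # -sX: FIN, PSH and URG lit up like a Christmas tree
    if flags == FIN:
        return "fin"    # -sF: lone FIN, no preceding handshake
    if flags == SYN:
        return "syn"    # -sS half-open scan, or the first step of a -sT connect()
    if flags == ACK:
        return "ack"    # -sA: maps filtering, never reports "open"
    return None         # SYN+ACK, RST, data segments: not a probe shape we track


def detect_scans(packets, port_threshold=10):
    """Return {(src, scan_type): distinct_ports} for sources probing many ports."""
    touched = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            touched[(src, kind)].add(dport)
    return {k: len(p) for k, p in touched.items() if len(p) >= port_threshold}


# Constructed sample traffic (not captured data): one Xmas sweep over 20 ports,
# one Null sweep over 15 ports, and an ordinary SYN/ACK exchange with port 443.
SAMPLE_PACKETS = (
    [("10.0.0.5", p, FIN | PSH | URG) for p in range(1, 21)]
    + [("10.0.0.7", p, 0) for p in range(20, 35)]
    + [("10.0.0.9", 443, SYN), ("10.0.0.9", 443, ACK)]
)

if __name__ == "__main__":
    for (src, kind), count in sorted(detect_scans(SAMPLE_PACKETS).items()):
        print(f"{src}: {kind} scan across {count} ports")
```

Because a SYN-only segment is also the opening of a legitimate connect(), the per-source port count is what separates a -sS or -sT sweep from normal client traffic; tune port_threshold to the sensor's vantage point.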
