1. M. S. RAMAIAH INSTITUTE OF TECHNOLOGY
(AUTONOMOUS INSTITUTE, AFFILIATED TO VTU)
A Presentation Report on
“NMAP”
Submitted in partial fulfillment of 5th Semester B.E in Information Science and Engineering
for the subject Data Communication [IS511]
Submitted by
Deekshapoornashri (1MS13IS141)
Greeshma R J (1MS13IS142)
Shakunthala B V (1MS14IS412)
Shanta (1MS14IS413)
2. M. S. RAMAIAH INSTITUTE OF TECHNOLOGY
DEPARTMENT OF INFORMATION SCIENCE AND
ENGINEERING
BANGALORE – 560 054
C E R T I F I C A T E
This is to certify that the “Presentation on NMAP” has been
successfully completed by:
Deekshapoornashri 1MS13IS141
Greeshma R J 1MS13IS142
Shakunthala B V 1MS14IS412
Shanta 1MS14IS413
in partial fulfillment of 5th Semester B.E (Information Science & Engg)
for the subject “DATA COMMUNICATION (IS511)” during the period 2015 - 2016,
as prescribed by the Department of Information Science & Engineering, MSRIT.
Signature of Staff Incharge
Mr. Suresh Kumar
Asst. Professor,
Dept. of ISE, MSRIT
3. ACKNOWLEDGEMENTS
Any achievement, be it scholastic or otherwise, does not depend solely on individual effort but on the guidance, encouragement and cooperation of intellectuals, elders and friends. A number of people, in their own capacities, have helped us in carrying out this project work. We would like to take this opportunity to thank them all.
We deeply express our sincere gratitude to our guide, Prof. Suresh Kumar, Assistant Professor, Department of ISE, M.S.R.I.T, Bengaluru, for his able guidance and regular encouragement and assistance throughout this project.
We would like to thank Dr. VIJAYKUMAR B P, Head of Department, Information Science & Engineering, M.S.R.I.T, Bengaluru, for his valuable suggestions and expert advice.
Most importantly, we would like to thank Dr. N.V.R NAIDU, Principal, M.S.R.I.T, Bengaluru, for his moral support towards completing our project work.
We thank our parents and all the faculty members of the Department of Information Science & Engineering for their constant support and encouragement.
Last, but not least, we would like to thank our peers and friends who provided us with valuable suggestions to improve our project.
4. CONTENTS:
Nmap
Features
Perform an experiment for port scanning with Nmap
How to use Nmap
Output screenshots
5. NMAP
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known
by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer
network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially
crafted packets to the target host and then analyzes the responses.
The software provides a number of features for probing computer networks, including host
discovery and service and operating system detection. These features are extensible by scripts
that provide more advanced service detection, vulnerability detection, and other features. Nmap
is also capable of adapting to network conditions including latency and congestion during a scan.
Nmap is under development and refinement by its user community.
Nmap was originally a Linux-only utility, but it was ported to Windows, Solaris, HP-UX, BSD
variants (including OS X), AmigaOS, and IRIX. Linux is the most popular platform, followed
closely by Windows.
6. FEATURES
Nmap features include:
Host discovery – Identifying hosts on a network. For example, listing the hosts that
respond to TCP and/or ICMP requests or have a particular port open.
Port scanning – Enumerating the open ports on target hosts.
Version detection – Interrogating network services on remote devices to determine
application name and version number.
OS detection – Determining the operating system and hardware characteristics of
network devices.
Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua
programming language.
Nmap can provide further information on targets, including reverse DNS names, device
types, and MAC addresses.
Typical uses of Nmap:
Auditing the security of a device or firewall by identifying the network connections
which can be made to, or through, it.
Identifying open ports on a target host in preparation for auditing.
Network inventory, network mapping, maintenance and asset management.
Auditing the security of a network by identifying new servers.
Generating traffic to hosts on a network.
Finding vulnerabilities in a network (and, with some NSE scripts, exploiting them).
7. PERFORM AN EXPERIMENT FOR PORT SCANNING WITH
NMAP
Port Scanning:
Port scanning is one of the most popular techniques attackers use to discover services they can
break into. Every machine connected to a LAN or to the Internet runs services that listen on
well-known and not-so-well-known ports. By port scanning, the attacker finds which ports are
available (i.e., are being listened on by a service). Essentially, a port scan consists of sending a
message to each port, one at a time. The kind of response received indicates whether the port is
in use and can therefore be probed further for weaknesses.
Port Numbers
Port numbers are unique only within a single host (and per transport protocol). Port numbers are
16-bit unsigned integers. They are divided into three ranges: the Well Known Ports (0..1023),
the Registered Ports (1024..49151), and the Dynamic and/or Private Ports (49152..65535).
Well-Known Ports
Unix-like operating systems traditionally permit only the super-user to bind ports numbered 0 to
1023 (Windows imposes no such restriction). These well-known ports (also called standard ports)
are assigned to services by the IANA (Internet Assigned Numbers Authority). On Unix, the text
file /etc/services (on Windows 2000 the file %windir%\system32\drivers\etc\services) lists these
service names and the ports they use. Here are a few lines extracted from this file:
echo        7/tcp    Echo
ftp-data   20/tcp    File Transfer [Default Data]
ftp        21/tcp    File Transfer [Control]
ssh        22/tcp    SSH Remote Login Protocol
telnet     23/tcp    Telnet
domain     53/udp    Domain Name Server
http       80/tcp    World Wide Web HTTP
Nmap:
Nmap ("Network Mapped") is a free and open source utility for network exploration or security
auditing.
The six port states recognized by Nmap
Open - An application is actively accepting TCP connections, UDP datagrams or SCTP
associations on this port. Finding these is often the primary goal of port scanning. Security-
minded people know that each open port is an avenue for attack. Attackers and pen-testers want
to exploit the open ports, while administrators try to close or protect them with firewalls without
thwarting legitimate users. Open ports are also interesting for non-security scans because
they show services available for use on the network.
Closed-A closed port is accessible (it receives and responds to Nmap probe packets), but there
is no application listening on it. They can be helpful in showing that a host is up on an IP address
(host discovery, or ping scanning), and as part of OS detection. Because closed ports are
reachable, it may be worth scanning later in case some open up. Administrators may want to
consider blocking such ports with a firewall. Then they would appear in the filtered state,
discussed next.
Filtered-Nmap cannot determine whether the port is open because packet filtering prevents its
probes from reaching the port. The filtering could be from a dedicated firewall device, router
rules, or host-based firewall software. These ports frustrate attackers because they provide so
little information. Sometimes they respond with ICMP error messages such as type 3 code 13
(destination unreachable: communication administratively prohibited), but filters that simply
drop probes without responding are far more common. This forces Nmap to retry several times
just in case the probe was dropped due to network congestion rather than filtering. This slows
down the scan dramatically.
Unfiltered-The unfiltered state means that a port is accessible, but Nmap is unable to
determine whether it is open or closed. Only the ACK scan, which is used to map firewall rule
sets, classifies ports into this state. Scanning unfiltered ports with other scan types such as
Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
open|filtered - Nmap places ports in this state when it is unable to determine whether a port is
open or filtered. This occurs for scan types in which open ports give no response. The lack of
response could also mean that a packet filter dropped the probe or any response it elicited. So
Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol,
FIN, NULL, and Xmas scans classify ports this way.
closed|filtered - This state is used when Nmap is unable to determine whether a port is closed
or filtered. It is only used for the IP ID idle scan.
9. Nmap Scan
-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be
performed quickly, scanning thousands of ports per second on a fast network not
hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it
never completes TCP connections. SYN scan works against any compliant TCP stack
rather than depending on idiosyncrasies of specific platforms as Nmap's
FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation
between the open, closed, and filtered states.
-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option, for
example when the user lacks the raw-packet privileges SYN scan requires.
-sU (UDP scans)
While most popular services on the Internet run over the TCP protocol, UDP services are widely
deployed. DNS, SNMP, and DHCP (ports 53, 161/162, and 67/68) are three of the
most common. Because UDP scanning is generally slower and more difficult than TCP, some
security auditors ignore these ports.
-sY (SCTP INIT scan)
SCTP is a relatively new alternative to the TCP and UDP protocols, combining most
characteristics of TCP and UDP, and also adding new features like multi-homing and
multi-streaming. It is mostly used for SS7/SIGTRAN related services but has the
potential to be used for other applications as well.
-sA (TCP ACK scan)
This scan is different from the others discussed so far in that it never determines open (or even
open|filtered) ports. It is used to map out firewall rule sets, determining whether they are stateful
or not and which ports are filtered.
10. USING NMAP: 1) FIND OPEN PORTS ON A SYSTEM 2) FIND THE MACHINES WHICH ARE ACTIVE
3) FIND THE VERSION OF THE REMOTE OS ON OTHER SYSTEMS 4) FIND THE VERSION OF
SOFTWARE INSTALLED ON OTHER SYSTEMS
1. Download Nmap from www.nmap.org and install the Nmap software together with the WinPcap
driver.
2. Launch the Zenmap GUI that ships with Nmap from the Program Menu or the desktop icon.
3. Type the target machine's IP address (i.e., the guest OS or any website address).
4. Run the scan profiles offered by the utility (for example Ping scan, Quick scan, Intense scan).
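The four tasks in this slide map onto plain Nmap command lines: `nmap -sn 192.168.1.0/24` for the active machines (host discovery only), `nmap -sS -p- 192.168.1.88` for open ports, `nmap -O 192.168.1.88` for the OS guess and `nmap -sV 192.168.1.88` for service software versions (-sS and -O need root/Administrator). Adding `-oX scan.xml` makes Nmap write the results as XML, which is what one normally feeds into other tooling rather than the screenshots. The block below is an added example, not Nmap's code: it parses a constructed document in the shape of Nmap's -oX output (the addresses, services and versions in SAMPLE_XML are invented for the demonstration) and answers the four questions from it.

```python
import xml.etree.ElementTree as ET

# Added example (not Nmap code). SAMPLE_XML is constructed to mirror the
# element layout of Nmap's -oX output; every value in it is invented.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.1.0/24" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.88" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
    </ports>
    <os>
      <osmatch name="Linux 3.2 - 4.9" accuracy="90"/>
      <osmatch name="Linux 3.10 - 4.11" accuracy="96"/>
    </os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.89" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Turn an -oX document into a list of host dicts."""
    hosts = []
    for h in ET.fromstring(text).findall("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")            # absent when -sV was not run
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "reason": p.find("state").get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        matches = [(m.get("name"), int(m.get("accuracy"))) for m in h.findall("os/osmatch")]
        hosts.append({
            "ip": addrs.get("ipv4"),
            "mac": addrs.get("mac"),
            "status": h.find("status").get("state"),
            "ports": ports,
            "os_matches": matches,
        })
    return hosts


def active_hosts(hosts):
    """Task 2: hosts that answered the host-discovery probes."""
    return [h["ip"] for h in hosts if h["status"] == "up"]


def _host(hosts, ip):
    return next(h for h in hosts if h["ip"] == ip)


def open_ports(hosts, ip):
    """Task 1: open ports on one host, sorted."""
    return sorted(p["port"] for p in _host(hosts, ip)["ports"] if p["state"] == "open")


def software_versions(hosts, ip):
    """Task 4: {port: 'product version'} for services -sV could identify."""
    out = {}
    for p in _host(hosts, ip)["ports"]:
        if p["state"] == "open" and p["product"]:
            out[p["port"]] = " ".join(x for x in (p["product"], p["version"]) if x)
    return out


def os_guess(hosts, ip):
    """Task 3: the highest-accuracy <osmatch> from -O, or None if there was none."""
    matches = _host(hosts, ip)["os_matches"]
    return max(matches, key=lambda m: m[1]) if matches else None


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for ip in active_hosts(hosts):
        print(ip, "open:", open_ports(hosts, ip), "versions:", software_versions(hosts, ip),
              "os:", os_guess(hosts, ip))
```

Note the `reason` attribute: it records why Nmap assigned the state (syn-ack, reset, no-response), which is the same evidence the port-state definitions above are built on and is worth keeping when the scan feeds a report.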
11. (Output screenshot)
12. (Output screenshot)
13. PERFORM AN EXPERIMENT ON ACTIVE AND PASSIVE
FINGERPRINTING USING NMAP.
Fingerprinting OS:
Fingerprinting is a process in the scanning phase in which an attacker tries to identify the
Operating System (OS) of the target system. Fingerprinting can be classified into two types:
Active Stack Fingerprinting
Passive Stack Fingerprinting
Active Stack Fingerprinting
It involves sending data to the target system and then seeing how it responds. Because each
TCP/IP stack responds slightly differently, the response is compared with a database of known
fingerprints and the OS is identified. It is the commonly used method, though there is a high
chance of being detected, since the probes reach the target. It can be performed in the following
way.
Using Nmap: Nmap is a port scanning tool that can be used for active stack OS
fingerprinting (the -O option requires raw-packet privileges, i.e. root or Administrator).
Syntax: nmap -O <ip address>
Example: nmap -O 192.168.1.88
Passive Stack Fingerprinting
It involves examining traffic already on the network to determine the operating system. There is
no guarantee that the fingerprint will be accurate, but it usually is. It generally means sniffing
traffic rather than making actual contact, so this method is stealthier and usually goes
undetected. Passive stack fingerprinting can be performed in the following ways.
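Passive fingerprinting works because different TCP/IP stacks choose different defaults for the IP TTL, the DF bit, the initial TCP window size and the order of TCP options in a SYN, all of which can be read off a sniffed packet without sending anything. The block below is an added example in the p0f style, written for this page and not code from Nmap or from any fingerprinting tool. SIGNATURES is an illustrative assumption (a few widely observed defaults), not a real fingerprint database; build_syn() fabricates sample SYN packets so the example runs without a live capture, and the hop-count assumption behind initial_ttl() (TTLs start at 32, 64, 128 or 255 and drop by one per router) is the usual heuristic, not a guarantee.

```python
import struct

# Added example (not Nmap/p0f code). SIGNATURES is an illustrative assumption,
# not a real fingerprint database: initial TTL, SYN window, DF bit, option order.
SIGNATURES = [
    {"os": "Linux",      "ttl": 64,  "window": 29200, "df": True,
     "options": ("MSS", "SACK", "TS", "NOP", "WS")},
    {"os": "Windows 7",  "ttl": 128, "window": 8192,  "df": True,
     "options": ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")},
    {"os": "Windows 10", "ttl": 128, "window": 64240, "df": True,
     "options": ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")},
]

OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}
OPTION_BYTES = {"NOP": b"\x01", "MSS": b"\x02\x04\x05\xb4", "WS": b"\x03\x03\x07",
                "SACK": b"\x04\x02", "TS": b"\x08\x0a" + bytes(8)}


def parse_syn(packet):
    """Pull the fingerprint-relevant fields out of a raw IPv4 + TCP packet."""
    ver_ihl, _tos, _length, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if (ver_ihl >> 4) != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    options, opts, i = [], tcp[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL: only padding follows
            break
        if kind == 1:                       # NOP carries no length byte
            options.append("NOP")
            i += 1
            continue
        options.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += opts[i + 1]                    # skip by the option's own length
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "window": window,
            "is_syn": bool(flags & 0x02) and not (flags & 0x10),
            "options": tuple(options)}


def initial_ttl(observed):
    """Round the on-the-wire TTL up to the usual starting value; each router
    on the path decremented it once (heuristic, assumed here)."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def fingerprint(packet):
    """Return the matching OS name, 'unknown', or None when the packet is not a SYN."""
    f = parse_syn(packet)
    if not f["is_syn"]:
        return None
    guess = initial_ttl(f["ttl"])
    for sig in SIGNATURES:
        if (sig["ttl"], sig["window"], sig["df"], sig["options"]) == \
           (guess, f["window"], f["df"], f["options"]):
            return sig["os"]
    return "unknown"


def build_syn(ttl, window, df, options, src="192.168.1.10", dst="192.168.1.1"):
    """Fabricate an IPv4/TCP SYN with the given stack traits (constructed test
    input only; checksums are left at zero)."""
    opt_bytes = b"".join(OPTION_BYTES[o] for o in options)
    opt_bytes += bytes(-len(opt_bytes) % 4)            # pad with EOL to a 4-byte boundary
    data_off = 5 + len(opt_bytes) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_off << 12) | 0x02, window, 0, 0) + opt_bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


if __name__ == "__main__":
    # Constructed "captures": each SYN has crossed some hops, so the TTL sits below its start value.
    samples = {
        "linux_host": build_syn(54, 29200, True, ("MSS", "SACK", "TS", "NOP", "WS")),
        "win7_host":  build_syn(117, 8192, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
        "odd_host":   build_syn(60, 65535, False, ("MSS",)),
    }
    for name, pkt in samples.items():
        print(name, "->", fingerprint(pkt))
```

In a real deployment the packets would come from a sniffer (libpcap, or Python's raw sockets with root) and the table from a maintained database such as p0f's; the matching logic stays the same. The active approach (`nmap -O`) sends its own crafted probes and therefore yields richer evidence, at the cost of being visible to the target.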