Advanced Uses For Nmap

Following on from the first part in this series, it is time to look at some of the more advanced features of nmap. Starting with the basic port scan, it is possible to get more information about the scan by adding the -vv flag:

nmap -vv 192.168.1.101

The output will look something like this:

(screenshot: output of nmap -vv)

In the first part, we looked at how to scan a range of addresses. There is one more way to specify the targets, CIDR notation, where the address is followed by the number of bits in the subnet mask:

nmap 192.168.1.1/24

The above command will scan every address from 192.168.1.0 to 192.168.1.255, that is all 256 addresses of a network with a subnet mask of 255.255.255.0 (nmap includes the network and broadcast addresses). Shorter prefixes are possible (e.g. 255.255.0.0 is /16, which covers 65,536 addresses), but they make nmap scan a very large number of hosts and should normally be avoided.

To get nmap to produce a list of the hosts it would scan, without sending any probes to them (it only does a reverse-DNS lookup for each address), use the -sL flag:

nmap -sL 192.168.1.1/24

In this case, the output will be a list of addresses (one per line) starting at 192.168.1.0 and ending at 192.168.1.255.

If there are hosts on your network that object to being scanned (say servers with an intrusion detection system installed, or certain types of firewall appliance), you can tell nmap to skip particular addresses with the --exclude flag. It takes a comma-separated list, and each entry can itself be a range or a CIDR block. The following example will scan all the hosts from .0 to .255 except 192.168.1.4:

nmap 192.168.1.1/24 --exclude 192.168.1.4
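To make the target arithmetic concrete, here is an added Python example (not nmap code, and not from the original article) that expands nmap-style target specifications, including the /24 form above, counts how many addresses a prefix covers before you commit to scanning it, and applies an exclude list the way --exclude does. The function names, the last-octet range form 192.168.1.10-20 and the sample addresses are this example's own choices.

```python
import ipaddress


def expand_targets(spec):
    """Expand one nmap-style target specification into a list of IPv4 strings.

    Forms handled here (an assumption of this example, mirroring nmap syntax):
      - a single address            192.168.1.101
      - a CIDR block                192.168.1.1/24  (host bits ignored, as nmap does)
      - a range in the last octet   192.168.1.10-20
    Like nmap -sL, a CIDR block includes the network and broadcast addresses.
    """
    if "/" in spec:
        # strict=False lets 192.168.1.1/24 mean the block 192.168.1.0/24
        net = ipaddress.ip_network(spec, strict=False)
        # iterating a network yields every address, .0 and .255 included
        return [str(addr) for addr in net]
    if "-" in spec:
        prefix, last = spec.rsplit(".", 1)
        lo, hi = (int(x) for x in last.split("-"))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range in {spec!r}")
        return [f"{prefix}.{i}" for i in range(lo, hi + 1)]
    return [str(ipaddress.ip_address(spec))]


def address_count(spec):
    """How many addresses a spec covers, without materialising them.

    Cheap to call before a /16 or /8 to see what you are about to touch.
    """
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    return len(expand_targets(spec))


def build_target_list(specs, exclude=()):
    """Equivalent of `nmap -sL <specs> --exclude <exclude>`.

    Returns every address the specs cover, minus anything covered by an
    exclude entry (itself a host, range or CIDR block), in order, no duplicates.
    """
    excluded = set()
    for entry in exclude:
        excluded.update(expand_targets(entry))
    seen = set()
    targets = []
    for spec in specs:
        for addr in expand_targets(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            targets.append(addr)
    return targets


if __name__ == "__main__":
    # sample specs constructed for this example
    for spec in ("192.168.1.1/24", "192.168.1.1/16", "10.0.0.0/8"):
        print(f"{spec:>16}: {address_count(spec):>12,} addresses")
    targets = build_target_list(["192.168.1.1/24"], exclude=["192.168.1.4"])
    print(targets[0], "...", targets[-1], f"({len(targets)} targets, 192.168.1.4 skipped)")
```

Run it and compare the first and last entries with what `nmap -sL 192.168.1.1/24` prints; the counts for /16 and /8 are the reason the text advises against short prefixes.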

When looking for open ports, nmap can use several different scanning methods. Ordinary network connections use TCP, which defines which packets are sent and what reply to expect. To establish a connection, the client first sends a SYN packet to the host. If the port is open and the host is willing to accept connections, it replies with a SYN-ACK packet, and the client then sends an ACK to complete the three-way handshake. That established connection is what software like web browsers and email programs then uses. When invoked from a normal user account, nmap does exactly this for every port being scanned, asking the operating system for a full connection (the "connect scan", -sT). If the connection is established, the port is reported as open; if the host answers the SYN with a RST, the port is reported as closed.

But if nmap is invoked from a root account or using sudo, it defaults to a different type of scan known as half-open scanning, or the SYN scan. In this scenario, nmap builds the low-level TCP packets itself (rather than asking the operating system to open a connection on its behalf), and when it receives the SYN-ACK it sends a RST instead of the final ACK, so a full connection is never established. Because the host replied with a SYN-ACK, nmap knows the port is open and would accept a full connection; a RST means it is closed, and no reply at all (or an ICMP unreachable error) means a firewall is filtering it. The advantages of half-open scanning are that it is faster and that the server software listening on the port never sees an accepted connection, so it has nothing to log. Note that a firewall or intrusion detection system watching the wire still sees the SYN packets, so the "stealth" is relative to the application, not to the network.

You can ask for half-open scanning explicitly with the -sS flag. When combined with -vv, you can see nmap reporting its use of a “SYN Stealth Scan” to probe the host. Here is the full command:

sudo nmap -sS -vv 192.168.1.101

(screenshot: output of sudo nmap -sS -vv)

Also notice that nmap now reports the number of raw packets it sent and received in order to perform the half-open scan.
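As an added example, not from the original article and not nmap's own code, the following Python script performs the unprivileged connect scan described above against a listener on 127.0.0.1 and shows the side effect the text mentions: the listener's accept() receives, and here records, every completed handshake, even though the scanner closes the connection immediately. That record is exactly what a half-open scan never produces. The SYN scan itself cannot be reproduced with ordinary sockets, since it needs raw packet access, so only the connect-scan half is shown. The listener class, the use of an OS-chosen port, and the treatment of a timeout as "filtered" are this example's assumptions.

```python
import errno
import socket
import threading


class LoggingListener:
    """TCP listener on 127.0.0.1 that records every accepted connection.

    It stands in for the 'server software listening on the port': once the
    kernel finishes the three-way handshake the connection is queued for
    accept(), so the application sees (and can log) it even if the client
    hangs up straight away.
    """

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.1)           # lets the serve loop poll the stop flag
        self.port = self.sock.getsockname()[1]
        self.accepted = []                  # peers this "application" has logged
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _accept_one(self):
        try:
            conn, peer = self.sock.accept()
        except socket.timeout:
            return False
        self.accepted.append(peer)          # the log entry a SYN scan would never cause
        conn.close()
        return True

    def _serve(self):
        while not self._stop.is_set():
            self._accept_one()
        while self._accept_one():           # drain anything still queued after stop()
            pass
        self.sock.close()

    def stop(self):
        self._stop.set()
        self._thread.join()


def connect_scan(host, ports, timeout=1.0):
    """Unprivileged connect scan (what nmap -sT does): ask the OS for a full
    connection to each port and classify the outcome.

    Returns {port: "open" | "closed" | "filtered"}.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))     # SYN -> SYN-ACK -> ACK, or an errno
        if rc == 0:
            results[port] = "open"          # handshake completed; accept() will see it
        elif rc == errno.ECONNREFUSED:
            results[port] = "closed"        # the host answered our SYN with a RST
        else:
            results[port] = "filtered"      # nothing came back in time (assumption: dropped)
        s.close()                           # tear the connection down again
    return results


def free_port():
    """Find a port nothing is listening on, to give the scan a 'closed' target."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed port on localhost.

    Returns (scan results, list of peers the listener logged).
    """
    listener = LoggingListener()
    closed = free_port()
    results = connect_scan("127.0.0.1", [listener.port, closed])
    listener.stop()
    return results, list(listener.accepted)


if __name__ == "__main__":
    results, seen = demo()
    for port, state in sorted(results.items()):
        print(f"port {port}: {state}")
    print(f"listener logged {len(seen)} connection(s): {seen}")
```

The open port shows up in `listener.accepted` even though the scanner never sent a byte of application data; with `sudo nmap -sS` against a real service the corresponding entry would be absent from that service's log, although a packet capture on the host would still show the SYN.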

There is one more type of scan worth mentioning and that is the NULL scan and its friends, the FIN scan and the Xmas scan. The TCP standard (RFC 793) has a short section telling an implementation what to do if it receives a packet whose flags make no sense for the port's state. The practical result of this “loophole” is that a packet not containing the SYN, RST or ACK bits is answered with a RST if the port is closed and ignored entirely if the port is open. nmap uses this to its advantage by sending such oddly flagged packets and waiting to see whether there is a response. Not every TCP stack follows the standard here: Microsoft Windows, many Cisco devices and some other systems send a RST regardless, so against them every port looks closed.

The NULL scan, which is invoked using -sN doesn’t set any bits in the packet header. The FIN scan, -sF, sets the TCP FIN bit and the Xmas scan, -sX, sets the FIN, PSH, and URG flags. It is called the Xmas scan as the packet is now all lit up like a Christmas tree!

If the host replies with a RST packet, the port is closed. No reply means the port is either open or sits behind a firewall that silently dropped the probe, which nmap cannot tell apart, so it reports the port as open|filtered; an ICMP unreachable error in reply means filtered.
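The following is an added Python example, not from the original article and not nmap's source, that builds the three probes as raw 20-byte TCP headers with a correct checksum and applies the reply rule just described. It constructs packets but does not send them (sending would need a raw socket and root). The addresses, ports and the shape of the `classify_reply` argument are this example's own conventions; the ICMP unreachable codes it treats as "filtered" are the ones nmap documents for these scans.

```python
import socket
import struct

# TCP flag bits, low to high (RFC 793, plus the later ECN bits)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# What each scan puts in the flags byte of its probe (nmap -sN, -sF, -sX)
PROBES = {
    "null": 0,                   # no flags at all
    "fin":  FIN,
    "xmas": FIN | PSH | URG,     # "lit up like a Christmas tree"
}


def checksum(data):
    """RFC 1071 Internet checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_probe(src_ip, dst_ip, src_port, dst_port, flags, seq=0, window=1024):
    """Build a bare TCP header with the given flags and a valid checksum.

    Layout: src port, dst port, seq, ack, data offset/reserved, flags, window,
    checksum, urgent pointer. Data offset 5 means 20 bytes with no options.
    """
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      5 << 4, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_flags(segment):
    """The flags byte of a TCP segment sits at offset 13."""
    return segment[13]


def checksum_ok(src_ip, dst_ip, segment):
    """A segment with a valid checksum sums to zero when the checksum field is included."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


# ICMP type 3 (destination unreachable) codes nmap reports as "filtered"
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def classify_reply(reply):
    """Apply the RFC 793 loophole to whatever came back for a NULL/FIN/Xmas probe.

    reply is None (nothing arrived before the timeout), ("tcp", flags_byte)
    for a TCP segment, or ("icmp", type, code) for an ICMP error.
    """
    if reply is None:
        return "open|filtered"   # an RFC-compliant open port stays silent, but so does a dropping firewall
    if reply[0] == "tcp" and reply[1] & RST:
        return "closed"          # the closed port answered with a RST
    if reply[0] == "icmp" and reply[1] == 3 and reply[2] in FILTERED_ICMP_CODES:
        return "filtered"        # something on the path refused to forward the probe
    return "unknown"             # not a reply the RFC predicts for these probes


if __name__ == "__main__":
    src, dst = "192.168.1.50", "192.168.1.101"   # sample addresses for this example
    for name, flags in PROBES.items():
        seg = build_tcp_probe(src, dst, 40000, 80, flags)
        print(f"{name:>4} probe: flags=0x{tcp_flags(seg):02x} "
              f"len={len(seg)} checksum_ok={checksum_ok(src, dst, seg)}")
    for reply in (None, ("tcp", RST | ACK), ("icmp", 3, 13)):
        print(f"reply {reply!r:>18} -> {classify_reply(reply)}")
```

The Xmas probe's flags byte is 0x29 (URG 0x20, PSH 0x08, FIN 0x01), the FIN probe's is 0x01 and the NULL probe's is 0x00; a Windows host would answer all three with a RST, so `classify_reply` would say "closed" for every port, open or not.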

As we can see, nmap is a powerful tool and has been designed equally for stealth or overt scanning. As a last experiment, try the following command as a way to discover which hosts are alive on your local network without port-scanning them, but rather by just asking for their MAC addresses:

sudo nmap -sn -PR -vv 192.168.1.1/24

The -sn flag tells nmap to do host discovery only and skip the port scan, and the -PR flag makes it send an ARP request for each address, marking the host as alive if it gets a response. This only works for hosts on the same Ethernet segment, since ARP does not cross routers; on a local network nmap already uses ARP discovery by default when run as root, so -PR mainly makes that choice explicit.