NETWORK SCANNING NMAP Gordon “Fyodor” Lyon islet me elfe) Nmap.OrgNmap Network Scanning Official Nmap Project Guide to Network Discovery and Security Scanning Gordon “Fyodor” Lyon From port scanning basics for novices to the type of packet crafting used by advanced hackers, this book by Nmap's author and maintainer suits all levels of security and networking professionals. Rather than simply document what every Nmap option does, Nmap Network Scanning demonstrates how these features can be applied to solve real world tasks such as penetration testing, taking network inventory, detecting rogue wireless access points or open proxies, quashing network worm and virus outbreaks, and much more. Examples and diagrams show actual communication on the wire. This book is essential for anyone who needs to get the most out of Nmap, particularly security auditors and systems or network administrators.Nmap Network Scanning: Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon “Fyodor” Lyon 2 978-0-979958 7-1-7 ISBN-10: 0-9799587-1-7 Library of Congress Control Number (LCN): 2008940582 Library Of Congress Subject Headings: 1. Computer networks--Security measures 2. Computer security Published by Insecure.Com LLC. For information on bulk purchases, special sales, rights, book distributors, or translations, please contact us directly Insecure.Com LLC 370 Altair Way #113 Sunnyvale, CA 94086-6161 United States Email: sales @insecure.com; Phone: +1-650-989-4206; Fax: +1-650-989-4206 December 2008 -Release: August 2008 ‘Zero-Day Release: May 2008 Copyright © 2008 by Insecure.Com LLC. All rights reserved. Except where noted otherwise in this work, no part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner. Nmap is a registered trademark of Insecure.Com LLC. Other product and company names mentioned herein may be the trademarks of their respective owners. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out ofthe use of the information or programs contained hereinTable of Contents Preface ...... ai z xxi 1. Introduction .. xxi 2. Intended Audience and Organization - eeenee XXL 3. Conventions xxii 4, Other Resources ....... xxiii 5. Request for Comments... : ea see XIV 6. Acknowledgements r sevseeee XXIV 6.1. Technology Used to Create This Book * J a ey 7. TCPIP Reference .... : x aes eee, KYL 1, Getting Started with Nmap 1.1. Introduction 1.2, Nmap Overview and D 1.2.1, Avatar On 1.2.2, Saving the Human Race 1.2.3, MadHat in Wonderland 1.3. The Phases of an Nmap Scan 1.4, Legal Issues 1.4.1 Is Unauthorized Port Scanning a Crime? : 1.4.2. Can Port Scanning Crash the Target Computer/Networks? 1.4.3, Nmap Copyright 1.5. The History and Future of Nmap 2. Obtaining, Compiling, Installing, and Removing Nmap 2.1. Introduction 2.11. Testing Whether Nmap is Already Installed 2.12. Command-line and Graphical Interfaces 2.1.3. Downloading Nmap 2.14, Verifying the Integrity of Nmap Downloads 2.1.5. Obtaining Nmap from the Subversion (SVN) Repository 2.2. Unix Compilation and Installation from Source Code 3 2.1. Configure Directives 222. 1f You Encounter Compilation Problems 2.3. Linux Distributions .. ee yes 2.3.1. RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora) 2.3.2. Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum 2.3.3, Debian Linax and Derivatives such as Ubuntu 2.3.4. Other Linux Distributions 2.4. Windows eater 2.4.1. Windows 2000 Dependencies 2.4.2. Windows Self-installer 2.4.3. Command-line Zip Binaries Installing the Nmap zip binaries 2.4.4. Compile from Source Code 2.4.5. Executing Nmap on Windows .. 2.5. Sun Solaris, 2.6. Apple Mac OS X .. 2.6.1. Executable Installer = iii2.6.2. Compile from Source Code .. ‘Compile Nmap from source code Compile Zenmap from source code... 2.6.3. Third-party Packages ... 2.6.4. Executing Nmap on Mac OS X 2.1. FreeBSD / OpenBSD / NetBSD .. 211. OpenBSD Binary Packages and Source Ports Instructions 2.7.2, FreeBSD Binary Package and Source Ports Instructions... Installation of the binary package Installation using the source ports tree 2.7.3. NetBSD Binary Package Instructions .... 2.8. Amiga, HP-UX, IRIX, and Other Platforms 2.9. Removing Nmap 3. Host Discovery (Ping Scanning) . 3.1. Introduction 3.2. Specifying Target Hosts and Networks ... 3.2.1. Input From List (iL) .. 3.2.2. Choose Targets at Random (iR ) 3.2.3. Excluding Targets (~exclude, -excludefile ) 3.2.4, Practical Examples Finding an Organization's IP Addresses 3.1. DNS Tricks ..... 33.2, Whois Queries Against IP Registries... 3.3.3. Internet Routing Information . DNS Resolution ... Host Discovery Controls. 3.5.1. List Scan (-sL) 3.5.2. Ping Scan (-sP) 3.5.3. Disable Ping (-PN) . Host Discovery Techniques 3.6.1. TCP SYN Ping (-PS) .. 3.6.2. TCP ACK Ping (-PA) 3.6.3. UDP Ping (-PU) .. 3.6.4. ICMP Ping Types (-PE, -PP, and -PM) .. 3.6.5. IP Protocol Ping (-PO ‘Based on download frequency, number of Google hits, and Fres neat.Net software “popularity” ranking. 2 huptumap.org/movies himl fe 1. Introduction xxiStarting with the basies, this book gives an overview of Nmap by example in Chapter |. Then Chapter 2 covers obtaining, compiling and installing Nmap. Chapters 3 through 5 cover features in the order you might tuse them when conducting a penetration test. First comes host discovery (“ping scanning”), which determines the available hosts on a network. Next, port scanning is covered in depth. In Chapter 5, all the Nmap scanning techniques are detailed, with advice and examples. Scanning a large network can take a long time, so Chapter 6 is full of performance optimization advice. Chapter 7 details service and application version detection, in which Nmap queries ports to determine exactly what is running rather than simply guessing based on the Port number, Chapter 8 covers one of Nmap's most loved features: remote OS detection. Chapter 9 details ‘one of Nmap's newest features: the Nmap Scripting Engine. NSE allows users and developers to easily extend Nmap with new features by writing simple scripts to be efficiently executed against target machines, My favorite chapter is number 10: Detecting and Subverting Firewalls and Intrusion Detection Systems. For balance, that is followed by a chapter on defending against Nmap scans. Chapter 12 then fully documents the Zenmap multi-platform Nmap GUI and results viewer. The next two chapters cover output formats and data files. The final and longest chapter is the Nmap Reference Guide, a quick resource for looking up specific Nimap options. Scattered throughout the book are detailed instructions for performing common tasks such as scanning a network for a certain single open TCP port or detecting wireless access points by scanning from the wired side, First each problem is described, then an effective solution is provided. A final discussion section describes the solution in more depth and may provide alternative solutions and insights into similar problems. 3. Conventions Nmap output is used throughout this book to demonstrate principles and features. The output is often edited {0 cut out lines which are irrelevant to the point being made. The dates/times and version numbers printed by Nmap are generally removed as well, since some readers find them distracting. Sensitive information such as hostnames, IP addresses, and MAC addresses may be changed or removed. Other information may be cut or lines wrapped so that they fit on a printed page. i editing is done for the output of other applications. Example 1 gives a glimpse at Nmap's capabilities while also demonstrating output formatting xxii 3. Conventions =Example 1. A typical Nmap scan # nmap -A -T4 scanme.nmap.org Starting Nmap ( http://nmap.org ) Interesting ports on scanme.nmap.org (64.13.134.52): Not shown: 994 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh 25/tcp closed smtp OpenSSH 4.3 (protocol 2.0) 53/tcp open domain ISC BIND 9.3.4 70/tcp closed gopher 80/tep open http Apache httpd 2.2.2 ((Fedora)) |_ HTML title: Go ahead and ScanMe! /tcp closed auth Device type: general p pose Running: Linux 2.6.X 0S details: Linux 2. 6-20-1 (Fedora Core 5) TRACEROUTE (using port 80/tcp) HOP RIT ADDRESS [Cut first seven hops for brev 1 8 10.59 so-4-2-0.mpr3.paol.us.above.net (64.125.28.142) 9 11.00 metrod.sv.. svcolo.com (208.185.168.173) 10 9.93 scanme.nmap.org (64.13.134.52) Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds Special formatting is provided for certain tokens, such as filenames and application commands. Table 1 demonstrates the most common formattin Table 1. Formatting “onventions. style conventions ‘Token type Example literal sti T get much more excited by ports in the open state than those reported as closed or filtered. [Command-l ine options [One of the coolest, yet least understood Nmap options is --packet—trace Filenames Follow the option with the input filename such as IC: \net \dhep-Leases.txt or /home/h4x/hosts-to-pwn.1st. [Emphasis [Using Nmap from your work or school computer to attack banks and military targets is a bad idea ‘Application commands [Trinity scanned the Matrix with the command nmap -v -sS -O 10,2.2.2. Replaceable variables Let be the machine running Nmap and be microsoft .com. 4. Other Resources While this book is an important reference for Nmap, it isn't the only one. The Nmap web page at Iutp://nmap.org is not just for downloads. It also provides substantial documentation from Nmap developers 4. Other Resources xxiiiand third parties. For example, you can find the Nmap Reference Guide translated into a dozen languages there. Other books, videos, and articles covering Nmap are also available. ‘The official web site for this book is at hutp://nmap.org/bool/. Go there for errata, updates, and many sample chapters. Any serious Nmap user should subscribe to the nmap-hackers mailing list for announcements about Nmap and Insecure.Org. Traffic is very light (about six posts per year) because it is reserved for only the most important announcements. Developers and particularly devoted users can also subscribe to the nmap-dev mailing list. Traffic is much higher (hundreds of posts per month), but itis a great place to learn about and try new features before they are released and to pick up tips from advanced users. Subscription information and archives for both lists are available at http://seclists.org While Nmap can be useful, it won't solve all of your security problems. Every few years I do a survey of thousands of Nmap users to determine what other tools they like. The list is posted at http://sectools.org, which has become one of my most popular web sites. Read through the list and you are sure to find many ‘gems you had never even heard of. Most of the tools are free and open source. 5. Request for Comments While I tried my best to make this book comprehensive, accurate, and up-to-date, we all make mistakes. If you find any problems or just have suggestions for making this book better, please let me know by email at . The open source principle of many readers and contributors is just as viable for documentation as for software. As the next section attests, dozens of people have already generously contributed their time and skills to make this book a success. If you have a question or comment about Nmap (rather than this book itself), itis best sent to the Nmap development list as described at Section 15.17, “Bugs” [411]. 6. Acknowledgements When first floated the idea of writing an Nmap book to the nmap-hackers mailing list, I was inundated with Suggestions and offers to help. This outpouring of enthusiasm convinced me to proceed. My complete naivety about how much work was involved also contributed to my decision. It has been quite an undertaking, but what kept me going chapter by chapter was a private review group called the nmap-writers. They provided invaluable feedback, advice, and detailed review notes throughout the process. In particular, I would like to thank the following people: + David Fifield is listed first (everyone else is alphabetical) because he was a tremendous help during the book writing process. He solved a number of technical DocBook problems, created many of the final ustrations from my terrible drafts, dramatically improved the index, helped with proofreading, and even wrote Chapter 12, Zenmap GUI Users' Guide [307]. * Matt Baxter allowed the use of his beautiful TCP/IP header diagrams (in Section 7, “TCP/IP Reference” [xxvi]). Several other diagrams in this book were done in that style to match, * Saurabh Bhasin contributed detailed feedback on a regular basis. xxiv 5. Request for Comments es*+ Mark Brewis could always be counted on for good advice. *+ Ellen Colombo was a big help from the beginning. *+ Patrick Donnelly helped improve Chapter 9, Nmap Scripting Engine {205}. *+ Brandon Enright printed out the whole book and reviewed it chapter by chapter. * Brian Hatch has always been a big help, *+ Loren Heal was a continual source of ideas. + Dan Henage provided advice and proofread numerous chapters. * Tor Houghton reviewed every chapter, probably giving me more feedback than anyone else. * Doug Hoyte documented the many Nmap features he added, and also handled most of the book indexing. + Marius Huse Jacobsen reviewed many chapters, providing detailed feedback. * Kris Katterjohn performed thorough reviews of several chapters. * Eric Krosnes sent useful technical review feedback and also regularly nagged me about book progress. This was helpful since I didn’t have a traditional editor to do so. * Viad Alexa Mancini created the Nmap eye logo for the cover (and the Nmap web site), + Michael Naef kindly reviewed many chapters. * Bill Pollock of No Starch Press was always happy to provide advice and answer book publishing questions based on his decades of experience. * David Pybus was one of the most frequent contributors of ideas and proofreading, + Tyler Reguly helped by reviewing multiple chapters just when it was most needed. *+ Chuck Sterling provided both high level advice and detailed proofreading of several chapters. * Anders Thulin provided detailed reviews of many chapters. + Bennett Todd sent dozens of suggestions. + Diman Todorov wrote an initial draft of Chapter 9, Nmap Scripting Engine (205), * Catherine Tornabene read many chapters and sent extremely detailed feedback. 6.1. Technology Used to Create This Book Asan author of open source tools myself, I'm a big believer in their power and capability. So I made an effort to use them wherever possible in creating this book. I wasn't about to write it in Microsoft Word and then handle layout with Adobe FrameMaker! f 6. Acknowledgements xxvNmap Network Scanning was written with the GNU Emacs text editor in the DocBook XML format, The free online chapters are created from the XML using Norman Walsh's XSL Stylesheets and the xsltproc XSL processor. The print version also uses Norman's stylesheets and xsliproc, but the output is to the XSL-FO format’. An XSL-FO processor is then used to build a PDF. I would like to use Apache FOP* for this, but a footnote-related bug® prevents this, so I switched to the RenderX XEP Engine. XEP is proprietary, but at least it runs on Linux. I hope to switch back to FOP after the footnote bug is fixed. Cover layout was done with Scribus and (due to printing company format requirements) Adobe InDesign. Raster graphics for the cover and internal illustrations were created with The Gimp, while Inkscape was used for vector graphics. Subversion was used for revision control and the free web chapters are serviced by Apache httpd. 7. TCP/IP Reference with TCP/IP and networking concepts. You won't find a primer on the OSI seven-layer model or a rundown of the Berkeley Socket API within these pages. For a comprehensive guide to TCP/P, [recommend “The TCP/IP Guide” by Charles Kozierok or the old classic “TCP/IP Illustrated, Volume I” by W. Richard Stevens. While TCP/IP familiarity is expected, even the best of us occasionally forget byte offsets for packet header fields and flags. This section provides quick reference diagrams and field descriptions for the IPv4, TCP, UDP, and ICMP protocols. These beautiful diagrams from hutp:/vww:fatpipe.org/~mjb/Drawings are used by permission of author Matt Baxter. * hunp:/en.wikipediaorghviki/XSL_Formatiing Objects * haptanlgraphics.apacke. orton hps:fssnes. apache orgfougiillalshow_bug.cgiPid=37579 xxvi 7. TCP/IP Reference =Figure 1. [Pv4 header pe Nt eM 8 OF version | FCP Type of Series (TOS) Total Length eee ~ TIP Flags Aeuecet LT oe | Source Adcross IP Option (variable length, optional, not common) IL (ntemet Header Length) Bt 56718991234506789,123456789 51 fein sf oe ofend OT ASR ST OEY Version rt Protocol Fragment Ofset ( P rags Targrrcon tse FhonsD hoon Hapererentereatt Suovald Tedagan”* rotintes) tecmagrem: Masoued 8 focertsvonon cies ace bye Ewes tb) x on reaved(ov bn rears ony He Ue Stew Rivne TPaasyans 5 oan cenerrigmen HBG REET fommiod temortsce Moco now Pate (Header Longin) (Total Length) must be a follow mutiple of 8 bytes. Number of 82 Di words my ag ener econ —) a Terrase eared) (eas Casa) Serer ‘count ‘orIP fragment it fragmented. Checksum of enti IP rotocol IP) Spec aie igen ea Protea) Speciation & 7. TCP/IP ReferenceFigure 2. TCP header tear JO 2p 7 Destination Port a 4 1 a iL Ee) O12 S456 BGO 1234 NTE 2 aS 678 4 ‘Neto >F— yo —PF— worg —— Sv" "0 Noiiication ECN (Explicit Congestion Notification). See RFC ‘8168 for ful doa, vals TOP Options ‘0nd of Options List 1 No Operation (NOP, Pad) 2 Maximum segment size ‘Ofeet ‘Number of 32-bit words "TCP header, minimum value Of 5. Multiply by 4 to got Congestion 080 Reduced (WR) ‘Slates below. 3 Window Scale byte count E 0x40 ECN Echo (ECE) asain coo coum 4 Selective ACK ok U 0320 Urgent on oe tr 8 Timestamp ‘A Oxi0 Ack orig G8 3h P 0x08 Push Checksum Please refer lo AFC 793 for 0x04 Reset ecromion 01 00 the completo Transmission S 0x02 Syn een ns stat" ‘Checksum of entre TOP Control Protocol (TCP) F x01 Fin Crem 31 90 ‘segment and pseudo Specification. ome nepeme 14 98 header (parts of IP header) Figure 3. UDP header Byte ofise @piiaiii ts Source Port Destination Port 0123456789 fem +} pk Checksum FO 768, ‘Checksum of entire UDP segment and pseudo Please reter to RFC 768 for the complete User header (parts of IP header) Datagram Protocol (UDP) Specification xxviii 7. TCP/IP Reference s.