Wednesday, May 22, 2013

nMap: For Newbies

By Andrew Jones, VMTraining
GSEC, GCIH, CVE5, VMTraining Certified Trainer

Published in Hakin9 IT Security Magazine

As a former Network Warfare Instructor for the US Air Force, I get asked a lot of questions: among the most common is what did you teach, or can you not talk about it? The simple answer is I taught a subset of Air Force Doctrine known as Network Defense, or NetD for short. The premise of NetD is simple enough: the protection of information residing in, or transmitting through, network information systems (NIS). The big distinction here is that no differentiation is made between the standard TPC/IP computer networks, telephony (SS7 and cellular), radio, or even industrial control and utilities systems (ICS and SCADA). All networks are afforded equal protection, and for good reason: in today’s increasingly interconnected world, these systems are converging as well. The big problem is many systems, I’ll use SCADA as an example, were developed decades ago and there was no thought given to security, not because they didn’t care about security, but why worry about device signing, certificate checking, and data encryption on a closed network? What does that have to do with nmap? You ask. To be blunt, everything: Nmap was one of the basic tools we would start students on. It’s open source, so free, and reasonably easy to get using right away for basic network scans.

I say nmap is relatively easy to get using, but take that with a grain a salt. As you can see in the screen capture below, by running nmap –help, we are presented with a wealth of option flags for our use.

 Fig. 1: nmap has a wealth of option flags.

For the very new, here’s the run-down on how I’m currently set-up. It’s a little bit more complicated than I describe here, but these are the basics (for a complete run-down of everything, see the notes section at the end of the article). I’m running a Linux distribution called Backtrack 5 R3; Backtrack is a highly-customized Ubuntu Linux load with hundreds of tools preinstalled. These tools are designed for the professional network penetration tester (pentester) and the network security admin. However, as with all test and administration tools, they can be used for nefarious purposes. My target will be my other computer, running on the same internal-only network, and its running Windows 7 Home Edition.

Alrighty then, lets get down to the nitty-gritty, right? Not so fast. We have to start off with the question of what is nmap? Nmap is a powerful, command-line based, open-source packet sniffer and network-mapping tool. It can determine, among a great many other things, what services and their versions are running on particular ports at a particular IP address or range of IPs, as well as what operating system and version is running. Using this tool, you can begin mapping your network and possibly identifying rogue systems and/or services. Nmap, when determining running services doesn’t simply reply on the port number, it can actually run what’s called banner-grabbing to get the actual service and version number of the service.

So now what do we need? Go ahead and think about it, yell out the answer when you’ve got it, I’ll wait… Did you answer we need an IP address to scan? Is so, pat yourself on the back and go grab yourself a cookie. We need an IP to scan, and from looking at the top of the results from the –help option earlier, we know the nmap syntax. Let’s say the IP we’ve chosen is, this happens to be the current IP of my Windows laptop, we type it in: nmap and we get our results:

Fig. 2: Using nmap without any flags still provides some interesting results.

We see now, without using any option flags, the results are pretty basic. So let’s add some option flags. From the –help option, we know –s gives us the services running and –V gives the versions. We therefore run nmap –sV and we get more detailed results:

Fig. 3: Using this option, we can see a table of port numbers, services, and versions.

Some of the interesting things we see in these results are five open ports, all TCP ports: 135 is for Microsoft Remote Procedure Call1, 139 and 445 and being used by NetBIOS2, 2869 is running an HTTP services called Microsoft HTTPAPI3, and 50003 is TCPWrapped4.
  1. Used in programming to call sub-routines without the programmer needing to explicitly code the details of interaction.
  2. Network Basic Input/Output System. Used to allow applications on separate computers to share information and data over a computer’s local area network.
  3. Used to allow applications to communicate over HTTP without using Microsoft’s old IIS (Internet Information Server).
  4. TCP Wrapper is a client side software solution to provide firewall features. It monitors all incoming packets to the machine and if an external node attempts to connect, the software checks to see if the node is authorized based on various specified criteria.

All this information is a gold mine for security analysts and hackers alike. SAs use it to find the holes and unsecured systems on their networks quickly and easily. Hackers will use the information to match their exploits with potentially flawed service versions they find. Hacking, at it’s most basic, can be defined as using administrative tools in ways for which they were not originally designed.

While we’re on the topic, there are three types of hackers and they’re divided into different colored hats: black hats are out to steal information or extort you or your business, white hats are the pentesters, these are people hired by individuals or organizations to find and exploit weaknesses in networks before the black hats get there, the third hats are the grey hats, these often blur the line by balancing a day job on the legal side with a hobby on the nefarious side.

Now let’s get back to nmap. Now that I’ve identified the services and versions, and found there’s a published exploit for the service version, I need to know if the operating system is vulnerable to the exploit. Some exploits will only work on certain services and versions running on certain operating systems and versions. From the –help I ran earlier, I discovered the –O option to get the operating system information. By running nmap –O I get the following results:

Fig. 4: Using this information, we can determine if our system is vulnerable to an attack.

Something I will recommend doing though is running these scans on a regular basis, both from inside and outside your network (boundary firewall). If vulnerable services are found, I strongly recommend upgrading them to newer versions. If upgrading is not an option, say for legacy systems, a recommend a combination of internal firewalls and security VPNs. These will help prevent the vulnerable systems from being used as pivot points for hackers to attack the rest of your network. I’ve seen too many networks with very nice hard outer shells, but once inside, everything is open. I liken them to a watermelon: thick hard rind protecting the squishy innards, but get inside and it’s just that, soft and squishy. For this reason I endorse the layered security, or defense-in-depth, method of network security.

Fig. 5: Hard rind, squishy innards (Photo credit:

Fig. 6: In JRR Tolkien’s “Lord of the Rings,” he describes the city of Minas Tirith as having multiple concentric rings of defensive walls. This is layered security. As we discover in the screenplay adaption from New Line Productions though, the layers mean little when the attackers have an air force. (Photo credit: © 2003 New Line Productions, Inc. All Rights Reserved To Copyright Owner(s).)

This will conclude the beginner’s guide to nmap. Look for upcoming articles on using these results to perform some white hat hacking of your own using other tools built into Backtrack: Metasploit, TFTP, John the Ripper, and others.

Andrew Jones ( is a former US Air Force Network Warfare Defense instructor. He is now a trainer for VMTraining, specializing in cloud and virtualization technologies, as well as all types of network security.

My set-up is actually running Backtrack 5 R3 and Windows 7 in VMware Fusion VMs on an Apple MacBook Pro 13” with 16GB of RAM. They are running on a closed virtual network with connection to the MacBook host but without connection to an outside network.

Fig. 7: VM and network setup.

Nmap is capable of MUCH more than is described in this article. Keep playing with different options, listed in the MindMap below, to discover what else it can do.

Fig. 8 nmap’s veritable plethora of options (Map credit: