A Quick Port Scanning Tutorial
One of my goals in developing Nmap is to keep the most common usage simple, while retaining the flexibility for custom and advanced scans. This is accomplished with the command-line interface by offering dozens of options, but choosing sane defaults when they are not specified. A newbie can start out with a command as simple as nmap <target>. Meanwhile, advanced users sometimes specify so many options that their terminal line wraps around.
A similar balance must be struck with command output. The most important results should stick out even to the occasional user who hasn't even read the man page. Yet the output should be comprehensive and concise enough to suit professional penetration testers who run Nmap against thousands of machines daily. Users smart enough to read this book or the Nmap source code benefit from greater control of the scanner and insights into what Nmap output really means.
This tutorial demonstrates some common Nmap port scanning scenarios and explains the output. Rather than attempt to be comprehensive, the goal is simply to acquaint new users well enough to understand the rest of this chapter.
The simplest Nmap command is just nmap by itself. This prints a cheat sheet of common Nmap options and syntax. A more interesting command is nmap <target>, which does the following:
- Converts <target> from a hostname into an IPv4 address using DNS. If an IP address is specified instead of a hostname this lookup is skipped.
- Pings the host, by default with an ICMP echo request packet and a TCP ACK packet to port 80, to determine whether it is up and running. If not, Nmap reports that fact and exits. I could have specified -Pn to skip this test. See Chapter 3, Host Discovery (“Ping Scanning”).
- Converts the target IP address back to the name using a reverse-DNS query. Because of the way DNS works, the reverse name may not be the same as the <target> specified on the command-line. This query can be skipped with the -n option to improve speed and stealthiness.
- Launches a TCP port scan of the most popular 1,000 ports listed in nmap-services. A SYN stealth scan is usually used, but connect scan is substituted instead for non-root Unix users who lack the privileges necessary to send raw packets.
- Prints the results to standard output in normal human-readable format, and exits. Other output formats and locations (files) can be specified, as described in Chapter 13, Nmap Output Formats. Example 4.2 displays the results when scanme.nmap.org is used as <target>.
# nmap scanme.nmap.org

Starting Nmap ( http://nmap.org )
Nmap scan report for scanme.nmap.org (18.104.22.168)
Not shown: 994 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth

Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds
Example 4.2. Simple scan: nmap scanme.nmap.org
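To make the output of a default scan concrete, here is an added example (not code from the Nmap project or this book) that parses Nmap's normal output for one host and checks the accounting described above: the "Not shown" count plus the listed ports should add up to the 1,000 default ports, and the open ports can be pulled out for comparison against an expected exposure baseline. The sample text is the Example 4.2 output embedded inline; the regexes and the ScanReport structure are this example's own assumptions about the normal-output format.

```python
import re
from dataclasses import dataclass, field

# Sample input: the normal-format output from Example 4.2, embedded for offline use.
SAMPLE = """Starting Nmap ( http://nmap.org )
Nmap scan report for scanme.nmap.org (18.104.22.168)
Not shown: 994 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp closed smtp
53/tcp open domain
70/tcp closed gopher
80/tcp open http
113/tcp closed auth
Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds
"""

# Assumed line shapes of Nmap normal output (single-host case).
REPORT = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

@dataclass
class ScanReport:
    host: str = ""
    ip: str = ""
    not_shown: int = 0          # ports collapsed into the "Not shown" line
    not_shown_state: str = ""   # the state those collapsed ports share
    ports: list = field(default_factory=list)  # (port, proto, state, service)

    def total_ports(self) -> int:
        # Collapsed ports plus individually listed ports = ports scanned.
        return self.not_shown + len(self.ports)

    def by_state(self, state: str) -> list:
        return [p for p in self.ports if p[2] == state]

def parse_normal_output(text: str) -> ScanReport:
    r = ScanReport()
    for line in text.splitlines():
        if m := REPORT.match(line):
            r.host, r.ip = m.group(1), m.group(2) or m.group(1)
        elif m := NOT_SHOWN.match(line):
            r.not_shown, r.not_shown_state = int(m.group(1)), m.group(2)
        elif m := PORT_LINE.match(line):
            r.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return r
```

For the sample, total_ports() returns 1000 and by_state("open") yields ssh, domain and http, matching the three open ports in Example 4.2.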