Friday, February 25, 2011

Nmap

Nmap is a really useful utility that will help you scan your local network. Beyond just finding hosts, nmap can tell you what ports are open, the type of device, and even the operating system of whatever you scan. This versatile network utility has several uses which I'll go over.




Scanning For Hosts


First and foremost, nmap is used as a scanner for hosts on a network.

1: Network Addresses


The first step to scanning the network is getting an idea of what range of IPs you're going to be looking for. Open up a terminal and use ifconfig to find your address on the network (your IPv4 address):

ifconfig

Upon running ifconfig, you'll get back a lot of information about your network devices. Look for the device you use to connect to the network, and then look for its "inet addr". The "inet addr" value is your IPv4 address, while "inet6 addr" is your IPv6 address. As an example, this is my output:


wlan0     Link encap:Ethernet  HWaddr 00:19:d2:87:60:ac  
          inet addr:10.0.1.15  Bcast:10.0.1.255 Mask:255.255.255.0
          inet6 addr: fe80::219:d2ff:fe87:60ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10623 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10143 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11126583 (11.1 MB)  TX bytes:1873950 (1.8 MB)


You can see the device name (wlan0) and the inet addr (10.0.1.15) on the second line.

2: Using Nmap


Now that you have your network address, you can begin scanning for other hosts.

1. Take the IP address you found in step 1, and set the last octet of the IP to 1. So, for my example IP, I would change "10.0.1.15" to "10.0.1.1"

2. Open up another shell. Now we're actually going to use nmap to get an idea of what our network is like. In this example, I'm scanning the entire subnet for hosts, so I will use "10.0.1.1/24" as my target. By adding the "/24", I'm telling nmap that the first 24 bits of the address (10.0.1) are the network part, so it scans every host address in that subnet (the remaining 8 bits, 10.0.1.0 through 10.0.1.255). For this command, I'm going to include the -O option for OS fingerprinting.

nmap -sS -O 10.0.1.1/24


If you did everything right (and ran this using root privileges) then you should be given results for all the hosts detected on the network. These results include open ports, MAC addresses, device type, and OS. 


3. But what if you want to search the network for computers with a certain port open? Well, that can be done easily with nmap. Just use the same target as the previous command, and replace -O and -sS with the -p option. The syntax is -p [port], where [port] is the port that you are searching for. In this example, we'll search for port 22, which is used for SSH (Secure SHell).


nmap -p 22 10.0.1.1/24


And then you get back a nice list of the hosts and whether or not they have port 22 open. There's a lot more nmap can do. Just check the man pages (man nmap) to see more options.
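As an added example (not part of the original post), here is a small shell script that automates the two steps above: it pulls the "inet addr" out of ifconfig output, turns it into the /24 target, and then lists the hosts whose port 22 is open in nmap's grepable output (-oG). The ifconfig and nmap output embedded below is constructed sample data so the script runs offline; the live wrapper at the end assumes nmap is installed and you have root.

```shell
#!/bin/sh
# Added example, not the author's code. Helpers for the subnet scan
# described in the post, plus constructed sample output to run against.

# Pull the IPv4 address out of ifconfig-style output on stdin.
inet_addr() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Turn "10.0.1.15" into "10.0.1.0/24" (step 1 of the post, done by hand
# there). nmap scans the same 256 addresses for 10.0.1.0/24 and 10.0.1.1/24.
subnet_target() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# From nmap -oG (grepable) output on stdin, print the address of every
# host that reports the given port as open. Each port entry in -oG looks
# like "22/open/tcp//ssh///", preceded by "Ports: " or ", ".
hosts_with_open_port() {
    awk -v p="$1" '/^Host:/ && $0 ~ ("Ports:.*[ \t,]" p "/open/") { print $2 }'
}

# Live wrapper for the post's commands (not run here): needs nmap and root.
ssh_hosts_on_my_subnet() {
    target=$(subnet_target "$(ifconfig | inet_addr)")
    nmap -p 22 -oG - "$target" | hosts_with_open_port 22
}

# Constructed sample ifconfig output (same shape as in the post).
SAMPLE_IFCONFIG='wlan0     Link encap:Ethernet  HWaddr 00:19:d2:87:60:ac
          inet addr:10.0.1.15  Bcast:10.0.1.255 Mask:255.255.255.0
          inet6 addr: fe80::219:d2ff:fe87:60ac/64 Scope:Link'

# Constructed sample of "nmap -p 22 -oG -" output: one host open, one
# filtered, one closed.
SAMPLE_GNMAP='# Nmap 5.51 scan initiated as: nmap -p 22 -oG - 10.0.1.0/24
Host: 10.0.1.1 () Status: Up
Host: 10.0.1.1 () Ports: 22/filtered/tcp//ssh///
Host: 10.0.1.5 () Status: Up
Host: 10.0.1.5 () Ports: 22/open/tcp//ssh///
Host: 10.0.1.15 () Ports: 22/closed/tcp//ssh///
# Nmap done -- 256 IP addresses (3 hosts up) scanned'

# Demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_IFCONFIG" | inet_addr                  # 10.0.1.15
subnet_target "$(printf '%s\n' "$SAMPLE_IFCONFIG" | inet_addr)" # 10.0.1.0/24
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open_port 22        # 10.0.1.5
```

To run it for real, call ssh_hosts_on_my_subnet as root; the -oG "-" argument sends the grepable report to stdout so the parser can read it directly.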



9 comments:

  1. shit... makes me wanna install linux

  2. A Windows version was released in 2000. It's here if interested: http://nmap.org/dist/nmap-5.51-setup.exe

  3. That's pretty sick. I could see this coming in handy.

  4. Very nice! I believe it will be useful =)

  5. I'm planning on getting into networking as a job later in life.

  6. Damn, informative and cool. I'm going to try this out right now!

  7. Thanks for the positive feedback! I plan on doing more of these types of tutorials on other powerful command line programs, so check back often!