Network Exploration Using NmapFE
16 November 2006

Introduction
nmap is a free utility for scanning networks, large or small, to determine which services are running, which operating systems the hosts use, which application versions are listening, and so on. It is a very effective tool for anyone who wants to explore their own network.
nmapfe is a GTK+ graphical front end to nmap. We look at some common uses of nmap through nmapfe.
nmap scans a network by sending carefully crafted IP packets to the hosts on it and analyzing the responses (or the absence of a response) to gather information.
Start NmapFE from Applications->Internet->NmapFE

The window has a Target(s) textbox. Enter the IP address (or hostname) of the host you want to scan here.
Let’s look at some scans commonly in use.
TCP connect() Scan
This scan identifies the TCP ports that have a server listening on them. nmap asks the operating system to connect() to each port, so every probe completes a full three-way handshake with the target.
To execute this scan, enter the IP Address of the target, select Connect Scan from Scan Type and press the Scan button.
Let us execute this scan on host with IP Address 10.61.111.20.

The bottom part of the window lists the open ports together with the service names nmap associates with them. Note that without version detection these names come from nmap's services file by port number, not from anything the server said. Also shown is the number of closed ports.
It also displays the time it took to complete the scan.
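To make the mechanics of the connect scan concrete, here is a miniature connect() scanner in Python. It is an added example, not code from the original article or from nmap. It starts a throw-away TCP listener on 127.0.0.1 as a constructed stand-in for the article's target 10.61.111.20, reserves a second port that is bound but not listening so there is a guaranteed closed port, and classifies both the way nmap -sT does. Because each probe completes the handshake, the listener's accept() sees it; that is exactly why a connect scan shows up in the target application's logs.

```python
"""Minimal TCP connect() scan: what NmapFE's Connect Scan (nmap -sT) does per port.

Added example; not from the article or from nmap. Targets are constructed locally.
"""
import socket
import threading
import time
from contextlib import closing

HOST = "127.0.0.1"  # constructed target; stands in for 10.61.111.20 in the article


def start_listener():
    """Bind a listener on an ephemeral port and record the peer of every accepted connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(5)
    seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            seen.append(peer)        # the "log line" a real daemon would write
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen


def reserve_closed_port():
    """Bind a socket without listen(): no listener matches incoming SYNs, so the
    kernel answers them with RST and the port is reliably closed during the scan."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    return s, s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Classify one port as -sT does: connect() succeeded -> open,
    connection refused (RST) -> closed, no answer within the timeout -> filtered."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"
        return "open"


def connect_scan(host, ports):
    """Scan a list of ports; returns {port: state}."""
    return {p: probe(host, p) for p in ports}


def demo():
    """Scan the two constructed local targets and report what the listener observed."""
    srv, open_port, seen = start_listener()
    closed_sock, closed_port = reserve_closed_port()
    try:
        results = connect_scan(HOST, [open_port, closed_port])
        for _ in range(100):         # let the accept() thread record the handshake
            if seen:
                break
            time.sleep(0.01)
    finally:
        closed_sock.close()
        srv.close()
    return {"results": results, "open_port": open_port,
            "closed_port": closed_port, "handshakes_logged": len(seen)}


if __name__ == "__main__":
    out = demo()
    for port, state in sorted(out["results"].items()):
        print(f"{port}/tcp {state}")
    print(f"listener logged {out['handshakes_logged']} completed connection(s)")
```

Run it and the listener reports one completed connection for the open port and none for the closed one: the open port's daemon has a record of being probed, the closed port's RST was generated by the kernel. nmap additionally attaches a service name to each open port from its services file, which this example does not do.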
Ping Scan
This scan only checks whether the host is up; no ports are probed, so it uses very little network bandwidth.
To execute this, select Ping Sweep as the Scan Type and press the Scan button.

As you can see, it just displays whether the host is up or not.
Version Detection
This scan determines the versions of the applications (servers) running on the hosts.
It is used together with a port scan such as the connect scan: once nmap knows which ports are open, it sends probes to each of them and matches the banners and responses against its database of service signatures.
Select Scan Type as Connect Scan and from Scan Extensions select the Version Probe checkbox to perform Version Detection.

As you can see, it reports the server software and its version, for example OpenSSH 3.8.1p1 in this figure. This is very helpful for finding outdated software on remote servers that needs upgrading.
The above scans didn't require root privileges. There are a few other scans that require superuser access, because nmap has to build the raw packets itself; I discuss them below.
So close nmapfe and restart it as root.
Enter your password when prompted.
TCP SYN Scan
This is also commonly referred to as a half-open scan, as it never completes a TCP connection: nmap sends a SYN, notes whether a SYN/ACK (open) or a RST (closed) comes back, and then tears the connection down with a RST instead of finishing the handshake. It identifies TCP servers just like the connect scan, but it is quieter, because the application never receives a connection and so never logs one. It is not invisible, though: a firewall or intrusion detection system watching the network still sees the SYN probes.
To perform this scan, select SYN Stealth Scan as the Scan Type.

For every scan, the Command textbox at the bottom shows the nmap command line that NmapFE is running, which you can reuse from a terminal: -sT for Connect Scan, -sP for Ping Sweep, -sV for the Version Probe extension and -sS for SYN Stealth Scan.
Stealth Scanning
The following scans send TCP packets with unusual combinations of header flags and rely on how the target's TCP stack reacts. RFC 793 says a closed port must answer such a packet with a RST, while an open port must ignore it. So a RST means closed, and silence means either open or that a firewall dropped the probe; nmap cannot tell these two apart, so it reports the port as open|filtered. Hosts differ, however: Windows and some other systems send a RST for every port regardless of its state, so against them these scans show every port as closed and are useless.
FIN Scan
This sends a packet with only the FIN flag set. Select FIN Stealth Scan from Scan Type.

As you can see, the ssh service is shown as open|filtered.
Xmas Tree Scan
This sends a packet with the URG, PUSH and FIN flags set, lit up like a Christmas tree. Select XMas Tree Stealth Scan from Scan Type.

You can see the telnet service shown as open|filtered.
Null Scan
This sends a packet with no flags set at all. Such a packet never occurs in normal traffic, so while it is quiet as far as the target application is concerned, it stands out to anyone watching the wire.
Select NULL Stealth Scan from the Scan Type.

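The FIN, Xmas and NULL scans above differ only in the flag bits of the TCP header they send, and their open|filtered results all come from the same RFC 793 rule. The following Python block, an added example that is not code from the article or from nmap, builds the 20-byte TCP header each probe carries (with a correct checksum) and then runs the probes against two constructed target models: an RFC 793 host, where a closed port answers RST and an open port stays silent, and a Windows-style host that answers RST for every port. It also models a firewall dropping the probe, to show that nmap sees exactly the same thing as an open port. Nothing is sent on the wire; the destination address is the article's example host, the source address and ports are made up.

```python
"""Byte-level view of nmap's FIN, Xmas and NULL probes (-sF, -sX, -sN) and of why
their results read open|filtered. Added example; not from the article or nmap.
No packets are sent: the target hosts are models."""
import socket
import struct

# TCP control bits (RFC 793), the low byte of the data-offset/flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations behind the NmapFE scan types discussed in the article
PROBES = {
    "SYN Stealth": SYN,
    "FIN Stealth": FIN,
    "XMas Tree": URG | PSH | FIN,
    "NULL": 0,
}


def internet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum covers the IPv4 pseudo-header (addresses, protocol 6, length) plus the segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0):
    """20-byte TCP header without options; flags is a bitmask of the constants above."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words; control bits in the low 9 bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 1024, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)  # computed with the checksum field zeroed
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def flags_of(header):
    """Read the control bits back out of a header."""
    return struct.unpack("!H", header[12:14])[0] & 0x1FF


def rfc793_target(port_open, flags):
    """RFC 793 behaviour: a closed port answers any non-RST segment with RST; an open
    port answers SYN with SYN/ACK and silently drops a segment carrying no SYN."""
    if flags & RST:
        return None
    if not port_open:
        return RST | ACK
    if flags & SYN:
        return SYN | ACK
    return None  # FIN, Xmas or NULL probe hits an open port: no reply at all


def windows_style_target(port_open, flags):
    """Windows and some other stacks send RST for FIN/Xmas/NULL probes whether the
    port is open or not, so those scans report every port as closed there."""
    if flags & RST:
        return None
    if flags & SYN:
        return SYN | ACK if port_open else RST | ACK
    return RST | ACK


def classify(probe_flags, reply_flags, firewall_drops=False):
    """How nmap reads the reply: RST -> closed; SYN/ACK -> open; silence -> 'filtered'
    for a SYN probe, 'open|filtered' for FIN/Xmas/NULL (open and dropped look alike)."""
    if firewall_drops or reply_flags is None:
        return "filtered" if probe_flags & SYN else "open|filtered"
    if reply_flags & RST:
        return "closed"
    if reply_flags & SYN and reply_flags & ACK:
        return "open"
    return "unknown"


def scan(target, port_open, firewall_drops=False):
    """Run every probe type against one port of the given target model."""
    return {name: classify(flags, target(port_open, flags), firewall_drops)
            for name, flags in PROBES.items()}


if __name__ == "__main__":
    hdr = build_tcp_header("10.61.111.1", "10.61.111.20", 40000, 23, PROBES["XMas Tree"])
    print("Xmas probe header:", hdr.hex(), "flags=0x%02x" % flags_of(hdr))
    for name, model in (("RFC 793 host", rfc793_target), ("Windows-style host", windows_style_target)):
        print(name, "open port:", scan(model, True), "closed port:", scan(model, False))
```

Against the RFC 793 model the FIN, Xmas and NULL probes give "closed" for a closed port and "open|filtered" for an open one, and the same "open|filtered" when a firewall eats the probe, which is the ambiguity the article's screenshots show for ssh and telnet. Against the Windows-style model every port comes back "closed" for those three probes while the SYN probe still classifies correctly, which is why -sS is the scan to trust there.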
UDP Scan
This scan identifies UDP services. nmap sends a UDP datagram to each port: an ICMP port unreachable reply means closed, a UDP reply means open, and no response is reported as open|filtered, because an open UDP service that ignores an empty datagram looks exactly like a probe dropped by a firewall. UDP scans are slow, since many systems rate-limit the ICMP errors they send. Select UDP Port Scan as the Scan Type.

IP Protocol Scan
This scan determines which IP protocols (ICMP, IGMP, TCP, UDP and so on, identified by protocol number) the host supports, rather than which ports are open. nmap sends an IP packet with each protocol number; an ICMP protocol unreachable reply means the protocol is not supported, and no response leaves it as open|filtered. To perform this type of scan, select IP Protocol Scan as the Scan Type.

nmap also has an option (-O) to detect the operating system running on the remote host, by comparing quirks in its TCP/IP responses against a database of known fingerprints.
This functionality is very helpful in learning about the services across the network.
Make sure that you have the authority to scan the remote systems: either they are your own, or you have obtained permission from their owner. Don't try it on random networks; these probes are routinely logged and are likely to be treated as an attack.