Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: December 12th, 2014
Linux Security Week: December 9th, 2014
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Scanning and Defending Networks with Nmap Print E-mail
User Rating:      How can I rate this item?
Source: - Posted by Rich Jankowski   
Features This week's article by Rich Jankowski discusses nmap, a very popular tool used to probe hosts to determine what services are available. This process may sometimes be used as a precursor to an attack on your systems.

Copyright license terms available from

Originally written for


Recently the media has been covering many Internet break-ins, their reporters spinning tales of clever bandits who magically gain access to machines with a simple keystroke. In real life, however, it is rarely that simple. Cracking into a computer system requires planning. A cracker has to find a target machine, and then find out what ports the machine is listening on before a system can be compromised.

This is usually done through scanning, the art of finding machines on a network and testing them to see what ports are listening. Scanning networks and hosts is the first strategy a cracker will use before launching an attack. By using scanners such as Nmap, the "bad guys" are able to sweep networks and look for vulnerable targets. Once these targets are identified, an intruder is able to scan for listening ports. Nmap will also use TCP stack fingerprinting to accurately determine the type of machine being scanned.

This article will cover the use of Nmap to allow a security administrator to probe his/her site to get a "cracker's view" of his/her network. By employing the same tools used by an intruder, an administrator will see what his/her site looks like to the bad guys, and hopefully will be able to initiate steps to help secure his/her systems.

Nmap is covered under the GNU General Public License (GPL) and can be downloaded free of charge from It comes as tarred source as well as RPM format. As of this writing, the current stable version, is v.2.12. There are a few graphical front ends; however, this article will focus on using Nmap from the command-line.

The usage syntax of Nmap is fairly simple. Options to `nmap` on the command-line are different types of scans that are specified with the -s flag. A ping scan, for example, is "-sP". Options are then specified, followed by the hosts or networks to be targeted. Nmap's functionality is greatly increased when run as root, because nonsuper-users don't have the ability to create the custom packets that Nmap utilizes.

Nmap is very flexible in specifying targets. Simply scan one host or scan entire networks by pointing Nmap to the network address with a "/mask" appended to it. Targeting "victim/24" will target the Class C network, whereas "victim/16" will target the Class B, and so on.

In addition, Nmap will allow you to specify networks with wild cards, as in 192.168.7.*, which is the same as, or,4,8-12 to scan the selected hosts on that subnet.

Ping Sweeping

Intruders are able to sweep entire networks looking for targets with Nmap. This is usually done with a ping scan by using the "-sP" flag. By default, Nmap will send an ICMP echo and a TCP ACK to each host it scans. Hosts that respond to either will be considered by Nmap to be up. In this example, scan all hosts on the network:

# nmap -sP 

Starting nmap V. 2.12 by Fyodor (,
Host  ( appears to be up.
Host  ( appears to be up.
Host  ( appears to be up.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 1 second

Sometimes you may merely want to check the availability of a system without sending ICMP echo requests, which may be blocked by some sites. In this case, a TCP "ping" sweep can be used to scan a target's network.

A TCP "ping" will send an ACK to each machine on a target network. Machines that are up should respond with a TCP RST. To use the TCP "ping" option with a ping scan, include the "-PT" flag to target a specific port on the network you're probing. In our example, we'll use port 80 (http), which is the default, and it will probably be allowed through the target's border routers and possibly even its firewall. Note that the targeted port does not need to be open on the hosts that are being probed to determine if the machine is up or not. Launch this type of scan as follows:

# nmap -sP -PT80
TCP probe port is 80

Starting nmap V. 2.12 by Fyodor (,
Host  ( appears to be up.
Host  ( appears to be up.
Host  ( appears to be up.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 1 second

When a potential intruder knows which machines on the target's network are alive, typically the next step is port scanning.

Different types of port scans are provided by Nmap: TCP connect, TCP SYN, Stealth FIN, Xmas Tree, and Null, as well as UDP scans.

Port Scanning

An attacker who is using TCP connect scans to probe is easily detected, because Nmap will use the connect() system call to open connections to interesting ports on the target host and complete the 3-way TCP handshake. Logs on the host machine will show these ports being opened by the attacker. A TCP connect scan is used with the "-sT" flag as:

# nmap -sT

Starting nmap V. 2.12 by Fyodor (,
Interesting ports on (
Port    State       Protocol  Service
7       open        tcp        echo            
9       open        tcp        discard         
13      open        tcp        daytime         
19      open        tcp        chargen         
21      open        tcp        ftp             

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
Stealth Scanning

What if an attacker wants to scan a host without leaving his calling card in the system logs on the target machine? TCP SYN scans are less prone to logging on the target's machine, because a full handshake never completes. A SYN scan starts by sending a SYN packet, which is the first packet in TCP negotiation. Any open ports will respond with a SYN|ACK, as they should. However, the attacker sends a RST instead of an ACK, which terminates the connection. The advantage is that the 3-way handshake never completes, and fewer sites will log this type of probe. Ports that are closed will respond to the initial SYN with a RST, allowing Nmap to determine that the host isn't listening on that port. The "-sS" flag will launch a SYN scan against a host or network as:

# nmap -sS

Starting nmap V. 2.12 by Fyodor (,
Interesting ports on (
Port    State       Protocol  Service
21      open        tcp        ftp             
25      open        tcp        smtp            
53      open        tcp        domain          
80      open        tcp        http            

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

Although SYN scans are more likely to be unnoticed, they can still be detected by some intrusion detection countermeasures. The Stealth FIN, Xmas Tree, and Null scans are used to evade packet filters and firewalls that may be watching for SYN packets directed toward restricted ports. These three scans should return a RST for closed ports, whereas open ports should drop the packet. A FIN "-sF" scan will send a FIN packet to each port, whereas the Xmas Tree scan "-sX" turns on the FIN, URG, and PUSH flags, and a Null Scan "-sN" turns off all flags. Because of Microsoft's incompliance with TCP standards, the FIN, Xmas Tree, and Null scans are only effective on non-Microsoft operating systems.

UDP Scanning

If an attacker is looking for popular UDP holes to exploit, such as an rpcbind hole or cDc Back Orifice. He/she will want to know what UDP ports are listening and to find these ports will most likely initiate a UDP scan. Using the UDP scan "-sU" an attacker can determine what ports are open to UDP on a host. Nmap will send a 0-byte UDP packet to each port. If the host returns a "port unreachable" message, that port is considered closed. This method can be time consuming because most UNIX hosts limit the rate of ICMP errors. Fortunately, Nmap detects this rate and slows itself down, so not to overflow the target with messages that would have been ignored. Launch a UDP scan as follows:

# nmap -sU

WARNING:  -sU is now UDP scan -- for TCP FIN scan use -sF
Starting nmap V. 2.12 by Fyodor (,
Interesting ports on (
Port    State       Protocol  Service
53      open        udp        domain          
111     open        udp        sunrpc          
123     open        udp        ntp             
137     open        udp        netbios-ns      
138     open        udp        netbios-dgm     
177     open        udp        xdmcp           
1024    open        udp        unknown         

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
OS Fingerprinting

Often an intruder may be more familiar with exploits for a particular operating system, and may be looking for machines he's able to compromise easily. A common option is TCP/IP fingerprinting with the "-O" option to determine the remote operating system. This has to be combined with a port scan and not a ping scan. Nmap accomplishes this by sending different types of probes to the host, which will narrow the target operating system. Fingerprinting the TCP stack includes such techniques as FIN probing to see what kind of response the target has, BOGUS flag probing to see the remote host's reaction to undefined flags sent with a SYN packet, TCP Initial Sequence Number (ISN) sampling to find patterns of ISN numbers, as well as other methods of determining the remote operating system. A definitive article on stack fingerprinting, written by Fyodor, the author of Nmap, can be found at

Nmap's Operating System detection feature is a very accurate and effective tool as demonstrated by fingerprinting the stack of this Solaris 2.7 machine with a SYN scan:

# nmap -sS -O

Starting nmap V. 2.12 by Fyodor (,
Interesting ports on comet (
Port    State       Protocol  Service
7       open        tcp        echo            
9       open        tcp        discard         
13      open        tcp        daytime         
19      open        tcp        chargen         
21      open        tcp        ftp             
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=17818 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

Do you notice the TCP Sequence Prediction? Nmap, when given the -O option, also tells us how difficult TCP sequence number prediction is for the remote host. This is valuable to an attacker looking for hosts that can be vulnerable to session hijacking.

Ident Scanning

An attacker often may look for a machine in which he/she has a specific exploit for a process, such as a webserver running as root. If the target is running identd, an attacker using Nmap will be able to find out what user owns the http daemon by including the "-I" option to a TCP connect scan. We'll demonstrate by scanning a Linux webserver:

# nmap -sT -p 80 -I -O

Starting nmap V. 2.12 by Fyodor (,
Interesting ports on (
Port    State       Protocol  Service         Owner
80      open        tcp        http            root

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1140492 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 - 2.2.2

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

If your webserver is misconfigured and running as root, as this one is, it will probably be a late night at the data center.

While it is bad security practice to run Apache as root, you can block incoming ident requests by commenting out "auth" in /etc/inetd.conf and restarting inetd. Another method of stopping ident requests is to implement firewall rules at your network border with ipchains or your favorite firewall. This will prevent the curious hooligan from probing your site to determine what user owns what daemons.


In addition to these scans, Nmap offers a myriad of options. One of which, "-PT", we've already covered. This option is used with a ping scan to direct a TCP "ping" sweep at commonly unfiltered ports on a target machine or network.

An option that is useful with scans is "-P0". Since Nmap will ping a target with both TCP "ping" and ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default. The "-P0" option to a scan will allow

One option you should get into the habit of using "-v", a verbose option that can be used with all types of scans. You can use this flag once, even twice, to get more information about the target's machine.

The ability to target specific ports is accomplished with the "-p " option. For instance, if an attacker wanted to probe your webserver for ftp (port 21), telnet (port 23), name service (port 53), and http (port 80), and wanted to know the OS you were using, he/she may try the SYN scan:

# nmap -sS -p 21,23,53,80 -O -v

Factor in a database of popular exploits, and even a novice cracker could be well on his way to getting root access on your machine.


What measures exist to counter an attacker using Nmap? Numerous tools exist, such as Scanlogd, Courtney, and Shadow; however, use of these tools is not a substitute for a knowledgeable administrator on the front line. Because scans are often a precursor to an attack, sites should make it a priority to monitor for them.

Proactively using Nmap to monitor their sites, system and network administrators can discover what a potential intruder sees as he/she probes your machines. Therefore, set up a Linux box with Nmap outside your border routers, pop open a tin of Penguin mints, and start scanning! Nmap to scan a host without initially pinging it.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
University of California, Berkeley Hacked, Data Compromised
London teen pleads guilty to Spamhaus DDoS
New England security group shares threat intelligence, strives to bolster region
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.