Information is power, right? How about using a program that allows you to stick to the shadows and monitor your victim? Nmap is the answer. Nmap stands for Network Mapper. With nmap you can scan a network for vulnerable ports, conduct security audits and monitor your network for unwanted guests. Once you have the information you need, you can begin the process of exploitation or securing the network, based on the information you gather.

We'll use the SYN scan as an example. A SYN scan never fully establishes a TCP connection. This allows the user, admin, hacker or whoever to view the status of ports. Not to mention it will also list the connected devices it finds on a network. So, what would the command look like? Well, first you have to be root, and then you need to run the following command in a terminal session.

# nmap -sS x.x.x.x

This command will run a stealth scan against a specific IP address. The -sS option is a TCP SYN scan, which is also the default scan type when you run nmap as root. If you need to scan a network using a full TCP connection, you can replace -sS with the -sT option. Be aware that this completes the connection on every port and will set off any IDS the target may have.

# nmap -sS x.x.x.x/xx
# nmap -sS x.x.x.x-xxx

These forms allow you to scan a number of IP addresses based on the subnet size (the /xx notation) or a specific range of addresses. I use this when conducting audits. It allows me to create a list of potential targets. In my experience, the biggest drawback of a TCP SYN scan is that it requires root or privileged access.

UDP scans, on the other hand, are time consuming. UDP is a connectionless protocol: it does not require any acknowledgement, so when the program does find an open port, the traffic gets quieter rather than louder, because an open port usually sends nothing back. Furthermore, the scan on its own doesn't provide much information about the port.

Now, there are a lot of malicious programs out there that use UDP ports. When a security auditor is running these scans, they can provide him or her with important information. See, malicious programs are more likely to sit on UDP ports, for various reasons. Regularly inspecting these ports allows the admin to identify and possibly contain any malicious infestations.

In order to view the version of the service on a port, the -sV option must be added to the syntax. Which brings me to my last bit: options. Options, as you have seen above, allow you to alter a command or get better details from it, like the -sV option. Another option someone could use is -O, which allows a user to identify the operating system by fingerprinting it.

# nmap -sU x.x.x.x
# nmap -sU -sV -O x.x.x.x

Those commands will allow you to, one, initiate a UDP scan and, two, initiate a scan that provides information on the target's operating system and the version of the service behind each port.
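To turn the audits and the regular UDP inspections described above into something repeatable, the scan results have to be compared against what the admin expects. The following is an added example, not code from the original post: it parses the XML that nmap writes with the -oX option (a constructed, trimmed sample is embedded inline, with hypothetical hosts, ports and baseline) and reports every non-closed port that the baseline does not list.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML that `nmap -sU -sV -oX scan.xml <target>` writes,
# trimmed to the elements read below; the hosts and ports are hypothetical.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="53"><state state="open"/><service name="domain"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="123"><state state="open"/><service name="ntp"/></port>
      <port protocol="udp" portid="31337"><state state="open"/><service name="unknown"/></port>
      <port protocol="udp" portid="69"><state state="closed"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed baseline of what the admin expects to see: (ip, protocol, port).
BASELINE = {("192.0.2.10", "udp", 53), ("192.0.2.10", "udp", 161), ("192.0.2.11", "udp", 123)}


def parse_ports(xml_text):
    """Map (ip, proto, port) -> (state, service) for every non-closed port on a host that is up."""
    found = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state == "closed":
                continue  # closed UDP ports answered with ICMP unreachable; nothing is listening
            svc = port.find("service")
            key = (addr.get("addr"), port.get("protocol"), int(port.get("portid")))
            found[key] = (state, svc.get("name") if svc is not None else "")
    return found


def unexpected_ports(found, baseline):
    """Ports the scan reported that the baseline does not list: candidates for follow-up."""
    return {k: v for k, v in found.items() if k not in baseline}


if __name__ == "__main__":
    for (ip, proto, port), (state, service) in sorted(unexpected_ports(parse_ports(SAMPLE_XML), BASELINE).items()):
        print(f"{ip} {proto}/{port} {state} {service or '?'}: not in baseline")
```

Note that UDP ports reported as open|filtered are kept: silence is the expected answer from an open UDP port, so they deserve the same follow-up as ports reported open.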

Happy Scanning and remember be careful with NMAP.
