<

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x

Nmap: Performing a Basic Scan

Published on
11,660 Points
5,560 Views
1 Endorsement
Last Modified:
Approved
The Nmap Security Scanner written by Fyodor is a widely used security and network administration tool that can be used to perform a port scan of remote systems.  A port scan of a system can let the Nmap user know which services are available on a system as well as if these services are accessible through a firewall.

This article discusses features that are available in Nmap 5.0 and higher. To download Nmap and access other related security resources, please visit www.insecure.org.

Conducting a Basic Nmap Scan from the Command Line

While a GUI front-end (Zenmap) now exists, Nmap has traditionally been used by administrators from the command line in both Windows and Unix/Linux environments.  When a basic Nmap scan is performed without any additional options, the following will occur:

-      Your system will scan the 1,000 most commonly used TCP ports on your target(s).  These ports were enumerated by Fyodor when he conducted an Nmap scan against every host on the Internet and compiled the end results.  The scan type conducted is a standard SYN scan.
-      Nmap will randomize the order in which the ports are scanned.  If you wish for the ports to be scanned in sequential order, perhaps to test your IDS/IPS capabilities, use the r option.
-      In addition to scanning ports, Nmap will attempt to retrieve the MAC address associated with the remote IP address(es) being scanned and resolve the MAC address to its associated manufacturer.
-      If an IP address is specified as the scan target, Nmap will attempt to perform a reverse DNS lookup to identify the FQDN of the scanned host(s).

In the following example, Nmap is used to conduct a basic port scan of the system at 192.168.2.38.

 Conducting an Nmap Basic Scan
C:\>nmap 192.168.2.38

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-06 23:12 Eastern Standard Time

Interesting ports on webserver.company.net (192.168.2.38):
Not shown: 998 closed ports
PORT      STATE 	SERVICE
80/tcp      open  	http
3389/tcp    open  	ms-term-serv
MAC Address: 00:1C:23:55:55:55 (Dell)

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

Open in new window


As you can see, the above scan discovered that two TCP ports were running on the system  noted by the open state.  The remaining 998 scanned ports were reported as closed as no services were running on the system.  By default, Nmap will guess which services are running on each of these ports based on the common usage of each port number.  

In our example, based on the Nmap determining that TCP 80 and TCP 3389 are open on the system, Nmap will report that the two services that appear to be running on the system are HTTP (to act as a web server on TCP port 80) and Microsofts Terminal Services (for remote access to the system on TCP port 3389).  To have Nmap perform additional tests on open ports to determine which service is truly running on a port, use the sV (Service) scan option.

REMEMBER  Each system has 65,535 TCP and 65,535 UDP ports.  The standard Nmap scan only scans the 1,000 most commonly used ports to help expedite scan times.

In addition to the discovered services that were running on the system, the system was determined to be a Dell system based on its MAC address (00:1C:23:55:55:55).  Nmap also performed a reverse DNS lookup to resolve the targets IP address of 192.168.2.38 to webserver.company.net.

NOTE  If you do see a result state as filtered, this means that access to the port by Nmap has been blocked.  Typically, this result indicates that a firewall has prevented the Nmap scan from reaching the system on the filtered ports.

As you can see, Nmap can perform a basic scan in order to determine common services that are running on a remote system.
1
Comment
Author:MikeHolcomb
0 Comments

Featured Post

Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

Join & Write a Comment

The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month