Whether you are attacking a computer or protecting it, good intelligence about that computer matters. One of the most powerful tools for learning about a given system is Nmap. According to Nmap's website:
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
I would like to take a look at a few of the things you can do with Nmap. For these examples, my target is going to be jastreich.com (a server run by a friend and former coworker, scanned with his knowledge; only scan hosts you own or have permission to test). This is definitely not a comprehensive guide, but it will cover some of the high points.
Look up the server's reverse-DNS name (without sending it any packets)
This "list scan" does not send a single packet to the target. Nmap just resolves the name you gave it and does a reverse-DNS lookup on the resulting address, so the only traffic is DNS queries to your own resolver. The Nmap website calls it a "good sanity check", since it lets you confirm that the name and address you are about to scan really belong to the target you expect, and I would have to agree. Note that the PTR name can differ from the name you typed (here piggyandmoo.com comes back for jastreich.com), which is a first hint that the box hosts more than one site.
nmap -sL [Insert Host Here]
Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 03:55 UTC
Nmap scan report for jastreich.com (192.81.210.134)
rDNS record for 192.81.210.134: piggyandmoo.com
Nmap done: 1 IP address (0 hosts up) scanned in 0.05 seconds
Trace path to the server (traceroute)
This sends probes to the target with varying TTLs to elicit an ICMP Time Exceeded message from each router on the path (Nmap starts at a high TTL and counts down, the reverse of the classic traceroute tool, and reuses a port it already knows the state of). The goal is to map every hop between you and your target, which tells you who hosts the box and where upstream routers or filtering devices sit; those are sometimes worth a look as alternate attack vectors. Beware: --traceroute needs raw packet privileges, so run it as root (or with sudo) on your local machine.
nmap --traceroute [Insert Host Here]
Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:37 UTC
Nmap scan report for jastreich.com (192.81.210.134)
Host is up (0.00092s latency).
rDNS record for 192.81.210.134: piggyandmoo.com
Not shown: 998 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 11.49 ms 192.81.212.1
2 0.95 ms piggyandmoo.com (192.81.210.134)
Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds
Application Version Detection
So, you know where your target is. Next, you probably want to know what services it is running. The -A option turns on version detection, OS detection, the default NSE scripts and traceroute in one go, and reports what each open port is running (to the best of Nmap's ability). Once you know which daemons and versions are exposed, you can start looking for known weaknesses in them. Be aware that -A is loud: it fires many probes and runs scripts against every open port, so it is anything but stealthy, and the OS detection part needs root.
nmap -A [Insert Host Here]
Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:43 UTC
Nmap scan report for jastreich.com (192.81.210.134)
Host is up (0.00061s latency).
rDNS record for 192.81.210.134: piggyandmoo.com
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: localhost, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=stkfactory
| Not valid before: 2012-10-17 21:47:37
|_Not valid after: 2022-10-15 21:47:37
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: J. A. Streich Home Page
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.00%E=4%D=12/14%OT=25%CT=1%CU=44180%PV=N%DS=2%DC=T%G=Y%TM=52ABE1
OS:FA%P=i686-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=8)OPS(O
OS:1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11N
OS:W6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R
OS:=Y%DF=Y%T=41%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:41%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S
OS:)
Network Distance: 2 hops
Service Info: Host: localhost
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.82 ms 192.81.212.1
2 1.01 ms piggyandmoo.com (192.81.210.134)
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.82 seconds
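As an added example (my own code, not part of the original post or of the Nmap project), here is how I would turn the -A results into something scriptable: run the same scan with -oX and parse the XML instead of screen-scraping the normal output. The assumed command line is nmap -A -oX scan.xml jastreich.com; the XML embedded below is constructed by hand to match the scan results shown above (same IP, rDNS name, open ports, versions and hops), trimmed to the elements the parser reads, with one closed port added to show that only open ports land in the inventory.

```python
"""Turn Nmap's XML output (-oX) into a service inventory.

Added example, not code from the original post or from the Nmap project.
Assumed command line: nmap -A -oX scan.xml jastreich.com
SAMPLE_XML is constructed by hand to match the -A results shown above.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: what Nmap 6.00 writes for the -A scan above, trimmed
# to the elements this parser reads. 554/tcp is closed on purpose to show
# that closed ports are filtered out of the inventory.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX scan.xml jastreich.com" version="6.00">
<host>
<status state="up" reason="echo-reply"/>
<address addr="192.81.210.134" addrtype="ipv4"/>
<hostnames>
<hostname name="jastreich.com" type="user"/>
<hostname name="piggyandmoo.com" type="PTR"/>
</hostnames>
<ports>
<extraports state="closed" count="998"/>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
<service name="smtp" product="Postfix smtpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.22" extrainfo="(Ubuntu)" method="probed" conf="10"/></port>
<port protocol="tcp" portid="554"><state state="closed" reason="reset"/>
<service name="rtsp" method="table" conf="3"/></port>
</ports>
<trace port="80" proto="tcp">
<hop ttl="1" ipaddr="192.81.212.1" rtt="0.82"/>
<hop ttl="2" ipaddr="192.81.210.134" rtt="1.01" host="piggyandmoo.com"/>
</trace>
</host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host that was up: ip, names, open services, hops."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        # type="user" is the name you typed; type="PTR" is the rDNS record.
        names = {hn.get("type"): hn.get("name")
                 for hn in host.findall("hostnames/hostname")}
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports stay out of the inventory
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda key, default=None: default)
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": get("name"),
                "product": get("product"),
                "version": get("version"),
                "extrainfo": get("extrainfo"),
                # method="probed" means Nmap matched a real response;
                # "table" means it only guessed from the port number.
                "guessed": get("method") != "probed",
            })
        hosts.append({
            "ip": addr.get("addr") if addr is not None else None,
            "target": names.get("user"),
            "rdns": names.get("PTR"),
            "services": services,
            "hops": [hop.get("ipaddr") for hop in host.findall("trace/hop")],
        })
    return hosts


def service_banner(svc):
    """Join product/version/extrainfo the way Nmap prints its VERSION column."""
    parts = [svc.get("product"), svc.get("version"), svc.get("extrainfo")]
    return " ".join(p for p in parts if p) or (svc.get("name") or "unknown")


def report(hosts):
    """Render the inventory as text, one line per open service."""
    lines = []
    for h in hosts:
        path = " -> ".join(h["hops"]) or "no trace"
        lines.append("%s (rDNS %s) via %s" % (h["ip"], h["rdns"] or "none", path))
        for s in h["services"]:
            flag = "  [guessed]" if s["guessed"] else ""
            lines.append("  %d/%s %s: %s%s" % (s["port"], s["proto"],
                                                s["name"], service_banner(s), flag))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python inventory.py scan.xml   (no argument: parse the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(report(parse_hosts(text)))
```

Keep in mind that the product and version strings are whatever the daemon chose to say about itself; banners can be edited, and distributions such as Ubuntu backport security fixes without bumping the version number, so "Apache httpd 2.2.22" on its own tells you where to start reading, not that a particular bug is present.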
TCP SYN Scan
This is a good first scan when analyzing a server, and it is what Nmap runs by default when you have root privileges. It is fast and comparatively quiet because it never completes the TCP three-way handshake: Nmap sends a SYN, a SYN/ACK reply means the port is open, a RST means it is closed, and Nmap then tears the half-open connection down with its own RST instead of sending the final ACK. Because no connection is ever established, the application listening on the port never sees it and so rarely logs it, which is why this is called a half-open (or "stealth") scan. It is not invisible, though: any firewall or IDS watching the wire sees the SYNs. It needs root for raw packet access; without root, Nmap falls back to a full connect scan (-sT), which the target application does see.
nmap -sS [Insert Host Here]
Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:57 UTC
Nmap scan report for jastreich.com (192.81.210.134)
Host is up (0.00031s latency).
rDNS record for 192.81.210.134: piggyandmoo.com
Not shown: 998 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds