Nmap scanning basics w/Debian Linux part I
I wanted to begin writing more tutorial based post so I thought I’d start off with an Nmap tutorial. This is going to be just a basic Nmap scanning tutorial, more advanced tutorials about Nmap will come later. Let’s begin.
So what is Nmap? Nmap is for all intent purposes, a port scanner. You might ask, “Well what is a port?”. Think of an IP address as a business and inside your business you might have various departments that provide different services. There might be an Accounting department or a Human Resources department. These departments symbolize the different services that run on your computer such as email, Web browser and so on. If mail (data traffic) needs to get to the HR department, how does it know how to get there? The answer….port numbers. If mail is addressed to MyFakeBusiness attn: HR department, we know to deliver that mail to the HR department and not to the Accounting department. Ports and port numbers work in a similar fashion. Your computer will have an IP address of 192.168.1.100 and data may need to get to the web browser on that computer and not emai,l so in order for that to happen the data has to be addressed with the port number for the web browser in order for the web browser to receive it. So in the header of that packet you will have the IP address and the port number, which would be 80. These services or programs are usually “listening” on their port numbers for incoming data. Nmap takes advantage of the ports that are in the listening state (and even takes advantage of ones that aren’t listening) in order to obtain information about what services are running on a particular computer.
So let’s begin with nmap. To install nmap on your Debian computer run the command “aptitude install nmap” or “apt-get install nmap”. Either one will work but the latter is a deprecated command.
Before we get into nmap syntax I want to touch on a couple of things concerning TCP connection packet flags.
SYN packet– establishes a TCP connection
ACK packet – acknowledges a message
RST packet – resets a connection because of a problem
FIN packet – tears down a connection
Two of the most common type of nmap scans are Syn scans and TCP connect scan.
Syn scans work by the nmap host sending a Syn packet, if the port is open on the target it will send back a syn/ack packet, the nmap host will then send a RST packet to reset the connection. Some of the common flags you may see with an nmap scan are as follows:
-sS – SYN scan
-sT – TCP full connect scan
-sU UDP port scan ( not as reliable)
-vv very verbose
-O OS detection (better known as fingerprinting)
-sV service version detection (used to find out what version of what services are running on target host)
-P0 – no ping (this option is used to tell nmap not to ping the target host. By default nmap sends an ICMP request to the target host to check if the host is alive. This is detected by most firewalls and is a useful option in case the firewall is blocking pings. This also is used so that nmap will proceed scanning for open ports despite whether or not the host responds to a ping)
-A aggressive scan
-p port (gives ability to choose specific port or port range
-F fast scan (scans ports in nmap service file)
-n (tells nmap to not perform a reverse DNS lookup)
These are some of the basic flags that you might encounter. Next post I will give examples of usage along with screen shots on the output.