Nmap Security Scanner
*Ref Guide
Security Lists
Security Tools
Site News
Advertising
About/Contact
Credits
Sponsors





Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Interpreting scan results
Prev Chapter 12. Zenmap GUI Users' Guide Next

Interpreting scan results

After scanning, Nmap’s output is displayed. This output will be familiar to Nmap users. Apart from Zenmap’s output highlighting it doesn’t offer any advantages over running Nmap in a terminal. However, other parts of Zenmap’s interface interpret and aggregate the terminal output in a way that aims to make the scan results easy to understand and use.

Scan results tabs

Within each scan tab, there are four sub-tabs that display different aspects of the scan results. They are: “Ports / Hosts”, “Nmap Output”, “Host Details”, and “Scan Details”. Each of these will be discussed.

The Ports / Hosts tab’s display is different depending on whether a host or a service is currently selected. When a host is selected, it shows all the interesting ports on a certain host, along with version information if available. For how to select a host, see the section called “Sorting by host”

When a service is selected, the Ports / Hosts tab shows all the hosts which have that port open or filtered. This is a good way to quickly answer the question “What computers are running HTTP?” For how to select a service, see the section called “Sorting by service”

The Nmap Output tab is the one displayed by default when a scan is run. It shows the familiar Nmap terminal output. The output is refreshed from the running Nmap every few seconds but if you are impatient you can click the “Refresh” button to do it more frequently. The display highlights parts of the output according to their meaning; for example, open and closed ports are displayed in different colors. The highlighting can be turned on and off by toggling the “Enable Nmap output highlight” check box. Near the bottom of the display, there is a “Preferences” button, which when clicked opens a dialog that shows what parts of the output are highlighted and allows the highlighting to be customized. Custom highlights are stored in zenmap.conf; see the section called “Description of zenmap.conf”

The Host Details tab breaks all the information about a single host into a hierarchical display. Shown are the host’s names and addresses, its state (up or down), and the number and status of scanned ports. The host’s uptime, operating system, its OS icon (see Table 12.2, “OS icons”), and other associated details are shown if they are available. (If no exact OS match was found there will be a display showing the closest matches.) There is an icon that gives a rough estimate of the host’s “vulnerability”, which is based solely on the number of open ports. The icons are shown in Table 12.1, “Vulnerability icons” There is also a collapsible text field for storing a comment about the host which will be saved when the scan is saved to a file (see the section called “Saving and loading scan results”).

Table 12.1. Vulnerability icons

0–3 open ports.

4–5 open ports.

6–7 open ports.

8–9 open ports.

10 or more open ports.


The Scan Details tab gives miscellaneous information about the scan as a whole (it is not host-specific). Among other things, this tab shows the Nmap command that was run, the version of Nmap used, start and end times for the scan, and a list of ports or protocols that were scanned.

Sorting by host

Figure 12.5. Host selection

Host selection

On the left side of a scan tab is a column headed by two buttons labeled “Hosts” and “Services”. Clicking the “Hosts” button will bring up a list of all hosts that were scanned, as in Figure 12.5, “Host selection” Commonly this will be just a single host, but it could be thousands in a large scan. The host list can be sorted by OS or host name/IP address by clicking the headers at the top of the list.

Each host is labeled with its host name or IP address and has an icon indicating the operating system that was detected for that host. The icon is meaningful only if operating system detection was performed using the -O option. Otherwise, the icon will be a default one indicating that the OS is unknown. Table 12.2, “OS icons” shows what icons are possible. Note that Nmap’s OS detection cannot always provide the level of specificity implied by the icons; often a Red Hat Linux host will be displayed with the generic Linux icon.

Table 12.2. OS icons

OS detection not performed

FreeBSD

Irix

Linux

Mac OS

OpenBSD

Red Hat Linux

Solaris or OpenSolaris

Ubuntu Linux

Microsoft Windows

Other (no specific icon)

 

Selecting a host will cause the “Ports / Hosts” tab to display the interesting ports on that host.

Sorting by service

Figure 12.6. Service selection

Service selection

Above the same list that contains all the scanned hosts is a button labeled “Services”. Clicking that will change the list into a list of all ports that are open, filtered, or open|filtered on any of the targets, as in Figure 12.6, “Service selection” The ports are identified by service name (http, ftp, etc.). The list can be sorted by clicking the header of the list.

Selecting a host will cause the “Ports / Hosts” tab to display all the hosts that have that service open or filtered.


Prev Up Next
Scanning Home Saving and loading scan results
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]