![[Note]](note.png) | Note |
---|
This document describes the very latest version of
Nmap available from http://nmap.org/download.html or http://nmap.org/dist/?C=M&O=D Please
ensure you are using the latest version before reporting that a
feature doesn't work as described. |
Nmap (“Network Mapper”) is an open source tool for network
exploration and security auditing. It was designed to rapidly
scan large networks, although it works fine against single
hosts. Nmap uses raw IP packets in novel ways to determine what
hosts are available on the network, what services (application
name and version) those hosts are offering, what operating systems
(and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other
characteristics. While Nmap is commonly used for security audits,
many systems and network administrators find it useful for routine
tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime.
The output from Nmap is a list of scanned targets, with
supplemental information on each depending on the options
used. Key among that information is the “interesting ports
table”. That table lists the port number and protocol,
service name, and state. The state is either
open
, filtered
,
closed
, or unfiltered
. Open
means that an application on the target machine is listening for
connections/packets on that port. Filtered
means that a firewall,
filter, or other network obstacle is blocking the port so that
Nmap cannot tell whether it is open
or closed
. Closed
ports have
no application listening on them, though they could open up at any
time. Ports are classified as unfiltered
when they are responsive
to Nmap's probes, but Nmap cannot determine whether they are open
or closed. Nmap reports the state combinations
open|filtered
and
closed|filtered
when it cannot determine which
of the two states describe a port. The port table may also
include software version details when version detection has been
requested. When an IP protocol scan is requested
(-sO
), Nmap provides information on supported IP
protocols rather than listening ports.
In addition to the interesting ports table, Nmap can provide
further information on targets, including reverse DNS names,
operating system guesses, device types, and MAC addresses.
A typical Nmap scan is shown in Example 15.1, “A representative Nmap scan” The only Nmap arguments used in
this example are -A
, to enable OS and version
detection, script scanning, and traceroute; -T4
for
faster execution; and then the two target hostnames.
Example 15.1. A representative Nmap scan
# nmap -A -T4 scanme.nmap.org playground
Starting nmap ( http://nmap.org )
Interesting ports on scanme.nmap.org (205.217.153.62):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
53/tcp open domain
70/tcp closed gopher
80/tcp open http Apache httpd 2.0.52 ((Fedora))
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)
Interesting ports on playground.nmap.org (192.168.0.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1002/tcp open windows-icfw?
1025/tcp open msrpc Microsoft Windows RPC
1720/tcp open H.323/Q.931 CompTek AquaGateKeeper
5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC port: 5900)
5900/tcp open vnc VNC (protocol 3.8)
MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP
Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds