Nmap ( Network Mapper) is an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
Nmap was written by Gordon Lyon.
Installing Nmap is a standard emerge; no configuration should be required. Pay attention to the optional USE flags in case there are some "non-stock" features that you might find useful. See the USE flags list below before running the following command:
emerge --ask net-analyzer/nmap
A quick way to add many USE flags at once for Nmap:
echo ">=net-analyzer/nmap-6.25 gtk ipv6 lua nls ssl ncat ndiff nmap-update nping" >> /etc/portage/package.use
USE flags for net-analyzer/nmap A utility for network discovery and security auditing
||Add support for IP version 6|
||Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)|
||Enable SSH support through net-libs/libssh2|
||Install the ncat utility|
||Install the ndiff utility|
||Add Native Language Support (using gettext - GNU locale utilities)|
||Install nmap-update, which uses dev-vcs/subversion to update nmap scripts in your home directory|
||Install the nping utility|
||Include support for the Nmap Scripting Engine (NSE)|
||Use dev-lang/lua instead of the bundled liblua|
||Install the GTK+ based nmap GUI, zenmap|
Nmap is an extremely powerful tool. Entire books have been written about its use, and there is more information than we could possibly do justice to here. The following section will a brief overview in order to give users a feel for its output. If you'd like a more thorough tutorial, the man page is an excellent guide.
To see if port 80 was open at example.com, run nmap with the
-p option to specify the port:
nmap example.com -p 80
To check multiple ports, port 80 and port 8080 for example, separate each port with a comma:
nmap example.com -p 80,8080,443
To check for open SQL ports, run:
nmap example.com -p 1433,3306,5432
To check a wide range of ports, such as ports 1-1000, separate the low-end & high-end of the range with a - (dash):
nmap example.com -p 1-1000
Specify multiple port ranges by:
nmap example.com -p 6660-6670,6690-6700
To find out if a server was running an IRC daemon, and then find out information about that IRC daemon do the same as above but add the
nmap -sV irc.afraidirc.net -p 6660-6670,6690-6700
Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-07 20:11 CDT Nmap scan report for irc.afraidirc.net (220.127.116.11) Host is up (0.060s latency). rDNS record for 18.104.22.168: 51.df.7aae.static.theplanet.com PORT STATE SERVICE VERSION 6660/tcp closed unknown 6661/tcp closed unknown 6662/tcp closed radmind 6663/tcp closed unknown 6664/tcp closed unknown 6665/tcp open irc ratbox, charybdis, or ircd-seven ircd 6666/tcp open irc 6667/tcp open irc ratbox, charybdis, or ircd-seven ircd 6668/tcp open irc 6669/tcp open irc 6670/tcp closed irc 6690/tcp closed unknown 6691/tcp closed unknown 6692/tcp closed unknown 6693/tcp closed unknown 6694/tcp closed unknown 6695/tcp open irc ratbox, charybdis, or ircd-seven ircd 6696/tcp open irc ratbox, charybdis, or ircd-seven ircd 6697/tcp open irc ratbox, charybdis, or ircd-seven ircd 6698/tcp open irc ratbox, charybdis, or ircd-seven ircd 6699/tcp open irc ratbox, charybdis, or ircd-seven ircd 6700/tcp closed carracho Service Info: Host: BloodyMary.AfraidIRC.net Service detection performed. Please report any incorrect results at http://nmap.org/submit/ Nmap done: 1 IP address (1 host up) scanned in 12.14 seconds
The output above shows the hostname as defined in the IRC daemon configuration, as well as the IRC daemon version name. In this case, it happens to be Charybdis, which is a fork of ratbox. ircd-seven is also a fork of ratbox, so Nmap is unable to tell exactly which IRC daemon is in use. It is capable of providing the IRC daemon "family".
Similar port scans can be invoked in order to get information about web servers, or other services running on a target machines. The following example will get the web server and the operating system running on a machine at Google.com:
nmap -sV -p 80 google.com
Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-07 20:16 CDT Nmap scan report for google.com (22.214.171.124) Host is up (0.022s latency). rDNS record for 126.96.36.199: lax17s02-in-f2.1e100.net PORT STATE SERVICE VERSION 80/tcp open http Google httpd 2.0 (GFE) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds
To fingerprint an operating system, use:
nmap -O -v localhost
At least one Easter egg is contained within Nmap, if more are found please document them here in the wiki!
nmap -oS - google.com
STArt1nG Nmap 6.25 ( Http://nMAp.oRg ) aT 2013-09-07 20:22 CDT Nmap ScaN rEpOrt f0r g00gLe.c0m (188.8.131.52) H0St |s up (0.012z lat3ncy). rdNS r3coRd For 184.108.40.206: lax17S02-in-f7.1E100.n3t Not Sh0wn: 998 F!lTErEd p0rt$ PORT $T4T3 seRVIc3 80/Tcp 0p3n HTTp 443/tCP Open hTtps Nmap d0nE: 1 Ip adDr3SS (1 Host up) $canned 1N 5.05 $3condz
- Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
- Wireshark — a free and open-source packet analyzer.