Thursday, August 4, 2011

NMAP Tutorial

Tutorial & Article: NMAP. For hackers this is one of the tools that must be mastered, and it is used constantly because it is a simple and powerful way to find out which hosts are up, which services they run and which operating system a target system uses. Understanding how it works on the inside is not a licence to meddle with other people's systems or to destroy them; the knowledge is there to be learned and used constructively.

Nmap is already very famous, so famous that it was used in a very well-known film. Anyone who has seen The Matrix Reloaded will remember that near the end Trinity uses nmap to break into the computer system of the city's emergency power supply, something that made the tool's author, Fyodor, proud: he has pointed out that The Matrix Reloaded is the rare Hollywood film that shows a realistic intrusion technique, unlike Swordfish or Hackers, which do not. But again, a warning: do not use it against other people's systems. That is an illegal act that can put you in jail.
1. Installing Nmap
Nmap stands for Network Mapper, a tool hackers use to map a network. With Nmap you can find out which hosts are active and which of them may be open to further exploitation. Nmap is available for a range of operating systems, from Unix and Linux to Windows; you can download it from http://www.nmap.org or http://www.insecure.org/nmap. In this article we use Nmap on Windows, but not the graphical version: we use the text (command-line) version, so the same commands work on Linux, Unix and their relatives. Installing the Windows version of Nmap is very easy; all you have to do is:
1. Install WinPcap version 2.1-beta or newer from http://winpcap.polito.it/ (WinPcap_3_0.exe at the time of writing).
2. Reboot.
3. Download the Nmap program file from www.nmap.org, nmap-3.45-win32.zip (the version at the time of writing).
4. Unzip the file with WinZip or another decompression utility.
2. Starting Nmap
Before starting you should know which facilities Nmap offers. Start by looking at the available options; to see them, just call its help as follows:
C:\> nmap -h
Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan.  Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended.  Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
  --win_help Windows-specific features
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
C:\>
The simplest way to find out whether a host is on or off is the ping command:
C:\> ping server1
Pinging server1 [128.1.10.25] with 32 bytes of data:
Reply from 128.1.10.25: bytes=32 time<10ms TTL=128
Reply from 128.1.10.25: bytes=32 time<10ms TTL=128
Reply from 128.1.10.25: bytes=32 time<10ms TTL=128
Reply from 128.1.10.25: bytes=32 time<10ms TTL=128
Ping statistics for 128.1.10.25:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
The replies above show that server1 is active, in other words not dead. If the host is off, or dead, the result looks like this:
C:\> ping 192.168.1.95
Pinging 192.168.1.95 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.95:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
The headache begins when you (the hacker) want to find out which hosts are active on a particular company network connected to the internet. If the company has a class C network there are up to 256 addresses (254 usable hosts), so if you have to ping them one by one, how many times must you type the ping command? It takes a long time and is tedious. Nmap offers a quick solution. Suppose you want to check which hosts are active on the class C network in the range 192.168.1.91 to 192.168.1.100; you can check with the following command:
C:\> nmap -sP 192.168.1.91-100
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-09-26 15:40 SE Asia Standard Time
Host NARUTO (192.168.1.91) appears to be up.
Host Sasuke (192.168.1.92) appears to be up.
Host SAKURA (192.168.1.93) appears to be up.
Host Neji (192.168.1.94) appears to be up.
Host LEE (192.168.1.96) appears to be up.
Host Kiba (192.168.1.97) appears to be up.
Host COUJI (192.168.1.98) appears to be up.
Host ADMINISTRATION (192.168.1.100) appears to be up.
Nmap run completed -- 10 IP addresses (8 hosts up) scanned in 9.880 seconds
C:\>
Note in the Nmap results above that of the 10 addresses scanned only 8 active hosts were found: 192.168.1.95 and 192.168.1.99 did not answer, so they are either inactive or simply not present. Easy, isn't it?
The -sP option is Nmap's ping scan. It is ICMP-based in the same sense as ping, sending an ICMP echo request to each address; when run with privileges, Nmap 3.x also sends a TCP ACK packet to port 80 in parallel, so a host that drops ICMP but answers TCP is still found. Note that -sP is case-sensitive: if you type -sp the command is not recognised.
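As an added illustration that is not part of the original tutorial, the following Python script parses the normal-format output of an Nmap 3.x ping scan such as the run above, expands the target specification that was given to Nmap, and lists the addresses that never answered. The embedded sample output is constructed (re-typed from the run above). Unanswered addresses are reported as exactly that rather than as "down", because an address whose host drops both the ICMP echo and the TCP ACK probe looks identical to an unused one.

```python
import ipaddress
import re

# Constructed sample, re-typed from the ping-scan run above in Nmap 3.x normal-output format.
SAMPLE_SP_OUTPUT = """\
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-09-26 15:40 SE Asia Standard Time
Host NARUTO (192.168.1.91) appears to be up.
Host Sasuke (192.168.1.92) appears to be up.
Host SAKURA (192.168.1.93) appears to be up.
Host Neji (192.168.1.94) appears to be up.
Host LEE (192.168.1.96) appears to be up.
Host Kiba (192.168.1.97) appears to be up.
Host COUJI (192.168.1.98) appears to be up.
Host ADMINISTRATION (192.168.1.100) appears to be up.
Nmap run completed -- 10 IP addresses (8 hosts up) scanned in 9.880 seconds
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Nmap 3.x prints "Host name (ip) appears to be up." when reverse DNS works and
# "Host ip appears to be up." when it does not; accept both forms.
HOST_UP_RE = re.compile(
    rf"^Host (?:(?P<name>\S+) \((?P<ip>{IP})\)|(?P<bare>{IP})) appears to be up\.$"
)


def expand_targets(spec):
    """Expand a CIDR block or an Nmap-style last-octet range such as 192.168.1.91-100."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False).hosts()]
    prefix, _, last = spec.rpartition(".")
    if "-" in last:
        lo, hi = (int(x) for x in last.split("-", 1))
        return [f"{prefix}.{i}" for i in range(lo, hi + 1)]
    return [spec]


def parse_ping_sweep(output):
    """Return {ip: hostname-or-''} for every host the sweep reported as up."""
    up = {}
    for line in output.splitlines():
        m = HOST_UP_RE.match(line.strip())
        if m:
            up[m.group("ip") or m.group("bare")] = m.group("name") or ""
    return up


def sweep_report(spec, output):
    """Hosts that answered, and addresses that did not.  'Unanswered' is deliberately
    not 'down': a host that drops ICMP echo and the TCP ACK probe is indistinguishable
    from an unused address (the firewalled web-server case this tutorial discusses)."""
    targets = expand_targets(spec)
    up = parse_ping_sweep(output)
    return {
        "up": {ip: up[ip] for ip in targets if ip in up},
        "unanswered": [ip for ip in targets if ip not in up],
    }


if __name__ == "__main__":
    report = sweep_report("192.168.1.91-100", SAMPLE_SP_OUTPUT)
    for ip, name in report["up"].items():
        print(f"{ip:16} up   {name}")
    for ip in report["unanswered"]:
        print(f"{ip:16} no answer")
```

Run against the sample it prints the eight hosts and flags 192.168.1.95 and 192.168.1.99 as unanswered, the same conclusion drawn by eye above.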
Public web servers are almost always behind a firewall, so ping is usually blocked at the router or firewall, and ping alone cannot tell you whether the web server is active. Another technique is needed to find out whether the web server is alive. Consider this ping of a web server behind a firewall:
C:\> ping webserver
Pinging webserver [128.1.7.13] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 128.1.7.13:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
Nmap gets around this problem by probing a port the target host must keep open. If the target under investigation is a web server it will generally have port 80 (http) open, and by using port 80 you can tell whether the target host is alive or dead.
C:\> nmap -sP -PT80 128.1.7.13
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-09-26 16:42 SE Asia Standard Time
Host webserver (128.1.7.13) appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 3.890 seconds
C:\>
The -PT80 option says that port 80 is to be used for the TCP "ping". In Nmap 3.x, -PT sends a TCP ACK packet to that port; any reply, even the RST a closed port sends back, proves the host is up. Nmap's default port for -PT is 80, so you could write just -PT to get the same probe on port 80. If a stateful firewall drops unsolicited ACK packets, the SYN variant -PS80 is worth trying instead.
You can also test other common ports. If your target is a mail host, for example, test port 25 (SMTP) or port 110 (POP3), and so on.
3. Port Scanning
Port scanning is the process of connecting to the TCP or UDP ports of a target host to find out which services are running (listening). From the listening ports you can infer which applications, and often which operating system, the host runs. A listening service is also what gives an unauthorised person a way into the host.
To find out which ports a host is listening on, use:
C:\> nmap -sS 128.1.71.103
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on (128.1.71.103):
(The 1589 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
17/tcp     open        qotd
19/tcp     open        chargen
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
1026/tcp   open        LSA-or-nterm
1031/tcp   open        iad2
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
C:\>
The -sS option is Nmap's TCP SYN scan, used to detect open ports. The technique is often called half-open scanning because the TCP connection is never completed. The machine doing the scan sends a SYN packet to the target port: if a SYN|ACK comes back the port is open (listening); if a RST comes back the port is closed; if nothing comes back Nmap reports the port as filtered. On receiving the SYN|ACK your machine answers with a RST, tearing down the connection that almost came into being (hence "half open"), so the application behind the port never sees a completed connection and never logs one. That is why -sS is nicknamed the stealth scan. It is only stealthy against a host that does not record packet-level activity, though: a firewall, an IDS, or a kernel that logs incoming SYNs sees a SYN scan as clearly as any other.
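To make the contrast with the full connect() scan concrete (the -sT scan Nmap falls back to when it lacks privileges), here is an added Python example that is not from the original tutorial. It starts a throwaway TCP listener on the loopback address that records every peer whose handshake completes, the way a real daemon's access log would, then runs a connect() scan against that port and against a port known to be closed. The listener's log ends up holding the scanner's address, which is exactly why -sT is easy to detect; a SYN scan tears the connection down with a RST before accept() ever returns, so that log line is never written. The SYN scan itself needs raw sockets and is not reproduced here.

```python
import errno
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port.  Every peer whose three-way handshake
    completes is appended to `seen`, standing in for a real service's connection log."""
    seen = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:            # listener closed by the caller
                return
            seen.append(peer)          # the entry an access log would carry
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port, seen


def find_closed_port(host="127.0.0.1"):
    """Grab and release an ephemeral port so we have one that is almost certainly closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Emulate nmap -sT: one full connect() per port.  connect() succeeding means the
    handshake completed (open); ECONNREFUSED means a RST came back (closed); anything
    else, typically a timeout, means no answer at all (filtered)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            err = s.connect_ex((host, port))
        except (socket.timeout, OSError):
            err = errno.ETIMEDOUT
        finally:
            s.close()
        if err == 0:
            results[port] = "open"
        elif err == errno.ECONNREFUSED:
            results[port] = "closed"
        else:
            results[port] = "filtered"
    return results


def wait_for_log(seen, count, timeout=2.0):
    """Give the listener thread a moment to record the accepted connection(s)."""
    deadline = time.monotonic() + timeout
    while len(seen) < count and time.monotonic() < deadline:
        time.sleep(0.01)
    return len(seen) >= count


if __name__ == "__main__":
    srv, open_port, log = start_listener()
    closed_port = find_closed_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    wait_for_log(log, 1)
    print("listener logged:", log)   # the scanner's own address appears here
    srv.close()
```

The closed port answers with a RST, which the kernel surfaces as ECONNREFUSED; on a real network a port behind a dropping firewall would instead time out and be reported as filtered.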
To scan specific ports, use the -p option:
C:\> nmap -sS -p 21,23,25,53,80,110 adminristek
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-09-30 14:50 SE Asia Standard Time
Interesting ports on adminristek (128.1.9.81):
PORT     STATE   SERVICE
21/tcp   open    ftp
23/tcp   open    telnet
25/tcp   open    smtp
53/tcp   closed  domain
80/tcp   open    http
110/tcp  closed  pop-3
Nmap run completed -- 1 IP address (1 host up) scanned in 1.590 seconds
C:\>
Note that ports 53 and 110 are reported closed, not open.
More on Nmap's port-scanning types
Every administrator has a different security strategy, so the methods described above will not always work. Nmap itself offers several port-scanning techniques for different "battlefields"; it sometimes takes practice and a good deal of creativity to get past a defence without the owner noticing (which, again, we do not recommend). The options introduced above are the basic scan techniques; the following more advanced ones can be chosen to suit the situation:
a. -sT TCP connect scan
This scan connects to the target port and completes the three-way handshake (SYN, SYN/ACK, ACK). Because a full connection is established, it is easily detected by the target host's administrator: the application behind the port logs it as an ordinary connection.
b. -sS TCP SYN scan
This technique is known as half-open scanning because a full connection is never formed. A SYN packet is sent to the target port. If a SYN/ACK comes back from the target port, you can conclude that the port is listening. If a RST/ACK comes back, the port is usually not listening. The scanning machine then sends a RST so that the connection is never completed. This is less visible than a full connect and does not appear in the target's application logs, although packet filters and intrusion detection systems still see it.
c. -sF TCP FIN scan
This technique sends a FIN packet to the target port. According to RFC 793 the target host sends back a RST for every closed port and stays silent for open ones. This only works against RFC-compliant, mostly Unix-derived, TCP/IP stacks; Microsoft's stack answers every port with a RST, so against Windows all ports appear closed.
d. -sX TCP Xmas Tree scan
This technique sends a packet with the FIN, URG and PUSH flags set to the target port. According to RFC 793 the target host returns a RST for every closed port. The same stack caveat as the FIN scan applies.
e. -sN TCP Null scan
This technique turns off all flags. According to RFC 793 the target host sends back a RST for every closed port. Again, the same stack caveat applies.
f. -sA TCP ACK scan
This technique is used to map firewall rulesets. It helps determine whether the firewall is a simple packet filter that only lets established connections through (packets with the ACK bit set) or one that performs stateful packet filtering. A port that answers with a RST is "unfiltered" and one that stays silent is "filtered"; the ACK scan does not tell you whether a port is open.
g. -sW TCP Window scan
This technique can tell open ports from closed ones, as well as filtered from unfiltered, on certain systems such as AIX and FreeBSD, by exploiting an anomaly in the TCP window size they report.
h. -sR RPC scan
This technique is specific to Unix systems and is used to detect RPC ports and identify the RPC program and version number behind each of them.
i. -sU UDP scan
This technique sends a UDP packet to the target port. If the target answers with an ICMP "port unreachable" message the port is closed; if no such message arrives, Nmap 3.x concludes the port is open. Because UDP is connectionless, the accuracy of this technique depends on network conditions and on the target: silence may also mean a firewall dropped the probe, and many systems (Linux among them) rate-limit ICMP port-unreachable messages to about one per second, which is also why UDP scans are slow.
Whatever port-scanning technique you use, be careful with the target. Port-scanning a host you are not authorised to scan can provoke reactions you may not expect from its administrator: a counterattack, your account being blocked by your ISP, and so on. Test on your own systems instead.
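The flag-based scans in (b) through (f) differ only in which TCP flag bits the probe carries and in how the reply is interpreted. The Python below is an added example, not from the original tutorial: it builds a bare 20-byte TCP header for each probe type with a correct pseudo-header checksum, parses the flags back out, classifies a reply by the rules given above, and models how an RFC 793 stack and a Microsoft stack answer each probe, which is the caveat attached to the FIN, Xmas and Null scans. The addresses and ports used are made-up loopback values needed only for the checksum; nothing is sent on the wire.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag bits each scan type sets in its probe (the Null scan sets none at all).
PROBE_FLAGS = {
    "-sS": SYN,
    "-sA": ACK,
    "-sF": FIN,
    "-sX": FIN | PSH | URG,
    "-sN": 0,
}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words, as TCP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """The IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_probe(src_ip, dst_ip, src_port, dst_port, flags, seq=0, window=1024):
    """A 20-byte TCP header (no options) carrying `flags`, with a valid checksum."""
    offset_flags = (5 << 12) | (flags & 0x3F)          # data offset = 5 words
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_flags, window, 0, 0)
    csum = ones_complement_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, hdr):
    """With a correct checksum in place, the sum over pseudo-header + segment is zero."""
    return ones_complement_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def probe_flags(hdr):
    return struct.unpack("!H", hdr[12:14])[0] & 0x3F


def classify_reply(scan, reply_flags):
    """Port state derived from the reply's flag bits (None = no reply within the timeout)."""
    got = reply_flags or 0
    if scan == "-sS":
        if reply_flags is not None and got & SYN and got & ACK:
            return "open"
        return "closed" if got & RST else "filtered"
    if scan in ("-sF", "-sX", "-sN"):
        # RFC 793: RST for a closed port, silence for an open one.  Silence is also what
        # a dropping firewall produces, so later Nmap versions report "open|filtered"
        # here; Nmap 3.x simply printed "open".
        return "closed" if got & RST else "open|filtered"
    if scan == "-sA":
        # A RST from either an open or a closed port proves the packet got past the filter.
        return "unfiltered" if got & RST else "filtered"
    raise ValueError(scan)


def target_reply(stack, port_open, scan):
    """Model of how a target's stack answers a probe when no firewall is in the way.
    'rfc793' is the BSD/Unix behaviour; 'windows' is the Microsoft behaviour that makes
    FIN/Xmas/Null scans report every port as closed."""
    probe = PROBE_FLAGS[scan]
    if probe == SYN:
        return SYN | ACK if port_open else RST | ACK
    if probe == ACK:
        return RST
    if stack == "windows" or not port_open:
        return RST
    return None
```

Against an RFC 793 stack a FIN probe to an open port gets silence and is classified open|filtered, while the same probe to a Windows host gets a RST whether the port is open or not, so the scan is useless there, just as section (c) warns.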
4. Detecting the Operating System
The classic way to find out a host's operating system is simply to telnet to it and read the banner:
# telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12 ...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.
HP-UX hpux B.10.01 A 9000/715 (ttyp2)
login:
An experienced system administrator will not hand you a banner that names the operating system so readily; the banner is usually modified or removed. If that is the case, try another open service, such as FTP:
# telnet ftp.netscape.com 21
Trying 207.200.74.26 ...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
SYST
215 UNIX Type: L8 Version: SUNOS
But these defaults, too, are usually changed by the administrator, which is why hackers generally go straight to Nmap.
To detect the target's operating system you can start by analysing the port-scan results above. Open ports 135 and 139 together suggest Windows NT, which normally listens on both, whereas Windows 95/98 listens only on 139. Likewise the particular set of ports open on a Unix host hints at its type. Such inference is only a hint: a Linux host running Samba listens on 139 as well, as the adminristek example below shows.
The -O option is what actually detects the operating system type, using TCP/IP stack fingerprinting:
C:\> nmap -O ristbook
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on ristbook (128.1.71.103):
(The 1589 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
17/tcp     open        qotd
19/tcp     open        chargen
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
1026/tcp   open        LSA-or-nterm
1031/tcp   open        iad2
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or Win XP
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
C:\>
Here is an example of the results for a Linux host:
C:\> nmap -O adminristek
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-09-26 18:01 SE Asia Standard Time
Interesting ports on adminristek (128.1.9.81):
(The 1646 ports scanned but not shown below are in state: closed)
PORT      STATE  SERVICE
21/tcp    open   ftp
23/tcp    open   telnet
25/tcp    open   smtp
79/tcp    open   finger
80/tcp    open   http
98/tcp    open   linuxconf
113/tcp   open   auth
139/tcp   open   netbios-ssn
513/tcp   open   login
514/tcp   open   shell
1984/tcp  open   BigBrother
Device type: general purpose
Running: Linux 2.1.x|2.2.x
OS details: Linux 2.1.19 - 2.2.25, Linux 2.2.19 on a DEC Alpha
Nmap run completed -- 1 IP address (1 host up) scanned in 12.020 seconds
C:\>
Here is an example of the results for a Cisco 1750 router:
C:\> nmap -sS -O 128.1.8.5
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-09-30 15:18 SE Asia Standard Time
Interesting ports on 128.1.8.5:
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE  SERVICE
23/tcp   open   telnet
79/tcp   open   finger
Device type: router|switch
Running: Cisco IOS 11.x
OS details: Cisco switches/routers with IOS 11.1(7)-11.2(8.10), Cisco Router/Switch with IOS 11.2
Nmap run completed -- 1 IP address (1 host up) scanned in 30.160 seconds
C:\>
If the target host blocks ping and only port 80 (http) is reachable, combine -O with a TCP ping on that port so that Nmap knows the host is up and goes on to scan and fingerprint it:
C:\> nmap -O -PT80 webserver
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-09-26 18:55 SE Asia Standard Time
Interesting ports on webserver (128.1.7.13):
(The 1647 ports scanned but not shown below are in state: closed)
PORT      STATE  SERVICE
25/tcp    open   smtp
80/tcp    open   http
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
445/tcp   open   microsoft-ds
1027/tcp  open   IIS
1433/tcp  open   ms-sql-s
1503/tcp  open   imtc-mcs
1720/tcp  open   H.323/Q.931
3372/tcp  open   msdtc
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP
Nmap run completed -- 1 IP address (1 host up) scanned in 7.520 seconds
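As an added example that is not part of the original tutorial, the Python below parses Nmap 3.x normal output into a structured record (target, port table, -O lines), applies the port-based rule of thumb from the start of this section (135 and 139 open suggests the NT family, 139 alone suggests Windows 9x), and compares that hint with the -O fingerprint. The two embedded samples are constructed from the ristbook and adminristek runs on this page, trimmed to a few ports. The second sample shows the weakness of the port heuristic: Samba on port 139 makes the Linux host look like Windows 9x, while the stack fingerprint correctly says Linux.

```python
import re

# Constructed samples, re-typed from this page's ristbook and adminristek runs and
# trimmed to a few ports (Nmap 3.x normal-output format).
WINDOWS_SCAN = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on ristbook (128.1.71.103):
(The 1589 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or Win XP
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
"""

LINUX_SCAN = """\
Interesting ports on adminristek (128.1.9.81):
(The 1646 ports scanned but not shown below are in state: closed)
PORT     STATE  SERVICE
21/tcp   open   ftp
98/tcp   open   linuxconf
139/tcp  open   netbios-ssn
513/tcp  open   login
Device type: general purpose
Running: Linux 2.1.x|2.2.x
OS details: Linux 2.1.19 - 2.2.25, Linux 2.2.19 on a DEC Alpha
"""

# "Interesting ports on name (ip):", "Interesting ports on (ip):" and "Interesting ports on ip:"
TARGET_RE = re.compile(r"^Interesting ports on (?:(?P<name>\S+) )?\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?:$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S.*?)\s*$")
OS_RE = re.compile(r"^(?P<key>Remote operating system guess|Device type|Running|OS details):\s*(?P<val>.+?)\s*$")


def parse_scan(output):
    """Turn one host's normal-output block into {target, ports, os}."""
    scan = {"target": None, "ports": [], "os": {}}
    for raw in output.splitlines():
        line = raw.strip()
        if (m := TARGET_RE.match(line)):
            scan["target"] = m["ip"]
        elif (m := PORT_RE.match(line)):
            scan["ports"].append({"port": int(m["port"]), "proto": m["proto"],
                                  "state": m["state"], "service": m["service"]})
        elif (m := OS_RE.match(line)):
            scan["os"][m["key"]] = m["val"]
    return scan


def open_tcp_ports(scan):
    return {p["port"] for p in scan["ports"] if p["proto"] == "tcp" and p["state"] == "open"}


def os_hint_from_ports(open_tcp):
    """The rule of thumb from the text: 135 and 139 both listening suggests the NT
    family; 139 alone suggests Windows 95/98; anything else gives no hint."""
    if {135, 139} <= open_tcp:
        return "windows-nt"
    if 139 in open_tcp:
        return "windows-9x"
    return None


def fingerprint_family(scan):
    """Coarse family taken from the -O lines, so the two methods can be compared."""
    text = " ".join(scan["os"].values()).lower()
    for family in ("linux", "windows", "cisco"):
        if family in text:
            return family
    return None


def cross_check(scan):
    """Does the port heuristic agree with the stack fingerprint?  None if either is missing."""
    hint = os_hint_from_ports(open_tcp_ports(scan))
    fp = fingerprint_family(scan)
    agree = None if hint is None or fp is None else hint.startswith(fp)
    return {"target": scan["target"], "port_hint": hint, "fingerprint": fp, "agree": agree}


if __name__ == "__main__":
    for sample in (WINDOWS_SCAN, LINUX_SCAN):
        print(cross_check(parse_scan(sample)))
```

For ristbook both methods say Windows; for adminristek the port hint says Windows 9x and the fingerprint says Linux, and it is the fingerprint that is right.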
Original source: http://jhezer.web.id/tutorial-nmap/
