Thursday, February 09, 2006

Trying Nmap 4.00

Several days ago, I read the announcement of the Nmap 4.00 release. According to that announcement, at least 200 fixes and features were added to this version compared to Nmap 3.50. Fyodor also said this version has many performance improvements, so I couldn't resist downloading the newest version.

Last night, I installed it on my machine.

When I first tried to run it:
# nmap localhost

It complained about a DNS server problem.

Starting Nmap 4.00 ( http://www.insecure.org/nmap/) at 2006-02-02 00:06 WIT
Unable to determine any DNS servers. Try using --system_dns or specify valid servers with --dns_servers
QUITTING!
I fired up the manual page:
$ man nmap

Fortunately I didn't have to read the whole manual; my eyes caught something interesting about the -n option (Never do DNS resolution). Cha-ching.

Notes (as of Feb 8, 2006):
Last night, I checked my /etc/resolv.conf file and it looked like there was no nameserver. So I set up the nameserver and I didn't need to specify the -n option anymore.
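The resolv.conf check described above can be automated. The following is an added example, not code from the original post or from the Nmap project: it parses resolv.conf-style text the way the resolver does (lines starting with "#" or ";" are comments, a server is a "nameserver <ip>" line) and only adds -n when no usable nameserver is configured, so a scan neither aborts with "Unable to determine any DNS servers" nor silently skips reverse lookups when a resolver is available. The two resolv.conf samples are constructed; the function names are my own.

```python
"""Decide whether an nmap run needs -n, based on /etc/resolv.conf contents.

Added example (not from the original post or the Nmap project). If resolv.conf
configures no usable nameserver, Nmap 4.00 aborts with "Unable to determine any
DNS servers"; passing -n (never do DNS resolution) avoids that. The sample
resolv.conf texts at the bottom are constructed for this example.
"""
import ipaddress
from typing import List


def configured_nameservers(resolv_text: str) -> List[str]:
    """Return the nameserver addresses found in resolv.conf-style text.

    resolv.conf treats lines whose first column is '#' or ';' as comments, and
    a nameserver entry is 'nameserver <ip>'. Entries that are not valid IP
    addresses are ignored, since the resolver would not use them either.
    """
    servers = []
    for raw in resolv_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] != "nameserver" or len(fields) < 2:
            continue
        try:
            servers.append(str(ipaddress.ip_address(fields[1])))
        except ValueError:
            continue  # malformed address: skip it
    return servers


def nmap_argv(targets: List[str], resolv_text: str) -> List[str]:
    """Build an argv for a basic nmap run, adding -n when no resolver is configured."""
    argv = ["nmap"]
    if not configured_nameservers(resolv_text):
        argv.append("-n")  # no DNS server: skip reverse resolution instead of aborting
    return argv + list(targets)


# Constructed samples: an empty resolver config (the situation in the post) and
# one with a working nameserver, a comment, a malformed entry and a search line.
EMPTY_RESOLV_CONF = "# Generated by hand\n\n"
GOOD_RESOLV_CONF = (
    "; local resolver\n"
    "nameserver 192.168.198.2\n"
    "nameserver not-an-ip\n"
    "search example.test\n"
)

if __name__ == "__main__":
    # In real use, read the text with open("/etc/resolv.conf").read().
    print(" ".join(nmap_argv(["localhost"], EMPTY_RESOLV_CONF)))
    print(" ".join(nmap_argv(["192.168.198.128"], GOOD_RESOLV_CONF)))
```

With the empty sample the helper yields `nmap -n localhost`; with the good sample it yields `nmap 192.168.198.128` and leaves name resolution on.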

I ran nmap again, but this time I chose another machine as the target:
# nmap -sV -O 192.168.x.y

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-02 00:10 WIT
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.x.y are: closed
MAC Address: aa:bb:cc:dd:ee:ff
Device type: general purpose
Running: Apple Mac OS X 10.1.X, Apple Mac OS 8.X, FreeBSD 5.X|6.X
Too many fingerprints match this host to give specific OS details

Nmap finished: 1 IP address (1 host up) scanned in 11.046 seconds

An interesting new feature is that you can now change some options while nmap is running (this is called runtime interaction). To see the supported keys, press "?" and it will display information like this:

Interactive keyboard commands:
? Display this information
v/V Increase/decrease verbosity
d/D Increase/decrease debugging
p/P Enable/disable packet tracing
anything else Print status
More help: http://www.insecure.org/nmap/man/man-runtime-interaction.html

I played a little with the verbosity level. I set it to level 5 (by pressing the "v" key 5 times):

# nmap -sV -O -P0 192.168.198.128

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-08 23:32 WIT
Verbosity Increased to 1.
Verbosity Increased to 2.
Verbosity Increased to 3.
Verbosity Increased to 4.
Verbosity Increased to 5.
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 1, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan against 192.168.198.128 [1672 ports] at 23:33
Increasing send delay for 192.168.198.128 from 0 to 5 due to max_successful_tryno increase to 4
The SYN Stealth Scan took 10.27s to scan 1672 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 192.168.198.128 appears to be up ... good.
All 1672 scanned ports on 192.168.198.128 are: closed
MAC Address: 00:0C:29:C0:60:1A (VMware)
Device type: general purpose
Running: Apple Mac OS X 10.1.X, Apple Mac OS 8.X, FreeBSD 5.X|6.X
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=4.00%P=i686-pc-linux-gnu%D=2/8%Tm=43EA1D4E%O=-1%C=1%M=000C29)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Nmap finished: 1 IP address (1 host up) scanned in 23.918 seconds
Raw packets sent: 1912 (76.8KB) | Rcvd: 1677 (77.1KB)

Another interesting interactive command is p (for packet tracing; the output looks like our old beloved tcpdump output):

# nmap -sV -O -P0 192.168.198.128

Packet Tracing enabled
SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:158 S ttl=41 id=53246 iplen=40 seq=1815539322 win=2048
SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:164 S ttl=43 id=44916 iplen=40 seq=1815539322 win=4096
SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:740 S ttl=58 id=19079 iplen=40 seq=1815539322 win=3072
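Packet-trace output like the above is useful for confirming what the scanner actually put on the wire, which is also what a defender sees in a capture. The following is an added example, not code from the original post or from the Nmap project: it parses the SENT lines into structured records and summarizes how the probe headers vary. The line format is inferred from the three lines shown in the post and is an assumption, not a specification of Nmap's trace output; those three lines are reused as the sample input. With them it shows that the SYN probes hit ports in a non-sequential order (158, 164, 740), that TTL and window size differ from probe to probe, and that all three share one sequence number.

```python
"""Parse nmap packet-trace SENT/RCVD lines into structured records.

Added example (not from the original post or the Nmap project). The regex
below is inferred from the three trace lines shown in the post and is an
assumption about the output format; the sample lines are the post's own.
"""
import re
from typing import Dict, List, Optional

TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<time>\d+\.\d+)s\) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>\S+)(?P<kv>(?: \w+=\S+)*)$"
)

# Sample input: the packet-trace lines from the post (the first is not a packet line).
SAMPLE_TRACE = [
    "Packet Tracing enabled",
    "SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:158 S ttl=41 id=53246 iplen=40 seq=1815539322 win=2048",
    "SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:164 S ttl=43 id=44916 iplen=40 seq=1815539322 win=4096",
    "SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:740 S ttl=58 id=19079 iplen=40 seq=1815539322 win=3072",
]


def parse_trace_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for one packet-trace line, or None if the line is not one."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "dir": m.group("dir"),
        "time": float(m.group("time")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
    }
    # Trailing key=value fields (ttl, id, iplen, seq, win, ...) become entries too.
    for kv in m.group("kv").split():
        key, value = kv.split("=", 1)
        rec[key] = int(value) if value.isdigit() else value
    return rec


def summarize_probes(lines: List[str]) -> Dict[str, object]:
    """Summarize the SENT probes: ports touched and how the header fields vary."""
    recs = [r for r in map(parse_trace_line, lines) if r and r["dir"] == "SENT"]
    return {
        "count": len(recs),
        "dports": [r["dport"] for r in recs],           # order the probes went out
        "ttls": sorted({r["ttl"] for r in recs}),       # distinct TTLs used
        "wins": sorted({r["win"] for r in recs}),       # distinct window sizes
        "seqs": sorted({r["seq"] for r in recs}),       # distinct sequence numbers
        "flags": sorted({r["flags"] for r in recs}),
    }


if __name__ == "__main__":
    for key, value in summarize_probes(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The same parser accepts RCVD lines of the same shape, so it can be pointed at a full trace to pair responses with probes by port.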


Pressing any key besides the ones listed in the interactive keyboard commands will display the current status. Here I used the spacebar:

# nmap -sV -O -P0 192.168.198.128

System DNS resolution Timing: About 0.00% done; ETC: 20:11 (596:31:18 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (0 up), 0 undergoing ARP Ping Scan
System DNS resolution Timing: About 0.00% done; ETC: 20:11 (596:31:13 remaining)
Stats: 0:00:18 elapsed; 1 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 52.58% done; ETC: 23:40 (0:00:04 remaining)
