July 15, 2007

Network Scanning with NMAP

NMAP, developed by Fyodor, is one of those rare tools that can be used by IT
professionals regardless of the specialization that they have chosen (i.e. system
administrator, network engineer, security consultant, etc…)

If you are not familiar with nmap, a simple definition is that it is a network
scanning tool. The beauty of the tool is the countless options
that accompany it. As a security consultant I use nmap for information
gathering during security assessments and penetration tests. The
default scan configuration for nmap is very thorough (it probes well over a thousand ports per host) and can take quite some time. Fyodor
gave a lecture about nmap at Defcon one year and gave people ideas for speeding up scanning. I
took a lot away from that lecture and currently use nmap as seen below when I am performing
host discovery:
nmap -oX C:scan.xml -P0 -sS -p80,25,22,443,21,113,23,53,554,3389,1723 -n target

What it all means:

-oX C:scan.xml: Write the results as XML to the named file, so they can be parsed
by a script or imported into other tools later instead of being read off the screen.

-P0: Do not ping;
treat all hosts as alive. Newer nmap releases spell this option -Pn (-P0 is the
older name). Because no host is skipped, every address in the range gets the port
probes, so an address that shows only filtered ports has not actually been proven alive.

-sS: Perform a
TCP SYN (half-open) scan. This needs raw-socket privileges: root on Linux, or
Administrator plus a packet-capture driver such as WinPcap on Windows.

-p: Specifies which
ports to scan. The numbers following are services commonly found within a network:
HTTP, SMTP, SSH, HTTPS, FTP, ident, telnet, DNS, RTSP, RDP and PPTP.

-n: Do not perform
a reverse DNS lookup on each address, which saves a lot of time over a large range.

target:
The target to scan. This can be a single IP or a list of IPs. It can be a
range using octet ranges such as 172.16.0.0-255, or CIDR notation such as 172.16.0.0/24.

Although these are common ports, this is not to say that they are definitive,
and if you are working with a client to perform either an assessment or penetration
test you should adjust the port numbers to coincide with their environment.
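As an added example that is not part of Jason's post, the script below builds the command line above as an argv list and then parses the XML that -oX writes, using a constructed sample of that output rather than a real scan. It makes one point the post leaves implicit: with -P0 every address comes back with status "up", so the parser judges liveness by whether a probed port answered with SYN/ACK (open) or RST (closed) rather than by the status flag. The helper names, the sample addresses and the run_discovery wrapper are assumptions of mine.

```python
"""Added example (not code from the original post): build the host-discovery
command from the post and triage the -oX output it produces.

SAMPLE_XML below is constructed to mimic nmap's XML output; it did not come
from a real scan, and the addresses in it are illustrative.
"""
import ipaddress
import subprocess
import xml.etree.ElementTree as ET

# The port list from the post.  Adjust it to the client's environment.
DISCOVERY_PORTS = [80, 25, 22, 443, 21, 113, 23, 53, 554, 3389, 1723]


def host_discovery_cmd(target, xml_out, ports=DISCOVERY_PORTS):
    """Return the argv equivalent of the command line in the post.

    -Pn is the current spelling of the post's -P0.  -sS needs raw-socket
    privileges (root, or Administrator with a capture driver on Windows).
    """
    return ["nmap", "-Pn", "-oX", xml_out, "-sS", "-n",
            "-p", ",".join(str(p) for p in ports), target]


def triage(xml_text):
    """Map each scanned address to (verdict, sorted list of open ports).

    Because -P0/-Pn skips the ping, nmap marks every address 'up', so that
    status is meaningless.  Real evidence that a host exists is a port
    answering with SYN/ACK ('open') or RST ('closed'); an address whose
    probed ports were all 'filtered' (no reply) is not proven alive.
    """
    root = ET.fromstring(xml_text)
    verdicts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports, saw_rst = [], False
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state == "open":
                open_ports.append(int(port.get("portid")))
            elif state == "closed":
                saw_rst = True
        # nmap collapses runs of same-state ports into <extraports>.
        for extra in host.findall("ports/extraports"):
            if extra.get("state") == "closed" and int(extra.get("count")) > 0:
                saw_rst = True
        if open_ports:
            verdict = "alive (open ports)"
        elif saw_rst:
            verdict = "alive (RST only)"
        else:
            verdict = "unknown (all filtered)"
        verdicts[addr] = (verdict, sorted(open_ports))
    return verdicts


def alive_hosts(xml_text):
    """Addresses worth carrying into the next phase, in numeric order."""
    return sorted((a for a, (v, _) in triage(xml_text).items()
                   if v.startswith("alive")), key=ipaddress.ip_address)


def run_discovery(target, xml_out="scan.xml"):
    """Run the scan for real (needs nmap and privileges) and triage it."""
    subprocess.run(host_discovery_cmd(target, xml_out), check=True)
    with open(xml_out, encoding="utf-8") as f:
        return triage(f.read())


# Constructed sample of -oX output for three addresses in 172.16.0.0/24.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sS -n -p80,25,22,443,21,113,23,53,554,3389,1723 172.16.0.0/24">
  <host><status state="up" reason="user-set"/>
    <address addr="172.16.0.5" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="9"/>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up" reason="user-set"/>
    <address addr="172.16.0.9" addrtype="ipv4"/>
    <ports><extraports state="closed" count="11"/></ports>
  </host>
  <host><status state="up" reason="user-set"/>
    <address addr="172.16.0.200" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="11"/></ports>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    print(" ".join(host_discovery_cmd("172.16.0.0/24", "scan.xml")))
    for addr, (verdict, ports) in triage(SAMPLE_XML).items():
        print(f"{addr:15} {verdict:24} {ports}")
```

The "RST only" verdict is the one people miss: a host with none of the eleven ports open is still a live machine if its stack answered with resets, and it belongs on the target list for a fuller port scan. Only the all-filtered addresses remain genuinely unknown, and those are the ones to revisit with different probes or ports.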

To list all of the other interesting abilities and options found in nmap is
a little outside the scope of this blog. I suggest that you download
nmap (available for Linux and Windows) and read the man page or the documentation.
NMAP and related documentation can be found at:

http://www.insecure.org/nmap

-Jason Pieters