an ethical hacking view of nmap
This article was linked off of slashdot this morning .. great read for those wanting a nice detailed explanation of nmap and its uses (ethical or otherwise).
From the conclusion:
This should give you a great running start with Nmap. We covered not only what each scan does, but, more importantly, we gave you some valuable insight as to what an ethical hacker should be thinking when scanning. If the bad guys are thinking it, then you should, too. In Part 2 we will discuss all the special options we can add to our Nmap scans to really bring it to a much higher level.
One of the most useful scan types that I use on a regular basis is the RPC scan (-sR). Here is sample output that one might expect to see from a scan of this type:
murex@lepus:~$ sudo nmap -n -v -sR 192.168.1.XX
Starting Nmap 4.20 ( http://insecure.org ) at 2007-09-03 12:02 CDT
Initiating ARP Ping Scan at 12:02
Scanning 192.168.1.XX [1 port]
Completed ARP Ping Scan at 12:02, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:02
Scanning 192.168.1.XX [1697 ports]
Discovered open port 22/tcp on 192.168.1.XX
Discovered open port 427/tcp on 192.168.1.XX
Discovered open port 445/tcp on 192.168.1.XX
Discovered open port 548/tcp on 192.168.1.XX
Discovered open port 3689/tcp on 192.168.1.XX
Discovered open port 5900/tcp on 192.168.1.XX
Discovered open port 139/tcp on 192.168.1.XX
Completed SYN Stealth Scan at 12:02, 9.93s elapsed (1697 total ports)
Initiating RPCGrind Scan against 192.168.1.XX at 12:02
Completed RPCGrind Scan against 192.168.1.XX at 12:02, 3.03s elapsed (7 ports)
Host 192.168.1.XX appears to be up ... good.
Interesting ports on 192.168.1.XX:
Not shown: 1398 closed ports, 292 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh
139/tcp open netbios-ssn
427/tcp open svrloc
445/tcp open microsoft-ds
548/tcp open afpovertcp
3689/tcp open rendezvous
5900/tcp open vnc
MAC Address: 00:16:CB:A8:C1:BA (Apple Computer)
Nmap finished: 1 IP address (1 host up) scanned in 13.701 seconds
Raw packets sent: 2841 (125.002KB) | Rcvd: 1406 (64.672KB)
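As an added example (not from the original post or the linked article), a small Python parser for the nmap normal output above: it pulls out the port table, the "Discovered open port" progress lines and the "Not shown" counts, then cross-checks that they agree, a useful sanity test when scan output is archived or diffed for an inventory baseline. The sample text is the page's own output (host redacted as on the page); the function names are mine.

```python
import re
# Sample nmap 4.20 normal output, taken from the scan shown on this page.
SAMPLE = """\
Scanning 192.168.1.XX [1697 ports]
Discovered open port 22/tcp on 192.168.1.XX
Discovered open port 427/tcp on 192.168.1.XX
Discovered open port 445/tcp on 192.168.1.XX
Discovered open port 548/tcp on 192.168.1.XX
Discovered open port 3689/tcp on 192.168.1.XX
Discovered open port 5900/tcp on 192.168.1.XX
Discovered open port 139/tcp on 192.168.1.XX
Not shown: 1398 closed ports, 292 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh
139/tcp open netbios-ssn
427/tcp open svrloc
445/tcp open microsoft-ds
548/tcp open afpovertcp
3689/tcp open rendezvous
5900/tcp open vnc
"""

SCANNED = re.compile(r"^Scanning \S+ \[(\d+) ports\]")
DISCOVERED = re.compile(r"^Discovered open port (\d+/(?:tcp|udp))")
NOT_SHOWN = re.compile(r"(\d+) (closed|filtered) ports")
PORT_ROW = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")
def parse_nmap(text):
    """Extract port table, 'Discovered' lines and 'Not shown' counts from nmap text output."""
    out = {"scanned": None, "discovered": set(), "not_shown": {}, "ports": {}}
    for line in text.splitlines():
        if m := SCANNED.match(line):
            out["scanned"] = int(m.group(1))
        elif m := DISCOVERED.match(line):
            out["discovered"].add(m.group(1))
        elif m := PORT_ROW.match(line):
            port, state, service = m.groups()
            out["ports"][port] = {"state": state, "service": service}
        elif line.startswith("Not shown:"):
            out["not_shown"] = {s: int(c) for c, s in NOT_SHOWN.findall(line)}
    return out

def consistency_errors(parsed):
    """Open ports in the table must match the 'Discovered' lines, and table + 'Not shown' must equal ports scanned."""
    errors = []
    table_open = {p for p, v in parsed["ports"].items() if v["state"] == "open"}
    if table_open != parsed["discovered"]:
        errors.append("open ports differ: %s" % sorted(table_open ^ parsed["discovered"]))
    total = len(parsed["ports"]) + sum(parsed["not_shown"].values())
    if parsed["scanned"] is not None and total != parsed["scanned"]:
        errors.append("port count %d != %d scanned" % (total, parsed["scanned"]))
    return errors
```

For the page's output both checks pass (1398 + 292 + 7 = 1697); a dropped or truncated table row shows up as a mismatch on both counts.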
As the article says, this is Part 1 of 2 .. should prove to be a very good read in its entirety. If you are an “old hat” at nmap, give it a go .. I got some new ideas out of it, as well as a better idea of when and where I should be using the different scan types.