Nmap for n00bs (Part 3) Fumbling toward a hacker’s-eye view of your network

Recap: Part 1 introduced port scanners in general, and Nmap in particular. You learned where to get Nmap for free, and you installed it. In Part 2, you learned your network IP address and used Nmap to count the active devices on your network. Now, in the series’ conclusion, you’re ready to port scan your network and interpret the results.

Nmap has many powerful options. However, you probably don’t have time to learn all of Nmap’s features right now. So we’ll just show you a single big ol’ Nmap command, with some options switched on, that should provide almost all you want to know about your local network. Think of this command as “Nmap’s greatest hits.”

Here it is:

Nmap -P0 -sS -sV -O 192.168.111.0/24 > output.txt

As usual, when you try this command, replace our sample network’s IP address with your own network IP. You can also change “output.txt” to any filename you like. You’re naming the file where Nmap will record the output from this scan.

What does each parameter in the command do? Briefly:

  • -P0. This switch tells Nmap not to ping a host before scanning it. As we alluded to when we described ping in Part 2, in some exceptional cases a computer that is active won’t respond to ping (for example, when guarded by a firewall). Smart little Nmap can still find these stealth computers without relying on ping. (Newer Nmap releases spell this option -Pn; they still accept -P0 as the older name for the same thing.)
  • -sS. This switch tells Nmap to perform a SYN-based port scan. SYN is short for “synchronize,” the first packet sent when one computer tries to connect to another using TCP. A SYN-based port scan is the most common method, among many possible methods.
  • -sV. This switch tells Nmap to attempt to find the service and version information of the ports it finds open. For instance, if Nmap learns port 80 is open, it tries to discern which web server runs on that port, as well as what version. Think of these as very educated guesses. Nmap is not always right.
  • -O. This switch tells Nmap to guess what operating system is running on any computer it scans. This, too, is a very informed estimate, not necessarily rock-solid truth.

We assume that as your company’s network administrator, you have senior management’s permission to perform analytical operations on your network. If not, this type of Nmap scan can be interpreted as a hostile or provocative action, so go no farther without authorization. But if you are authorized, we encourage you to try this command now.

Type the command above in your command prompt (carefully…remember, syntax matters!) and press Enter. Depending on the size of your network, and speed of your computer, this command could complete in a minute, an hour, or longer.

When the command completes, you see a new command prompt. But you won’t see any obvious results. That’s because you redirected the results to a text file called output.txt (or whatever you renamed it). To see Nmap’s results, open output.txt in a text editor. If you followed the default install in Part 1, you’ll find output.txt in c:\program files\nmap.

Interpreting the Results of Your Scan

You just scanned your whole network, so your results could be lengthy, depending on how many active hosts are on your network. Rather than describing the entire result at once, let’s take it a chunk at a time.

If you click this link for Figure 2, you’ll see a sample representing results from the Nmap scan you just performed. This excerpt contains Nmap’s results for one host on our sample network. Once you understand how to read this one excerpt, you’ll be able to read the rest of Nmap’s results. So click the link and follow along with our commentary.

The first line of this excerpt tells you that the following result correlates to the IP address, 192.168.39.1.

The second line of this excerpt says that Nmap scanned 1,659 of that host’s ports during the scan. Yes, you’re right: 1,659 is fewer than a host’s potential 65,535 ports. To save time, by default Nmap scans only the common, well-known ports. You can force Nmap to scan all 65,535 ports if you like. However, scans that large take an extremely long time. And really, scanning the well-known ports usually tells you all you need to know about that host.

The third line of this excerpt lists four column headings: PORT, STATE, SERVICE, and VERSION. Here’s what each heading means:

  • The PORT column represents the ports (and protocols) Nmap found on the sample host, 192.168.39.1.
  • The STATE column tells you whether each port is open, or in some other intermediate, not-quite-open state (stealth). You will never see closed ports in Nmap’s results. Nmap doesn’t display the port if it’s closed.
  • The SERVICE column tells you the well-known network service that usually resides on that port. It displays the service either by formal protocol name, or in a sort of technical shorthand. You will recognize some of these services, such as HTTP, SMTP, and FTP, from your network experience. With over a thousand possible services, you won’t recognize them all. But you have a few options to help you learn what a service is. First, in Nmap’s c:\program files\nmap directory, you can open a file named nmap-services in any text editor to read all the services Nmap recognizes. This list contains a longer description of most of the services that appear in the SERVICE column. If you still don’t recognize a service by either its shorthand or its longer description, look both up using Google. You typically find a hundred sites that explain what that service does.
  • The VERSION column tells you what specific program the host you scanned uses to control the service in question. It also attempts to tell you that program’s version.

Now that you know what each heading is, you should be able to interpret much of what follows. A new line appears under these four headings for each open port on a scanned host.

Let’s practice interpreting a few random lines from our sample excerpt. First:

25/tcp open smtp Microsoft ESMTP 5.0.2195.6713 

This line tells you that the host Nmap scanned has port 25 open. Port 25 is the SMTP, or email, service port. Nmap thinks the host is probably running Microsoft’s ESMTP Mail Server, version 5.0.2195.6713.

Second example:

80/tcp open http Microsoft IIS webserver 5.0 

In this line, we learn that port 80, the HTTP or web service port, is open on the scanned host. According to Nmap’s best guess, this port is probably running Microsoft’s IIS version 5.0 Web server. This is not really rocket science, huh?

After all the lines that follow the PORT, STATE, SERVICE, VERSION columnar format, you eventually come to lines that no longer follow this format. You’ll see a line that tells you the MAC address of the host that was scanned. In our example, the host uses a 3COM network card.

The next line tells you the type of device you most likely scanned. So far, we’ve referred to the IP we scanned as a “host” because we don’t know if it’s a computer, a printer, a specialized network device, or what — until now, that is. The “Device Type” line tells you what device Nmap thinks it’s found. Our example says “general purpose,” which typically indicates a computer.

Finally, the remaining lines tell you what operating system Nmap thinks is running on this computer. Nmap thinks this computer runs either Windows ME, 2000, or XP.

And that is enough to get you started. You now can interpret Nmap’s port scan results. Sure, if you have a large network, you may have hundreds of excerpts like this. But you interpret them all the same way. Lather, rinse, repeat.

Are you now a port scanning expert? Well, hardly. Our hope is that this small amount of interaction with Nmap has torn away any intimidating mystique that command line tools might have held for you. We hope it’s whet your appetite to learn more.

Scan on a regular, recurring basis until you have a feel for what’s normal on your network. Read up on results that puzzle you. Then you’ve dramatically increased your likelihood of spotting interlopers — and it didn’t take a penny out of your department’s budget.
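The PORT/STATE/SERVICE/VERSION table, the MAC address, device type and OS lines described above are all plain text, so the “lather, rinse, repeat” work of reading hundreds of excerpts, and the recurring scans just recommended, can be automated. The script below is an added example, not code from the article or from the Nmap project: it parses the text Nmap writes to output.txt into one record per host, then diffs a baseline scan against a later one to flag new hosts and newly open ports. The two scan texts embedded in it are constructed to look like the excerpt described above (the IP addresses, MAC, ports and versions are invented sample values), and the exact header wording (“Interesting ports on …” in older Nmap, “Nmap scan report for …” in newer ones) is handled for both forms.

```python
"""Parse Nmap's plain-text ("normal") output and diff two scans.

Added example, not the article's or Nmap's own code. Sample scan text below is
constructed to resemble the excerpt the article walks through.
"""
import re

# Constructed baseline scan of one host (invented values).
BASELINE_SCAN = """\
Interesting ports on 192.168.39.1:
Not shown: 1657 closed ports
PORT     STATE SERVICE VERSION
25/tcp   open  smtp    Microsoft ESMTP 5.0.2195.6713
80/tcp   open  http    Microsoft IIS webserver 5.0
MAC Address: 00:01:02:AA:BB:CC (3com)
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
"""

# Constructed later scan: one extra open port on the known host, plus a new host.
LATER_SCAN = """\
Interesting ports on 192.168.39.1:
Not shown: 1656 closed ports
PORT     STATE SERVICE      VERSION
25/tcp   open  smtp         Microsoft ESMTP 5.0.2195.6713
80/tcp   open  http         Microsoft IIS webserver 5.0
3389/tcp open  ms-term-serv?
MAC Address: 00:01:02:AA:BB:CC (3com)
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP

Interesting ports on 192.168.39.77:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.9p1
MAC Address: 00:0C:29:11:22:33 (VMware)
Device type: general purpose
Running: Linux 2.4.X|2.6.X
"""

# Host header as written by old ("Interesting ports on x:") and new ("Nmap scan report for x") Nmap.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
# One row of the PORT STATE SERVICE VERSION table; VERSION is optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?$")


def parse_nmap_output(text):
    """Return {ip: {ports, mac, vendor, device_type, os}} from Nmap normal output."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:  # a new host excerpt begins
            current = {"ip": m.group(1), "ports": {}, "mac": None,
                       "vendor": None, "device_type": None, "os": None}
            hosts[current["ip"]] = current
            continue
        if current is None:
            continue  # banner lines before the first host
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current["ports"][(int(port), proto)] = {
                "state": state, "service": service, "version": (version or "").strip()}
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group(1), m.group(2)
        elif line.startswith("Device type:"):
            current["device_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Running:"):
            current["os"] = line.split(":", 1)[1].strip()
    return hosts


def parse_nmap_file(path):
    """Convenience wrapper for the output.txt the article's command produces."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_nmap_output(fh.read())


def diff_scans(baseline, later):
    """What changed between two parsed scans: hosts that appeared or vanished,
    and ports newly open or newly gone on hosts present in both."""
    changes = {"new_hosts": sorted(set(later) - set(baseline)),
               "missing_hosts": sorted(set(baseline) - set(later)),
               "new_ports": [], "closed_ports": []}
    for ip in sorted(set(baseline) & set(later)):
        before, after = baseline[ip]["ports"], later[ip]["ports"]
        for key in sorted(set(after) - set(before)):
            changes["new_ports"].append((ip, f"{key[0]}/{key[1]}", after[key]["service"]))
        for key in sorted(set(before) - set(after)):
            changes["closed_ports"].append((ip, f"{key[0]}/{key[1]}", before[key]["service"]))
    return changes


if __name__ == "__main__":
    base, later = parse_nmap_output(BASELINE_SCAN), parse_nmap_output(LATER_SCAN)
    for ip, h in later.items():
        print(f"{ip}: {h['device_type']}, {h['os']}, {len(h['ports'])} open port(s)")
    for kind, items in diff_scans(base, later).items():
        for item in items:
            print(f"{kind}: {item}")
```

To use it on real scans, save each run to its own file (the article’s `> output.txt` redirection works; so does Nmap’s `-oN filename` option), call `parse_nmap_file` on the old and new files, and review whatever `diff_scans` reports. A host or port that appears between runs is exactly the kind of “puzzling result” worth reading up on.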


One Response to Nmap for n00bs (Part 3) Fumbling toward a hacker’s-eye view of your network

  1. Larry says:

    Good article! What/how could I monitor for nmap scans (assuming these are being used maliciously)? Is it easy to do?
