Thursday, October 2, 2014

nmap Run Time Interaction

Even if you've only been in network security a short time, you've probably come across nmap by now, the port scanner written by Fyodor (Gordon Lyon). It's been around a long time and is the de facto standard for reliable and feature rich port scanning.

You may have installed it and played with it or maybe you're now using it in your job duties. nmap is up to version 6.40 and has a whole slew of options including scripting that can do so much more than just return what ports are open on a box.

But once you've carefully consulted the man page and crafted that command to do just what you need and hit Enter, did you know you can still interact with your scan?

nmap has several run time interaction functions that can give you additional insight into your scan. For example, if you omitted verbosity flags (-v or -vv or even -vvv) to show you more of what the program is doing, you can increase the level while the scan is running by hitting the "v" key. Hitting it a second or third time increases the verbosity each time. Too much data? Hitting the capital "v" key will decrease verbosity each time you use it, all the way back down to the original run time level.

If you're having issues with a scan and not getting the right results, you can use the "d" key to turn up the debug level. Like verbosity, each subsequent use of the key increases the level, and using the upper case version moves it back down.

"p" will turn on packet tracing, showing you a tcpdump-like log of each packet. For this one, there's (obviously) only one level and capital "p" will turn it back off. Your packet trace will look similar to this:

SENT (14.1570s) TCP 10.82.250.105:59073 > 10.82.250.7:777 S ttl=42 id=54028 iplen=44  seq=2857954232 win=3072
SENT (14.1570s) TCP 10.82.250.105:59072 > 10.82.250.8:451 S ttl=52 id=48876 iplen=44  seq=2858019769 win=1024
RCVD (14.1570s) TCP 10.82.250.8:451 > 10.82.250.105:59072 RA ttl=128 id=14308 iplen=40  seq=0 win=0
SENT (14.1600s) TCP 10.82.250.105:59073 > 10.82.250.7:578 S ttl=53 id=64554 iplen=44  seq=2857954232 win=2048
SENT (14.1600s) TCP 10.82.250.105:59072 > 10.82.250.8:112 S ttl=41 id=33103 iplen=44  seq=2858019769 win=2048
SENT (14.1600s) TCP 10.82.250.105:59072 > 10.82.250.11:729 S ttl=37 id=37013 iplen=44  seq=2858019769 win=2048
RCVD (14.1600s) TCP 10.82.250.8:112 > 10.82.250.105:59072 RA ttl=128 id=14309 iplen=40  seq=0 win=0
SENT (14.1620s) TCP 10.82.250.105:59072 > 10.82.250.11:54 S ttl=49 id=30436 iplen=44  seq=2858019769 win=2048
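As an added example (not part of the original post), here is a small Python script that parses trace lines in the format shown above and pairs each SENT SYN probe with the RCVD reply for the same target, so you can tell from the trace alone which ports answered with RST (closed), which answered with SYN/ACK (open), and which never answered at all. The embedded sample trace is constructed from the lines above; the function names are my own and not part of nmap.

```python
import re

# One line of the TCP packet trace in the format shown above; the trailing
# seq/win fields are left unparsed because match() only anchors at the start.
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+) id=(?P<id>\d+) iplen=(?P<iplen>\d+)"
)

# Constructed sample trace, copied from the lines shown above.
SAMPLE_TRACE = """\
SENT (14.1570s) TCP 10.82.250.105:59073 > 10.82.250.7:777 S ttl=42 id=54028 iplen=44  seq=2857954232 win=3072
SENT (14.1570s) TCP 10.82.250.105:59072 > 10.82.250.8:451 S ttl=52 id=48876 iplen=44  seq=2858019769 win=1024
RCVD (14.1570s) TCP 10.82.250.8:451 > 10.82.250.105:59072 RA ttl=128 id=14308 iplen=40  seq=0 win=0
SENT (14.1620s) TCP 10.82.250.105:59072 > 10.82.250.11:54 S ttl=49 id=30436 iplen=44  seq=2858019769 win=2048
"""

def parse_trace(text):
    """Yield a dict per trace line that matches the TCP format; other lines are skipped."""
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            yield m.groupdict()

def correlate(text):
    """Map (target_ip, target_port) -> flags of the reply, or None if none was seen.
    A RCVD line is matched to its probe by the reversed address/port pair."""
    results = {}
    for pkt in parse_trace(text):
        if pkt["dir"] == "SENT":
            results.setdefault((pkt["dst"], int(pkt["dport"])), None)
        else:
            key = (pkt["src"], int(pkt["sport"]))
            if key in results:          # ignore replies we never sent a probe for
                results[key] = pkt["flags"]
    return results

def interpret(flags):
    """Classify a SYN probe's outcome the way a SYN scan does."""
    if flags is None:
        return "no reply (filtered, or the reply had not arrived yet)"
    if "S" in flags and "A" in flags:
        return "open (SYN/ACK)"
    if "R" in flags:
        return "closed (RST)"
    return "other (%s)" % flags

def summarize(text):
    return {k: interpret(v) for k, v in correlate(text).items()}
```

Running `summarize(SAMPLE_TRACE)` on the constructed trace reports 10.82.250.8:451 as closed and the two unanswered probes as having no reply yet, which is the quickest way to see from a live trace whether a host is actually rejecting probes or simply silent.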
