Scan Your Home Network With Nmap

January 16, 2013, by | Start Discussion

Who should read this article?

Everyone that is interested in computer security and computer networking should read this article.

Introduction

If you run a network, a small or big one, you need a flexible and productive way to monitor it. You need to provide security to machines connected to your network, especially if you have a WI-FI network. Monitoring the ‘health’ of your network is an important step to keep attacks, viruses and malwares out of your network perimeter. Ask yourself these questions: “Is there anybody outside using my wireless internet connection?”, “Are my machines and devices secured?”, “Is my router firewall working?”, “Why is this port open? Is there any virus in my computer that opened that port?”

What is Nmap?

Nmap is a free and open source tool for network discovery, helping us to map the network. Network administrators find it very useful in their daily job, so if you are planning to be a network administrator you should learn how to use Nmap. Nmap can help us to discover how many hosts are in a network, what operating systems are they running, what open ports do they have and services running in these open ports. It is a command line tool but for those that do not like to remember many commands   there is a graphical version of Nmap that is called Zenmap. Both Nmap and Zenmap are multi-platform (Linux, Windows, Mac OS X, BSD, etc.), so you do not have to worry about the operating system you need in order to use these tools. Nmap has the ability to save scan results to files and   we can use these files for later analyzes. The great thing that i like about Nmap is its scripting engine (NSE). We can write our own scripts and use them with Nmap.

Download and install Nmap

a) Installing Nmap on Ubuntu

Installing NmaponUbuntu is very easy. Fire up the terminal and type this command “sudo apt-get install nmap” without the quotation marks.This simple command does everything; it downloads and installs the Nmap for you.
NOTE: You will need root privileges to use Nmap tool on Linux machine.

b) Installing Nmap in windows

Download the latest release self-installer from the official   Nmap page (nmap.org) and double click it.After the installation is completed   open command prompt (cmd), type this command “cd C:Program FilesNmap” like shown in Figure 1 and hit enter.

Type “nmap” like shown in Figure 2 and hit enter.This command gives us information about Nmap usage like options and target specifications so every time we do not remember a command we can type “nmap” in the command prompt and read the output.

Scanning with Nmap

Performing a simple scan with Nmap requires a target   and the target can be specified as an IP address or a hostname. A simple scan does not require any options and the syntax for it is “nmap IP or HOSTNAME”. My router is the target in this case; if you need another target then think about your computer; do not scan machines that are not yours.

Figure 1 – Simple nmap scan

The nmap scan report tells us that the host is up and is running a web service in port 80, the port for http (hypertext transfer protocol) traffic. A simple nmap scan will check for the 1000 most commonly used TCP/IP ports and based in the respond that these ports do to the probe Nmap will classify them into one of six port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered.To perform a simple scan in your machine type this command in the command prompt “nmap localhost”.

Can Nmap be used to scan multiple hosts?  Yes,Nmap can be used to scan multiple hosts and the easiest way to do this is to string together the target IP addresses or hostnames separated by a space, like shown in Figure 2.

Figure 2

Figure 2 demonstrates using Nmap to scan two addresses at the same time (host1 and host2). If the number of hosts is big, than the scanning process will take more time and is good to save the results in a file. Sometimes you want to scan  an entire subnet and to do that you need some information about Classless Inter-Domain Routing (CIDR).I will not explain you in this tutorial what CIDR is so  feel free to Google  it.For now only remember that to scan an entire subnet you need an ip address in the subnet.If you want to scan your entire subnet get your ip and use this syntax: “nmap [IP/CIDR]”.What is the value for your CIDR?To find out the CIDR value we will use an online subnet calculator. You can find it here http://www.subnet-calculator.com/.Put your ip address in the ip box and copy the number in the Mask Bits box.My CIDR is 24.To scan the entire subnet we use this command: “nmap [IP/24]” without quotation marks.This process will take some time and the speed of scanning will depend on your internet connection. If you have a slow connection, feel free to get a coffee.

Figure 3

Nmap accepts text file input, so if you have a large number of machines to scan, you can enter the ip addresses in a text file and use it as input for Nmap. Each entry in the text file must be separated by a space, tab or new line. The syntax for performing this scan is   “nmap –iL filename.txt”, where the –iL parameter is used to instruct Nmap to extract the list of targets from the filename.txt.

Figure 4

Figure 4 show us that nmap failed to open input file hostlist.txt, which is a text file that contains a list of hosts.In order for this scanning technique to work you need   to copy the text file in the Nmap folder.By default, before scanning for open ports, Nmap sends ICMP echo requests to the host to see if it is online and if the host in not ‘alive’ Nmap does not probe the host.This can save time when scanning a lot of machines as Nmap will not waste time probing hosts that are not ‘alive’. The –sP option is used to perform a simple ping and is very useful when you want to see which hosts are online without   scanning for open ports. To see which hosts are online in your network type this command “nmap –sP [IP/CIDR]” in the command line and wait for the output. Figure 5 shows that 256 ip addresses in my subnet are pinged and   there are only three hosts ‘alive’.

Figure 5

Determining the operating system of your target is very important because many exploits are specific to a specific platform. The process   of discovering the host operating system is called fingerprinting.The syntax for performing operating system detection is “nmap –O [IP or hostname]”. Figure 10 shows the output of my os scan detection.

Sometimes Nmap is unable to detect the operating system and it will provide only a fingerprint,but you can force the os detection   by using the –osscan-guess option.  But what is the reason that some port is closed or open? The –reason parameter helps us to understand the reason why a port is considered to be open or closed. Figure 6 shows how this option can be used.

Figure 6

If you want to keep your nmap scanning output simple you can use the –open parameter which helps you to display only the open ports on your target.Sometimes is hard to remember all these commands and to do the job right you can use the –A   parameter, which can be used to perform an aggressive scan. This parameter selects some of the most commonly options used with Nmap. Now that we have learned the basics of Nmaplet me takesome examples.

Example 1

I want to know if there is any SSH or web server in my subnet.

The most popular  ports for  SSH  and web servers   are 22 and 80 so we  need to use the  –open parameter  to check only  for  open ports  and   from these open ports we are only interested about  22 and 80 ports.

Figure 7

As you can see from figure 7, we used -p 22,80 to perform a scan on TCP ports 22 and 80.

Example 2

How can Nmap help me to discover FTP servers in my subnet?

File transfer protocol (FTP) is known for its weak security. The issue with file transfer protocol is that all the traffic is sent in plain text meaning that all data can be easily intercepted. An Nmap scan can helps us to identify ftp servers. The command syntax for this scan is “nmap -sP -p 21 [target/CIDR]”.

Example 3

How to tell if your wireless router has been “hacked”

Most wireless routers allow administration through a web page interface. Open a web browser and connect to your router by typing in its IP address. The default IP set for many routers is   192.168.0.1 or 192.168.1.1. If you are not sure about your router’s IP open the command prompt, type “ipconfig” and then press enter. This command gives you information about the internet connection. The IP address under “Default Gateway” should be your router’s IP.

After you have entered router’s IP address in the web browser,   a pop-up window will ask for your username and password. Enter your username and password to log into your router.  Search through the administrative menus that your router offers and try to find the place that shows a list of devices using the network. Figure 8 shows   all devices connected to my network. Now it is very easy, isn’t it? If the page shows more DHCP clients than you have, it means that your wireless router has been compromised and you should immediately improve its security.

Figure 8

But how can you tell if your wireless router has been “hacked” if you are not the administrator of the router? Nmap does the magic for us. We learned to perform simple ping scan in a subnet by using -sP option. If    the command result displays more hosts than you expect, it means that your router has been “hacked”. Figure 9 shows the output of my simple ping scan.


Figure 9

Figure 9shows that 2 hosts are up. One of these hosts is my computer and the other one is my router. If the scan shows more than two hosts up itmeansthat someoneis using my wireless network.

Conclusion

We’ve looked at the basics we need to know about Nmap. In the next tutorial we’ll takea look at more advanced stuff and use Nmap in real world examples.

Oltjano is persuing Computer Engineering from Polytechnic University of Tirana. He is passionate about Information Security, Computer Forensics & game development.

Leave a Reply