1 Installing NMAP on Ubuntu

bob@ubuntu-server:~$ sudo apt-get install nmap

2 Which hosts are alive on my network?

bob@ubuntu-server:~$ nmap -sn <target network>

2.1 How does it work?

The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. ¹

2.2 Give it a try

Lets target the workshop network with our host discovery scan:

bob@ubuntu-server:~$ nmap -sn 10.10.2.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-21 11:08 PST
Nmap scan report for 10.10.2.1
Host is up (0.0011s latency).
Nmap scan report for 10.10.2.101
Host is up (0.0017s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.73 seconds

2.3 Interpreting the output

There are two hosts on the network 10.10.2.0/24 that responded to our probes

3 Which TCP ports are these hosts listening on?

bob@ubuntu-server:~$ sudo nmap -sS <target network>

3.1 How does it work?

This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. ²

3.2 Give it a try

Lets target our workshop network with our SYN scan. Remember to use your own network!

bob@ubuntu-server:~$ sudo nmap -sS 10.10.(group).0/24
[sudo] password for bob:

Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-21 11:17 PST
Nmap scan report for 10.10.2.1
Host is up (0.00045s latency).
All 1000 scanned ports on 10.10.2.1 are closed
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 10.10.2.100
Host is up (0.000042s latency).
All 1000 scanned ports on 10.10.2.100 are filtered
MAC Address: 08:00:27:1C:66:7C (Cadmus Computer Systems)

Nmap scan report for 10.10.2.101
Host is up (0.000056s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 256 IP addresses (3 hosts up) scanned in 277.40 seconds

3.3 Interpreting the output

It appears that our SYN-scan discovered another host alive on our network at 10.10.2.100
- This host is not listening on any TCP ports
192.168.1.1 is also not listening on any TCP ports. Maybe its our gateway?
192.168.1.101 is running two TCP services:
- SSH
- HTTP

4 Seeing change in your network over time

Knowing when new services appear on your network is really important! Lets combine Bash, Nmap and cron to schedule periodic scans of our network.

4.1 Copy the script to your monitoring server

bob@ubuntu-server:~$ cd /usr/local/bin
bob@ubuntu-server:~$ editor nmap-cron-diff.sh

#!/bin/sh

TARGETS="10.10.2.0/24"
OPTIONS="-v -T4 -F"
date=`date +"%F-%H:%M:%S"`

if [ ! -d /root/scans ]
then
        mkdir -p /root/scans
fi

cd /root/scans
nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
if [ -e scan-prev.xml ]; then
        ndiff scan-prev.xml scan-$date.xml > diff-$date
        echo "*** NDIFF RESULTS ***"
        cat diff-$date
        echo
fi
echo "*** NMAP RESULTS ***"
cat scan-$date.nmap
ln -sf scan-$date.xml scan-prev.xml

Script adapted from a script found on NMAP's website.³

4.2 Create a cronjob to execute the script

1. SU to root

bob@ubuntu-server:~$ sudo su -
[sudo] password for bob: 
root@ubuntu-server:~#

2. Edit your crontab

root@ubuntu-server:~# crontab -e

3. Add a job that executes 'nmap-cron-diff.sh' every day at 12:00:00 AM

Crontab accepts commands in the format:

(minute) (hour) (month) (day of month) (day of week) (command)

The * character means "every"
We want to execute "/usr/local/bin/nmap-cron-diff.sh" on the 0 minute, of the 0 hour, every month, every day of the week
```
0 0 * * * /usr/local/bin/nmap-cron-diff.sh
```

4.3 Interpreting the output

'nmap-cron-diff' creates a folder under '/root' called "scans". The "scans" folder contains a number of different files, labelled scan-<date>-<time> or diff-<date>-<time>
Files labelled scan-<date>-<time>.nmap contain the output you would expect to see at the command-line:

# Nmap 6.40 scan initiated Wed Jan 21 13:52:31 2015 as: nmap -v -T4 -F -oA scan-2015-01-21-13:52:31 10.10.2.0/24
adjust_timeouts2: packet supposedly had rtt of -105981 microseconds.  Ignoring time.
Nmap scan report for 10.10.2.0 [host down]
Nmap scan report for 10.10.2.2 [host down]
Nmap scan report for 10.10.2.3 [host down]
Nmap scan report for 10.10.2.4 [host down]
Nmap scan report for 10.10.2.5 [host down]
Nmap scan report for 10.10.2.6 [host down]
Nmap scan report for 10.10.2.7 [host down]
Nmap scan report for 10.10.2.8 [host down]
Nmap scan report for 10.10.2.9 [host down]
Nmap scan report for 10.10.2.10 [host down]
...

Files labelled diff-<date>-<time> contain a 'diff' of output the most recent scan against the previous scan. ``` -Nmap 6.40 scan initiated Wed Jan 21 13:52:31 2015 as: nmap -v -T4 -F -oA scan-2015-01-21-13:52:31 10.10.2.0/24 +Nmap 6.40 scan initiated Wed Jan 21 13:52:57 2015 as: nmap -v -T4 -F -oA scan-2015-01-21-13:52:57 10.10.2.0/24

10.10.2.101: -Not shown: 98 closed ports +Not shown: 99 closed ports PORT STATE SERVICE VERSION -80/tcp open http ```

Lines beginning with '-' existed in the previous scan, but not in the most recent
Lines beginning with '+' exist in the most recent scan, but not in the previous
We see that the host 10.10.2.101 is no longer listening on port 80

http://nmap.org/book/man-host-discovery.html↩
http://nmap.org/book/man-port-scanning-techniques.html↩
http://nmap.org/book/ndiff-man-periodic.html↩

Host Discovery and Port Scanning with NMAP