A Summary of New Nmap Features from Blackhat/DEFCON 2008

Fyodor

At Fyodor‘s talk last week at Blackhat he talked about the research he’s been doing, and the ways that research has helped him to improve Nmap. I was lucky enough to attend, and even got to chat with him briefly and get a signed copy of his new book.

Anyway, after receiving numerous complaints over the years regarding performance, he did some colossal scans of the Internet in order to see how Nmap handled extremely large address ranges. What follows is a collection of the most interesting features he added, and information he learned, while doing his research.

Setup

First off, in case you want to test out some of these features as well, you’ll need to get the version of Nmap that he was using during this presentation. The current, stable branch does not have much of this functionality. You can get it via SVN like so:

svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/bhdc08/

Then build it the standard way:

  1. ./configure

  2. make

  3. make install

The --top-ports Scan Option

One of Fyodor’s main focuses was improving Nmap’s speed through improved efficiency. One of the best ways to do this is to allow for scans of fewer ports, but this requires that you choose those ports carefully so as to miss as little as possible. So what he did, through trial and error and tons of scans, was figure out the most frequently open ports on the Internet.

Here they are for each protocol:

TCP

  1. 80

  2. 23

  3. 22

  4. 443

  5. 3389

  6. 445

  7. 139

  8. 21

  9. 135

  10. 25

UDP

  1. 137

  2. 161

  3. 1434

  4. 123

  5. 138

  6. 445

  7. 135

  8. 67

  9. 139

  10. 53

Ok, so now that we know what the top 10 ports are, wouldn’t it be cool to be able to scan based on them? And what if we wanted to scan the top 50? Or the top 100?

Fyodor has built this in with the --top-ports option. It’s wicked nice, and you invoke it like this:

nmap –top-ports 100 $target

And of course, 100 is just an arbitrary number, so you could just as easily do this:

nmap –top-ports 3000 $target

As you increase this number you obviously gain more and more accuracy, but because the ports are organized according to the most commonly found on the Internet, you can scan relatively few and still have good chances of finding everything open.

Stats from his presentation on TCP port efficiency using --top-ports:

–top-ports 10: 48%–top-ports 50: 65%–top-ports 100: 73%–top-ports 250: 83%–top-ports 500: 89%–top-ports 1000: 93%–top-ports 2000: 96%–top-ports 3764: 100%

This means for just curiosity scans I can go with --top-ports 1000 and get roughly 93% accuracy in a fraction of the time.

Do like.

Rate Limiting

Another feature that he’s been wanting to add for a while is rate limiting by packet count. He actually found a need for this when he was doing his research. He started some of his first scans and got a call from his ISP. They thought he’d been hacked.

He got it worked out, but he decided it was a good idea to be able to set a threshold for how hard you hit the network you’re scanning from. And here it is:

nmap –max-rate 1000 $targetnmap –min-rate 500 $target

The --reason Option

This thing is awesome; when it shows you that a port was open or filtered or whatever—it shows you the reason it thought so.

Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
Reason: 994 no-responses
PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack
25/tcp  closed smtp    reset
53/tcp  open   domain  syn-ack
70/tcp  closed gopher  reset
80/tcp  open   http    syn-ack
113/tcp closed auth    reset

Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds

Packet Trace with --packet-trace

This will show you what the packets look like that you send and receive, with a handy little “sent” and “received” marker.

nmap –packet-trace -p80 danielmiessler.com

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

SENT (0.1160s) TCP 204.11.219.126:40117 > 204.11.219.126:80 S ttl=40
     id=52313 iplen=44  seq=2829670227 win=1024 
RCVD (0.1160s) TCP 204.11.219.126:40117 > 204.11.219.126:80 S ttl=40
     id=52313 iplen=44  seq=2829670227 win=1024 
RCVD (0.1160s) TCP 204.11.219.126:80 > 204.11.219.126:40117 SA ttl=64
     id=0 iplen=44  seq=2909000595 win=32792 ack=2829670228 
Interesting ports on danielmiessler.com (204.11.219.126):
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

Traceroute

You can now add the -traceroute option to your scan and Nmap will pick a port and traceroute to the target host over that port.

Nmap’s GUI (Zenmap) Now Creates Maps!

cheops_screenshot

You heard me right. The latest version of Zenmap (bhdc08) now actually has a tab for creating maps like Cheops. The one above is an actual old Cheops screenshot because I don’t have X installed on the box running bhdc08, but you get the idea.

Ndiff

Ndiff is a sick little tool that compares Nmap XML files and produces XML or YAML formatted difference files. In other words, you can regularly scan your networks with Nmap and use Ndiff to not only tell you when new boxes pop up on (or drop off of) the network, but it’ll also tell you when new services are added or deleted to the boxes you already know about.

Brutally nice.

svn://svn.insecure.org/nmapexp/ndiff/ (same credentials as above)

Ncat

An über version of Hobbit’s classic. Supports SSL, IPv6, connection brokering, proxies, shell execution, and tons of other stuff.

svn://svn.insecure.org/ncat (login: guest/guest)

The Nmap Scripting Engine

If you’re not using this yet, you should probably get that way. Remember, it’s not just port scanning; you can actually check for vulnerabilities using this. Here’s one from his presentation that checks for DNS issues:

nmap -PN -v -sU -p53 -T4 –script=dns-test-open-recursion,dns-safe-recursion-port.nse,dns-safe-recursion-txid.nse dns-1.blackhat.com archimedes.shmoo.com

Fin

I’ll be adding these options, as well as a ton of additional new functionality, to my Nmap tutorial/primer located at https://danielmiessler.com/study/nmap/.

But no matter what you do, go get a copy of Fyodor’s new book. It’s a must.:

Links

Related posts: