Insecure.org has released a new major version of the free, open source \u201cnmap\u201d security scanner. (Don\u2019t just call nmap a port scanner - Thanks to many improvements over the last years, nmap has become an excellent security scanner).<\/p>\n
Visit http:\/\/nmap.org\/5\/<\/a> for more information about this new version.<\/p>\n Although there are roughly 600 updates in this new version, these are the top 5 improvements in nmap 5 :<\/p>\n Download<\/a>\u00a0and install the new version, buy\/read the book<\/a>, spread the word, and scan \u2018til you drop !<\/p>\n \u00a0<\/p>\n Some of my favorite nmap parameters\/scan parameters :<\/span><\/p>\n Detecting common stateless firewall misconfigurations : Some people allow incoming connections originated from port 20 (FTP), 53 (DNS) or 500 (IKE) in order to \u201cmake things work\u201d. Big mistake. This misconfiguration can allow you to find open ports (and traverse firewalls) by setting one of these ports as source port : use parameter -g<\/p>\n Launch multiple scan types at once (syn scan, os & version detection, traceroute, script) : use parameter -A<\/p>\n Scan all ports : use parameter -p-<\/p>\n Display the reason why a port is in a particular state : --reason<\/p>\n Example :<\/p>\n \u00a0<\/p>\n Some other interesting parameters are :<\/span><\/p>\n -6 : enabled IPv6 scanning<\/p>\n -sO : IP Protocol scan<\/p>\n -D <ip,ip,ip> : try to hide a scan with decoy IP addresses<\/p>\n \u00a0<\/p>\n Finally, a couple of words about script scans : (http:\/\/nmap.org\/nsedoc\/)<\/span><\/p>\n --script-updatedb : update the script database<\/p>\n Starting Nmap 5.00 ( http:\/\/nmap.org<\/a> ) at 2009-07-16 21:07 Romance Daylight Time<\/p>\n NSE: Updating rule database.<\/p>\n NSE script database updated successfully.<\/p><\/blockquote>\n --script=<script> : run a script. You can find the default scripts in the \u201cscripts\u201d folder<\/p>\n --script-args=unsafe=1\u00a0\u00a0 (needed to enable certain checks, such as running a regsvc DoS test)<\/p>\n Example :\u00a0 run all smb scripts against a given host :<\/p>\n C:\\>nmap -P0 -nvv -A -p- -g 20 --reason --script=smb* 192.168.0.9 <\/span><\/p>\n Starting Nmap 5.00 ( <\/span>http:\/\/nmap.org<\/span><\/a> ) at 2009-07-16 21:09 Romance Daylight Time<\/span><\/p>\n NSE: Loaded 15 scripts for scanning.<\/p>\n Initiating ARP Ping Scan at 21:10<\/span><\/p>\n Scanning 192.168.0.9 [1 port]<\/p>\n Completed ARP Ping Scan at 21:10, 0.23s elapsed (1 total hosts)<\/p>\n Initiating SYN Stealth Scan at 21:10<\/p>\n Scanning 192.168.0.9 [65535 ports]<\/p>\n Discovered open port 445\/tcp on 192.168.0.9<\/p>\n Discovered open port 3389\/tcp on 192.168.0.9<\/p>\n Discovered open port 1723\/tcp on 192.168.0.9<\/p>\n Discovered open port 135\/tcp on 192.168.0.9<\/p>\n Discovered open port 139\/tcp on 192.168.0.9<\/p>\n Discovered open port 27010\/tcp on 192.168.0.9<\/p>\n Discovered open port 1049\/tcp on 192.168.0.9<\/p>\n Discovered open port 902\/tcp on 192.168.0.9<\/p>\n Discovered open port 27000\/tcp on 192.168.0.9<\/p>\n Completed SYN Stealth Scan at 21:10, 57.15s elapsed (65535 total ports)<\/p>\n Initiating Service scan at 21:10<\/p>\n Scanning 11 services on 192.168.0.9<\/p>\n Completed Service scan at 21:12, 106.20s elapsed (11 services on 1 host)<\/p>\n Initiating OS detection (try #1) against 192.168.0.9<\/p>\n NSE: Script scanning 192.168.0.9.<\/p>\n NSE: Starting runlevel 0.5 scan<\/p>\n Initiating NSE at 21:12<\/p>\n Completed NSE at 21:12, 11.72s elapsed<\/p>\n NSE: Starting runlevel 1 scan<\/p>\n Initiating NSE at 21:12<\/p>\n Completed NSE at 21:12, 1.12s elapsed<\/p>\n NSE: Starting runlevel 2 scan<\/p>\n Initiating NSE at 21:12<\/p>\n Completed NSE at 21:12, 0.14s elapsed<\/p>\n NSE: Script Scanning completed.<\/p>\n Host 192.168.0.9 is up, received arp-response (0.00s latency).<\/p>\n Scanned at 2009-07-16 21:10:00 Romance Daylight Time for 178s<\/p>\n Interesting ports on 192.168.0.9:<\/p>\n Not shown: 65526 closed ports<\/p>\n Reason: 65526 resets<\/p>\n PORT\u00a0\u00a0\u00a0\u00a0\u00a0 STATE SERVICE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 REASON\u00a0 VERSION<\/p>\n 135\/tcp\u00a0\u00a0 open\u00a0 msrpc\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syn-ack Microsoft Windows RPC<\/p>\n 139\/tcp\u00a0\u00a0 open\u00a0 netbios-ssn\u00a0\u00a0\u00a0\u00a0 syn-ack<\/p>\n 445\/tcp\u00a0\u00a0 open\u00a0 microsoft-ds\u00a0\u00a0\u00a0 syn-ack Microsoft Windows 2003 microsoft-ds<\/p>\n 902\/tcp\u00a0\u00a0 open\u00a0 ssl\/vmware-auth syn-ack VMware Authentication Daemon 1.10 (Uses VNC)<\/p>\n 1049\/tcp\u00a0 open\u00a0 msrpc\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syn-ack Microsoft Windows RPC<\/p>\n 1723\/tcp\u00a0 open\u00a0 pptp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syn-ack Microsoft (Firmware: 3790)<\/p>\n 3389\/tcp\u00a0 open\u00a0 microsoft-rdp\u00a0\u00a0 syn-ack Microsoft Terminal Service<\/p>\n 27000\/tcp open\u00a0 flexlm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syn-ack FlexLM license manager<\/p>\n 27010\/tcp open\u00a0 flexlm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syn-ack FlexLM license manager<\/p>\n MAC Address: 00:03:FF:07:23:D5 (Microsoft)<\/p>\n Device type: general purpose<\/p>\n Running: Microsoft Windows 2003<\/p>\n OS details: Microsoft Windows Server 2003 SP1 or SP2<\/p>\n TCP\/IP fingerprint:<\/p>\n OS:SCAN(V=5.00%D=7\/16%OT=80%CT=1%CU=%PV=Y%DS=1%G=N%M=0003FF%TM=4A5F7BBA%P=i<\/p>\n OS:686-pc-windows-windows)SEQ(SP=105%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%TS=0<\/p>\n OS:)OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT<\/p>\n OS:00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=4000%W2=4000%W3=4000%W4=<\/p>\n OS:4000%W5=4000%W6=4000)ECN(R=Y%DF=N%TG=80%W=4000%O=M5B4NW0NNS%CC=N%Q=)T1(R<\/p>\n OS:=Y%DF=N%TG=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%TG=80%W=0%S=Z%A=S%F=AR%O<\/p>\n OS:=%RD=0%Q=)T3(R=Y%DF=N%TG=80%W=4000%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%<\/p>\n OS:Q=)T4(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%TG=80%W=0%S=<\/p>\n OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R<\/p>\n OS:=Y%DF=N%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=S%TG=80%CD=<\/p>\n OS:Z) <\/span><\/p>\n Network Distance: 1 hop<\/span><\/p>\n TCP Sequence Prediction: Difficulty=261 (Good luck!)<\/p>\n IP ID Sequence Generation: Incremental<\/span><\/p>\n Service Info: OS: Windows <\/span><\/p>\n Host script results:<\/span><\/p>\n |\u00a0 smb-brute:<\/p>\n |_ guest:<anything> => Password was correct, but user's account is disabled<\/span><\/p>\n |\u00a0 smb-pwdump:<\/p>\n |\u00a0 Couldn't run smb-pwdump.nse, missing required file(s):<\/p>\n |\u00a0 - nselib\/data\/lsremora.dll<\/p>\n |\u00a0 - nselib\/data\/servpw.exe<\/p>\n |\u00a0 These are included in pwdump6 version 1.7.2:<\/p>\n |_ <<\/span>http:\/\/foofus.net\/fizzgig\/pwdump\/downloads.htm<\/span><\/a>><\/span><\/p>\n |\u00a0 smb-os-discovery: Windows Server 2003 R2 3790 Service Pack 2<\/p>\n |\u00a0 LAN Manager: Windows Server 2003 R2 5.2<\/span><\/p>\n |\u00a0 Name: CORELAN\\NILUS<\/p>\n |_ System time: 2009-07-16 21:12:57 UTC+2<\/p>\n |\u00a0 smb-security-mode: User-level authentication<\/p>\n |\u00a0 SMB Security: Challenge\/response passwords supported<\/p>\n |_ SMB Security: Message signing supported<\/p>\n |\u00a0 smb-enum-shares:<\/p>\n |\u00a0 Anonymous shares:<\/p>\n |\u00a0\u00a0\u00a0\u00a0 IPC$<\/p>\n |\u00a0 Restricted shares:<\/p>\n |\u00a0\u00a0\u00a0\u00a0 ADMIN$<\/p>\n |\u00a0\u00a0\u00a0\u00a0 C$<\/p>\n |\u00a0\u00a0\u00a0\u00a0 D$<\/p>\n |_\u00a0\u00a0\u00a0 E$<\/p>\n |\u00a0 smb-check-vulns:<\/p>\n |\u00a0 MS08-067: FIXED<\/p>\n |\u00a0 Conficker: Likely CLEAN<\/p>\n |_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run) <\/span><\/p>\n Read data files from: C:\\Program Files\\Nmap<\/span><\/p>\n OS and Service detection performed. Please report any incorrect results at http:\/\/nmap.org\/submit\/<\/span><\/a> .<\/span><\/p>\n Nmap done: 1 IP address (1 host up) scanned in 178.92 seconds<\/p>\n\n
nmap -P0 -nvv -A -p- -g 20 --reason <targets><\/pre>\n<\/div>\n