Nmap deep dive
Nmap, the stealthy port scanner, is a vital tool for any helpful hacker or nefarious network administrator’s arsenal.
We’ve seen how the humble ping command can tell us not just if our machines are reachable, but how many of them are on the local network. If we read into the timings column a bit, we might even speculate about how far away these machines are. However, for network reconnaissance and port scanning, you can’t beat Nmap.
Since we’ve already got an XML list of machines on our LAN it would be nice if we could re-use it here to save scanning again. Sadly, the XML files generated by Nmapsi4’s network discovery can’t be easily digested by Nmap itself (or we couldn’t figure out a way). So let’s open a terminal and do it manually. To start, just enter the following:
$ sudo nmap 192.168.0.0/24
This will scan the local network as before, but instead of pinging the machines it’ll probe the 1,000 most common service ports on each machine, and tell you if any are listening. As well as this, when we run it as root it gives us some additional information about each host, namely its MAC address and the manufacturer identification associated with that. This is our favourite way of finding the IP addresses of Raspberry Pis on our home networks. Since we tend to have enabled SSH on most of these devices, we need only scan port 22 here:
$ sudo nmap -p22 192.168.0.*
As you can see, Nmap doesn’t mind if you prefer wildcards or subnet masks. Just a small caveat though: the Pi 4 uses a different Ethernet adapter than its predecessors, so this shows up as something other than Raspberry Pi Foundation.
Spotting running services
Let’s forget about stray Pis and consider the services running on your own network. Looking at the previous scan results may (depending on what the boxes on your network are doing) reveal hosts running SSH, web interfaces, Windows File Sharing (NetBIOS/SMB/CIFS), remote desktop (VNC/RDP) as well as some things you’ve probably never heard of. The services running may be different to those listed – service names are just assumed from the port number at this stage.
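The two points above, that a root scan reports each host’s MAC vendor and that service names at this stage are only looked up from the port number, are both visible in Nmap’s own XML output (`-oX`). The following script is an added example, not code from the article or from the Nmap project: it parses a constructed sample of that XML, flags which service names are merely table lookups rather than probed, picks out hosts by MAC vendor, and writes a plain target list that can be fed back to Nmap with `-iL` so a later scan needn’t rediscover the hosts. The addresses, MACs and ports in the sample are made up.

```python
"""Parse Nmap XML output (-oX) into a host inventory and a reusable target list.

Added example, not from the article. Assumes the XML below was produced by
something like `sudo nmap -oX scan.xml 192.168.0.0/24`; the hosts, MAC
addresses and ports are constructed sample data, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two hosts up (one with a Raspberry Pi Foundation MAC)
# and one host down.  The service elements carry method="table", which is
# what Nmap writes when the name was looked up from the port number alone.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.168.0.0/24">
  <host><status state="up"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleRouterCo"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" method="table" conf="3"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.42" addrtype="ipv4"/>
    <address addr="B8:27:EB:AA:BB:CC" addrtype="mac" vendor="Raspberry Pi Foundation"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.0.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host that Nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "vendor": None, "ports": []}
        for addr in h.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only present when run as root
                entry["mac"] = addr.get("addr")
                entry["vendor"] = addr.get("vendor")
        for p in h.findall("ports/port"):
            svc = p.find("service")
            entry["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                # "table" = name assumed from the port number; a version scan
                # (-sV) would record method="probed" instead.
                "guessed": svc is not None and svc.get("method") == "table",
            })
        hosts.append(entry)
    return hosts


def find_by_vendor(hosts, needle):
    """IPs of up hosts whose MAC vendor string contains `needle` (case-insensitive)."""
    return [h["ip"] for h in hosts
            if h["vendor"] and needle.lower() in h["vendor"].lower()]


def open_ports(hosts):
    """Map each IP to its list of open TCP/UDP port numbers."""
    return {h["ip"]: [p["port"] for p in h["ports"] if p["state"] == "open"]
            for h in hosts}


def target_list(hosts):
    """One IP per line, suitable for saving and passing to `nmap -iL file`."""
    return "\n".join(h["ip"] for h in hosts) + "\n"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_XML)
    for h in hosts:
        print(h["ip"], h["mac"], h["vendor"])
        for p in h["ports"]:
            tag = " (name guessed from port number)" if p["guessed"] else ""
            print(f"  {p['port']}/{p['proto']} {p['state']} {p['service']}{tag}")
    print("Raspberry Pis:", find_by_vendor(hosts, "Raspberry Pi"))
    with open("targets.txt", "w") as f:
        f.write(target_list(hosts))
```

Run against a real `-oX` file by replacing `SAMPLE_XML` with the file’s contents; the `targets.txt` it writes can then be reused with `sudo nmap -iL targets.txt -p22`, which is the reuse the article wanted from the Nmapsi4 export.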
Now consider your home router. It’ll almost certainly be running a web control panel on port 80, but there may be all kinds of other services running. If you want to scan every single port, you could do so with:
$ sudo nmap -p1-65535 192.168.0.1
This isn’t particularly smart, though. Nmap’s default SYN scan may be stealthy, but it isn’t guaranteed to be fast when most ports aren’t open. A closed port will reject the incoming SYN packet with a reset, in which case the scan finishes quickly. But if the connection attempts are silently dropped (Nmap reports such ports as filtered), it’s left waiting for a response that’s never coming. Or there could be a rate-limiting firewall in effect.
If you leave the previous command running for a while and then press Space, you’ll see a progress estimate and an estimated time of completion. In our case this was close to a day, so we thought we’d try a different tool. Masscan (Information Gathering > Network & Port Scanners) took a mere 15 minutes to tell us it couldn’t find any services running on obscure ports.
Note the increase in the noise in our reconnaissance so far. We started by silently spying on the network with Etherape, did a barely detectable probe with Nmap to find all the hosts, and now we’re picking one host and doing thorough inspections. And it’s about to get worse.