Course info
Oct 25, 2014
2h 2m

NMAP is a powerful network scanning tool that can be used by a network administrator or security practitioner to audit a network. This course will lead the student through a discussion of NMAP's scanning phases and a discussion of the tool's capabilities and options for network, host, and service discovery. After completion of the course, the student will have a thorough knowledge of NMAP and be able to use it to effectively ensure the security of their network.

About the author

Mr. Marshall (CISSP) has over 20 years of professional IT experience and 15 years in network security. He is analytical and has excellent communications skills and has in-depth experience with TCP/IP networking, UNIX systems design, systems administration, risk management and network vulnerability analysis.

Section Introduction Transcripts

UDP and TCP Port Scanning
Hi, my name is Kirk Marshall. In this module of Network Security Testing with NMAP we'll be discussing UDP and TCP Port Scanning. Port scanning is NMAP's core process and the functionality that originally prompted the tool's construction. We've already discussed how to specify on the command line which ports NMAP should scan; now we're going to talk about the options that tell NMAP how to scan those ports. Before we discuss port scanning options, let's put the process in perspective with respect to the other phases of operation that we've already discussed. So far, NMAP has expanded the target list and performed the host enumeration phase. The results of host enumeration are the identification of live systems. Now what? In performing a network security audit, our next questions should be: what function does the system perform? What services does it offer? Is the system a web server, a mail server, a database server? NMAP can help us determine the system's purpose through port scanning. How does port scanning help? Let's suppose we find a system with an open service running on port 25. We can deduce that the system functions as a mail server, but it might have other applications, all associated with mail, running on it at the same time. It might also have port 587 open, which allows the secure submission of email from authorized clients. Other ports that might be found on a mail server are ports 110, 143, 993, and 995, which are associated with IMAP and the Post Office Protocol. A proper network security audit should be able to identify all services running on a particular system.

Performance and Timing
Hi, my name is Kirk Marshall. In this module of Network Security Testing with NMAP, we'll be discussing options that control NMAP's Performance and Timing. This is a bit of a break from our progression through the scan phases, since these options affect both the host enumeration and port scanning phases. If we scan a target and get an immediate response, there's little need to worry about performance issues or accuracy, since we know quickly and assuredly that the target is there and that the port is open or closed. If we don't get a response, things are a little less clear. It could be that the network is slow or congested. It could be that a firewall is blocking our access. It could be, well, all kinds of things. By default, NMAP will delay a scan by waiting or sending repeat probes, all in an attempt to be as accurate as possible. But waiting and resending probes takes time. When scanning thousands of ports on thousands of systems, any delays can stretch the scan time to unacceptable levels. By fiddling with the options presented in this section, the network security tester can pick the right balance between speed and precision. A number of these options take an argument of some time value. These values can have an associated character string that defines the unit of time being specified. Valid character strings are ms for milliseconds, s for seconds, m for minutes, or h for hours. The default value is seconds. Here are 2 examples where we specified a host-timeout value of 5 minutes and 3 hours respectively.
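As an added example (not part of the course transcript or of NMAP's own code), the parser below converts the time-value format described above (a number with an optional ms/s/m/h suffix, seconds by default) into seconds and uses it to validate a `--host-timeout` value before it is handed to NMAP. The option name `--host-timeout` is the one referred to in the transcript; the helper and function names are my own.

```python
import re

# Unit suffixes listed in the transcript; a bare number is taken as seconds.
_UNIT_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0, "": 1.0}

# A decimal number followed by an optional unit, e.g. "5m", "3h", "500ms", "30".
_SPEC_RE = re.compile(r"^\s*(\d+(?:\.\d+)?|\.\d+)\s*(ms|s|m|h)?\s*$", re.IGNORECASE)


def timespec_to_seconds(spec: str) -> float:
    """Convert an NMAP-style time argument to a number of seconds.

    Raises ValueError on an unknown unit or a malformed number so that a
    typo (e.g. "5min") is caught before a long scan is launched with the
    wrong timeout.
    """
    match = _SPEC_RE.match(spec)
    if not match:
        raise ValueError(f"invalid time specification: {spec!r}")
    value = float(match.group(1))
    unit = (match.group(2) or "").lower()
    return value * _UNIT_SECONDS[unit]


def host_timeout_args(spec: str, minimum_seconds: float = 1.0) -> list:
    """Return the argv fragment for --host-timeout after validating the value.

    A timeout shorter than `minimum_seconds` (an assumed sanity floor, not an
    NMAP rule) is rejected because it would make NMAP give up on nearly every
    host and report nothing useful.
    """
    seconds = timespec_to_seconds(spec)
    if seconds < minimum_seconds:
        raise ValueError(f"host timeout {spec!r} is below {minimum_seconds}s")
    return ["--host-timeout", spec.strip()]


def build_scan_command(target: str, host_timeout: str) -> list:
    """Assemble an argv list (not executed here) for a scan with a host timeout."""
    return ["nmap", *host_timeout_args(host_timeout), target]


if __name__ == "__main__":
    # The two values from the transcript: 5 minutes and 3 hours.
    for spec in ("5m", "3h"):
        print(spec, "->", timespec_to_seconds(spec), "seconds")
    print(" ".join(build_scan_command("192.0.2.10", "5m")))  # constructed target
```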

Evading Firewalls and Other Sneakiness
Hi, my name is Kirk Marshall. In this module of Network Security Testing with NMAP, we'll be discussing techniques that can be used to evade firewall and IDS detection. As revealed in the title, we're going to look at some options that allow us to work through firewalls, evade intrusion detection systems, and in other ways be sneaky. Most of them work at the port scanning phase, but some of these options affect the host enumeration phase as well. Let me just voice a quick disclaimer here. We're going to be discussing some basics of firewall design and architecture, and I'm going to be making some generalizations that may not be 100% accurate for all firewalls. The objective is simply to provide a framework for the discussion of NMAP's options and not to define specific functionality for a particular firewall brand.

OS and Service Version Detection
Hi, my name is Kirk Marshall. In this module of Network Security Testing with NMAP, we'll be discussing Operating System and Service Version Detection. Up until now, everything we've discussed has been focused on identifying systems and services on the network. Beginning with this module we'll start to look at the discovered services and see what we can deduce about them and the systems they are running on.

NMAP Scripting Engine
Hi, my name is Kirk Marshall. In this module of Network Security Testing with NMAP, we'll be discussing the NMAP Scripting Engine. The NMAP Scripting Engine, or NSE, is a capability that allows NMAP to be extended using user-defined plugins, which are limited only by a programmer's creativity. Currently there are 484 scripts in the NSE library; that's 4 more than when I began writing this course, so new ones are getting added all the time.

Wrap Up
In this module of Network Security Testing with NMAP, we'll be wrapping up our discussion with a walkthrough of a simple, but actual, network security audit.