NMap Scan Guide
Guide to using NMAP port scanner.
Uploaded by Liam Cowden
NETWORK SCANNING
NMAP
Gordon "Fyodor" Lyon
Nmap.Org

Nmap Network Scanning
Official Nmap Project Guide to Network Discovery and Security Scanning
Gordon "Fyodor" Lyon

From port scanning basics for novices to the type of packet crafting used by advanced hackers, this book by Nmap's author and maintainer suits all levels of security and networking professionals. Rather than simply document what every Nmap option does, Nmap Network Scanning demonstrates how these features can be applied to solve real world tasks such as penetration testing, taking network inventory, detecting rogue wireless access points or open proxies, quashing network worm and virus outbreaks, and much more. Examples and diagrams show actual communication on the wire. This book is essential for anyone who needs to get the most out of Nmap, particularly security auditors and systems or network administrators.

Nmap Network Scanning: Official Nmap Project Guide to Network Discovery and Security Scanning
by Gordon "Fyodor" Lyon

ISBN-13: 978-0-9799587-1-7
ISBN-10: 0-9799587-1-7
Library of Congress Control Number (LCN): 2008940582
Library of Congress Subject Headings: 1. Computer networks--Security measures; 2. Computer security

Published by Insecure.Com LLC. For information on bulk purchases, special sales, rights, book distributors, or translations, please contact us directly:
Insecure.Com LLC
370 Altair Way #113
Sunnyvale, CA 94086-6161
United States
Email: sales@insecure.com; Phone: +1-650-989-4206; Fax: +1-650-989-4206

December 2008
Release: August 2008
Zero-Day Release: May 2008

Copyright (c) 2008 by Insecure.Com LLC. All rights reserved. Except where noted otherwise in this work, no part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner. Nmap is a registered trademark of Insecure.Com LLC.
Other product and company names mentioned herein may be the trademarks of their respective owners. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

Table of Contents

Preface
  1. Introduction
  2. Intended Audience and Organization
  3. Conventions
  4. Other Resources
  5. Request for Comments
  6. Acknowledgements
    6.1. Technology Used to Create This Book
  7. TCP/IP Reference
1. Getting Started with Nmap
  1.1. Introduction
  1.2. Nmap Overview and Demonstration
    1.2.1. Avatar Online
    1.2.2. Saving the Human Race
    1.2.3. MadHat in Wonderland
  1.3. The Phases of an Nmap Scan
  1.4. Legal Issues
    1.4.1. Is Unauthorized Port Scanning a Crime?
    1.4.2. Can Port Scanning Crash the Target Computer/Networks?
    1.4.3. Nmap Copyright
  1.5. The History and Future of Nmap
2. Obtaining, Compiling, Installing, and Removing Nmap
  2.1. Introduction
    2.1.1. Testing Whether Nmap is Already Installed
    2.1.2. Command-line and Graphical Interfaces
    2.1.3. Downloading Nmap
    2.1.4. Verifying the Integrity of Nmap Downloads
    2.1.5. Obtaining Nmap from the Subversion (SVN) Repository
  2.2. Unix Compilation and Installation from Source Code
    2.2.1. Configure Directives
    2.2.2. If You Encounter Compilation Problems
  2.3. Linux Distributions
    2.3.1. RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
    2.3.2. Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
    2.3.3. Debian Linux and Derivatives such as Ubuntu
    2.3.4. Other Linux Distributions
  2.4. Windows
    2.4.1. Windows 2000 Dependencies
    2.4.2. Windows Self-installer
    2.4.3. Command-line Zip Binaries
      Installing the Nmap zip binaries
    2.4.4. Compile from Source Code
    2.4.5. Executing Nmap on Windows
  2.5. Sun Solaris
  2.6. Apple Mac OS X
    2.6.1. Executable Installer
    2.6.2. Compile from Source Code
      Compile Nmap from source code
      Compile Zenmap from source code
    2.6.3. Third-party Packages
    2.6.4. Executing Nmap on Mac OS X
  2.7. FreeBSD / OpenBSD / NetBSD
    2.7.1. OpenBSD Binary Packages and Source Ports Instructions
    2.7.2. FreeBSD Binary Package and Source Ports Instructions
      Installation of the binary package
      Installation using the source ports tree
    2.7.3. NetBSD Binary Package Instructions
  2.8. Amiga, HP-UX, IRIX, and Other Platforms
  2.9. Removing Nmap
3. Host Discovery (Ping Scanning)
  3.1. Introduction
  3.2. Specifying Target Hosts and Networks
    3.2.1. Input From List (-iL)
    3.2.2. Choose Targets at Random (-iR)
    3.2.3. Excluding Targets (--exclude, --excludefile)
    3.2.4. Practical Examples
  3.3. Finding an Organization's IP Addresses
    3.3.1. DNS Tricks
    3.3.2. Whois Queries Against IP Registries
    3.3.3. Internet Routing Information
  3.4. DNS Resolution
  3.5. Host Discovery Controls
    3.5.1. List Scan (-sL)
    3.5.2. Ping Scan (-sP)
    3.5.3. Disable Ping (-PN)
  3.6. Host Discovery Techniques
    3.6.1. TCP SYN Ping (-PS)
    3.6.2. TCP ACK Ping (-PA)
    3.6.3. UDP Ping (-PU)
    3.6.4. ICMP Ping Types (-PE, -PP, and -PM)
    3.6.5. IP Protocol Ping (-PO)
1 Based on download frequency, number of Google hits, and Freshmeat.Net software "popularity" ranking.
2 http://nmap.org/movies.html

Starting with the basics, this book gives an overview of Nmap by example in Chapter 1. Then Chapter 2 covers obtaining, compiling and installing Nmap. Chapters 3 through 5 cover features in the order you might use them when conducting a penetration test. First comes host discovery ("ping scanning"), which determines the available hosts on a network. Next, port scanning is covered in depth. In Chapter 5, all the Nmap scanning techniques are detailed, with advice and examples. Scanning a large network can take a long time, so Chapter 6 is full of performance optimization advice. Chapter 7 details service and application version detection, in which Nmap queries ports to determine exactly what is running rather than simply guessing based on the port number. Chapter 8 covers one of Nmap's most loved features: remote OS detection. Chapter 9 details one of Nmap's newest features: the Nmap Scripting Engine. NSE allows users and developers to easily extend Nmap with new features by writing simple scripts to be efficiently executed against target machines. My favorite chapter is number 10: Detecting and Subverting Firewalls and Intrusion Detection Systems. For balance, that is followed by a chapter on defending against Nmap scans. Chapter 12 then fully documents the Zenmap multi-platform Nmap GUI and results viewer. The next two chapters cover output formats and data files. The final and longest chapter is the Nmap Reference Guide, a quick resource for looking up specific Nmap options.

Scattered throughout the book are detailed instructions for performing common tasks such as scanning a network for a certain single open TCP port or detecting wireless access points by scanning from the wired side. First each problem is described, then an effective solution is provided. A final discussion section describes the solution in more depth and may provide alternative solutions and insights into similar problems.

3. Conventions

Nmap output is used throughout this book to demonstrate principles and features. The output is often edited to cut out lines which are irrelevant to the point being made. The dates/times and version numbers printed by Nmap are generally removed as well, since some readers find them distracting. Sensitive information such as hostnames, IP addresses, and MAC addresses may be changed or removed. Other information may be cut or lines wrapped so that they fit on a printed page. Similar editing is done for the output of other applications. Example 1 gives a glimpse at Nmap's capabilities while also demonstrating output formatting.

Example 1. A typical Nmap scan

    # nmap -A -T4 scanme.nmap.org

    Starting Nmap ( http://nmap.org )
    Interesting ports on scanme.nmap.org (64.13.134.52):
    Not shown: 994 filtered ports
    PORT    STATE  SERVICE VERSION
    22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
    25/tcp  closed smtp
    53/tcp  open   domain  ISC BIND 9.3.4
    70/tcp  closed gopher
    80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
    |_ HTML title: Go ahead and ScanMe!
    /tcp    closed auth
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.20-1 (Fedora Core 5)

    TRACEROUTE (using port 80/tcp)
    HOP RTT   ADDRESS
    [Cut first seven hops for brevity]
    8   10.59 so-4-2-0.mpr3.pao1.us.above.net (64.125.28.142)
    9   11.00 metrod.sv.svcolo.com (208.185.168.173)
    10  9.93  scanme.nmap.org (64.13.134.52)

    Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

Special formatting is provided for certain tokens, such as filenames and application commands. Table 1 demonstrates the most common formatting style conventions.

Table 1. Formatting style conventions

    Token type             Example
    Literal string         I get much more excited by ports in the open state than those reported as closed or filtered.
    Command-line options   One of the coolest, yet least understood Nmap options is --packet-trace.
    Filenames              Follow the option with the input filename such as C:\net\dhcp-leases.txt or /home/h4x/hosts-to-pwn.lst.
    Emphasis               Using Nmap from your work or school computer to attack banks and military targets is a bad idea.
    Application commands   Trinity scanned the Matrix with the command nmap -v -sS -O 10.2.2.2.
    Replaceable variables  Let be the machine running Nmap and be microsoft.com.

4. Other Resources

While this book is an important reference for Nmap, it isn't the only one. The Nmap web page at http://nmap.org is not just for downloads. It also provides substantial documentation from Nmap developers and third parties. For example, you can find the Nmap Reference Guide translated into a dozen languages there. Other books, videos, and articles covering Nmap are also available.

The official web site for this book is at http://nmap.org/book/. Go there for errata, updates, and many sample chapters.

Any serious Nmap user should subscribe to the nmap-hackers mailing list for announcements about Nmap and Insecure.Org. Traffic is very light (about six posts per year) because it is reserved for only the most important announcements. Developers and particularly devoted users can also subscribe to the nmap-dev mailing list. Traffic is much higher (hundreds of posts per month), but it is a great place to learn about and try new features before they are released and to pick up tips from advanced users. Subscription information and archives for both lists are available at http://seclists.org.

While Nmap can be useful, it won't solve all of your security problems. Every few years I do a survey of thousands of Nmap users to determine what other tools they like. The list is posted at http://sectools.org, which has become one of my most popular web sites. Read through the list and you are sure to find many gems you had never even heard of. Most of the tools are free and open source.

5. Request for Comments

While I tried my best to make this book comprehensive, accurate, and up-to-date, we all make mistakes. If you find any problems or just have suggestions for making this book better, please let me know by email. The open source principle of many readers and contributors is just as viable for documentation as for software. As the next section attests, dozens of people have already generously contributed their time and skills to make this book a success. If you have a question or comment about Nmap (rather than this book itself), it is best sent to the Nmap development list as described at Section 15.17, "Bugs" [411].

6. Acknowledgements

When I first floated the idea of writing an Nmap book to the nmap-hackers mailing list, I was inundated with suggestions and offers to help. This outpouring of enthusiasm convinced me to proceed. My complete naivety about how much work was involved also contributed to my decision. It has been quite an undertaking, but what kept me going chapter by chapter was a private review group called the nmap-writers. They provided invaluable feedback, advice, and detailed review notes throughout the process. In particular, I would like to thank the following people:

* David Fifield is listed first (everyone else is alphabetical) because he was a tremendous help during the book writing process. He solved a number of technical DocBook problems, created many of the final illustrations from my terrible drafts, dramatically improved the index, helped with proofreading, and even wrote Chapter 12, Zenmap GUI Users' Guide [307].
* Matt Baxter allowed the use of his beautiful TCP/IP header diagrams (in Section 7, "TCP/IP Reference" [xxvi]). Several other diagrams in this book were done in that style to match.
* Saurabh Bhasin contributed detailed feedback on a regular basis.
* Mark Brewis could always be counted on for good advice.
* Ellen Colombo was a big help from the beginning.
* Patrick Donnelly helped improve Chapter 9, Nmap Scripting Engine [205].
* Brandon Enright printed out the whole book and reviewed it chapter by chapter.
* Brian Hatch has always been a big help.
* Loren Heal was a continual source of ideas.
* Dan Henage provided advice and proofread numerous chapters.
* Tor Houghton reviewed every chapter, probably giving me more feedback than anyone else.
* Doug Hoyte documented the many Nmap features he added, and also handled most of the book indexing.
* Marius Huse Jacobsen reviewed many chapters, providing detailed feedback.
* Kris Katterjohn performed thorough reviews of several chapters.
* Eric Krosnes sent useful technical review feedback and also regularly nagged me about book progress. This was helpful since I didn't have a traditional editor to do so.
* Vlad Alexa Mancini created the Nmap eye logo for the cover (and the Nmap web site).
* Michael Naef kindly reviewed many chapters.
* Bill Pollock of No Starch Press was always happy to provide advice and answer book publishing questions based on his decades of experience.
* David Pybus was one of the most frequent contributors of ideas and proofreading.
* Tyler Reguly helped by reviewing multiple chapters just when it was most needed.
* Chuck Sterling provided both high level advice and detailed proofreading of several chapters.
* Anders Thulin provided detailed reviews of many chapters.
* Bennett Todd sent dozens of suggestions.
* Diman Todorov wrote an initial draft of Chapter 9, Nmap Scripting Engine [205].
* Catherine Tornabene read many chapters and sent extremely detailed feedback.

6.1. Technology Used to Create This Book

As an author of open source tools myself, I'm a big believer in their power and capability. So I made an effort to use them wherever possible in creating this book. I wasn't about to write it in Microsoft Word and then handle layout with Adobe FrameMaker!

Nmap Network Scanning was written with the GNU Emacs text editor in the DocBook XML format. The free online chapters are created from the XML using Norman Walsh's XSL Stylesheets and the xsltproc XSL processor.
The print version also uses Norman's stylesheets and xsltproc, but the output is to the XSL-FO format (3). An XSL-FO processor is then used to build a PDF. I would like to use Apache FOP (4) for this, but a footnote-related bug (5) prevents this, so I switched to the RenderX XEP Engine. XEP is proprietary, but at least it runs on Linux. I hope to switch back to FOP after the footnote bug is fixed. Cover layout was done with Scribus and (due to printing company format requirements) Adobe InDesign. Raster graphics for the cover and internal illustrations were created with The Gimp, while Inkscape was used for vector graphics. Subversion was used for revision control and the free web chapters are serviced by Apache httpd.

7. TCP/IP Reference

... with TCP/IP and networking concepts. You won't find a primer on the OSI seven-layer model or a rundown of the Berkeley Socket API within these pages. For a comprehensive guide to TCP/IP, I recommend "The TCP/IP Guide" by Charles Kozierok or the old classic "TCP/IP Illustrated, Volume I" by W. Richard Stevens.

While TCP/IP familiarity is expected, even the best of us occasionally forget byte offsets for packet header fields and flags. This section provides quick reference diagrams and field descriptions for the IPv4, TCP, UDP, and ICMP protocols. These beautiful diagrams from http://www.fatpipe.org/~mjb/Drawings are used by permission of author Matt Baxter.

3 http://en.wikipedia.org/wiki/XSL_Formatting_Objects
4 http://xmlgraphics.apache.org/fop/
5 https://issues.apache.org/bugzilla/show_bug.cgi?id=37579
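The byte offsets and flag bits that this reference section documents, as a decoder written for this page (example code, not from the book or from Nmap). The IPv4+TCP SYN packet it decodes is constructed inline; its TCP checksum is left at zero because computing it needs the pseudo-header, while the IPv4 header checksum is computed and verified.

```python
"""Decode IPv4 and TCP headers by their RFC 791 / RFC 793 byte layout.
Added example for this page; the sample packet below is constructed here."""

import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits in byte 13 of the TCP header (the values shown in the TCP figure).
TCP_FLAGS = {0x80: "CWR", 0x40: "ECE", 0x20: "URG", 0x10: "ACK",
             0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}
# The 3-bit IP flags field sits above the 13-bit fragment offset.
IP_FLAGS = {0x4: "RES", 0x2: "DF", 0x1: "MF"}


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's-complement sum used by IPv4, TCP, UDP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    version: int
    ihl: int                 # header length in 32-bit words; x4 for bytes
    tos: int
    total_length: int
    identification: int
    flags: List[str]
    fragment_offset: int     # in units of 8 bytes
    ttl: int
    protocol: int            # 6 = TCP, 17 = UDP, 1 = ICMP
    checksum: int
    src: str
    dst: str
    checksum_ok: bool


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int         # 32-bit words, minimum 5 (20 bytes)
    flags: List[str]
    window: int
    checksum: int
    urgent: int


def parse_ipv4(pkt: bytes) -> IPv4Header:
    ver_ihl, tos, tlen, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    hdr = bytearray(pkt[:ihl * 4])
    hdr[10:12] = b"\x00\x00"                # checksum is computed over a zeroed field
    return IPv4Header(
        version=ver_ihl >> 4, ihl=ihl, tos=tos, total_length=tlen,
        identification=ident,
        flags=[n for bit, n in IP_FLAGS.items() if (flags_frag >> 13) & bit],
        fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=proto,
        checksum=csum, src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        checksum_ok=ones_complement_checksum(bytes(hdr)) == csum)


def parse_tcp(seg: bytes) -> TCPHeader:
    sport, dport, seq, ack, off_res, flags, win, csum, urg = \
        struct.unpack("!HHIIBBHHH", seg[:20])
    return TCPHeader(
        src_port=sport, dst_port=dport, seq=seq, ack=ack,
        data_offset=off_res >> 4,           # upper nibble of byte 12
        flags=[n for bit, n in TCP_FLAGS.items() if flags & bit],
        window=win, checksum=csum, urgent=urg)


def build_sample_syn() -> bytes:
    """Constructed packet: TCP SYN 10.0.0.5:40000 -> 10.0.0.80:80, DF set, TTL 64."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    csum = ones_complement_checksum(ip)
    return ip[:10] + struct.pack("!H", csum) + ip[12:] + tcp


def decode(pkt: bytes) -> Tuple[IPv4Header, Optional[TCPHeader]]:
    """IPv4 header plus the TCP header that follows it when protocol is 6."""
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(pkt[ip.ihl * 4:]) if ip.protocol == 6 else None
    return ip, tcp


if __name__ == "__main__":
    ip_hdr, tcp_hdr = decode(build_sample_syn())
    print(ip_hdr)
    print(tcp_hdr)
```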
Figure 1. IPv4 header
[Diagram not reproduced in this extraction. Fields: Version, IHL (Internet Header Length, number of 32-bit words), Type of Service (TOS), Total Length, Identification, IP Flags, Fragment Offset (in units of 8 bytes), Time to Live (TTL), Protocol, Header Checksum (checksum of the entire IP header), Source Address, Destination Address, IP Options (variable length, optional, not common). Please refer to RFC 791 for the complete Internet Protocol (IP) specification.]

Figure 2. TCP header
[Diagram not reproduced in this extraction. Fields: Source Port, Destination Port, Sequence Number, Acknowledgment Number, Offset (number of 32-bit words in the TCP header, minimum value of 5; multiply by 4 to get byte count), Reserved, TCP Flags, Window, Checksum (checksum of entire TCP segment and pseudo header, parts of IP header), Urgent Pointer, TCP Options. TCP flags: C 0x80 Congestion Window Reduced (CWR), E 0x40 ECN Echo (ECE), U 0x20 Urgent, A 0x10 Ack, P 0x08 Push, R 0x04 Reset, S 0x02 Syn, F 0x01 Fin. ECN (Explicit Congestion Notification): see RFC 3168 for full details. TCP options: 0 End of Options List, 1 No Operation (NOP, Pad), 2 Maximum segment size, 3 Window Scale, 4 Selective ACK ok, 8 Timestamp. Please refer to RFC 793 for the complete Transmission Control Protocol (TCP) specification.]

Figure 3. UDP header
[Diagram not reproduced in this extraction. Fields: Source Port, Destination Port, Length, Checksum (checksum of entire UDP segment and pseudo header, parts of IP header). Please refer to RFC 768 for the complete User Datagram Protocol (UDP) specification.]
Figure 4. ICMP header
[Diagram not reproduced in this extraction. Fields: Type, Code, Checksum (checksum of ICMP header), followed by a message-type-specific body. Please refer to RFC 792 for the complete Internet Control Message Protocol (ICMP) specification.]

Chapter 1. Getting Started with Nmap

1.1. Introduction

Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

This chapter uses fictional stories to provide a broad overview of Nmap and how it is typically used. An important legal section helps users avoid (or at least be aware of) controversial usage that could lead to ISP account cancellation or even civil and criminal charges. It also discusses the risks of crashing remote machines as well as miscellaneous issues such as the Nmap license (GNU GPL), and copyright.

1.2. Nmap Overview and Demonstration

Sometimes the best way to understand something is to see it in action. This section includes examples of Nmap used in (mostly) fictional yet typical circumstances.
Nmap newbies should not expect to understand everything at once. This is simply a broad overview of features that are described in depth in later chapters. The "solutions" included throughout this book demonstrate many other common Nmap tasks for security auditors and network administrators.

1.2.1. Avatar Online

Felix dutifully arrives at work on December 15th, although he does not expect many structured tasks. The small San Francisco penetration-testing firm he works for has been quiet lately due to impending holidays. Felix spends business hours pursuing his latest hobby of building powerful Wi-Fi antennas for wireless assessments and war driving exploration. Nevertheless, Felix is hoping for more business. Hacking has been his hobby and fascination since a childhood spent learning everything he could about networking, security, Unix, and phone systems. Occasionally his curiosity took him too far, and Felix was almost swept up in the 1990 Operation Sundevil prosecutions. Fortunately Felix emerged from adolescence without a criminal record, while retaining his expert knowledge of security weaknesses. As a professional, he is able to perform the same types of network intrusions as before, but with the added benefit of contractual immunity from prosecution and even a paycheck! Rather than keeping his creative exploits secret, he can brag about them to client management when presenting his reports. So Felix was not disappointed when his boss interrupted his antenna soldering to announce that the sales department finally closed a pen-testing deal with the Avatar Online gaming company.

Avatar Online (AO) is a small company working to create the next generation of massive multi-player online role-playing games (MMORPGs). Their product, inspired by the Metaverse envisioned in Neal Stephenson's Snow Crash, is fascinating but still highly confidential. After witnessing the high-profile leak (1) of Valve Software's upcoming game source code, AO quickly hired the security consultants. Felix's task is to initiate an external (from outside the firewall) vulnerability assessment while his partners work on physical security, source code auditing, social engineering, and so forth. Felix is permitted to exploit any vulnerabilities found.

The first step in a vulnerability assessment is network discovery. This reconnaissance stage determines what IP address ranges the target is using, what hosts are available, what services those hosts are offering, general network topology details, and what firewall/filtering policies are in effect.

Determining the IP ranges to scan would normally be an elaborate process involving ARIN (or another geographical registry) lookups, DNS queries and zone transfer attempts, various web sleuthing techniques, and more. But in this case, Avatar Online explicitly specified what networks they want tested: the corporate network on 6.209.24.0/24 and their production/DMZ systems residing on 6.207.0.0/22. Felix checks the ARIN IP allocation records anyway and confirms that these IP ranges belong to AO (2). Felix subconsciously decodes the CIDR notation (3) and recognizes this as 1,280 IP addresses. No problem.

Being the careful type, Felix first starts out with what is known as an Nmap list scan (-sL option). This feature simply enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n was specified) on each. One reason to do this first is stealth. The names of the hosts can hint at potential vulnerabilities and allow for a better understanding of the target network, all without raising alarm bells (4). Felix is doing this for another reason—to double-check that the IP ranges are correct. The systems administrator who provided the IPs might have made a mistake, and scanning the wrong company would be a disaster. The contract signed with Avatar Online may act as a get-out-of-jail-free card for penetrating their networks, but will not help if Felix accidentally roots another company's server! The command he uses and an excerpt of the results are shown in Example 1.1.

1 http://www.smh.com.au/articles/2003/10/03/1064988378345.html
2 These IP addresses are actually registered to the United States Army Yuma Proving Ground, which is used to test a wide variety of artillery, missiles, tanks, and other deadly weapons. The moral is to be very careful about who you scan, lest you accidentally hit a highly sensitive network. The scan results in this story are not actually from this IP range.
3 Classless Inter-Domain Routing (CIDR) notation is a method for describing networks with more granularity than class A (CIDR /8), class B (CIDR /16), or class C (CIDR /24) notation. An excellent description is available at http://public.pacbell.net/dedicated/cidr.html.
4 It is possible that the target nameserver will log a suspicious bunch of reverse-DNS queries from Felix's nameserver, but most organizations don't even keep such logs, much less analyze them.

Example 1.1. Nmap list scan against Avatar Online IP addresses

    felix> nmap -sL 6.209.24.0/24 6.207.0.0/22

    Starting Nmap ( http://nmap.org )
    Host 6.209.24.0 not scanned
    Host fw.corp.avataronline.com (6.209.24.1) not scanned
    Host dev2.corp.avataronline.com (6.209.24.2) not scanned
    Host 6.209.24.3 not scanned
    Host 6.209.24.4 not scanned
    Host 6.209.24.5 not scanned
    Host dhcp-21.corp.avataronline.com (6.209.24.21) not scanned
    Host dhcp-22.corp.avataronline.com (6.209.24.22) not scanned
    Host dhcp-23.corp.avataronline.com (6.209.24.23) not scanned
    Host dhcp-24.corp.avataronline.com (6.209.24.24) not scanned
    Host dhcp-25.corp.avataronline.com (6.209.24.25) not scanned
    Host dhcp-26.corp.avataronline.com (6.209.24.26) not scanned
    Host 6.207.0.0 not scanned
    Host gw.avataronline.com (6.207.0.1) not scanned
    Host ns1.avataronline.com (6.207.0.2) not scanned
    Host ns2.avataronline.com (6.207.0.3) not scanned
    Host ftp.avataronline.com (6.207.0.4) not scanned
    Host 6.207.0.5 not scanned
    Host 6.207.0.6 not scanned
    Host www.avataronline.com (6.207.0.7) not scanned
    Host 6.207.0.8 not scanned
    Host cluster-c120.avataronline.com (6.207.2.120) not scanned
    Host cluster-c121.avataronline.com (6.207.2.121) not scanned
    Host cluster-c122.avataronline.com (6.207.2.122) not scanned
    Host cluster-c123.avataronline.com (6.207.2.123) not scanned
    Host cluster-c124.avataronline.com (6.207.2.124) not scanned
    Host 6.207.3.253 not scanned
    Host 6.207.3.254 not scanned
    Host 6.207.3.255 not scanned
    Nmap done: 1280 IP addresses scanned in 331.49 seconds
    felix>

Reading over the results, Felix finds that all of the machines with reverse-DNS entries resolve to Avatar Online. No other businesses seem to share the IP space. Moreover, these results give Felix a rough idea of how many machines are in use and a good idea of what many are used for. He is now ready to get a bit more intrusive and try a port scan. He uses Nmap features that try to determine the application and version number of each service listening on the network. He also requests that Nmap try to guess the remote operating system via a series of low-level TCP/IP probes known as OS fingerprinting. This sort of scan is not at all stealthy, but that does not concern Felix. He is interested in whether the administrators of AO even notice these blatant scans. After a bit of consideration, Felix settles on the following command:

    nmap -sS -p- -PS22,80,113,33334 -PA80,113,21000 -PU19000 -PE -A -T4 -oA avatartcpscan-121503 6.209.24.0/24 6.207.0.0/22
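Felix's double-check of the scope, as an added example that is not part of the book or of Nmap: it parses list-scan output in the format of Example 1.1, confirms the address count implied by the contracted CIDR ranges, and flags any reverse-DNS name that does not fall under the client's domain or any address outside the agreed ranges. The hostnames and addresses are constructed, modelled on Example 1.1; mail.othercorp.example is a made-up out-of-scope name planted to trigger the check.

```python
"""Scope check for Nmap list-scan (-sL) output. Added example for this page;
the sample output below is constructed, in the shape Nmap prints it."""

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt modelled on Example 1.1 (one foreign PTR name planted).
LIST_SCAN_OUTPUT = """\
Starting Nmap ( http://nmap.org )
Host 6.209.24.0 not scanned
Host fw.corp.avataronline.com (6.209.24.1) not scanned
Host dev2.corp.avataronline.com (6.209.24.2) not scanned
Host 6.209.24.3 not scanned
Host gw.avataronline.com (6.207.0.1) not scanned
Host ns1.avataronline.com (6.207.0.2) not scanned
Host mail.othercorp.example (6.207.0.9) not scanned
Host www.avataronline.com (6.207.0.7) not scanned
Nmap done: 8 IP addresses scanned in 3.10 seconds
"""

# -sL prints either "Host <name> (<ip>) not scanned" or "Host <ip> not scanned".
HOST_RE = re.compile(r"^Host (?:(\S+) \((\S+)\)|(\S+)) not scanned$")


@dataclass
class Host:
    ip: ipaddress.IPv4Address
    name: Optional[str]          # None when the address has no PTR record


def parse_list_scan(output: str) -> List[Host]:
    """Collect the Host lines of -sL output, ignoring banner and summary."""
    hosts = []
    for line in output.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            name, ip_with_name, bare_ip = m.groups()
            hosts.append(Host(ipaddress.ip_address(ip_with_name or bare_ip), name))
    return hosts


def expected_address_count(cidrs: List[str]) -> int:
    """What Felix decodes in his head: a /24 plus a /22 is 256 + 1024 = 1280."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def _in_domain(name: str, domain: str) -> bool:
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def out_of_scope_names(hosts: List[Host], client_domain: str) -> List[Host]:
    """Hosts whose PTR record is not under the client's domain. A foreign name
    does not prove the address belongs to someone else, but it is exactly the
    surprise that should pause the engagement until the scope is re-confirmed."""
    return [h for h in hosts if h.name and not _in_domain(h.name, client_domain)]


def addresses_outside_ranges(hosts: List[Host], cidrs: List[str]) -> List[Host]:
    """Listed addresses not inside any contracted range (catches a typo in the
    target specification before any packet reaches the wrong network)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [h for h in hosts if not any(h.ip in n for n in nets)]


if __name__ == "__main__":
    contracted = ["6.209.24.0/24", "6.207.0.0/22"]
    found = parse_list_scan(LIST_SCAN_OUTPUT)
    print("contracted addresses:", expected_address_count(contracted))
    for h in out_of_scope_names(found, "avataronline.com"):
        print("PTR outside client domain:", h.ip, h.name)
    for h in addresses_outside_ranges(found, contracted):
        print("address outside contracted ranges:", h.ip)
```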