Using Nmap to Scan Networks

Find out your IP address and more

When the Command Prompt opens, enter this command & press Enter:

ipconfig

Somewhere in the results you should see something that looks like this:

Ethernet adapter Local Area Connection: 
 Connection-specific DNS Suffix . : 
 IP Address. . . . . . . . . . . . : 192.168.0.8 
 Subnet Mask . . . . . . . . . . . : 255.255.255.0 
 IP Address. . . . . . . . . . . . : fe80::211:d8ff:fe90:d67f%6 
 Default Gateway . . . . . . . . . : 192.168.0.1

Note the IP Address line; mine is 192.168.0.8. Also note your Default Gateway; mine is 192.168.0.1.

Often you will find instead that your IP address is 192.168.1.100—note the 1 in the third place instead of 0. In that case, your Internet Gateway address is probably 192.168.1.1.

Write down these numbers on a piece of paper.

Boot with Auditor

Insert Auditor into your CD-ROM & reboot your computer. Your PC should recognize the CD & boot with it.

Once Auditor is up and running, let's first make sure you're online. Go to K menu > Settings > Netconfig (Network card config). Press OK to use DHCP. It should inform you that you now have an IP address. Note the IP address you're assigned. In my case, it was 192.168.0.118.

My IP address is 192.168.0.118. My Internet Gateway address is still 192.168.0.1, the same as when I was running Windows.

Nmap

Now let's use Nmap, a network scanner. Go to K menu > Auditor > Scanning > Network Scanner > Nmap (Network scanner).

A command line window should open. At the top it will list all of the various options for Nmap.

How many computers are on your network?

Remember your Internet Gateway address? Mine was 192.168.0.1. Enter the following and press Enter.

nmap -sP -PI -PT 192.168.0.1/24

Notice that the final part of the line is my Internet Gateway address, followed by a forward slash, and then the number 24. Duplicate that "formula," but substitute your Internet Gateway address, so that you might instead use this command:

nmap -sP -PI -PT 192.168.1.1/24

In a few seconds, Nmap will tell you all the other machines that are on your network. In my case, I had this list:

Starting nmap 3.75 (http://www.insecure.org/nmap/) at 2005-06-08 14:28 EDT
Host 192.168.0.0 seems to be a subnet broadcast address (returned 2 extra pings).
Host 192.168.0.1 appears to be up.
MAC Address: 00:12:17:31:4F:C4 (Cisco-Linksys)
Host 192.168.0.8 appears to be up.
MAC Address: 00:11:D8:90:D6:7F (Asustek Computer)
Host 192.168.0.13 appears to be up.
MAC Address: 00:C0:4F:A1:25:89 (Dell Computer)
Host 192.168.0.102 appears to be up.
MAC Address: 00:C0:4F:A1:27:BF (Dell Computer)
Host 192.168.0.108 appears to be up.
MAC Address: 00:0D:88:66:FB:87 (D-Link)
Host 192.168.0.118 appears to be up.
Host 192.168.0.160 appears to be up.
MAC Address: 00:80:77:39:3F:44 (Brother Industries)
Host 192.168.0.255 seems to be a subnet broadcast address (returned 2 extra pings).
Nmap run completed—256 IP addresses (7 hosts up) scanned in 3.626 seconds

This method doesn't always work. My Mac OS X machine, for instance, has a built-in firewall that hid it from this particular Nmap command, so 192.168.0.6 didn't show up (which is a good thing).
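To turn the sweep above into something you can check against, here is an added example (not from the original page or the Auditor CD) that derives the /24 target from the ipconfig IP and subnet mask, parses the nmap 3.75 ping-sweep output into a host inventory, and flags any device whose MAC is not on a list of known hardware. Nmap treats 192.168.0.1/24 and 192.168.0.0/24 as the same range, so the computed target is equivalent to the command shown; the sample output and the known-MAC list are constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of the nmap 3.75 "-sP" output shown above.
SWEEP_OUTPUT = """\
Starting nmap 3.75 (http://www.insecure.org/nmap/) at 2005-06-08 14:28 EDT
Host 192.168.0.0 seems to be a subnet broadcast address (returned 2 extra pings).
Host 192.168.0.1 appears to be up.
MAC Address: 00:12:17:31:4F:C4 (Cisco-Linksys)
Host 192.168.0.8 appears to be up.
MAC Address: 00:11:D8:90:D6:7F (Asustek Computer)
Host 192.168.0.118 appears to be up.
Host 192.168.0.160 appears to be up.
MAC Address: 00:80:77:39:3F:44 (Brother Industries)
Host 192.168.0.255 seems to be a subnet broadcast address (returned 2 extra pings).
Nmap run completed -- 256 IP addresses (4 hosts up) scanned in 3.626 seconds
"""

HOST_UP = re.compile(r"^Host (\S+) appears to be up\.$")
MAC_LINE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")


def sweep_target(ip, mask):
    """Turn the ipconfig IP/mask pair into the CIDR range nmap expects,
    e.g. 192.168.0.8 + 255.255.255.0 -> '192.168.0.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def parse_sweep(text):
    """Return {ip: (mac, vendor)}; mac and vendor are None when nmap printed
    no MAC line, which happens for the scanning machine itself."""
    hosts = {}
    last = None
    for line in text.splitlines():
        m = HOST_UP.match(line)
        if m:
            last = m.group(1)
            hosts[last] = (None, None)
            continue
        m = MAC_LINE.match(line)
        if m and last is not None:
            hosts[last] = (m.group(1), m.group(2))
            last = None
    return hosts


def unknown_hosts(hosts, known_macs, own_ip):
    """Inventory check: responding hosts whose MAC is not on the known list.
    The scanner never reports its own MAC, so it is excluded by IP."""
    return sorted(ip for ip, (mac, _) in hosts.items()
                  if ip != own_ip and mac not in known_macs)
```

Firewalled hosts such as the Mac mentioned above never appear in the sweep at all, so an empty unknown list does not mean the network holds only known devices.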

What ports are open on my computers?

Now let's find out what ports are open & responding on the computers on your network. Think of a port like an old-fashioned telephone operator waiting to respond to a phone call & connect you to someone. The operator sits waiting, and then the phone rings. The operator says, "Hello, who is it and who do you want?" When the operator gets that info, he can route the call appropriately. In the same way that a large office building used to have hundreds of operators, your computer has thousands of ports.

Some ports on a computer listen for World Wide Web traffic, while others listen for email, or IM, or FTP, and so on. Basically, if a program on your computer uses the network, it has to go through a port. For example, if your computer detects that World Wide Web traffic is coming in, it routes that traffic to the correct port so that your web browser can use it. After all, your IM program wouldn't know what to do with a web page, would it?

Look back at the list of computers that Nmap found on your network. Pick one of the IP addresses in that list. In my case, I'm going to use 192.168.0.8, which is my Windows XP machine. I enter the following on the command line and press Enter:

nmap -sS -O -PI -PT 192.168.0.8

I get this result after a short wait while Nmap does its job:

Starting nmap 3.75 (http://www.insecure.org/nmap/) at 2005-06-08 15:06 EDT
Interesting ports on 192.168.0.8:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
8081/tcp closed blackice-icecap
8082/tcp closed blackice-alerts
MAC Address: 00:11:D8:90:D6:7F (Asustek Computer)
Device type: general purpose
Running: IBM AIX 4.X, Microsoft Windows 2003/.NET
OS details: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, Microsoft Windows Server 2003

Nmap run completed—1 IP address (1 host up) scanned in 26.524 seconds

This tells me that a few ports are open on my machine: 139, 445, 8080, 8081, and 8082.
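When reading a port scan it matters which of the three states nmap reports: "open" means something is listening, "closed" means the host answered but nothing listens there, and "filtered" means no answer came back, usually because a firewall dropped the probe. This added example (not from the original page) parses the nmap 3.75 port table above, including the "not shown below" header line, and separates the three; the sample output is constructed from the scan shown.

```python
import re

# Constructed sample in the shape of the nmap 3.75 "-sS -O" output shown above.
SCAN_OUTPUT = """\
Starting nmap 3.75 (http://www.insecure.org/nmap/) at 2005-06-08 15:06 EDT
Interesting ports on 192.168.0.8:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
8081/tcp closed blackice-icecap
8082/tcp closed blackice-alerts
MAC Address: 00:11:D8:90:D6:7F (Asustek Computer)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)$")
NOT_SHOWN = re.compile(
    r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)$")


def parse_ports(text):
    """Return (shown, not_shown): shown maps (port, proto) -> (state, service)
    for the listed rows; not_shown is (count, state) for the ports nmap
    collapsed into its parenthesised header line."""
    shown = {}
    not_shown = (0, None)
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            shown[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
    return shown, not_shown


def exposure_summary(text):
    """Split the scan into what is actually listening, what merely answered,
    and how many probes got no reply at all."""
    shown, (count, state) = parse_ports(text)
    by_state = {"open": [], "closed": []}
    for (port, _proto), (st, _svc) in sorted(shown.items()):
        by_state.setdefault(st, []).append(port)
    by_state["filtered"] = count if state == "filtered" else 0
    return by_state
```

Only the "open" list is exposed services; the "closed" rows still show that the host is reachable on those ports, which is why a host-based firewall that turns them into "filtered" is the stronger posture.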

What ports are open on my network?

If I want to scan my whole network, I use this command:

nmap -sS -O -PI -PT 192.168.0.1/24

Again, you should use your Internet Gateway address in the above command, so you may use 192.168.1.1 instead of 192.168.0.1.

After a while, I get my results back. It's a long list, since I have a lot of computers on my network. Your list will probably be much shorter.

Reboot

To stop using Auditor, just go to K menu > Logout, and then choose Restart Computer. Take out the CD when you're told you can, and your machine will go right back to Windows!

WebSanity Top Secret