About This Book

When I started writing this book, I thought it would be a quick twenty-page tutorial on how to use the most basic nmap functions. As I began writing, I found that nmap's feature-rich functionality began to pull me in. My focus completely changed. My two-week writing plans turned into months of nmap network scans, megabytes of protocol decodes, and a complete immersion in nmap's source code.


This book was written from the perspective of the security team, because it is the security team that is managing some of the largest technological responsibilities that our industry has ever experienced. As the first line of this book affirms, our networks really are a Wild West. The security group is always scrambling for methods to combat these constantly increasing and evolving threats.

Nmap is a tool that has been available to network security professionals for years, but it's surprising how many haven't taken advantage of the most basic nmap functionality. I hope that this book will allow security teams to learn more about this incredibly powerful program and help them become better security professionals.


How This Book is Organized
This book consists of eleven chapters, with each chapter designed as a stand-alone set of related topics. If you are already familiar with the basic nmap scans but you need more information about timing and tuning options, you can skip ahead without missing too much.

Chapter 1: The Basics
It's almost impossible to understand the foundation of nmap without an understanding of the underlying protocols, and it's just as difficult to understand nmap's operation without an overview of its architecture. If you've never touched a network or you are just learning nmap, this is a great place to start.


Chapter 2: Nmap Scanning Techniques
Nmap is about scanning, so the first nmap-specific chapter details every possible scanning method. Every nmap scan type is profiled in technical minutiae, all the way down to the packet. Each scan technique also includes a list of advantages, disadvantages, and usage recommendations.

Chapter 3: Nmap's Ping Options
The process that runs prior to the actual nmap scan is the lesser-known but exceedingly vital nmap ping process. If nmap can't ping a remote device, all of the work that went into choosing a scanning method and its associated options is completely wasted, because nmap will not scan a host it believes is down unless the ping step is explicitly disabled.

Chapter 4: Operating System Fingerprinting
Nmap's operating system fingerprinting process is often overlooked, so this chapter should turn some heads. Nmap can provide amazing detail about a remote device using only fourteen IP frames that never open an application session or log in. If you've never used nmap to fingerprint an OS, you'll be floored after reading this chapter.

Chapter 5: Host and Port Options
Chapters 5 through 10 group the remaining nmap options into six distinct categories. Chapter 5 details the nmap options related to hosts and ports. If an nmap scan requires that a specific IP address be excluded or that UDP port 535 be included, this is the chapter to consult.

Chapter 6: Logging Options
The scan is simply the means to an end. The end, or the log file, is where all of the important information will be stored. Nmap includes many different logging options, and this chapter will document all of them!

Chapter 7: Real-Time Information Options
As nmap runs, it can provide real-time packet decode information, internal debugging data, or feedback about the version scanning process. Chapter 7 presents each real-time information option and provides suggestions of when each option might be best applied.

Chapter 8: Tuning and Timing Options
Nmap allows customization of the timing and structure of every packet sent to the network. Chapter 8 documents this advanced feature set and shows how it can be applied to almost any scanning scenario.

Chapter 9: Windows-Only Nmap Options
Nmap can run on many different operating systems, but successfully using nmap in Microsoft Windows can be a challenge. Chapter 9 documents each Windows-based option and describes how these options can be used to troubleshoot nmap in a Windows environment.

Chapter 10: Miscellaneous Options
There are some options that just won't fit anywhere else. Chapter 10 provides a catch-all for nmap's more esoteric (or bland) choices.

Chapter 11: Using Nmap in the "Real World"
This is the chapter that started it all. If a security manager wants to know how nmap could assist with security-related challenges, this chapter should provide some talking points.


Conventions Used in This Book
There are some standard conventions used throughout this book that should assist in identifying important information:

  • Fixed-width fonts are used to display nmap output or to specify command syntax. These fonts are also displayed when nmap options or filenames are referenced.
  • Less-than signs (<) and greater-than signs (>) are used to delineate non-optional syntax. For example, the text -P <portnumber> signifies that the portnumber variable is required whenever the -P option is used.
  • Square brackets [ ] delineate optional syntax. For example, the text -PS[portlist] signifies that the -PS option could be used without the portlist variable.
  • The NetworkUptime.com glow-in-the-dark clock icon highlights "secrets" about nmap or its functions. These important notes are worth the read!