ethical uses of nmap: scanning your home network

I routinely monitor the devices on my home network for many reasons:

  • did the kids really turn off their phones / tablets at night when I told them to?
  • has someone hacked my wifi?
  • are my routers / switches up and running?
  • are my home servers up?
  • what IP address did the device I just plugged in get from my ISP’s router?

While there are many tools at my disposal for any of these issues, nmap is usually where I start.  While one could easily use nmap for nefarious purposes, I focus on penetration testing networks / devices that belong to me, like my home network, VPSes that I lease, and my networking lab.  My ISP actually forbids port scanning in its terms of service, so I steer clear of doing any port scanning from home against anything outside my own LAN.

I just plugged in my new pine64 running debian into my home network, and wanted to know the IP address so I could ssh into it.  To discover this, I did a ‘before’ scan of my network to see what was online.

nmap -T5 192.168.0.2-51

This tells nmap to scan the specified address range (192.168.0.2 through 192.168.0.51), and -T5 selects the most aggressive timing template to make it quick.  The “retransmission cap hit” warnings below are a side effect of that aggressive timing: -T5 gives up on a port after only two probes, so a busy or slow host may have ports reported as filtered that a slower scan would resolve.  Here are the results.

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-21 22:20 CST
Warning: 192.168.0.13 giving up on port because retransmission cap hit (2).
Warning: 192.168.0.8 giving up on port because retransmission cap hit (2).
Warning: 192.168.0.10 giving up on port because retransmission cap hit (2).
Warning: 192.168.0.9 giving up on port because retransmission cap hit (2).
Warning: 192.168.0.12 giving up on port because retransmission cap hit (2).
Warning: 192.168.0.2 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.0.2
Host is up (0.0037s latency).
Not shown: 733 closed ports, 266 filtered ports
PORT STATE SERVICE
62078/tcp open iphone-sync

Nmap scan report for 192.168.0.5
Host is up (0.00031s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh

Nmap scan report for 192.168.0.7
Host is up (0.00018s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
445/tcp open microsoft-ds
995/tcp open pop3s
3128/tcp open squid-http
3306/tcp open mysql

Nmap scan report for 192.168.0.8
Host is up (0.0039s latency).
Not shown: 694 closed ports, 304 filtered ports
PORT STATE SERVICE
49153/tcp open unknown
62078/tcp open iphone-sync

Nmap scan report for 192.168.0.9
Host is up (0.018s latency).
Not shown: 646 closed ports, 351 filtered ports
PORT STATE SERVICE
49152/tcp open unknown
49154/tcp open unknown
62078/tcp open iphone-sync

Nmap scan report for 192.168.0.10
Host is up (0.00027s latency).
Not shown: 790 closed ports, 203 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
515/tcp open printer
631/tcp open ipp
7443/tcp open oracleas-https
9100/tcp open jetdirect

Nmap scan report for 192.168.0.11
Host is up (0.011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh

Nmap scan report for 192.168.0.12
Host is up (0.0020s latency).
Not shown: 671 closed ports, 328 filtered ports
PORT STATE SERVICE
62078/tcp open iphone-sync

Nmap scan report for 192.168.0.13
Host is up (0.0028s latency).
Not shown: 569 filtered ports, 430 closed ports
PORT STATE SERVICE
62078/tcp open iphone-sync

Nmap done: 50 IP addresses (9 hosts up) scanned in 32.16 seconds

Here I can see that my LAMP server is up, a few iPhones, my printer, and a few PCs.  Now, I turn on the pine64 and rescan.

BOOYizzAH!  A new device at 192.168.0.16 with port 22 (ssh) open.

Nmap scan report for 192.168.0.16
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
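As an added example that is not part of the original post, here is a small Python script that automates the before/after comparison: it parses nmap's normal output (the format shown above) into a host-to-open-ports map and reports new hosts, hosts that disappeared, and ports that newly opened on hosts present in both scans. The two sample scans are constructed for the example.

```python
import re
# Constructed sample nmap normal output, modelled on the before/after scans above.
BEFORE = """\
Nmap scan report for 192.168.0.5
22/tcp open ssh

Nmap scan report for 192.168.0.10
80/tcp open http
9100/tcp open jetdirect
"""

AFTER = """\
Nmap scan report for 192.168.0.5
22/tcp open ssh

Nmap scan report for 192.168.0.10
23/tcp open telnet
80/tcp open http
9100/tcp open jetdirect

Nmap scan report for 192.168.0.16
Host is up (0.00032s latency).
PORT STATE SERVICE
22/tcp open ssh
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+")

def parse_scan(text):
    """Map each host reported up to the set of its open ports, e.g. {'22/tcp'}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, set())   # a host may be up with no open ports
        elif current is not None:
            m = PORT_RE.match(line)            # other lines (latency, headers) are skipped
            if m:
                hosts[current].add(f"{m.group(1)}/{m.group(2)}")
    return hosts

def diff_scans(before, after):
    """Return new hosts, vanished hosts, and newly opened ports on hosts seen in both."""
    b, a = parse_scan(before), parse_scan(after)
    new_hosts = sorted(set(a) - set(b))
    gone_hosts = sorted(set(b) - set(a))
    new_ports = {h: sorted(a[h] - b[h]) for h in a if h in b and a[h] - b[h]}
    return new_hosts, gone_hosts, new_ports
```

Feed it two saved scans (nmap -oN before.txt ... / -oN after.txt ...) and the new-host list is the device you just plugged in, while a newly opened port on a known host is worth a second look.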

using nmap for OS detection

The OS detection feature is pretty awesome.  Here, I scan a cisco 2940 ethernet switch.  The -A option enables OS detection, version detection, default script scanning and traceroute in one go, and -vv turns up the verbosity so the raw fingerprint is printed.

nmap -vv -T5 -A 192.168.0.200

Below is a portion of the output of this command.  It correctly guesses a cisco device (easily ascertained from the OUI, the first three octets of the MAC address, which nmap can read because the switch is on the same LAN segment), and more specifically a 2900 series switch running IOS 12.x.

PORT STATE SERVICE REASON VERSION
23/tcp open telnet syn-ack ttl 255 Cisco router telnetd
80/tcp open http syn-ack ttl 255 Cisco IOS http config
| http-auth:
| HTTP/1.0 401 Unauthorized
|_ Basic realm=level 15 access
| http-methods:
|_ Supported Methods: GET POST
|_http-title: Authorization Required
MAC Address: 00:14:XX:XX:XX:XX (Cisco Systems)
Device type: switch
Running: Cisco IOS 12.X
OS CPE: cpe:/o:cisco:ios:12.1
OS details: Cisco 2900-series or 3700-series switch (IOS 12.1)
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=4%D=11/21%OT=23%CT=1%CU=41341%PV=Y%DS=1%DC=D%G=N%M=00141C%
OS:TM=5BF63311%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=I%TS=
OS:U)OPS(O1=M5B4%O2=M578%O3=M280%O4=M218%O5=M218%O6=M109)WIN(W1=1020%W2=102
OS:0%W3=1020%W4=1020%W5=1020%W6=1020)ECN(R=Y%DF=N%T=FF%W=1020%O=M5B4%CC=N%Q
OS:=)T1(R=Y%DF=N%T=FF%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=FF%W=0%S=A%A=S%F=
OS:AR%O=%RD=0%Q=)T3(R=Y%DF=N%T=FF%W=1020%S=O%A=S+%F=AS%O=M5B4%RD=0%Q=)T4(R=
OS:Y%DF=N%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=FF%W=0%S=A%A=S+%F=A
OS:R%O=%RD=0%Q=)T6(R=Y%DF=N%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=F
OS:F%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%CD=S)

Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: IOS; Devices: router, switch; CPE: cpe:/o:cisco:ios
