Started to mess around with some of Nmap 4.00′s new features. Here’s what I found so far.
The live interaction is way cool:


# nmap -sP 192.168.0.0/16
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 12:56 EST
Interactive keyboard commands:
? Display this information
v/V Increase/decrease verbosity
d/D Increase/decrease debugging
p/P Enable/disable packet tracing
anything else Print status
More help: http://www.insecure.org/nmap/man/man-runtime-interaction.html

The v/V and d/D work like a slider. So if you push “v” it increases the verbosity by 1 (by default they are set to 0). Pressing “V” decreases the verbosity. like so:


# nmap -O 192.168.23.0/24
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:01 EST
Verbosity Increased to 1.
DNS resolution of 9 IPs took 0.00s. Mode: Async [#: 2, OK: 8, NX: 1, DR: 0, SF: 0, TR: 9, CN: 0] Initiating SYN Stealth Scan against 5 hosts [1672 ports/host] at 13:01
Discovered open port 443/tcp on 192.168.23.5
Discovered open port 443/tcp on 192.168.23.20
Discovered open port 25/tcp on 192.168.23.5
Discovered open port 25/tcp on 192.168.23.6
Discovered open port 80/tcp on 192.168.23.20
Discovered open port 21/tcp on 192.168.23.20
Discovered open port 22/tcp on 192.168.23.5
Discovered open port 22/tcp on 192.168.23.6
Discovered open port 22/tcp on 192.168.23.20
Discovered open port 139/tcp on 192.168.23.20
Discovered open port 548/tcp on 192.168.23.20
Discovered open port 445/tcp on 192.168.23.20
Discovered open port 37/tcp on 192.168.23.5
Completed SYN Stealth Scan against 192.168.23.5 in 1.45s (4 hosts left)
Completed SYN Stealth Scan against 192.168.23.20 in 2.47s (3 hosts left)
Completed SYN Stealth Scan against 192.168.23.6 in 2.50s (2 hosts left)
Verbosity Decreased to 0.

You can do the same with debug information by using “d/D”:


# nmap -O 192.168.23.0/24
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:03 EST
Debugging Increased to 1.
Finished block: srtt: 232070 rttvar: 303203 timeout: 1444882 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 23
Finished block: srtt: 232070 rttvar: 303203 timeout: 1444882 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 27
We got a ping packet back from 192.168.23.100: id = 62034 seq = 23724 checksum = 45312
Hostupdate called for machine 192.168.23.100 state UNKNOWN/COMBO -> HOST_UP (trynum 0, dotimeadj: yes time: 4186)
We got a TCP ping packet back from 192.168.23.100 port 80 (hostnum = 100 trynum = 0
Hostupdate called for machine 192.168.23.100 state HOST_UP -> HOST_UP (trynum 0, dotimeadj: yes time: 4306)
Finished block: srtt: 178662 rttvar: 263119 timeout: 1231138 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 31
Finished block: srtt: 178662 rttvar: 263119 timeout: 1231138 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 13
massping done: num_hosts: 128 num_responses: 7
mass_rdns: Using DNS server 192.168.128.9
mass_rdns: Using DNS server 192.168.128.11
mass_rdns: 0.00s 0/9 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 9] caught SIGINT signal, cleaning up

You can also do packet tracing (which is nice, because I used to open another window and use tcpdump):


Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:06 EST
Packet Tracing enabled
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.83 Echo request (type=8/code=0) ttl=50 id=52529 iplen=28
SENT (3.0590s) TCP 192.168.23.140:53596 > 192.168.23.83:80 A ttl=55 id=5015 iplen=40 seq=1118672030 win=4096 ack=1118672030
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.82 Echo request (type=8/code=0) ttl=46 id=2197 iplen=28
SENT (3.0590s) TCP 192.168.23.140:53596 > 192.168.23.82:80 A ttl=41 id=62936 iplen=40 seq=2888667998 win=2048 ack=3933049694
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.81 Echo request (type=8/code=0) ttl=37 id=23214 iplen=28

Another cool feature is nmap now comes with an xsl stylesheet. What do you do with this? Well, you can generate a nice HTML report:


# nmap -oX report.xml -O 192.168.23.1-254

# xsltproc /usr/local/share/nmap/nmap.xsl report.xml > samplereport.html

The command “xsltproc” is available from the libxslt project (Did you know this tool is built right into OS X?). This applies a stylesheet to the xml data so you can then view the report in HTML. I have posted a sample here. Its pretty nice, and heck if you don’t like it you can change it, its a stylesheet. (Thanks to my cow-worker John for info on that tip).
The other cool thing is that if you are scanning hosts on the same subnet it will use arp to find hosts (bypassing firewalls). This does not seem to be displayed in the interactive mode packet tracing, but it still a cool feature, especially for those pesky Windows XP firewalls.
That’s all for now, happy nmap’ing!
.com

About the author

Paul Asadoorian is the Founder & CEO of Security Weekly, where the flagship show recently re-titled "Paul's Security Weekly" has been airing for over 8 years. By day he is the Product Evangelist for Tenable Network Security. Paul produces and hosts the various shows here at Security Weekly, all dedicated to providing the latest security news, interviews with the industries finest and technical how-to segments. Paul is also the founder and host of "The Stogie Geeks Show", featuring cigar reviews for cigar enthusiasts.