Cyber Forensics Tools

Nmap

Nmap is a tool generally used for remote network discovery, but it can be used on the forensics side of things as well. Typical Nmap uses include determining which hosts are up on a network, finding open ports on a system, performing a traceroute, resolving DNS names, and detecting the operating system and the services in use.

On Windows, Nmap can be downloaded from Nmap.org. On Linux, Nmap can be found in the popular package managers. Installing Nmap on Windows also gives you the Ncat tool (Nmap's reimplementation of Netcat).

Nmap has a graphical interface (Zenmap) as well as a command line interface. It is easy to use, portable, and well maintained/documented.

There are many parameters Nmap can use:

  • -sV : probe open ports to find service information
  • -p : specify which ports to scan
  • -sU : UDP scan
  • -sN : TCP Null scan
  • -sn : ping scan only, no port scan
  • -Pn : skip host discovery and treat every target as online
  • -O : enable OS detection
  • -v : verbose
  • -A : OS detection, version detection, script scanning, and traceroute
  • -T4 : scan with faster execution

Nmap man page.

Nmap is a useful forensics tool in that you can determine what ports on a system are open and what services are running.

Some useful Nmap flag combinations:

  • nmap -A -T4 [ip_address] – port scan with service/OS detection
  • nmap -sP [ip_address_range] – ping-only scan of a network range
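As an added example (not code from this page or from the Nmap project), the script below builds the two command lines listed above and turns Nmap's grepable output (`-oG -`) into a host and port inventory, which is the form in which an examiner usually wants the result: a list of listeners that can be compared against a known-good baseline so unexpected services stand out. It uses `-sn`, the current name of the `-sP` option, and the sample output embedded in it is constructed, not captured from a real scan; `run_scan` is only used when the nmap binary is actually present.

```python
"""Added example: build the Nmap command lines from the combinations above
and turn Nmap's grepable output (-oG) into a host/port inventory that can be
compared against a known-good baseline. The sample output below is constructed,
not captured from a real scan."""
import re
import subprocess

# Leading part of every host line in grepable output: "Host: <ip> (<name>)\t..."
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def build_scan_command(target, mode="full"):
    """Argv for the two combinations on this page, with grepable output to stdout.
    'full' -> nmap -A -T4 (OS/service detection, script scan, traceroute)
    'ping' -> nmap -sn   (-sn is the current spelling of the older -sP)"""
    flags = {"full": ["-A", "-T4"], "ping": ["-sn"]}
    if mode not in flags:
        raise ValueError(f"unknown mode {mode!r}")
    return ["nmap", *flags[mode], "-oG", "-", target]


def run_scan(target, mode="full"):
    """Run nmap (needs the binary and, for -A/-O, root privileges) and parse it."""
    out = subprocess.run(build_scan_command(target, mode),
                         capture_output=True, text=True, check=True).stdout
    return parse_grepable(out)


def parse_grepable(text):
    """Parse -oG output into {ip: {hostname, status, os, ports: [...]}}.
    Each Ports entry is port/state/proto/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:          # '# Nmap ...' comment lines and blanks
            continue
        ip, name, rest = m.groups()
        entry = hosts.setdefault(
            ip, {"hostname": name, "status": None, "os": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "OS":
                entry["os"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    if len(parts) < 7:
                        continue   # malformed entry; skip rather than guess
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    entry["ports"].append({
                        "port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version})
    return hosts


def open_ports(hosts):
    """Flat, sorted list of (ip, port, proto, service, version) for open ports."""
    rows = [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]
    return sorted(rows)


def new_listeners(baseline, current):
    """Open ports in `current` that were absent from `baseline`: the listeners
    an examiner would want explained on a machine under investigation."""
    known = {(ip, port, proto) for ip, port, proto, _s, _v in open_ports(baseline)}
    return [(ip, port, proto) for ip, port, proto, _s, _v in open_ports(current)
            if (ip, port, proto) not in known]


# Constructed sample of what `nmap -A -T4 -oG - 192.168.56.10-11` might emit.
SAMPLE = (
    "# Nmap 7.94 scan initiated (constructed sample, not a real scan)\n"
    "Host: 192.168.56.10 (fileserver.lab)\tStatus: Up\n"
    "Host: 192.168.56.10 (fileserver.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4/, 8080/open/tcp//http-proxy///"
    "\tIgnored State: closed (997)\tOS: Linux 5.X\tSeq Index: 258\n"
    "Host: 192.168.56.11 ()\tStatus: Up\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE)
    for row in open_ports(inventory):
        print("%-15s %5d/%s %-14s %s" % row)
    # Pretend the baseline was taken before port 8080 appeared.
    baseline = parse_grepable(SAMPLE.replace(", 8080/open/tcp//http-proxy///", ""))
    print("new since baseline:", new_listeners(baseline, inventory))
```

Grepable output was chosen over the default human-readable format because its one-line-per-host layout is stable across Nmap versions and survives `grep`/`awk`; for anything more elaborate, Nmap's XML output (`-oX`) carries the same fields with proper structure. Note that `-A` and `-O` need raw-socket privileges, so `run_scan` will fail with a `CalledProcessError` when run unprivileged.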

SANS has published a handy Nmap cheat sheet.
