Skip to main content

NMAP

 Nmap is an open source network monitoring and port scanning tool to find the hosts and services in the computer by sending the packets to the target host for network discovery and security auditing.

Numerous frameworks and system admins additionally think that its helpful for assignments, for example, network inventory, overseeing administration overhaul timetables, and observing host or administration uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

It was designed to rapidly scan large networks, but works fine against single hosts. it runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results in the viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

You can also take Master in Ethical Hacking & Penetration Testing Online course where you can learn more about NMAP and advance level Ethical hacking skills.

Nmap is …

Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.

Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.

Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.

Easy: While NMAP offers a rich set of advanced features for power users, you can start out as simply as “nmap -v -A targethost“. Both traditional command line and graphical (GUI) versions are available to suit your preference.

 Free: The primary goals of this  NMAP Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. it is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.

 Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.

 Supported: While it comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines.

 Acclaimed: Nmap has won various honors, including “Information Security Product of the Year” by Linux Journal, Info World and Codetalker Digest. It has been included in many magazine articles, a few motion pictures, many books, and one comic book arrangement. Visit the press page for further subtleties.

Popular: Thousands of people download every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Usage of Nmap

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
  • Identifying open ports on a target host in preparation for auditing.
  • Network inventory, network mapping, and maintenance and asset management.
  • Auditing the security of a network by identifying new servers.
  • Generating traffic to hosts on a network, response analysis and response time measurement.
  • Finding and exploiting vulnerabilities in a network.
  • DNS queries and subdomain search

  NMAP COMMEANDS:

1: To find out nmap version, run:

 # nmap --version

Sample outputs:

Nmap version 5.51 ( http://nmap.org )


2: To scan an IP address or a host name (FQDN), run:

 # nmap 1.2.3.4

 # nmap localhost

 # nmap 192.168.1.1


3:  Information out of the remote system:

 # nmap -v -A scanme.nmap.org

 # nmap -v -A 192.168.1.1


Sample outputs:

 Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-19 16:38 IST

 NSE: Loaded 30 scripts for scanning.

 Initiating ARP Ping Scan at 16:38

 Scanning 192.168.1.1 [1 port]

 Completed ARP Ping Scan at 16:38, 0.04s elapsed (1 total hosts)

 Initiating Parallel DNS resolution of 1 host. at 16:38

 Completed Parallel DNS resolution of 1 host. at 16:38, 0.00s elapsed

 Initiating SYN Stealth Scan at 16:38

 Scanning 192.168.1.1 [1000 ports]

 Discovered open port 80/tcp on 192.168.1.1

 Discovered open port 22/tcp on 192.168.1.1

 Completed SYN Stealth Scan at 16:38, 0.27s elapsed (1000 total ports)


4:  Scan multiple IP address or subnet (IPv4):

 nmap 192.168.1.1 192.168.1.2 192.168.1.3

 ## works with same subnet i.e. 192.168.1.0/24

 nmap 192.168.1.1,2,3


You can scan a range of IP address too:

nmap 192.168.1.1-20

You can scan a range of IP address using a wildcard:

nmap 192.168.1.*

Finally, you scan an entire subnet:

nmap 192.168.1.0/24

5: Find out if a host/network is protected by a firewall:

 nmap -sA 192.168.1.254

 nmap -sA server1.gbhackers.com


6: Turn on OS and version detection scanning script (IPv4):

 nmap -A 192.168.1.254

 nmap -v -A 192.168.1.1

 nmap -A -iL /tmp/scanlist.txt 


7:  Scan a host when protected by the firewall:

 nmap -PN 192.168.1.1

 nmap -PN server1.gbhackers.com


8: Scan an IPv6 host/address:

 The -6 option enable IPv6 scanning. The syntax is:

 nmap -6 IPv6-Address-Here

 nmap -6 server1.gbhackers.com

 nmap -6 2607:f0d0:1002:51::4

 nmap -v A -6 2607:f0d0:1002:51::4


9:  How do I perform a fast scan:

 nmap -F 192.168.1.1


10: Display the reason a port is in a particular state:

 nmap --reason 192.168.1.1

 nmap --reason server1.gbhackers.com


11: Only show open (or possibly open) ports:

 nmap --open 192.168.1.1

 nmap --open server1.gbhackers.com


12: Show all packets sent and received:

 nmap --packet-trace 192.168.1.1

 nmap --packet-trace server1.gbhackers.com


13: Show host interfaces and routes:

This is useful for debugging (ip command or route command or netstat command like

 output using nmap)

 nmap --iflist


Sample outputs:


Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST

 ************************INTERFACES************************

 DEV (SHORT) IP/MASK TYPE UP MAC

 lo (lo) 127.0.0.1/8 loopback up

 eth0 (eth0) 192.168.1.5/24 ethernet up B8:AC:6F:65:31:E5

 vmnet1 (vmnet1) 192.168.121.1/24 ethernet up 00:50:56:C0:00:01

 vmnet8 (vmnet8) 192.168.179.1/24 ethernet up 00:50:56:C0:00:08

 ppp0 (ppp0) 10.1.19.69/32 point2point up


**************************ROUTES**************************

 DST/MASK DEV GATEWAY

 10.0.31.178/32 ppp0

 209.133.67.35/32 eth0 192.168.1.2

 192.168.1.0/0 eth0

 192.168.121.0/0 vmnet1

 192.168.179.0/0 vmnet8

 169.254.0.0/0 eth0

 10.0.0.0/0 ppp0

 0.0.0.0/0 eth0 192.168.1.2


14: How do I scan specific ports:


 nmap -p [port] hostName

 ## Scan port 80

  nmap -p 80 192.168.1.1


## Scan TCP port 80

 nmap -p T:80 192.168.1.1


## Scan UDP port 53

 nmap -p U:53 192.168.1.1


## Scan two ports ##

 nmap -p 80,443 192.168.1.1


## Scan port ranges ##

 nmap -p 80-200 192.168.1.1


## Combine all options ##

 nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1

 nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz

 nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254


## Scan all ports with * wildcard ##

 nmap -p "*" 192.168.1.1


## Scan top ports i.e. scan $number most common ports ##

 nmap --top-ports 5 192.168.1.1

 nmap --top-ports 10 192.168.1.1


Sample outputs:


Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST

 Interesting ports on 192.168.1.1:

 PORT STATE SERVICE

 21/tcp closed ftp

 22/tcp open ssh

 23/tcp closed telnet

 25/tcp closed smtp

 80/tcp open http

 110/tcp closed pop3

 139/tcp closed netbios-ssn

 443/tcp closed https

 445/tcp closed microsoft-ds

 3389/tcp closed ms-term-serv

 MAC Address: BC:AE:C5:C3:16:93 (Unknown)

nmap done: 1 IP address (1 host up) scanned in 0.51 seconds


Basic Scanning Commands

GoalCommandExample
Scan a Single Targetnmap [target]nmap 192.168.0.1
Scan Multiple Targetsnmap [target1, target2, etcnmap 192.168.0.1 192.168.0.2
Scan a Range of Hostsnmap [range of ip addresses]nmap 192.168.0.1-10
Scan an Entire Subnetnmap [ip address/cdir]nmap 192.168.0.1/24
Scan Random Hostsnmap -iR [number]nmap -iR 0
Excluding Targets from a Scannmap [targets] – exclude [targets]nmap 192.168.0.1/24 –exclude 192.168.0.100, 192.168.0.200
Excluding Targets Using a Listnmap [targets] – excludefile [list.txt]nmap 192.168.0.1/24 –excludefile notargets.txt
Perform an Aggressive Scannmap -A [target]nmap -A 192.168.0.1
Scan an IPv6 Targetnmap -6 [target]nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe

Discovery Options

GoalCommandExample
Perform a Ping Only Scannmap -sP [target]nmap -sP 192.168.0.1
Don’t Pingnmap -PN [target]nmap -PN 192.168.0.1
TCP SYN Pingnmap -PS [target]nmap -PS 192.168.0.1
TCP ACK Pingnmap -PA [target]nmap -PA 192.168.0.1
UDP Pingnmap -PU [target]nmap -PU 192.168.0.1
SCTP INIT Pingnmap -PY [target]nmap -PY 192.168.0.1
ICMP Echo Pingnmap -PE [target]nmap -PE 192.168.0.1
ICMP Timestamp Pingnmap -PP [target]nmap -PP 192.168.0.1
CMP Address Mask Pingnmap -PM [target]nmap -PM 192.168.0.1
IP Protocol Pingnmap -PO [target]nmap -PO 192.168.0.1


ARP Pingnmap -PR [target]nmap -PR 192.168.0.1
Traceroutenmap –traceroute [target]nmap –traceroute 192.168.0.1
Force Reverse DNS Resolutionnmap -R [target]nmap -R 192.168.0.1
Disable Reverse DNS Resolutionnmap -n [target]nmap -n 192.168.0.1
Alternative DNS Lookupnmap –system-dns [target]nmap –system-dns 192.168.0.1
Manually Specify DNS Server(s)nmap –dns-servers [servers] [target]nmap –dns-servers 201.56.212.54 192.168.0.1
Create a Host Listnmap -sL [targets]nmap -sL 192.168.0.1/24

Advanced Scanning Options

GoalCommandExample
TCP SYN Scannmap -sS [target]nmap -sS 192.168.0.1
TCP Connect Scannmap -sT [target]nmap -sT 192.168.0.1
UDP Scannmap -sU [target]nmap -sU 192.168.0.1
TCP NULL Scannmap -sN [target]nmap -sN 192.168.0.1
TCP FIN Scannmap -sF [target]nmap -sF 192.168.0.1
Xmas Scannmap -sX [target]nmap -sX 192.168.0.1
TCP ACK Scannmap -sA [target]nmap -sA 192.168.0.1
Custom TCP Scannmap –scanflags [flags] [target]nmap –scanflags SYNFIN 192.168.0.1
IP Protocol Scannmap -sO [target]nmap -sO 192.168.0.1
Send Raw Ethernet Packetsnmap –send-eth [target]nmap –send-eth 192.168.0.1
Send IP Packetsnmap –send-ip [target]nmap –send-ip 192.168.0.1

Port Scanning Options

GoalCommandExample
Perform a Fast Scannmap -F [target]nmap -F 192.168.0.1
Scan Specific Portsnmap -p [port(s)] [target]nmap -p 21-25,80,139,8080 192.168.1.1
Scan Ports by Namenmap -p [port name(s)] [target]nmap -p ftp,http* 192.168.0.1
Scan Ports by Protocolnmap -sU -sT -p U: [ports],T:[ports] [target]nmap -sU -sT -p U:53,111,137,T:21- 25,80,139,8080 192.168.0.1
Scan All Portsnmap -p ‘*’ [target]nmap -p ‘*’ 192.168.0.1
Scan Top Portsnmap –top-ports [number] [target]nmap –top-ports 10 192.168.0.1
Perform a Sequential Port Scannmap -r [target]nmap -r 192.168.0.1

Version Detection

GoalCommandExample
Operating System Detectionnmap -O [target]nmap -O 192.168.0.1
Submit TCP/IP Fingerprintswww.nmap.org/submit/
Fingerprints

Attempt to Guess an Unknown OSnmap -O –osscan guess [target]nmap -O –osscan-guess 192.168.0.1
Service Version Detectionnmap -sV [target]nmap -sV 192.168.0.1
Troubleshooting Version Scansnmap -sV –version trace [target]nmap -sV –version-trace 192.168.0.1
Perform a RPC Scannmap -sR [target]nmap -sR 192.168.0.1

Firewall Evasion Techniques

GoalCommandExample
augment Packetsnmap -f [target]nmap -f 192.168.0.1
pacify a Specific MTUnmap –mtu [MTU] [target]nmap –mtu 32 192.168.0.
Use a Decoynmap -D RND:[number] [target]nmap -D RND:10 192.168.0.1
le Zombie Scannmap -sI [zombie] [target]nmap -sI 192.168.0.38
Manually Specify a Source Portnmap –source-port [port] [target]nmap –source-port 10 192.168.0.1
Append Random Datanmap –data-length [size] [target]nmap –data-length 2 192.168.0.1
Randomize Target Scan Ordernmap –randomize-hosts [target]nmap –randomize-ho 192.168.0.1-20
Spoof MAC Addressnmap –spoof-mac [MAC|0|vendor] [target]nmap –spoof-mac Cis 192.168.0.1
Send Bad Checksumsnmap –badsum [target]nmap –badsum 192.168.0.1

Troubleshooting 

GoalCommandExample
Getting Helpnmap -hnmap -h
Display Nmap Versionnmap -Vnmap -V
Verbose Outputnmap -v [target]nmap -v 192.168.0.1
Debuggingnmap -d [target]nmap -d 192.168.0.1
Display Port State Reasonnmap –reason [target]nmap –reason 192.168.0.1
Only Display Open Portsnmap –open [target]nmap –open 192.168.0.1
Trace Packetsnmap –packet-trace [target]nmap –packet-trace 192.168.0.1
Display Host Networkingnmap –iflistnmap –iflist
Specify a Network Interfacenmap -e [interface] [target]nmap -e eth0 192.168.0.1

NMAP Scripting Engine

GoalCommandExample
Execute Individual Scriptsnmap –script [script.nse] [target]nmap –script banner.nse 192.168.0.1
Execute Multiple Scriptsnmap –script [expression] [target]nmap –script ‘http-*’ 192.168.0.1
Script Categoriesall, auth, default, discovery, external, intrusive, malware, safe, vuln
Execute Scripts by Categorynmap –script [category] [target]nmap –script ‘not intrusive’ 192.168.0.1
Execute Multiple Script Categoriesnmap –script [category1,category2,etc]nmap –script ‘default or safe’ 192.168.0.1
Troubleshoot Scriptsnmap –script [script] –script trace [target]nmap –script banner.nse –script-trace 192.168.0.1
Update the Script Databasenmap –script-updatedbnmap –script-updatedb

Conclusion

Nmap can perform various scanning operation and it has been leading scanning tool in the security industry since its release in 1997, also its worlds leading port scanners to find out open ports and firewall. still, Nmap used by various organizations and penetration tester to find out loops and secure the network.

Comments

Post a Comment

Popular posts from this blog

Python OOPs Concepts: Using Variables and Methods

  Types of Variables in OOPs Python   Instance Variable Static Variable Local Variable   Object Level Variables Class Level Variables Method Level Variables When to use: For Every Object if you want Separate copy, use Instance Variables For all object one copy is required, use static variables Inside method, Just used for temporary requirement Where to Declare Inside the constructor method (in general) Within the class directly, outside of methods (in general)   Within the method only. How to Declare Within the constructor: Instance variables can be declared within the constructor method using the self .   Using default values : Instance variables can be assigned default values during initialization.   Outside the class: use object name.   ·          Within the class directly
1 comment
Read more

Inheritance

Inheritance is a fundamental concept in object-oriented programming, which allows a class to inherit properties and methods from another class. There are several types of inheritance, including: Single Inheritance: In single inheritance, a subclass inherits properties and methods from a single parent class. The subclass is said to be derived from the parent class. Multiple Inheritance: Multiple inheritance allows a subclass to inherit properties and methods from multiple parent classes. In this case, the subclass is said to have multiple base classes. However, multiple inheritance can lead to complexity and ambiguity in the code. Multilevel Inheritance: Multilevel inheritance occurs when a subclass inherits properties and methods from a parent class, which in turn inherits from another parent class. In this case, the subclass is said to be derived from both the parent class and the grandparent class. Hierarchical Inheritance: Hierarchical inheritance occurs when multiple subclasses
Post a Comment
Read more

Polymorphism: Method Overloading vs Method Overriding

  Method Overloading In object-oriented programming languages, method overloading enables a class to have several methods with the same name but different parameters. However, in Python, method overloading is not directly supported as opposed to languages such as Java or C++. This is because Python allows developers to define default arguments for their methods and pass arguments of any type to a method. This flexibility allows a single method to handle various types of arguments, eliminating the need for overloading.   However, there is a way to simulate method overloading in Python by using default argument values or variable length arguments and conditional statements. Here's an example: Program using default arguments:       Program using variable length arguments:   Multiple methods with Same Name: When we define multiple methods with same name, Python will consider the last defined method only. Python will not support method overloading. ( Why? Method overlo
Post a Comment
Read more