Nmap is an open source network monitoring and port scanning tool to find the hosts and services in the computer by sending the packets to the target host for network discovery and security auditing.
Numerous frameworks and system admins additionally think that its helpful for assignments, for example, network inventory, overseeing administration overhaul timetables, and observing host or administration uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
It was designed to rapidly scan large networks, but works fine against single hosts. it runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results in the viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
You can also take Master in Ethical Hacking & Penetration Testing Online course where you can learn more about NMAP and advance level Ethical hacking skills.
Nmap is …
Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
Easy: While NMAP offers a rich set of advanced features for power users, you can start out as simply as “nmap -v -A targethost“. Both traditional command line and graphical (GUI) versions are available to suit your preference.
Free: The primary goals of this NMAP Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. it is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
Supported: While it comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines.
Acclaimed: Nmap has won various honors, including “Information Security Product of the Year” by Linux Journal, Info World and Codetalker Digest. It has been included in many magazine articles, a few motion pictures, many books, and one comic book arrangement. Visit the press page for further subtleties.
Popular: Thousands of people download every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.
Usage of Nmap
- Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
- Identifying open ports on a target host in preparation for auditing.
- Network inventory, network mapping, and maintenance and asset management.
- Auditing the security of a network by identifying new servers.
- Generating traffic to hosts on a network, response analysis and response time measurement.
- Finding and exploiting vulnerabilities in a network.
- DNS queries and subdomain search
NMAP COMMEANDS:
1: To find out nmap version, run:
# nmap --version
Sample outputs:
Nmap version 5.51 ( http://nmap.org )
2: To scan an IP address or a host name (FQDN), run:
# nmap 1.2.3.4
# nmap localhost
# nmap 192.168.1.1
3: Information out of the remote system:
# nmap -v -A scanme.nmap.org
# nmap -v -A 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-19 16:38 IST
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 16:38
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 16:38, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:38
Completed Parallel DNS resolution of 1 host. at 16:38, 0.00s elapsed
Initiating SYN Stealth Scan at 16:38
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 16:38, 0.27s elapsed (1000 total ports)
4: Scan multiple IP address or subnet (IPv4):
nmap 192.168.1.1 192.168.1.2 192.168.1.3
## works with same subnet i.e. 192.168.1.0/24
nmap 192.168.1.1,2,3
You can scan a range of IP address too:
nmap 192.168.1.1-20
You can scan a range of IP address using a wildcard:
nmap 192.168.1.*
Finally, you scan an entire subnet:
nmap 192.168.1.0/24
5: Find out if a host/network is protected by a firewall:
nmap -sA 192.168.1.254
nmap -sA server1.gbhackers.com
6: Turn on OS and version detection scanning script (IPv4):
nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt
7: Scan a host when protected by the firewall:
nmap -PN 192.168.1.1
nmap -PN server1.gbhackers.com
8: Scan an IPv6 host/address:
The -6 option enable IPv6 scanning. The syntax is:
nmap -6 IPv6-Address-Here
nmap -6 server1.gbhackers.com
nmap -6 2607:f0d0:1002:51::4
nmap -v A -6 2607:f0d0:1002:51::4
9: How do I perform a fast scan:
nmap -F 192.168.1.1
10: Display the reason a port is in a particular state:
nmap --reason 192.168.1.1
nmap --reason server1.gbhackers.com
11: Only show open (or possibly open) ports:
nmap --open 192.168.1.1
nmap --open server1.gbhackers.com
12: Show all packets sent and received:
nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.gbhackers.com
13: Show host interfaces and routes:
This is useful for debugging (ip command or route command or netstat command like
output using nmap)
nmap --iflist
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MAC
lo (lo) 127.0.0.1/8 loopback up
eth0 (eth0) 192.168.1.5/24 ethernet up B8:AC:6F:65:31:E5
vmnet1 (vmnet1) 192.168.121.1/24 ethernet up 00:50:56:C0:00:01
vmnet8 (vmnet8) 192.168.179.1/24 ethernet up 00:50:56:C0:00:08
ppp0 (ppp0) 10.1.19.69/32 point2point up
**************************ROUTES**************************
DST/MASK DEV GATEWAY
10.0.31.178/32 ppp0
209.133.67.35/32 eth0 192.168.1.2
192.168.1.0/0 eth0
192.168.121.0/0 vmnet1
192.168.179.0/0 vmnet8
169.254.0.0/0 eth0
10.0.0.0/0 ppp0
0.0.0.0/0 eth0 192.168.1.2
14: How do I scan specific ports:
nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1
## Scan TCP port 80
nmap -p T:80 192.168.1.1
## Scan UDP port 53
nmap -p U:53 192.168.1.1
## Scan two ports ##
nmap -p 80,443 192.168.1.1
## Scan port ranges ##
nmap -p 80-200 192.168.1.1
## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1
## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
Basic Scanning Commands
| Goal | Command | Example |
|---|---|---|
| Scan a Single Target | nmap [target] | nmap 192.168.0.1 |
| Scan Multiple Targets | nmap [target1, target2, etc | nmap 192.168.0.1 192.168.0.2 |
| Scan a Range of Hosts | nmap [range of ip addresses] | nmap 192.168.0.1-10 |
| Scan an Entire Subnet | nmap [ip address/cdir] | nmap 192.168.0.1/24 |
| Scan Random Hosts | nmap -iR [number] | nmap -iR 0 |
| Excluding Targets from a Scan | nmap [targets] – exclude [targets] | nmap 192.168.0.1/24 –exclude 192.168.0.100, 192.168.0.200 |
| Excluding Targets Using a List | nmap [targets] – excludefile [list.txt] | nmap 192.168.0.1/24 –excludefile notargets.txt |
| Perform an Aggressive Scan | nmap -A [target] | nmap -A 192.168.0.1 |
| Scan an IPv6 Target | nmap -6 [target] | nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe |
Discovery Options
| Goal | Command | Example |
|---|---|---|
| Perform a Ping Only Scan | nmap -sP [target] | nmap -sP 192.168.0.1 |
| Don’t Ping | nmap -PN [target] | nmap -PN 192.168.0.1 |
| TCP SYN Ping | nmap -PS [target] | nmap -PS 192.168.0.1 |
| TCP ACK Ping | nmap -PA [target] | nmap -PA 192.168.0.1 |
| UDP Ping | nmap -PU [target] | nmap -PU 192.168.0.1 |
| SCTP INIT Ping | nmap -PY [target] | nmap -PY 192.168.0.1 |
| ICMP Echo Ping | nmap -PE [target] | nmap -PE 192.168.0.1 |
| ICMP Timestamp Ping | nmap -PP [target] | nmap -PP 192.168.0.1 |
| CMP Address Mask Ping | nmap -PM [target] | nmap -PM 192.168.0.1 |
| IP Protocol Ping | nmap -PO [target] | nmap -PO 192.168.0.1 |
| ARP Ping | nmap -PR [target] | nmap -PR 192.168.0.1 |
|---|---|---|
| Traceroute | nmap –traceroute [target] | nmap –traceroute 192.168.0.1 |
| Force Reverse DNS Resolution | nmap -R [target] | nmap -R 192.168.0.1 |
| Disable Reverse DNS Resolution | nmap -n [target] | nmap -n 192.168.0.1 |
| Alternative DNS Lookup | nmap –system-dns [target] | nmap –system-dns 192.168.0.1 |
| Manually Specify DNS Server(s) | nmap –dns-servers [servers] [target] | nmap –dns-servers 201.56.212.54 192.168.0.1 |
| Create a Host List | nmap -sL [targets] | nmap -sL 192.168.0.1/24 |
Advanced Scanning Options
| Goal | Command | Example |
|---|---|---|
| TCP SYN Scan | nmap -sS [target] | nmap -sS 192.168.0.1 |
| TCP Connect Scan | nmap -sT [target] | nmap -sT 192.168.0.1 |
| UDP Scan | nmap -sU [target] | nmap -sU 192.168.0.1 |
| TCP NULL Scan | nmap -sN [target] | nmap -sN 192.168.0.1 |
| TCP FIN Scan | nmap -sF [target] | nmap -sF 192.168.0.1 |
| Xmas Scan | nmap -sX [target] | nmap -sX 192.168.0.1 |
| TCP ACK Scan | nmap -sA [target] | nmap -sA 192.168.0.1 |
| Custom TCP Scan | nmap –scanflags [flags] [target] | nmap –scanflags SYNFIN 192.168.0.1 |
| IP Protocol Scan | nmap -sO [target] | nmap -sO 192.168.0.1 |
| Send Raw Ethernet Packets | nmap –send-eth [target] | nmap –send-eth 192.168.0.1 |
| Send IP Packets | nmap –send-ip [target] | nmap –send-ip 192.168.0.1 |
Port Scanning Options
| Goal | Command | Example |
|---|---|---|
| Perform a Fast Scan | nmap -F [target] | nmap -F 192.168.0.1 |
| Scan Specific Ports | nmap -p [port(s)] [target] | nmap -p 21-25,80,139,8080 192.168.1.1 |
| Scan Ports by Name | nmap -p [port name(s)] [target] | nmap -p ftp,http* 192.168.0.1 |
| Scan Ports by Protocol | nmap -sU -sT -p U: [ports],T:[ports] [target] | nmap -sU -sT -p U:53,111,137,T:21- 25,80,139,8080 192.168.0.1 |
| Scan All Ports | nmap -p ‘*’ [target] | nmap -p ‘*’ 192.168.0.1 |
| Scan Top Ports | nmap –top-ports [number] [target] | nmap –top-ports 10 192.168.0.1 |
| Perform a Sequential Port Scan | nmap -r [target] | nmap -r 192.168.0.1 |
Version Detection
| Goal | Command | Example |
|---|---|---|
| Operating System Detection | nmap -O [target] | nmap -O 192.168.0.1 |
| Submit TCP/IP Fingerprints | www.nmap.org/submit/ | |
| Fingerprints | ||
| Attempt to Guess an Unknown OS | nmap -O –osscan guess [target] | nmap -O –osscan-guess 192.168.0.1 |
| Service Version Detection | nmap -sV [target] | nmap -sV 192.168.0.1 |
| Troubleshooting Version Scans | nmap -sV –version trace [target] | nmap -sV –version-trace 192.168.0.1 |
| Perform a RPC Scan | nmap -sR [target] | nmap -sR 192.168.0.1 |
Firewall Evasion Techniques
| Goal | Command | Example |
|---|---|---|
| augment Packets | nmap -f [target] | nmap -f 192.168.0.1 |
| pacify a Specific MTU | nmap –mtu [MTU] [target] | nmap –mtu 32 192.168.0. |
| Use a Decoy | nmap -D RND:[number] [target] | nmap -D RND:10 192.168.0.1 |
| le Zombie Scan | nmap -sI [zombie] [target] | nmap -sI 192.168.0.38 |
| Manually Specify a Source Port | nmap –source-port [port] [target] | nmap –source-port 10 192.168.0.1 |
| Append Random Data | nmap –data-length [size] [target] | nmap –data-length 2 192.168.0.1 |
| Randomize Target Scan Order | nmap –randomize-hosts [target] | nmap –randomize-ho 192.168.0.1-20 |
| Spoof MAC Address | nmap –spoof-mac [MAC|0|vendor] [target] | nmap –spoof-mac Cis 192.168.0.1 |
| Send Bad Checksums | nmap –badsum [target] | nmap –badsum 192.168.0.1 |
Troubleshooting
| Goal | Command | Example |
|---|---|---|
| Getting Help | nmap -h | nmap -h |
| Display Nmap Version | nmap -V | nmap -V |
| Verbose Output | nmap -v [target] | nmap -v 192.168.0.1 |
| Debugging | nmap -d [target] | nmap -d 192.168.0.1 |
| Display Port State Reason | nmap –reason [target] | nmap –reason 192.168.0.1 |
| Only Display Open Ports | nmap –open [target] | nmap –open 192.168.0.1 |
| Trace Packets | nmap –packet-trace [target] | nmap –packet-trace 192.168.0.1 |
| Display Host Networking | nmap –iflist | nmap –iflist |
| Specify a Network Interface | nmap -e [interface] [target] | nmap -e eth0 192.168.0.1 |
NMAP Scripting Engine
| Goal | Command | Example |
|---|---|---|
| Execute Individual Scripts | nmap –script [script.nse] [target] | nmap –script banner.nse 192.168.0.1 |
| Execute Multiple Scripts | nmap –script [expression] [target] | nmap –script ‘http-*’ 192.168.0.1 |
| Script Categories | all, auth, default, discovery, external, intrusive, malware, safe, vuln | |
| Execute Scripts by Category | nmap –script [category] [target] | nmap –script ‘not intrusive’ 192.168.0.1 |
| Execute Multiple Script Categories | nmap –script [category1,category2,etc] | nmap –script ‘default or safe’ 192.168.0.1 |
| Troubleshoot Scripts | nmap –script [script] –script trace [target] | nmap –script banner.nse –script-trace 192.168.0.1 |
| Update the Script Database | nmap –script-updatedb | nmap –script-updatedb |
Conclusion
Nmap can perform various scanning operation and it has been leading scanning tool in the security industry since its release in 1997, also its worlds leading port scanners to find out open ports and firewall. still, Nmap used by various organizations and penetration tester to find out loops and secure the network.
Comments
Post a Comment