What is Nmap?
Nmap (Network Mapper) is an open-source tool that specializes in network exploration and security auditing, originally written by Gordon "Fyodor" Lyon. The official website is http://nmap.org. Nmap is free and open source, and many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
This page is for three-year-old girls or anyone who is just starting with Nmap.
Basic Scanning Techniques
So here I will show the basic techniques for scanning a network or host. Before that, you should know some basics about the port states Nmap reports after a scan.
Port Status: After scanning, you may see results with a port status like filtered, open, or closed. Let me explain these.
Open: An application is listening for connections (or packets) on this port.
Closed: The probes were received and the host answered, but no application is listening on this port.
Filtered: The probes got no usable response, so the state could not be established. This usually means a firewall or some other kind of filtering is dropping the probes.
Unfiltered: The probes were received, so the port is reachable, but Nmap could not tell whether it is open or closed.
Open/Filtered: The port is either open or filtered, but Nmap could not establish which.
Closed/Filtered: The port is either closed or filtered, but Nmap could not establish which.
- Let’s say our target is http://dshaw.net/
Open a command prompt and type:
Scan Multiple Network/Targets
In Nmap you can scan multiple targets at once for host discovery and information gathering.
Command: nmap host1 host2 host3 ... This works for an entire subnet as well as for a list of separate IP addresses.
Scan a Range Of IP address
Nmap can also be used to scan an entire subnet using CIDR (Classless Inter-Domain Routing) notation.
Usage syntax: nmap [Network/CIDR]
Scan a list of targets
If you have a large number of systems to scan, you can put the IP addresses (or host names) in a text file and pass that file to Nmap on the command line.
syntax: nmap -iL [list.txt]
Scan Random Targets
The -iR parameter can be used to select random Internet hosts to scan. Nmap will randomly generate the specified number of targets and attempt to scan them.
syntax: nmap -iR [number of hosts]
It is not a good habit to run random scans unless you have been given a project that requires it.
The --exclude option is used with Nmap to exclude hosts from a scan.
syntax: nmap [targets] --exclude [host(s)]
ex: nmap 192.168.2.1/24 --exclude 192.168.2.10
The aggressive scan option (-A) turns on a bundle of Nmap's most commonly used options, including traceroute, as a simple alternative to typing out a long option string.
Command: nmap -A host
Discovery With Nmap
Discovery with Nmap is very interesting and very helpful for penetration testers. During discovery you can learn about services, port numbers, firewall presence, protocols, the operating system, and so on. We will discuss these one by one. See the image below from SANS, which lists the different probing options and scan types; go through it completely.
Service Version Detection
| Option | Description |
|---|---|
| -sV | Probe open ports to determine service/version info |
| --version-intensity "level" | Set from 0 (light) to 9 (try all probes) |
| --version-light | Limit to most likely probes (intensity 2) |
| --version-all | Try every single probe (intensity 9) |
| --version-trace | Show detailed version scan activity (for debugging) |
Firewall/IDS Evasion and Spoofing
| Option | Description |
|---|---|
| -f; --mtu VALUE | Fragment packets (optionally with the given MTU) |
| -D decoy1,decoy2,ME | Cloak a scan with decoys |
| -S IP-ADDRESS | Spoof source address |
| -e IFACE | Use specified interface |
|  | Use given port number |
| --proxies url1,[url2],... | Relay connections through HTTP / SOCKS4 proxies |
| --data-length NUM | Append random data to sent packets |
| --ip-options OPTIONS | Send packets with specified IP options |
| --ttl VALUE | Set IP time-to-live field |
| --spoof-mac ADDR/PREFIX/VENDOR | Spoof the MAC address Nmap sends from |
| --badsum | Send packets with a bogus TCP/UDP/SCTP checksum |
Now get up and get some coffee, because the next part will be intense (hopefully).