Best Nmap Pentest Tutorial / Cheat Sheet

What is Nmap?

Nmap (Network Mapper) is a free, open-source tool for network exploration and security auditing, originally published by Gordon “Fyodor” Lyon. The official website is http://nmap.org. Beyond security auditing, many systems and network administrators find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.


Beginner Commands

This page is for 3-year-old girls or anyone who is just starting with Nmap.

Basic Scanning Techniques

Here I will show the basic techniques for scanning a network or host. Before that, you should know how Nmap reports port states after a scan.

Port status: after a scan, each port is reported with a state such as open, closed or filtered. Let me explain what these mean.

Open: an application is actively listening for connections on this port.

Closed: the port is reachable (the probes were received and answered) but no application is listening on it.

Filtered: the probes were not answered, so Nmap cannot tell whether the port is open; this usually means a firewall, router rule or host-based filter is dropping the probes.

Unfiltered: the probes were received and answered, so the port is reachable, but Nmap cannot determine whether it is open or closed. Only the ACK scan (-sA) reports this state.

Open/Filtered (printed by Nmap as open|filtered): the port is either open or filtered, but Nmap could not tell which, because the scan type used gets no reply from open ports (UDP, FIN, NULL and Xmas scans).

Closed/Filtered (printed by Nmap as closed|filtered): the port is either closed or filtered, but Nmap could not tell which. Only the idle scan (-sI) reports this state.

  1. Let’s say our target is http://dshaw.net/

Open command prompt and type

Scan Multiple Networks/Targets

Nmap can scan several targets in a single run for host discovery and information gathering.

Command: nmap host1 host2 host3 ...

Targets are separated by spaces and may be hostnames, single IP addresses or whole subnets, so one command can cover an entire subnet as well as unrelated individual addresses.

Scan a Range of IP Addresses

Command: nmap 192.168.2.1-100

Nmap ranges are written per octet: 192.168.2.1-100 covers 192.168.2.1 through 192.168.2.100 (the form 192.168.2.1-192.168.2.100 is not valid Nmap target syntax).

Nmap can also scan an entire subnet using CIDR (Classless Inter-Domain Routing) notation.

Usage syntax: nmap [Network/CIDR]

nmap 192.168.2.1/24

Scan a List of Targets

If you have a large number of systems to scan, put the IP addresses (or hostnames) in a text file, separated by spaces or newlines, and pass that file to Nmap on the command line.

Syntax: nmap -iL [list.txt]

Scan Random Targets

The -iR option selects random Internet hosts to scan. Nmap generates the requested number of random targets and attempts to scan them.

Syntax: nmap -iR [number of hosts]

It is not a good habit to run random scans unless you have been given a project that calls for them.

The --exclude option tells Nmap to skip particular hosts within a scan (a file of hosts to skip can be given with --excludefile instead).

Syntax: nmap [targets] --exclude [host(s)]

Example: nmap 192.168.2.1/24 --exclude 192.168.2.10
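The target forms above (space-separated hosts, per-octet ranges, CIDR networks and --exclude lists) are easy to get wrong, and a typo in the range can quietly put hundreds of extra hosts into a scan. The following added example is not code from the original page or from the Nmap project; it expands those IPv4 target forms the way Nmap's documentation defines them so you can check a scan's scope (how many addresses it will touch, and that the excluded hosts are really gone) before running the command. The parsing rules are reimplemented here from the documented syntax, not taken from Nmap's source.

```python
"""Expand Nmap-style IPv4 target specifications to check a scan's scope.

Added example (not the page's or Nmap's own code). Understands single addresses,
CIDR networks, per-octet ranges such as 192.168.2.1-100 or 10.0.0-1.5, comma
lists inside an octet, and an --exclude list; returns the addresses a command
like 'nmap <targets> --exclude <hosts>' would actually touch."""
import ipaddress
from typing import Iterable, Set


def _octet_values(part: str) -> Set[int]:
    """Expand one octet field: '5', '1-100', '-' or '1,5-7' -> set of ints 0-255."""
    values = set()
    for piece in part.split(","):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            lo_i = int(lo) if lo else 0      # Nmap reads '-100' as 0-100
            hi_i = int(hi) if hi else 255    # and '10-' as 10-255
        else:
            lo_i = hi_i = int(piece)
        if not (0 <= lo_i <= hi_i <= 255):
            raise ValueError(f"bad octet range: {piece!r}")
        values.update(range(lo_i, hi_i + 1))
    return values


def expand_target(spec: str) -> Set[str]:
    """Expand a single Nmap IPv4 target spec into the addresses it covers."""
    spec = spec.strip()
    if "/" in spec:
        # CIDR: 'nmap 192.168.2.1/24' scans the whole /24, network and broadcast
        # addresses included, so strict=False keeps the host bits from erroring.
        net = ipaddress.ip_network(spec, strict=False)
        return {str(a) for a in net}
    octets = spec.split(".")
    if len(octets) != 4:
        # '192.168.2.1-192.168.2.100' splits into 7 fields: not valid Nmap syntax
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    a, b, c, d = (_octet_values(o) for o in octets)
    return {f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d}


def scan_scope(targets: Iterable[str], exclude: Iterable[str] = ()) -> Set[str]:
    """Union of all targets minus everything matched by the --exclude specs."""
    included: Set[str] = set()
    for t in targets:
        included |= expand_target(t)
    for e in exclude:
        included -= expand_target(e)
    return included


if __name__ == "__main__":
    # Scope of: nmap 192.168.2.1-100 192.168.3.0/30 --exclude 192.168.2.10
    scope = scan_scope(["192.168.2.1-100", "192.168.3.0/30"], exclude=["192.168.2.10"])
    print(len(scope), "addresses would be scanned")
```

Run it with the same target list you intend to give Nmap; if the count is larger than the network you were asked to assess, the target specification is wrong, not the network.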


Aggressive Scan

The aggressive scan option bundles the most commonly used Nmap options so you do not have to type a long string of flags: -A enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute).

Command: nmap -A host

Discovery With Nmap

Discovery with Nmap is very interesting and very helpful for penetration testers. During discovery you can learn about services, port numbers, firewall presence, protocols, operating systems and more. We will discuss these one by one. See the image below from SANS, which lists the different probing options and scan types; go through it completely.

Service Version Detection

COMMAND                        DESCRIPTION
-sV                            Probe open ports to determine service/version info
--version-intensity <level>    Set from 0 (light) to 9 (try all probes)
--version-light                Limit to most likely probes (intensity 2)
--version-all                  Try every single probe (intensity 9)
--version-trace                Show detailed version scan activity (for debugging)

Example:
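The port states explained earlier and the -sV results come together in Nmap's XML output (written with -oX), which is the form you want when the scan covers more than a handful of hosts. The following added example is not code from the original page or from the Nmap project: it parses that XML, counts ports by state (including the open|filtered state) and lists only the services that -sV actually fingerprinted, as opposed to the port-number guesses Nmap prints for every port. The embedded document is a constructed sample laid out like Nmap's XML output; run a real scan with nmap -sV -oX scan.xml <target> and pass the file contents to summarise_scan().

```python
"""Summarise port states and -sV results from Nmap XML output.

Added example (not the page's or Nmap's own code). The element and attribute
names (host, address, port, state, service, method, conf) follow Nmap's XML
output format; SAMPLE_XML is a constructed document in that layout."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# Constructed sample, shaped like the output of: nmap -sV -oX - 192.168.2.10
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.2.10">
  <host>
    <address addr="192.168.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[Dict[str, str]]:
    """One record per scanned port: host, proto, port, state, reason, service, version."""
    records = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), "?")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            # method="probed" means -sV really fingerprinted the service;
            # method="table" is only the nmap-services lookup by port number.
            probed = svc is not None and svc.get("method") == "probed"
            version = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if probed else ""
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": port.get("portid"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name", "") if svc is not None else "",
                "version": version,
            })
    return records


def summarise_scan(xml_text: str) -> Dict[str, object]:
    """Count ports by state and list the services -sV positively identified."""
    recs = parse_nmap_xml(xml_text)
    return {
        "by_state": dict(Counter(r["state"] for r in recs)),
        "identified": {f'{r["proto"]}/{r["port"]}': f'{r["service"]} {r["version"]}'.strip()
                       for r in recs if r["version"]},
    }


if __name__ == "__main__":
    summary = summarise_scan(SAMPLE_XML)
    for state, n in sorted(summary["by_state"].items()):
        print(f"{state:>14}: {n}")
    for port, svc in summary["identified"].items():
        print(f"{port:>10}  {svc}")
```

The reason attribute is worth keeping in the records: no-response behind a filtered or open|filtered state is the signature of a filter dropping probes, whereas reset behind closed shows the host itself answered.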

Firewalls, IDS Evasion and Spoofing

COMMAND                            DESCRIPTION
-f; --mtu VALUE                    Fragment packets (optionally with the given MTU)
-D decoy1,decoy2,ME                Cloak a scan with decoys
-S IP-ADDRESS                      Spoof source address
-e IFACE                           Use the specified interface
-g PORTNUM; --source-port PORTNUM  Use the given source port number
--proxies url1,[url2],...          Relay connections through HTTP / SOCKS4 proxies
--data-length NUM                  Append random data to sent packets
--ip-options OPTIONS               Send packets with the specified IP options
--ttl VALUE                        Set the IP time-to-live field
--spoof-mac ADDR/PREFIX/VENDOR     Spoof the MAC address
--badsum                           Send packets with a bogus TCP/UDP/SCTP checksum
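From the defender's side, the options in this table leave traces that a firewall log can be searched for: one source touching many distinct ports in a few seconds is the scan itself, and fragmented probes (what -f produces) or packets with bad checksums (what --badsum produces) are rare in normal traffic and corroborate that the activity is deliberate. The following added example is not code from the original page or from the Nmap project; it runs that check over constructed log lines in a made-up key=value format, so parse_line() must be adapted to whatever your own firewall writes.

```python
"""Flag scan-like sources in firewall logs, with fragment/bad-checksum corroboration.

Added example (not the page's or Nmap's own code). The log format below is
constructed for this example: adapt LINE_RE / parse_line() to your firewall."""
import re
from collections import defaultdict
from typing import Dict

# Constructed log lines: one source sweeping many ports on a host, two of the
# probes fragmented and one carrying a bad checksum; plus ordinary client traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP src=203.0.113.7 dst=192.168.2.10 dport=21 proto=tcp frag=0 badsum=0
2024-05-01T10:00:01 DROP src=203.0.113.7 dst=192.168.2.10 dport=22 proto=tcp frag=1 badsum=0
2024-05-01T10:00:01 DROP src=203.0.113.7 dst=192.168.2.10 dport=23 proto=tcp frag=0 badsum=1
2024-05-01T10:00:02 DROP src=203.0.113.7 dst=192.168.2.10 dport=25 proto=tcp frag=0 badsum=0
2024-05-01T10:00:02 DROP src=203.0.113.7 dst=192.168.2.10 dport=80 proto=tcp frag=1 badsum=0
2024-05-01T10:00:02 DROP src=203.0.113.7 dst=192.168.2.10 dport=443 proto=tcp frag=0 badsum=0
2024-05-01T10:00:03 DROP src=203.0.113.7 dst=192.168.2.10 dport=445 proto=tcp frag=0 badsum=0
2024-05-01T10:00:03 DROP src=203.0.113.7 dst=192.168.2.10 dport=3389 proto=tcp frag=0 badsum=0
2024-05-01T10:00:05 ALLOW src=192.168.2.50 dst=192.168.2.10 dport=443 proto=tcp frag=0 badsum=0
2024-05-01T10:00:06 ALLOW src=192.168.2.50 dst=192.168.2.10 dport=443 proto=tcp frag=0 badsum=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) frag=(?P<frag>[01]) badsum=(?P<badsum>[01])$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed-format log line into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return m.groupdict()


def find_scanners(log_text: str, min_ports: int = 5) -> Dict[str, Dict[str, object]]:
    """Sources hitting >= min_ports distinct ports on one destination.

    Each hit also carries how many of its packets were fragmented or had a bad
    checksum; normal clients produce neither, so non-zero counts strengthen the call."""
    ports = defaultdict(set)   # (src, dst) -> distinct destination ports seen
    frags = defaultdict(int)
    badsums = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["src"], rec["dst"])
        ports[key].add(int(rec["dport"]))
        frags[key] += rec["frag"] == "1"
        badsums[key] += rec["badsum"] == "1"
    hits = {}
    for (src, dst), pset in ports.items():
        if len(pset) >= min_ports:
            hits[src] = {"target": dst, "distinct_ports": len(pset),
                         "fragmented": frags[(src, dst)], "bad_checksum": badsums[(src, dst)]}
    return hits


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

A decoy scan (-D) would appear in the same data as several sources hitting an identical port set within the same seconds; grouping the hits by destination and port set, rather than by source alone, is the natural extension for spotting that.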


Now get up and get some coffee, because the next part will be intense (hopefully)...
