0

Nmap tutorial

Nmap tutorial

Nmap is the first tool used by any penterster in the early phase of ethical hacking. So in this nmap tutorial we are gonna familiarize the nmap scanning tool.

What is Nmap ?

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.

So it provides a number of features for probing computer networks, including host discovery and service and operating system detection.

It can be used for :

  • Host discovery
  • Port Scanning
  • Version detection
  • OS detection etc

Zenmap for those who like to click

Start zenmap either from the command line or through your menu. This is the GUI interface to the Nmap scanner.

Nmap tutorial - Zenmap interface

It’s important to know how to use Nmap to easily carry out hacking.

How Scanning works ?

Understanding how the default and most common SYN scan works is a good place to start to examine how the scan works and interpreting the results.

Basic SYN Scan will sort ports into Open, Closed and Filtered

To understand how it works we need to check the basics of TCP communication. TCP initiates with a 3 way hand shake process.

Nmap tutorial - Basic TCP communication

First the client will send a SYN request to the server. And server returns SYN ACK. The client sends an ACK message to the server, resulting in creation of a connection between client and server.

open ports

If a server returns SYN ACK , the port will be open port

filtered ports

filtered port result from Nmap indicates that the port has not responded at all. It may be due to request simply been dropped by the firewall.

closed ports

closed port  most commonly indicate there is no service running on the port, but the firewall has allowed the connection to go through to the server.

Nmap cheatsheet

Target Specification

Example                         Description
-------                         ------------
nmap 192.168.1.1                Scan a single IP
nmap 192.168.1.1 192.168.2.1    Scan specific IPs
nmap 192.168.1.1-254            Scan a range
nmap scanme.nmap.org            Scan a domain
nmap 192.168.1.0/24             Scan using CIDR notation
nmap -iL targets.txt            Scan targets from a file
nmap -iR 100                    Scan 100 random hosts
nmap --exclude 192.168.1.1      Exclude listed hosts

Scan Techniques

Example                         Description
-------                         ------------
nmap 192.168.1.1 -sS            TCP SYN port scan (Default)
nmap 192.168.1.1 -sT            TCP connect port scan (Default without root privilege)
nmap 192.168.1.1 -sU            DP port scan
nmap 192.168.1.1 -sA            TCP ACK port scan
nmap 192.168.1.1 -sW            TCP Window port scan
nmap 192.168.1.1 -sM            TCP Maimon port scan

Host Discovery

Example                         Description
-------                         ------------
nmap 192.168.1.1-3 -sL          No Scan. List targets only
nmap 192.168.1.1/24 -sn         Disable port scanning. Host discovery only.
nmap 192.168.1.1-5 -Pn          Disable host discovery. Port scan only.
nmap 192.168.1.1-5 -PS22-25,80  TCP SYN discovery on port x. Port 80 by default
nmap 192.168.1.1-5 -PA22-25,80  TCP ACK discovery on port x. Port 80 by default
nmap 192.168.1.1-5 -PU53        UDP discovery on port x. Port 40125 by default
nmap 192.168.1.1-1/24 -PR       ARP discovery on local network
nmap 192.168.1.1 -n             Never do DNS resolution

Port Specification

Example                                 Description
-------                                 ------------
nmap 192.168.1.1 -p 21                  Port scan for port x
nmap 192.168.1.1 -p 21-100              Port range
nmap 192.168.1.1 -p U:53,T:21-25,80     Port scan multiple TCP and UDP ports
nmap 192.168.1.1 -p-                    Port scan all ports
nmap 192.168.1.1 -p http,https          Port scan from service name
nmap 192.168.1.1 -F                     Fast port scan (100 ports)
nmap 192.168.1.1 --top-ports 2000       Port scan the top x ports
nmap 192.168.1.1 -p-65535               Leaving off initial port in range, makes the scan start at port 1
nmap 192.168.1.1 -p0-                   Leaving off end port in range, makes the scan go through to port 65535

Service and Version Detection

Example                                 Description
-------                                 ------------
nmap 192.168.1.1 -p 21                  Port scan for port x
nmap 192.168.1.1 -p 21-100              Port range
nmap 192.168.1.1 -p U:53,T:21-25,80     Port scan multiple TCP and UDP ports
nmap 192.168.1.1 -p-                    Port scan all ports
nmap 192.168.1.1 -p http,https          Port scan from service name
nmap 192.168.1.1 -F                     Fast port scan (100 ports)
nmap 192.168.1.1 --top-ports 2000       Port scan the top x ports
nmap 192.168.1.1 -p-65535               Leaving off initial port in range, makes the scan start at port 1
nmap 192.168.1.1 -p0-                   Leaving off end port in range, makes the scan go through to port 65535

OS detection

Example                                         Description
-------                                         ------------
nmap 192.168.1.1 -sV                            Attempts to determine the version of the service running on port
nmap 192.168.1.1 -sV --version-intensity 8      Intensity level 0 to 9. Higher number increases possibility of correctness
nmap 192.168.1.1 -sV --version-light            Enable light mode. Lower possibility of correctness. Faster
nmap 192.168.1.1 -sV --version-all              Enable intensity level 9. Higher possibility of correctness. Slower
nmap 192.168.1.1 -A                             Enables OS detection, version detection, script scanning, and traceroute

NSE Scripts

Example                                     Description
-------                                     ------------
nmap 192.168.1.1 -sC                        Scan with default NSE scripts. Considered useful for discovery and safe
nmap 192.168.1.1 --script default           Scan with default NSE scripts. Considered useful for discovery and safe
nmap 192.168.1.1 --script=banner            Scan with a single script. Example banner
nmap 192.168.1.1 --script=http*             Scan with a wildcard. Example http
nmap 192.168.1.1 --script=http,banner       Scan with two scripts. Example http and banner
nmap 192.168.1.1 --script "not intrusive"   Scan default, but remove intrusive scripts

nmap --script snmp-sysdescr --script-args   NSE script with arguments
snmpcommunity=admin 192.168.1.1

Firewall / IDS Evasion and Spoofing

Example                                         Description
-------                                         ------------
nmap 192.168.1.1 -f                             Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters
nmap 192.168.1.1 --mtu 32                       Set your own offset size

nmap -D 192.168.1.101,192.168.1.102,            Send scans from spoofed IPs
192.168.1.103,192.168.1.23 192.168.1.1          ( explanation : nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip)

nmap -S www.microsoft.com www.facebook.com      Scan Facebook from Microsoft (-e eth0 -Pn may be required)
nmap -g 53 192.168.1.1                          Use given source port number

nmap --proxies http://192.168.1.1:8080,         Relay connections through HTTP/SOCKS4 proxies
http://192.168.1.2:8080 192.168.1.1             

nmap --data-length 200 192.168.1.1              Appends random data to sent packets

Output

switch              Description
-------             ------------
-oN                 Normal output to the file normal.file
-oX                 XML output to the file xml.file
-oG                 Grepable output to the file grep.file
-oA                 Output in the three major formats at once
-oG -               Grepable output to screen. -oN -, -oX - also usable
--append-output     Append a scan to a previous scan file
-v                  Increase the verbosity level (use -vv or more for greater effect)
-d                  Increase debugging level (use -dd or more for greater effect)
--reason            Display the reason a port is in a particular state, same output as -vv
--open              Only show open (or possibly open) ports
--packet-trace      Show all packets sent and received
--iflist            Shows the host interfaces and routes
--resume            Resume a scan

Hope this nmap tutorial article helped you to understand the process. If any queries feel free to comment.

Interested in wifi hacking ? read this

Leave a Reply

Your email address will not be published. Required fields are marked *