Nmap is the first tool used by any penterster in the early phase of ethical hacking. So in this nmap tutorial we are gonna familiarize the nmap scanning tool.
What is Nmap ?
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.
So it provides a number of features for probing computer networks, including host discovery and service and operating system detection.
It can be used for :
- Host discovery
- Port Scanning
- Version detection
- OS detection etc
Zenmap for those who like to click
Start zenmap either from the command line or through your menu. This is the GUI interface to the Nmap scanner.
It’s important to know how to use Nmap to easily carry out hacking.
How Scanning works ?
Understanding how the default and most common SYN scan works is a good place to start to examine how the scan works and interpreting the results.
Basic SYN Scan will sort ports into Open, Closed and Filtered
To understand how it works we need to check the basics of TCP communication. TCP initiates with a 3 way hand shake process.
First the client will send a SYN request to the server. And server returns SYN ACK. The client sends an ACK message to the server, resulting in creation of a connection between client and server.
open ports
If a server returns SYN ACK , the port will be open port
filtered ports
filtered port result from Nmap indicates that the port has not responded at all. It may be due to request simply been dropped by the firewall.
closed ports
closed port most commonly indicate there is no service running on the port, but the firewall has allowed the connection to go through to the server.
Nmap cheatsheet
Target Specification
Example Description ------- ------------ nmap 192.168.1.1 Scan a single IP nmap 192.168.1.1 192.168.2.1 Scan specific IPs nmap 192.168.1.1-254 Scan a range nmap scanme.nmap.org Scan a domain nmap 192.168.1.0/24 Scan using CIDR notation nmap -iL targets.txt Scan targets from a file nmap -iR 100 Scan 100 random hosts nmap --exclude 192.168.1.1 Exclude listed hosts
Scan Techniques
Example Description ------- ------------ nmap 192.168.1.1 -sS TCP SYN port scan (Default) nmap 192.168.1.1 -sT TCP connect port scan (Default without root privilege) nmap 192.168.1.1 -sU DP port scan nmap 192.168.1.1 -sA TCP ACK port scan nmap 192.168.1.1 -sW TCP Window port scan nmap 192.168.1.1 -sM TCP Maimon port scan
Host Discovery
Example Description ------- ------------ nmap 192.168.1.1-3 -sL No Scan. List targets only nmap 192.168.1.1/24 -sn Disable port scanning. Host discovery only. nmap 192.168.1.1-5 -Pn Disable host discovery. Port scan only. nmap 192.168.1.1-5 -PS22-25,80 TCP SYN discovery on port x. Port 80 by default nmap 192.168.1.1-5 -PA22-25,80 TCP ACK discovery on port x. Port 80 by default nmap 192.168.1.1-5 -PU53 UDP discovery on port x. Port 40125 by default nmap 192.168.1.1-1/24 -PR ARP discovery on local network nmap 192.168.1.1 -n Never do DNS resolution
Port Specification
Example Description ------- ------------ nmap 192.168.1.1 -p 21 Port scan for port x nmap 192.168.1.1 -p 21-100 Port range nmap 192.168.1.1 -p U:53,T:21-25,80 Port scan multiple TCP and UDP ports nmap 192.168.1.1 -p- Port scan all ports nmap 192.168.1.1 -p http,https Port scan from service name nmap 192.168.1.1 -F Fast port scan (100 ports) nmap 192.168.1.1 --top-ports 2000 Port scan the top x ports nmap 192.168.1.1 -p-65535 Leaving off initial port in range, makes the scan start at port 1 nmap 192.168.1.1 -p0- Leaving off end port in range, makes the scan go through to port 65535
Service and Version Detection
Example Description ------- ------------ nmap 192.168.1.1 -p 21 Port scan for port x nmap 192.168.1.1 -p 21-100 Port range nmap 192.168.1.1 -p U:53,T:21-25,80 Port scan multiple TCP and UDP ports nmap 192.168.1.1 -p- Port scan all ports nmap 192.168.1.1 -p http,https Port scan from service name nmap 192.168.1.1 -F Fast port scan (100 ports) nmap 192.168.1.1 --top-ports 2000 Port scan the top x ports nmap 192.168.1.1 -p-65535 Leaving off initial port in range, makes the scan start at port 1 nmap 192.168.1.1 -p0- Leaving off end port in range, makes the scan go through to port 65535
OS detection
Example Description ------- ------------ nmap 192.168.1.1 -sV Attempts to determine the version of the service running on port nmap 192.168.1.1 -sV --version-intensity 8 Intensity level 0 to 9. Higher number increases possibility of correctness nmap 192.168.1.1 -sV --version-light Enable light mode. Lower possibility of correctness. Faster nmap 192.168.1.1 -sV --version-all Enable intensity level 9. Higher possibility of correctness. Slower nmap 192.168.1.1 -A Enables OS detection, version detection, script scanning, and traceroute
NSE Scripts
Example Description ------- ------------ nmap 192.168.1.1 -sC Scan with default NSE scripts. Considered useful for discovery and safe nmap 192.168.1.1 --script default Scan with default NSE scripts. Considered useful for discovery and safe nmap 192.168.1.1 --script=banner Scan with a single script. Example banner nmap 192.168.1.1 --script=http* Scan with a wildcard. Example http nmap 192.168.1.1 --script=http,banner Scan with two scripts. Example http and banner nmap 192.168.1.1 --script "not intrusive" Scan default, but remove intrusive scripts nmap --script snmp-sysdescr --script-args NSE script with arguments snmpcommunity=admin 192.168.1.1
Firewall / IDS Evasion and Spoofing
Example Description ------- ------------ nmap 192.168.1.1 -f Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters nmap 192.168.1.1 --mtu 32 Set your own offset size nmap -D 192.168.1.101,192.168.1.102, Send scans from spoofed IPs 192.168.1.103,192.168.1.23 192.168.1.1 ( explanation : nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip) nmap -S www.microsoft.com www.facebook.com Scan Facebook from Microsoft (-e eth0 -Pn may be required) nmap -g 53 192.168.1.1 Use given source port number nmap --proxies http://192.168.1.1:8080, Relay connections through HTTP/SOCKS4 proxies http://192.168.1.2:8080 192.168.1.1 nmap --data-length 200 192.168.1.1 Appends random data to sent packets
Output
switch Description ------- ------------ -oN Normal output to the file normal.file -oX XML output to the file xml.file -oG Grepable output to the file grep.file -oA Output in the three major formats at once -oG - Grepable output to screen. -oN -, -oX - also usable --append-output Append a scan to a previous scan file -v Increase the verbosity level (use -vv or more for greater effect) -d Increase debugging level (use -dd or more for greater effect) --reason Display the reason a port is in a particular state, same output as -vv --open Only show open (or possibly open) ports --packet-trace Show all packets sent and received --iflist Shows the host interfaces and routes --resume Resume a scan
Hope this nmap tutorial article helped you to understand the process. If any queries feel free to comment.
Interested in wifi hacking ? read this