Nmap
Nmap is a very versatile tool for network and system scanning.
The Nmap web page defines Nmap as "an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime."
About Nmap
The best way to learn what Nmap can do is to look at its help page.
nmap -h
You can check all the possible options:
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
From this you can see what Nmap can actually do.
Other important sources of information are the Nmap book and the online reference guide.
Basic scanning
Imagine that you want to know which machines are active on your network. To do that with nmap, run one of the following:
nmap -sn 192.168.8.0/24 (using CIDR notation)
nmap -sn 192.168.8.1-254 (scans all IP addresses from 192.168.8.1 until 192.168.8.254)
This will produce the list of hosts that are up on the analysed network. This is a simple ping scan, without identification of open ports.
Scanning for open ports
The basic operation of nmap allows you to discover information about a connected system. The most basic way to use nmap for this is simply to run:
nmap 192.168.8.142
This will result in the following:
nmap reports the open ports and the services that are listening for connections on them. nmap can report the following 6 different port states:
open – indicates that an application is listening for connections on the port. The primary goal of port scanning is to find these.
closed – indicates that the probes were received but there is no application listening on the port.
filtered – indicates that the probes were not received and the state could not be established.
unfiltered – indicates that the probes were received but a state could not be established. In other words, a port is accessible, but Nmap is unable to determine whether it is open or closed.
open/filtered – indicates that the port is either open or filtered, but nmap couldn't establish which.
closed/filtered – indicates that Nmap is unable to determine whether a port is closed or filtered.
Specify ports
It is possible to specify the ports that we want nmap to analyse.
nmap -p 80 192.168.8.142 (analyses only the port 80)
nmap -p 80,443 192.168.8.142 (analyses ports 80 and 443)
nmap -p- 192.168.8.142 (analyses all possible ports - 65536 ports)
nmap --top-ports 10 192.168.8.142 (analyses the 10 most common ports)
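The target notations used in the host-discovery commands above (CIDR and octet ranges such as 192.168.8.1-254) and the -p port notations are easy to misread, and a mistake in either can turn a small scan into a very large one. The following added example (not nmap's own code, and not from this page's author) re-implements both syntaxes in plain Python so that you can expand a specification and count the resulting targets and ports before running anything. It assumes IPv4 targets only (no hostnames) and treats T:/U: port prefixes as a plain union of the listed ports; it follows nmap in reading -p- as 1-65535, with port 0 only included by an explicit 0- range.

```python
"""Expand nmap-style target and port specifications (added example, not nmap code).

Assumptions: IPv4 targets only, no hostnames; protocol prefixes (T:/U:) in a
port spec are stripped and the ports are merged into one list.
"""
import ipaddress
from itertools import product


def _expand_octet(piece: str) -> list[int]:
    """Expand one dotted-quad element: '1', '1-254', '1,5,9' or '-' (0-255)."""
    values: list[int] = []
    for part in piece.split(","):
        if part == "-":
            lo, hi = 0, 255
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_targets(spec: str) -> list[str]:
    """Expand an IPv4 target spec: CIDR (192.168.8.0/24) or octet ranges
    (192.168.8.1-254, 10.0.0-255.1-254)."""
    if "/" in spec:
        # strict=False lets 192.168.8.1/24 mean the whole /24, as nmap does;
        # iterating the network includes the network and broadcast addresses.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 spec: {spec!r}")
    ranges = [_expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in product(*ranges)]


def expand_ports(spec: str) -> list[int]:
    """Expand an nmap -p spec: '80', '80,443', '1-1024', '-' (1-65535),
    '0-' (0-65535), '-100' (1-100). Returns a sorted, de-duplicated list."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if ":" in part:  # T:80 / U:53 prefixes: keep only the port part
            part = part.split(":", 1)[1]
        if part == "-":
            lo, hi = 1, 65535
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 1      # omitted start means 1
            hi = int(hi_s) if hi_s else 65535  # omitted end means 65535
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def scan_size(target_spec: str, port_spec: str) -> int:
    """Number of (host, port) pairs a TCP port scan of these specs would probe."""
    return len(expand_targets(target_spec)) * len(expand_ports(port_spec))


if __name__ == "__main__":
    for t, p in [("192.168.8.0/24", "80,443"), ("192.168.8.1-254", "-")]:
        print(f"{t} with -p {p}: {scan_size(t, p)} host/port pairs")
```

Running the script shows, for example, that 192.168.8.1-254 with -p- is 254 × 65535 probes, which explains why a full-range scan of even a small network takes much longer than the default scan.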
Results in the following:
As you can see, some are reported as open while others are closed.
Different scanning techniques
nmap can also perform different scanning techniques. Here are some examples:
nmap -sU 192.168.8.142 (scans host for UDP services)
This will produce something similar to this:
nmap -sS 192.168.8.142 (performs a TCP SYN scan: this relates to the TCP 3-way handshake; nmap only sends the SYN packet and never completes the connection)
nmap -sT 192.168.8.142 (does the TCP connection, executing the complete TCP 3-way handshake)
Using different scanning techniques may produce different results and increase the amount of information collected. On this page you may find more information about these scanning techniques.
Service identification
nmap can also be used to identify the different services that are running and listening on a given host. In order to do that we may use the following:
nmap -sV 192.168.8.142
This will result in something like this:
From this it is possible to identify:
port: the port number
state: the current state of the port
service: the service name
version: the service details, including the version number.
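The port states listed earlier and the port/state/service/version fields described above are exactly what nmap's XML output (-oX) records for every port. Rather than reading the screenshot output by hand, a defender doing inventory usually parses that output. The following added example (not nmap's own code, and not from this page's author) parses a constructed -oX document with the standard library, validates each state against the six states the text lists, and produces a per-state summary and a list of open services with their version strings. The sample XML, hosts, products and versions are constructed for the example.

```python
"""Parse nmap -oX output into inventory records (added example, not nmap code).

The XML below is constructed for this example; every address, product and
version in it is made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# The six port states nmap reports, exactly as they appear in -oX output.
PORT_STATES = ("open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered")

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.8.142" version="7.93">
<host>
<status state="up" reason="echo-reply"/>
<address addr="192.168.8.142" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="9.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="ExampleHTTPd" version="1.2.3" method="probed" conf="10"/></port>
<port protocol="tcp" portid="113"><state state="closed" reason="reset"/><service name="ident" method="table" conf="3"/></port>
<port protocol="tcp" portid="135"><state state="filtered" reason="no-response"/><service name="msrpc" method="table" conf="3"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Return one record per scanned port: host, protocol, port, state,
    reason, service name and a combined 'product version' string."""
    root = ET.fromstring(xml_text)
    records: list[dict] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else "unknown"
            if state not in PORT_STATES:
                raise ValueError(f"unexpected port state {state!r}")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            records.append({
                "host": addr,
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "reason": state_el.get("reason", "") if state_el is not None else "",
                "service": name,
                # -sV only fills product/version when a probe matched; a
                # 'method="table"' guess leaves this empty.
                "version": " ".join(p for p in (product, version) if p),
            })
    return records


def summarize_states(records: list[dict]) -> dict:
    """Count ports per state, e.g. {'open': 2, 'closed': 1, ...}."""
    return dict(Counter(r["state"] for r in records))


def open_services(records: list[dict]) -> list[tuple]:
    """(host, protocol, port, service, version) for every port in state 'open'."""
    return [(r["host"], r["protocol"], r["port"], r["service"], r["version"])
            for r in records if r["state"] == "open"]


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    print(summarize_states(recs))
    for row in open_services(recs):
        print("%s %s/%d %s %s" % row)
```

To run it on a real scan, replace SAMPLE_XML with the contents of a file produced by nmap -sV -oX scan.xml <target>; the open|filtered entries are the UDP and filtered cases the state list explains, and an empty version string tells you the name came from nmap's port table rather than from a matched probe.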
Identifying the operating system
nmap is also capable of identifying the operating system of the target machine.
nmap -O 192.168.8.142 (tries to identify the OS on the target)
Produces the following results:
Running scripts with nmap
Another functionality of nmap is the ability to execute scripts against a target. nmap ships with hundreds of scripts, which it runs through the NSE - Nmap Scripting Engine.
Usually, you may find those scripts in the following directory:
/usr/share/nmap/scripts
These scripts are organized according to a set of categories:
auth
broadcast
default
discovery
dos
exploit
external
fuzzer
intrusive
malware
safe
version
vuln
We may select to run a specific script on a target:
nmap --script ftp-vsftpd-backdoor 192.168.8.142
Or we may run all the scripts of a given category on a target:
nmap --script vuln 192.168.8.142
That results in the identification of multiple vulnerabilities on the target platform.
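Selecting scripts by category, as --script vuln does, is driven by the category list each script declares; nmap keeps an index of these in script.db next to the scripts, one Entry { ... } line per script. The following added example (not nmap's own code, and not from this page's author) parses entries in that format and answers the question a practitioner should ask before running a category: which scripts will run, and which of them are not also in the safe category (nmap's own split between safe and intrusive). The entries are constructed for the example and their category lists are illustrative, not a copy of the real database.

```python
"""Resolve an NSE category to the scripts it selects (added example, not nmap code).

The entries below are constructed in script.db's format; the category lists
are illustrative, not copied from a real nmap installation.
"""
import re
from collections import Counter

SCRIPT_DB_SAMPLE = """\
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}'
)


def parse_script_db(text: str) -> dict[str, frozenset[str]]:
    """Map script name (without .nse) to its set of categories."""
    db: dict[str, frozenset[str]] = {}
    for filename, cats in ENTRY_RE.findall(text):
        name = filename[:-4] if filename.endswith(".nse") else filename
        db[name] = frozenset(re.findall(r'"([^"]+)"', cats))
    return db


def scripts_in_category(db: dict[str, frozenset[str]], category: str) -> list[str]:
    """Scripts that '--script <category>' would select, sorted by name."""
    return sorted(name for name, cats in db.items() if category in cats)


def not_safe(db: dict[str, frozenset[str]], category: str) -> list[str]:
    """Scripts in the category that are not marked safe, i.e. the ones that
    may crash, alter or noticeably load the target."""
    return [name for name in scripts_in_category(db, category)
            if "safe" not in db[name]]


def category_counts(db: dict[str, frozenset[str]]) -> dict[str, int]:
    """How many scripts each category contains."""
    return dict(Counter(c for cats in db.values() for c in cats))


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB_SAMPLE)
    print("vuln selects:", scripts_in_category(db, "vuln"))
    print("of which not safe:", not_safe(db, "vuln"))
    print("category sizes:", category_counts(db))
```

Point parse_script_db at the real file (under /usr/share/nmap/scripts/script.db on a typical installation) to see what a category resolves to on your own system; the not_safe list is the part worth reviewing before running a whole category against production hosts.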
Additional Information