If you plan to study everything that is generalized, it is customary to call information security, then sooner or later (and rather sooner) you will hear or learn about such a utility as Nmap. Someone may say: “Ah, what’s there? Just scan the ports. ” Do not listen to these people. Knowing the capabilities of Nmap commands and the ability to use it, in itself already gives serious opportunities in the practice of pentest. And in this article I will try to show you the basics and give the most necessary recipes for using Nmap, as well as explain how it works.

if you are really into pentesting you should learn How to use nmap

When a software get ported to all those OS it’s a mark for how important that software is,

Whatever you are trying to do as a network Administrator or a Penetration Tester you will need to work with Nmap one day

What is nmap?

Nmap is an abbreviation of “Network Mapper”, a tool for researching the network and checking security. The utility is cross-platform, free, it supports Linux, Windows, FreeBSD, OpenBSD, Solaris, Mac OS X operating systems.

Nmap can scan using various methods – for example, UDP, TCP connect (), TCP SYN (half-open), FTP proxy (break through ftp), Reverse-ident, ICMP (ping), FIN, ACK, SYN and NULL scanning. The choice of the scanning option depends on the specified keys, the nmap call looks like this:

For experiments, we take a special experiment host created by the nmap developers themselves – scanme.nmap.org. Run as root It is

not necessary to specify scan keys – in this case nmap will check the host for open ports and services that listen on these ports.

Run the command:

After a few seconds, we get the result: Nothing unusual, ssh on the standard port and http on 80. Nmap recognizes the following port states: open , filtered

closed , or unfiltered . Open means that the application on the target machine is ready to accept packets on this port. Filtered means that a firewall, filter, or something else on the network is blocking the port, so Nmap cannot determine if the port is open or closed. Closed – are not currently associated with any application, but can be opened at any time. Unfiltered ports respond to Nmap requests, but you cannot determine if they are open or closed.

Hint: If you press the spacebar during a scan, you can see the current scan progress and how many percent it has been completed.

What does nmap do?

Nmap used for rapidly scan large networks, yet it works fine against single hosts.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

With Nmap you can find:

What computers are running on a local network.

What IP addresses are running on a local network.

What is the operating system of your target machine.

What ports are open on the machine that you just scanned. ( port scanner )

Find out if the system is infected with malware or virus.

Search for unauthorized servers or network service on your network.

Find and remove computers which don’t meet the organization’s minimum level of security.

While Nmap is commonly used for security audits, many systems and network administrators, find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

The software provides a number of features for probing computer networks we will try to learn some of the features together

Nmap originally written by Gordon Lyon first release in September 1997 Written in C, C++, Python, Lua

How to use Nmap

The logic of using the utility is quite simple.

By launching the nmap utility, we can immediately set the scan target, with the settings we need. It is important to understand that everything that is not a program’s functionality i.e. options and arguments, nmap will be regarded as a target, which means we can enter several objects as targets, and targets can be network addresses, ip addresses, ranges of ip addresses, networks, subnets, etc.

Also an important point: to perform many types of scans, you need superuser rights, I will try to mark the commands for which this is a prerequisite, but it is better to start working with Nmap immediately with elevated rights, so as not to get nervous every time he asks for root.

By the way, if you think that ports can be open or closed, then you are certainly right, but due to the peculiarities of packet transmission and responses to them by different protocols, to more accurately determine the state of the target under investigation, Nmap identifies six port states, they must be known to understand the results of scanning:

Status What it means 1. open Application accepts packet or connection requests to port closed The port responds, but is not used by any application. filtered Requests do not reach this port, which means it is impossible to determine whether it is open or not. not filtered

unfiltered The port is available, but Nmap cannot determine whether it is closed or open. Using a different scanning method usually helps. open | filtered I can’t determine if the port is open or is being filtered. Occurs if the open port is not responding. Using a different scanning method usually helps. closed | filtered I can’t determine whether the port is closed or is being filtered. Using a different scanning method usually helps.

At the very beginning of work with a goal, we, as a rule, know very little about it, which means we need to obtain primary data, shorten or expand the list of goals of interest (depends on the task) and determine the further direction of movement. For each specific task, the algorithm of actions can change and there are no recipes guaranteeing success, but there is a basic set of actions that you should know right well, I will try to focus on these and not get into the wilds.

To begin with, we will analyze the basic commands from the help, this is necessary to learn the basics of using Nmap. In some examples, we will use the site scanme.nmap.org as a target for scanning. This site is specially created by Nmap developers to test the capabilities of the program.

Host discovery

host discovery , this concept is quite broad, and consists of the initial discovery of active IP addresses, this stage is also called ping scanning, here you need to understand that you can scan as, with all the usual, ICMP requests, and combining them with TCP, UDP and ARP requests. Upon detecting the host, Nmap will automatically scan its ports if no option is set to cancel this action.

Nmap host discovery options:

-sL Scan to list.

Selecting this option will list the entire range of IP addresses on the network with the names assigned to them (if any). At the end of the list, the total number of IPs found will be displayed. If the domain name is set as the target, then IP and its Reverse DNS will be displayed.

Scan to list. Selecting this option will list the entire range of IP addresses on the network with the names assigned to them (if any). At the end of the list, the total number of IPs found will be displayed. If the domain name is set as the target, then IP and its Reverse DNS will be displayed. -sP ping scan.

This option defines active hosts i.e. those that respond to requests and list them out. If you run this option with root privileges, then ARP requests will also be involved, thanks to which we will find out the mac addresses of working devices on the network.

ping scan. This option defines active hosts i.e. those that respond to requests and list them out. If you run this option with root privileges, then ARP requests will also be involved, thanks to which we will find out the mac addresses of working devices on the network. -Pn Skip ping scan.

Using this option, Nmap will assume that all IPs in the network under study are active and will scan the entire range of IP addresses, including all ports on each IP

Skip ping scan. Using this option, Nmap will assume that all IPs in the network under study are active and will scan the entire range of IP addresses, including all ports on each IP -PS / -PA / -PU

These are commands to get a list of ports. The only difference is the packets that will be sent to the host: PS is TCP SYN, PA is TCP ACK. There is actually no fundamental difference, but if there is a chance that the connection is blocked by the firewall, it is better to use the TCP ACK. Well, and PU (you need root) – this is UDP ping – is used to receive an ICMP packet with an error “port is not reliable”, all other errors, including the lack of an answer, indicate that the host is not working.

In addition to the specified options, you can specify which types of ICMP packets to use, this is done with the -PE options ; -PP ; -PM – this is an echo request, a request for a time stamp and a request for an address mask, respectively, I will not dwell on them because such requests will most likely be blocked by the host or firewall.

These are commands to get a list of ports. The only difference is the packets that will be sent to the host: PS is TCP SYN, PA is TCP ACK. There is actually no fundamental difference, but if there is a chance that the connection is blocked by the firewall, it is better to use the TCP ACK. Well, and PU (you need root) – this is UDP ping – is used to receive an ICMP packet with an error “port is not reliable”, all other errors, including the lack of an answer, indicate that the host is not working. In addition to the specified options, you can specify which types of ICMP packets to use, this is done with the options ; ; – this is an echo request, a request for a time stamp and a request for an address mask, respectively, I will not dwell on them because such requests will most likely be blocked by the host or firewall. -PO

Command to get a list of protocols by pinging using the IP protocol (root is required to run). In this case, answers should be received according to the protocol specified in the request, this means that the protocol is active, if the response comes that the host is not reachable, it makes it clear that the protocol is not supported.

Command to get a list of protocols by pinging using the IP protocol (root is required to run). In this case, answers should be received according to the protocol specified in the request, this means that the protocol is active, if the response comes that the host is not reachable, it makes it clear that the protocol is not supported. -PR

This is ARP ping. The most optimal scanning method that allows you to determine the active hosts, services and ports they use (root is required to start).

This is ARP ping. The most optimal scanning method that allows you to determine the active hosts, services and ports they use (root is required to start). –Traceroute

Option that allows you to perform tracing ie track the path to the host, it is used together with any type of scan and works on the basis of data received as a result of it (root is required to run)

Scanning Techniques

We come to the section on port scanning techniques. Almost all the options listed in this section require root to run, this must be taken into account. You can also use only one method at a time (exception UDP scan (-sU), it can be combined with any type of TCP scan.

-sS

TCP SYN scan. This is the most popular and rather inconspicuous type of scan. when using it, the TCP connection is never established to the end. It works like this: Nmap sends a SYN packet, for the host it looks like they want to establish a real connection with it. If the response comes SYN / ACK, then the port is open, and if RST is closed, if the response does not come or an ICMP error message is received, then the port is filtered.

TCP SYN scan. This is the most popular and rather inconspicuous type of scan. when using it, the TCP connection is never established to the end. It works like this: Nmap sends a SYN packet, for the host it looks like they want to establish a real connection with it. If the response comes SYN / ACK, then the port is open, and if RST is closed, if the response does not come or an ICMP error message is received, then the port is filtered. -sU

UDP scan. Allows you to scan ports used by UDP services, can be combined with TCP scanning (for example: -sS -sU). It works by sending an empty UDP header to the appropriate ports. If the error “port is unreachable” arrives, then depending on the type of error, Nmap determines whether the port is closed or filtered, if UDP received a reply, the packet means the port is open, and if there is no answer, it will be given the status open | filtered, in this situation, to clarify data can use the versioning option (-sV). UDP scanning works extremely slowly, because to speed up the process, it makes sense to specify a list of ports of interest (for example, -p U: 53)

UDP scan. Allows you to scan ports used by UDP services, can be combined with TCP scanning (for example: -sS -sU). It works by sending an empty UDP header to the appropriate ports. If the error “port is unreachable” arrives, then depending on the type of error, Nmap determines whether the port is closed or filtered, if UDP received a reply, the packet means the port is open, and if there is no answer, it will be given the status open | filtered, in this situation, to clarify data can use the versioning option (-sV). UDP scanning works extremely slowly, because to speed up the process, it makes sense to specify a list of ports of interest (for example, -p U: 53) -sA

TCP ACK scan which is used to determine the firewall rules and the ports they filter.

TCP ACK scan which is used to determine the firewall rules and the ports they filter. -sO

Scan IP protocol, this way you can determine which IP protocols are supported by the target. Upon receipt of any response via any protocol, such a port is marked as open, if an ICMP error is received, the “protocol is unreachable” error, it will be marked as closed, and sometimes filtered, if the response does not arrive, it is “open | filtered”.

Nmap port scan

Port Definition and Scan Order Sometimes it becomes necessary to scan a specific port or range of ports, and if you immediately know which ports are the target, it’s better to do so, this can seriously reduce time and leave fewer traces. If you do not specify the ports that we want to scan, then Nmap, by default, will scan all ports up to and including 1024 and all ports specified in the * /nmap/ nmap-services file for the protocol that will be scanned.

In order to manually select the ports or port range for scanning, the option:

-p

means that we want to scan only certain ports. We must first specify the type of scan, and then the ports that we want to scan, you can also specify the TCP protocol (option T 🙂 or UDP (option U 🙂 (if you do not specify both), do not forget that UDP scanning must be applied the -sU option is used, and the -sS option (or similar) is used for TCP scanning, for example:

Note

There are also slightly less common methods for determining target ports. If we specify the -F parameter, then the 100 most common ports will be scanned, and if -p- , then all 65535.

more about nmap port scaning : nmap port scan example

Defining services, their versions, and operating system

As can be seen from the screenshots shown above, Nmap determines not only the port number and status, but also the service that is running on this port, of course, in most cases this is reliable information, but there are tricky system administrators who run services on non-standard ports. Fortunately, Nmap makes it possible to determine whether such a service really works on the found port, and also to obtain additional information, such as host name, application name, version number, device type and OS family.

-sV Versioning

Having discovered the port, Nmap starts sending appropriate requests to it in order to determine which service this port is using, for this, information from the nmap-service-probes database (located in the nmap folder) is used, where the requests are contained and the types of responses to them are listed, to recognize the corresponding services.

–Version-intensity

The option setting the intensity determines which queries will be used during scanning. You can set the value from 1 to 9. The lower the value, the faster the scan will go, the higher – the slower, but more likely to correctly determine the service. If the option is not specified, the default value is 7, which is sufficient in most cases. If you want to use the maximum intensity, use the –version-all parameter , this ensures that every single request will be directed to each port (and be patient, this may take some time)

-O

Enable OS detection mode. When this option is enabled, Nmap sends several TCP and UDP packets to the host, and the results are compared with the data from the nmap-os-db file (located in the Nmap folder) and if it finds a match, it shows the answer for which OS and which version its typical behavior. Using the same matches, Nmap will try to determine the type of device and its manufacturer.

Note:

I talked about the options for determining versions and OS because you need to know about them for completeness of review, but in practice, in most cases, it’s better to use the -A option instead , which immediately includes the definition of OS, versions, tracing scanning using scripts.

Nmap Script Engine

One of the key features of Nmap is the use of scripts when scanning. A huge number of scripts are supplied, they are about 600 and they are in * /nmap/ scripts, the scripts database in the script.db file is in the same directory. For ease of use, all scripts are divided into categories. The trick is that you can run scripts immediately in categories (one or several), this eliminates the need to remember the names of individual scripts, although some scripts should be remembered (but more on that later). It is also important to remember that some scripts leave many traces on the target system, and therefore it is worth using them carefully and remembering the means of anonymization.

A complete list of scripts and their description can be found here: https://nmap.org/nsedoc/index.html

auth

Category of scripts that works with authentication credentials on the system under study

Category of scripts that works with authentication credentials on the system under study broadcast

These scripts are needed to detect hosts not listed on the command line by broadcasting on the local network. When using the newtargets argument, found hosts will be automatically added to the scan queue

These scripts are needed to detect hosts not listed on the command line by broadcasting on the local network. When using the newtargets argument, found hosts will be automatically added to the scan queue brute

Scripts for brute force attacks to obtain authentication credentials.

Scripts for brute force attacks to obtain authentication credentials. default A

basic set of scripts defined by developers as “default scripts” to extend the functionality of Nmap. They are started by the command -sC or -A

basic set of scripts defined by developers as “default scripts” to extend the functionality of Nmap. They are started by the command -sC or -A discovery

Scripts of this category collect accounting, registration and statistical data about the investigated system.

Scripts of this category collect accounting, registration and statistical data about the investigated system. dos

These scripts test the system under investigation for vulnerabilities to denial of service attacks

These scripts test the system under investigation for vulnerabilities to denial of service attacks exploit

Nmap will try to exploit some known vulnerabilities

Nmap will try to exploit some known vulnerabilities external

These scripts send information to third-party databases or resources, for example: whois, virus total, robtex, geoplugin, ipinfo, etc. for more information about the target understudy

These scripts send information to third-party databases or resources, for example: whois, virus total, robtex, geoplugin, ipinfo, etc. for more information about the target understudy fuzzier

Scripts to send unexpected or randomized fields in each packet to the server software. Typically used to identify vulnerabilities or configuration errors. These are quite aggressive scripts, the use of which can lead to server failures

Scripts to send unexpected or randomized fields in each packet to the server software. Typically used to identify vulnerabilities or configuration errors. These are quite aggressive scripts, the use of which can lead to server failures intrusive

This category contains the most aggressive scripts aimed at identifying many common vulnerabilities, both services and password auditing. Using scripts of this category leaves a lot of traces in the target system and, as a rule, will be regarded by administrators as an attempt of unauthorized interference

This category contains the most aggressive scripts aimed at identifying many common vulnerabilities, both services and password auditing. Using scripts of this category leaves a lot of traces in the target system and, as a rule, will be regarded by administrators as an attempt of unauthorized interference malware

These scripts scan the target system for malware infection and backdoors.

These scripts scan the target system for malware infection and backdoors. safe

Scripts from this category are designed to collect general information and research the network; they do not perform active actions aimed at identifying or exploiting vulnerabilities; they do not imply negative consequences for the operability of the target system

Scripts from this category are designed to collect general information and research the network; they do not perform active actions aimed at identifying or exploiting vulnerabilities; they do not imply negative consequences for the operability of the target system version

These are scripts for expanding the functionality of the versioning option, they cannot be run separately, they work as needed when selecting the versioning option (-sV)

These are scripts for expanding the functionality of the versioning option, they cannot be run separately, they work as needed when selecting the versioning option (-sV) vuln

Scripts checking for known vulnerabilities, the results will be shown only if they are detected

Using Nmap Scripts

Despite the huge number of available scripts, the logic of their use is quite simple and understandable. Moreover, in most cases, it is worth running a script-based scan along with port scanning, because some scripts work depending on a particular port state.

-sC

Script based scanning. The same as script = default, i.e. launches a scan using a set of scripts from the default category (as I wrote above, it is better to use the option – A )

–Script-help

Script or category information. If you select this option, you can specify a specific script or category, and the description of the script (category) and a link to the help page for it will be displayed on the screen.

–Script

category of scripts, file

Using this option, you can specify a specific script, or several scripts to run, separated by a comma, you can also specify a category (or several), or run a script from the specified file, for example:

sudo nmap –script whois- domain scanme.nmap.org

will run only the whois-domain script, and

sudo nmap –script default, safe, whois-domain scanme.nmap.org

will run all the scripts from the default and safe categories and the whois-domain script.

In general, the point is that you can combine categories and scripts as you need, there are no restrictions here, even if you’re something Wrong Nmap will tell you where the error is.

–Script-args name1 = value1, name2 = value2

This option allows you to pass arguments to scripts, for more fine-tuning. You can specify several arguments at once, listing them separated by commas; as a value, you can specify either fixed values ​​or values ​​from a file. For instance:

A similar command will check the settings of the MySQL database server in comparison with the CIS standards Oracle MySQL Benchmarks, while user names will be enumerated from the list from the usernames.lst file, and passwords will be sorted through the passwords.lst dictionary (both dictionaries are standard Nmap dictionaries , you can specify your dictionaries or separately specify the desired values).

Note:

Please note that I did not put spaces after commas, this is necessary so that Nmap understands which arguments belong to which option, this happens because the shell interprets each element separately. You can put spaces, but then you need to enclose the argument groups in quotation marks so that the interpreter interprets it as a single object, for example:

–script-args “ mysql-audit.username = ‘nselib/data/usernames.lst’, mysql-audit.password = ‘nselib/data/passwords.lst’, mysql-audit.filename = ‘nselib/data/mysql-cis.audit’ “

Time and Performance Management Options

Some types of scans take a lot of time, this can be due to a large number of tests or, for example, due to the settings of the firewall of the target. And, although, Nmap is trying to optimize the scan, but this process, to some extent, can be controlled. We will not consider manual time management, because it is too precise and quite complex element. We will deal with the use of time management settings templates. The template is set by the parameter:

-T pattern

There are 6 templates themselves, you can choose them just by specifying a number from 0 to 6:

paranoid (paranoid) (0) – used to bypass IDS i.e. intrusion detection systems; sneaky (sly) (1) – similar to the previous one; polite (polite) (2) – reduces the scanning intensity in order to reduce the consumption of bandwidth and machine resources; normal (3) – the mode used by default; aggressive (aggressive) (4) – mode of increased scanning intensity, demanding on speed and reliability of the connection; insane (5) – the fastest and most inaccurate mode

Nmap Firewall Bypass

The issue of bypassing protection and filtering is very extensive and controversial. All intrusion detection systems are constantly evolving and improving, so you should understand that there is no kind of magic recipe or a single algorithm for bypassing the firewall or other means of protection, each new situation is somewhat unique, and therefore, the directness of hands to a greater extent solves it, and even more experience and skills, but this article is not about this, but about Nmap. The developers took care of us and included in the program components that allow you to fool the means of protection:

-f Packet fragmentation. When this option is enabled, Nmap will use small fragmented IP packets for all types of scans. This means that the TCP header will be split into parts, and these parts will be sent to the target in various packets, in such a situation there is a possibility that the filter simply does not understand what we want to do, and therefore will not respond. By default, Nmap breaks packets into 8-byte portions. This value can be set manually using the –mtu option (size must be a multiple of 8)

Packet fragmentation. When this option is enabled, Nmap will use small fragmented IP packets for all types of scans. This means that the TCP header will be split into parts, and these parts will be sent to the target in various packets, in such a situation there is a possibility that the filter simply does not understand what we want to do, and therefore will not respond. By default, Nmap breaks packets into 8-byte portions. This value can be set manually using the –mtu option (size must be a multiple of 8) -D dummy_host1, dummy_host2, dummy_host3, ME, dummy_host5

Scan using dummy hosts. For the purpose, it will look like it is scanned by all the hosts listed by you, while it will be quite difficult to understand where the real scan came from. Fictitious hosts must be specified with a comma, without spaces. You can set the ME parameter to what your real address will be in the list if this parameter is not specified, Nmap will put it randomly

dummy_host1, dummy_host2, dummy_host3, ME, dummy_host5 Scan using dummy hosts. For the purpose, it will look like it is scanned by all the hosts listed by you, while it will be quite difficult to understand where the real scan came from. Fictitious hosts must be specified with a comma, without spaces. You can set the ME parameter to what your real address will be in the list if this parameter is not specified, Nmap will put it randomly –Data-length number

This option adds the specified number of bytes to the packet. Sometimes confusing filter systems

number This option adds the specified number of bytes to the packet. Sometimes confusing filter systems –Spoof-mac MAC Address

Substitute mac address. You can specify the desired mac address as a value, if you specify 0, a random mac will be generated, you can also specify a prefix or manufacturer name (a list of manufacturer prefixes is in the nmap-mac-prefixes file in the program package) then Nmap will use the prefix for the first part mac addresses and random value for second

Nmap Output Results

If you do not specify any parameters for outputting results, Nmap will exit the received data in the terminal. This is quite acceptable for scanning a single target, but it is not always convenient (or rather, always not convenient) for the analysis of large amounts of data. For our convenience, the developers made it possible to save the results immediately to a file, and there are several options:

-oN file_name

Standard output. Scan data will be saved to the specified file in the form in which we see it in the terminal

file_name Standard output. Scan data will be saved to the specified file in the form in which we see it in the terminal -oX filename

XML output. The format is convenient for subsequent processing of results by third-party parsers or ZenMap

filename XML output. The format is convenient for subsequent processing of results by third-party parsers or ZenMap -oG file_name

Grepable output. With this output, the data of each host will be displayed on one line, it is needed if there is a need to use the lines grep, cut, etc. to process the utility with the command.

file_name Grepable output. With this output, the data of each host will be displayed on one line, it is needed if there is a need to use the lines grep, cut, etc. to process the utility with the command. –Resume file_name

Continue the interrupted scan. If the scan, for whatever reason, was not completed, but its results were saved to a file (only -oN or -oG), you can continue it from the moment you finish with the command: nmap –resume file_name. Other options do not need to be set, scanning continues with the same options with which it was originally started

Various Nmap Options

-6

Enable IPv6 scanning. With this scan, the same options are used as with the usual one, with the difference that the IP address must be specified in IPv6 format

Enable IPv6 scanning. With this scan, the same options are used as with the usual one, with the difference that the IP address must be specified in IPv6 format -A

Aggressive scan options. As I mentioned earlier, it runs OS detection (-O), scan with target, version detection (-sV), script scan (-sC) and trace (–traceroute)

Aggressive scan options. As I mentioned earlier, it runs OS detection (-O), scan with target, version detection (-sV), script scan (-sC) and trace (–traceroute) -v

Increase verbal level. When this option is enabled, more information will be displayed on the screen (and in the results) i.e. it will be more detailed. With a long scan, the approximate completion time will be shown, and the results will be displayed as they are received, and not after the scan is completed.

Nmap command examples

Nmap Scan a single host or an IP address (IPv4)

The output will show you some interesting open port and the MAC Address

Scan multiple IP address or subnet (IPv4)

Read lists of hosts/networks from a file (IPv4)

The option allows you to read the list of target systems using a text file.

This is use of the -iL ul to scan a large number of hosts/networks.

Create a text file as follows:

Your Text file should look like this ( Test.txt )

Lets say the text file is in tmp here is your commend

Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan:

OR exclude list from a file called /tmp/exclude.txt

Turn on OS and version detection scanning script (IPv4)

The results of a scan might determine that a machine is listening on port 80, without knowing its corresponding OS and Web Server version makes the task of attempted compromise a “shot in the dark” methodology.

NMap solve this dilemma by using OS and Version detection. The following commands:

Check if a host/network is protected by a firewall

Scan a host when protected by the firewall

Scan an IPv6 host/address

The -6 option enables IPv6 scanning. The syntax is:

Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan: nmap host discovery

Display the reason a port is in a particular state:

Only show open (or possibly open) ports :

Show all packets sent and received

Show host interfaces and routes

This is useful for debugging (IP command or route command or netstat command like output using Nmap)

Sample outputs:

nmap port scan example

Scan specific ports

Sample outputs:

Scan all your devices/computers for open ports ever

nmap -T5 192.168.1.0/24

nmap os detection example

You can identify a remote host apps and OS using the -O option:

detect remote services (server/daemon) version numbers:

Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

If firewall is blocking standard ICMP pings, try the following host discovery methods:

Scan a host using IP protocol ping

Scan a host using UDP ping

This scan bypasses firewalls and filters that only screen TCP:

Find out the most commonly used TCP ports using TCP SYN Scan

Scan a host for UDP services (UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:

Output:

Scan for IP protocol

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:

Scan a firewall for security weakness

The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:

Scan a firewall for packets fragments:

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over

several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

Cloak a scan with decoys

The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:

Scan a firewall for MAC address spoofing:

How to save output to a text file

The syntax is:

Vulnerability Scan Using Nmap and Vulscan

Nmap can quite successfully be used as a vulnerability scanner. To do this, you need to download the Vulscan script ( https://github.com/scipag/vulscan ) which will greatly expand the standard capabilities of Nmap.

Vulnerability databases are already integrated into the script:

This script is launched just like any other script, the only thing to remember is that it needs to be combined with the versioning command (-sV):

Additionally, for the Vulscan script, the –script-args command can pass additional arguments:

vulscandb = database

Use the specified database (from the list above), by default all existing databases will be used

= database Use the specified database (from the list above), by default all existing databases will be used –Script-args vulscaninteractive = 1

Enable interactive mode

Based on the results of the work of this script, Nmap will show a list of vulnerabilities, i.e. which vulnerability is found and where it is detected, but what to do next is already a question of this article.

On this, our general acquaintance with Nmap can be considered finished, perhaps at first it will seem to you that it is a little difficult, but practice using different options and arguments of this utility and you will see that it is simple, but as efficient as possible and do not forget to return to us to find out very much more a lot of new.