

So in this post, I will be covering these:

Introduction To Nmap

Nmap Basics

Basic Target Scans

Advanced Nmap Commands for Scanning

Performance Optimization

Nmap Script Engine

Additional Resources

What is Nmap?

How To Install Nmap

Uses of Nmap

Tip:

In this tutorial we are using Nmap on Linux. Although port scanning is not a crime as per Shodan, to avoid headaches in this post we are going to scan the host https://scanme.nmap.org, which is permitted by the official Nmap project.

Overview Of Nmap Commands

Nmap Default Scan

nmap scanme.nmap.org

nmap -iL targets.txt

Service Version Scanning

nmap -sV scanme.nmap.org

Note:

Any of the 65,535 ports can be open or closed, but remember that by default Nmap scans only the top 1000 common ports; for the rest we will be covering some advanced scanning techniques, so keep reading.

Logging Scans

nmap scanme.nmap.org -oA logfilename
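As an added example (not from the original post or from the Nmap project), here is a small POSIX shell script that parses the .gnmap file written by -oA and pulls out only the open ports, which is what you usually want from a log of a large scan. The log content is constructed inline (the hosts, ports and versions are made up), so it runs without performing any scan.

```shell
#!/bin/sh
# Added example (not from the original post or from the Nmap project): list the
# open ports recorded in a grepable (.gnmap) log, one of the three files that
# "nmap scanme.nmap.org -oA logfilename" writes. Needs only sh, awk and wc.

# Constructed sample .gnmap content (the hosts, ports and versions are made up
# for the demo, not a real scan result). The field layout follows the grepable
# format: Host: <ip> (<name>) TAB Ports: <port>/<state>/<proto>/<owner>/<service>/
# <rpc>/<version>/, ... TAB Ignored State: <state> (<count>)
sample_gnmap() {
    printf '%s\n' '# Nmap scan initiated as: nmap -sV -oA logfilename scanme.nmap.org'
    printf 'Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up\n'
    printf 'Host: 45.33.32.156 (scanme.nmap.org)\tPorts: %s\tIgnored State: closed (995)\n' \
        '22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//Apache httpd 2.4.7/, 135/filtered/tcp//msrpc///, 9929/open/tcp//nping-echo//Nping echo/, 31337/open/tcp//tcpwrapped///'
    printf 'Host: 192.0.2.10 ()\tPorts: 80/closed/tcp//http///\tIgnored State: closed (999)\n'
    printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 60.00 seconds'
}

# open_ports FILE: print "<ip> <port>/<proto> <service> <version>" for every
# entry whose state is "open"; closed and filtered entries are skipped.
open_ports() {
    awk -F'\t' '
        /^Host: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, /, /)
                for (j = 1; j <= n; j++) {
                    # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                    split(entry[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
                }
            }
        }' "$1"
}

# count_open FILE: number of open ports across all hosts in the log.
count_open() {
    open_ports "$1" | wc -l | tr -d ' '
}

log=$(mktemp)
sample_gnmap > "$log"
open_ports "$log"                        # the four open ports of the first host
echo "open ports total: $(count_open "$log")"
rm -f "$log"
```

Point open_ports at a real logfilename.gnmap to get the same one-line-per-open-port view of your own scans.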

Specific Scan Ranges



Note: This was a small recap of Nmap, but it takes time to master Nmap. If you are still looking for Nmap commands, check out the Nmap manual by typing man nmap on the command line, or you can read it online here.

Nmap Advanced Scanning

Nmap Scan Types

Host detection methods

nmap -sn scanme.nmap.org

nmap -Pn -n scanme.nmap.org

Scanning UDP services

sudo nmap -sU scanme.nmap.org

Special TCP Scans

Operating system detection

sudo nmap -O scanme.nmap.org

Verbose Scanning

Packet tracing

sudo nmap scanme.nmap.org --packet-trace

Performance Optimization

Nmap timing optimization

nmap -T5 scanme.nmap.org

Customized host group sizes

Increasing and decreasing parallelism

Dealing with stuck hosts

Delaying and increasing probe rates

nmap scanme.nmap.org --scan-delay 5s

Nmap Scripting Engine

Finding Nmap Scripts

Auth: These scripts attempt to authenticate to services, and can verify found credentials

Broadcast: These scripts broadcast certain protocols to find out whether or not they are listening

Brute: These scripts attempt brute force or dictionary-based attacks against network services

Default: This is the default category of scripts that may run when a scan is initiated

Discovery: These scripts attempt to enumerate sensitive information from hosts and network services

Denial of Service (DoS): These scripts may cause disruption to the service that is being scanned

Exploit: These scripts attempt to execute an exploit for a given vulnerability

External: These scripts query third-party databases, such as DNS blacklists, to gather additional information about targets

Fuzzer: These scripts send random "garbage" information to services to attempt to find flaws in the software

Intrusive: This is an umbrella category for any script that may cause damage or be intrusive to the service itself

Malware: These scripts attempt to find instances of known malware

Safe: These scripts are verified to not cause harm to servers

Version: These scripts attempt to identify specific versions, as well as information disclosures from specific services, in a more in-depth way than normal service version detection

Vuln: These scripts identify known vulnerabilities in services

Running Nmap Scripts

sudo nmap --script-update-db

sudo nmap scanme.nmap.org --script "http-*"
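As an added example (not from the original post or from the Nmap project), the POSIX shell script below reads script.db, the index that --script-update-db rebuilds, and shows which scripts a wildcard such as "http-*" would load, optionally keeping only those in one category (for instance safe) so you know what will run before you run it. The script.db lines are a constructed sample in the real file's layout; the script names and categories are assumed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from the Nmap project): choose
# scripts from script.db, the index that "nmap --script-update-db" rebuilds, so
# you can see what a wildcard such as --script "http-*" would load and keep
# only the scripts in a given category (e.g. "safe") before running them.
# Needs only sh and paste.

# Constructed sample of script.db lines. Real script.db files use this same
# Lua-table layout; the script names and category lists here are assumed.
sample_script_db() {
    cat <<'EOF'
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
EOF
}

# scripts_matching DB GLOB [CATEGORY]: print the script names (without .nse)
# whose filename matches GLOB (a shell wildcard such as 'http-*') and, when
# CATEGORY is given, whose category list contains it.
scripts_matching() {
    db=$1; glob=$2; category=${3:-}
    while IFS= read -r line; do
        case $line in Entry*) ;; *) continue ;; esac
        name=${line#*\"}; name=${name%%\"*}; name=${name%.nse}   # http-title
        cats=${line##*\{}; cats=${cats%%\}*}                     # "default", "safe",
        case $name in $glob) ;; *) continue ;; esac
        if [ -n "$category" ]; then
            case $cats in *\"$category\"*) ;; *) continue ;; esac
        fi
        printf '%s\n' "$name"
    done < "$db"
}

# script_arg DB GLOB [CATEGORY]: the same selection as one comma-separated
# value, the form --script accepts (e.g. --script http-title,http-headers).
script_arg() {
    scripts_matching "$@" | paste -sd, -
}

db=$(mktemp)
sample_script_db > "$db"
echo "all http-* scripts:  $(script_arg "$db" 'http-*')"
echo "safe http-* scripts: $(script_arg "$db" 'http-*' safe)"
rm -f "$db"
```

On a real install, pass the path of your Nmap scripts/script.db instead of the sample file.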

Additional Resources

Conclusion

Nmap is the most used tool for all types of hackers, especially White Hats and System Administrators. Nmap comes with many built-in scripts for various scans, which is why it became one of the most popular hacking tools. In this post I am going to give you a short but effective tutorial on how to use Nmap and tell you about the advanced scanning techniques that many other hackers don't even mention. 😇

Before we start you should have basic knowledge of IP networking and Nmap; if not, no need to worry, I will try my best to explain more about it.

In simple words, Nmap is a Network Mapper, a free and open-source tool that comes with a GUI and a command-line interface and is mostly used by IT professionals to scan enterprise networks. Nmap helps look for live hosts, specific services, or operating systems.

The installation of Nmap depends on your operating system; on Linux it can be installed with a simple command. However, we are skipping the installation guide, as the installation process can be found in the official Nmap documentation. The interesting thing is that you can install Nmap on Android too; we have already published that on our blog, you can read it here.

As I told you at the beginning of this tutorial, Nmap is a Network Mapper which helps us scan a network or host and detect its open and closed ports, check whether a host is up or not, detect the operating system the host is running, and so on.

Before we start using Nmap you must have basic knowledge of networking, and before we do port scanning you must be clear about what a port is. A port is basically a way of connecting to a computer; there are 65,535 ports, and each can be open, closed or filtered. If a port is open, the computer is listening for a connection. If a port is closed, the computer is not looking for a connection on that port. If the port is filtered, it is likely to be open or closed and the system administrator is hiding some information.

Different ports are used for different connections, and the common services each have their well-known port. A port can be easily identified as it comes after a colon in an address, where the number after the colon is the port.

TCP and UDP are the most commonly used protocols over a network. Although both are used for listening for a connection, they play different roles. TCP is a connection-oriented protocol; in simple words, it is used for connections that need things delivered in a specific order, for example loading a web page. UDP is a connectionless protocol that doesn't assure the delivery of packets at the other end, and is most commonly used for live video streaming. Here is a quick overview of the various types of protocols.

Now let's use some Nmap commands for port scanning. Before performing scanning with Nmap, you have to know the different scan types. Since we are using Nmap in a Linux command-line interface, we just have to know the commands; you can get a list of commands with their uses by typing nmap -h. It will print the help menu so that you can easily understand them.

Now let's see how we can perform the different scanning techniques using Nmap commands. For running the default scan the command is as easy as nmap host; after executing the command you will see the results in real time, showing the open ports, closed ports, filtered ports and more. To scan targets from a list, the -iL command shown above is used, where targets.txt contains the targets.

Sometimes we face a situation where we cannot determine which software, and which version of it, is running. For that we have to do service version scanning; it can be done very simply by adding the -sV flag, and it will output all the information about the software versions along with the ports.

Logging Nmap scans is extremely useful when you're scanning a large network; it can be done with the flag -oA logfile-name. Nmap supports three log formats (.nmap, .gnmap, .xml). The log files can be accessed from the command line too: just type ls and you will see the list of log files, then open one to read it.

Nmap command for logging scans

As we told you in the beginning, Nmap scans only the top 1000 ports in a normal scan; we can set a range to scan or scan a specific port. To scan a single port, use the flag -p. Command: nmap with the -p flag and the FTP port; it will scan only the FTP port and show the port state. The next command will scan ports in the range 1-100, and another will scan the most common ports fast. While there might be several commands to scan all the ports on the target, there is one that is very easy to use, and a further command is used to scan the subnet; we will discuss more in the advanced scanning section.

Now it's time to go on to the advanced scanning techniques, where you will find everything interesting.

SYN scan: this is the default scan by Nmap. In this type of scan Nmap sends a TCP SYN packet to each possible port. If it gets a SYN/ACK packet back, Nmap knows there is a service running there; otherwise it shows the port as closed. TCP connect scan: it works the same as the SYN scan but makes a full TCP connection; sometimes its results are more accurate than the SYN scan. Ping scan: this is a simple scan that pings all the addresses to see which respond to ICMP packets; however, it is not accurate if the target machine is configured not to respond to ping requests. UDP scan: this scan is quite slow and is used to check whether any UDP ports are listening for a connection. FIN scan: it is just like a SYN scan but sends a TCP FIN packet. Null scan: this scan sets the TCP flags to null; it is helpful when the target is a non-Windows server protected by a firewall. Xmas scan: this is similar to the Null scan but turns the TCP flags on. Another scan is used on an FTP server to check if the target is connected to a LAN, for breaching the FTP server and seeing the connected machines. Another scan looks for machines that respond to remote commands. Another type of scan is performed on operating systems where the ports are supposed to be filtered. A further scan is performed by bouncing the packets to the host off an IP that you don't control; this scan is often used for malicious attacks.

Before we start scanning the network we have to know whether the host is up or not. Nmap has several ways to detect this, so let's see how. Pinging is the most common method for detecting whether a host is up; Nmap has a feature to do a ping sweep against a host, and the command shown above is used to perform ping sweep host detection. The flag -sn is used for ping sweep host detection. When a system hides a host from a ping sweep, a ping-agnostic scan is used; the -Pn flag is used for a ping-agnostic scan. Sometimes the -sL list scan is extremely useful for DNS PTR record lookups. Another thing: if you're scanning an SSL-enabled host, there is a flag that is extremely useful for host detection.

As we told you earlier, UDP is connectionless, and it takes a little longer to scan. While scanning for UDP ports the -sU flag is used; moreover, it requires root privileges, so sudo is a must.

As we mentioned in the different scan types, the TCP connect scan (-sT), the SYN stealth scan (-sS), FIN (-sF), Xmas Tree (-sX) and Null scan (-sN) are extremely useful scanning techniques. The concept behind running these scans is that a closed port will attempt to reset the connection by issuing an RST (reset) packet. Note that FIN, Xmas and NULL scans are known not to work against Microsoft Windows hosts.

Sometimes we have to know which operating system a machine is running; targets often run multiple operating systems, but Nmap can easily identify them. The -O flag is used to detect the target OS. By executing the command we will see the operating system, the MAC address (if we scan a LAN) and the OS CPE.

Verbose scanning is used to retrieve information quickly while a scan is running, and there are different levels of verbosity: one flag is used for verbose scanning, a second flag for the second level, and a third flag for high-level verbosity; you can also use a flag to reduce verbosity.

Packet tracing is used to understand the network hops that occur between hosts and to see the actual network traffic passing through. This is also possible with two other flags, but that is time-consuming, so the --packet-trace flag is used for packet tracing.

We have already learnt how to scan using various techniques, but most of the time Nmap takes a long time to scan; to reduce the scanning time, let's learn how to use the advanced flags. To make scans faster Nmap has the timing flags -T1 to -T5: -T1 is the slowest and -T5 the fastest, while the default is -T3. Timing optimization is useful for quickly scanning a large network.

Nmap scans groups of hosts to scan them efficiently, and there are flags for customizing host groups; note that the host group specification doesn't apply during host discovery. Besides customizing the host group size, there are flags used to increase or decrease parallelism in full scans, which helps Nmap finish the scan effectively. One flag makes Nmap scan even faster by reducing some of the risks; similarly, another flag makes Nmap scans slower.

Sometimes hosts get stuck while scanning a large enterprise; it happens if there are security restrictions or something else stopping or slowing the scan. To resolve that the --host-timeout flag is used; 1 minute is enough, but for a large enterprise a 10-minute timeout is better:

nmap scanme.nmap.org --host-timeout 1m

You can directly slow down or speed up the probe rate by using the --scan-delay flag shown above; it is a useful time-saving technique.

So far we have learnt how to use Nmap for port scanning along with the advanced techniques. In this section, let's see how we can use the Nmap Script Engine to conduct reconnaissance scans. Before we start using it, let me explain more about the Nmap Script Engine. It is basically a framework that runs scripts written in the programming language Lua; in other words, the Nmap Script Engine is a collection of scripts that are each coded for a specific purpose. To use the scripts we have to use the --script flag. Although the scripts are prepacked on your system, the problem is you don't know which scripts to use; we strongly recommend you read the official NSE documentation by Nmap. The Nmap scripts are basically categorised into the categories listed above.

Running Nmap scripts is very easy, but before running them we have to check whether the Nmap script database is up to date; for that, type the --script-update-db command shown above. Once the script database is updated it's time to use the scripts, with the --script command. Now it's easier to run categorised Nmap scripts at once; below is a simple command for a default scan with Nmap scripts:

sudo nmap scanme.nmap.org --script default

If scanning by category or categories is too much, you can select scripts by their specific name or use wildcards. For example, if I wanted to scan a web server and load all the HTTP modules in the default script repository, I would scan with the --script "http-*" flag, e.g. the command shown above. 😔 The Nmap script repository is quite large, though, so it's better to do a little bit of practice; moreover, some security researchers develop their own scripts, so keep up to date with them. Nmap can also be integrated with Metasploit, Ncrack and many other popular frameworks.

Although this is a beginner Nmap tutorial, we tried our best to explain; still, if you feel anything was missed out, feel free to comment so that we can include it in our next update. Thanks for reading; share this tutorial with your friends or on forums and tell them that you learnt something useful.