Nmap


What is nmap?

Nmap (network mapper) is a free and open source utility for network exploration or security auditing.

Created by Gordon "Fyodor" Lyon, it is very useful for network enumeration (part of a pentesting methodology) or simply to see which hosts and services are alive on our network (don't forget our "users with initiative").

Most operating systems are supported (there is even a port for the iPod Touch, and it works great), but for my own use I run it on Windows and GNU/Linux.

You can use either the command prompt (Windows) / shell (GNU/Linux) or the Zenmap GUI.

Here is a very useful command: simple, but it gathers a lot of information:

nmap -P0 -sS -sV -O 192.168.111.0/24 > output.txt
or
nmap -P0 -sS -sV -O 192.168.111.* > output.txt

-P0. This switch tells Nmap not to ping a host before scanning it. As we alluded to when we described ping in Part 2, in some exceptional cases a computer that is active won't respond to ping (for example, when guarded by a firewall). Smart little Nmap can still find these stealth computers without relying on ping.
-sS. This switch tells Nmap to perform a SYN-based port scan. SYN is short for "synchronize," the first packet sent when one computer tries to connect to another using TCP. A SYN-based port scan is the most common method, among many possible methods.
-sV. This switch tells Nmap to attempt to find the service and version information of the ports it finds open. For instance, if Nmap learns port 80 is open, it tries to discern which web server runs on that port, as well as what version. Think of these as very educated guesses. Nmap is not always right.
-O. This switch tells Nmap to guess what operating system is running on any computer it scans. This, too, is a very informed estimate, not necessarily rock-solid truth.

All this information is written to output.txt. It can also be stored in an XML file and exported to HTML format.

With Zenmap you can do the same through a GUI.

Nmap is a very powerful tool; a book by "Fyodor" will be released soon, and it will be a "must have" for your library.

Gathering information from our network

nmap 192.168.0.*                                   # quick scan of the whole /24
nmap -p 3389 51.1.0.* -oG rdp.txt                  # RDP port only, greppable output
grep open rdp.txt                                  # lines for hosts with 3389 open
grep open rdp.txt | cut -d " " -f 2                # keep only the IP (second field)
grep open rdp.txt | cut -d " " -f 2 > openrdp.txt  # save the list of hosts
nmap -O -iL openrdp.txt                            # OS detection on just those hosts
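The grep/cut pipeline above works when only one port was scanned, but it keys on the word "open" anywhere in the line. The script below is an added example (not from the original post) that parses a constructed sample of -oG output, compares the post's pipeline with a parser that checks the state of the requested TCP port only, and shows where the two disagree; the function names and the sample hosts are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a stricter replacement for
# "grep open | cut -d ' ' -f 2" over nmap greppable (-oG) output. The naive
# pipeline matches any line containing "open": in a multi-port scan that also
# returns hosts where a different port is open, and in UDP scans it matches
# "open|filtered". This version checks the state of the requested TCP port only.

# Constructed sample of -oG output (not a real scan; real nmap separates the
# Host / Ports / Ignored State fields with tabs, which the parser ignores).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p 22,3389 -oG rdp.txt 192.168.0.0/29
Host: 192.168.0.1 ()  Status: Up
Host: 192.168.0.1 ()  Ports: 22/open/tcp//ssh///, 3389/closed/tcp//ms-wbt-server///  Ignored State: 0
Host: 192.168.0.2 ()  Status: Up
Host: 192.168.0.2 ()  Ports: 22/filtered/tcp//ssh///, 3389/open/tcp//ms-wbt-server///
Host: 192.168.0.3 ()  Status: Up
Host: 192.168.0.3 ()  Ports: 3389/open|filtered/udp//ms-wbt-server///
Host: 192.168.0.4 (rdp.example.lan)  Ports: 3389/open/tcp//ms-wbt-server///
# Nmap done -- 8 IP addresses (4 hosts up) scanned in 5.00 seconds
EOF

# The pipeline from the post: any line mentioning "open", IP taken from field 2.
naive_hosts() {
    grep open "$1" | cut -d " " -f 2
}

# hosts_with_open_port PORT FILE: IPs whose Ports: entry has PORT/open/tcp exactly.
hosts_with_open_port() {
    awk -v port="$1" '
        /^Host:/ && /Ports:/ {
            ip = $2; rest = $0
            # Walk every "port/state/proto/" entry on the line.
            while (match(rest, /[0-9]+\/[a-z|]+\/(tcp|udp)\//)) {
                split(substr(rest, RSTART, RLENGTH), p, "/")
                rest = substr(rest, RSTART + RLENGTH)
                if (p[1] == port && p[2] == "open" && p[3] == "tcp") { print ip; break }
            }
        }' "$2"
}

echo "naive (post pipeline):"; naive_hosts "$SAMPLE"                # .1 .2 .3 .4
echo "strict, port 3389:";     hosts_with_open_port 3389 "$SAMPLE"  # .2 .4
# Feed the strict list to the OS-detection step from the post:
# hosts_with_open_port 3389 rdp.txt > openrdp.txt && nmap -O -iL openrdp.txt
```

On the sample, the post's pipeline also returns 192.168.0.1 (only port 22 is open there) and 192.168.0.3 (UDP open|filtered), which would then be fed to the -O scan for no reason.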