Nmap

Nmap Description:

Nmap (“Network Mapper”) is an open-source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.

A typical Nmap scan is shown below. The only Nmap arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4 for faster execution; and then the hostname.

root@kali:~# nmap -A -T4 scanme.nmap.org

Nmap scan report for scanme.nmap.org (74.207.244.221)

Host is up (0.029s latency).

rDNS record for 74.207.244.221: li86-221.members.linode.com

Not shown: 995 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)

| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)

|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)

80/tcp open http Apache httpd 2.2.14 ((Ubuntu))

|_http-title: Go ahead and ScanMe!

646/tcp filtered ldp

1720/tcp filtered H.323/Q.931

9929/tcp open nping-echo Nping echo

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6.39

OS details: Linux 2.6.39

Network Distance: 11 hops

Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE (using port 53/tcp)

HOP RTT ADDRESS

[Cut first 10 hops for brevity]

11 17.65 ms li86-221.members.linode.com (74.207.244.221)

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

Nmap Usage Example:

Here are some Nmap usage examples, from the simple and routine to a little more complex and esoteric. Some actual IP addresses and domain names are used to make things more concrete. In their place you should substitute addresses/names from your own network. While I don't think port scanning other networks is or should be illegal, some network administrators don't appreciate unsolicited scanning of their networks and may complain. Getting permission first is the best approach.

For testing purposes, you have permission to scan the host scanme.nmap.org. This permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report Failed to resolve given hostname/IP: scanme.nmap.org. These permissions also apply to the hosts scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do not currently exist.

root@kali:~# nmap -O sscoetjalgaon.ac.in

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 12:50 India Standard Time

Nmap scan report for sscoetjalgaon.ac.in (139.59.37.252)

Host is up (0.089s latency).

Not shown: 993 closed ports

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

80/tcp open http

443/tcp open https

3306/tcp open mysql

8181/tcp open intermapper

8443/tcp open https-alt

Device type: firewall|VoIP adapter|general purpose

Running (JUST GUESSING): Fortinet embedded (90%), Cisco embedded (89%), Linux 2.6.X (89%)

OS CPE: cpe:/h:fortinet:fortigate_100d cpe:/h:cisco:unified_call_manager cpe:/o:linux:linux_kernel:2.6.26

Aggressive OS guesses: Fortinet FortiGate 100D firewall (90%), Cisco Unified Communications Manager VoIP adapter (89%), Linux 2.6.26 (PCLinuxOS) (89%)

No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 43.67 seconds

root@kali:~# nmap -T4 -Pn 1-65535 172.16.0.7

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 12:56 India Standard Time

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.

Nmap scan report for 172.16.0.7

Failed to resolve "1-65535".

Host is up.

All 1000 scanned ports on 172.16.0.7 are filtered

Nmap done: 1 IP address (1 host up) scanned in 113.12 seconds