Introduction

Nmap (Network Mapper) is a free and open-source utility for network exploration, network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.


Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.


Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Website: Download Nmap

Installation Of Nmap

Nmap has great support for different environments.

Windows

Download and install Nmap from the official site.

Official site: Download

For Windows, both GUI and command line options are available. The GUI option for Nmap is Zenmap.

Linux (Ubuntu and Debian):

Run the following command in a terminal:

apt-get install nmap

For Red Hat and Fedora based systems:

yum install nmap

For Gentoo Linux based systems:

emerge nmap 

Basic Scanning Techniques

Scan a single target

nmap [target]

Scan multiple targets

nmap [target1,target2,etc]

Scan a list of targets

nmap -iL [list.txt]

Scan a range of hosts

nmap [range of IP addresses]

Scan an entire subnet

nmap [IP address/cidr]

Scan random hosts

nmap -iR [number]

Excluding targets from a scan

nmap [targets] --exclude [targets]

Excluding targets using a list

nmap [targets] --excludefile [list.txt]

Perform an aggressive scan

nmap -A [target]

Scan an IPv6 target

nmap -6 [target] 
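
The target notations above (single host, last-octet range, CIDR, a list file with -iL and exclusions with --excludefile) are easy to get wrong when an inventory scan covers many ranges. The following is an added example, not code from the cheat sheet or the Nmap project: it expands the notations into explicit IPv4 addresses, subtracts hosts that must never be scanned (fragile devices, out-of-scope networks) and writes the list.txt and exclude.txt files that nmap reads. The address ranges and the function names (expand_target, build_target_list, write_scan_files, nmap_argv) are my own.

```python
"""Build the input files for `nmap -iL list.txt --excludefile exclude.txt`.

Added example, not from the cheat sheet or the Nmap project: it expands the
target notations shown above (single host, last-octet range 10.0.0.1-4,
CIDR 10.0.0.0/29) into explicit IPv4 addresses, drops excluded hosts such
as fragile devices that must never be scanned, and writes the two files
nmap reads. The ranges used below are constructed for the example.
"""
import ipaddress
import os
import tempfile


def expand_target(spec):
    """Expand one nmap-style IPv4 spec into a list of address strings.

    Supported: "10.0.0.5", "10.0.0.0/29" and "10.0.0.1-4" (a range on the
    last octet only). Anything else raises ValueError rather than silently
    scanning the wrong hosts.
    """
    spec = spec.strip()
    if "/" in spec:
        # strict=False so a host address with a prefix (10.0.0.5/29) is accepted
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    if "-" in spec:
        head, tail = spec.split("-", 1)
        octets = head.split(".")
        if len(octets) != 4 or not tail.isdigit():
            raise ValueError("only last-octet ranges are supported: " + spec)
        lo, hi = int(octets[3]), int(tail)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet range: " + spec)
        prefix = ".".join(octets[:3])
        return [f"{prefix}.{i}" for i in range(lo, hi + 1)]
    return [str(ipaddress.ip_address(spec))]


def build_target_list(targets, excludes=()):
    """Sorted, de-duplicated addresses from `targets` minus `excludes`."""
    wanted = set()
    for spec in targets:
        wanted.update(expand_target(spec))
    for spec in excludes:
        wanted.difference_update(expand_target(spec))
    return sorted(wanted, key=ipaddress.ip_address)


def write_scan_files(targets, excludes, directory):
    """Write list.txt (one host per line) and exclude.txt; return both paths.

    The exclusions are subtracted from list.txt *and* handed to nmap via
    --excludefile, so a stale list file still cannot reach an excluded host.
    """
    list_path = os.path.join(directory, "list.txt")
    exclude_path = os.path.join(directory, "exclude.txt")
    with open(list_path, "w") as fh:
        fh.write("\n".join(build_target_list(targets, excludes)) + "\n")
    with open(exclude_path, "w") as fh:
        fh.write("\n".join(excludes) + "\n")
    return list_path, exclude_path


def nmap_argv(list_path, exclude_path, output_base):
    """Command line for an inventory scan writing all output formats (-oA)."""
    return ["nmap", "-iL", list_path, "--excludefile", exclude_path,
            "-oA", output_base]


if __name__ == "__main__":
    # Constructed example ranges: a /29 plus three extra hosts, two exclusions
    targets = ["10.0.0.0/29", "10.0.0.20-22"]
    excludes = ["10.0.0.1", "10.0.0.21"]
    with tempfile.TemporaryDirectory() as tmp:
        lst, exc = write_scan_files(targets, excludes, tmp)
        print(open(lst).read())
        print(" ".join(nmap_argv(lst, exc, os.path.join(tmp, "inventory"))))
```

The exclusion list is applied twice on purpose: once when the list file is generated and once by nmap itself through --excludefile, so an old list.txt left on disk cannot put an excluded host back into scope.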

Nmap Port Selection

Scan a single port

nmap -p [ports no] [target]

Scan a range of ports

nmap -p [ports range] [target]

Scan 100 most common ports (Fast)

nmap -F [target]

Scan all 65535 ports

nmap -p- [target]

Nmap Port Scan types

Scan using TCP connect

nmap -sT [target]

Scan using TCP SYN scan (default)

nmap -sS [target]

Scan UDP ports

nmap -sU -p [port1,port2,...] [target]

Scan selected ports – ignore discovery

nmap -Pn -F [target] 

Discovery Options

Perform a ping scan only

nmap -sP [target]

Don’t ping

nmap -PN [target]

TCP SYN Ping

nmap -PS [target]

TCP ACK ping

nmap -PA [target]

UDP ping

nmap -PU [target]

SCTP Init Ping

nmap -PY [target]

ICMP echo ping

nmap -PE [target]

ICMP Timestamp ping

nmap -PP [target]

ICMP address mask ping

nmap -PM [target]

IP protocol ping

nmap -PO [target]

ARP ping

nmap -PR [target]

Traceroute

nmap --traceroute [target]

Force reverse DNS resolution

nmap -R [target]

Disable reverse DNS resolution

nmap -n [target]

Alternative DNS lookup

nmap --system-dns [target]

Manually specify DNS servers

nmap --dns-servers [servers] [target]

Create a host list

nmap -sL [targets] 

Firewall Evasion Techniques

Fragment packets

nmap -f [target]

Specify a specific MTU

nmap --mtu [MTU] [target]

Use a decoy

nmap -D RND:[number] [target]

Idle zombie scan

nmap -sI [zombie] [target]

Manually specify a source port

nmap --source-port [port] [target]

Append random data

nmap --data-length [size] [target]

Randomize target scan order

nmap --randomize-hosts [target]

Spoof MAC Address

nmap --spoof-mac [MAC|0|vendor] [target]

Send bad checksums

nmap --badsum [target]

Version Detection

Operating system detection

nmap -O [target]

Attempt to guess an unknown OS

nmap -O --osscan-guess [target]

Service version detection

nmap -sV [target]

Troubleshooting version scans

nmap -sV --version-trace [target]

Perform an RPC scan

nmap -sR [target] 

Output Options

Save output to a text file

nmap -oN [scan.txt] [target]

Save output to an XML file

nmap -oX [scan.xml] [target]

Grepable output

nmap -oG [scan.txt] [target]

Output all supported file types

nmap -oA [path/filename] [target]

Periodically display statistics

nmap --stats-every [time] [target]

l33t output

nmap -oS [scan.txt] [target] 
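
Grepable output (-oG) is the format most often fed to shell one-liners and cron jobs, so it is worth seeing how its fields are laid out. The following is an added example, not code from the cheat sheet or the Nmap project: it parses a constructed -oG report (tab-separated fields, one "Ports:" line per live host, each entry port/state/protocol/owner/service/rpcinfo/version/) and flags open ports that are not in a baseline of expected services, the check a defender runs after a scheduled scan to catch services that appeared without a change ticket. The sample scan text, the baseline and the function names (parse_grepable, unexpected_open_ports) are my own.

```python
"""Parse nmap grepable output (-oG) and flag open ports outside a baseline.

Added example, not from the cheat sheet or the Nmap project. The scan text
below is constructed to look like -oG output (tab-separated fields, one
"Ports:" line per live host); the baseline of expected ports is invented
for the example.
"""
import re

SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG scan.txt 10.0.0.0/29   (constructed sample)
Host: 10.0.0.5 (web.lab.example)\tStatus: Up
Host: 10.0.0.5 (web.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (997)
Host: 10.0.0.6 (db.lab.example)\tStatus: Up
Host: 10.0.0.6 (db.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [dict, ...]}} from -oG text.

    Each Ports: entry has the form
    port/state/protocol/owner/service/rpcinfo/version/ ; only the fields a
    baseline check needs are kept.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines (# Nmap ...) carry no host data
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip rather than guess
                rec["ports"].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def unexpected_open_ports(hosts, baseline):
    """(ip, port, service, version) for open ports not in the baseline.

    `baseline` maps ip -> set of ports expected to be open; a host missing
    from the baseline has no expected ports, so all of its open ports are
    flagged.
    """
    findings = []
    for ip, rec in sorted(hosts.items()):
        expected = baseline.get(ip, set())
        for p in rec["ports"]:
            if p["state"] == "open" and p["port"] not in expected:
                findings.append((ip, p["port"], p["service"], p["version"]))
    return findings


if __name__ == "__main__":
    baseline = {"10.0.0.5": {22, 80}, "10.0.0.6": {22, 5432}}  # constructed
    hosts = parse_grepable(SAMPLE_GNMAP)
    for ip, port, service, version in unexpected_open_ports(hosts, baseline):
        print(f"UNEXPECTED {ip}:{port} {service} {version}")
```

Splitting on tabs first and only then on ", " matters: the version field may itself contain spaces and slashes are used as field separators inside each entry, so a naive whitespace split misreads real reports.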

Ndiff

Comparison using Ndiff

ndiff [scan1.xml] [scan2.xml]

Ndiff verbose mode

ndiff -v [scan1.xml] [scan2.xml]

XML output mode

ndiff --xml [scan1.xml] [scan2.xml]
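
Ndiff works on the XML output (-oX) of two scans, which is why the XML format is the one to keep for scheduled scans. The following is an added example, not Nmap's ndiff and not code from the cheat sheet: it reads the host/port tree of two XML reports of the same network with the standard library and reports hosts that appeared or vanished and ports that opened or closed, the comparison a defender makes to spot new exposure between runs. Both XML documents are constructed and trimmed to the elements the comparison uses (nmaprun/host/status, address, ports/port/state, service); the function names open_ports and diff_scans are my own.

```python
"""Compare two nmap XML reports (-oX) the way `ndiff` does, in plain Python.

Added example, not Nmap's ndiff: it reads the host/port tree of two XML
scans of the same network and reports hosts that appeared or vanished and
ports that opened or closed. Both XML documents below are constructed,
trimmed to the elements this comparison uses.
"""
import xml.etree.ElementTree as ET

OLD_SCAN = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports></host>
</nmaprun>
"""

NEW_SCAN = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports></host>
</nmaprun>
"""


def open_ports(xml_text):
    """{ip: {(proto, port): service_name}} for every host reported up."""
    root = ET.fromstring(xml_text)  # our own scan output, parsed locally
    result = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth comparing
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr] = ports
    return result


def diff_scans(old_xml, new_xml):
    """Summarise what changed between two scans of the same targets."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    opened = [(ip, proto, port) for ip, ports in new.items()
              for (proto, port) in ports if (proto, port) not in old.get(ip, {})]
    closed = [(ip, proto, port) for ip, ports in old.items()
              for (proto, port) in ports if (proto, port) not in new.get(ip, {})]
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "opened": sorted(opened),   # includes every port of a brand-new host
        "closed": sorted(closed),   # includes every port of a vanished host
    }


if __name__ == "__main__":
    for key, value in diff_scans(OLD_SCAN, NEW_SCAN).items():
        print(f"{key}: {value}")
```

A host that answered last time and is down now ends up in gone_hosts with all of its ports listed as closed; whether that is a decommissioned server or a host that stopped responding to probes is a question for the inventory, not for the diff.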

Nmap Scripting Engine

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. These scripts are written in the Lua programming language.

Script categories

auth

Use to test whether an authentication mechanism can be bypassed.

broadcast

Use to find other hosts on the network and automatically add them to the scanning queue.

brute

Use for brute-force password guessing.

discovery

Use to discover more about the network.

dos

Use to test whether a target is vulnerable to DoS.

exploit

Use to actively exploit a vulnerability.

fuzzer

Use to test how a server responds to unexpected or randomized fields in packets and to find other potential vulnerabilities.

intrusive

Use to perform more intense scans that pose a much higher risk of being detected by administrators.

malware

Use to test target for presence of malware.

safe

Use to perform a general network security scan that's less likely to alarm remote administrators.

vuln

Use to find vulnerabilities on the target.

Nmap Scripting Engine Examples

Execute individual scripts

nmap --script [script.nse] [target]

Execute multiple scripts

nmap --script [expression] [target]

Execute scripts by category

nmap --script [cat] [target]

Execute multiple scripts categories

nmap --script [cat1,cat2,etc] [target]
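
Because a single category such as vuln or intrusive can pull in dozens of scripts, it is worth resolving a --script argument against the script database before running it. The following is an added example, not Nmap's own selection code and not from the cheat sheet: it parses the Entry lines of script.db (the index that --script-updatedb rebuilds) and evaluates a category expression with and / or / not, parentheses, comma-separated lists (which nmap treats as "or") and name globs such as http-*, printing exactly which scripts would run. The script.db excerpt is constructed for the example, so the categories of the real scripts may differ; parse_script_db, select_scripts and the parser class are my own names.

```python
"""Resolve an nmap --script expression against the script.db index.

Added example, not Nmap's own selection code: it parses the Entry lines of
script.db and evaluates a category expression with and / or / not,
parentheses, comma lists (treated as "or", as nmap does) and name globs such
as http-*. The script.db excerpt below is constructed; real scripts'
categories may differ.
"""
import fnmatch
import re

SAMPLE_SCRIPT_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "vuln", "intrusive", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
"""

ENTRY_RE = re.compile(r'Entry \{ filename = "([^"]+)", categories = \{ ([^}]*)\} \}')
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9_.*?\-]+")
KEYWORDS = {"and", "or", "not", "(", ")"}


def parse_script_db(text):
    """Return {script name without .nse: set of category names}."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        name = re.sub(r"\.nse$", "", m.group(1))
        db[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def _term(term):
    """A bare word matches a category or globs the script name (http-*)."""
    return lambda name, cats: term in cats or fnmatch.fnmatchcase(name, term)


class _ExprParser:
    """Recursive descent with the usual precedence: not binds tightest, then and, then or."""

    def __init__(self, expression):
        self.toks = TOKEN_RE.findall(expression.replace(",", " or "))
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token: " + self.peek())
        return pred

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda n, c: l(n, c) or r(n, c))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda n, c: l(n, c) and r(n, c))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda n, c: not inner(n, c)
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok is None or tok in KEYWORDS:
            raise ValueError("expected a category or script name")
        return _term(tok)


def select_scripts(db, expression):
    """Sorted script names in `db` that satisfy the --script expression."""
    pred = _ExprParser(expression).parse()
    return sorted(name for name, cats in db.items() if pred(name, cats))


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for expr in ("default", "safe,vuln", "http-* and not intrusive",
                 "(exploit or brute) and not safe"):
        print(f"--script {expr!r} -> {', '.join(select_scripts(db, expr))}")
```

Run it against the real script.db from your Nmap installation (its path is shown by nmap --script-updatedb) to preview a selection; an expression such as "safe and not brute" is the usual way to keep a routine scan inside the categories an administrator has agreed to.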

Troubleshoot scripts

nmap --script [script] --script-trace [target]

Update the script database

nmap --script-updatedb

Scripts shipped in Nmap's scripts directory (a directory listing, including the script.db index that --script-updatedb rebuilds):

acarsd-info.nse hostmap-crtsh.nse ip-geolocation-map-bing.nse rsync-brute.nse address-info.nse hostmap-robtex.nse ip-geolocation-map-google.nse rsync-list-modules.nse afp-brute.nse http-adobe-coldfusion-apsa1301.nse ip-geolocation-map-kml.nse rtsp-methods.nse afp-ls.nse http-affiliate-id.nse ip-geolocation-maxmind.nse rtsp-url-brute.nse afp-path-vuln.nse http-apache-negotiation.nse ip-https-discover.nse rusers.nse afp-serverinfo.nse http-apache-server-status.nse ipidseq.nse s7-info.nse afp-showmount.nse http-aspnet-debug.nse ipmi-brute.nse samba-vuln-cve-2012-1182.nse ajp-auth.nse http-auth-finder.nse ipmi-cipher-zero.nse script.db ajp-brute.nse http-auth.nse ipmi-version.nse servicetags.nse ajp-headers.nse http-avaya-ipoffice-users.nse ipv6-multicast-mld-list.nse shodan-api.nse ajp-methods.nse http-awstatstotals-exec.nse ipv6-node-info.nse sip-brute.nse ajp-request.nse http-axis2-dir-traversal.nse ipv6-ra-flood.nse sip-call-spoof.nse allseeingeye-info.nse http-backup-finder.nse irc-botnet-channels.nse sip-enum-users.nse amqp-info.nse http-barracuda-dir-traversal.nse irc-brute.nse sip-methods.nse asn-query.nse http-bigip-cookie.nse irc-info.nse skypev2-version.nse auth-owners.nse http-brute.nse irc-sasl-brute.nse smb2-capabilities.nse auth-spoof.nse http-cakephp-version.nse irc-unrealircd-backdoor.nse smb2-security-mode.nse backorifice-brute.nse http-chrono.nse iscsi-brute.nse smb2-time.nse backorifice-info.nse http-cisco-anyconnect.nse iscsi-info.nse smb2-vuln-uptime.nse bacnet-info.nse http-coldfusion-subzero.nse isns-info.nse smb-brute.nse banner.nse http-comments-displayer.nse jdwp-exec.nse smb-double-pulsar-backdoor.nse bitcoin-getaddr.nse http-config-backup.nse jdwp-info.nse smb-enum-domains.nse bitcoin-info.nse http-cookie-flags.nse jdwp-inject.nse smb-enum-groups.nse bitcoinrpc-info.nse http-cors.nse jdwp-version.nse smb-enum-processes.nse bittorrent-discovery.nse http-cross-domain-policy.nse knx-gateway-discover.nse smb-enum-services.nse bjnp-discover.nse 
http-csrf.nse knx-gateway-info.nse smb-enum-sessions.nse broadcast-ataoe-discover.nse http-date.nse krb5-enum-users.nse smb-enum-shares.nse broadcast-avahi-dos.nse http-default-accounts.nse ldap-brute.nse smb-enum-users.nse broadcast-bjnp-discover.nse http-devframework.nse ldap-novell-getpass.nse smb-flood.nse broadcast-db2-discover.nse http-dlink-backdoor.nse ldap-rootdse.nse smb-ls.nse broadcast-dhcp6-discover.nse http-dombased-xss.nse ldap-search.nse smb-mbenum.nse broadcast-dhcp-discover.nse http-domino-enum-passwords.nse lexmark-config.nse smb-os-discovery.nse broadcast-dns-service-discovery.nse http-drupal-enum.nse llmnr-resolve.nse smb-print-text.nse broadcast-dropbox-listener.nse http-drupal-enum-users.nse lltd-discovery.nse smb-protocols.nse broadcast-eigrp-discovery.nse http-enum.nse lu-enum.nse smb-psexec.nse broadcast-hid-discoveryd.nse http-errors.nse maxdb-info.nse smb-security-mode.nse broadcast-igmp-discovery.nse http-exif-spider.nse mcafee-epo-agent.nse smb-server-stats.nse broadcast-jenkins-discover.nse http-favicon.nse membase-brute.nse smb-system-info.nse broadcast-listener.nse http-feed.nse membase-http-info.nse smb-vuln-conficker.nse broadcast-ms-sql-discover.nse http-fetch.nse memcached-info.nse smb-vuln-cve2009-3103.nse broadcast-netbios-master-browser.nse http-fileupload-exploiter.nse metasploit-info.nse smb-vuln-cve-2017-7494.nse broadcast-networker-discover.nse http-form-brute.nse metasploit-msgrpc-brute.nse smb-vuln-ms06-025.nse broadcast-novell-locate.nse http-form-fuzzer.nse metasploit-xmlrpc-brute.nse smb-vuln-ms07-029.nse broadcast-ospf2-discover.nse http-frontpage-login.nse mikrotik-routeros-brute.nse smb-vuln-ms08-067.nse broadcast-pc-anywhere.nse http-generator.nse mmouse-brute.nse smb-vuln-ms10-054.nse broadcast-pc-duo.nse http-git.nse mmouse-exec.nse smb-vuln-ms10-061.nse broadcast-pim-discovery.nse http-gitweb-projects-enum.nse modbus-discover.nse smb-vuln-ms17-010.nse broadcast-ping.nse http-google-malware.nse 
mongodb-brute.nse smb-vuln-regsvc-dos.nse broadcast-pppoe-discover.nse http-grep.nse mongodb-databases.nse smb-vuln-webexec.nse broadcast-rip-discover.nse http-headers.nse mongodb-info.nse smb-webexec-exploit.nse broadcast-ripng-discover.nse http-hp-ilo-info.nse mqtt-subscribe.nse smtp-brute.nse broadcast-sonicwall-discover.nse http-huawei-hg5xx-vuln.nse mrinfo.nse smtp-commands.nse broadcast-sybase-asa-discover.nse http-icloud-findmyiphone.nse msrpc-enum.nse smtp-enum-users.nse broadcast-tellstick-discover.nse http-icloud-sendmsg.nse ms-sql-brute.nse smtp-ntlm-info.nse broadcast-upnp-info.nse http-iis-short-name-brute.nse ms-sql-config.nse smtp-open-relay.nse broadcast-versant-locate.nse http-iis-webdav-vuln.nse ms-sql-dac.nse smtp-strangeport.nse broadcast-wake-on-lan.nse http-internal-ip-disclosure.nse ms-sql-dump-hashes.nse smtp-vuln-cve2010-4344.nse broadcast-wpad-discover.nse http-joomla-brute.nse ms-sql-empty-password.nse smtp-vuln-cve2011-1720.nse broadcast-wsdd-discover.nse http-jsonp-detection.nse ms-sql-hasdbaccess.nse smtp-vuln-cve2011-1764.nse broadcast-xdmcp-discover.nse http-litespeed-sourcecode-download.nse ms-sql-info.nse sniffer-detect.nse cassandra-brute.nse http-ls.nse ms-sql-ntlm-info.nse snmp-brute.nse cassandra-info.nse http-majordomo2-dir-traversal.nse ms-sql-query.nse snmp-hh3c-logins.nse cccam-version.nse http-malware-host.nse ms-sql-tables.nse snmp-info.nse cics-enum.nse http-mcmp.nse ms-sql-xp-cmdshell.nse snmp-interfaces.nse cics-info.nse http-methods.nse mtrace.nse snmp-ios-config.nse cics-user-brute.nse http-method-tamper.nse murmur-version.nse snmp-netstat.nse cics-user-enum.nse http-mobileversion-checker.nse mysql-audit.nse snmp-processes.nse citrix-brute-xml.nse http-ntlm-info.nse mysql-brute.nse snmp-sysdescr.nse citrix-enum-apps.nse http-open-proxy.nse mysql-databases.nse snmp-win32-services.nse citrix-enum-apps-xml.nse http-open-redirect.nse mysql-dump-hashes.nse snmp-win32-shares.nse citrix-enum-servers.nse http-passwd.nse 
mysql-empty-password.nse snmp-win32-software.nse citrix-enum-servers-xml.nse http-phpmyadmin-dir-traversal.nse mysql-enum.nse snmp-win32-users.nse clamav-exec.nse http-phpself-xss.nse mysql-info.nse socks-auth-info.nse clock-skew.nse http-php-version.nse mysql-query.nse socks-brute.nse coap-resources.nse http-proxy-brute.nse mysql-users.nse socks-open-proxy.nse couchdb-databases.nse http-put.nse mysql-variables.nse ssh2-enum-algos.nse couchdb-stats.nse http-qnap-nas-info.nse mysql-vuln-cve2012-2122.nse ssh-auth-methods.nse creds-summary.nse http-referer-checker.nse nat-pmp-info.nse ssh-brute.nse cups-info.nse http-rfi-spider.nse nat-pmp-mapport.nse ssh-hostkey.nse cups-queue-info.nse http-robots.txt.nse nbd-info.nse ssh-publickey-acceptance.nse cvs-brute.nse http-robtex-reverse-ip.nse nbns-interfaces.nse ssh-run.nse cvs-brute-repository.nse http-robtex-shared-ns.nse nbstat.nse sshv1.nse daap-get-library.nse http-sap-netweaver-leak.nse ncp-enum-users.nse ssl-ccs-injection.nse daytime.nse http-security-headers.nse ncp-serverinfo.nse ssl-cert-intaddr.nse db2-das-info.nse http-server-header.nse ndmp-fs-info.nse ssl-cert.nse deluge-rpc-brute.nse http-shellshock.nse ndmp-version.nse ssl-date.nse dhcp-discover.nse http-sitemap-generator.nse nessus-brute.nse ssl-dh-params.nse dicom-brute.nse http-slowloris-check.nse nessus-xmlrpc-brute.nse ssl-enum-ciphers.nse dicom-ping.nse http-slowloris.nse netbus-auth-bypass.nse ssl-heartbleed.nse dict-info.nse http-sql-injection.nse netbus-brute.nse ssl-known-key.nse distcc-cve2004-2687.nse https-redirect.nse netbus-info.nse ssl-poodle.nse dns-blacklist.nse http-stored-xss.nse netbus-version.nse sslv2-drown.nse dns-brute.nse http-svn-enum.nse nexpose-brute.nse sslv2.nse dns-cache-snoop.nse http-svn-info.nse nfs-ls.nse sstp-discover.nse dns-check-zone.nse http-title.nse nfs-showmount.nse stun-info.nse dns-client-subnet-scan.nse http-tplink-dir-traversal.nse nfs-statfs.nse stun-version.nse dns-fuzz.nse http-trace.nse nje-node-brute.nse 
stuxnet-detect.nse dns-ip6-arpa-scan.nse http-traceroute.nse nje-pass-brute.nse supermicro-ipmi-conf.nse dns-nsec3-enum.nse http-trane-info.nse nntp-ntlm-info.nse svn-brute.nse dns-nsec-enum.nse http-unsafe-output-escaping.nse nping-brute.nse targets-asn.nse dns-nsid.nse http-useragent-tester.nse nrpe-enum.nse targets-ipv6-map4to6.nse dns-random-srcport.nse http-userdir-enum.nse ntp-info.nse targets-ipv6-multicast-echo.nse dns-random-txid.nse http-vhosts.nse ntp-monlist.nse targets-ipv6-multicast-invalid-dst.nse dns-recursion.nse http-virustotal.nse omp2-brute.nse targets-ipv6-multicast-mld.nse dns-service-discovery.nse http-vlcstreamer-ls.nse omp2-enum-targets.nse targets-ipv6-multicast-slaac.nse dns-srv-enum.nse http-vmware-path-vuln.nse omron-info.nse targets-ipv6-wordlist.nse dns-update.nse http-vuln-cve2006-3392.nse openflow-info.nse targets-sniffer.nse dns-zeustracker.nse http-vuln-cve2009-3960.nse openlookup-info.nse targets-traceroute.nse dns-zone-transfer.nse http-vuln-cve2010-0738.nse openvas-otp-brute.nse targets-xml.nse docker-version.nse http-vuln-cve2010-2861.nse openwebnet-discovery.nse teamspeak2-version.nse domcon-brute.nse http-vuln-cve2011-3192.nse oracle-brute.nse telnet-brute.nse domcon-cmd.nse http-vuln-cve2011-3368.nse oracle-brute-stealth.nse telnet-encryption.nse domino-enum-users.nse http-vuln-cve2012-1823.nse oracle-enum-users.nse telnet-ntlm-info.nse dpap-brute.nse http-vuln-cve2013-0156.nse oracle-sid-brute.nse tftp-enum.nse drda-brute.nse http-vuln-cve2013-6786.nse oracle-tns-version.nse tls-alpn.nse drda-info.nse http-vuln-cve2013-7091.nse ovs-agent-version.nse tls-nextprotoneg.nse duplicates.nse http-vuln-cve2014-2126.nse p2p-conficker.nse tls-ticketbleed.nse eap-info.nse http-vuln-cve2014-2127.nse path-mtu.nse tn3270-screen.nse enip-info.nse http-vuln-cve2014-2128.nse pcanywhere-brute.nse tor-consensus-checker.nse epmd-info.nse http-vuln-cve2014-2129.nse pcworx-info.nse traceroute-geolocation.nse eppc-enum-processes.nse 
http-vuln-cve2014-3704.nse pgsql-brute.nse tso-brute.nse fcrdns.nse http-vuln-cve2014-8877.nse pjl-ready-message.nse tso-enum.nse finger.nse http-vuln-cve2015-1427.nse pop3-brute.nse ubiquiti-discovery.nse fingerprint-strings.nse http-vuln-cve2015-1635.nse pop3-capabilities.nse unittest.nse firewalk.nse http-vuln-cve2017-1001000.nse pop3-ntlm-info.nse unusual-port.nse firewall-bypass.nse http-vuln-cve2017-5638.nse port-states.nse upnp-info.nse flume-master-info.nse http-vuln-cve2017-5689.nse pptp-version.nse uptime-agent-info.nse fox-info.nse http-vuln-cve2017-8917.nse puppet-naivesigning.nse url-snarf.nse freelancer-info.nse http-vuln-misfortune-cookie.nse qconn-exec.nse ventrilo-info.nse ftp-anon.nse http-vuln-wnr1000-creds.nse qscan.nse versant-info.nse ftp-bounce.nse http-waf-detect.nse quake1-info.nse vmauthd-brute.nse ftp-brute.nse http-waf-fingerprint.nse quake3-info.nse vmware-version.nse ftp-libopie.nse http-webdav-scan.nse quake3-master-getservers.nse vnc-brute.nse ftp-proftpd-backdoor.nse http-wordpress-brute.nse rdp-enum-encryption.nse vnc-info.nse ftp-syst.nse http-wordpress-enum.nse rdp-ntlm-info.nse vnc-title.nse ftp-vsftpd-backdoor.nse http-wordpress-users.nse rdp-vuln-ms12-020.nse voldemort-info.nse ftp-vuln-cve2010-4221.nse http-xssed.nse realvnc-auth-bypass.nse vtam-enum.nse ganglia-info.nse iax2-brute.nse redis-brute.nse vulners.nse giop-info.nse iax2-version.nse redis-info.nse vuze-dht-info.nse gkrellm-info.nse icap-info.nse resolveall.nse wdb-version.nse gopher-ls.nse iec-identify.nse reverse-index.nse weblogic-t3-info.nse gpsd-info.nse ike-version.nse rexec-brute.nse whois-domain.nse hadoop-datanode-info.nse imap-brute.nse rfc868-time.nse whois-ip.nse hadoop-jobtracker-info.nse imap-capabilities.nse riak-http-info.nse wsdd-discover.nse hadoop-namenode-info.nse imap-ntlm-info.nse rlogin-brute.nse x11-access.nse hadoop-secondary-namenode-info.nse impress-remote-discover.nse rmi-dumpregistry.nse xdmcp-discover.nse hadoop-tasktracker-info.nse 
informix-brute.nse rmi-vuln-classloader.nse xmlrpc-methods.nse hbase-master-info.nse informix-query.nse rpcap-brute.nse xmpp-brute.nse hbase-region-info.nse informix-tables.nse rpcap-info.nse xmpp-info.nse hddtemp-info.nse ip-forwarding.nse rpc-grind.nse hnap-info.nse ip-geolocation-geoplugin.nse rpcinfo.nse hostmap-bfk.nse ip-geolocation-ipinfodb.nse rsa-vuln-roca.nse