Nmap

Nmap is an open source network exploration tool that can be used for network scanning, security auditing, and more. It works by sending packets to target machines in novel ways to determine open ports, operating systems, firewalls, and other characteristics. The document provides 20 examples of nmap commands that can be used to scan single hosts or networks, detect operating systems, find open ports, check for firewalls, and more. The examples help introduce users to both offensive and defensive uses of nmap.

Uploaded by ayeshashafeeq

2014-Ag-8684

Nmap is short for Network Mapper. It is an open source security tool for network
exploration, security scanning and auditing. However, the nmap command comes with lots of options that can
make the utility more robust and difficult to follow for new users.

Introduction:

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or
network, so as to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for
offensive and defensive purposes.

More about nmap

From the man page:
Nmap ("Network Mapper") is an open source tool for network exploration and security
auditing. It was designed to rapidly scan large networks, although it works fine against single
hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the
network, what services (application name and version) those hosts are offering, what operating
systems (and OS versions) they are running, what type of packet filters/firewalls are in use,
and dozens of other characteristics. While Nmap is commonly used for security audits, many
systems and network administrators find it useful for routine tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service uptime.

It was originally written by Gordon Lyon and it can answer the following questions easily:
1. What computers did you find running on the local network?
2. What IP addresses did you find running on the local network?
3. What is the operating system of your target machine?
4. Find out what ports are open on the machine that you just scanned.
5. Find out if the system is infected with malware or a virus.
6. Search for unauthorized servers or network services on your network.
7. Find and remove computers which don't meet the organization's minimum level of security.

Sample setup (LAB)

Port scanning may be illegal in some jurisdictions. So set up a lab as follows:

                      +-----------+
                      |  Network  |
                      |  switch   |
                      |   (sw0)   |
                      +-----+-----+
                            |
            +---------------+---------------+
            |               |               |
   +--------+--------+ +----+----+     +----+----+
   | wks01 Linux/OSX | | server1 |     | server2 |
   +-----------------+ +---------+     +---------+
Where,
wks01 is your computer, either running Linux/OS X or a Unix-like operating system. It is
used for scanning your local network. The nmap command must be installed on this
computer.
server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an
unpatched server. Feel free to install a few services such as a web-server, file server and so
on.
server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully
patched server with a firewall [2]. Again, feel free to install a few services such as a web-server, file
server and so on. All three systems are connected via the switch.

How do I install nmap?
Download it from FileHippo.com. Install it and check the first screen, which looks like this:

#1: Scan a single host or an IP address (IPv4)

First we check a single IPv4 address:

nmap 192.168.1.1

Sample outputs

Scan a host name:

To check the active ports:

Sample Output

Topology

This can also be done at cmd as:

#2: Scan multiple IP addresses or a subnet (IPv4)

For the range 192.168.1.100-120:

nmap 192.168.1.100-120

Topology View

For 192.168.1.*:

nmap 192.168.1.*

For 192.168.1.1/24:

nmap 192.168.1.1/24

#3: Read list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems from a text file. This is useful to scan a large number
of hosts/networks. Create a text file as follows:

cat > /tmp/test.txt

and type in the targets, one or more per line (these lines are the file's contents, not scan output):

server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3 localhost

The syntax is:

nmap -iL /tmp/test.txt

#4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan with the --exclude option (or keep the exclusions in a file and pass it with --excludefile):
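As an added example (not code from this document or from the Nmap project), the following Python script expands the target notations used in #2 (octet ranges, wildcards, CIDR), reads a list file in the shape of the /tmp/test.txt from #3, and applies exclusions as #4 describes, so the exact set of hosts a scan would touch can be reviewed before anything is sent. The list file contents, the /30 network and the excluded address are constructed for the example.

```python
"""Expand nmap-style target specifications and apply exclusions.

Added example for this document; it is not code from the document or
from the Nmap project. It re-implements in plain Python the target forms
of #2 (192.168.1.100-120, 192.168.1.*, 192.168.1.1/24), the -iL list
file of #3 and the exclusion of #4, so you can see which hosts a scan
would cover before it is run. SAMPLE_LIST and the exclusion are constructed.
"""
import ipaddress
import itertools
import re

# Constructed in the shape of /tmp/test.txt from #3 (a /30 instead of /24
# keeps the expanded list short).
SAMPLE_LIST = """\
server1.cyberciti.biz
192.168.1.0/30
10.1.2.3 localhost
# blank lines and comments are skipped

"""

# One octet: a number, a range like 100-120, or a * wildcard.
_OCTET = r"(\d{1,3}(?:-\d{1,3})?|\*)"
_RANGE_RE = re.compile(r"^" + r"\.".join([_OCTET] * 4) + r"$")


def _octet_values(token):
    """Turn one octet token ('5', '100-120' or '*') into the values it covers."""
    if token == "*":
        return range(256)
    lo, _, hi = token.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range {token!r}")
    return range(lo, hi + 1)


def expand_target(spec):
    """Return the list of hosts (as strings) one target specification names.

    Hostnames and IPv6 literals are returned unchanged; nmap resolves them
    at scan time.
    """
    spec = spec.strip()
    if "/" in spec:
        # strict=False accepts host bits set, as nmap does with 192.168.1.1/24;
        # network and broadcast addresses are included, as nmap includes them.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    m = _RANGE_RE.match(spec)
    if m:
        octets = [_octet_values(t) for t in m.groups()]
        return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    return [spec]


def read_target_file(text):
    """Parse -iL style content: whitespace separated specs, '#' starts a comment."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def build_target_list(specs, exclude=()):
    """Expand every spec, drop excluded hosts and duplicates, keep order."""
    excluded = set(itertools.chain.from_iterable(expand_target(e) for e in exclude))
    seen, hosts = set(), []
    for spec in specs:
        for host in expand_target(spec):
            if host in excluded or host in seen:
                continue
            seen.add(host)
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    targets = build_target_list(read_target_file(SAMPLE_LIST), exclude=["192.168.1.2"])
    print(f"{len(targets)} hosts would be scanned:")
    for h in targets:
        print(" ", h)
```

Running the script with the constructed list prints six targets: the hostname, 192.168.1.0, .1 and .3 (the .2 was excluded), 10.1.2.3 and localhost. Reviewing such a list against the lab diagram before scanning is the cheapest way to be sure a range or wildcard does not reach beyond the hosts you own.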

#5: Turn on OS and version detection scanning script (IPv4)

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

#6: Find out if a host/network is protected by a firewall

nmap -sA 192.168.1.101

(-sA is an ACK scan: it does not report open ports, but shows which ports a stateful firewall filters, since an unfiltered port answers the ACK with a RST and a filtered one stays silent.)

#7: Scan a host when protected by the firewall

#8: Scan an IPv6 host/address

The -6 option enables IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4


#9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:

nmap -sP 192.168.1.0/24

(Current Nmap releases call this option -sn; -sP is still accepted as an alias.)

Sample outputs

#10: How do I perform a fast scan?

The -F option scans only the 100 most common ports instead of the default 1000:

nmap -F 192.168.1.100

Sample outputs:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:06 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.015s latency).
Not shown: 96 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 18.52 seconds

#11: Only show open (or possibly open) ports

nmap --open 192.168.1.100


#12: Show all packets sent and received

nmap --packet-trace 192.168.1.100

#13: Show host interfaces and routes

nmap --iflist

Sample outputs


#14: How do I scan specific ports?

nmap -p 80 192.168.1.100

#15: How do I detect the remote operating system?

nmap -O -v --fuzzy --osscan-guess 192.168.1.1
nmap -O 192.168.1.1


#16: Scan a host using TCP ACK (PA) and TCP SYN (PS) ping

nmap -PS 192.168.1.100
nmap -PA 192.168.1.100

Sample Output:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:28 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.022s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 24.77 seconds

#17: Scan a host using IP protocol ping

nmap -PO 192.168.1.100

Sample Output:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:29 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.031s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 32.56 seconds

#18: Scan for IP protocols

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:

nmap -sO 192.168.1.100

Sample output:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:32 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.011s latency).
Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
1        open  icmp
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 26.51 seconds

#19: Scan a firewall for security weaknesses

The following scan type exploits a subtle loophole in the TCP RFC and is good for testing how a firewall handles common attacks:

nmap -sN 192.168.1.100

Sample Output:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:34 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.0090s latency).
All 1000 scanned ports on 192.168.1.100 are open|filtered
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 45.86 seconds

(open|filtered means no reply came back to the NULL probe, so Nmap cannot tell an open port from a filtered one; all 1000 ports in that state is what a firewall that silently drops unexpected packets looks like, and it says nothing about which ports are really open.)
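The outputs reproduced under #10 and #16-#19 are plain text, and an administrator who runs these scans regularly will want to turn them into an inventory rather than read them by eye. The following Python script is an added example (not code from this document or from the Nmap project): it parses Nmap's normal output (scan report header, host state, the PORT/STATE/SERVICE table, the -sO PROTOCOL table, the "Not shown" and "All N scanned ports ... are open|filtered" summaries and the MAC line), then compares each host's open ports with an allow-list, which is the "search for unauthorized servers or network services" use case from the introduction. The sample output below is constructed from the document's own outputs; the second host, the MAC 00:1E:10:1F:00:01 and the BASELINE allow-list are constructed.

```python
"""Parse Nmap normal output and flag services that are not on an allow-list.

Added example for this document; it is not code from the document or
from the Nmap project. SAMPLE_OUTPUT is constructed from the outputs shown
in #10 and #19; BASELINE is a constructed per-host allow-list.
"""
import re

SAMPLE_OUTPUT = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-01 16:06 Pakistan Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.015s latency).
Not shown: 96 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 00:1E:10:1F:00:00 (ShenZhen Huawei Communication Technologies Co.)

Nmap scan report for 192.168.1.101
Host is up (0.0090s latency).
All 1000 scanned ports on 192.168.1.101 are open|filtered
MAC Address: 00:1E:10:1F:00:01 (constructed)

Nmap done: 2 IP addresses (2 hosts up) scanned in 45.86 seconds
"""

_REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
_PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")
_PROTO_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")          # -sO rows: '1  open  icmp'
_NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) (?:ports|protocols)")
_ALL_RE = re.compile(r"^All (\d+) scanned ports on \S+ are (\S+)")
_MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def _new_host(name):
    return {"host": name, "up": False, "ports": [], "protocols": [],
            "not_shown": None, "mac": None}


def parse_nmap_output(text):
    """Return one dict per 'Nmap scan report' block in normal (-oN style) output."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = _REPORT_RE.match(line)
        if m:
            cur = _new_host(m.group(1))
            hosts.append(cur)
            continue
        if cur is None:          # banner lines before the first report
            continue
        if line.startswith("Host is up"):
            cur["up"] = True
        elif (m := _PORT_RE.match(line)):
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4)})
        elif (m := _PROTO_RE.match(line)):
            cur["protocols"].append({"number": int(m.group(1)), "state": m.group(2),
                                     "service": m.group(3)})
        elif (m := _NOT_SHOWN_RE.match(line)) or (m := _ALL_RE.match(line)):
            # Both summaries say the same thing: N entries share one state.
            cur["not_shown"] = (int(m.group(1)), m.group(2))
        elif (m := _MAC_RE.match(line)):
            cur["mac"] = m.group(1)
    return hosts


def find_unauthorized(hosts, baseline):
    """List (host, 'port/proto', service) for open ports outside the baseline.

    baseline maps host -> set of 'port/proto' strings. A host absent from the
    baseline is reported in full: that is how an inventory scan catches a
    machine nobody registered.
    """
    findings = []
    for h in hosts:
        allowed = baseline.get(h["host"])
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            key = f"{p['port']}/{p['proto']}"
            if allowed is None or key not in allowed:
                findings.append((h["host"], key, p["service"]))
    return findings


def silent_hosts(hosts):
    """Hosts where every scanned port was open|filtered and nothing else was seen.

    That is the #19 result: the probes were dropped, so the scan says nothing
    about which ports are really open and the host needs a different check.
    """
    return [h["host"] for h in hosts
            if h["not_shown"] and h["not_shown"][1] == "open|filtered"
            and not h["ports"] and not h["protocols"]]


BASELINE = {"192.168.1.100": {"135/tcp", "139/tcp", "445/tcp"}}   # constructed allow-list

if __name__ == "__main__":
    parsed = parse_nmap_output(SAMPLE_OUTPUT)
    for h in parsed:
        print(h["host"], "up" if h["up"] else "down", len(h["ports"]), "open ports", h["mac"])
    for host, key, service in find_unauthorized(parsed, BASELINE):
        print(f"UNEXPECTED {host} {key} ({service})")
    print("no answer at all from:", silent_hosts(parsed))
```

With the constructed allow-list the script reports 5357/tcp (wsdapi) on 192.168.1.100 as unexpected and lists 192.168.1.101 as a host that answered nothing, which is the cue to re-scan it with a different probe type (for example the ACK scan of #6) rather than to record it as having no services. For production use, feed the parser the file written by nmap -oN instead of pasted terminal text, and keep the baseline in version control so that changes to it are reviewed like any other change.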

To view the overall scanning done:
