Nmap (Network Mapper) is a powerful yet simple tool for discovering what is on a network. In simple terms, the nmap command finds the devices connected to a network and the services they expose.
Why Learn about Nmap?
For beginners, nmap is a handy way to troubleshoot a network. If you plan to become a security engineer, ethical hacker or penetration tester, knowing how to use nmap is a must: it will be one of the staples of your toolkit.
Features of Nmap
The main features and uses of Nmap are:
- Discover hosts on a network
- Find open ports and their state
- Detect known vulnerabilities and backdoors (through NSE scripts)
- Gather information such as service versions and the operating system
Scan the most common ports on a remote machine by IP address. Running as root (sudo) lets nmap use raw sockets, so the default becomes a SYN scan; an unprivileged user gets a full TCP connect scan instead.
sudo nmap <ip address>
To scan a single IP address (a hostname works the same way):
sudo nmap 192.168.1.1
Scan an IP range by giving a range for the last octet:
sudo nmap 192.168.1.1-10
This scans the ten addresses 192.168.1.1 through 192.168.1.10.
Scan a specific port on the selected target:
sudo nmap -p 80 192.168.4.1
This scans only port 80 on 192.168.4.1.
Nmap Ping Scan
A ping scan identifies which hosts in a target network are up without port-scanning them; it is the quickest way to enumerate a network. It is not only ICMP: on a local Ethernet segment nmap uses ARP requests, and for remote targets (when run as root) it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. The downside is that firewalls routinely drop ICMP and unsolicited probes, so a host that does not answer is not necessarily down; -Pn skips discovery and scans such a host anyway. The option is -sn (spelled -sP in older versions; options are case-sensitive):
nmap -sn 192.168.5.0/24
Scan Multiple Hosts
To scan several hosts, list them separated by spaces. With no other options nmap scans the 1,000 most common TCP ports on each host and reports their state:
nmap google.com 8.8.8.8
The output looks like the following. Note that the first report is for googe.com (162.243.10.151), not google.com: nmap prints the name it actually resolved next to the IP, so compare that line against the target you meant before reading the results:
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-31 06:57 UTC
Nmap scan report for googe.com (162.243.10.151)
Host is up (0.0076s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5000/tcp closed upnp
8000/tcp closed http-alt
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.0011s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https
Nmap done: 2 IP addresses (2 hosts up) scanned in 7.09 seconds
Scan a List of Addresses
nmap 192.168.4.1,2,3,4
Commas inside an octet give a list of values, so the command above scans 192.168.4.1, 192.168.4.2, 192.168.4.3 and 192.168.4.4 (the values do not have to be consecutive).
Port Scanning
Nmap can scan a specific port, a list of ports or a range of ports on a host:
nmap -p <port number> <ip>
Scan port 80 on host 192.168.4.5:
nmap -p 80 192.168.4.5
Scan a range of ports, here 20 through 2024:
nmap -p 20-2024 192.168.4.5
Scan the Most Common Ports
To scan the N ports that are most often found open (ranked by nmap's own frequency data), use --top-ports:
nmap --top-ports 25 192.168.4.5
This scans the 25 most common ports on 192.168.4.5.
Scan Using TCP or UDP
Nmap scans with TCP and UDP probes, which tells you far more than a ping: a ping only says whether a host answers, while a port scan shows which services it exposes and in what state (open, closed or filtered).
A TCP connect scan (-sT) completes the full three-way handshake through the operating system's connect() call and needs no special privileges:
nmap -sT 192.168.4.1
A UDP scan (-sU) sends UDP datagrams. It is slow, because closed ports are inferred from ICMP port-unreachable replies that most hosts rate-limit, and it needs root:
nmap -sU 192.168.4.1
A SYN scan (-sS) is the half-open scan: nmap sends a SYN, reads the SYN/ACK (open) or RST (closed), and then tears the connection down with a RST instead of completing the handshake. It needs raw-socket access (root) and is the default scan type when nmap runs as root:
nmap -sS 192.168.4.1
Scan Port Range
Scan a range of ports on the selected host:
nmap -p 2024-4048 192.168.4.5
A comma-separated list selects specific ports:
nmap -p 80,8080,800,443 192.168.4.5
Service and Version Detection
The -sV option probes each open port to identify the protocol, the application and its version (for example OpenSSH 8.9 rather than just "ssh"). Operating-system detection is a separate option, -O, and is not part of -sV:
nmap -sV 192.168.4.1
Scan IP Range
Nmap can scan a range of IP addresses to see which ports are open on each.
A block can be given in CIDR notation:
nmap 192.168.4.0/22
192.168.4.0/22 has netmask 255.255.252.0 and covers 192.168.4.0 through 192.168.7.255, so the command above scans 1024 addresses. Check the prefix length before you run it: a /22 is four times the size of a /24.
Another way is a hyphenated range in the last octet:
nmap 192.168.4.1-25
This scans 192.168.4.1 through 192.168.4.25 inclusive.
To scan all 256 addresses in the last octet, use a wildcard (quote it if your shell would otherwise try to expand it):
nmap 192.168.4.*
To scan the whole range but leave out a few hosts, use --exclude; it accepts the same notations as the target list, and --excludefile reads the exclusions from a file:
nmap 192.168.4.* --exclude 192.168.4.1
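Before handing a range to nmap it pays to know exactly how many addresses it expands to, because a mistyped prefix turns a quick scan into hours. The script below is an added example, not code from the original post or from nmap itself: a small POSIX shell script that expands the target notations used above (CIDR blocks, last-octet ranges and wildcards) with plain shell arithmetic and no network access, so you can check the count and the first and last address offline. The function names and the sample ranges are the author's own choices.

```shell
#!/bin/sh
# Added example, not from the original post or from nmap: expand the target
# notations nmap accepts with plain shell arithmetic, so a range can be
# sanity-checked offline before it is scanned.

# Dotted quad -> 32-bit integer.  ip2int 192.168.4.0 prints 3232236544
ip2int() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.  int2ip 3232236544 prints 192.168.4.0
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info a.b.c.d/N prints: netmask network broadcast address-count
# cidr_info 192.168.4.0/22 -> 255.255.252.0 192.168.4.0 192.168.7.255 1024
cidr_info() {
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "cidr_info: bad prefix length in '$1'" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "cidr_info: prefix length $prefix out of range" >&2; return 1
    fi
    all1=4294967295                              # 0xffffffff
    mask=$(( (all1 << (32 - prefix)) & all1 ))   # top $prefix bits set
    net=$(( $(ip2int "$ip") & mask ))            # host bits cleared
    bcast=$(( net | (all1 - mask) ))             # host bits set
    echo "$(int2ip "$mask") $(int2ip "$net") $(int2ip "$bcast") $(( bcast - net + 1 ))"
}

# last_octet_targets a.b.c.X-Y (or a.b.c.*) prints one address per line,
# the same list nmap -sL -n would print for that specification.
last_octet_targets() {
    base=${1%.*}
    range=${1##*.}
    if [ "$range" = '*' ]; then
        lo=0; hi=255
    else
        lo=${range%-*}; hi=${range#*-}
    fi
    i=$lo
    while [ "$i" -le "$hi" ]; do
        echo "$base.$i"
        i=$(( i + 1 ))
    done
}

# Demo: the /22 from the text, a /24 given by a host address, and the 1-25 range
cidr_info 192.168.4.0/22
cidr_info 10.0.0.77/24
last_octet_targets 192.168.4.1-25 | wc -l
```

cidr_info masks off the host bits, so giving it a host address such as 10.0.0.77/24 still reports the whole block; nmap does the same when it expands the target.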
Host Discovery
To find which hosts are up on a network without port-scanning each of them, use -sn (host discovery only):
nmap -sn 192.168.4.0/22
This lists every host that responded. When the targets are on the same Ethernet segment and nmap runs as root, it discovers them with ARP requests (which host firewalls do not filter) and prints each host's MAC address and, where known, the vendor.
A list scan (-sL) sends no packets at all: nmap simply lists every address in the specification and reports the total at the end. It still performs reverse DNS lookups (add -n to suppress them), which is itself useful, because the names reveal whether the range really belongs to the organisation you intend to test. Use it as a sanity check before any real scan:
nmap -sL 192.168.4.0/22
Host discovery options. The -P* options choose which probes are sent and can be combined on one command line; -PS, -PA and -PU accept a port list (for example -PS22,443), and -PN is the older spelling of -Pn.

Type | Syntax | Example
---|---|---
Ping scan only (host discovery, no port scan) | nmap -sP [target] (same as -sn) | nmap -sP 192.168.4.5
Don't ping (skip discovery, treat every target as up) | nmap -Pn [target] | nmap -Pn 192.168.4.5
TCP SYN ping | nmap -PS [target] | nmap -PS 192.168.4.5
TCP ACK ping | nmap -PA [target] | nmap -PA 192.168.4.5
UDP ping | nmap -PU [target] | nmap -PU 192.168.4.5
SCTP INIT ping | nmap -PY [target] | nmap -PY 192.168.4.5
ICMP echo ping | nmap -PE [target] | nmap -PE 192.168.4.5
ICMP timestamp ping | nmap -PP [target] | nmap -PP 192.168.4.5
ICMP address mask ping | nmap -PM [target] | nmap -PM 192.168.4.5
IP protocol ping | nmap -PO [target] | nmap -PO 192.168.4.5
Disable Name Resolution
Reverse DNS lookups can add a great deal of time to a large scan (and generate queries that a defender's resolver logs will show). Disable them with the -n option:
nmap -p 53 -n 8.8.8.8
Save Scan Results to a File
To save the normal output to a text file in addition to printing it on the terminal:
nmap -oN output.txt example.com
XML output (-oX) is the format to use when another tool will consume the results; -oG gives the older grepable format, and -oA basename writes all three files at once:
nmap -oX output.xml getkt.com
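Grepable output (-oG) is the format to reach for when the results feed another command, and the usual pipeline is host discovery first (as in the Host Discovery section above), then a port scan of only the hosts that answered. The script below is an added example, not code from the original post or from the nmap project: two small awk-based functions that pull live hosts and open ports out of -oG output, run here over a constructed sample (not real scan results) so it works offline. The function names and the sample hosts are the author's own; the -oG port field layout (port/state/protocol/owner/service/rpcinfo/version) is nmap's.

```shell
#!/bin/sh
# Added example, not from the original post or from nmap: parse nmap
# grepable (-oG) output.  Typical use once the functions are defined:
#   nmap -sn -oG - 192.168.4.0/22 | gnmap_up_hosts > live.txt
#   nmap -sV -iL live.txt -oG scan.gnmap
#   gnmap_open_ports < scan.gnmap

# Print the address of every host reported "Status: Up".
gnmap_up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Print "host port/proto service (version)" for every open port.
# -oG port entries are comma separated and each has the fixed layout
#   port/state/protocol/owner/service/rpcinfo/version/
gnmap_open_ports() {
    awk '
    /^Host:/ && /Ports:/ {
        host = $2
        list = $0
        sub(/.*Ports: /, "", list)        # drop everything before the port list
        sub(/\t.*/, "", list)             # drop the tab-separated fields after it
        n = split(list, entry, /, /)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] != "open") continue  # skip closed, filtered, open|filtered
            ver = (f[7] != "") ? " (" f[7] ")" : ""
            printf "%s %s/%s %s%s\n", host, f[1], f[3], f[5], ver
        }
    }'
}

# Constructed sample of -sV -oG output for three hosts; not real scan results.
sample_gnmap() {
    printf 'Host: 192.168.4.5 ()\tStatus: Up\n'
    printf 'Host: 192.168.4.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/open/tcp//http//nginx 1.18.0//, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.4.6 ()\tStatus: Up\n'
    printf 'Host: 192.168.4.6 ()\tPorts: 53/open/udp//domain//dnsmasq 2.80//\tIgnored State: open|filtered (99)\n'
    printf 'Host: 192.168.4.7 ()\tStatus: Down\n'
    printf '# Nmap done -- 3 IP addresses (2 hosts up) scanned in 9.41 seconds\n'
}

# Demo on the sample: two live hosts, then three open ports (443 is closed
# and so is left out).
sample_gnmap | gnmap_up_hosts
sample_gnmap | gnmap_open_ports
```

The parser keys on the state field rather than on the word "open" anywhere in the line, so an UDP port reported as open|filtered (the usual answer from a silent UDP service) is not mistaken for a confirmed open port.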
Scanning for Malware
Nmap is not an antivirus, but NSE scripts in the malware category can recognise known backdoors and compromised services, for example the trojaned vsftpd and UnrealIRCd releases (ftp-vsftpd-backdoor, irc-unrealircd-backdoor), suspicious SMTP, identd and SMB behaviour, and web servers hosting known malicious content. The http-malware-host script checks a web server for the fingerprints of well-known malware:
nmap -sV --script=http-malware-host 192.168.4.5
The http-google-malware script instead asks Google's Safe Browsing service whether the host is listed as malicious; it requires a Safe Browsing API key, passed as a script argument (see the script's documentation):
nmap -p80 --script http-google-malware example.com
OS & Service Detection
The -A option turns on OS detection (-O), version detection (-sV), the default script set (-sC) and traceroute in one go; -T4 selects an aggressive timing template suited to fast, reliable networks. OS detection needs root. This is a noisy, easily detected scan, and 8.8.8.8 is a public service you do not own, so substitute a host you are authorized to test:
nmap -A -T4 8.8.8.8
Attacks Using Nmap
NSE also contains scripts that actively attack a service. They can lock out accounts or take a server down, so run them only against systems you are explicitly authorized to test. The http-slowloris script performs a slowloris denial-of-service test, holding many partial HTTP connections open to exhaust the server's connection pool; runforever=true keeps it running until you stop it:
nmap 192.168.4.5 --max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
A straightforward FTP password brute force (without userdb and passdb it uses nmap's built-in username and password lists):
nmap --script ftp-brute -p 21 192.168.4.5
Brute force against MySQL, which listens on port 3306 (ms-sql-brute on port 1433 is the equivalent for Microsoft SQL Server):
nmap -p 3306 --script mysql-brute --script-args userdb=customuser.txt,passdb=passwds.txt 192.168.4.5
Brute force against a WordPress login; brute.firstonly=true stops at the first valid credential, and the argument list must not contain spaces:
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.4.5