Do not scan a device or a network or a system that is not yours or you do not have a permission to scan.
Use at your own risk.
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap’s probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.
In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.
Nmap in a nutshell:
- Host discovery
- Port discovery / enumeration
- Service discovery
- Operating system version detection
- Hardware (MAC) address detection
- Service version detection
- Vulnerability / exploit detection, using Nmap scripts (NSE)
The Nmap utility is a common tool used for port scans. A port scan is the process of attempting to connect to every port on a computer — ports 1 through 65535 — and seeing if they’re open. Why? An attacker might port-scan a system to find vulnerable services or, you might port scan your own computer to ensure that there are no vulnerable services listening to the network. Nmap displays exposed services on a target machine along with other useful information such as the version and OS detection.
By default, Nmap scans perform a SYN Scan.
The tool was written and maintained by Fyodor (AKA Gordon Lyon). Nmap 7.12 is now available [change log | download] as of 6/29/2016.
Click here for supporting documentation for Nmap.
For good tutorials on Nmap, see these Udemy videos which you can view if you purchase their excellent “The Complete Ethical Hacking Course: Beginner to Advance” course:
https://www.udemy.com/draft/437490/learn/v4/t/lecture/2641556
https://www.udemy.com/draft/437490/learn/v4/t/lecture/2641558
https://www.udemy.com/draft/437490/learn/v4/t/lecture/2641564
For another basic tutorial from TechTarget, see this:
http://searchsecurity.techtarget.com/video/How-to-use-Nmap-to-scan-a-network
Here is a SUBSET of nmap options. This is NOT a complete list:
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
–exclude <host1[,host2][,host3],…>: Exclude hosts/networks
–excludefile : Exclude list from file
HOST DISCOVERY:
-sL: List Scan – simply list targets to scan
-sn: Ping Scan – disable port scan
-Pn: Treat all hosts as online — skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
–dns-servers <serv1[,serv2],…>: Specify custom DNS servers
–system-dns: Use OS’s DNS resolver
–traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
–scanflags : Customize TCP scan flags
-sI : Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
–exclude-ports : Exclude the specified ports from scanning
-F: Fast mode – Scan fewer ports than the default scan
-r: Scan ports consecutively – don’t randomize
–top-ports : Scan most common ports
–port-ratio : Scan ports more common than
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
–version-intensity : Set from 0 (light) to 9 (try all probes)
–version-light: Limit to most likely probes (intensity 2)
–version-all: Try every single probe (intensity 9)
–version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to –script=default
–script=: is a comma separated list of
directories, script-files or script-categories
–script-args=<n1=v1,[n2=v2,…]>: provide arguments to scripts
–script-args-file=filename: provide NSE script args in a file
–script-trace: Show all data sent and received
–script-updatedb: Update the script database.
–script-help=: Show help about scripts.
is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
–osscan-limit: Limit OS detection to promising targets
–osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take
Basic Nmap scanning examples, often used at the first stage of enumeration, with a hat tip to https://highon.coffee/blog/nmap-cheat-sheet/
Command | Description |
---|---|
nmap -sP 10.0.0.0/24 | Ping scans the network, listing machines that respond to ping. |
nmap -p 1-65535 -sV -sS -T4 target | Full TCP port scan using with service version detection – usually first scan. T4 more accurate than T5 and still “pretty quick”. |
nmap -v -sS -A -T4 target | Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services. |
nmap -v -sS -A -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services. |
nmap -v -sV -O -sS -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection. |
nmap -v -p 1-65535 -sV -O -sS -T4 target | Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan. |
nmap -v -p 1-65535 -sV -O -sS -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan. |
Here
Nmap Netbios Examples
Command | Description |
---|---|
nmap -sV -v -p 139,445 10.0.0.1/24 | Find all Netbios servers on subnet |
nmap -sU –script nbstat.nse -p 137 target | Nmap display Netbios name |
nmap –script-args=unsafe=1 –script smb-check-vulns.nse -p 445 target |
Nmap check if Netbios servers are vulnerable to MS08-067 |
Be careful when running this command.
Command | Description |
---|---|
nmap -p80 10.0.1.0/24 -oG – | nikto.pl -h – | Scans for http servers on port 80 and pipes into Nikto for scanning. |
nmap -p80,443 10.0.1.0/24 -oG – | nikto.pl -h – | Scans for http/https servers on port 80, 443 and pipes into Nikto for scanning. |