Nmap: The Network Mapper
What is Nmap?
Nmap, short for Network Mapper, is a free, open-source tool for network
discovery and security auditing. Network administrators use Nmap to identify
what devices are running on their networks, discover which hosts are available
and the services they offer, find open ports and detect security risks. Nmap
can be used to examine a single host as well as vast networks that encompass
hundreds of thousands of devices and many subnets.
Though Nmap has evolved over the years and is extremely
flexible, at heart it's a port-scan tool, gathering information by
sending raw packets to system ports. It listens for responses
and determines whether ports are open, closed or filtered in
some way by, for example, a firewall. Other terms used for port
scanning include port discovery or enumeration.
Creator: Gordon Lyon
Nmap was first introduced, with source code, in Phrack Magazine in September
1997. It was originally written in C and is now mainly C++, with Lua for the
Nmap Scripting Engine and Python for companion tools such as Zenmap and Ndiff.
Creator Gordon Lyon adopted the pseudonym Fyodor Vaskovitch, which he picked
up after reading Fyodor Dostoevsky's Notes from Underground, and still uses
the handle Fyodor in his work on Nmap.
Features
Host discovery – Identifying hosts on a network. For
example, listing the hosts that respond to TCP and/or ICMP
requests or have a particular port open.
Port scanning – Enumerating the open ports on target
hosts.
Version detection – Interrogating network services on
remote devices to determine application name and version
number.
TCP/IP stack fingerprinting – Determining the operating
system and hardware characteristics of network devices
based on observations of network activity of said devices.
Scriptable interaction with the target – using the Nmap
Scripting Engine (NSE) and the Lua programming language.
Nmap can provide further information on targets,
including reverse DNS names, device types, and MAC
addresses.
Typical uses of Nmap:
Auditing the security of a device or firewall by
identifying the network connections which can be made
to, or through it.
Identifying open ports on a target host in preparation
for auditing.
Network inventory, network mapping, maintenance and
asset management.
Auditing the security of a network by identifying new
servers.
Generating traffic to hosts on a network, response
analysis and response time measurement.
Finding vulnerabilities in a network with NSE scripts in the vuln
category (and, for the few scripts in the exploit category, exploiting them).
DNS queries and subdomain search (via NSE scripts such as dns-brute).
Nmap Supported Operating Systems
Linux
Windows
macOS
Installing Nmap On Linux
To install Nmap on Debian and Debian-based systems such as Ubuntu and
Linux Mint, open the Terminal and type the following command:
$ sudo apt-get install nmap
Run Nmap on Linux
Run Nmap by typing in the Terminal:
$ sudo nmap
With no arguments Nmap prints its usage summary. Run it with sudo (or as
root) whenever you need raw-socket features such as SYN scans (-sS), OS
detection (-O) or ARP discovery (-PR); without root privileges Nmap falls back
to a TCP connect scan (-sT).
Check out the Man Pages of Nmap on your Linux System
Open the Terminal and type the following command:
$ man nmap
The man page documents every option in detail.
Check out the Help Pages of Nmap on your Linux System
Open the Terminal and type the following command:
$ nmap --help
Install NMAP on Windows
1. Head over to the official Nmap download page. Under the Microsoft Windows
Binaries section, click on the latest stable Nmap .exe release.
2. Once the Nmap download is complete, double-click on the file to launch the
Nmap installer. When asked if you allow this app to make changes to your
device, click the Yes button.
3. Click the Agree button when asked about the Nmap License Agreement.
4. On the Choose Components window, select all checkboxes and click Next.
5. Click Install on the Choose Installation Location window.
6. You will be asked a second time to confirm Npcap's License Agreement.
Please read the agreement carefully and click the I Agree button.
8. On the Installation Complete window, click Next, then Finish.
9. Click Next again once prompted. On the Create Shortcuts window, select the
respective checkbox if you want a Start Menu or Desktop Nmap shortcut. Click
Next, and Finish.
10. Test Nmap on Windows
Let's now test if Nmap and Zenmap were installed correctly on your Windows
machine. First, open a Command Prompt window (type CMD in the Windows search
box) and run nmap as Administrator: with no arguments Nmap prints its usage
summary, which confirms the binary is on your PATH. Administrator rights are
needed for raw-socket scans such as -sS and -O, just as root is on Linux.
Nmap Command
Target Specification
Switch      Example                                     Description
            nmap 192.168.1.1                            Scan a single IP
            nmap 192.168.1.1 192.168.2.1                Scan specific IPs
            nmap 192.168.1.1-254                        Scan a range (each octet may be a range or a comma list, e.g. 10.0.0-5.1,3)
            nmap scanme.nmap.org                        Scan a domain name
            nmap 192.168.1.0/24                         Scan using CIDR notation (all 256 addresses, network and broadcast included)
-iL         nmap -iL targets.txt                        Scan targets from a file (specs separated by spaces, tabs or newlines)
-iR         nmap -iR 100                                Scan 100 random Internet hosts
--exclude   nmap 192.168.1.0/24 --exclude 192.168.1.1   Exclude the listed hosts from the scan
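Because a mistyped range or CIDR can put hosts in scope that you have no authorisation to touch, it is worth expanding the target specification offline before running the scan. The following Python script is an added example (not code from the page or from the Nmap project) that expands the target syntax from the table above: CIDR, per-octet ranges and comma lists, -iL files and --exclude. It is IPv4 only, passes hostnames through unresolved, and the sample targets at the bottom are constructed.

```python
# Added example (not from the page or the Nmap project): expands Nmap-style
# target specifications offline so the scope of a scan can be reviewed before
# a single packet is sent. Handles CIDR, per-octet ranges and lists, -iL input
# files and --exclude. IPv4 only; hostnames are passed through unresolved.
import ipaddress
import re
from typing import Iterable, List

# Four dotted parts made only of digits, commas, '-' and '*': Nmap's numeric syntax.
_NUMERIC = re.compile(r"[0-9,*-]+(\.[0-9,*-]+){3}")


def _expand_octet(part: str) -> List[int]:
    """Expand one octet: '7', '1-254', '-5' (0..5), '250-' (250..255), '1,3,7' or '*'."""
    values: List[int] = []
    for piece in part.split(","):
        if piece == "*":
            piece = "0-255"
        if "-" in piece:
            lo_s, hi_s = piece.split("-", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into IPv4 strings in address order.

    '10.0.0.0/30'     -> 4 addresses (Nmap includes network and broadcast addresses)
    '192.168.1.1-254' -> 254 addresses
    '10.0.0-1.1,3'    -> 10.0.0.1, 10.0.0.3, 10.0.1.1, 10.0.1.3
    Anything that is not numeric IPv4 syntax (e.g. scanme.nmap.org) is returned as-is
    for the resolver; a numeric spec with an out-of-range octet raises ValueError.
    """
    spec = spec.strip()
    if "/" in spec:
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return [spec]            # hostname/prefix form, left for the resolver
        return [str(addr) for addr in net]
    if not _NUMERIC.fullmatch(spec):
        return [spec]
    octets = [_expand_octet(p) for p in spec.split(".")]
    return [f"{a}.{b}.{c}.{d}"
            for a in octets[0] for b in octets[1] for c in octets[2] for d in octets[3]]


def read_target_file(text: str) -> List[str]:
    """Split -iL input into specs: Nmap separates entries by spaces, tabs or newlines."""
    return text.split()


def build_scope(targets: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Union of all target specs minus every address covered by the --exclude specs."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    scope: List[str] = []
    seen = set()
    for spec in targets:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                scope.append(addr)
    return scope


if __name__ == "__main__":
    # Constructed sample: the table's examples plus an excluded gateway address.
    sample = read_target_file("192.168.1.1-3 10.0.0.0/30\nscanme.nmap.org\n")
    for addr in build_scope(sample, exclude=["192.168.1.1", "10.0.0.0"]):
        print(addr)
```

Review the printed list against your authorisation before running the real scan; the same expansion also tells you how many hosts a spec covers, which is what decides whether a -T4 scan finishes in minutes or hours.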
Scan Techniques
Switch   Example                 Description
-sS      nmap 192.168.1.1 -sS    TCP SYN port scan (default when run with root privileges; never completes the handshake)
-sT      nmap 192.168.1.1 -sT    TCP connect port scan (default without root privileges; completes the handshake, so the target application logs the connection)
-sU      nmap 192.168.1.1 -sU    UDP port scan (slow; ports report open|filtered unless the service answers or an ICMP unreachable comes back)
-sA      nmap 192.168.1.1 -sA    TCP ACK scan: maps firewall rules (filtered vs unfiltered), does not distinguish open from closed ports
-sW      nmap 192.168.1.1 -sW    TCP Window port scan
-sM      nmap 192.168.1.1 -sM    TCP Maimon port scan
Host Discovery
Switch   Example                          Description
-sL      nmap 192.168.1.1-3 -sL           No scan; list targets only (still does reverse DNS unless -n is given)
-sn      nmap 192.168.1.1/24 -sn          Disable port scanning; host discovery only
-Pn      nmap 192.168.1.1-5 -Pn           Disable host discovery; port scan every target as if it were up
-PS      nmap 192.168.1.1-5 -PS22-25,80   TCP SYN discovery on the given ports (port 80 by default)
-PA      nmap 192.168.1.1-5 -PA22-25,80   TCP ACK discovery on the given ports (port 80 by default)
-PU      nmap 192.168.1.1-5 -PU53         UDP discovery on the given port (port 40125 by default)
-PR      nmap 192.168.1.1/24 -PR          ARP discovery on the local network (Nmap uses it automatically for targets on the local Ethernet segment)
-n       nmap 192.168.1.1 -n              Never do DNS resolution
Port Specification
Switch        Example                                Description
-p            nmap 192.168.1.1 -p 21                 Port scan for port x
-p            nmap 192.168.1.1 -p 21-100             Port range
-p            nmap 192.168.1.1 -p U:53,T:21-25,80    Port scan multiple UDP and TCP ports (a T:/U: qualifier applies until the next one, so 80 here is TCP)
-p-           nmap 192.168.1.1 -p-                   Port scan all ports 1-65535
-p            nmap 192.168.1.1 -p http,https         Port scan by service name (looked up in nmap-services)
-F            nmap 192.168.1.1 -F                    Fast port scan (the 100 most common ports)
--top-ports   nmap 192.168.1.1 --top-ports 2000      Port scan the top x most common ports
-p-65535      nmap 192.168.1.1 -p-65535              Leaving off the initial port in a range makes the scan start at port 1
-p0-          nmap 192.168.1.1 -p0-                  Leaving off the end port in a range makes the scan go through to port 65535
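The sticky T:/U: qualifiers and the open-ended ranges in the table are easy to get wrong when a port list is generated by another tool or pasted from a ticket. The Python below is an added example (not the page's or Nmap's own code) that parses the -p syntax into per-protocol port sets with the same rules Nmap applies. SERVICE_PORTS is a small constructed stand-in for the real nmap-services file; the function names are this example's own.

```python
# Added example (not from the page or the Nmap project): a parser for the -p
# port specification syntax. T:/U:/S: qualifiers persist until the next
# qualifier, as in Nmap; unqualified entries apply to every protocol the scan
# requests. Service names come from a small constructed table standing in for
# Nmap's nmap-services file.
from typing import Dict, Iterable, Set

# Constructed stand-in for nmap-services (hypothetical subset).
SERVICE_PORTS = {
    ("ftp", "tcp"): 21, ("ssh", "tcp"): 22, ("domain", "tcp"): 53,
    ("domain", "udp"): 53, ("http", "tcp"): 80, ("https", "tcp"): 443,
}
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp"}


def _add_item(item: str, proto: str, out: Dict[str, Set[int]]) -> bool:
    """Add one entry ('80', '21-100', '-', '-65535', '0-', 'http') to out[proto].

    Returns False only when a service name has no port for this protocol.
    """
    if item.isdigit():
        lo = hi = int(item)
    elif "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1          # '-' and '-N' start at port 1 ...
        hi = int(hi_s) if hi_s else 65535      # ... and 'N-' runs through 65535
    else:
        port = SERVICE_PORTS.get((item, proto))
        if port is None:
            return False
        lo = hi = port
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {item!r}")
    out.setdefault(proto, set()).update(range(lo, hi + 1))
    return True


def parse_port_spec(spec: str, protocols: Iterable[str] = ("tcp",)) -> Dict[str, Set[int]]:
    """Return {protocol: set(ports)} for an Nmap -p argument.

    protocols is what the scan requests: ("tcp",) for -sS/-sT, ("udp",) for -sU,
    ("tcp", "udp") for -sSU. Unqualified entries land in all of them. A U:/T:
    entry for a protocol the scan does not request is still recorded here
    (Nmap itself warns and ignores it).
    """
    requested = list(protocols)
    out: Dict[str, Set[int]] = {p: set() for p in requested}
    current = requested
    for raw in spec.split(","):
        item = raw.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in QUALIFIERS:
            current = [QUALIFIERS[item[0].upper()]]   # sticky until the next qualifier
            item = item[2:]
        if not item:
            raise ValueError(f"empty entry in port spec {spec!r}")
        # List comprehension so every protocol is tried, not just the first hit.
        if not any([_add_item(item, proto, out) for proto in current]):
            raise ValueError(f"unknown service {item!r} for {current}")
    return out


if __name__ == "__main__":
    for spec, protos in [("U:53,T:21-25,80", ("tcp", "udp")), ("-", ("tcp",)),
                         ("0-", ("tcp",)), ("http,https", ("tcp",))]:
        parsed = parse_port_spec(spec, protos)
        print(spec, {p: f"{len(ports)} ports" for p, ports in parsed.items()})
```

Running it shows that -p- covers 65535 ports while -p0- covers 65536 (port 0 is a legitimate, if unusual, target), and that 80 in the U:53,T:21-25,80 example is a TCP port, not a UDP one.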
Service and Version Detection
Switch                    Example                                      Description
-sV                       nmap 192.168.1.1 -sV                         Attempts to determine the version of the service running on each open port
-sV --version-intensity   nmap 192.168.1.1 -sV --version-intensity 8   Intensity level 0 to 9; a higher number sends more probes and increases the chance of a correct match
-sV --version-light       nmap 192.168.1.1 -sV --version-light         Light mode (intensity 2): faster, lower chance of a correct match
-sV --version-all         nmap 192.168.1.1 -sV --version-all           Intensity level 9: every probe, highest chance of a correct match, slower
-A                        nmap 192.168.1.1 -A                          Enables OS detection, version detection, script scanning and traceroute
OS Detection
Switch              Example                                Description
-O                  nmap 192.168.1.1 -O                    Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit   nmap 192.168.1.1 -O --osscan-limit     Only attempt OS detection against hosts with at least one open and one closed TCP port (the fingerprint is unreliable otherwise)
-O --osscan-guess   nmap 192.168.1.1 -O --osscan-guess     Makes Nmap guess more aggressively when there is no exact fingerprint match
-O --max-os-tries   nmap 192.168.1.1 -O --max-os-tries 1   Set the maximum number x of OS detection tries against a target
-A                  nmap 192.168.1.1 -A                    Enables OS detection, version detection, script scanning and traceroute
Timing and Performance
Switch   Example                 Description
-T0      nmap 192.168.1.1 -T0    Paranoid (0): probes are sent one at a time with long waits between them, for Intrusion Detection System evasion
-T1      nmap 192.168.1.1 -T1    Sneaky (1): serialized probes with shorter waits, also for Intrusion Detection System evasion
-T2      nmap 192.168.1.1 -T2    Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
-T3      nmap 192.168.1.1 -T3    Normal (3): the default speed
-T4      nmap 192.168.1.1 -T4    Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network
-T5      nmap 192.168.1.1 -T5    Insane (5): speeds up scans further; assumes an extraordinarily fast network and trades accuracy (missed ports) for speed
NSE Scripts
Switch             Example                                                                     Description
-sC                nmap 192.168.1.1 -sC                                                        Scan with the default NSE scripts; considered useful for discovery and safe
--script default   nmap 192.168.1.1 --script default                                           Same as -sC
--script           nmap 192.168.1.1 --script=banner                                            Scan with a single script (banner)
--script           nmap 192.168.1.1 --script "http*"                                           Scan with a wildcard (every script whose name starts with http); quote it so the shell does not expand the *
--script           nmap 192.168.1.1 --script=http-title,banner                                 Scan with two scripts (http-title and banner)
--script           nmap 192.168.1.1 --script "not intrusive"                                   Every script outside the intrusive category, which is far more than the default set; use "default and not intrusive" to keep the default set minus its intrusive scripts
--script-args      nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1   NSE script with arguments
Useful NSE Script Examples
Command                                                                                                           Description
nmap -Pn --script=http-sitemap-generator scanme.nmap.org                                                          HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000                                             Fast search for random web servers
nmap -Pn --script=dns-brute domain.com                                                                            Brute-forces DNS hostnames to guess subdomains
nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" 192.168.1.1   Common SMB enumeration and vulnerability scripts; not all are safe: several smb-vuln-* scripts are in the intrusive or dos category and can crash a fragile target, so check them with --script-help "smb-vuln*" first
nmap --script "whois*" domain.com                                                                                 Whois query
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org                                                    Finds parameters reflected into the page without escaping (possible cross-site scripting)
nmap -p80 --script http-sql-injection scanme.nmap.org                                                             Check for SQL injections
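The difference between --script "not intrusive" and --script "default and not intrusive", and the fact that a wildcard such as smb-vuln* sweeps in dos-category scripts, are the kind of thing best checked before the scan runs. The Python below is an added example (not code from the page or from Nmap) that evaluates --script selector expressions (names, categories, wildcards, and/or/not, parentheses, commas as union) against a script database in Nmap's script.db format. SCRIPT_DB is a constructed excerpt and its category assignments are illustrative; the real answer for your installation comes from nmap --script-help.

```python
# Added example (not from the page or the Nmap project): evaluates --script
# selector expressions against a script database written in script.db format,
# so you can see exactly which scripts a selector pulls in before running it.
# SCRIPT_DB is a constructed excerpt; the categories shown are illustrative.
import fnmatch
import re
from typing import Dict, List, Set, Tuple

SCRIPT_DB = '''
Entry { filename = "banner.nse", categories = { "discovery", "safe" } }
Entry { filename = "dns-brute.nse", categories = { "intrusive", "discovery" } }
Entry { filename = "http-sql-injection.nse", categories = { "intrusive", "vuln" } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe" } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe" } }
Entry { filename = "smb-vuln-ms10-054.nse", categories = { "vuln", "intrusive", "dos" } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe" } }
Entry { filename = "ssh-hostkey.nse", categories = { "safe", "default", "discovery" } }
'''

_ENTRY = re.compile(r'filename\s*=\s*"([^"]+)\.nse".*?categories\s*=\s*\{([^}]*)\}')


def load_script_db(text: str) -> Dict[str, Set[str]]:
    """Map script name -> set of categories."""
    return {m.group(1): set(re.findall(r'"([^"]+)"', m.group(2)))
            for m in _ENTRY.finditer(text)}


class _Parser:
    """Recursive descent with precedence or < and < not < atom (name, category or glob)."""

    def __init__(self, expr: str) -> None:
        # A comma-separated --script list is a union, so commas become 'or'.
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr.replace(",", " or "))
        self.pos = 0

    def _peek(self) -> str:
        return self.toks[self.pos] if self.pos < len(self.toks) else ""

    def _take(self) -> str:
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self) -> Tuple:
        node = self._or()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _or(self) -> Tuple:
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self) -> Tuple:
        node = self._not()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self) -> Tuple:
        if self._peek() == "not":
            self._take()
            return ("not", self._not())
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("", ")", "and", "or"):
            raise ValueError(f"expected a script name or category, got {tok!r}")
        return ("name", tok)


def _matches(node: Tuple, name: str, cats: Set[str]) -> bool:
    kind = node[0]
    if kind == "name":                      # 'all' matches everything, like Nmap's pseudo-category
        pat = node[1]
        return (pat == "all" or fnmatch.fnmatchcase(name, pat)
                or any(fnmatch.fnmatchcase(c, pat) for c in cats))
    if kind == "not":
        return not _matches(node[1], name, cats)
    left, right = _matches(node[1], name, cats), _matches(node[2], name, cats)
    return (left and right) if kind == "and" else (left or right)


def select_scripts(expr: str, db: Dict[str, Set[str]]) -> List[str]:
    """Sorted names of the scripts a --script expression selects."""
    tree = _Parser(expr).parse()
    return sorted(name for name, cats in db.items() if _matches(tree, name, cats))


if __name__ == "__main__":
    db = load_script_db(SCRIPT_DB)
    for expr in ("default", "not intrusive", "default and not intrusive",
                 "smb-vuln*", "smb-vuln* and not (intrusive or dos)"):
        print(f"{expr!r:40} -> {select_scripts(expr, db)}")
```

Against this sample database "not intrusive" selects five scripts where "default and not intrusive" selects the three default ones, and "smb-vuln*" pulls in the dos-category ms10-054 check until the selector excludes it explicitly.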
Firewall / IDS Evasion and Spoofing
Switch          Example                                                                       Description
-f              nmap 192.168.1.1 -f                                                           Requested scan (including ping scans) uses tiny fragmented IP packets; harder for simple packet filters to inspect
--mtu           nmap 192.168.1.1 --mtu 32                                                     Set your own fragment size (must be a multiple of 8)
-D              nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1    Cloak the scan with decoy source IPs so the target sees several apparent scanners
-D              nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip    Above example explained (ME can stand in for your own IP to fix its position in the list)
-S              nmap -S www.microsoft.com www.facebook.com                                    Spoof the source address (scan Facebook "from" Microsoft); -e eth0 -Pn may be required, and replies go to the spoofed address, so you see no results yourself
-g              nmap -g 53 192.168.1.1                                                        Use the given source port number (some filters wrongly trust traffic from 53 or 20)
--proxies       nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1    Relay connections through HTTP/SOCKS4 proxies
--data-length   nmap --data-length 200 192.168.1.1                                            Appends random data to sent packets
Example IDS Evasion command
nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.
Output
Switch            Example                                            Description
-oN               nmap 192.168.1.1 -oN normal.file                   Normal output to the file normal.file
-oX               nmap 192.168.1.1 -oX xml.file                      XML output to the file xml.file (the format to parse programmatically)
-oG               nmap 192.168.1.1 -oG grep.file                     Grepable output to the file grep.file
-oA               nmap 192.168.1.1 -oA results                       Output in the three major formats at once (results.nmap, results.xml, results.gnmap)
-oG -             nmap 192.168.1.1 -oG -                             Grepable output to screen; -oN - and -oX - also work
--append-output   nmap 192.168.1.1 -oN file.file --append-output     Append a scan to a previous scan file
-v                nmap 192.168.1.1 -v                                Increase the verbosity level (use -vv or more for greater effect)
-d                nmap 192.168.1.1 -d                                Increase the debugging level (use -dd or more for greater effect)
--reason          nmap 192.168.1.1 --reason                          Display the reason a port is in a particular state (e.g. syn-ack, reset); -vv includes the same information
--open            nmap 192.168.1.1 --open                            Only show open (or possibly open) ports
--packet-trace    nmap 192.168.1.1 -T4 --packet-trace                Show all packets sent and received
--iflist          nmap --iflist                                      Show the host's interfaces and routes
--resume          nmap --resume results.file                         Resume an aborted scan from its normal (-oN) or grepable (-oG) output file
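The XML output (-oX) is what to feed into other tooling, and one of the most useful things to do with it is the "identify new servers" audit from the Typical Uses section: compare today's scan against a baseline and flag every port that is open now but was not before. The Python below is an added example (not the page's or Nmap's own code) that does this. BASELINE_XML and CURRENT_XML are constructed samples written with the element and attribute names Nmap's XML output uses (host, status, address, port, state, service, including the reason attribute that --reason populates); the hosts, banners and timestamps are made up.

```python
# Added example (not from the page or the Nmap project): reads -oX output and
# reports ports that are open now but were not open in an earlier scan. Both
# XML documents are constructed samples in Nmap's XML format (real element and
# attribute names; hosts, banners and timestamps are made up).
import xml.etree.ElementTree as ET
from typing import List, Tuple

Finding = Tuple[str, str, int, str, str, str]  # host, proto, port, service, banner, reason

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --reason -oX baseline.xml 192.168.1.0/24" start="1700000000">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="64"/></port>
    </ports>
  </host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --reason -oX current.xml 192.168.1.0/24" start="1700086400">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="ms-wbt-server" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.23" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text: str) -> List[Finding]:
    """Open ports from an -oX document, one tuple per host/port, in document order."""
    rows: List[Finding] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                     # hosts that never answered discovery carry no ports
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                 # closed/filtered ports are not exposures
            svc = port.find("service")
            name = banner = ""
            if svc is not None:
                name = svc.get("name", "")
                banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rows.append((addr, port.get("protocol", ""), int(port.get("portid", "0")),
                         name, banner, state.get("reason", "")))
    return rows


def new_exposures(baseline: List[Finding], current: List[Finding]) -> List[Finding]:
    """Open (host, proto, port) triples present now but absent from the baseline."""
    known = {(h, p, n) for h, p, n, *_ in baseline}
    return [row for row in current if (row[0], row[1], row[2]) not in known]


if __name__ == "__main__":
    for host, proto, port, name, banner, reason in new_exposures(
            parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML)):
        print(f"NEW {host} {port}/{proto} {name} {banner} (reason: {reason})")
```

On the sample data the report is a newly opened RDP port on the existing host and a new host exposing SMB; the host marked down contributes nothing, and the reason column carries the --reason evidence (syn-ack) that the port state rests on.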