NETWORK EXPLORATION TOOL
Name: Abhishek | Date: 14-11-2024
Installation
− Nmap was originally designed for Unix/Linux systems, but it now also runs on
Windows and macOS.
− Most popular Linux distributions provide binary Nmap packages which allow for
simple installation.
Syntax - Command: apt install nmap
Note: If it's already installed, you can either choose to upgrade it or type 'no' to stop
the installation.
− Once Nmap has been successfully installed, you can verify it is working correctly
by executing #nmap localhost on the command line.
Basic Scanning Overview
This section covers the basics of network scanning with Nmap. Before we begin it is
important to understand the following concepts:
− Firewalls, routers, proxy servers, and other security devices can skew the results of
an Nmap scan.
− Some scanning options require elevated privileges. On Unix and Linux systems you
may be required to login as the root user or to execute Nmap using the sudo
command.
➢ Scan Single Target
− A target can be specified as an IP address or host name which Nmap will try to
resolve.
Syntax: #nmap [target]
E.g.: #nmap 192.168.1.1
➢ Scan Multiple Targets
Nmap can be used to scan multiple hosts at the same time. The easiest way to do
this is to string together the target IP addresses or host names on the command
line (separated by a space).
Syntax: #nmap [target1 target2 etc]
E.g.: #nmap 192.168.10.1 192.168.10.100 192.168.10.101
➢ Scan a Range of IP Addresses
A range of IP addresses can be used for target specification as demonstrated in the
example below.
Syntax: #nmap [range of IP addresses]
E.g.: #nmap 192.168.1.1-100
➢ Scan a List of Targets
If you have a large number of systems to scan, you can enter the IP address (or
host names) in a text file and use that file as input for Nmap on the command line.
The list.txt file passed to -iL contains the hosts to be scanned. Each entry in the
list.txt file must be separated by a space, tab, or newline. The -iL parameter instructs
Nmap to read the list of targets from the list.txt file.
➢ Exclude Targets from a Scan
The --exclude option is used with Nmap to exclude hosts from a scan.
Syntax: #nmap [targets] --exclude [target(s)]
E.g.: #nmap 192.168.1.1/24 --exclude 192.168.1.10
Note: The --exclude option is useful if you want to leave out specific hosts when
scanning a large number of addresses. In the example above, host 192.168.1.10 is
excluded from the range of targets being scanned.
➢ Perform an Aggressive Scan
The -A parameter instructs Nmap to perform an aggressive scan, which turns on OS
detection, version detection, script scanning, and traceroute together; it sends far
more traffic than a plain port scan and is easy for the target to log and detect.
Syntax: #nmap -A [target]
E.g.: #nmap -A 192.168.1.1
➢ Scan an IPv6 Target
The -6 parameter is used to perform a scan of an IP version 6 target.
Syntax: #nmap -6 [target]
E.g.: #nmap -6 fe80::29aa:9db9:4164:d80e
Basic Scanning Functions – Options used in Nmap:
Feature Option
Don’t Ping -PN
Perform a Ping Only Scan -sP
TCP SYN Ping -PS
TCP ACK Ping -PA
UDP Ping -PU
SCTP INIT Ping -PY
ICMP Echo Ping -PE
ICMP Timestamp Ping -PP
ICMP Address Mask Ping -PM
IP Protocol Ping -PO
ARP Ping -PR
Traceroute --traceroute
Force Reverse DNS Resolution -R
Disable Reverse DNS Resolution -n
Alternative DNS Lookup --system-dns
Manually Specify DNS Server(s) --dns-servers
Create a Host List -sL
Advanced Scanning Functions – Options used in Nmap:
Feature Option
TCP SYN Scan -sS
TCP Connect Scan -sT
UDP Scan -sU
TCP NULL Scan -sN
TCP FIN Scan -sF
Xmas Scan -sX
TCP ACK Scan -sA
Custom TCP Scan --scanflags
IP Protocol Scan -sO
Send Raw Ethernet Packets --send-eth
Send IP Packets --send-ip
Note: You must login with root/administrator privileges (or use the sudo
command) to execute many of the scans discussed in this section.
Port Scanning Options
Feature Option
Perform a Fast Scan -F
Scan Specific Ports -p [port]
Scan Ports by Name -p [name]
Scan Ports by Protocol -p U:[UDP ports],T:[TCP ports]
Scan All Ports -p "*"
Scan Top Ports --top-ports [number]
Perform a Sequential Port Scan -r
Operating System and Service Detection
Feature Option
Operating System Detection -O
Attempt to Guess an Unknown OS --osscan-guess
Service Version Detection -sV
Troubleshooting Version Scans --version-trace
Perform a RPC Scan -sR
Timing Options
Feature Option
Timing Templates -T[0-5]
Set the Packet TTL --ttl
Minimum # of Parallel Operations --min-parallelism
Maximum # of Parallel Operations --max-parallelism
Minimum Host Group Size --min-hostgroup
Maximum Host Group Size --max-hostgroup
Maximum RTT Timeout --max-rtt-timeout
Initial RTT Timeout --initial-rtt-timeout
Maximum Retries --max-retries
Host Timeout --host-timeout
Minimum Scan Delay --scan-delay
Maximum Scan Delay --max-scan-delay
Minimum Packet Rate --min-rate
Maximum Packet Rate --max-rate
Defeat Reset Rate Limits --defeat-rst-ratelimit
➢ Timing Templates
The -T parameter is used to specify a timing template for an Nmap scan.
Usage syntax: nmap -T[0-5] [target]
E.g.: #nmap -T4 192.168.1.1
Template Name Notes
-T0 paranoid Extremely slow
-T1 sneaky Useful for avoiding intrusion detection systems
-T2 polite Unlikely to interfere with the target system
-T3 normal This is the default timing template
-T4 aggressive Produces faster results on local networks
-T5 insane Very fast and aggressive scan
Firewall Evasion Techniques Overview
Firewalls and intrusion prevention systems are designed to prevent tools like
Nmap from getting an accurate picture of the systems they are protecting.
Nmap includes a number of features designed to circumvent these defences.
This section discusses the various evasion techniques built into Nmap.
Feature Option
Fragment Packets -f
Specify a Specific MTU --mtu
Use a Decoy -D
Idle Zombie Scan -sI
Manually Specify a Source Port --source-port
Append Random Data --data-length
Randomize Target Scan Order --randomize-hosts
Spoof MAC Address --spoof-mac
Send Bad Checksums --badsum
Output Options Overview
Feature Option
Save Output to a Text File -oN
Save Output to a XML File -oX
Grepable Output -oG
Output All Supported File Types -oA
Periodically Display Statistics --stats-every
l33t Output -oS
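As an added example (not part of the original report), the following Python parser reads the grepable output produced by -oG and compares each host's open ports against a per-host baseline of expected services, which is how a defender turns a periodic Nmap run into a check for unexpectedly exposed ports. The scan output, hostnames and baseline below are constructed for this example.

```python
"""Parse Nmap grepable (-oG) output and flag open ports outside a baseline.
Added example, not from the original report. In -oG each host is one line of
tab-separated fields; "Ports:" entries are port/state/proto/owner/service/rpcinfo/version/
joined by ", ". The scan output and baseline below are constructed for this example."""

SAMPLE_OG = """\
# Nmap 7.94 scan initiated Thu Nov 14 10:00:00 2024 as: nmap -sV -oG - 192.168.1.1-3
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3389/open/tcp//ms-wbt-server///, 161/open/udp//snmp///\tIgnored State: closed (996)
# Nmap done at Thu Nov 14 10:00:05 2024 -- 3 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

# Expected exposure per host (constructed baseline), as "port/proto" strings.
BASELINE = {"192.168.1.1": {"22/tcp", "80/tcp", "443/tcp"}, "192.168.1.2": {"22/tcp"}}

def parse_grepable(text):
    """Return {ip: {"port/proto": (state, service, version)}} for hosts that report ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]  # "192.168.1.1 (gateway.lan)" -> IP only
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        ports = hosts.setdefault(ip, {})
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
            ports[f"{port}/{proto}"] = (state, service, version)
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Open ports not in the host's baseline; hosts missing from the baseline allow nothing."""
    findings = {}
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(p for p, (state, _, _) in ports.items()
                       if state == "open" and p not in allowed)
        if extra:
            findings[ip] = extra
    return findings

if __name__ == "__main__":
    for ip, extra in unexpected_open_ports(parse_grepable(SAMPLE_OG), BASELINE).items():
        print(f"{ip}: unexpected open ports {extra}")
```

Filtered ports are deliberately not reported, since only an open state means a service is actually reachable; feed the parser the file written by -oG (or the stdout of -oG -) in place of the constructed sample.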
Troubleshooting and Debugging
Technical problems are an inherent part of using computers, and Nmap is no
exception. Occasionally a scan may not produce the output you expected: you
may receive an error, or you may not receive any output at all. Nmap offers
several options for tracing and debugging a scan which can help identify why
this happens. The following section describes these troubleshooting and
debugging features in detail.
Feature Option
Getting Help -h
Display Nmap Version -V
Verbose Output -v
Debugging -d
Display Port State Reason --reason
Only Display Open Ports --open
Trace Packets --packet-trace
Display Host Networking --iflist
Specify a Network Interface -e
Conclusion
Nmap is a versatile and powerful network scanning tool, widely used in
cybersecurity for discovering hosts, services, and vulnerabilities. Its extensive
features and support for scripting make it an essential tool for network
administrators and penetration testers. However, while it performs best on
Unix/Linux systems, users may encounter minor issues on other platforms.
Other tools that can be used alongside Nmap include:
➢ Angry IP Scanner
➢ Nessus
➢ Port scan
➢ Zenmap
➢ Masscan
➢ Netcat, etc.
Nmap Cheat Sheet
Basic Scanning Techniques
Scan a Single Target nmap [target]
Scan Multiple Targets nmap [target1 target2 etc]
Scan a List of Targets nmap -iL [list.txt]
Scan a Range of Hosts nmap [range of ip addresses]
Scan an Entire Subnet nmap [ip address/cidr]
Scan Random Hosts nmap -iR [number]
Excluding Targets from a Scan nmap [targets] --exclude [targets]
Excluding Targets Using a List nmap [targets] --excludefile [list.txt]
Perform an Aggressive Scan nmap -A [target]
Scan an IPv6 Target nmap -6 [target]
Discovery Options
Perform a Ping Only Scan nmap -sP [target]
Don’t Ping nmap -PN [target]
TCP SYN Ping nmap -PS [target]
TCP ACK Ping nmap -PA [target]
UDP Ping nmap -PU [target]
SCTP INIT Ping nmap -PY [target]
ICMP Echo Ping nmap -PE [target]
ICMP Timestamp Ping nmap -PP [target]
ICMP Address Mask Ping nmap -PM [target]
IP Protocol Ping nmap -PO [target]
ARP Ping nmap -PR [target]
Traceroute nmap --traceroute [target]
Force Reverse DNS Resolution nmap -R [target]
Disable Reverse DNS Resolution nmap -n [target]
Alternative DNS Lookup nmap --system-dns [target]
Manually Specify DNS Server(s) nmap --dns-servers [servers] [target]
Create a Host List nmap -sL [targets]
Advanced Scanning Functions
TCP SYN Scan nmap -sS [target]
TCP Connect Scan nmap -sT [target]
UDP Scan nmap -sU [target]
TCP NULL Scan nmap -sN [target]
TCP FIN Scan nmap -sF [target]
Xmas Scan nmap -sX [target]
TCP ACK Scan nmap -sA [target]
Custom TCP Scan nmap --scanflags [flags] [target]
IP Protocol Scan nmap -sO [target]
Send Raw Ethernet Packets nmap --send-eth [target]
Send IP Packets nmap --send-ip [target]
Port Scanning Options
Perform a Fast Scan nmap -F [target]
Scan Specific Ports nmap -p [port(s)] [target]
Scan Ports by Name nmap -p [port name(s)] [target]
Scan Ports by Protocol nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan All Ports nmap -p "*" [target]
Scan Top Ports nmap --top-ports [number] [target]
Perform a Sequential Port Scan nmap -r [target]
Version Detection
Operating System Detection nmap -O [target]
Submit TCP/IP Fingerprints www.nmap.org/submit/
Attempt to Guess an Unknown OS nmap -O --osscan-guess [target]
Service Version Detection nmap -sV [target]
Troubleshooting Version Scans nmap -sV --version-trace [target]
Perform a RPC Scan nmap -sR [target]
Timing Options
Timing Templates nmap -T[0-5] [target]
Set the Packet TTL nmap --ttl [time] [target]
Minimum # of Parallel Operations nmap --min-parallelism [number] [target]
Maximum # of Parallel Operations nmap --max-parallelism [number] [target]
Minimum Host Group Size nmap --min-hostgroup [number] [targets]
Maximum Host Group Size nmap --max-hostgroup [number] [targets]
Maximum RTT Timeout nmap --max-rtt-timeout [time] [target]
Initial RTT Timeout nmap --initial-rtt-timeout [time] [target]
Maximum Retries nmap --max-retries [number] [target]
Host Timeout nmap --host-timeout [time] [target]
Minimum Scan Delay nmap --scan-delay [time] [target]
Maximum Scan Delay nmap --max-scan-delay [time] [target]
Minimum Packet Rate nmap --min-rate [number] [target]
Maximum Packet Rate nmap --max-rate [number] [target]
Defeat Reset Rate Limits nmap --defeat-rst-ratelimit [target]
Firewall Evasion Techniques
Fragment Packets nmap -f [target]
Specify a Specific MTU nmap --mtu [MTU] [target]
Use a Decoy nmap -D RND:[number] [target]
Idle Zombie Scan nmap -sI [zombie] [target]
Manually Specify a Source Port nmap --source-port [port] [target]
Append Random Data nmap --data-length [size] [target]
Randomize Target Scan Order nmap --randomize-hosts [target]
Spoof MAC Address nmap --spoof-mac [MAC|0|vendor] [target]
Send Bad Checksums nmap --badsum [target]