Nmap

Brief Details of Nmap

What do we have?

We have the IP/domain name.

We might also have a subnet (an entire range of addresses).

Host Discovery
Whenever we want to scan a target we need to check whether the target is up or not. There is no point scanning a system that is
down.
Nmap performs host discovery before the port scan, which does not take long for a single IP. For an entire
subnet, however, it can take a while.
Therefore we need to separate host discovery from the port scan and run them as two steps.

The flag for host discovery is -sn

Even if you don't pass it explicitly, a normal scan runs host discovery first before scanning ports.

nmap -sn 192.168.10.12/24

Host discovery sends different probes depending on how Nmap is run:

1. Root:

ICMP echo request

TCP SYN to port 443

TCP ACK to port 80

ICMP timestamp request

If it gets a response to any of these four probes, Nmap reports the host as up.

2. Local:

TCP SYN to port 443

TCP ACK to port 80

If it gets a response to either of these two probes, Nmap reports the host as up.

If you don't want to do host discovery and want to skip straight to port scanning (treating every host as up), the flag is -Pn

nmap -Pn 192.168.10.12
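From the defender's side, the four root-mode probes above are a recognisable pattern: any one of them is ordinary traffic, but the combination from a single source in a short window is characteristic of host discovery. The following Python is an added example, not code from the original notes: it walks a list of constructed firewall records and flags sources that emitted at least three of the four probe types within a 60-second window. The record layout, the addresses, the window and the threshold are all assumptions made for this example.

```python
# Added example (not part of the original notes): flag sources whose traffic
# matches the default root host-discovery probe set listed above
# (ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request).
# The record layout, the addresses and the thresholds are all assumptions
# made for this example; the records below are constructed, not real logs.
from collections import defaultdict

# Constructed firewall records:
# (epoch_seconds, src_ip, dst_ip, proto, dst_port, tcp_flags, icmp_type)
LOG = [
    (1000, "10.0.0.5", "10.0.1.1", "icmp", None, None, 8),   # echo request
    (1000, "10.0.0.5", "10.0.1.1", "tcp", 443, "S", None),   # SYN to 443
    (1000, "10.0.0.5", "10.0.1.1", "tcp", 80, "A", None),    # bare ACK to 80
    (1000, "10.0.0.5", "10.0.1.1", "icmp", None, None, 13),  # timestamp request
    (1001, "10.0.0.5", "10.0.1.2", "icmp", None, None, 8),
    (1001, "10.0.0.5", "10.0.1.2", "tcp", 443, "S", None),
    (1001, "10.0.0.5", "10.0.1.2", "tcp", 80, "A", None),
    (1001, "10.0.0.5", "10.0.1.2", "icmp", None, None, 13),
    (1500, "10.0.0.9", "10.0.1.1", "tcp", 443, "S", None),   # ordinary HTTPS connect
    (1500, "10.0.0.9", "10.0.1.1", "tcp", 443, "A", None),   # ...its handshake ACK
    (1900, "10.0.0.9", "10.0.1.1", "icmp", None, None, 8),   # a plain ping
]


def probe_kind(rec):
    """Map one record to the discovery probe it resembles, or None."""
    _, _, _, proto, dport, flags, icmp_type = rec
    if proto == "icmp" and icmp_type == 8:
        return "icmp-echo"
    if proto == "icmp" and icmp_type == 13:
        return "icmp-timestamp"
    if proto == "tcp" and dport == 443 and flags == "S":
        return "syn-443"
    if proto == "tcp" and dport == 80 and flags == "A":
        return "ack-80"
    return None


def find_discovery_sweeps(records, window=60, min_kinds=3):
    """Return {src: {"kinds": [...], "targets": n}} for every source that sent
    at least `min_kinds` distinct probe types within `window` seconds.
    Any single probe is ordinary traffic; the combination is the signal, and
    a bare ACK to 80 with no preceding handshake is the least ambiguous part."""
    by_src = defaultdict(list)
    for rec in records:
        kind = probe_kind(rec)
        if kind is not None:
            by_src[rec[1]].append((rec[0], rec[2], kind))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            kinds = {e[2] for e in in_window}
            if len(kinds) >= min_kinds:
                hits[src] = {"kinds": sorted(kinds),
                             "targets": len({e[1] for e in in_window})}
                break
    return hits


if __name__ == "__main__":
    for src, info in find_discovery_sweeps(LOG).items():
        print(f"{src}: {len(info['kinds'])} probe types across "
              f"{info['targets']} targets -> {info['kinds']}")
```

On the constructed records only 10.0.0.5 is reported; 10.0.0.9 makes a normal HTTPS connection and a ping, which together never reach three probe types. Lowering `min_kinds` trades false positives for sensitivity, and the `targets` count is what separates a sweep of a subnet from a check against one host.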

How to check if port is open?


The TCP three-way handshake goes like this: the client sends SYN, the server replies with SYN+ACK, and the client answers with ACK.

So if you send a SYN to a port and it responds with SYN+ACK, you know that port is open.
However, if you send a SYN packet and it responds with a RST packet, that means the port is closed.

Scanning Target
By default this scans the 1000 most common TCP ports on every IP in the range given:

# For Single IP
nmap 192.168.10.12

# For a Subnet
nmap 192.168.10.12/24

# For an IP Range
nmap 192.168.10.12-120

# For Selective IPs
nmap 192.168.10.12 192.168.11.2

# To Scan IPs in a text file
nmap -iL IPs.txt

# To Scan a domain
nmap example.com

For scanning specific ports

# Single Port
nmap 192.168.10.12 -p80

# Range of ports
nmap 192.168.10.12 -p10-20

# Selective ports
nmap 192.168.10.12 -p21,22,53,80,8080,443

# Protocol specific (the U: ports are only scanned if -sU is also given)
nmap 192.168.10.12 -pT:22,U:53

# For all ports (1-65535)
nmap 192.168.10.12 -p-

# For the top N most common ports, e.g. 10, 100 or 1000
nmap 192.168.10.12 --top-ports <NO_OF_PORT>

Task: Scan an entire network and then extract the IP addresses

nmap -sn scanme.nmap.org/24 | tee -a nmapscan.txt

# -o prints only the matched address, so this works whether the report line reads "Nmap scan report for host (IP)" or just "Nmap scan report for IP"
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' nmapscan.txt | tee -a ips.txt
nmap -iL ips.txt
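The same extraction done in Python, as an added example that is not part of the original notes. It handles the two shapes an `nmap -sn` report line can take (with a hostname and the address in parentheses, or a bare address when reverse DNS failed) and skips the `[host down]` lines that verbose mode prints. The sample output, hostnames and addresses are constructed for this example.

```python
# Added example (not part of the original notes): pull live host addresses
# out of `nmap -sn` output in Python rather than with grep/cut. The output
# below is constructed for this example; hostnames and addresses are made up.
import re

SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for gateway.lan (192.168.10.1)
Host is up (0.0012s latency).
Nmap scan report for 192.168.10.12
Host is up (0.0040s latency).
Nmap scan report for 192.168.10.13 [host down]
Nmap scan report for printer.lan (192.168.10.50)
Host is up (0.0031s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SCAN_REPORT = re.compile(
    rf"^Nmap scan report for "
    rf"(?:(?P<host>\S+) \((?P<ip>{IPV4})\)"   # "hostname (ip)" when reverse DNS succeeded
    rf"|(?P<bare_ip>{IPV4}))"                 # bare "ip" when it did not
    rf"(?P<down> \[host down\])?\s*$"         # suffix nmap prints for down hosts in verbose mode
)


def parse_scan_reports(text):
    """Yield (ip, hostname_or_None, is_up) for every 'Nmap scan report' line."""
    for line in text.splitlines():
        m = SCAN_REPORT.match(line)
        if m is None:
            continue
        ip = m.group("ip") or m.group("bare_ip")
        yield ip, m.group("host"), m.group("down") is None


def live_hosts(text):
    """Unique addresses of hosts reported as up, in scan order (ready for -iL)."""
    ips = []
    for ip, _host, is_up in parse_scan_reports(text):
        if is_up and ip not in ips:
            ips.append(ip)
    return ips


if __name__ == "__main__":
    # Redirect this to a file to get the target list for `nmap -iL ips.txt`
    print("\n".join(live_hosts(SAMPLE_OUTPUT)))
```

Matching on the `Nmap scan report for` prefix, rather than on any dotted quad in the file, also keeps addresses that appear elsewhere in the output (for example in a `MAC Address` or `Nmap done` line) out of the target list.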

Scan Techniques
A TCP or UDP port number identifies a service running on a host.

1. Closed port: there is no service listening on this port.

2. Open port: there is a service listening on this port.

Nmap reports one of the following six port states:

1. Open: indicates that a service is listening on the specified port.

2. Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we
mean that it is reachable and is not blocked by a firewall or other security appliances/programs.

3. Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is
usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the
port; alternatively, the responses are blocked from reaching Nmap’s host.

4. Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is
encountered when using an ACK scan (-sA).

5. Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.

6. Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.

To get service and version information for the open ports you can do:

sudo nmap -sV TARGET

# With -sV, Nmap completes the TCP three-way handshake and talks to each open service to discover its version.

To get the OS version of the machine you're trying to map (this needs raw-packet privileges, hence sudo), do:

sudo nmap -sS -O TARGET

If you want Nmap to find the routers between you and the target, use --traceroute. Unlike the classic traceroute, Nmap's traceroute starts with a high TTL and keeps decreasing
it:

sudo nmap -sS --traceroute TARGET

To run a SYN scan against MACHINE_IP and execute the default scripts, the
command is sudo nmap -sS -sC MACHINE_IP, where -sC makes Nmap execute the default script category after the SYN
scan. The scripts live in /usr/share/nmap/scripts.

sudo nmap -sS -sC TARGET

# Run one script by name, or every script whose name matches a pattern; -n skips reverse DNS lookups
sudo nmap -sS -n --script "http-date" MACHINE_IP
sudo nmap -sS -n --script "ftp*" MACHINE_IP
