Let’s Recall: Nmap (Part-1)
What is Nmap?
Network Mapper (Nmap) is a free and open source utility for network discovery and security auditing.
What can you do with Nmap?
With Nmap we can determine which hosts are available on the network, what services (application name and version) those hosts are offering, and what operating systems (and OS versions) they are running.
“Nmap can be used to scan huge networks of literally hundreds of thousands of machines. It supports TCP and UDP port scanning techniques. Most operating systems support Nmap, including Linux, Windows and macOS.”
Now let’s see the Nmap scan commands.
Syntax: nmap <scantype> <options> <target>
Single IP scan :
nmap 192.168.0.1
To scan a single IP address.
Host scan :
nmap scanme.nmap.org
When we only know the host name and don’t have the IP address, we can specify the host name directly.
Scan IP range :
nmap 192.168.0.1-5
When we want to scan a range of addresses we can use this syntax. It will scan 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4 and 192.168.0.5.
Scan subnet:
nmap 192.168.0.1/24
When we want to scan a whole subnet we can use the above syntax; the prefix length can be /16, /8 or /24 according to our need.
Scan Target from text file
nmap -iL target.txt
When the IP addresses to scan are stored in a text file, we can use -iL to read the targets from that file.
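To make clear exactly which addresses each of the target forms above covers, here is an added Python helper (not part of the original post, and not Nmap’s own target parser) that expands a target specification the way Nmap does. It handles the single IP, hostname, octet-range and CIDR forms shown above, plus a whitespace-separated target file as read by -iL; it goes slightly beyond the post’s example in that a range is accepted in any octet (for example 10.0.0-1.1-5). Hostnames are returned unresolved because this runs offline. The `target.txt` contents in the usage section are constructed.

```python
import ipaddress
import itertools
import re
from typing import List

# Matches one octet spec: a number or a low-high range.
_OCTET_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _expand_octet(part: str) -> List[int]:
    """Turn '5', '1-5' or '*' into the list of octet values it covers."""
    if part == "*":
        return list(range(256))
    m = _OCTET_RE.match(part)
    if not m:
        raise ValueError(f"bad octet spec: {part!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if not (0 <= lo <= hi <= 255):
        raise ValueError(f"octet range out of bounds: {part!r}")
    return list(range(lo, hi + 1))


def expand_target(spec: str) -> List[str]:
    """Expand one Nmap-style target spec into the addresses a scan would touch.

    Hypothetical helper: mirrors Nmap's target syntax for the forms in this
    post, but is not Nmap's own code.
    """
    spec = spec.strip()
    if "/" in spec:
        # CIDR: Nmap scans every address in the block, including the
        # network and broadcast addresses, so 192.168.0.1/24 is 256 hosts.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(p == "*" or _OCTET_RE.match(p) for p in parts):
        octets = [_expand_octet(p) for p in parts]
        return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    # Anything else is treated as a hostname; Nmap resolves it via DNS,
    # which this offline helper does not attempt.
    return [spec]


def expand_target_file(text: str) -> List[str]:
    """Equivalent of -iL: targets separated by spaces, tabs or newlines."""
    hosts: List[str] = []
    for token in text.split():
        hosts.extend(expand_target(token))
    return hosts


if __name__ == "__main__":
    # Constructed stand-in for the contents of target.txt.
    target_txt = "192.168.0.1-5\nscanme.nmap.org\n10.0.0.0/30\n"
    for host in expand_target_file(target_txt):
        print(host)
```

Running the block prints the five addresses of the range, the unresolved hostname, and the four addresses of the /30, which is a quick way to sanity-check a target list before handing it to Nmap.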
Scan single port
nmap -p 21 192.168.0.1
Sometimes we want to scan one particular port; we can specify a single port with -p port_number. Nmap will then scan only that port on the target system.
Scan port range
nmap -p 21-30 192.168.0.1
Sometimes we need to scan specific ports that fall within a range; for that we can use -p start_port_number-end_port_number.
Scan all ports
nmap -p- 192.168.0.1
When we want to scan all 65535 ports we can use -p-. It will scan all 65535 ports on the target system.
Scan 100 common Port
nmap -F 192.168.0.1
Sometimes we want to scan ONLY the top 100 ports; for that we can use -F. It scans the 100 most popular ports.
Scan top ports
nmap --top-ports 1000 192.168.0.1
The --top-ports option lets you specify how many ports you wish to scan; Nmap then picks that many of the most popular ports for you.
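The -p forms above (a single port, a range, a comma list and the bare -p-) all map to one set of port numbers, and it helps to be able to see how many ports a given spec will really send probes to. This is an added Python helper, not from the original post and not Nmap’s own parser; it covers the syntax shown in this post plus open-ended ranges such as 21- and -30, and deliberately does not handle the T:/U: protocol prefixes or service names that Nmap also accepts.

```python
from typing import Set

MAX_PORT = 65535


def parse_port_spec(spec: str) -> Set[int]:
    """Expand an Nmap -p argument into the set of port numbers it names.

    Hypothetical helper (not Nmap's parser). Accepts '21', '21-30',
    '22,80,443,8000-8010', open-ended '21-' / '-30', and the bare '-'
    used by -p- (ports 1-65535). Port 0 is only included when written
    explicitly, matching Nmap's behaviour.
    """
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in spec")
        if item == "-":
            lo, hi = 1, MAX_PORT
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def probe_count(spec: str) -> int:
    """Number of ports a scan with this -p value would probe per host."""
    return len(parse_port_spec(spec))


if __name__ == "__main__":
    for s in ("21", "21-30", "22,80,443,8000-8010", "-"):
        print(f"-p {s!r:24} -> {probe_count(s)} ports")
```

The last line of the printed table shows why -p- is so much slower than -F or --top-ports: it probes 65535 ports per host, against 100 or 1000.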
Full Scan (TCP full scan) or TCP Connect Scan
nmap -sT 192.168.0.1
In this scan the TCP 3-way handshake is completed with the target system: Nmap asks the underlying operating system to establish a connection with the target by issuing the connect() system call. A TCP connect scan therefore establishes a full connection with the target.
Half-Scan (SYN Scan)
nmap -sS 192.168.0.1
TCP SYN scan is the most popular scan and Nmap’s default. But we need to remember that this default only applies when we are running as root; otherwise the full (connect) scan is the default.
Interview question: “Does a SYN scan require root privileges?” Answer: “Yes, we need root privileges to perform a SYN scan.”
UDP port Scan
nmap -sU 192.168.0.1
UDP scan sends a UDP packet to every port of the target and waits for a response (add -p to restrict it to specific ports). If it receives an ICMP port unreachable error, the port is closed. If it gets any UDP response back, the port is open. When nothing comes back at all, Nmap cannot tell the two cases apart and reports the port as open|filtered.
No ping Scan (disabled host discovery process)
nmap -Pn 192.168.0.1
The -Pn flag tells Nmap to skip host discovery and treat the host as up, whether or not it responds to a ping.
Fast Scan
nmap -F 192.168.0.1
Scans just the 100 most popular ports with -F.
Detect OS and Service
nmap -A 192.168.0.1
With -A we get OS detection and version detection, and we also get traceroute information.
Only Service detection
nmap -sV 192.168.0.1
-sV finds the versions of the services running on the target system.
Save output in file
nmap -oN output.txt 192.168.0.1
Requests that normal output be directed to the given filename.
Save result as XML
nmap -oX output.xml 192.168.0.1
Requests that XML output be directed to the given filename.
Save output in all formats
nmap -oA output 192.168.0.1
To store scan results in normal, XML, and grepable formats at once.
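The reason to keep the XML (-oX, or the .xml file that -oA writes) is that it is the output format meant for tools, not eyes. The following is an added Python example, not code from the original post or from the Nmap project, that reads an Nmap XML report with the standard library and lists the open ports with their detected service and version. The SAMPLE_XML document is constructed for the example and trimmed to the elements the parser uses; it mimics the structure of real -oX output but is not a real scan result.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `nmap -sV -oX output.xml 192.168.0.1`
# output (not a real scan; only the elements read below are included).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.0.1" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="router.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="1.50"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def _attr(el: Optional[ET.Element], name: str, default=None):
    """Attribute lookup that tolerates a missing element."""
    return el.get(name, default) if el is not None else default


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Parse Nmap -oX output into one dict per host with its port table.

    xml.etree is adequate for reports you generated yourself; for XML
    from an untrusted source use the defusedxml package instead.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    hosts: List[Dict] = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address is present (e.g. ipv6)
            addr_el = host.find("address")
        ports = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": _attr(port.find("state"), "state", "unknown"),
                "service": _attr(svc, "name"),
                "product": _attr(svc, "product"),
                "version": _attr(svc, "version"),
            })
        hosts.append({
            "addr": _attr(addr_el, "addr"),
            "hostname": _attr(host.find("hostnames/hostname"), "name"),
            "state": _attr(host.find("status"), "state", "unknown"),
            "ports": ports,
        })
    return hosts


def open_services(hosts: List[Dict]) -> List[Tuple[str, int, str, str]]:
    """Flatten parsed hosts into (addr, port, service, banner) rows for open ports."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            banner = " ".join(x for x in (p["product"], p["version"]) if x)
            rows.append((h["addr"], p["port"], p["service"] or "?", banner or (p["service"] or "?")))
    return rows


if __name__ == "__main__":
    # Replace SAMPLE_XML with open("output.xml").read() for a real report.
    for addr, port, service, banner in open_services(parse_nmap_xml(SAMPLE_XML)):
        print(f"{addr}:{port}\t{service}\t{banner}")
```

Feeding the same parser a report from a later scan and diffing the two `open_services` lists is the simplest way to notice a newly exposed service on a host you administer, which is what the saved XML is for.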
Default Script Scan
nmap -sC 192.168.0.1
Performs a script scan using the default set of scripts.
It is equivalent to --script=default
Find Nmap Cheatsheet from this link: https://github.com/raj1997/cheatsheet/blob/master/Nmap/README.md
We will see more Nmap commands in part 2, such as Xmas scan, ping scan, FIN scan, ACK scan, etc.