A short tutorial for using NMAP
I hear a lots of questions like, how do we scope assets, or how do I manage my asset inventory. Well the answer is NMAP. Nmap is a quite handy tool, that'll allow you to map ip address with assets, create an asset inventory, or even a small vulnerability scans. Here we'll talk about how to run an nmap full scan, nmap all port scan or nmap specific port scan
For all those newbies out there, I’m just starting from
scratch. As you all know NMAP means network mapping. This is a small tool which
every pentester and network/system administrator must know. Most of my friends
complain that Nmap is so vast; they don’t know how to set or why to set certain
attributes before initiating a scan. To understand the working of Nmap
properly, you need to how a system works in network. I’m not planning to go
into core basics, but we’ll touch whatever is essential.
TCP connect scan
TCP connect scan is the commonly used default TCP scan type.
The Nmap asks the host operating system (Operating system in which Nmap is
installed) to establish a connection with the target machine via port by
issuing the connect system call. This is the same high-level system call which
is used web browsers, P2P clients, ftp, ssh and most other network based applications
use to establish a connection. It is part of a socket programming interface
known as the Berkeley Sockets API. Nmap uses this very same API to obtain
status information of each port on each connection attempt.
-sS (TCP SYN scan)
SYN scan is the most popular scan option for good reasons.
It provides quick scanning of thousands of ports per second on a very fast
network. The probes are not hampered by restrictive firewalls. It is also
relatively unobtrusive, very stealthy, since it never completes a full TCP handshake.
SYN scan will work against any compliant TCP stack rather than depending on any
specific platforms. It also allows clear, reliable differentiation between the
open, closed, and filtered states.
How to Install Nmap
If you don’t have the Nmap installed then,
For windows install pcap first and download the nmap from
official site
linux users simply hit the command
# yum install nmap (for
Red Hat based systems)
$ sudo apt-get install nmap (for
Debian based systems)
An Nmap command typically has 3 parts Scan type, options and
target. But its not always mandatory that we supply the command with scan type
and options. In short these two attributes are optional
.
To do a simple scan, you need simply call Nmap and supply
the target’s hostname/domainname/ipaddress or simply nmap full scan
root@attacker#nmap example.com
root@attacker#nmap 192.168.1.1
Now answer to one of the challenging question by an admin “how do I create
asset inventory”
root@attacker#nmap
-sP 192.168.1.0/24
This command will skip port detection and tries to find out
which machine are alive. Or else you can try
root@attacker#nmap –sS –oN /root/Desktop/asset.txt
192.168.1.0/24
sS stands for stealth scan
oN stands for output followed by the save location
192.168.1.0/24 is my network address with CIDR value.
Which is much deeper scan and provide accurate results.
If you are looking for all machines with a particular
service running like Databases or any other web-services you can use nmap specific port scan
root@attacker#nmap –sS –p22
--open –oN /root/Desktop/service.txt 192.168.1.0/24
This will give a list all machines with ssh (port 22) open
in my network
If there is a case in which you only need to scan few
machine then, simply add the ip address as shown below
root@attacker#nmap –sS–oN /root/Desktop/maptxt 192.168.1.1
192.168.1.2 192.168.1.2
But if the ip addresses are consecutive address then, simply
add the ip address as shown below
root@attacker#nmap –sS–oN /root/Desktop/maptxt
192.168.1.1-125
pentesters can also use –sV and –sC options for service
version fingerprinting and also a basic script scan, just like a vulnerability
scan.
If you already have asset list, and you want Nmap to scan
only those Ip address then,
root@attacker#nmap -iL assetlist.txt
Below I’m pasting a set of Nmap commands which will be handy
for various uses.
Nmap Cheat Sheet
Scan system for OS information and Traceroute
root@attacker#nmap -A
192.168.1.1
OS detection/ OS fingerprinting
root@attacker#nmap -O
192.168.1.1
Nmap Firewall Detection
root@attacker#nmap
-sA 192.168.1.1
Nmap all port scan
root@attacker#nmap -p 1-65535
192.168.1.1
Nmap fast scan
root@attacker#nmap -F
192.168.1.1
Nmap scan by defining protocols,
root@attacker#nmap –p
T:22 192.168.1.1
for TCP port
root@attacker#nmap
-sU 22 192.168.1.1
for UDP port
Nmap scanning if, ICMP is blocked or disabled
root@attacker#nmap -PS
22 192.168.1.1
Uses SYN packet
root@attacker#nmap -PA
22 192.168.1.1
Uses ACK packet
root@attacker#nmap
-sN 22 192.168.1.1
Comments
Post a Comment