Nmap: The Network Mapper
What is Nmap?
Nmap, short for Network Mapper, is a free, open-source tool for network discovery and vulnerability scanning. Network administrators use Nmap to identify which devices are running on their networks, discover the hosts that are available and the services they offer, find open ports and detect security risks. Nmap can be used to monitor a single host as well as vast networks that encompass hundreds of thousands of devices and many subnets.
Though Nmap has evolved over the years and is extremely flexible, at heart it is a port-scan tool: it gathers information by sending raw packets to system ports, listens for the responses and determines whether each port is open, closed or filtered in some way, for example by a firewall. Other terms for port scanning include port discovery or enumeration.
Creator: Gordon Lyon
Nmap was written in C++ and first introduced, with source code, in Phrack Magazine in September 1997. It has since been extended with C, Perl and Python. Creator Gordon Lyon adopted the pseudonym Fyodor Vaskovitch, which he picked up after reading Fyodor Dostoevsky's Notes from Underground, and still uses the handle Fyodor in his work on Nmap.
Features
Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
Port scanning – Enumerating the open ports on target hosts.
Version detection – Interrogating network services on remote devices to determine application name and version number.
TCP/IP stack fingerprinting – Determining the operating system and hardware characteristics of network devices based on observations of their network activity.
Scriptable interaction with the target – Using the Nmap Scripting Engine (NSE) and the Lua programming language.
Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
Typical uses of Nmap:
Auditing the security of a device or firewall by identifying the network connections which can be made to, or through, it.
Identifying open ports on a target host in preparation for auditing.
Network inventory, network mapping, maintenance and asset management.
Auditing the security of a network by identifying new servers.
Generating traffic to hosts on a network, response analysis and response time measurement.
Finding and exploiting vulnerabilities in a network.
DNS queries and subdomain search.
Nmap Supported Operating Systems
Linux
Windows
Mac OS
Installing Nmap on Linux
To install Nmap on Debian and Debian-based systems such as Ubuntu and Linux Mint, open the Terminal and type the following command:
$ sudo apt-get install nmap
Run Nmap on Linux
Run Nmap by typing the following in the Terminal:
$ sudo nmap
Check out the man pages of Nmap on your Linux system
Open the Terminal and type the following command:
$ man nmap
The Nmap man page is shown in the following image:
Check out the help pages of Nmap on your Linux system
Open the Terminal and type the following command:
$ nmap --help
Install Nmap on Windows
1. Head over to the official Nmap download page. Under the Microsoft Windows Binaries section, click on the latest [stable] Nmap .exe release.
2. Once the Nmap download is complete, double-click on the file to launch the Nmap installer. When asked if you allow this app to make changes to your device, click the Yes button.
3. Click the Agree button when asked about the Nmap License Agreement.
4. On the Choose Components window, select all checkboxes and click Next.
5. Click Install on the Choose Installation Location window.
6. You will be asked a second time to confirm Npcap's License Agreement. Please read the agreement carefully and click the I Agree button.
[Link] the Installation Complete window, click Next, then Finish.
9. Click Next again once prompted. On the Create Shortcuts window, select the respective checkbox if you want a Start Menu or Desktop Nmap shortcut. Click Next, and Finish.
10. Test Nmap on Windows
Let's now test whether Nmap and Zenmap were installed correctly on your Windows machine.
First, open a Command Prompt window (type CMD in the Windows Search box) and run Nmap as Administrator.
Nmap Commands
Target Specification
Switch | Example | Description
 | nmap [Link] | Scan a single IP
 | nmap [Link] [Link] | Scan specific IPs
 | nmap [Link]-254 | Scan a range
 | nmap [Link] | Scan a domain
 | nmap [Link]/24 | Scan using CIDR notation
-iL | nmap -iL [Link] | Scan targets from a file
-iR | nmap -iR 100 | Scan 100 random hosts
--exclude | nmap --exclude [Link] | Exclude listed hosts
Scan Techniques
Switch | Example | Description
-sS | nmap [Link] -sS | TCP SYN port scan (default)
-sT | nmap [Link] -sT | TCP connect port scan (default without root privilege)
-sU | nmap [Link] -sU | UDP port scan
-sA | nmap [Link] -sA | TCP ACK port scan
-sW | nmap [Link] -sW | TCP Window port scan
-sM | nmap [Link] -sM | TCP Maimon port scan
Host Discovery
Switch | Example | Description
-sL | nmap [Link]-3 -sL | No scan. List targets only
-sn | nmap [Link]/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap [Link]-5 -Pn | Disable host discovery. Port scan only
-PS | nmap [Link]-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap [Link]-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap [Link]-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap [Link]-1/24 -PR | ARP discovery on local network
-n | nmap [Link] -n | Never do DNS resolution
Port Specification
Switch | Example | Description
-p | nmap [Link] -p 21 | Port scan for port x
-p | nmap [Link] -p 21-100 | Port range
-p | nmap [Link] -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap [Link] -p- | Port scan all ports
-p | nmap [Link] -p http,https | Port scan from service name
-F | nmap [Link] -F | Fast port scan (100 ports)
--top-ports | nmap [Link] --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap [Link] -p-65535 | Leaving off the initial port in a range makes the scan start at port 1
-p0- | nmap [Link] -p0- | Leaving off the end port in a range makes the scan go through to port 65535
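As an added example that is not part of the original cheat sheet, the following Python parser shows how the -p syntax in the table above is interpreted: inclusive ranges, the defaulted start and end ports, the U:/T: protocol prefixes and service names. The service-name lookup table is an assumption standing in for Nmap's own nmap-services file.

```python
"""Expand Nmap -p port specifications into explicit per-protocol port sets."""
from typing import Dict, Set
# Constructed lookup for the service names this example resolves; real Nmap
# takes them from its nmap-services file (assumption: only these four names).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}

def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {"T": tcp_ports, "U": udp_ports} for a spec such as 'U:53,T:21-25,80'.

    Rules taken from the cheat sheet rows above:
      * '21-100' is an inclusive range and '-' on its own means every port
      * '-65535' defaults the missing start to 1; '0-' runs through to 65535
      * a 'U:' or 'T:' prefix switches protocol until the next prefix;
        ports before any prefix are TCP
      * bare service names such as 'http,https' are looked up by name
    """
    result: Dict[str, Set[int]] = {"T": set(), "U": set()}
    proto = "T"
    for item in spec.split(","):
        item = item.strip()
        if item[:2].upper() in ("T:", "U:"):
            proto, item = item[0].upper(), item[2:]
        if item in SERVICE_PORTS:
            lo = hi = SERVICE_PORTS[item]
        elif "-" in item:
            start, end = item.split("-", 1)
            lo = int(start) if start else 1
            hi = int(end) if end else 65535
        elif item.isdigit():
            lo = hi = int(item)
        else:
            raise ValueError("unrecognised port element %r" % item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r (out of order or out of bounds)" % item)
        result[proto].update(range(lo, hi + 1))
    return result

def is_valid_port_spec(spec: str) -> bool:
    """True when the spec expands cleanly, False on any malformed element."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for spec in ("21", "21-100", "U:53,T:21-25,80", "-", "http,https", "-65535", "0-"):
        ports = parse_port_spec(spec)
        print("%-18s TCP=%5d UDP=%d" % (spec, len(ports["T"]), len(ports["U"])))
```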
Service and Version Detection
Switch | Example | Description
-sV | nmap [Link] -sV | Attempts to determine the version of the service running on the port
-sV --version-intensity | nmap [Link] -sV --version-intensity 8 | Intensity level 0 to 9. A higher number increases the possibility of correctness
-sV --version-light | nmap [Link] -sV --version-light | Enable light mode. Lower possibility of correctness. Faster
-sV --version-all | nmap [Link] -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower
-A | nmap [Link] -A | Enables OS detection, version detection, script scanning, and traceroute
OS Detection
Switch | Example | Description
-O | nmap [Link] -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap [Link] -O --osscan-limit | If at least one open and one closed TCP port are not found, it will not try OS detection against the host
-O --osscan-guess | nmap [Link] -O --osscan-guess | Makes Nmap guess more aggressively
-O --max-os-tries | nmap [Link] -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap [Link] -A | Enables OS detection, version detection, script scanning, and traceroute
Timing and Performance
Switch | Example | Description
-T0 | nmap [Link] -T0 | Paranoid (0): Intrusion Detection System evasion
-T1 | nmap [Link] -T1 | Sneaky (1): Intrusion Detection System evasion
-T2 | nmap [Link] -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
-T3 | nmap [Link] -T3 | Normal (3): the default speed
-T4 | nmap [Link] -T4 | Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap [Link] -T5 | Insane (5): speeds up scans; assumes you are on an extraordinarily fast network
NSE Scripts
Switch | Example | Description
-sC | nmap [Link] -sC | Scan with default NSE scripts. Considered useful for discovery and safe
--script default | nmap [Link] --script default | Scan with default NSE scripts. Considered useful for discovery and safe
--script | nmap [Link] --script=banner | Scan with a single script. Example: banner
--script | nmap [Link] --script=http* | Scan with a wildcard. Example: http*
--script | nmap [Link] --script=http,banner | Scan with two scripts. Example: http and banner
--script | nmap [Link] --script "not intrusive" | Scan with the default scripts, but remove intrusive ones
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin [Link] | NSE script with arguments
Useful NSE Script Examples
Command | Description
nmap -Pn --script=http-sitemap-generator [Link] | HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers
nmap -Pn --script=dns-brute [Link] | Brute-forces DNS hostnames, guessing subdomains
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv [Link] | Safe SMB scripts to run
nmap --script whois* [Link] | Whois query
nmap -p80 --script http-unsafe-output-escaping [Link] | Detect cross-site scripting vulnerabilities
nmap -p80 --script http-sql-injection [Link] | Check for SQL injection
Firewall / IDS Evasion and Spoofing
Switch | Example | Description
-f | nmap [Link] -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu | nmap [Link] --mtu 32 | Set your own offset size
-D | nmap -D [Link],[Link],[Link],[Link] [Link] | Send scans from spoofed IPs
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained
-S | nmap -S [Link] [Link] | Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g | nmap -g 53 [Link] | Use given source port number
--proxies | nmap --proxies [Link] [Link] [Link] | Relay connections through HTTP/SOCKS4 proxies
--data-length | nmap --data-length 200 [Link] | Appends random data to sent packets
Example IDS Evasion command (the timing switch is -T0 as documented above; Nmap has no -t option):
nmap -f -T0 -n -Pn --data-length 200 -D [Link],[Link],[Link],[Link] 192.168.1.
Output
Switch | Example | Description
-oN | nmap [Link] -oN [Link] | Normal output to the file [Link]
-oX | nmap [Link] -oX [Link] | XML output to the file [Link]
-oG | nmap [Link] -oG [Link] | Grepable output to the file [Link]
-oA | nmap [Link] -oA results | Output in the three major formats at once
-oG - | nmap [Link] -oG - | Grepable output to screen. -oN - and -oX - also usable
--append-output | nmap [Link] -oN [Link] --append-output | Append a scan to a previous scan file
-v | nmap [Link] -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap [Link] -d | Increase the debugging level (use -dd or more for greater effect)
--reason | nmap [Link] --reason | Display the reason a port is in a particular state; same output as -vv
--open | nmap [Link] --open | Only show open (or possibly open) ports
--packet-trace | nmap [Link] -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Shows the host interfaces and routes
--resume | nmap --resume [Link] | Resume a scan
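The -oX format is the one to keep when using Nmap for the inventory audits listed earlier (identifying new servers and newly opened ports). As an added example that is not from the Nmap project, this Python script diffs two constructed Nmap XML reports and lists ports that are open now but were not open in the baseline; down hosts and closed or filtered ports are ignored, since only open ports are exposures.

```python
"""Diff two Nmap -oX reports to flag ports that are newly open since a baseline scan."""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple
Inventory = Dict[str, Set[Tuple[str, int, str]]]  # addr -> {(proto, port, service)}

# Constructed sample reports in Nmap's XML layout; 192.0.2.0/24 is a documentation
# range. The new scan adds a host and shows a previously filtered port as open.
BASELINE_XML = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""
CURRENT_XML = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
</ports></host><host><status state="up"/>
<address addr="192.0.2.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
</ports></host><host><status state="down"/>
<address addr="192.0.2.30" addrtype="ipv4"/></host></nmaprun>"""

def open_ports(xml_text: str) -> Inventory:
    """Collect open ports per live IPv4 host; closed and filtered ports are skipped."""
    inventory: Inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # a down host has nothing reachable to report
        found = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                name = svc.get("name", "") if svc is not None else ""
                found.add((port.get("protocol"), int(port.get("portid")), name))
        inventory[addr.get("addr")] = found
    return inventory

def new_exposures(baseline: Inventory, current: Inventory) -> Inventory:
    """Ports open in `current` that the baseline did not have (new hosts count in full)."""
    delta = {a: p - baseline.get(a, set()) for a, p in current.items()}
    return {a: p for a, p in delta.items() if p}

if __name__ == "__main__":
    for addr, ports in sorted(new_exposures(open_ports(BASELINE_XML), open_ports(CURRENT_XML)).items()):
        print(addr, sorted(ports))
```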