What is Nmap?
Nmap (short for Network Mapper) is a free, open-source command-line tool for network discovery and security auditing. It runs on Linux, Windows and macOS and works by sending packets to hosts and interpreting the replies.
Nmap is used to find which hosts are live on a network, discover their open ports and the services listening on them, and, through its scripting engine, check those services for known vulnerabilities and misconfigurations.
Features of Nmap:
- It quickly identifies the devices on a network, including servers, routers, switches and mobile devices.
- It identifies the services running on a host, such as web servers and DNS servers.
- It detects application versions with reasonable accuracy, which lets you look up known vulnerabilities for the exact version found.
- It can fingerprint the operating system of a device, often down to the version, which makes it easier to plan the next steps of a penetration test.
- It comes with a graphical front end, Zenmap, which builds visual maps of a network and is useful for usability and reporting.
How to Install Nmap:
To install Nmap on Ubuntu or Debian Distribution:
sudo apt-get install nmap
To install Nmap on CentOS/RHEL (on newer releases dnf replaces yum, with the same syntax):
sudo yum install nmap
How to Use Nmap:
Ping scan (host discovery) — Lists the hosts that are up on a given subnet without port scanning them. The option is -sn; Nmap options are case sensitive, and -sP is the older spelling of the same option.
nmap -sn 192.168.1.1/24
Scan a single host — Run with nothing but a hostname or IP address, Nmap scans the 1000 most commonly used TCP ports on that host. These cover the popular services such as HTTP and HTTPS, SSH, SMTP, DNS and databases like MySQL. Ports outside this list are not touched unless you ask for them with -p (see Port Scanning below).
Stealth scan (TCP SYN scan) — Nmap sends a SYN packet to each port and classifies the port by the reply: a SYN/ACK means the port is open (a TCP connection could be established), an RST means it is closed, and no reply or an ICMP unreachable error means it is filtered by a firewall.
Nmap never completes the three-way handshake; it answers the SYN/ACK with an RST, so the listening application never sees a connection and nothing appears in its logs. The scan is not invisible, though: firewalls and intrusion detection systems log half-open connections routinely. A SYN scan needs raw-socket privileges (run Nmap as root) and is the default scan type when those privileges are available.
nmap -sS scanme.nmap.org
Version scanning — Knowing the exact application and version behind each open port is a crucial part of penetration testing. With -sV, Nmap sends probes to the open ports and matches the banners it gets back against its service database. You can then search the Common Vulnerabilities and Exposures (CVE) database for that version and, where a public exploit exists, use it through an exploitation framework such as Metasploit.
nmap -sV scanme.nmap.org
Aggressive Scanning — The -A option enables OS detection, version detection, default script scanning and traceroute in one go.
Aggressive scans return far more information than plain port scans, but they send many more probes (including scripts that interact with the services) and are much more likely to be noticed by the target's monitoring, so avoid them where stealth matters.
nmap -A scanme.nmap.org
OS Scanning — In addition to the services and their versions, Nmap can fingerprint the underlying operating system by comparing the target's TCP/IP stack behaviour against its fingerprint database (-O). It also tries to estimate the system's uptime from TCP timestamps during an OS scan. OS detection works best when the target has at least one open and one closed TCP port to probe.
nmap -O scanme.nmap.org
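To see what the SYN, version and OS scans above actually return, here is an added example (it is not from this page and not Nmap's own code) that parses Nmap's XML report, the -oX output format, into a structured result: the state and reason of each port from the SYN scan, the product, version and CPE identifiers from -sV, and the best OS match and uptime from -O. The XML is constructed by hand to resemble a scan of scanme.nmap.org (the address, versions and OS match are illustrative, not a captured result), and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling `nmap -sS -sV -O -oX - scanme.nmap.org`.
# Values are illustrative, not a captured scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX - scanme.nmap.org" version="7.94">
<host>
  <status state="up" reason="echo-reply"/>
  <address addr="45.33.32.156" addrtype="ipv4"/>
  <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
  <ports>
    <extraports state="closed" count="996"/>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="6.6.1p1 Ubuntu 2ubuntu2.13" method="probed" conf="10">
        <cpe>cpe:/a:openbsd:openssh:6.6.1p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="Apache httpd" version="2.4.7" method="probed" conf="10">
        <cpe>cpe:/a:apache:http_server:2.4.7</cpe></service></port>
    <port protocol="tcp" portid="135"><state state="filtered" reason="no-response"/>
      <service name="msrpc" method="table" conf="3"/></port>
    <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/>
      <service name="tcpwrapped" method="table" conf="8"/></port>
  </ports>
  <os>
    <osmatch name="Linux 4.15 - 5.8" accuracy="95"/>
    <osmatch name="Linux 5.0 - 5.4" accuracy="93"/>
  </os>
  <uptime seconds="123456" lastboot="Mon Jan  1 00:00:00 2024"/>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per live host with its ports, best OS match and uptime."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        entry = {
            "address": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "ports": [],
            "os": None,  # (name, accuracy) of the best osmatch
            "uptime_seconds": None,
        }
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            # reason records what the SYN probe got back: syn-ack -> open,
            # reset -> closed, no-response / ICMP error -> filtered.
            rec = {
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                # method="probed" means -sV matched a real banner; "table" is
                # only the default name for that port number and proves nothing.
                "version_confirmed": svc is not None and svc.get("method") == "probed",
                "product": "",
                "cpes": [],
            }
            if svc is not None:
                rec["product"] = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                rec["cpes"] = [c.text for c in svc.findall("cpe")]
            entry["ports"].append(rec)
        matches = [(m.get("name"), int(m.get("accuracy", 0))) for m in host.iterfind("os/osmatch")]
        if matches:
            entry["os"] = max(matches, key=lambda m: m[1])
        uptime = host.find("uptime")
        if uptime is not None:
            entry["uptime_seconds"] = int(uptime.get("seconds"))
        hosts.append(entry)
    return hosts


def cpes_to_check(hosts):
    """Application CPEs from open ports whose version was actually probed.
    These are the identifiers to match against a CVE feed; tcpwrapped and
    table-guessed services are skipped because their version is unknown."""
    cpes = set()
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open" and p["version_confirmed"]:
                cpes.update(c for c in p["cpes"] if c.startswith("cpe:/a:"))
    return sorted(cpes)


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(f'{h["address"]} ({h["hostname"]}) OS guess: {h["os"]} uptime: {h["uptime_seconds"]}s')
        for p in h["ports"]:
            print(f'  {p["port"]}/{p["proto"]} {p["state"]:<8} ({p["reason"]}) {p["service"]} {p["product"]}')
    print("CPEs to look up:", cpes_to_check(hosts))
```

Two details matter in practice: the `reason` attribute tells you why a port was classified as it was (a SYN scan that sees only `no-response` for a whole range usually means a firewall, not a quiet host), and the `method` attribute distinguishes a version Nmap actually probed from a guess based on the port number, so only probed services are worth a CVE lookup.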
Scanning Multiple Hosts — Nmap can scan many hosts in a single run, which is handy when you manage a large network.
You can specify multiple targets in several ways:
- List the IP addresses (or hostnames) separated by spaces on one command line to scan them all in the same run.
nmap 126.96.36.199 188.8.131.52 184.108.40.206
- Use an asterisk (*) in place of an octet to scan every value of that octet, which covers a whole /24 when used as the last octet.
- Use commas to give several values for an octet instead of typing each full address.
- Use a hyphen to give a range of values for an octet.
Port Scanning — Port scanning is one of the most fundamental features of Nmap. You can choose the ports to scan in several ways.
- Use the -p option to scan a single port.
nmap -p 973 220.127.116.11
- Prefix the list with T: or U: to restrict it to TCP or UDP ports. Do not put spaces after the commas: the shell would split the list into separate arguments and Nmap would treat the rest as target names.
nmap -p T:7777,973 18.104.22.168
- A range of ports is written with a hyphen.
nmap -p 76-973 22.214.171.124
- You can also use the --top-ports option to scan the n most commonly open ports according to Nmap's frequency data.
nmap --top-ports 10 scanme.nmap.org
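The target notation in the previous section and the -p notation in this one follow the same pattern: single values, hyphen ranges, comma lists, an asterisk wildcard for an octet, CIDR blocks for targets and T:/U: prefixes for ports. The following added example, which is not Nmap's code, re-implements that syntax in Python so you can preview exactly which addresses and ports a command line will touch before a single packet is sent. It goes slightly beyond the page by also handling -p- (all ports) and open-ended ranges such as 80-, covers only dotted-quad IPv4 targets (no hostnames or IPv6), and the function names are my own.

```python
import ipaddress
from itertools import product

# Added example: a re-implementation of Nmap's target and -p syntax for
# previewing a scan. It is not Nmap's code and covers IPv4 dotted quads only.


def _octet_values(field):
    """One dotted-quad field: '5', '1-20', '*', '1,5,9' or a mix like '1-3,7'."""
    if field == "*":
        return list(range(256))
    values = []
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_targets(spec):
    """Expand space-separated targets such as '10.0.0.1-3 192.168.1.* 10.1.1.0/30'."""
    addrs = []
    for token in spec.split():
        if "/" in token:
            # strict=False: host bits may be set; like Nmap we scan the enclosing
            # block, including its network and broadcast addresses.
            addrs.extend(str(ip) for ip in ipaddress.ip_network(token, strict=False))
            continue
        fields = token.split(".")
        if len(fields) != 4:
            raise ValueError(f"unsupported target {token!r} (hostnames are not handled)")
        # Each octet may expand to several values; take every combination in order.
        for combo in product(*(_octet_values(f) for f in fields)):
            addrs.append(".".join(map(str, combo)))
    return addrs


def expand_ports(spec):
    """Parse -p syntax: '22,80', '76-973', 'T:7777,973', 'U:53,T:21-25', '-' (all).
    A T: or U: prefix applies to every entry after it until the next prefix,
    which is how Nmap reads it; entries without any prefix are TCP."""
    ports = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for part in spec.replace(" ", "").split(","):
        if ":" in part:
            prefix, part = part.split(":", 1)
            proto = {"T": "tcp", "U": "udp"}[prefix.upper()]
        if not part:
            continue
        lo, dash, hi = part.partition("-")
        lo = int(lo) if lo else 1                          # '-80' means 1-80
        hi = int(hi) if hi else (65535 if dash else lo)    # '80-' means 80-65535, '-' means all
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ports[proto].update(range(lo, hi + 1))
    return {k: sorted(v) for k, v in ports.items()}


if __name__ == "__main__":
    print(expand_targets("10.0.0.1-3 10.1.1.0/30"))
    print(len(expand_targets("192.168.1.*")), "addresses in 192.168.1.*")
    print(expand_ports("T:7777,973"))
    print(expand_ports("U:53,T:21-25"))
```

Writing the output of expand_targets one address per line gives you a file you can hand to Nmap's -iL option (covered in the next section), and checking expand_ports against what the engagement authorises catches mistakes such as the stray space in a port list before the scan runs.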
Scanning from a File — To scan a long list of targets, put one target per line in a file and pass it to Nmap with -iL.
nmap -iL /input_ips.txt
Nmap Help — Running nmap -h (or nmap with no arguments) prints a summary of all the options. It is often handy given the number of command-line arguments Nmap accepts.
Nmap Scripting — The Nmap Scripting Engine (NSE) ships with hundreds of built-in scripts for tasks such as service enumeration, brute-force login checks and vulnerability detection, which saves a lot of manual work during a pentest. Scripts are selected with --script, and the default set is the one -A runs.
You can read the documentation of every installed script by passing a wildcard to --script-help:
nmap --script-help "*"