Nmap (Network Mapper) is a powerful and widely used open-source tool for network discovery and security auditing. It can be used to discover hosts, services, operating systems, and other information on a computer network. Nmap is often used for tasks like vulnerability scanning, network inventory, and security auditing.
Basic Syntax
nmap [options] [target]
Common Nmap Commands and Options
- Simple Host Discovery: To perform a basic scan to discover live hosts on a network:
nmap 192.168.1.0/24
This scans the entire 192.168.1.0 subnet (with a /24 mask) to discover active hosts.
- Port Scanning (Scan Specific Ports): To scan specific ports on a target host (e.g., ports 80 and 443):
nmap -p 80,443 192.168.1.1
- Scan All Ports: To scan all 65535 ports on a target:
nmap -p- 192.168.1.1
- Service Version Detection: To detect the versions of services running on open ports:
nmap -sV 192.168.1.1
- Operating System Detection: To attempt to identify the operating system of a target:
nmap -O 192.168.1.1
- Aggressive Scan: An aggressive scan performs several tasks at once, including host discovery, port scanning, service version detection, and OS detection:
nmap -A 192.168.1.1
- Stealth Scan (SYN Scan): A SYN scan is faster and stealthier because it doesn’t complete the TCP handshake:
nmap -sS 192.168.1.1
- -sS: SYN scan (stealth scan).
- TCP Connect Scan: A full TCP connection scan, which is less stealthy but more reliable:
nmap -sT 192.168.1.1
- -sT: Connect scan (opens full connections).
- UDP Scan: To scan for open UDP ports (requires root/administrator privileges):
nmap -sU 192.168.1.1
- -sU: UDP scan.
- Scan a Range of IPs: To scan a range of IP addresses (e.g., from 192.168.1.1 to 192.168.1.100):
nmap 192.168.1.1-100
- Scan a Subnet: To scan an entire subnet:
nmap 192.168.1.0/24
- Scan for Specific Service: To scan for a specific service (e.g., HTTP on port 80) and list only the ports that are actually open (the --open option filters out closed and filtered ports):
nmap -p 80 --open 192.168.1.1
- Save Scan Results to a File: To save the output of a scan to a file in various formats (e.g., XML or plain text):
nmap -oN scan_results.txt 192.168.1.1
- -oN: Save the output in normal text format.
- -oX: Save the output in XML format.
- Scan Using a Custom Host Discovery Method: To specify the type of host discovery (e.g., skip host discovery or use ICMP echo requests):
nmap -Pn 192.168.1.1
- -Pn: Treat all hosts as up (no host discovery).
- Scan a Range of Ports: To scan a range of ports, for example, ports 1 to 1000:
nmap -p 1-1000 192.168.1.1
- Scan a Host for Specific Scripts: Nmap has a scripting engine (NSE) that allows you to run various scripts against a target:
nmap --script=http-vuln-cve2014-3704 192.168.1.1
- --script: Specify the script to run (e.g., vulnerability scans).
- Scan for Firewall or IDS Evasion: To try to evade detection by a firewall or intrusion detection system (IDS), you can use packet fragmentation:
nmap -f 192.168.1.1
- Scan for Firewall Rules: To determine if a firewall is blocking certain ports or hosts:
nmap -sA 192.168.1.1
- -sA: TCP ACK scan (used for firewall detection).
- Service and OS Detection with Verbose Output: To run a scan with service and OS detection and verbose output:
nmap -A -v 192.168.1.1
- -v: Verbose output.
Nmap Scan Types and Options Overview
- -sS: SYN scan (stealthy and fast).
- -sT: TCP connect scan (less stealthy).
- -sU: UDP scan.
- -O: OS detection.
- -sV: Version detection.
- -A: Aggressive scan (includes OS detection, version detection, script scanning, and traceroute).
- -p: Scan specific ports (e.g., -p 80,443 or -p 1-1000).
- -Pn: Skip host discovery (assume all hosts are up).
- -v: Verbose output.
- -oN: Output in normal format.
- -oX: Output in XML format.
- -oG: Output in grepable format.
- -f: Fragment packets to evade detection.
- -T: Timing template (e.g., -T4 for faster scanning).
Example Use Cases
- Basic Network Discovery: Discover live hosts on a subnet:
nmap 192.168.1.0/24
- Port Scanning: Scan all ports on a target:
nmap -p- 192.168.1.1
- Service Version Detection: Identify services running on a target:
nmap -sV 192.168.1.1
- Operating System Detection: Detect the operating system of a target:
nmap -O 192.168.1.1
- Aggressive Scan: Perform an aggressive scan (OS, version, script, and traceroute):
nmap -A 192.168.1.1
- Vulnerability Scanning: Run a script to check for a specific vulnerability (e.g., Heartbleed):
nmap --script=ssl-heartbleed 192.168.1.1
Conclusion
Nmap is a highly flexible tool used for network
discovery and security auditing. With its wide range of scanning capabilities,
it’s used by network administrators and security professionals for identifying
hosts, open ports, services, and vulnerabilities in their networks.