Network & Port Scanners — Nmap (Information Gathering)

Yashwant Singh 🐧
Published in System Weakness
19 min read · Nov 30, 2022

In my previous article, we talked about “Live Host Identification”; today we are going to discuss “Network & Port Scanners”.

Now that we have figured out how to check whether a host is alive or dead, it is only fair that we also figure out how to check which ports are open on that host and which services are running behind them.

Network and port scanning is like walking around a house and observing which doors 🚪 and windows are open and who is standing at them.

Here, doors and windows are similar to ports and the person standing on the door can be understood as the services running on the specific ports.

There are various tools and methods to scan a host/server/web-server. Let’s begin going through them one by one.

In the Network and Port Scanners section of the Information Gathering tab of Kali Linux, there are mainly two tools in the list.

1. Masscan (I’ve already talked about this in Live Host Recon article)


MASSCAN is a TCP port scanner which transmits SYN packets asynchronously and produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. It’s a flexible utility that allows arbitrary address and port ranges.

$ masscan --help
MASSCAN is a fast port scanner. The primary input parameters are the
IP addresses/ranges you want to scan, and the port numbers. An example
is the following, which scans the 10.x.x.x network for web servers:
masscan 10.0.0.0/8 -p80
The program auto-detects network interface/adapter settings. If this
fails, you'll have to set these manually. The following is an
example of all the parameters that are needed:
--adapter-ip 192.168.10.123
--adapter-mac 00-11-22-33-44-55
--router-mac 66-55-44-33-22-11
Parameters can be set either via the command-line or config-file. The
names are the same for both. Thus, the above adapter settings would
appear as follows in a configuration file:
adapter-ip = 192.168.10.123
adapter-mac = 00-11-22-33-44-55
router-mac = 66-55-44-33-22-11
All single-dash parameters have a spelled out double-dash equivalent,
so '-p80' is the same as '--ports 80' (or 'ports = 80' in config file).
To use the config file, type:
masscan -c <filename>
To generate a config-file from the current settings, use the --echo
option. This stops the program from actually running, and just echoes
the current configuration instead. This is a useful way to generate
your first config file, or see a list of parameters you didn't know
about. I suggest you try it now:
masscan -p1234 --echo

If you’ve used nmap, the syntax is very similar. Scanning a set of ports with masscan is as simple as:

masscan -p<ports you want to scan> <hostname/host_IP>

Here is a one-page help sheet for masscan; I’d suggest downloading it before using masscan.

2. Nmap


Nmap is one of those tools a pen-tester can’t live without. It has so many modules and modes that it does almost everything: it can scan open ports, identify which services are running on those ports, and it even ships with scripts that make scanning much easier. However much I exaggerate, nmap still exceeds expectations. It’s so well known that it even appears in movie hacking scenes. The Nmap official website lays out its development history and uses in an orderly manner.

It can be used for the following purposes:

  • Real-time information about a network
  • Detailed information about all the active IPs on your network
  • The number of open ports in a network
  • A list of live hosts
  • Port, OS and host scanning

Here is the full nmap help output, for reference:

┌──(scott㉿notebook)-[~]
└─$ nmap -h
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Here is an excerpt from the official nmap manual page:

NAME
nmap — Network exploration tool and security / port scanner

SYNOPSIS
nmap [Scan Type…] [Options] {target specification}

DESCRIPTION
Nmap (“Network Mapper”) is an open source tool for network exploration
and security auditing. It was designed to rapidly scan large networks,
although it works fine against single hosts. Nmap uses raw IP packets
in novel ways to determine what hosts are available on the network,
what services (application name and version) those hosts are offering,
what operating systems (and OS versions) they are running, what type of
packet filters/firewalls are in use, and dozens of other
characteristics. While Nmap is commonly used for security audits, many
systems and network administrators find it useful for routine tasks
such as network inventory, managing service upgrade schedules, and
monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental
information on each depending on the options used. Key among that
information is the “interesting ports table”. That table lists the
port number and protocol, service name, and state. The state is either
open, filtered, closed, or unfiltered. Open means that an application
on the target machine is listening for connections/packets on that
port. Filtered means that a firewall, filter, or other network
obstacle is blocking the port so that Nmap cannot tell whether it is
open or closed. Closed ports have no application listening on them,
though they could open up at any time. Ports are classified as
unfiltered when they are responsive to Nmap’s probes, but Nmap cannot
determine whether they are open or closed. Nmap reports the state
combinations open|filtered and closed|filtered when it cannot determine
which of the two states describe a port. The port table may also
include software version details when version detection has been
requested. When an IP protocol scan is requested (-sO), Nmap provides
information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further
information on targets, including reverse DNS names, operating system
guesses, device types, and MAC addresses.

A typical Nmap scan is shown in Example 1. The only Nmap arguments used
in this example are -A, to enable OS and version detection, script
scanning, and trace-route; -T4 for faster execution; and then the
hostname.

If you want to read more of it, see the full 👉 “Manual” on nmap.org.

Moving on, let’s learn some basic commands.

1. Nmap basic scan

You can use either a hostname (DNS name) or a host IP (preferably IPv4).

nmap <hostname/host_IP>
[screenshot: nmap scan without -v]

Nmap basic scan with -v (verbosity)

nmap <hostname/host_IP> -v
[screenshot: nmap scan with -v]

You can see the difference between the two outputs, so always use the -v flag. You can increase the verbosity level further by adding more v’s, like this:

nmap <hostname/host_IP> -vvv
[screenshot: nmap scan with -vvv]

2. Nmap to scan multiple hosts

Just list the additional hostnames or IPs, separated by spaces:

nmap <hostname1/host_IP1> <hostname2/host_IP2> <hostname3/host_IP3>

3. Nmap to scan the whole subnet.

Put a ‘*’ in place of the last octet; nmap expands it to all 256 addresses of that /24.

nmap 192.53.165.* 

I did a random subnet scan; just look at the output I got!

Tip: don’t forget to add the verbosity (-v) flag.

┌──(scott㉿notebook)-[~]
└─$ nmap 192.53.165.* -vvv
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-30 08:14 IST
Initiating Ping Scan at 08:14
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 08:14, 4.80s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 203 hosts. at 08:14
Completed Parallel DNS resolution of 203 hosts. at 08:14, 0.67s elapsed
DNS resolution of 203 IPs took 0.67s. Mode: Async [#: 2, OK: 203, NX: 0, DR: 0, SF: 0, TR: 203, CN: 0]
Nmap scan report for 192.53.165.0 [host down, received no-response]
Nmap scan report for 192.53.165.1 [host down, received no-response]
Nmap scan report for 192.53.165.2 [host down, received no-response]
Nmap scan report for 192.53.165.3 [host down, received no-response]
Nmap scan report for 192.53.165.4 [host down, received no-response]
Nmap scan report for 192.53.165.9 [host down, received no-response]
Nmap scan report for 192.53.165.10 [host down, received no-response]
Nmap scan report for 192.53.165.13 [host down, received no-response]
Nmap scan report for 192.53.165.14 [host down, received no-response]
Nmap scan report for 192.53.165.21 [host down, received host-unreach]
Nmap scan report for 192.53.165.22 [host down, received no-response]
Nmap scan report for 192.53.165.23 [host down, received no-response]
Nmap scan report for 192.53.165.25 [host down, received no-response]
Nmap scan report for 192.53.165.26 [host down, received no-response]
Nmap scan report for 192.53.165.36 [host down, received no-response]
Nmap scan report for 192.53.165.37 [host down, received no-response]
Nmap scan report for 192.53.165.40 [host down, received no-response]
Nmap scan report for 192.53.165.48 [host down, received no-response]
Nmap scan report for 192.53.165.50 [host down, received no-response]
Nmap scan report for 192.53.165.53 [host down, received no-response]
Nmap scan report for 192.53.165.55 [host down, received no-response]
Nmap scan report for 192.53.165.70 [host down, received no-response]
Nmap scan report for 192.53.165.75 [host down, received no-response]
Nmap scan report for 192.53.165.86 [host down, received no-response]
Initiating Connect Scan at 08:14
Scanning 64 hosts [1000 ports/host]
Discovered open port 5900/tcp on 192.53.165.27
Discovered open port 80/tcp on 192.53.165.62
Discovered open port 80/tcp on 192.53.165.60
Discovered open port 80/tcp on 192.53.165.6
Discovered open port 80/tcp on 192.53.165.11
Discovered open port 80/tcp on 192.53.165.33
Discovered open port 80/tcp on 192.53.165.34
Discovered open port 80/tcp on 192.53.165.43
Discovered open port 80/tcp on 192.53.165.74
Discovered open port 80/tcp on 192.53.165.64
Discovered open port 80/tcp on 192.53.165.24
Discovered open port 80/tcp on 192.53.165.17
Discovered open port 80/tcp on 192.53.165.79
Discovered open port 80/tcp on 192.53.165.85
Discovered open port 80/tcp on 192.53.165.18
Discovered open port 80/tcp on 192.53.165.76
Discovered open port 80/tcp on 192.53.165.61
Discovered open port 80/tcp on 192.53.165.51
Discovered open port 80/tcp on 192.53.165.12
Discovered open port 3389/tcp on 192.53.165.7
Discovered open port 80/tcp on 192.53.165.45
Discovered open port 80/tcp on 192.53.165.80
Discovered open port 80/tcp on 192.53.165.35
Discovered open port 80/tcp on 192.53.165.46
Discovered open port 80/tcp on 192.53.165.71
Discovered open port 111/tcp on 192.53.165.69
Discovered open port 80/tcp on 192.53.165.83
Discovered open port 80/tcp on 192.53.165.27
Discovered open port 80/tcp on 192.53.165.59
Discovered open port 80/tcp on 192.53.165.39
Discovered open port 80/tcp on 192.53.165.72
Discovered open port 80/tcp on 192.53.165.49
Discovered open port 80/tcp on 192.53.165.73
Discovered open port 80/tcp on 192.53.165.5
Discovered open port 80/tcp on 192.53.165.32
Discovered open port 80/tcp on 192.53.165.68
Discovered open port 80/tcp on 192.53.165.84
Discovered open port 80/tcp on 192.53.165.67
Discovered open port 80/tcp on 192.53.165.28
Discovered open port 80/tcp on 192.53.165.20
Discovered open port 22/tcp on 192.53.165.69
Discovered open port 80/tcp on 192.53.165.65
Discovered open port 143/tcp on 192.53.165.24
Discovered open port 80/tcp on 192.53.165.87
Discovered open port 80/tcp on 192.53.165.66
Discovered open port 3306/tcp on 192.53.165.24
Discovered open port 995/tcp on 192.53.165.24
Discovered open port 22/tcp on 192.53.165.74
Discovered open port 554/tcp on 192.53.165.27
Discovered open port 80/tcp on 192.53.165.16
Discovered open port 143/tcp on 192.53.165.17
Discovered open port 80/tcp on 192.53.165.52
Discovered open port 80/tcp on 192.53.165.56
Discovered open port 143/tcp on 192.53.165.27
Discovered open port 143/tcp on 192.53.165.11
Discovered open port 22/tcp on 192.53.165.71
Discovered open port 22/tcp on 192.53.165.34
Discovered open port 80/tcp on 192.53.165.63
Discovered open port 80/tcp on 192.53.165.82
Discovered open port 22/tcp on 192.53.165.61
Discovered open port 111/tcp on 192.53.165.47
Discovered open port 22/tcp on 192.53.165.85
Discovered open port 111/tcp on 192.53.165.80
Discovered open port 993/tcp on 192.53.165.24
Discovered open port 111/tcp on 192.53.165.19
Discovered open port 3306/tcp on 192.53.165.51
Discovered open port 22/tcp on 192.53.165.64
Discovered open port 22/tcp on 192.53.165.60
Discovered open port 22/tcp on 192.53.165.65
Discovered open port 21/tcp on 192.53.165.24
Discovered open port 22/tcp on 192.53.165.29
Discovered open port 3306/tcp on 192.53.165.11
Discovered open port 22/tcp on 192.53.165.62
Discovered open port 3306/tcp on 192.53.165.87
Discovered open port 22/tcp on 192.53.165.77
Discovered open port 995/tcp on 192.53.165.11
Discovered open port 22/tcp on 192.53.165.46
Discovered open port 22/tcp on 192.53.165.20
Discovered open port 22/tcp on 192.53.165.51
Discovered open port 22/tcp on 192.53.165.11
Discovered open port 22/tcp on 192.53.165.12
Discovered open port 22/tcp on 192.53.165.81
Discovered open port 22/tcp on 192.53.165.73
Discovered open port 111/tcp on 192.53.165.78
Discovered open port 443/tcp on 192.53.165.74
Discovered open port 22/tcp on 192.53.165.52
Discovered open port 22/tcp on 192.53.165.56
Discovered open port 22/tcp on 192.53.165.19
Discovered open port 22/tcp on 192.53.165.31
Discovered open port 22/tcp on 192.53.165.57
Discovered open port 22/tcp on 192.53.165.87
Discovered open port 22/tcp on 192.53.165.68
Discovered open port 22/tcp on 192.53.165.39
Discovered open port 995/tcp on 192.53.165.27
Discovered open port 554/tcp on 192.53.165.33
Discovered open port 1025/tcp on 192.53.165.8
Discovered open port 22/tcp on 192.53.165.15
Discovered open port 22/tcp on 192.53.165.58
Discovered open port 22/tcp on 192.53.165.80
Discovered open port 22/tcp on 192.53.165.84
Discovered open port 22/tcp on 192.53.165.5
Discovered open port 22/tcp on 192.53.165.18
Discovered open port 587/tcp on 192.53.165.24
Discovered open port 22/tcp on 192.53.165.32
Discovered open port 3306/tcp on 192.53.165.83
Discovered open port 111/tcp on 192.53.165.38
Discovered open port 22/tcp on 192.53.165.47
Discovered open port 111/tcp on 192.53.165.44
Discovered open port 22/tcp on 192.53.165.49
Discovered open port 22/tcp on 192.53.165.59
Discovered open port 22/tcp on 192.53.165.67
Discovered open port 22/tcp on 192.53.165.42
Discovered open port 22/tcp on 192.53.165.45
Discovered open port 110/tcp on 192.53.165.24
Discovered open port 443/tcp on 192.53.165.24
Discovered open port 22/tcp on 192.53.165.54
Discovered open port 22/tcp on 192.53.165.78
Discovered open port 22/tcp on 192.53.165.72
Discovered open port 22/tcp on 192.53.165.83
Discovered open port 8080/tcp on 192.53.165.60
Discovered open port 22/tcp on 192.53.165.30
Discovered open port 993/tcp on 192.53.165.27
Discovered open port 22/tcp on 192.53.165.16
Discovered open port 995/tcp on 192.53.165.17
Discovered open port 22/tcp on 192.53.165.28
Discovered open port 443/tcp on 192.53.165.60
Discovered open port 22/tcp on 192.53.165.33
Discovered open port 22/tcp on 192.53.165.17
Discovered open port 443/tcp on 192.53.165.71
Discovered open port 993/tcp on 192.53.165.11
Discovered open port 22/tcp on 192.53.165.44
Discovered open port 22/tcp on 192.53.165.38
Discovered open port 53/tcp on 192.53.165.24
Discovered open port 443/tcp on 192.53.165.29
Discovered open port 443/tcp on 192.53.165.6
Discovered open port 443/tcp on 192.53.165.66
Discovered open port 443/tcp on 192.53.165.32
Discovered open port 443/tcp on 192.53.165.46
Discovered open port 22/tcp on 192.53.165.82
Discovered open port 443/tcp on 192.53.165.34
Discovered open port 443/tcp on 192.53.165.85
Discovered open port 443/tcp on 192.53.165.45
Discovered open port 587/tcp on 192.53.165.27
Discovered open port 443/tcp on 192.53.165.56
Discovered open port 110/tcp on 192.53.165.27
Discovered open port 443/tcp on 192.53.165.64
Discovered open port 443/tcp on 192.53.165.77
Discovered open port 22/tcp on 192.53.165.63
Discovered open port 443/tcp on 192.53.165.52
Discovered open port 443/tcp on 192.53.165.20
Discovered open port 443/tcp on 192.53.165.12
Discovered open port 443/tcp on 192.53.165.51
Discovered open port 993/tcp on 192.53.165.17
Discovered open port 443/tcp on 192.53.165.27
Discovered open port 443/tcp on 192.53.165.8
Discovered open port 443/tcp on 192.53.165.65
Discovered open port 587/tcp on 192.53.165.11
Discovered open port 443/tcp on 192.53.165.62
Discovered open port 443/tcp on 192.53.165.39
Discovered open port 443/tcp on 192.53.165.84
Discovered open port 110/tcp on 192.53.165.11
Discovered open port 443/tcp on 192.53.165.79
Discovered open port 443/tcp on 192.53.165.11
Discovered open port 443/tcp on 192.53.165.28
Discovered open port 443/tcp on 192.53.165.15
Discovered open port 443/tcp on 192.53.165.80
Discovered open port 443/tcp on 192.53.165.82
Discovered open port 443/tcp on 192.53.165.59
Discovered open port 53/tcp on 192.53.165.11
Discovered open port 587/tcp on 192.53.165.17
Discovered open port 587/tcp on 192.53.165.35
Discovered open port 443/tcp on 192.53.165.49
Connect Scan Timing: About 3.11% done; ETC: 08:30 (0:16:06 remaining)
Discovered open port 443/tcp on 192.53.165.68
Discovered open port 110/tcp on 192.53.165.17
Discovered open port 443/tcp on 192.53.165.72
Discovered open port 443/tcp on 192.53.165.5
Discovered open port 443/tcp on 192.53.165.41
Discovered open port 443/tcp on 192.53.165.83
Discovered open port 443/tcp on 192.53.165.17
Discovered open port 8080/tcp on 192.53.165.63
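As an added example (not part of the original article), here is a small Python script that turns the verbose “Discovered open port” lines above into a per-host inventory and flags services you would not expect to see exposed on an internet-facing /24. The sample lines are copied from the output above; the allowlist of expected ports, the “risky” labels and the function names `parse_open_ports` / `unexpected_exposures` are assumptions chosen for illustration.

```python
"""Turn nmap's verbose "Discovered open port" lines into a per-host inventory
and flag services that should not be exposed.

Added example, not from the article or from nmap. The sample lines are taken
from the article's subnet scan output; the allowlist and the labels for
risky ports are assumptions for illustration.
"""
import re
from collections import defaultdict

# Sample input: a handful of lines copied from the article's -vvv output,
# with a few non-matching progress lines left in to show they are ignored.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.53.165.0 [host down, received no-response]
Initiating Connect Scan at 08:14
Scanning 64 hosts [1000 ports/host]
Discovered open port 5900/tcp on 192.53.165.27
Discovered open port 80/tcp on 192.53.165.62
Discovered open port 3389/tcp on 192.53.165.7
Discovered open port 111/tcp on 192.53.165.69
Discovered open port 22/tcp on 192.53.165.69
Discovered open port 3306/tcp on 192.53.165.24
Discovered open port 443/tcp on 192.53.165.27
Discovered open port 80/tcp on 192.53.165.27
Connect Scan Timing: About 3.11% done; ETC: 08:30 (0:16:06 remaining)
"""

# Matches the progress line nmap prints (with -v) for every open port it finds.
DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp|sctp) on (?P<host>\S+)$"
)

# Services a web-facing /24 is expected to expose (assumption for the example).
EXPECTED_PORTS = {22, 80, 443}

# Ports whose internet exposure is usually a finding worth chasing (assumed labels).
RISKY_PORTS = {
    111: "rpcbind/portmapper",
    3306: "MySQL",
    3389: "RDP",
    5900: "VNC",
}


def _ip_key(host: str):
    """Sort dotted-quad addresses numerically; fall back to plain string order."""
    parts = host.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return (0, tuple(int(p) for p in parts))
    return (1, host)


def parse_open_ports(output: str) -> dict[str, set[tuple[int, str]]]:
    """Return {host: {(port, proto), ...}} built from nmap verbose output."""
    inventory: dict[str, set[tuple[int, str]]] = defaultdict(set)
    for line in output.splitlines():
        m = DISCOVERED_RE.match(line.strip())
        if m:
            inventory[m["host"]].add((int(m["port"]), m["proto"]))
    return dict(inventory)


def unexpected_exposures(inventory, expected=EXPECTED_PORTS, risky=RISKY_PORTS):
    """List (host, "port/proto", label) for every open port not on the allowlist.
    Known-dangerous ports get a descriptive label; anything else is 'unlisted'."""
    findings = []
    for host in sorted(inventory, key=_ip_key):
        for port, proto in sorted(inventory[host]):
            if port in expected:
                continue
            findings.append((host, f"{port}/{proto}", risky.get(port, "unlisted")))
    return findings


if __name__ == "__main__":
    inv = parse_open_ports(SAMPLE_OUTPUT)
    print(f"{len(inv)} hosts with open ports")
    for host, port, label in unexpected_exposures(inv):
        print(f"{host:16} {port:10} {label}")
```

Feed it the saved output of a real `nmap -v` run (or `-oN` file) to get the same triage over a whole scan.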

4. Using Nmap to scan firewall settings of a host.

Use the ‘-sA’ flag; you will need root privileges for this type of scan because it sends raw TCP packets. An ACK scan never reports a port as open: it only classifies ports as filtered or unfiltered, and that is what reveals the firewall’s rules.

sudo nmap -sA 103.76.228.244
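To make the port states from the manual excerpt above (open, closed, filtered, unfiltered) and the ACK scan in this section concrete, here is an added Python model (not from the article or from nmap’s own code) of how nmap derives a port’s state from the reply it gets, for a SYN scan (-sS) and an ACK scan (-sA), against a host behind a stateful and a stateless packet filter. The `Target` class, its listening ports and firewall rules are constructed for illustration; the state rules themselves are nmap’s documented ones.

```python
"""Model how nmap turns TCP replies into port states for a SYN scan (-sS)
and an ACK scan (-sA), against a host behind a packet filter.

Added example, not from the article or from nmap itself. The target model
(listening ports, firewall rules, stateful vs stateless filtering) is
constructed for illustration; the state-derivation rules are nmap's
documented ones: a SYN scan reports open/closed/filtered, an ACK scan only
ever reports unfiltered/filtered, which is why -sA maps firewall rules
rather than finding open ports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    listening: frozenset   # TCP ports with an application bound
    allowed: frozenset     # ports the firewall lets new (SYN) connections reach
    stateful: bool         # True: firewall tracks connections and drops stray ACKs

    def reply_to(self, port: int, flags: str) -> str:
        """What the scanner sees back: 'SYN/ACK', 'RST' or 'none'."""
        if flags == "SYN":
            if port not in self.allowed:
                return "none"                       # silently dropped by the filter
            return "SYN/ACK" if port in self.listening else "RST"
        if flags == "ACK":
            # Simplified model (assumption): a stateful filter drops an ACK that
            # belongs to no tracked connection; a stateless ACL that only screens
            # SYNs passes it, and a TCP stack answers any stray ACK with RST
            # whether or not the port is listening.
            return "none" if self.stateful else "RST"
        raise ValueError(f"unsupported probe flags: {flags}")


def syn_scan_state(reply: str) -> str:
    """-sS: SYN/ACK means open, RST means closed, silence means filtered."""
    return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")


def ack_scan_state(reply: str) -> str:
    """-sA: an RST proves the probe reached the host (unfiltered); silence means
    something in the path dropped it (filtered). It can never say 'open'."""
    return "unfiltered" if reply == "RST" else "filtered"


def scan(target: Target, ports) -> dict:
    """Run both scan types and return {port: {"sS": state, "sA": state}}."""
    return {
        p: {
            "sS": syn_scan_state(target.reply_to(p, "SYN")),
            "sA": ack_scan_state(target.reply_to(p, "ACK")),
        }
        for p in ports
    }


# Constructed targets: same services, different firewall designs. Port 8080 is
# reachable but has nothing listening, so a SYN scan reports it closed.
STATEFUL_HOST = Target(listening=frozenset({22, 80}), allowed=frozenset({80, 8080}), stateful=True)
STATELESS_HOST = Target(listening=frozenset({22, 80}), allowed=frozenset({80, 8080}), stateful=False)
PROBE_PORTS = (22, 80, 443, 8080)


if __name__ == "__main__":
    for name, host in (("stateful", STATEFUL_HOST), ("stateless", STATELESS_HOST)):
        print(f"--- {name} firewall ---")
        for port, states in scan(host, PROBE_PORTS).items():
            print(f"{port:>5}/tcp  -sS: {states['sS']:<9} -sA: {states['sA']}")
```

Reading the two tables side by side shows the point of section 4: against the stateful filter every port comes back filtered under -sA, while against the stateless one the ports that -sS called filtered come back unfiltered, telling you the filter only screens new connections.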

5. To scan from a file

Use the ‘-iL’ flag with a file that lists your targets:

nmap -iL <filename.txt>

6. Nmap Aggressive Scan

Here -A stands for aggressive. It enables several extra features at once: OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute), so it returns a lot of valuable information about the host.

nmap -A <Domain_Name/DNS/Host_IP>
[screenshot: scanning the IPs from a file.txt in aggressive mode with nmap]

Here is the final output. If you have any queries or questions, ask me in the comments.

┌──(scott㉿notebook)-[~]
└─$ nmap -A -iL ip.txt -vvv
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-30 08:32 IST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
Initiating Ping Scan at 08:32
Scanning 162.159.137.232 [2 ports]
Completed Ping Scan at 08:32, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:32
Completed Parallel DNS resolution of 1 host. at 08:32, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 08:32
Scanning 162.159.137.232 [1000 ports]
Discovered open port 80/tcp on 162.159.137.232
Discovered open port 8080/tcp on 162.159.137.232
Discovered open port 443/tcp on 162.159.137.232
Discovered open port 8443/tcp on 162.159.137.232
Completed Connect Scan at 08:32, 8.72s elapsed (1000 total ports)
Initiating Service scan at 08:32
Scanning 4 services on 162.159.137.232
Completed Service scan at 08:32, 12.46s elapsed (4 services on 1 host)
NSE: Script scanning 162.159.137.232.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 5.16s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 1.69s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
Nmap scan report for 162.159.137.232
Host is up, received syn-ack (0.065s latency).
Scanned at 2022-11-30 08:32:12 IST for 28s
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Cloudflare http proxy
|_http-title: Site doesn't have a title (text/plain; charset=UTF-8).
|_http-server-header: cloudflare
443/tcp open ssl/http syn-ack Cloudflare http proxy
| tls-nextprotoneg:
| h2
|_ http/1.1
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US/localityName=San Francisco
| Subject Alternative Name: DNS:discord.com, DNS:*.discord.com, DNS:sni.cloudflaressl.com
| Issuer: commonName=Cloudflare Inc ECC CA-3/organizationName=Cloudflare, Inc./countryName=US
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2022-11-19T00:00:00
| Not valid after: 2023-11-19T23:59:59
| MD5: 26d99efd06d1fe09aac998d6e008d57d
| SHA-1: a3ea271a3de88c055e1cc81d590ed2f2a1764d2e
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
| tls-alpn:
| h2
|_ http/1.1
|_http-server-header: cloudflare
|_ssl-date: TLS randomness does not represent time
8080/tcp open http syn-ack Cloudflare http proxy
|_http-title: Site doesn't have a title (text/plain; charset=UTF-8).
|_http-server-header: cloudflare
8443/tcp open ssl/http syn-ack Cloudflare http proxy
|_http-title: 403 Forbidden
| tls-alpn:
| h2
|_ http/1.1
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US/localityName=San Francisco
| Subject Alternative Name: DNS:discord.com, DNS:*.discord.com, DNS:sni.cloudflaressl.com
| Issuer: commonName=Cloudflare Inc ECC CA-3/organizationName=Cloudflare, Inc./countryName=US
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2022-11-19T00:00:00
| Not valid after: 2023-11-19T23:59:59
| MD5: 26d99efd06d1fe09aac998d6e008d57d
| SHA-1: a3ea271a3de88c055e1cc81d590ed2f2a1764d2e
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
|_http-server-header: cloudflare
| tls-nextprotoneg:
| h2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.74 seconds

Nmap is clearly a major part of the “Swiss Army Knife” of networking, thanks to its inventory of versatile commands. It lets you quickly scan and discover essential information about your network, hosts, ports, firewalls, and operating systems. Nmap has numerous settings, flags, and preferences that help system administrators analyze a network in detail.

If you want to learn more about nmap, how it works, and its various uses with scripts, check out the official website “Nmap: the Network Mapper — Free Security Scanner”.

With this article, we have finished the “Network and Port Scanners” section of Information Gathering. In my next article we will discuss “OSINT Analysis”, covering the infamous SpiderFoot in detail along with some other resources that can be used in day-to-day life.

And like always, I’ll leave you with this…

Be safe, be secure and happy hacking :)
