NMAP — The Network Enumerator
Network Mapper (Nmap) is the most famous port-scanning tool used by penetration testers. Nmap has also appeared in films and series such as The Matrix and Mr. Robot. In this article we look at the main features of Nmap along with a few useful commands.

What is Nmap?
Nmap is short for Network Mapper. It is an open-source command-line tool (available for Linux, Windows and macOS) used to scan hosts and ports on a network and to identify the services running on them. Nmap lets network admins find the devices on their network, discover open ports and services, and, through its scripting engine, check for known vulnerabilities and misconfigurations.
NMAP Command Syntax
nmap [ <Scan Type> ] [ <Options> ] { <target specification> }
Below is a short breakdown of each field in the format above; for the full details, consult the manual page:
man nmap
Common Nmap scan types:
Nmap offers various scan types according to your needs. The common ones are the SYN scan (-sS), the TCP connect scan (-sT) and the UDP scan (-sU). Both TCP scans rely on the three-way handshake, but only the connect scan completes it:
1. The SYN scan (-sS), also called a half-open scan, sends a SYN to each target port. A SYN/ACK in reply means the port is open (Nmap then answers with an RST instead of completing the handshake, so no connection is ever established); an RST in reply means the port is closed; no reply at all, or an ICMP unreachable error, means the port is filtered. It needs raw-socket privileges and is Nmap's default scan when run as root.

2. The TCP connect scan (-sT) uses the operating system's connect() call and therefore completes the full three-way handshake before marking a port open. It needs no special privileges, but every open port sees a real connection, which the target application can log.

3. The UDP scan (-sU) is used to find open UDP ports. It sends UDP packets to the target ports (protocol-specific payloads for well-known services, empty datagrams otherwise) and classifies them by the reply: a UDP response means open, an ICMP port unreachable means closed, and no reply means open|filtered.
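To make the difference between the scan types concrete, here is a small TCP connect scan written for this article in Python; it is an added example, not Nmap's code. It does what -sT does: it asks the operating system to complete the three-way handshake and classifies each port from the outcome, using the same open/closed/filtered states Nmap reports. A SYN scan cannot be reproduced this way, because it needs raw sockets to send the bare SYN and answer the SYN/ACK with an RST. The demo opens a throw-away listener on 127.0.0.1 so that it runs offline; the loopback target, the ports and the one-second timeout are assumptions made for the demo.

```python
import socket

# Added example: a minimal TCP connect scan (what `nmap -sT` does), with the
# same port states Nmap reports. This is not Nmap's code.


def classify_tcp_port(host, port, timeout=1.0):
    """Complete a full three-way handshake with host:port and map the result
    to an Nmap-style state.

    open     - connect() returned: SYN -> SYN/ACK -> ACK completed, so the
               target application sees (and may log) a real connection.
    closed   - the target answered the SYN with an RST (ECONNREFUSED).
    filtered - nothing came back before the timeout, or an ICMP unreachable
               error was reported: a firewall is dropping or rejecting probes.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # e.g. EHOSTUNREACH / ENETUNREACH raised after an ICMP unreachable message
        return "filtered"
    finally:
        sock.close()


def connect_scan(host, ports, timeout=1.0):
    """Scan the given ports one after another and return {port: state}."""
    return {port: classify_tcp_port(host, port, timeout) for port in ports}


def demo():
    """Stand-alone demonstration against the loopback interface (assumed target).

    A listening socket on an ephemeral port plays the open service; a second
    ephemeral port that was bound and immediately released plays the closed one.
    """
    # The listen backlog is enough for connect() to succeed; no accept() needed.
    listener = socket.create_server(("127.0.0.1", 0))
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more, so the kernel answers with RST

    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    for label, state in zip(("open listener", "released port"), demo()):
        print(f"{label}: {state}")
```

Run it and the listener comes back as open and the released port as closed. Point it at a host behind a firewall that silently drops packets and the timeout branch fires instead, which is exactly the "filtered" state in Nmap's output.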

Common Nmap options:
Nmap has tons of options depending on what you need from your scan. At a basic level you should know the following:
Save your Nmap scan to a file
Nmap can save your scan in three formats (normal output, XML output and greppable output) using the -oN, -oX and -oG flags respectively. To save all three at once, use -oA with a base filename, e.g. -oA scan, which writes scan.nmap, scan.xml and scan.gnmap, one file per format.

The XML file is the one to feed into other tools: it is the complete machine-readable record, whereas the greppable format omits details such as NSE script output.
Utilize timing options
You can pick a timing template that suits your purpose with one of the flags -T0, -T1, -T2, -T3, -T4 or -T5, which stand for paranoid, sneaky, polite, normal, aggressive and insane respectively. These templates control how aggressively Nmap probes (parallelism, timeouts and the delay between probes), so the right choice depends on the bandwidth and reliability of the network you are on. -T0 and -T1 are meant for IDS evasion, but they are extremely slow. -T3 (normal) is Nmap's default when none of these flags is given.
Of all the above timing options, I prefer -T4, as it gives the best results.
Common Nmap target specification:
Nmap accepts various target specifications, but they can simply be divided into two parts: the ports to scan and the IP addresses/hosts to scan (a hostname, a single address, a range such as 10.10.224.1-254, or CIDR notation such as 10.10.224.0/24).
Port Specification :
+--------+---------------------------+---------------------------+
| Switch | Description               | Example                   |
+--------+---------------------------+---------------------------+
| -p     | Port or port range.       | nmap -p 22-80 10.10.224.1 |
+--------+---------------------------+---------------------------+
| -p-    | Scan all ports (1-65535). | nmap -p- 10.10.224.145    |
+--------+---------------------------+---------------------------+
| -F     | Fast scan: top 100 ports. | nmap -F 10.10.224.145     |
+--------+---------------------------+---------------------------+
Host Specification :
+--------------------------------+---------------------------+
| Description                    | Example                   |
+--------------------------------+---------------------------+
| Scanning a specific hostname   | nmap target.domain.com    |
+--------------------------------+---------------------------+
| Scanning a specific IP address | nmap 10.10.224.145        |
+--------------------------------+---------------------------+
| Scanning a network range       | nmap 10.10.224.1-254      |
+--------------------------------+---------------------------+
Commonly used Scan Combinations
nmap -sC -sV -oA <file_name> <ip or target>
This is the combination many testers, myself included, reach for first. Here -sC runs the default set of NSE scripts against the open ports, -sV probes each open port to identify the service and its version, and -oA saves the results in all three output formats.
Typical output lists each open port with its service and version plus the script results, for example an ftp-anon finding that anonymous FTP login is enabled, and the title of the web page served on port 80 (from the http-title script).
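Reading that output by eye does not scale past a handful of hosts. The XML file written by -oA is the machine-readable record of the same scan, and the Python below, an added example that is neither from this article nor from the Nmap project, parses it with the standard library and pulls out exactly the two findings mentioned above: the ftp-anon result and the http-title. The XML is a constructed sample that follows Nmap's real element layout (host, address, port, state, service, script); the address, version strings and script output in it are made up for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML report (-oX, or the .xml file from -oA) that a
# `nmap -sC -sV` run writes. Element names and attributes follow Nmap's real
# layout; the host, versions and script output are invented for this demo.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -oA scan 10.10.224.145" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.224.145" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.6p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.29" method="probed" conf="10"/>
        <script id="http-title" output="Login Portal"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4_address: [entry, ...]} with one entry per OPEN port.

    Each entry carries the port number, protocol, service name, the
    product/version string from -sV and a dict of NSE script id -> output.
    Closed and filtered ports are skipped, as are hosts without an IPv4 address.
    """
    root = ET.fromstring(xml_text)
    report = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None
            entries.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "version": " ".join(x for x in (product, version) if x),
                "scripts": {s.get("id"): s.get("output", "") for s in port.iter("script")},
            })
        report[addr_el.get("addr")] = entries
    return report


def findings(report):
    """Flag the two things the text above points at: anonymous FTP and page titles."""
    out = []
    for host, entries in report.items():
        for e in entries:
            if "ftp-anon" in e["scripts"]:
                out.append(f"{host}:{e['port']} anonymous FTP - {e['scripts']['ftp-anon']}")
            if "http-title" in e["scripts"]:
                out.append(f"{host}:{e['port']} http title - {e['scripts']['http-title']}")
    return out


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for host, entries in parsed.items():
        for e in entries:
            print(f"{host} {e['port']}/{e['proto']} {e['service']} {e['version']}")
    for line in findings(parsed):
        print(line)
```

Swap SAMPLE_XML for the contents of a real scan.xml (ET.parse(path).getroot() instead of fromstring) and the same two functions work unchanged; the closed 443 entry in the sample shows that only open ports make it into the report.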
Nmap Scripting Engine
When we talk about Nmap we cannot forget NSE: the scripts are what make Nmap so powerful. The Nmap Scripting Engine (NSE) lets you automate a wide range of networking tasks, from service discovery and brute forcing to vulnerability checks. Nmap ships with hundreds of scripts (kept in its scripts/ directory and grouped into categories such as default, safe, vuln and intrusive), and you can write your own or modify the existing ones in the Lua programming language. Scripts are selected with --script (by name or category, e.g. --script=vuln) and take parameters through --script-args.

Zenmap
Zenmap is the official graphical user interface for Nmap. It drives the same scanner underneath, and adds saved scan profiles, a topology view and the ability to compare the results of two scans.

Conclusion
Nmap is a very useful tool not only for security professionals but for IT practitioners in general because of its versatility; it is clearly the "Swiss Army knife" of networking.
Thanks, everyone, for reading the article.
Author : Kshitiz Raj (manitorpotterk)
VIEH Group | www.viehgroup.com