NMAP
"Nmap" is an essential tool for any security professional. Its versatility and reliability make it a go-to solution for network exploration and security auditing." -Kevin Mitnick
What is the purpose of Nmap?
Nmap (Network Mapper) is an open-source tool used for network discovery, host discovery and security scanning.
Here are the primary uses of Nmap:
- Network Discovery: Nmap scans a network to identify which devices are connected to target system and determine their IP addresses.
- Port Scanning: Nmap can scan a device for open ports. This serves to inform the user of the tool which services are running and which ports are open.
- Service Discovery: Nmap can determine which services (e.g. web server, email server) are running on open ports on the target system.
- Operating System Detection: Nmap can determines the operating system of a target device.
- Security Audits: Nmap can be used to scan for vulnerabilities and identify security weaknesses on the target device.
- Script Support: Nmap includes a script engine that can be used to customize and automate their network scans by the Nmap users.
Core Features
- Network Discovery
- Port Scanning
- Service and Version Detection
- Operating System Detection
- Scriptable Interaction with Network Services
- Host and Network Mapping
- Firewall and IDS Evasion Techniques
- Customizable Output Formats
- Performance and Scalability
Data sources
- Network Services Information
- Port Scanning Results
- Service and Version Signatures
- Operating System Fingerprints
- Nmap Scripting Engine (NSE) Scripts
- Public Vulnerability Databases
- Network Configuration Data
- Historical Scan Results
Common NMAP Commands
1. Basic Scan
- This command performs a basic scan of the specified IP address to check its connectivity status on the system. It determines open ports on the target machine.
nmap <target_IP_adress>
2. Port Scanning
- This command performs to the scan a specific port on the given IP address. By determining the state of the port, it helps assess whether essential services are operational.
nmap -p <port_number> <target_IP_adress>
- This command has the purpose of obtaining information about the status of the different ranges of ports against an IP address on the target system. It reveals which of the ports are open, closed, or filtered.
nmap -p <source_port>-<destination_port> <target_IP_adress>
3.Service and Version Detection
- This command detects the services running on open ports and identifies their versions of target machine. Knowing the service details is important for interpreting potential vulnerabilities in the target system.
nmap -sV <target_IP_adress>
4.Operating System Detection
- This command tries to determine the OS of the victim based on its responses.
nmap -O <target_IP_adress>
5.Scanning All Devices on a Network
- It performs a ping scan over a given range of IP addresses to discover connected devices, thus listing all the active hosts in the network segment.
nmap -sP <network_IP_range>
6.Verbose Output
- This command provides a more detailed output of the scanning process.
nmap -v <target_IP_adress>
7.TCP Syn Scan (Stealth Scan)
- This command performs a stealth scan by sending SYN packets to determines open ports without unfinished the TCP handshake. This approach decreases the possibility of getting detected by the target system.
nmap -sS <target_IP_adress>
8.UDP Scan
- This command enables UDP scanning.UDP scanning works by sending a UDP packet to each port on the targeted IP address. For most ports this packet will be empty (no payload), but for a few more common ports a protocol-specific data will be sent.
nmap -sU <target_IP_adress>
9.Executing a Specific Script
- This command line option followed by the name of the script you want to execute or the name of the entire category of scripts you want to execute. Nmap will then load the script and execute it (or them) against the target IP adress that you define.
nmap --script <script_name> <target_IP_adress>
10.Saving Output to a File
- This command saves the scan results in a normal text format to a designated file. It is way to output report findings for future analysis.
nmap -oN <file_name> <target_IP_adress>
- This command outputs the scan results in XML format, which is useful for integration with other tools.
nmap -oX <file_name> <target_IP_adress>
11. Help and Usage Information
- This command displays the help menu and usage information for Nmap.
nmap -h
- Alternative usage:
nmap --help
Output Examples of NMAP Commands
| Command | Example Usage | Function | Output Example |
|---|---|---|---|
| Basic Scan | nmap 192.168.1.1 | Performs a basic scan of the specified IP address. | 80/tcp open http |
| Port Scanning | nmap -p 22 192.168.1.1 | Scans a specific port on the given IP address. | 22/tcp closed ssh |
| Port-Range Scanning | nmap -p 20-23 192.168.1.1 | Scans a range of ports on the given IP address. | 21/tcp open, ftp 22/tcp closed, ssh 23/tcp closed telnet |
| TCP Syn Scan | nmap -sS 192.168.1.1 | Performs a stealth scan, detecting open ports without completing the TCP handshake. | 22/tcp open ssh, 80/tcp open http |
| UDP Scan | nmap -sU 192.168.1.1 | Scans UDP ports on the specified IP address. | 53/udp open domain, 123/udp open ntp, 161/udp open & filtered snmp |
| Service Detection | nmap -sV 192.168.1.1 | Identifies services and their versions running on open ports. | 22/tcp open ssh OpenSSH 7.2 (protocol 2.0) |
| O.S Detection | nmap -O 192.168.1.1 | Attempts to determine the operating system of the target device. | 80/tcp open http, OS details: Linux 3.2 - 4.9 |
| Script Execution | nmap --script http-enum 192.168.1.1 | Runs a specified script against the target IP address. | 80/tcp open http, _http-enum: /icons/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' |
| Aggressive Scan | nmap -A 192.168.1.1 | Performs a comprehensive scan that includes OS detection, version detection, script scanning, and traceroute. | Nmap scan report for 192.168.1.1 |
| Network Scan | nmap -sP 192.168.1.0/24 | Performs a ping scan to discover all devices within the specified IP range. | Nmap scan report for 192.168.1.1, Nmap scan report for 192.168.1.2 |
| Scan Multiple Hosts | nmap 192.168.1.1 192.168.1.2 | Scans multiple IP addresses in a single command. | Nmap scan report for 192.168.1.1, Nmap scan report for 192.168.1.2 |
| Scan a Subnet | nmap 192.168.1.0/24 | Scans all devices within the specified subnet. | Nmap scan report for 192.168.1.1, Nmap scan report for 192.168.1.2 |
| Verbose Output | nmap -v 192.168.1.1 | Provides a more detailed output of the scan process. | Scanning 192.168.1.1 [1000 ports]. Discovered open port 80/tcp on 192.168.1.1 |
| Saving Output(.txt) | nmap -oN output.txt 192.168.1.1 | Saves the scan results to a TXT file format. | output sent to 'output.txt' |
| Saving Output(.xml) | nmap -oX output.xml 192.168.1.1 | Saves the scan results to an XML format. | output sent to 'output.xml' |
| Timing Template | nmap -T4 192.168.1.1 | Sets the timing template to control the speed of the scan. | Timing template set to aggressive |
| Randomized Scan Order | nmap --randomize-hosts 192.168.1.0/24 | Scans hosts in a random order to avoid detection. | Scanning in random order |
| Bypass Firewall | nmap -Pn 192.168.1.1 | Skips host discovery to assume the host is up. | Scanning 192.168.1.1 |
| Exclude Hosts | nmap -exclude 192.168.1.1 192.168.1.0/24 | Excludes specified hosts from the scan. | Scanning network 192.168.1.0/24 excluding 192.168.1.1 |
| Packet Tracing | nmap --traceroute 192.168.1.1 | Displays the route packets take to the target IP. | Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds |
| Operating System Fingerprinting | nmap -O -sV 192.168.1.1 | Combines OS detection with service version detection. | OS details: Linux 3.2 - 4.9 |
| DNS Enumeration | nmap -sL 192.168.1.0/24 | Lists hosts in the specified range without scanning. | Nmap scan report for 192.168.1.1 |
| Service Version Detection | nmap -sV --version-all 192.168.1.1 | Attempts to detect all possible services on the open ports. | 80/tcp open http Apache/2.4.18 (Ubuntu) |