Nmap basic scanning techniques
Nmap basic scanning techniques
What is Nmap
Nmap stands for Network Mapper.NMAP is a free open source network mapping tool.It is written in c,cpp,python and lua.
Nmap is one of most common tools used by security professionals.It offers many features.
Features of NMAP:
- Nmap discovers hosts and services offered by the hosts on a network.Services like ftp,ssh,smtp,mysql and http etc.
- Host Discovery,port Scanning, Operating System detection.
- Nmap can bypass firewalls and find vulnerabilities on a network.
- NMAP provides useful information of your targets, like reverse DNS names, operating system guesses, device types, and MAC addresses.
For more information about NMAP go to the officialwebsite
Now let's explore it's feature practically so fire up your terminal.
Scan a single host
root@seven:~# nmap linuxxcomputing.com Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-19 06:24 EST Nmap scan report for linuxxcomputing.com (107.180.0.245) Host is up (0.032s latency). rDNS record for 107.180.0.245: ip-107-180-0-245.ip.secureserver.net Not shown: 986 filtered ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 80/tcp open http
When scan is complete you see three columns PORT displays the port number.STATE displays it's state it will be either open ,closed or filtered.The above command scans for basic services running on the server.
OPEN POTS
Open ports means it is active and open.It is ready to accept connection.It is most common vulnerability. From the above scan result you can see that i have ftp port open.Hackers exploit this vulnerability by bruteforcing usernames and passwords.
Close PORT
If port state is close then it means that most likely it does not have any services running.
Filtered PORTS
It means that port is protected by the firewall.
Scan Host with an ip address
root@seven:~# nmap 107.180.0.245
Scan multiple hosts
Nmap scans multiple hosts just supply multiple host names for best results scan one host at a time.
root@seven:~# nmap linuxxcomputing.com google.com
Detailed Scan
A detailed scan gives you detailed information about your target.It tries to guess operating system and version. It returns ports and servcies.It also returns traceroute. Traceroute shows all the routers you used to reach there.Check each line of scan carefully you will find plenty of info.
root@seven:~# nmap -A linuxxcomputing.com Nmap scan report for linuxxcomputing.com (107.180.0.245) Host is up (0.0054s latency). rDNS record for 107.180.0.245: ip-107-180-0-245.ip.secureserver.net Not shown: 999 filtered ports PORT STATE SERVICE VERSION 3306/tcp open tcpwrapped | mysql-info: | Protocol: 53 | Version: .5.45-cll-lve | Thread ID: 2344927 | Capabilities flags: 63487 | Some Capabilities: LongPassword, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, SupportsTransactions, ConnectWithDatabase, IgnoreSigpipes, Support41Auth, Speaks41ProtocolOld, FoundRows, Speaks41ProtocolNew, SupportsLoadDataLocal, InteractiveClient, SupportsCompression, LongColumnFlag, ODBCClient | Status: Autocommit Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port RACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 0.06 ms 192.168.150.2 2 0.11 ms ip-107-180-0-245.ip.secureserver.net (107.180.0.245) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 92.33 seconds
Detect Operating System
You must supply -O option to detect OS of your target.
root@seven:~# nmap -O linuxxcomputing.com
PORT Scanning with nmap
Before scanning ports there is one thing you must know about ports that there are 65535 ports available on your server. When you scan ports by default it only scans 1000 most popular ports.Reason for this is if it scans all the 65535 ports then it will take a lot of time.Only 40 or may be more ports are used.
root@seven:~# nmap -F linuxxcomputing.com Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-19 08:04 EST Nmap scan report for linuxxcomputing.com (107.180.0.245) Host is up (0.17s latency). rDNS record for 107.180.0.245: ip-107-180-0-245.ip.secureserver.net Not shown: 93 filtered ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop3 143/tcp open imap 443/tcp open https 3306/tcp open mysql
The above command uses -F flag for fast scan and returns ports and services offered by the server.
Scan for specific port
If you want to scan a specific port then you must give port number along with -p option.
root@seven:~# nmap -p 21 linuxxcomputing.com Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-19 08:13 EST Nmap scan report for linuxxcomputing.com (107.180.0.245) Host is up (0.00036s latency). rDNS record for 107.180.0.245: ip-107-180-0-245.ip.secureserver.net PORT STATE SERVICE 21/tcp filtered ftp
Scan ports with specific range
You can specify a certain range to scan ports.Below scan will scan ports between 20-44.
root@seven:~# root@seven:~# nmap -p 20-443 linuxxcomputing.com Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-19 08:19 EST Nmap scan report for linuxxcomputing.com (107.180.0.245) Host is up (0.036s latency). rDNS record for 107.180.0.245: ip-107-180-0-245.ip.secureserver.net Not shown: 419 filtered ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http 110/tcp open pop3 143/tcp open imap
Scan only open ports
With --open option we can scan the open ports.
nmap --open 107.180.0.245
Save scan result to a file
If you are doing a detailed scan then it's always good idea to save it's results into a file.
root@seven:~# nmap -A -oN /root/Desktop/result.txt linuxxcomputing.com
-o is for output file and N for a new text file.You can use X for saving to XML file.
Scan for live hosts
The below command will scan all the 256(Usable 254) hosts and finds the live hosts on your network.
root@seven:~# root@seven:~# nmap 192.168.0.1/24
These are some basic scanning technique that you must know.I hope it helped you share it among your friends thanks.
Post a Comment
Post a Comment