Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon . Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and service and OS detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including Latency and Congestion during a scan. Wikipedia
[email protected]# nmap host
This is a default scan where you are just passing the hostname/ip-address to the to nmap. In this type of the nmap scanning the nmap scans the top 1000 ports.Top thousands doesn’t mean 1-1000. It means the well known top 1000 ports.
If this scan is run by a PRIVILEGED user then this is RAW SYN STEALTH SCAN and if its run by NON-PRIVILEGED user then its a TCP CONNECT SCAN.
Lets perform a simple nmap scan on metasploitable2 machine.
So as you can see from the image nmap listed out the port which are open on metasploitabl2.
Here you can see the state of ports its open. So the nmap scan and find that these ports are open on target host.
There are four different state of ports
- OPEN: Having this as label to the state of the port, means the port is open.
- CLOSED: Having this as label to the state of the port, means the port is closed and not ready to make the connection.
- FILTERED: Having this as label to the state of the port, means that nmap packet were unable to reach the port to check its status either blocked by firewall or by some sort of router access control rule.
- UNFILTERED: Having this as label to the state of the port, means that nmap packet were able to reach the port to check its status but it was not able to determine the state of the port.
There are two other states
OPEN | FILTERED and CLOSED | FILTERED and its is clear by the name what states its represent.
Nmap cannot determine if the target port is open or filtered.
Nmap cannot determine if the target port is close or filtered.
There are different option available with nmap we can use.
- -sn : Tells nmap no to do port scan after discovering the hosts. Its just to check if the hosts are up or not.
[email protected]# nmap 192.168.0.1/24 -sn
What Nmap do, first it check whether the host is up or not and then it performs port scans. But sometimes icmp echo response is disabled onto the target and nmap unable to detect whether the host is alive or not.
So there is another solution where the nmap will scan the host irrespective or its state alive or dead.
How we do that ?
[email protected]# nmap 192.168.0.105-110 -Pn
This -Pn option allow to do the required thing.
Let’s Try on the Local Network.
In the host discovery section there is another option which can be used to perform a specific scan with specified ports.
- PS: Perform TCP SYN scan.
- PA: Perform TCP ACK scan.
- PU: Perfrom UDP scan.
- PY: Perform SCTP scan.
- PE: Perform ICMP echo scan.
- PP: Perform timestamp scan.
- PM: Perform netmask scan.
[email protected]# nmap host -PS22,53,443
There is no space after PS.
Different Scan Techniques
sS/sT/sA/sW/sM : TCP SYN, TCP connect(), TCP ACK, Window, Maimon Scans
- sU : This performs the UDP scan. It sends the UDP packets to check the status of the ports.
UDP scans are slower and time taking.
Sometimes in nmap scans happens a host responds slow and nmap remain busy in checking the status of that host. TO overcome this problem we can use host timeout.
[email protected]# nmap 192.168.54.1/24 -sU –host-timeout 2m
- sN: TCP NULL. In this there is no flag is set into the packet. The flag is set to zero.
- sF: FIN Scan. In this type only the TCP FIN bit is set.
- sX: Xmas Scan. In this scann three flags are set FIN, PSH and URG.
These scans use the different set of flags. You can customize your flags by –scanflags.
- sO: IP protocol scan. This scan helps to determine which protocol(ICMP, UDP, TCP etc) is supported by the host and at which port.
- p: This option is used to specify the range of the port, or specific ports
- [email protected]# nmap host -p 1,13,443,53 Specific ports
- [email protected]# nmap host -p 1-1111 Range of ports
- [email protected]# nmao host -p- All ports
If you want to scan some specific ports of host(s) on UDP and TCP.
[email protected]#nmap 192.168.54.2 U:53,111,137,T:22,80,8080 -sU -sS
Sometimes a situation happens when service are changed or shifted to another ports. So to check on what port particular services are running.
[email protected]# nmap host -p http,https,ftp
Scan port excluding few port
[email protected]# nmap host -v –exclude-port 80,21,443,22-50
Check Which service are running on port and what version it have with nmap.
[email protected]# nmap 192.168.54.2 -v -sV
Within this command nmap 192.168.54.2 -v -sV we can add –version-intensity 1-9. By default its value is 7.
another extension are :
- –version-light (Intensity 2)
- –version-all (Intensity 9)
Operating System Detection
Operating system of the target host can be found with nmap -O extension.
[email protected]# nmap 192.168.52.2 -O -v
The operating system is visible in the result of above command.
To save the time and stop the nmap to stop wasting time on non-promising hosts we can specify –osscan-limit. Non promising hosts are those hosts which do not have any port open or closed.
[email protected]#nmap hosts -O -v –osscan-limit
To make the above command more robust add -Pn. Which means scan every host irrespective its alive or dead and have atleast one port open or closed.
[email protected]# nmap 192.168.54.2 -O -v -Pn –osscan-limit.
When nmap unable to detect a operating system we can use another technique where nmap guess the operating system.
[email protected]# nmap host -O –version-all -v -Pn –osscan-guess -max-retries 1
Here max retries is set to 1 because its by default 5 which is time consuming. For better luck change its value to higher value.
Instead of –osscan-guess there is another option –fuzzy can be also used.
So that’s was all for today.