Nmap. Getting started


Below you will find 20 basic examples of using the Nmap command.

You will learn how to use Nmap from the Linux command line to find active hosts on the network and scan for open ports.

You will see how to detect a remote operating system from its TCP/IP stack fingerprint and how to find out the version of the software running on a remote server.

I will also show how to run covert scans with Nmap, how to detect a firewall, and how to change the MAC address.

1. Scan a Single Host or IP Address

Scan a single IP address:

$ nmap 192.168.1.1

Scan a server by host name:

$ nmap server.site

Increase the verbosity of the scan results:

$ nmap -v server.site

2. Scanning Multiple IP Addresses

Scan multiple IP addresses:

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ nmap 192.168.1.1,2,3

Scan a subnet:

$ nmap 192.168.1.0/24
$ nmap 192.168.1.*

Scan an IP address range (192.168.1.0 to 192.168.1.200):

$ nmap 192.168.1.0-200

3. Search for Active Computers on the Network

Scan the network for active hosts (ping scan, no port scan):

$ nmap -sn 192.168.1.0/24

4. Scan Host List from File

Scan a list of hosts/networks read from a file:

$ nmap -iL input.txt

File format:

# Entries can be in any of the formats that Nmap accepts on the
# command line (IP addresses, hostnames, CIDR blocks, IPv6 addresses,
# or octet ranges). Entries must be separated by one or more spaces,
# tabs, or newlines.
$ cat input.txt
server.site
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200

5. Excluding IP/Hosts/Networks from Scanning

Exclude targets from an Nmap scan (--exclude takes a comma-separated list; a space would start a new target):

$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3

Exclude a list of hosts read from a file:

$ nmap 192.168.1.0/24 --excludefile exclude.txt

The format of the exclude file is the same as that of the input file above.
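Before running a scan against a list of targets it is worth knowing exactly which addresses the target and exclude specifications expand to, so nothing outside the agreed scope is touched. The following Python is an added example, not code from the original page or from Nmap: it reimplements the target syntax shown in sections 2, 4 and 5 (comma lists and ranges per octet, "*" for 0-255, CIDR blocks, hostnames) and the whitespace-separated, "#"-commented file format, then subtracts the exclusions. IPv6 is not handled, and the sample file contents are constructed.

```python
import ipaddress
import re

# Added example: expands Nmap-style target specifications so the set of
# addresses a scan will touch can be reviewed before the scan is run.
# Independent reimplementation of the syntax described in the text, not
# Nmap's own target parser. IPv4 only.

_OCTET_PART = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _expand_octet(spec):
    """Expand one octet field such as '1,2,3', '0-200' or '*' into a list of ints."""
    if spec == "*":
        return list(range(256))
    values = []
    for part in spec.split(","):
        m = _OCTET_PART.match(part)
        if not m:
            raise ValueError(f"bad octet spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"octet out of range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec):
    """Return the IPv4 addresses (as strings) or the hostname that a target spec denotes."""
    if "/" in spec:                                   # CIDR block, e.g. 192.168.1.0/24
        # iterating the network yields all addresses, network and broadcast included,
        # which matches how Nmap treats a CIDR target
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) == 4 and all(f == "*" or re.fullmatch(r"[\d,\-]+", f) for f in fields):
        octets = [_expand_octet(f) for f in fields]   # octet ranges, e.g. 192.168.1.0-200
        return [f"{a}.{b}.{c}.{d}" for a in octets[0] for b in octets[1]
                for c in octets[2] for d in octets[3]]
    return [spec]                                     # hostname: left for DNS to resolve


def parse_target_file(text):
    """Parse the -iL / --excludefile format: whitespace-separated entries, '#' comments."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]                  # drop comments
        specs.extend(line.split())
    return specs


def scan_scope(target_specs, exclude_specs=()):
    """Targets minus exclusions, deduplicated, in the order they would first be scanned."""
    excluded = set()
    for spec in exclude_specs:
        excluded.update(expand_target(spec))
    scope, seen = [], set()
    for spec in target_specs:
        for host in expand_target(spec):
            if host not in excluded and host not in seen:
                seen.add(host)
                scope.append(host)
    return scope


# Constructed sample input.txt and exclude.txt contents (not real files).
SAMPLE_INPUT = """\
# lab segment
server.site
192.168.1.0/24
192.168.2.1,2,3   192.168.3.0-200
"""
SAMPLE_EXCLUDE = "192.168.1.1 192.168.1.5  # gateway and printer\n"

if __name__ == "__main__":
    scope = scan_scope(parse_target_file(SAMPLE_INPUT), parse_target_file(SAMPLE_EXCLUDE))
    print(f"{len(scope)} targets after exclusions; first few: {scope[:5]}")
```

Running the script prints the number of addresses the scan would cover (459 for the constructed files: one hostname, 256 + 3 + 201 addresses, minus the two exclusions); comparing that number with the scope you were given is a cheap sanity check before the real `nmap -iL input.txt --excludefile exclude.txt`.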

6. Scan Specific Ports

Scan one port:

$ nmap -p 80 192.168.1.1

Scan multiple ports:

$ nmap -p 80,443 192.168.1.1

Scan a port range:

$ nmap -p 80-1000 192.168.1.1

Scan all ports:

$ nmap -p "*" 192.168.1.1

Scan the most common ports:

$ nmap --top-ports 5 192.168.1.1
$ nmap --top-ports 10 192.168.1.1

7. Determining Supported IP Protocols

Determine which IP protocols (TCP, UDP, ICMP, etc.) the scanned host supports:

$ nmap -sO 192.168.1.1

8. TCP/UDP Port Scanning

Scan TCP ports (TCP connect scan):

$ nmap -sT 192.168.1.1

Scan specific TCP ports:

$ nmap -p T:80 192.168.1.1

Scan UDP ports:

$ nmap -sU 192.168.1.1

Scan specific UDP ports:

$ nmap -p U:53 192.168.1.1

Combine TCP and UDP ports in one scan:

$ nmap -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1

9. Quick Scan

Enable fast mode:

$ nmap -F 192.168.1.1

* Scans fewer ports than a regular scan.

10. Show the Reason for a Port's State

Show the reason why Nmap believes a port is in a particular state:

$ nmap --reason 192.168.1.1

11. Show Only Open Ports

Show only open (or possibly open) ports:

$ nmap --open 192.168.1.1

12. OS Detection

One of Nmap's best-known features is remote OS detection based on TCP/IP stack fingerprinting.

Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.

After running many tests, Nmap compares the results with its database and, if a match is found, displays information about the OS.

Enable OS detection:

$ nmap -O 192.168.1.1

13. Determining the Version of Services

Enable service version detection:

$ nmap -sV 192.168.1.1

* Determines the versions of the programs running on the remote server.

14. Firewall Detection

Find out whether a host is protected by packet filters or a firewall (ACK scan):

$ nmap -sA 192.168.1.1

15. MAC Address Spoofing

Spoof the MAC address:

$ nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1

Use a random MAC address:

$ nmap --spoof-mac 0 192.168.1.1

16. Scan Firewall for Vulnerabilities

These three scan types use a subtle loophole in the TCP RFC to tell open ports from closed ones.

When an RFC-compliant system is scanned, any packet that does not have the SYN, RST, or ACK bit set produces an RST response if the port is closed and no response at all if the port is open.

As long as none of those three bits is set, any combination of the remaining three (FIN, PSH and URG) is valid.

TCP Null scan:

$ nmap -sN 192.168.1.1

* No bits are set (the TCP header flags field is 0).

TCP FIN scan:

$ nmap -sF 192.168.1.1

* Only the TCP FIN bit is set.

TCP Xmas scan:

$ nmap -sX 192.168.1.1

* The FIN, PSH and URG flags are set (the packet is lit up like a Christmas tree).
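The rule in the three paragraphs above (RST means closed, silence means open or dropped by a filter) is what Nmap applies to the replies it gets for -sN, -sF and -sX. The Python below is an added example that is not part of the original page or of Nmap: it encodes that inference so the reader can see why these scans report open|filtered rather than open, and how an ICMP unreachable turns into filtered. The "responses" are constructed summaries of replies, not captured packets, and the ICMP code set is the one Nmap's documentation lists for filtered ports.

```python
# Added example: the port-state inference behind Nmap's -sN / -sF / -sX scans,
# written to show the RFC 793 rule from the text, not Nmap's own code.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets the three scan types send; all leave SYN, RST and ACK clear.
PROBES = {"null": 0, "fin": FIN, "xmas": FIN | PSH | URG}

# ICMP type 3 codes treated as "filtered": 1 host, 2 protocol, 3 port,
# 9 net-admin-prohibited, 10 host-admin-prohibited, 13 comm-admin-prohibited.
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}


def is_valid_stealth_probe(flags):
    """RFC 793 loophole applies only to packets with none of SYN, RST, ACK set."""
    return flags & (SYN | RST | ACK) == 0


def infer_state(probe_flags, response):
    """
    response is None (timeout), ("tcp", flags) or ("icmp", type, code):
    a constructed summary of what came back for one port, not a raw packet.
    """
    if not is_valid_stealth_probe(probe_flags):
        raise ValueError("probe must not set SYN, RST or ACK for this rule to apply")
    if response is None:
        return "open|filtered"      # no answer: open port, or a filter dropped the probe
    kind = response[0]
    if kind == "tcp" and response[1] & RST:
        return "closed"             # an RFC-compliant stack answers a closed port with RST
    if kind == "icmp" and response[1] == 3 and response[2] in FILTERED_UNREACH_CODES:
        return "filtered"           # something in the path refused the packet
    return "unknown"                # anything else is not what the RFC predicts


def summarise(probe_name, responses):
    """responses: {port: response}; returns {port: state} for one constructed sweep."""
    flags = PROBES[probe_name]
    return {port: infer_state(flags, resp) for port, resp in responses.items()}


# Constructed replies from an RFC-compliant host: 22 open (silence),
# 23 closed (RST|ACK), 25 behind a filter (ICMP administratively prohibited).
SAMPLE_RESPONSES = {22: None, 23: ("tcp", RST | ACK), 25: ("icmp", 3, 13)}

if __name__ == "__main__":
    for name in PROBES:
        print(f"{name:5s} scan -> {summarise(name, SAMPLE_RESPONSES)}")
```

Two caveats follow directly from the logic. First, silence is ambiguous, so a firewall that silently drops probes makes every port look open|filtered; a filter that sends RST instead makes them all look closed. Second, stacks that do not follow the RFC on this point (Nmap's documentation names Microsoft Windows and many Cisco devices among them) reply with RST regardless of port state, so against such hosts these scans show everything closed and tell you nothing.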

17. Covert Scan

TCP SYN scan:

$ nmap -sS 192.168.0.1

* Known as half-open scanning because it never completes a full TCP connection.

18. Disabling Host Discovery (No Ping)

Do not ping hosts before scanning:

$ nmap -Pn 192.168.1.1

19. Disabling DNS Use

Never do reverse DNS resolution on the active IP addresses discovered.

Are you concerned about the security of your own or any other network? Protecting your router from unwanted connections is key to keeping your network secure. One simple tool for this is Nmap (Network Mapper), a scanning program that checks which ports are open and which are closed, along with other details. Security professionals use it to test network security. To learn how to use the program, see Step 1.

Steps

Using Zenmap

  1. Download the Nmap installer. You can find the installer on the developers' website and download it for free. Downloading from the developers' website is recommended to avoid the risk of viruses or tampered files. Nmap comes with Zenmap, a graphical interface for Nmap that lets beginners run scans without knowing the commands.

    • Zenmap is available for Windows, Linux, and Mac OS X. You can find the installers on the official Nmap website.
  2. Launch the “Nmap – Zenmap” GUI program. If you left all the installation options at their defaults, the program icon should be on your desktop. If not, look in the Start menu and launch Zenmap.
  3. Enter the target of your scan. Zenmap makes network scanning a very simple process. First select the target. You can enter a domain (example.com), an IP address (127.0.0.1), a network (192.168.1.0/24), or a combination of these.

    • Depending on the target and purpose of your scan, using Nmap may violate your ISP's acceptable-use policy. Always check the local rules before scanning anything outside your own network.
  4. Select a profile. Profiles are preset groups of options that change what the scan does. They let you quickly choose between scan types without editing the command line. Choose the profile that best fits your needs:

    • Intense scan - a thorough scan. Includes OS detection, version detection, script scanning and traceroute, with aggressive timing.
    • Ping scan - determines whether the target is online and does not scan ports.
    • Quick scan - faster than a regular scan, using aggressive timing and a reduced port list.
    • Regular scan - a standard Nmap scan with no extra options. The result includes ping and open ports.
  5. Click Scan to start scanning. Live scan results are displayed in the Nmap Output tab. Scan time depends on the selected profile, the physical distance to the target, and the network configuration.
  6. Review your results. When the scan is complete you will see the message “Nmap is done” at the bottom of the Nmap Output tab. You can now check the results, depending on the type of scan you selected. All results are collected in the Output tab, but the other tabs let you examine them in more detail.

    • Ports/Hosts - shows the port scan results, including the services running on those ports.
    • Topology - shows the traceroute for the scan. You can see how many “hops” your data takes to reach the target.
    • Host Details - shows complete information about the target: number of ports, IP addresses, host names, operating system, and more.
    • Scans - records the history of your previous scans, so you can quickly rerun a past scan with a particular set of options.

Using the command line

  1. Install Nmap. Nmap is a small, free program. You can download it from the developer's website. Follow the instructions for your operating system:

  2. Open your command prompt. Nmap commands are run from the command line and print their results right below the command. You can use options to change what the scan does. Scans can be run from any directory on the command line.

  3. Scan the ports you need. To start a simple scan, type nmap <target>. This pings the chosen target and scans its ports. Such a scan is easy to detect. The results are printed on screen; you may have to scroll up to see all of them.

    • Depending on the target and purpose of your scan, using Nmap may be against your ISP's rules. Always check the local rules before scanning anything outside your own network.
  4. Perform a modified scan. Command-line options change the scan parameters, giving a more or less thorough scan. Several options can be combined by separating them with spaces. Options go before the target: nmap <options> <target>

    • -sS - a covert SYN scan. It is harder to detect than a regular scan but may take longer to complete. Most newer firewalls can detect -sS scanning.
    • -sn - a ping scan. It does not scan ports and only checks whether the target is online.
    • -O - determines the operating system of the target.
    • -A - enables more extensive detection: operating system, versions, scripts, and traceroute.
    • -F - enables fast mode and reduces the number of ports scanned.
    • -v - prints more of the scan results, making them more readable.
  5. Write the scan results to an XML file. Scan results can be written to an XML file, which can then easily be opened in any web browser. Use the -oX option followed by the output file name. The complete command looks like this: nmap -oX ScanResults.xml <target>

    • The XML file is saved in the current directory of your command line.
  • Wondering how the scan is going? Press the space bar or any key while the scan is running to see Nmap's progress.
  • Target not responding? Try adding the “-P0” option (-Pn in current Nmap releases). Nmap will then scan even if it "thinks" the target does not exist. This is useful when the computer is protected by a firewall.
  • If your scan takes a long time (more than 20 minutes), try adding the “-F” option so that Nmap scans only the most frequently used ports.
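Opening the -oX file in a browser is fine for a single host; for recurring scans of your own network the more useful step is to parse the XML and compare the open ports against the list of services that are supposed to be exposed. The Python below is an added example, not part of the original page or of Nmap: it reads Nmap's XML output format with the standard library, lists open ports per host, and reports anything not in a per-host allow-list. The XML is a constructed sample in Nmap's format (host, address, port, state and service elements), not a real scan, and the OpenSSH version string in it is invented.

```python
import xml.etree.ElementTree as ET

# Added example: reader for Nmap -oX output plus an allow-list comparison.
# Not part of the original page or of Nmap; SAMPLE_XML is a constructed
# document in Nmap's XML layout, not the output of a real scan.

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX ScanResults.xml 192.168.1.1">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <hostnames><hostname name="server.site" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.2"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return a list of hosts, each with its address, hostname, status and port records."""
    root = ET.fromstring(text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")          # absent when -sV was not used
            entry["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append(entry)
    return hosts


def open_ports(hosts):
    """{address: {"tcp/22", ...}} for every port Nmap reported as open."""
    return {h["addr"]: {f"{p['proto']}/{p['port']}" for p in h["ports"] if p["state"] == "open"}
            for h in hosts}


def unexpected_exposure(hosts, baseline):
    """Open ports not present in the per-host allow-list of expected services."""
    result = {}
    for addr, ports in open_ports(hosts).items():
        extra = ports - baseline.get(addr, set())
        if extra:
            result[addr] = extra
    return result


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    expected = {"192.168.1.1": {"tcp/22", "tcp/80"}}   # constructed allow-list
    for h in hosts:
        for p in h["ports"]:
            print(f"{h['addr']} {p['proto']}/{p['port']:<5} {p['state']:<7} "
                  f"{p['service'] or '?'} {p['product']} {p['version']}".rstrip())
    print("unexpected:", unexpected_exposure(hosts, expected))
```

Run after each scheduled `nmap -sV -oX ScanResults.xml <target>`, the allow-list comparison turns a wall of port listings into a short list of services that appeared without anyone planning them, which is the thing worth alerting on.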

Today almost any user can say what an IP network scanner is: a program that identifies a particular computer on a local network or at the moment an Internet connection is established. How such a system works is far less widely understood. What is a network scanner? Broadly, all commands and programs of this type can be divided into several classes according to the parameters they determine. A software network scanner has to operate in several modes, including determining the external and internal IP addresses of connected devices, recognising wireless networks, running diagnostics, and accessing resources over the HTTP and FTP protocols.

Windows operating system tools for scanning

Operating systems of the Windows family have a built-in tool for determining IP addresses. Addresses are, as a rule, assigned automatically by the provider for the duration of the session; in the network settings you simply select "Obtain an IP address automatically". The gateway and subnet mask are set in the same way, and the primary and alternative DNS servers are not used in that case. Sometimes their addresses must be entered manually, particularly when the connection is set up through Google's services. Any internal address can be checked with the simplest ping command, entered at the console with the internal address of the local computer or terminal that connects to the corporate network. To see the addresses of all devices currently connected through one of the network protocols, use the ipconfig command. Many users underestimate the command line, but it is here that, by appending /renew or /release6 to the main command, you can apply the automatic IPv6 settings or refresh the configuration handed out by the DHCP server.

External request based on ping command

External requests via the ping command are, for the most part, made only by the network administrator or the provider. The drawback of this method is that it determines only the external address of the device connected to the Internet; the internal address may be hidden or assigned automatically. When checking virtual WLAN networks, only the ADSL modem or router is pinged, and its address bears no relation to the address of the local computer terminal.

Wi-Fi Network Scanner

Let us move on to the software products themselves. It is hardly worth mentioning that in Google Play you can download a free utility that recognises the wireless networks near the user. If you search the Internet thoroughly, you can find not just a network scanner but an entire software package that allows you to crack a password and even act as an anonymiser, something like using virtual proxies and access protocols. The essence of the matter comes down to finding an unused address or connecting to it. Thus any IP address scanner on the network determines addresses based on those allocated by the provider; the service itself, provided it uses a virtual proxy server, can only guess at this.

The simplest programs

Among all the variety that can be found on the Internet today, the most popular are the following software products:

— scanner of public wireless networks Free WiFi Detector;

— local port and IP address scanner Net Scan;

— a tool for wireless networks InSSiDer;

— a system for checking free addresses that are not involved in local connections - Angry IP Scanner.

All network scanners of the type mentioned above work on the same principle: determining the external IP address of the connected device, whether it is a mobile device, a laptop or a desktop computer. All applications in the "Windows 7 network scanner" category use a hidden ping command that the user may not even be aware of. In this case the external request is not carried out as a Windows operation but by the application's own code, taking into account the protocol in use and the DHCP server. Failures may occur in the proxy server connection option. To change these settings, use the network or network adapter settings and set them to prohibit the use of a proxy for local addresses; these are at least the IPv4 protocol settings.

Mobile applications are also quite popular. In the simplest case, the following example can be given. Suppose a user comes to a cafe and urgently needs to send an email or write a message, but does not know the password for the wireless network. If the appropriate application is installed on the tablet or smartphone, the network scanner works automatically and detects the nearest wireless network. Depending on the software product, there may even be an option for passwordless access to the network. That option, however, is illegal. There is probably no need to repeat that there are a huge number of hackers today, and applications of this type are sometimes among their tools. At the same time, few realise that a network IP address scanner only determines the source through which the Internet connection and network access are made.

Conclusion

The worst part is that not a single program of this type, when scanning external and internal addresses, can bypass the hosts configuration file, which stores mappings for standard addresses. Its contents may contain entries that block certain resources, and in the Windows family this file takes a very high priority, even over proxy and DNS servers. Therefore, before installing a network scanner, think about whether the product is worth using at all. Unfortunately, scanner applications that are not controlled by the Windows operating system can cause conflicts at the system level; for example, some dynamic libraries needed for the correct functioning of Windows and device drivers may be blocked. You should also consider the legality of probing certain wireless networks, not to mention installing software from unofficial sources.

12/09/2016

SoftPerfect Network Scanner is a program designed primarily for system administrators. It scans the network for shared resources and also checks whether open ports are listening. The program shows all shared resources, including system shares, which is very helpful in troubleshooting network problems. In addition, it can mount one or more such resources as a network drive. There are functions for automatic port detection, vulnerability scanning and determining the range of user IP addresses. Network Scanner can use various protocols for scanning. In and...

24/12/2015

PortExpert is a small but very useful program that will help you track all applications connected to the Internet. The application displays detailed information about all active processes found. Checking with PortExpert will help identify all threats and unwanted elements in the system that slow down its operation. Monitoring of all active applications is carried out using TCP/UDP. With PortExpert you can quickly determine the location of remote servers and see all hidden processes. The program allows you to search for the necessary information and automatically identify all related services.

30/10/2015

Nmap is a program for testing various networks to detect open ports or other network security threats. I must say that this program is one of the simplest in its class and has many different methods that help detect open ports or other threats. The main interface of the program is a regular command line and a notification window. You can enter various data on the command line, for example, you can specify checking only certain ports or addresses. Please note that to work with the program, it is advisable to have knowledge about the device...

26/03/2015

Advanced IP Scanner is a useful utility that performs instant and high-quality scanning of networks of dozens of computers. It checks and provides accurate information on IP, MAC addresses, helps to obtain data about connected devices, and even determines machine names. The application checks ports and finds folders that are accessible; it will help you find out the manufacturers of routers and network cards. The scanner works perfectly with all machines running the Radmin server. To connect to these machines, it is recommended to install Radmin Viewer. Another useful and important feature is the ability to remotely turn off the machine...

13/03/2015

Wireless Network Watcher is a useful utility that scans all wireless networks and shows all devices and machines that will be connected at a given time. For each device or machine found, the program provides IP, MAC addresses and the name of the network card, the name of the device or computer. The user can customize the format of the displayed MAC address. You can scan in the background and also place an icon in the Windows taskbar for instant access. You can set a specific sound to detect new connected devices. Moreover, it gives users the opportunity to choose the...

One of Nmap's best-known features is remote OS detection based on TCP/IP stack analysis. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit of the responses. After running a dozen tests such as TCP ISN sampling, TCP option support, IP ID sampling and uptime analysis, Nmap compares the results with its nmap-os-db database of more than a thousand known fingerprints for various operating systems and, when a match is found, displays information about the OS. Each fingerprint contains a free-text description of the OS and a classification that gives the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc.).

If Nmap cannot detect the OS but has good reason to expect that it could (for example, at least one open and one closed port was found), it prints a URL where, if you know exactly which OS is running, you can submit its fingerprint. By doing so you contribute to Nmap's database of known OSes, making it more useful to everyone else.

The OS detection option also enables some other tests that make use of the information collected along the way. One is the TCP Sequence Predictability Classification, which gives a rough measure of how hard it is to establish a forged TCP connection with the remote host. This can be useful for hacking and exploiting trust-based programs (rlogin, firewall filters, etc.) or for hiding the source of an attack. This type of spoofing is rarely used anymore, but many machines are still vulnerable to it. The difficulty number is based on statistical sampling and may fluctuate, so it is usually better to go by the English classification, such as “worthy challenge” or “trivial joke”. This information is only shown in verbose mode (-v). When verbose mode is combined with -O, the IP ID sequence generation class is also reported. Most machines are in the “incremental” class, which means they increment the ID field in the IP header for every packet sent. This makes them vulnerable to spoofing attacks and advanced information-gathering attacks.
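The IP ID class in the paragraph above is derived from a handful of IP IDs observed in consecutive replies from the host. The Python below is an added example, not part of the original page or of Nmap, that shows how such a sequence is classified: all zero, incremental, broken increment (a counter stored byte-swapped), random positive increments, or random. The class names follow the ones Nmap prints, but the thresholds are this example's own assumptions, not Nmap's documented values, and the sample sequences are constructed. From the defender's side the point is inventory: hosts that come out as incremental or broken-increment expose a global packet counter, which is the property the text says makes them vulnerable to spoofing and information-gathering attacks.

```python
# Added example: a simplified classifier for IP ID sequences, in the spirit of
# the classes Nmap reports. Thresholds are assumptions for this example, not
# Nmap's documented values. Not Nmap's own code.


def ipid_differences(ids, modulus=1 << 16):
    """Differences between consecutive 16-bit IP IDs, modulo the field size (handles wrap)."""
    return [(b - a) % modulus for a, b in zip(ids, ids[1:])]


def classify_ipid(ids):
    """Classify a sequence of IP IDs observed in consecutive replies from one host."""
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    if all(i == 0 for i in ids):
        return "Z"            # all zero: the field is unused
    if len(set(ids)) == 1:
        return "constant"     # same non-zero value every time
    diffs = ipid_differences(ids)
    if any(d >= 20000 for d in diffs):
        return "RD"           # random: a jump too large for any counter
    if all(d < 10 for d in diffs):
        return "I"            # incremental: a shared global counter
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "BI"           # broken increment: counter stored byte-swapped
    if all(d > 0 for d in diffs):
        return "RI"           # random positive increments
    return "unclassified"


def leaks_traffic_count(cls):
    """Classes where an observer can infer how many packets the host sent between probes."""
    return cls in {"I", "BI"}


# Constructed samples; on a real host they would be read from the IP header of replies.
SAMPLES = {
    "global-counter": [4101, 4102, 4103, 4105, 4106],
    "byte-swapped":   [0x0100, 0x0200, 0x0300, 0x0400],
    "wrapping":       [65530, 65533, 2, 5],
    "random":         [5, 30000, 12, 50000],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        cls = classify_ipid(ids)
        print(f"{name:14s} -> {cls:12s} leaks traffic count: {leaks_traffic_count(cls)}")
```

The "wrapping" sample shows why the differences are taken modulo 65536: a counter that rolls over from 65533 to 2 is still incremental, and a naive subtraction would misclassify it as random.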

OS detection also tries to determine the uptime of the target machine. Using TCP timestamps (RFC 1323), Nmap estimates when the machine was last rebooted. The information may be inaccurate because the timestamp counter is not always reset to zero, may overflow, or may be hidden in some way. It is only shown in verbose mode.

Paper documentation on the operation, use and configuration of the OS detection option is located on.

The OS detection feature is enabled and controlled using the following options:

-O (Enable OS detection)

Enables OS detection, as described above. Alternatively, use the -A option, which enables OS detection along with other functions.

--osscan-limit (Use the OS detection function only for "promising" hosts)

OS detection is much more effective if at least one open and one closed TCP port is found. Set this option and Nmap will not even attempt OS detection against hosts that do not meet this criterion. This can save a lot of time, particularly on -PN scans of many hosts. It only has an effect when OS detection has been requested with -O or -A.

--osscan-guess ; --fuzzy (Guess the OS detection results)

When Nmap cannot find an exact match, it sometimes offers the closest matches. By default these near-matches must be very close for Nmap to print them. Either of these (equivalent) options makes Nmap guess more aggressively. Nmap will still tell you when an imperfect match is printed and will show the match percentage for each fingerprint.

--max-os-tries (Sets the maximum number of attempts to detect the OS)

When Nmap tries to determine the OS of a target host and cannot find a perfect match, it usually tries again. By default, Nmap makes five attempts if the conditions for OS detection are favourable, and two otherwise. Setting --max-os-tries to a lower value (e.g. 1) speeds Nmap up, but you miss some retries that might have identified the OS. A larger value can be set to allow more attempts under favourable conditions. This is rarely done, except when a more detailed fingerprint is needed for submission to the Nmap database.

2024 gtavrl.ru.