NSE scripts. Nmap Help Guide (Man Page)


nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

Description

Nmap ("Network Mapper") is an open source network exploration and security testing utility. It was designed for quickly scanning large networks, although it also works well with single targets. Nmap uses raw IP packets in ingenious ways to determine what hosts are available on the network, what services (application name and version) they offer, what operating systems (and OS versions) they use, what types of packet filters/firewalls they use, and dozens of other characteristics. While Nmap is typically used for security testing, many system administrators find it useful for common tasks such as monitoring network structure, managing service upgrade schedules, and keeping track of host or service uptime.

The output of Nmap is a list of scanned targets with additional information for each depending on the options specified. The key information is the "important ports table". This table contains the port number, protocol, service name, and state. The state can be open, filtered, closed, or unfiltered. Open means that an application on the target machine is ready to establish a connection/receive packets on that port. Filtered means that a firewall, network filter, or some other network obstacle is blocking the port, and Nmap cannot determine whether the port is open or closed. Closed ports have no application listening on them, but they could be opened at any time. Ports are considered unfiltered when they respond to Nmap probes, but Nmap cannot determine whether they are open or closed. Nmap reports open|filtered and closed|filtered when it cannot determine which of these two states describes a port. This table can also provide details about the software version if requested. When performing an IP protocol scan (-sO), Nmap provides information about supported IP protocols rather than open ports.

In addition to the table of important ports, Nmap can provide further information about targets: resolved DNS names, guesses about the operating system being used, device types, and MAC addresses.

A typical scan using Nmap is shown in Example 1. The only arguments used in this example are -A, which enables OS and version detection, script scanning, and traceroute; -T4 for faster execution; and then the two target hosts.

Example 1: Typical scanning example with Nmap

# nmap -A -T4 scanme.nmap.org playground

Starting Nmap (https://nmap.org/)
Interesting ports on scanme.nmap.org (64.13.134.52):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.0.52 ((Fedora))
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11

Interesting ports on playground.nmap.org (192.168.0.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1002/tcp open  windows-icfw?
1025/tcp open  msrpc        Microsoft Windows RPC
1720/tcp open  H.323/Q.931  CompTek AquaGateKeeper
5800/tcp open  vnc-http     RealVNC 4.0 (Resolution 400x250; VNC port: 5900)
5900/tcp open  vnc          VNC (protocol 3.8)
MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP

Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds


The latest version of Nmap can be downloaded from


    Preamble

    nmap - Network exploration utility and port scanner


    Options Summary

    Usage:
    nmap [Scan Type(s)] [Options] (specified_targets)

    TARGET SPECIFICATION:

    Can pass hostnames, IP addresses, networks, etc.
    Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
    -iL <inputfilename>: Input from list of hosts/networks
    -iR <num hosts>: Choose random targets
    --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
    --excludefile <exclude_file>: Exclude list from file

    HOST DISCOVERY:

    -sL: List Scan - simply list targets to scan
    -sn: Ping Scan - only determine whether the host is up
    -Pn: Treat all hosts as up - skip host discovery
    -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery probes to the given ports
    -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
    -PO[protocol list]: IP protocol ping
    -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
    --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
    --system-dns: Use the OS's DNS resolver
    --traceroute: Trace the hop path to each host

    SCAN TECHNIQUES:

    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    -sU: UDP scan
    -sN/sF/sX: TCP Null, FIN, and Xmas scans
    --scanflags <flags>: Customize TCP scan flags
    -sI <zombie host[:probeport]>: Idle scan
    -sY/sZ: SCTP INIT/COOKIE-ECHO scans
    -sO: IP protocol scan
    -b <FTP relay host>: FTP bounce scan

    PORT SPECIFICATION AND SCAN ORDER:

    -p <port ranges>: Only scan specified ports
      Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
    -F: Fast mode - scan fewer ports than the default scan
    -r: Scan ports consecutively - do not randomize
    --top-ports <number>: Scan the <number> most common ports
    --port-ratio <ratio>: Scan ports more common than <ratio>

    SERVICE/VERSION DETECTION:

    -sV: Probe open ports to determine service/version info
    --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
    --version-light: Limit to the most likely probes (intensity 2)
    --version-all: Try every single probe (intensity 9)
    --version-trace: Show detailed version scan activity (for debugging)

    SCRIPT SCAN:

    -sC: equivalent to --script=default
    --script=<Lua scripts>: <Lua scripts> is a comma-separated list of directories, script files, or script categories
    --script-args=<n1=v1,[n2=v2,...]>: Provide arguments to scripts
    --script-args-file=filename: Provide NSE script arguments in a file
    --script-trace: Show all data sent and received
    --script-updatedb: Update the script database
    --script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script files or script categories.

    OS DETECTION:

    -O: Enable OS detection
    --osscan-limit: Limit OS detection to promising targets
    --osscan-guess: Guess OS more aggressively

    TIMING AND PERFORMANCE:

    Options which take <time> are in milliseconds, unless you append "s" (seconds), "m" (minutes), or "h" (hours) to the value (e.g. 30m).
    -T<0-5>: Set timing template (higher is faster)
    --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
    --min-parallelism/max-parallelism <numprobes>: Probe parallelization
    --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Adjust how long to wait for a probe response
    --max-retries <tries>: Cap the number of port scan probe retransmissions
    --host-timeout <time>: Give up on slow targets after this long
    --scan-delay/--max-scan-delay <time>: Adjust the delay between probes
    --min-rate <number>: Send packets no slower than <number> per second
    --max-rate <number>: Send packets no faster than <number> per second

    FIREWALL/IDS EVASION AND SPOOFING:

    -f; --mtu <val>: Fragment packets (optionally with the given MTU)
    -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
    -S <IP_Address>: Spoof source address
    -e <iface>: Use specified interface
    -g/--source-port <portnum>: Use the given source port number
    --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
    --data-length <num>: Append random data to sent packets
    --ip-options <options>: Send packets with the specified IP options
    --ttl <val>: Set the IP time-to-live field
    --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
    --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

    OUTPUT:

    -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
    -oA <basename>: Output in the three major formats at once
    -v: Increase verbosity level (use twice or more for greater effect)
    -d: Increase debugging level (up to 9)
    --reason: Display the reason a port is in a particular state
    --open: Only show open (or possibly open) ports
    --packet-trace: Show all packets sent and received
    --iflist: Print host interfaces and routes (for debugging)
    --log-errors: Log errors/warnings to the normal-format output file
    --append-output: Append to rather than overwrite the specified output files
    --resume <filename>: Resume an aborted scan
    --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
    --webxml: Reference the stylesheet from Nmap.Org for more portable XML
    --no-stylesheet: Prevent associating an XSL stylesheet with the XML output

    MISC:

    -6: Enable IPv6 scanning
    -A: Enable OS detection, version detection, script scanning, and traceroute
    --datadir <dirname>: Specify a custom Nmap data file location
    --send-eth/--send-ip: Send using raw ethernet frames or IP packets
    --privileged: Assume that the user is fully privileged
    --unprivileged: Assume that the user lacks raw socket privileges
    -V: Print version number
    -h: Print this help summary page

    RUNTIME INTERACTION:

    Note: these keys will not work under "sudo nmap", so use "sudo -i" first.
    While running, you can query nmap with the following keys:
    ?   Show this information
    v/V Increase/decrease verbosity
    d/D Increase/decrease debugging
    p/P Enable/disable packet tracing
    Any other key prints the current status line.

    Target Specification

    On the Nmap command line, anything that is not an option (or an option argument) is treated as a scan target. In the simplest case, the IP address or network name of the target machine is used for scanning.

    Sometimes you need to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style addressing. You can append /<numbits> to an IP address or hostname and Nmap will scan every IP address whose first <numbits> are the same as those of the given host. For example, 192.168.10.0/24 will scan the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111) inclusive. 192.168.10.40/24 would do exactly the same thing. Given that scanme.nmap.org has the IP address 64.13.134.52, the specification scanme.nmap.org/16 would scan the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which targets the whole Internet. The largest value is /32, which scans only the named host or IP address, because all address bits are fixed.

    CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending in .0 or .255, because these are usually broadcast addresses. Nmap supports this through octet range addressing. Rather than specifying a normal IP address, you can give a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37 will scan all Internet addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.

    IPv6 addresses can only be specified in their standard, fully written IPv6 form. CIDR notation and octet ranges are not supported for IPv6 addresses, because they are rarely used there.

    You can pass several target specifications on the Nmap command line, and they need not be of the same type. The command nmap scanme.nmap.org 192.168.0.0/16 10.0.0,1,3-7.0-255 does what you would expect.

    Scan targets are usually specified on the command line, and there are various options to control target selection:

    -iL <inputfilename> (Input from list)

    Reads target specifications from <inputfilename>. Passing a huge list of hosts on the command line is common, but awkward. For example, your DHCP server might export a list of 10,000 addresses it currently leases, and you want to scan them. Or perhaps you want to scan all IP addresses except the ones it has assigned, to detect unauthorized use of static IP addresses. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the filename if you want Nmap to read hosts from standard input rather than from an actual file.

    -iR <num hosts> (Choose random targets)

    For Internet-wide surveys and other research, you may want to choose targets at random. The <num hosts> argument tells Nmap how many IP addresses to generate. Undesirable IP addresses such as those in private, broadcast, or unallocated address ranges are automatically skipped. An argument of 0 can be specified for a never-ending scan. Keep in mind that some network administrators may not like unauthorized scans of their networks and may complain. Use this option at your own risk! If you find yourself bored one rainy afternoon, try nmap -sS -PS80 -iR 0 -p 80 to scan random web servers.

    --exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)

    Specifies a comma-separated list of targets to be excluded from the scan, even if they are part of the overall network range you specify. The list uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc. This option can be useful when the network you wish to scan includes servers or systems that are known to react adversely to port scans, or subnets administered by other people.

    --excludefile <exclude_file> (Exclude list from file)

    This offers the same functionality as --exclude, except that the excluded targets are provided in a newline-, space-, or tab-delimited <exclude_file> rather than on the command line.
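As an added illustration, not from the Nmap man page, here is a small Python expander for the IPv4 target notation described above (CIDR with a /numbits suffix, per-octet lists and ranges) that also drops any address covered by an --exclude-style list. It assumes IPv4 literals only (hostnames are not resolved), and the function names are this example's own.

```python
import ipaddress


def _octet_values(field):
    """Expand one octet field ('5', '0-255', '0,1,3-7') into a sorted list of ints."""
    values = set()
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            # An empty bound means the octet's extreme: '-' is 0-255, '1-' is 1-255.
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet field %r" % field)
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec):
    """Yield IPv4Address objects for one Nmap-style IPv4 target specification.

    Handles a plain address, CIDR '/numbits' (0..32) and per-octet
    lists/ranges such as 192.168.0-255.1-254 or 10.0.0,1,3-7.0-255.
    Hostnames are not resolved (assumption: IPv4 literals only).
    """
    if "/" in spec:
        base, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= 32:
            raise ValueError("netmask bits must be between 0 and 32")
        # strict=False keeps the host bits, so 192.168.10.40/24 equals 192.168.10.0/24.
        # Iterating a network yields every address, .0 and .255 included,
        # which is what Nmap scans for a /24.
        yield from ipaddress.IPv4Network((base, bits), strict=False)
        return
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError("expected four dotted octets in %r" % spec)
    o1s, o2s, o3s, o4s = (_octet_values(f) for f in fields)
    for o1 in o1s:
        for o2 in o2s:
            for o3 in o3s:
                for o4 in o4s:
                    yield ipaddress.IPv4Address((o1 << 24) | (o2 << 16) | (o3 << 8) | o4)


def expand_targets(specs, exclude=()):
    """Expand a list of specs (as given on the nmap command line), honouring an
    --exclude list: every address covered by an exclude spec is dropped."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in excluded:
                yield addr


def count_targets(specs, exclude=()):
    """Number of addresses the given specs would hand to the scanner."""
    return sum(1 for _ in expand_targets(specs, exclude))


if __name__ == "__main__":
    for spec in ("192.168.10.0/24", "192.168.10.40/24",
                 "192.168.0-255.1-254", "10.0.0,1,3-7.0-255"):
        print("%-22s -> %d addresses" % (spec, count_targets([spec])))
    print("192.168.10.0/24 --exclude 192.168.10.1 ->",
          count_targets(["192.168.10.0/24"], ["192.168.10.1"]))
```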

    There are four types of NSE scripts, namely:

    • Prerule scripts - scripts that run before any of Nmap's scan operations; they are executed when Nmap has not gathered any information about a target yet.
    • Host scripts - scripts executed after Nmap has performed normal operations such as host discovery, port scanning, version detection, and OS detection against a target host.
    • Service scripts - scripts run against specific services listening on a target host.
    • Postrule scripts - scripts run after Nmap has scanned all of its target hosts.

    These scripts are grouped under various categories, including those for authentication (auth), discovering hosts (broadcast), brute force attacks to guess authentication credentials (brute), discovering more about a network (discovery), causing a denial of service (dos), exploiting some vulnerability (exploit), etc. A number of scripts belong to the default category.

    Note: Before we move any further, you should take a note of these key points:

    • Do not execute scripts from third parties without critically looking through them or only if you trust the authors. This is because these scripts are not run in a sandbox and thus could unexpectedly or maliciously damage your system or invade your privacy.
    • Secondly, many of these scripts may possibly run as either a prerule or postrule script. Considering this, it is recommended to use a prerule for purposes of consistency.
    • Nmap uses the scripts/script.db database to figure out the available default scripts and categories.

    To see the location of all available NSE scripts, run the following command in the terminal:

    $ locate *.nse

    /usr/share/nmap/scripts/acarsd-info.nse
    /usr/share/nmap/scripts/address-info.nse
    /usr/share/nmap/scripts/afp-brute.nse
    /usr/share/nmap/scripts/afp-ls.nse
    /usr/share/nmap/scripts/afp-path-vuln.nse
    /usr/share/nmap/scripts/afp-serverinfo.nse
    /usr/share/nmap/scripts/afp-showmount.nse
    /usr/share/nmap/scripts/ajp-auth.nse
    /usr/share/nmap/scripts/ajp-brute.nse
    /usr/share/nmap/scripts/ajp-headers.nse
    /usr/share/nmap/scripts/ajp-methods.nse
    /usr/share/nmap/scripts/ajp-request.nse
    /usr/share/nmap/scripts/allseeingeye-info.nse
    /usr/share/nmap/scripts/amqp-info.nse
    /usr/share/nmap/scripts/asn-query.nse
    ...

    NSE scripts are loaded using the --script flag, which also allows you to run your own scripts by providing categories, script file names, or the name of directories where your scripts are located.

    The syntax for enabling scripts is as follows:

    $ nmap -sC target        # load the default scripts
    OR
    $ nmap --script filename|category|directory|expression,... target

    You can view a description of a script with the --script-help option. Additionally, you can pass arguments to some scripts via the --script-args and --script-args-file options; the latter takes a filename rather than a command-line argument.

    To perform a scan with most of the default scripts, use the -sC flag or alternatively use --script=default as shown.

    $ nmap -sC scanme.nmap.org
    OR
    $ nmap --script=default scanme.nmap.org
    OR
    $ nmap --script default scanme.nmap.org

    Sample Output

    Starting Nmap 7.01 (https://nmap.org) at 2017-11-15 10:36 IST
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.0027s latency).
    Not shown: 999 filtered ports
    PORT   STATE SERVICE
    80/tcp open  http
    |_http-title: Go ahead and ScanMe!

    Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds

    To use a script for the appropriate purpose, you can first of all get a brief description of what it actually does, for instance http-headers.

    $ nmap --script-help http-headers scanme.nmap.org

    Sample Output
    Starting Nmap 7.01 (https://nmap.org) at 2017-11-15 10:37 IST

    http-headers
    Categories: discovery safe
    https://nmap.org/nsedoc/scripts/http-headers.html
      Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.

    Loading NSE Scripts To Perform Nmap Scans

    You can select or load scripts to perform a scan in different methods explained below.

    Using Script Name

    Once you know what a script does, you can perform a scan using it. You can use one script or a comma-separated list of script names. The command below lets you view the HTTP headers configured on the web server at the target host.

    $ nmap --script http-headers scanme.nmap.org

    Scan HTTP Headers

    Starting Nmap 7.01 (https://nmap.org) at 2017-11-15 10:39 IST
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.27s latency).
    Not shown: 996 closed ports
    PORT      STATE    SERVICE
    22/tcp    open     ssh
    80/tcp    open     http
    | http-headers:
    |   Date: Wed, 15 Nov 2017 05:10:04 GMT
    |   Server: Apache/2.4.7 (Ubuntu)
    |   Accept-Ranges: bytes
    |   Vary: Accept-Encoding
    |   Connection: close
    |   Content-Type: text/html
    |
    |_  (Request type: HEAD)
    179/tcp   filtered bgp
    31337/tcp open     Elite

    Nmap done: 1 IP address (1 host up) scanned in 20.96 seconds

    Using Categories

    You can also load scripts from one category or from a comma-separated list of categories. In this example, we are using all scripts in the default and broadcast category to carry out a scan on the host 192.168.56.1 .

    $ nmap --script default,broadcast 192.168.56.1

    Using * Wildcard

    This is useful when you want to select scripts with a given name pattern. For example to load all scripts with names starting with ssh, run the command below on the terminal:

    $ nmap --script "ssh-*" 192.168.56.1

    Using Boolean Expressions

    You can also select scripts using boolean expressions, which you build with the and, or, and not operators. A name in a boolean expression may be a category, a filename from script.db, or all.

    The following command will load scripts from the default or broadcast categories.

    $ nmap --script "default or broadcast" 192.168.56.10

    Which is equivalent to:

    $ nmap --script default,broadcast 192.168.56.10

    To load all scripts omitting those in the vuln category, run this command on the terminal.

    $ nmap --script "not vuln" 192.168.56.10

    The next command looks a little complicated, but it is easy to understand: it selects scripts in the default or broadcast categories, leaving out those with names starting with ssh-:

    $ nmap --script "(default or broadcast) and not ssh-*" 192.168.56.10

    Importantly, it is possible to combine categories, script names, a directory containing your custom scripts or a boolean expression to load scripts, like this:

    $ nmap --script broadcast,vuln,ssh-auth-methods,/path/to/custom/scripts 192.168.56.10
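The selection rules above, and the script.db lookup mentioned earlier, as an added Python example that is not part of Nmap or of this article: it parses a constructed script.db in Nmap's Entry format and evaluates --script expressions (and/or/not, parentheses, commas, * wildcards, all) against it. The script names follow Nmap's naming, but the category assignments in the sample are made up for this example and the function names are its own.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the format of Nmap's scripts/script.db (one Lua
# "Entry" per script). The category assignments are sample data for this
# example, not copied from Nmap; example-vuln-check.nse is a placeholder name.
SCRIPT_DB = '''
Entry { filename = "broadcast-ping.nse", categories = { "discovery", "safe", "broadcast", } }
Entry { filename = "example-vuln-check.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh-auth-methods.nse", categories = { "auth", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "safe", "default", "discovery", } }
'''

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}')


def parse_script_db(text):
    """Return {script filename: set of categories} from script.db text."""
    return {m.group(1): set(re.findall(r'"([^"]+)"', m.group(2)))
            for m in ENTRY_RE.finditer(text)}


def _name_matches(name, filename, categories):
    """One operand of a --script expression: 'all', a category, or a script
    name (with or without .nse; '*' wildcards are allowed)."""
    if name == "all":
        return True
    base = filename[:-4] if filename.endswith(".nse") else filename
    return (fnmatchcase(filename, name) or fnmatchcase(base, name)
            or any(fnmatchcase(cat, name) for cat in categories))


def _tokenize(expr):
    return re.findall(r"\(|\)|,|[^\s(),]+", expr)


class _Parser:
    """Recursive-descent parser: 'not' binds tightest, then 'and', then 'or'.
    A comma is treated as 'or', so 'default,broadcast' == 'default or broadcast'."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() in ("or", ","):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok == "not":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')' in --script expression")
            return node
        if tok is None or tok in (")", ",", "and", "or"):
            raise ValueError("unexpected token %r in --script expression" % tok)
        return ("name", tok)


def parse_expr(expr):
    """Parse a --script expression into a small tree of tuples."""
    parser = _Parser(_tokenize(expr))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing input %r in --script expression" % parser.peek())
    return tree


def _eval(node, filename, categories):
    kind = node[0]
    if kind == "name":
        return _name_matches(node[1], filename, categories)
    if kind == "not":
        return not _eval(node[1], filename, categories)
    left = _eval(node[1], filename, categories)
    if kind == "and":
        return left and _eval(node[2], filename, categories)
    return left or _eval(node[2], filename, categories)


def select_scripts(expr, db):
    """Sorted list of the script filenames a --script expression selects from db."""
    tree = parse_expr(expr)
    return sorted(name for name, cats in db.items() if _eval(tree, name, cats))


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    for e in ("default", "default or broadcast", "not vuln",
              "(default or broadcast) and not ssh-*"):
        print("%-38s -> %s" % (e, ", ".join(select_scripts(e, db))))
```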

    Passing Arguments to NSE Scripts

    Below is an example showing how to pass arguments to scripts with the --script-args option:

    $ nmap --script mysql-audit --script-args "mysql-audit.username='root', \
      mysql-audit.password='password_here', mysql-audit.filename='nselib/data/mysql-cis.audit'"

    To pass a port number, use the -p nmap option:

    $ nmap -p 3306 --script mysql-audit --script-args "mysql-audit.username='root', \
      mysql-audit.password='password_here', mysql-audit.filename='nselib/data/mysql-cis.audit'"

    This above command runs an audit of the MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark. You can as well create your own useful custom audit files for other MySQL audits.

    That's it for now. You can find more information in the nmap man page or check out NSE Usage.

    To get started with writing your own NSE scripts, check out this guide: https://nmap.org/book/nse-tutorial.html

    Conclusion

    Nmap is a really powerful and useful tool that every system or network administrator needs in his/her security arsenal – NSE simply adds more efficiency to it.

    In this article, we introduced you to the Nmap Script Engine, and looked at how to find and use the various available scripts under different categories. If you have any questions, do not hesitate to write back to us via the comment form below.

    Nmap is a very popular open source network scanner that can be used on both Windows and Linux. Nmap, or Network Mapper, was developed by Gordon Lyon and is currently used by security professionals and system administrators around the world.

    This program helps system administrators very quickly understand which computers are connected to the network, find out their names, and also see what software is installed on them, what operating system and what types of filters are used. The functionality of the program can be expanded with its own scripting language, which allows administrators to automate many actions.

    For example, scripts can automatically detect new security vulnerabilities in your network. Nmap can be used with good and bad intentions, so be careful not to use nmap against the law. In this tutorial we will look at how to use nmap to scan ports on the Linux operating system. But first you need to understand how this utility works.

    In computer networks, all connected devices have their own IP address. Each computer supports the ping protocol, which can be used to determine whether it is connected to the network. We simply send a ping request to the computer, and if it responds, we assume that it is connected. Nmap takes a slightly different approach. Computers also react in a certain way to certain network packets; the utility simply sends the necessary packets and looks at which hosts sent the response.

    But you probably already know about this. What's more interesting is how Nmap finds out what services are running on a machine. All network programs are built on ports. To receive a message from the network, a program must open a port on your computer and wait for incoming connections. And to send a message over the network, you need to connect to the port of the destination program. That program, in turn, has to open the port on which it waits for a response.

    The nmap utility, while scanning the network, goes through the available range of ports and tries to connect to each of them. If the connection is successful, in most cases, by transmitting several packets the program can even find out the version of the software that is listening for connections to this port. Now that we've covered the basics, let's look at how to use nmap to scan ports and networks.

    Nmap Syntax

    The Nmap launch command is very simple; all you need to do is pass it the target IP address or network in the parameters, and also specify options if necessary:

    $ nmap options address

    Now let's look at the main options that we will need in this article.

    • -sL - just list the hosts, without scanning ports;
    • -sP - only check whether the host is reachable using ping;
    • -Pn - treat all hosts as reachable, even if they do not respond to ping;
    • -sS/sT/sA/sW/sM - TCP scanning;
    • -sU - UDP scanning;
    • -sN/sF/sX - TCP NULL and FIN scanning;
    • -sC - run the default scripts;
    • -sI - idle scan;
    • -p - specify the range of ports to check;
    • -sV - detailed examination of ports to determine service versions;
    • -O - determine the operating system;
    • -T - scanning speed; the higher, the faster;
    • -D - mask the scan using decoy IPs;
    • -S - change your source IP address to the specified one;
    • -e - use a specific interface;
    • --spoof-mac - set your own MAC address;
    • -A - determine the operating system, versions, and run scripts.

    Now that we've covered all the basic options, let's talk about how nmap port scanning works.

    How to Use Nmap to Scan Ports on Linux

    Next, let's look at some nmap examples. First, let's find all devices connected to the network; to do this, just use the -sL option and specify the mask of our network. In my case it is 192.168.1.1/24. You can find your local network mask by running the command:

    From the output for the interface you are using, take the number after the slash, and put the IP of your router before the slash. The command to scan the network with nmap looks like this:

    nmap -sL 192.168.1.1/24

    Sometimes this scan may not produce any results because some operating systems have protection against port scanning. But this can be bypassed by simply using ping to scan all IP addresses on the network; for this there is the -sn option:

    nmap -sn 192.168.1.1/24

    As you can see, the program has now detected active devices on the network. Next, we can scan nmap ports for the desired host by running the utility without options:

    sudo nmap 192.168.1.1

    Now we can see that we have several ports open, all of which are used by some service on the target machine. Each of them can be potentially vulnerable, so it is not safe to have many open ports on a machine. But that’s not all you can do; next you’ll learn how to use nmap.

    To find out more detailed information about the machine and the services running on it, you can use the -sV option. The utility will connect to each port and determine all available information:

    sudo nmap -sV 192.168.1.1

    Our machine is running ftp, so we can try to take a closer look at this service using standard nmap scripts. Scripts allow you to check the port in more detail and find possible vulnerabilities. To do this, use the -sC and -p option to set the port:

    sudo nmap -sC 192.168.56.102 -p 21

    We executed the default script, but there are also other scripts, for example, you can find all scripts for ftp with the command:

    sudo find /usr/share/nmap/scripts/ -name "*.nse" | grep ftp

    Then we will try to use one of them, to do this, just specify it using the --script option. But first you can look at the information about the script:

    sudo nmap --script-help ftp-brute.nse

    This script will try to determine the FTP login and password on the remote host. Then run the script:

    sudo nmap --script ftp-brute.nse 192.168.1.1 -p 21

    As a result, the script found the login and password: admin/admin. This is why default credentials must not be left in place.

    You can also run the utility with the -A option; it activates a more aggressive operating mode of the utility, with which you will get most of the information with one command:

    sudo nmap -A 192.168.1.1

    Please note that almost all the information we have seen before is here. It can be used to increase the protection of this machine.

    Conclusions

    In this article, we looked at how nmap port scanning is performed, as well as several simple examples of using this utility. These nmap commands can be useful to many system administrators to improve the security of their systems. But this is not all the capabilities of the utility. Continue experimenting with the utility to learn more, just not on other people's networks!

    About the author

    Founder and site administrator, I am passionate about open source software and the Linux operating system. I currently use Ubuntu as my main OS. In addition to Linux, I am interested in everything related to information technology and modern science.





    

    2024 gtavrl.ru.