Nmap: the powerful Network Mapper.

When used properly, Nmap is a powerful network scanner that helps you protect your network by auditing it. Nmap lets sysadmins find which devices are active on the network, discover open and closed ports, identify the services listening on them and their versions, and (through its scripting engine) check for some known vulnerabilities. Like any scanner, Nmap can be used for good and for evil. Inappropriate use of Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP.

Keep in mind that network probing or port scanning is only acceptable against networks you own (such as your residential home network) or when the owner of the destination host and/or network has explicitly authorized it, preferably in writing. Any kind of unauthorized port probing is absolutely forbidden, and most ISPs and hosting providers treat it as a terms-of-service violation.

Let's look at some basic and advanced Nmap commands.

PS: several of the scans below (raw SYN scans, UDP scans, OS detection, ARP-based host discovery) need raw-socket access, so run them as root (sudo). Without it Nmap quietly falls back to less informative techniques such as a TCP connect scan.
PS: to get the most out of Nmap, a working knowledge of TCP/IP and networking concepts is a plus.

#1. Discover IPs in a subnet

$ sudo nmap -sP 192.168.1.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 12:46 GMT

Nmap scan report for 192.168.1.1
Host is up (0.0062s latency).
MAC Address: xx:x3:x2:xx:x5:x4 (xxx)
Nmap scan report for 192.168.1.2
Host is up (0.0049s latency).
MAC Address: x0:xx:x0:xx:xF:x7 (Cisco-Linksys)
Nmap scan report for 192.168.1.121
Host is up (0.15s latency).
MAC Address: xA:x3:x2:Ex:x2:xx (Unknown)
Nmap scan report for 192.168.1.132
Host is up (0.16s latency).
MAC Address: xx:x8:xA:0x:xx:xx (Nintendo)
Nmap scan report for 192.168.1.133
Host is up (0.14s latency).
...
..
.
Nmap done: 256 IP addresses (20 hosts up) scanned in 4.80 seconds


On a local Ethernet segment like this one Nmap discovers hosts with ARP requests, which is why every result carries a MAC address and vendor. For targets outside your own subnet, and when run as root, the default host discovery instead sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request to every address in the range. This command is also known as a "ping scan": Nmap reports only the responding hosts and does not port-scan them.

$ sudo nmap -sn 192.168.1.0/24

-sn is the current name for the same host-discovery scan; -sP is simply its deprecated alias, so the two commands are identical and any difference in run time between them is noise. Don't confuse -sn with -n: -n (no DNS resolution) tells Nmap never to do reverse DNS lookups on the active IPs it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, adding -n can cut scanning time noticeably.

#2. Scan for open ports

$ sudo nmap 192.168.1.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 13:21 GMT

Nmap scan report for 192.168.1.109
Host is up (0.00022s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT      STATE SERVICE
3283/tcp  open  netassistant
3689/tcp  open  rendezvous
5000/tcp  open  upnp
7000/tcp  open  afs3-fileserver
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown

This is Nmap's default scan when no scan type is given, and against a whole /24 it can take a while. As root it is a TCP SYN scan of the 1,000 most common TCP ports (a TCP connect scan when unprivileged), preceded by host discovery to check whether each host is up. On the hosts found up, Nmap also performs a reverse DNS lookup, because hostnames occasionally yield useful information.

#3. Identify Hostnames

$ sudo nmap -sL 192.168.1.1/24

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 14:14 GMT
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
..
.
Nmap scan report for sun (192.168.1.110) <<
Nmap scan report for 192.168.1.142
Nmap scan report for 192.168.1.144
..
.
Nmap scan report for pipe (192.168.1.185) <<
Nmap scan report for 192.168.1.186
Nmap scan report for 192.168.1.190
..
.
Nmap scan report for pluto (192.168.1.212) <<
Nmap scan report for europa (192.168.1.213) <<
Nmap scan report for venus (192.168.1.222) <<
Nmap scan report for mercury (192.168.1.233) <<
Nmap scan report for 192.168.1.234
...
..
.
Nmap done: 256 IP addresses (0 hosts up) scanned in 0.11 seconds

The -sL argument runs a list scan: Nmap does nothing more than a reverse DNS lookup for each address in the range, which makes it the most unobtrusive option it has. No packets are sent to the targets themselves (only to your DNS resolver), so no host is ever reported "up" and root privileges are not needed. Hostnames can reveal more about a network than you might imagine: here the names sun, pipe, pluto, europa, venus and mercury stand out from the unnamed addresses.

#4. OS detection

$ sudo nmap -O 192.168.1.152

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 14:29 GMT
Nmap scan report for pipe (192.168.1.177)
Host is up (0.0053s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
88/tcp    open     kerberos-sec
3283/tcp  open     netassistant
3689/tcp  open     rendezvous
5900/tcp  open     vnc
9091/tcp  filtered xmltec-xmlmail
49152/tcp open     unknown
MAC Address: 68:A8:6D:0F:FD:E4 (Apple)
No exact OS matches for host (If you know what OS is running on it,
see https://nmap.org/submit/ ).
TCP/IP fingerprint:
...
..
.

Network Distance: 1 hop

OS detection performed. Please report any incorrect 
results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.83 seconds

With the -O option Nmap tries to identify the target's operating system by TCP/IP stack fingerprinting: after the port scan it sends a series of crafted TCP, UDP and ICMP probes and compares the responses (TCP options, initial window size, IP ID generation, ICMP quirks and so on) against its nmap-os-db database. It works best when it has found at least one open and one closed TCP port on the target. --osscan-limit skips OS detection on hosts that don't meet that condition, which saves time on large ranges, and --osscan-guess makes Nmap print its closest matches even when none is exact. -O requires root, and, as the output above shows, OS detection is not always conclusive.

#5. Only show open (or possibly open) ports

$ sudo nmap --open 192.168.1.107
or 
$ sudo nmap --open www.xxxxx.com

Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-23 15:56 UTC
Nmap scan report for pipe (192.168.1.107)
Host is up (0.0026s latency).
Not shown: 500 closed ports, 494 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
88/tcp    open  kerberos-sec
3283/tcp  open  netassistant
3689/tcp  open  rendezvous
5900/tcp  open  vnc
49152/tcp open  unknown
MAC Address: xx:x8:6x:xx:xD:xx (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.00 seconds

Show only hosts with at least one open port, and for those hosts only the open ports. "Open" here means every port that has the potential to be open: the open, open|filtered and unfiltered states. --open does not change what Nmap sends, it only filters the report, so the scan is no quieter than the same scan without it.

#6. TCP SYN and UDP Scan


$ sudo nmap -sS -sU -Pn 192.168.1.107

Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-23 16:05 UTC
Nmap scan report for 192.168.1.107 (192.168.1.107)
Host is up (0.00060s latency).
Not shown: 1000 open|filtered ports, 994 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open http
443/tcp  open https
587/tcp  closed submission
993/tcp  closed imaps
6666/tcp open   irc
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
MAC Address: xx:x8:6x:xx:xD:xx (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds

A TCP SYN scan (-sS, the default as root) never completes the three-way handshake: Nmap sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and tears the half-open connection down with a RST, so the service never sees a connection it could log. That makes it less noisy than a connect scan, but it is by no means invisible; any IDS or firewall log will show it. Combined with -sU this command checks the 1,000 most common TCP ports and the 1,000 most common UDP ports. UDP scanning is slow because open UDP ports often don't answer at all (hence the open|filtered state) and most hosts rate-limit the ICMP port unreachable messages that identify closed ones. -Pn tells Nmap to skip host discovery and assume the host is up; that is useful when a firewall blocks the ping probes, although on a local segment like this one ARP discovery would have worked anyway.


#7. TCP SYN and UDP scan for ALL PORTS

$ sudo nmap -sS -sU -Pn -p 1-65535 192.168.1.107
or 
$ sudo nmap -sS -sU -Pn -p- 192.168.1.107

Nmap scan report for 192.168.1.222 (192.168.1.107)
Host is up (0.00061s latency).
Not shown: 65534 open|filtered ports, 65527 filtered ports
PORT      STATE  SERVICE
22/tcp    closed ssh
80/tcp    closed http
123/tcp   closed ntp
443/tcp   closed https
587/tcp   closed submission
993/tcp   closed imaps
6666/tcp  open   irc
61209/tcp closed unknown
143/udp   closed imap
MAC Address: xx:x8:6x:xx:xD:xx (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 209.04 seconds


The same as above, but with the full port range Nmap checks every port from 1 through 65535 on both protocols. -p- is shorthand for -p 1-65535 (port 0 is only scanned if you ask for it explicitly, e.g. -p 0-65535). Expect this to take much longer: 65,535 UDP ports against a host that rate-limits ICMP can run for hours on a real network; the 209 seconds here were against a VM on the same LAN.
PS: you can use the port range specification on any scan that performs a port scan.
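Nmap's -p grammar comes up in several commands on this page (-p 1-65535, -p-, and later -p 80,443,22,3543-26738). The following is an added example, not Nmap's own parser: a small Python reimplementation of the commonly used subset of that syntax as documented in the Nmap man page (single ports, ranges, open-ended ranges and the T:/U: protocol prefixes; service names and wildcards are left out) that lets you check what a spec expands to, or how many probes a -sS -sU scan will send, before you start it.

```python
"""Expand an Nmap-style -p port specification into explicit port lists.

Added example, not Nmap's own code (Nmap parses -p internally in C).  This
reimplements the commonly used subset of the grammar: single ports, ranges,
open-ended ranges ('-100', '1024-', '-') and T:/U: protocol prefixes.
Service names (-p http,https) and wildcards are not supported here.
"""
from __future__ import annotations

import re

MAX_PORT = 65535


def _expand_item(item: str) -> range:
    """Turn one comma-separated token into a range of port numbers."""
    item = item.strip()
    if item == "-":                        # bare '-' means 1-65535 (port 0 excluded)
        return range(1, MAX_PORT + 1)
    m = re.fullmatch(r"(\d*)-(\d*)", item)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1         # '-100' starts at 1
        hi = int(m.group(2)) if m.group(2) else MAX_PORT  # '1024-' ends at 65535
    elif item.isdigit():
        lo = hi = int(item)
    else:
        raise ValueError(f"unsupported port token: {item!r}")
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range out of bounds: {item!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec: str) -> dict[str, list[int]]:
    """Return {'tcp': [...], 'udp': [...]} for a -p specification.

    Tokens without a prefix apply to every protocol the scan uses (here both,
    as in 'nmap -sS -sU -p 53,80').  A 'T:' or 'U:' prefix sticks until the
    next prefix, as in 'U:53,111,T:21-25,80'.
    """
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    current = None                         # None = applies to all protocols
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token[:2].upper() in ("T:", "U:"):
            current = "tcp" if token[0].upper() == "T" else "udp"
            token = token[2:]
            if not token:                  # a bare 'T:' only switches protocol
                continue
        rng = _expand_item(token)
        for proto in ([current] if current else list(ports)):
            ports[proto].update(rng)
    return {proto: sorted(s) for proto, s in ports.items()}


def count_ports(spec: str) -> int:
    """Number of port probes a -sS -sU scan sends for this spec (one per port and protocol)."""
    return sum(len(v) for v in parse_port_spec(spec).values())


if __name__ == "__main__":
    # The first spec is the one used in the last command of this article.
    for spec in ("80,443,22,3543-26738", "-", "U:53,111,137,T:21-25,80"):
        p = parse_port_spec(spec)
        print(f"{spec!r}: {len(p['tcp'])} tcp, {len(p['udp'])} udp, {count_ports(spec)} probes")
```

Run directly it prints the counts for three specs. The point worth noticing is that an unprefixed list applies to every protocol in the scan, so -sS -sU -p- is 131,070 probes rather than 65,535, which is why the all-ports UDP scan above is so much slower than the TCP-only one.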


#8. TCP Connect Scan

$ sudo nmap -sT 192.168.1.222

Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-23 16:21 UTC
Nmap scan report for 192.168.1.222 (192.168.1.222)
Host is up (0.0013s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   closed http
443/tcp  closed https
587/tcp  closed submission
993/tcp  closed imaps
6666/tcp open   irc
MAC Address: xx:x8:6x:xx:xD:xx (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.80 seconds

Similar to the TCP SYN scan, except that instead of crafting a SYN packet itself and reading the reply, Nmap asks the operating system to open a full TCP connection (the connect() system call) to each of the 1,000 most common ports. It needs no root privileges and is the default for unprivileged users, but the completed handshake is visible to the service and likely to be logged, and it is somewhat slower than -sS.


#9. Aggressively Scan

$ sudo nmap -T4 -A 192.168.1.0/24
or
$ sudo nmap -T insane -A 192.168.1.0/24

Nmap scan report for probe (192.168.1.121)
Host is up (0.00033s latency).
Not shown: 995 closed ports

|   256 rx:da:6k:0f:xx:xx:xx:xx:xx:  (ECDSA)
|_  256 Af:78:fg:66:xx:xx:xx:xx:xx: (ED25519)
88/tcp    open  kerberos-sec  Heimdal Kerberos (server time: 2022-07-23 16:31:54Z)
3283/tcp  open  netassistant?
5900/tcp  open  vnc           Apple remote desktop vnc
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_vnc-info: ERROR: Script execution failed (use -d to debug)
49152/tcp open  http          Apple ODS DVD/CD Sharing Agent httpd 1.0
|_http-server-header: ODS/1.0
|_http-title: Site doesn't have a title.
MAC Address: xx:x8:6x:xx:xD (Apple)
Aggressive OS guesses: Apple Mac OS X 10.7.0 (Lion) - 10.12 (Sierra) or iOS 4.1 - 9.3.3 (Darwin 10.0.0 - 16.4.0) (97%), Apple iOS 9.0 (Darwin 15.0.0) (95%), Apple OS X 10.11 (El Capitan) - 10.12 (Sierra) or iOS 10.1 - 10.2 (Darwin 15.4.0 - 16.6.0) (94%), Apple iOS 11.0 (93%), Apple iOS 5.0.1 (93%), Apple Mac OS X 10.7.4 - 10.7.5 (Lion) (Darwin 11.4.2) (93%), Apple Mac OS X 10.7.0 - 10.7.5 (Lion) or iOS 4.2 - 5.0.1 (Darwin 10.4.0 - 11.4.2) (93%), Apple Mac OS X 10.7.0 - 10.7.5 (Lion) (Darwin 11.0.0 - 11.4.2) (93%), Apple TV 5.2.1 or 5.3 (93%), Apple iOS 5.0.1 - 5.1.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Mac OS X; CPE: cpe:/o:apple:mac_os_x

Nmap's aggressive mode combines several features in one flag: -A enables OS detection (-O), version detection (-sV), the default script scan (-sC) and traceroute (--traceroute). In contrast to several of the preceding commands, this one is very noisy. The -T4 selects a timing template; timing templates tell Nmap how quickly to run the scan, from 0 (slow and stealthy) to 5 (fast and obvious).
-T also accepts the template names paranoid, sneaky, polite, normal, aggressive and insane, equivalent to -T0 through -T5. -T4 is a reasonable choice on a fast, reliable network; -T5 (insane) trades accuracy for speed and can miss ports on slower links. Remember that an aggressive scan also sends many more probes, so it is more likely to be detected (and to trip intrusion detection) during a security audit.

#10. Detect services version

$ sudo nmap -sV 192.168.1.117

Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-23 17:27 UTC
Nmap scan report for WebServer (192.168.1.117)
Host is up (0.000057s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp     Postfix smtpd
80/tcp   open  http     nginx
443/tcp  open  ssl/http nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Finding application versions is a crucial part of penetration testing. It makes your life easier because you can look up known vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database for that particular version of a service, and then attack the machine with an exploitation tool like Metasploit. Just keep in mind that version scans are not always 100% accurate (banners can be changed, and distributions often backport fixes without changing the version string), but they take you one step closer to getting into a system. -sV enables version detection: after the port scan, Nmap talks to each open port and matches banners and responses against its nmap-service-probes database, reporting the product, version and, where it can, a CPE identifier. Alternatively, you can use -A, which enables version detection among other things.

#11. Fast Scan

$ sudo nmap -Pn -T polite -F snubmonkey.com
or
$ sudo nmap -6 -F IPv6_Address_Here  << the same scan against an IPv6 address

Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-23 17:00 UTC
Nmap scan report for snubmonkey.com (160.155.34.120)
Host is up (0.0035s latency).
rDNS record for 160.155.34.120: OCI-160.155.34.120.aviso.ci
Not shown: 97 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp open   https
587/tcp closed submission

This command is a quick and dirty way to identify hosts that may have ports open that shouldn't be. -F (fast) restricts the scan to the 100 most common ports instead of the default 1,000, and -T polite slows it down to go easier on the target. Speed comes at the expense of coverage: anything listening on an uncommon port is missed.

#12. Scan with decoys

$ sudo nmap -n -D 192.168.1.102,10.3.1.12,172.4.1.2,192.168.2.1 192.168.1.127 192.168.1.117

With the -D option Nmap sends every probe from each decoy address as well as from your own, so to the targets (192.168.1.127 and 192.168.1.117 here) it looks as though the decoy hosts are scanning them too. Their IDS will then log port scans from five different IP addresses and cannot tell from the packets alone which one was the real scanner and which were innocent decoys. Put ME in the list to control where your own address appears (-D decoy1,ME,decoy2), or RND:5 to have Nmap generate five random decoys. Some caveats: decoys should be hosts that are actually up, or the SYN/ACKs bouncing off dead addresses look like a SYN flood; your real IP is still in the logs; decoys only work for raw-packet scans and have no effect on -sT or -sV, which need complete connections; and many ISPs drop packets with spoofed source addresses, so outside your own network the decoys may never arrive. It is a useful way to blur your IP address, not a way to hide it.

#13. Verbose

$ sudo nmap -Pn -T polite -F -vv 192.168.1.107

Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-23 17:21 UTC
Initiating ARP Ping Scan at 17:21
Scanning 192.168.1.107 [1 port]
Completed ARP Ping Scan at 17:21, 0.40s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:21
Completed Parallel DNS resolution of 1 host. at 17:21, 0.00s elapsed
Initiating SYN Stealth Scan at 17:21
Scanning 192.168.1.107 (192.168.1.107) [100 ports]
SYN Stealth Scan Timing: About 36.00% done; ETC: 17:22 (0:00:55 remaining)
Completed SYN Stealth Scan at 17:22, 87.12s elapsed (100 total ports)
Nmap scan report for 192.168.1.222 (192.168.1.107)
Host is up, received arp-response (0.00069s latency).
Scanned at 2022-07-23 17:21:25 UTC for 87s
Not shown: 95 filtered ports
Reason: 95 no-responses
PORT    STATE  SERVICE    REASON
22/tcp  closed ssh        reset ttl 64
80/tcp  closed http       reset ttl 64
443/tcp closed https      reset ttl 64
587/tcp closed submission reset ttl 64
993/tcp closed imaps      reset ttl 64
MAC Address: 0x:x0:xx:df:x6:68 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 87.77 seconds
           Raw packets sent: 215 (9.444KB) | Rcvd: 43 (5.344KB)

Adding -v (or -vv for even more) to most of the commands above gives a much better view of what Nmap is doing: it prints each scan phase as it starts and completes, periodic progress estimates, and details that the normal report leaves out. With -vv the port table also gains a REASON column explaining how each state was determined; here every closed port answered with a RST whose TTL was 64, which by itself hints at a Linux or BSD-style TCP/IP stack (Windows defaults to 128).


#14. Multiple Formats

$ sudo nmap -p- -oA output snubmonkey.com

The above command writes the scan result in all three formats at once: output.nmap (the normal human-readable report), output.xml (XML, the format to parse programmatically) and output.gnmap (the grepable format, one host per line). The basename given to -oA may include a directory, and -oN, -oX and -oG select a single format.
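The -sV section above and -oA come together once you want to do something with the results, and XML (-oX, or the .xml file from -oA) is the format to parse. What follows is an added example, not part of the original article and not Nmap's own tooling (Nmap ships ndiff for scan comparison): it parses the XML into an inventory, pulls out the CPE identifiers that -sV attaches to services (the strings you would look up against a CVE database), and diffs two scans of the same host to flag newly exposed or changed services, which is the "audit your own network" use from the introduction. The two XML documents embedded in it are constructed samples in the shape of real Nmap output; the host, MAC address, versions and CPE strings are made up.

```python
"""Inventory and diff Nmap -oX output (added example; not Nmap's own code).

Nmap ships ndiff for scan comparison; this small re-implementation shows what
the XML written by -oX/-oA contains, how -sV results carry CPE identifiers,
and how two scans of one host can be compared.  BASELINE_XML and CURRENT_XML
are constructed samples shaped like real 'nmap -sV -oX' output; the host,
MAC address, versions and CPEs in them are made up for the example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.117" version="7.92">
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.117" addrtype="ipv4"/>
 <address addr="08:00:27:11:22:33" addrtype="mac" vendor="Oracle VirtualBox virtual NIC"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
   <service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4" conf="10"><cpe>cpe:/a:openbsd:openssh:8.2p1</cpe></service></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
   <service name="http" product="nginx" conf="10"><cpe>cpe:/a:igor_sysoev:nginx</cpe></service></port>
  <port protocol="tcp" portid="3306"><state state="closed" reason="reset" reason_ttl="64"/>
   <service name="mysql" conf="3"/></port>
 </ports></host></nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.168.1.117" version="7.92">
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.117" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
   <service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3" conf="10"><cpe>cpe:/a:openbsd:openssh:8.9p1</cpe></service></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
   <service name="http" product="nginx" conf="10"><cpe>cpe:/a:igor_sysoev:nginx</cpe></service></port>
  <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack" reason_ttl="64"/>
   <service name="mysql" product="MySQL" version="8.0.30" conf="10"><cpe>cpe:/a:mysql:mysql:8.0.30</cpe></service></port>
  <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="64"/>
   <service name="http-proxy" conf="3"/></port>
 </ports></host></nmaprun>"""

# The same states that --open reports: anything that might accept connections.
OPENISH = {"open", "open|filtered", "unfiltered"}


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {ip: {(proto, port): {state, service, product, version, cpe}}}.

    Only hosts reported up are included.  Ports in every state are kept so a
    diff can tell 'closed -> open' apart from 'never scanned -> open'.
    """
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next(a.get("addr") for a in host.findall("address")
                  if a.get("addrtype") in ("ipv4", "ipv6"))
        ports = {}
        for port in host.findall("./ports/port"):
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda _k: None)
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": port.find("state").get("state"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "cpe": [c.text for c in svc.findall("cpe")] if svc is not None else [],
            }
        inventory[ip] = ports
    return inventory


def all_cpes(inventory: dict) -> list[str]:
    """Unique CPE strings attached to open services: the keys for a CVE lookup."""
    return sorted({cpe for ports in inventory.values() for info in ports.values()
                   if info["state"] in OPENISH for cpe in info["cpe"]})


def diff_scans(baseline: dict, current: dict) -> list[str]:
    """Flag ports that are newly open, or open with a changed product/version."""
    findings = []
    for ip, ports in current.items():
        old_ports = baseline.get(ip, {})
        for (proto, port), info in sorted(ports.items()):
            if info["state"] not in OPENISH:
                continue
            old = old_ports.get((proto, port))
            label = f"{ip} {port}/{proto}"
            if old is None or old["state"] not in OPENISH:
                findings.append(f"NEW {label} {info['state']} {info['service'] or '?'} "
                                f"{info['product'] or ''} {info['version'] or ''}".rstrip())
            elif (old["product"], old["version"]) != (info["product"], info["version"]):
                findings.append(f"CHANGED {label} {old['product']} {old['version']} "
                                f"-> {info['product']} {info['version']}")
    for ip in baseline:
        if ip not in current:
            findings.append(f"GONE {ip} (up in baseline, absent from current scan)")
    return findings


if __name__ == "__main__":
    before, after = parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML)
    print("CPEs to check:", *all_cpes(after), sep="\n  ")
    print(*diff_scans(before, after), sep="\n")
```

On a real pair of scans you would feed parse_nmap_xml the contents of baseline.xml and current.xml instead of the embedded samples. Ports in every state are retained on purpose, so that 3306/tcp going from closed to open is reported as NEW rather than being confused with a port that the baseline simply never scanned; if you change the port list between runs, a diff cannot tell those two cases apart.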

#15. Putting it all together

$ sudo nmap -vv -Pn -T insane -A -p 80,443,22,3543-26738 -oA logs/probe-scan -iR 500

The above asks Nmap to pick 500 random Internet hosts (-iR 500), skip host discovery and treat them all as up (-Pn), probe ports 80, 443 and 22 plus 3543 through 26738 (-p), run OS detection, version detection, the default scripts and traceroute (-A), use the fastest timing template (-T insane is the same as -T5; -T4 is aggressive), print extra progress information (-vv) and save the report in all three formats under logs/probe-scan (-oA). It is shown here only to illustrate how the options combine: -iR picks random hosts on the Internet that you have no authorization to scan, so do not actually run this outside a lab.



Open, closed, filtered, and unfiltered states

open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.

closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.

filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software.

unfiltered: The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

open|filtered: Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

closed|filtered: This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

Nmap is clearly the "Swiss Army Knife" of networking, thanks to its inventory of versatile commands. It lets you quickly scan and discover essential information about your network, hosts, ports, firewalls, and operating systems. Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the idle scan technique. But remember that there is always a trade-off. You are harder to find if you launch scans from an open WAP far from your house, with 17 decoys, while doing subsequent probes through a chain of nine open proxies. But if anyone does track you down, they will be mighty suspicious of your intentions.