Nmap
Nmap is one of the best tools for scanning and network mapping. It excels in host discovery, using ICMP, ARP and TCP/UDP protocols.

Nmap can determine the version of open ports and the operating systems.
Host Discovery with Nmap
General Nmap command line (some scans require sudo):
nmap [scan option(s)] target(s) [--script script(s)]
All Hosts Scan of a Network
Discover all live hosts of a network without scanning ports (-sn disables the port scan):
nmap -sn 10.1.0.0/24
Or you can scan multiple IPs:
nmap -sn 10.1.0.1 10.4.0.3
nmap -sn -iL list_ips.txt
Change Packet Data Length
You may use --data-length <length> to append random data to the packets sent and so change their length:
nmap -f --data-length 200 target-ip
Default Scan
Nmap performs a port scan by default if -sn is not used:
nmap target-ip
Delay Scan
Wait 5 seconds between the probes sent to a host:
nmap --scan-delay 5 target-ip
Enumeration and Port Scanning with Nmap
You can use Nmap for enumeration, such as discovering the operating system and the versions of the services on the target ports.
You can export the results into a format readable by the Metasploit framework for further operations.
nmap target-ip
Skip host discovery (so a host that blocks ping, e.g. with the Windows firewall, is still scanned) and just detect ports:
nmap -Pn target-ip
Get the version of the services and operating systems of the ports:
nmap -Pn -sV -O target-ip
Save the results in a .xml file that will be used by Metasploit framework:
nmap -Pn -sV -O target-ip -oX output.xml
Other Techniques
Fast Scan
Perform a fast scan:
nmap -F target-ip
Set the scan speed (from 1: slowest to 5: fastest):
nmap -sn -T4 target-ip
Spoofing Techniques
You can use the -g option to set a fake source port for the probes you send:
nmap -g fake-port target-ip
You can use the -D option to add decoy IPs, so your scan appears to come from other addresses (one or more) as well as your own:
nmap -D fake-ip(s) target-ip
Firewall Detection & IDS Evasion
How to use Nmap to detect firewalls or intrusion detection systems (IDS).
An IDS is a system that can detect your scan and record where it is coming from.
When you run an Nmap port scan, the report often contains a line like:
Not shown: X closed ports
or
Not shown: X filtered ports
In the second case it may mean that the operating system of the target is Windows or that there is a firewall blocking your scan and pings.
Avoid Detection Techniques:
Perform a scan on the target:
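As an added example (not part of the original cheat sheet), a small Python helper that reads Nmap's normal output and applies the rule just stated: it counts the "Not shown" line together with the listed ports and flags a host as firewalled when most ports are filtered. Both sample reports are constructed, not real scans.

```python
import re

# Constructed Nmap normal-output samples (not real scan reports).
SAMPLE_FILTERED = """\
Nmap scan report for 10.1.0.10
Host is up (0.0021s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
135/tcp  open   msrpc
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
"""

SAMPLE_CLOSED = """\
Nmap scan report for 10.1.0.20
Host is up (0.0010s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
"""

NOT_SHOWN = re.compile(r"Not shown: (\d+) (closed|filtered) ports")
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)", re.M)

def summarise_scan(text):
    """Count ports per state and judge whether probes are being dropped."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    m = NOT_SHOWN.search(text)
    if m:
        counts[m.group(2)] += int(m.group(1))
    ports = []
    for num, proto, state, svc in PORT_LINE.findall(text):
        # open|filtered means no answer either way; count it as open here.
        counts[state.split("|")[0]] += 1
        ports.append((int(num), proto, state, svc))
    total = sum(counts.values())
    # Rule from the text: mostly filtered ports means a firewall (or a
    # Windows host with its default firewall) is blocking the scan.
    verdict = "firewalled" if total and counts["filtered"] > total / 2 else "unfiltered"
    return {"counts": counts, "ports": ports, "verdict": verdict}
```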
nmap -sn target-ip
Scan the most common ports on the target:
nmap -Pn -sS -F target-ip
Scan ports 445 and 3389 to see if they are filtered (firewalled) or not:
nmap -Pn -sA -p445,3389 target-ip
Scan for service versions using fragmented packets to reduce detection:
nmap -Pn -sS -sV -F -f target-ip
Same as above, specifying a custom MTU for the fragments (--mtu replaces -f and its value must be a multiple of 8):
nmap -Pn -sS -sV -F --mtu number target-ip
Same as above, adding custom data length, decoy IPs and a decoy source port:
nmap -Pn -sS -sV -F -f --data-length 200 -D decoy-ip1,decoy-ip2 -g decoy-port target-ip
Fragmented Packets
One technique for evading an IDS is to send fragmented packets, meaning the probes are split into smaller IP fragments, with the -f option.
You can use the --mtu <dimension> option instead of -f to choose the fragment size yourself.
MTU stands for Maximum Transmission Unit and specifies the maximum size (in bytes) of your fragments; Nmap requires it to be a multiple of 8.
nmap -f target-ip
nmap --mtu dimension target-ip
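Seen from the defender's side, the fragmented, decoy and spoofed-source-port probes described in this section leave a recognisable pattern in firewall logs. The following Python detector is added here and is not part of the original page: it groups simplified, constructed iptables-style LOG lines by source and minute, flags sources that sweep several ports on one target, counts fragmented probes (MF flag) and pairs up sources that hit an identical port set at the same time, which is what -D decoy traffic looks like. The log format is simplified and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed, simplified iptables-style LOG lines (not a real capture).
# 10.1.0.5 sweeps three ports from a constant source port, one probe is a
# fragment (MF); 10.9.9.9 sends identical probes at the same time, like a
# -D decoy; 10.1.0.7 is ordinary traffic.
LOG_LINES = [
    "Jan 10 09:00:01 fw kernel: IN=eth0 SRC=10.1.0.5 DST=10.1.0.10 PROTO=TCP SPT=53 DPT=22 SYN",
    "Jan 10 09:00:01 fw kernel: IN=eth0 SRC=10.1.0.5 DST=10.1.0.10 PROTO=TCP SPT=53 DPT=445 MF SYN",
    "Jan 10 09:00:02 fw kernel: IN=eth0 SRC=10.1.0.5 DST=10.1.0.10 PROTO=TCP SPT=53 DPT=3389 SYN",
    "Jan 10 09:00:01 fw kernel: IN=eth0 SRC=10.9.9.9 DST=10.1.0.10 PROTO=TCP SPT=53 DPT=22 SYN",
    "Jan 10 09:00:01 fw kernel: IN=eth0 SRC=10.9.9.9 DST=10.1.0.10 PROTO=TCP SPT=53 DPT=445 SYN",
    "Jan 10 09:00:02 fw kernel: IN=eth0 SRC=10.9.9.9 DST=10.1.0.10 PROTO=TCP SPT=53 DPT=3389 SYN",
    "Jan 10 09:07:30 fw kernel: IN=eth0 SRC=10.1.0.7 DST=10.1.0.10 PROTO=TCP SPT=51000 DPT=443 SYN",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (minute, key=value fields, flag tokens) for one log line."""
    tokens = line.split()
    minute = " ".join(tokens[:3])[:-3]          # "Jan 10 09:00:01" -> "Jan 10 09:00"
    return minute, dict(FIELD.findall(line)), set(tokens)

def detect_scans(lines, threshold=3):
    """Map each source that probed >= threshold distinct ports on one target
    within a minute to a finding: port count, fragments, decoy candidates."""
    ports = defaultdict(set)   # (minute, src, dst) -> distinct destination ports
    frags = defaultdict(int)   # (minute, src, dst) -> fragmented probes seen
    for line in lines:
        minute, kv, flags = parse(line)
        key = (minute, kv["SRC"], kv["DST"])
        ports[key].add(kv["DPT"])
        frags[key] += "MF" in flags
    findings = {}
    for (minute, src, dst), pset in ports.items():
        if len(pset) < threshold:
            continue
        # Other sources hitting exactly the same ports on the same target in
        # the same minute are decoy candidates: only one of them is real.
        twins = sorted(s for (m, s, d), p in ports.items()
                       if m == minute and d == dst and s != src and p == pset)
        findings[src] = {"target": dst, "ports": len(pset),
                         "fragmented": frags[(minute, src, dst)],
                         "decoy_candidates": twins}
    return findings
```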
ICMP ping scan
nmap -sn -PE target-ip
Nmap Scripting Engine (NSE)
You can find available scripts:
ls -al /usr/share/nmap/scripts
Search for a script:
ls -al /usr/share/nmap/scripts | grep -e "http"
Run default scripts:
nmap -sC target-ip
Script help:
nmap --script-help=scriptname
Run a specific script:
nmap --script=memcached-info target-ip
Run all scripts whose names match a pattern (quote the wildcard so the shell does not expand it):
nmap --script="ftp*" target-ip
Output Formats
Save your scan results for later analysis or for use in other tools.
Nmap offers several output formats, each followed by a file name: -oN (normal), -oX (XML), -oG (grepable) and -oA (all three at once).
Example:
nmap target-ip -oX output.xml
Port Scan
nmap -p port target-ip
nmap -p80,445,8080 target-ip
nmap -p- target-ip
Scan OS, version, scripts and traceroute all together
nmap -A target-ip
Service Version and Operating System with Nmap
Get version info (--version-intensity takes a level from 0 to 9; higher is more thorough):
nmap -sV target-ip
nmap -sV --version-intensity level target-ip
Get OS version more accurately:
nmap -O target-ip
nmap -O --osscan-guess target-ip
Skip Host Discovery
nmap -Pn target-ip
SMB & NetBIOS Enumeration
Perform a standard scan:
nmap target-ip
Perform a more advanced scan with UDP, version detection and the nbstat script on port 137:
nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n target-ip
Scan ports 139 and 445 to detect service versions:
nmap -sV -p139,445 target-ip
Scan to detect SMB protocols supported:
nmap -p445 --script smb-protocols target-ip
Scan to detect the SMB security mode (accounts, authentication):
nmap -p445 --script smb-security-mode target-ip
Connect to SMB to list available shares:
smbclient -L target-ip
When prompted, try to log in anonymously by entering an empty password.
Scan to enumerate SMB users on the system:
nmap -p445 --script smb-enum-users.nse target-ip
SNMP Enumeration
Perform a scan on the 161 port:
nmap -sU -p 161 target-ip
Brute-force SNMP community strings:
nmap -sU -p 161 --script snmp-brute target-ip
Perform a scan with all the SNMP scripts and save the output in a file (quote the wildcard so the shell does not expand it):
nmap -sU -p 161 --script "snmp-*" target-ip > snmp_info
Open the file and read the results:
cat snmp_info
SYN Scan (Stealth Scan)
This is the default scan type when you have root privileges (it needs raw packets). To request it explicitly, use -sS:
nmap -sS target-ip
TCP ACK Packet Scan
Host scan with TCP ACK Ping:
nmap -sn -PA target-ip
Firewall detection with TCP ACK:
nmap -sA target-ip
TCP Connect Scan
nmap -sT target-ip
TCP SYN Packet Scan
nmap -sn -PS target-ip
nmap -sn -PS22 target-ip
nmap -sn -PS1-100 target-ip
nmap -sn -PS1,10,100 target-ip
nmap -sn -PS -p port target-ip
Timeout Host Scan
nmap --host-timeout 15s target-ip
UDP Ping Scan
nmap -sn -PU target-ip
UDP Port Scan
nmap -sU target-ip
Windows - Check EternalBlue Vulnerability
sudo nmap -sV -p 445 --script=smb-vuln-ms17-010 target-ip
WebDAV
Gain info on a target WebDAV server by enumerating common web paths:
nmap -sV -p 80 --script=http-enum target-ip