nmap

nmap (Network Mapper) is an open-source tool for network discovery and security auditing. It is widely used by network administrators, penetration testers, and security professionals to scan networks and systems to discover hosts, open ports, services, and potential vulnerabilities. Nmap supports a variety of scanning techniques and options, making it extremely flexible for identifying devices and assessing security risks within a network.

Common Nmap Options and Switches:

  • -sP
    Ping scan (the older spelling of -sn; still accepted as an alias). This is used to check if a host is online without performing a port scan. It sends ICMP echo requests and reports the hosts that respond.
  • -sS
    SYN scan. This is the most popular scan for discovering open ports. It is faster and stealthier than a full TCP connection.
  • -sU
    UDP scan. Similar to the SYN scan, but it scans for open UDP ports.
  • -sT
    TCP connect scan. This scan attempts to establish a full TCP connection, which is more easily detected than the SYN scan.
  • -p <port range>
    Specifies the port or range of ports to scan. You can scan individual ports (e.g., -p 22) or ranges (e.g., -p 1-1000).
  • -T<0-5>
    Timing template. This controls the speed of the scan. -T0 is the slowest (used for stealth), while -T5 is the fastest (but more likely to be detected).
  • -A
    Aggressive scan. This option enables OS detection, version detection, script scanning, and traceroute.
  • -O
    OS detection. Nmap attempts to determine the operating system running on the target machine.
  • -v
    Verbose output. This provides more detailed information about the scan’s progress and results.
  • -Pn
    Treats all hosts as online. This skips the host discovery step and assumes that all hosts are online.
  • -iL <input file>
    Input from a file. This allows Nmap to scan a list of hosts or IP ranges provided in a file.
  • -oN <output file>
    Output to a file in normal format. The results of the scan will be written to the specified file.
  • -oX <output file>
    Output to an XML file. The scan results will be formatted as XML, which can be used for further processing.
  • -oG <output file>
    Output to a Grepable format file. This format is optimized for easy searching of results.
  • --script <script name>
    Runs a specific Nmap script. Scripts can be used to detect various vulnerabilities and misconfigurations.
  • -R
    Reverse DNS resolution. This resolves the hostnames of IP addresses in the scan results.
  • --traceroute
    Traces the network path to the target hosts, showing hops and round-trip times.
  • --reason
    Provides a reason for each port being open, closed, or filtered, helping with further investigation.
  • -6
    Enables IPv6 scanning, allowing Nmap to scan IPv6 addresses.
  • -sV
    Version detection. This scans for the version numbers of services running on open ports.
  • -f
    Fragment packets. This option splits the packets into smaller fragments to bypass firewalls or packet filters.
  • -D <decoy addresses>
    Use decoy addresses to obscure the real source of the scan, providing additional stealth during the scan.
  • --spoof-mac <MAC address>
    Spoof the MAC address. This helps avoid detection based on the machine’s MAC address.
  • --host-timeout <time>
    Specifies a time limit for scanning a single host. After the time limit is exceeded, the host will be skipped.
  • -l <level>
    Sets the verbosity level of output from the Nmap scan.

Example Nmap Commands:

  1. Basic Ping Scan:
    > nmap -sP 192.168.1.1
    This command checks whether a specific IP address (192.168.1.1) is online without scanning for open ports.
  2. TCP SYN Scan on a Single Port:
    > nmap -sS -p 80 192.168.1.1
    This command performs a SYN scan on port 80 (HTTP) of the target host.
  3. Scan Multiple Ports:
    > nmap -p 22,80,443 192.168.1.1
    This scans ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) on the target host.
  4. Aggressive Scan (OS and Version Detection):
    > nmap -A 192.168.1.1
    This performs an aggressive scan that detects the operating system, open ports, and service versions on the target.
  5. Save Scan Results to XML File:
    > nmap -oX output.xml 192.168.1.1
    This command saves the scan results in an XML format, useful for further processing.
  6. Scan a Range of IP Addresses:
    > nmap 192.168.1.1-10
    This scans a range of IP addresses (from 192.168.1.1 to 192.168.1.10).
  7. Scan with a Timing Template (Aggressive Speed):
    > nmap -T4 192.168.1.1
    This command scans the target with a timing template set to 4 (aggressive speed).
  8. Use a Script to Detect Vulnerabilities:
    > nmap --script vuln 192.168.1.1
    This runs Nmap’s vulnerability scanning scripts on the target host.
  9. Scan with OS Detection:
    > nmap -O 192.168.1.1
    This command attempts to detect the operating system of the target host.
  10. Scan with UDP Scan:
    > nmap -sU -p 161 192.168.1.1
    This scans for open UDP ports (specifically port 161) on the target host.

Use Cases

Nmap is essential for:

  • Network discovery: Mapping out the devices and services running in a network.
  • Security auditing: Identifying vulnerabilities by scanning for open ports and weak services.
  • Penetration testing: Scanning a target network to detect potential attack vectors.
  • Troubleshooting: Identifying misconfigurations and blocked ports in a network.
  • Service enumeration: Identifying the services running on hosts and determining their versions.