NMap 101

NMap short for Network Mapper is as the name suggests a tool used for mapping a network, but one of the great features is that it shows all the open ports, what services are running on the ports and all sorts of custom outputs.

Most versions of Linux I have used already have had nmap install by default, if not then you can easly install it by using the following command straight in your terminal.

sudo apt-get install nmap

To find out what version of nmap your running type this.

nmap --version

There is also a version of nmap with a GUI called Zenmap, this can just as easly be installed by typing.

sudo apt-get install zenmap

The most basic nmap command goes as so.

nmap 192.168.0.6

This shows the ports found, the state of that port open/closed and what service it thinks is running on that port.

Scanning for multiple targets

You can scan multiple targets by adding each individual target one after the other leaving a space between each.

nmap 192.168.0.6 192.168.0.7 192.168.0.8

or you can put the same command like this.

nmap 192.168.0.6,7,8

or you can set a range of addresses.

nmap 192.168.0.6 - 100

This will scan all ips on different subnets for example 192.168.0.1 – 192.168.0.255 and then move onto 192.168.1.1 – 192.168.1.255 and so on until in this example its 192.168.100.1 -192.168.100.255.

nmap 192.168.6-100.*

This will scan all ips in the current subnet.

nmap 192.168.0.1/24

you can create a list of ip addresses and put them in a text file and get nmap to scan the list.

to create the list echo the required IP address into a text file.

echo 192.168.0.6 192.168.0.7 > list.txt

>  Replace contents of file.
>> Amend file this will leave any previous contents of the file in place.

to see the contents of your list.txt use the cat command.

cat list.txt

now use that list in conjunction with nmap as below.

nmap -il list.txt

Scanning Networks while Excluding Certain Targets.

You scan a specified amount of random hosts using the -iR command and then the number of hosts.

nmap -iR 3

If you want to scan an entire subnet excluding a certain pc.

nmap 192.168.0.1/24 --exclude 192.168.0.50

This command below is the same as the one above but its excluding a range of addresses.

nmap  192.168.0.1/24 --exclude 192.168.0.50-100

You can also use a use a text file with a list of ips to exclude.

nmap 192.168.0.6/24 -- excludefile list.txt

Scanning Networks for Open Ports to access

The -A command does a Aggressive scan this will run some of the most popular commands like OS detection, version detection, script scanning and traceroute.

nmap -A 192.168.0.6

Say you find a open Telnet port on a print server as below.

you can use either telnet or a program like Netcat to connect to this port and gain access to the service.

if you want more information on connecting to ports with Netcat see my Netcat 101 tutorial

Using Alternative Packets

Use the -PN to scan a host when its protected with a firewall this will scan a host,nmap not doing a ping scan first and will do a deep scan of the target

nmap -PN 192.168.0.6

This next command is a simple ping scan -sP this will simply just ping the server and wont tell you the names or the open ports.

nmap -sP 192.168.0.6

To change the scan to a Syn scan instead of a ICMP scan.

nmap -PS 192.168.0.6

if you want to check specific ports in your Syn scan type your command like so.

nmap -PS 22,80,443 192.168.0.6

To change the scan to use ACK packets instead of ICMP

nmap -PA 192.168.0.6

To change the scan to use UDP instead of ICMP

nmap -PU 192.168.0.6

To do a SCTP scan instead of ICMP

nmap -PW 192.168.0.6

This is the default scan and what is used if no other scan is specified.

nmap -PE 192.168.0.6

you can use ICMP timestamping for getting around firewalled targets.

nmap -PP  192.168.0.6

another good command for getting around firewalls is ICMP address mask ping.

nmap -PM 192.168.0.6

Discovery Options

You can use the command below to do a IP protocol ping this sends packets with the specified protocol to the target. If no protocols are specified, the default protocols 1 (ICMP), 2(IGMP) and 4 (IP-in-IP) are used.

nmap -PO 192.168.0.6

The -PR option is used to perform an arp ping scan, it cant be used of the target is not on your local subnet.

nmap -PR 192.168.0.6

The -traceroute parameter can be used to trace the network path to the specified host

nmap --traceroute www.google.com

The -R parameter instructs Nmap to always perform a reverse DNS resolution on the target IP address. this is useful when performing reconnaissance on a block of IP addresses, as Nmap will try to resolve the reverse DNS information of every IP address.

nmap -R 192.168.0.6

The –system-dns option instructs Nmap to use the host systems DNS resolver instead of its own internal method.

nmap --system-dns 192.168.0.6

You can also manually specify DNS servers to be queried with the –dns-servers this will bypass the local dns servers on your system to what ever you specified.

nmap --DNS-servers 8.8.8.8 6.6.8.8 192.168.0.6

the -sL option will display a list and performs a reverse DNS lookup of the specified IP addresses

nmap -sL 192.168.0.6

Advanced Scanning Techniques

Syn scan is the most popular scan option. It can scan thousands of ports per secound on a fast network not hampered by restrictive firewalls. it is also relatively unobtrusive and stealthy, since it never completes TCP connections.

nmap -sS 192.168.0.6

TCP connect scan is the default scan and is very noisy on the network.

nmap -sT 192.168.0.6

Use the command below to use UDP scanning. UDP scanning is generally slower and more difficult than TCP

nmap -sU 192.168.0.6

TCP null scan tricks a target to think its probing with TCP

nmap -sN 192.168.0.6

TCP fin scan is used on a target behind a firewall.

nmap -sF  192.168.0.6

Xmas scan sets the FIN, PSH and URG flags, lighting the packet up like a christmas tree.

nmap -sX 192.168.0.6

This option specifies which TCP flags should be set in the TCP packet this is normally used to evade Firewalls or and IDS.

nmap --scanflags ackpsh 192.168.0.6

There are 8 different flags you can use:-

• CWR (congestion Windows Reduced)
• ECN (Explicit Congestion Notification)
• URG (Urgent)
• ACK (Acknowledgement)
• PSH (Push)
• RST (Reset)
• SYN (Synchronize)
• FIN (Finish)

TCP ACK scan this scan is different than the others discussed so far in that it never determines open or even open | filtered ports. It is used to map out firewall rule sets, determining whether they are stateful or not and which ports are filtered.

nmap -sA 192.168.0.6

IP protocol scan this will show just the protocol and the state of the service.

nmap -sO 192.168.0.6

Scan using raw ethernet packets

nmap --send-eth 192.168.0.6

Scan using raw ip packets

nmap  --send-ip 192.168.0.6

Port Scanning Options

nmap will normally scan the top 1000 ports by default but if you want to scan other ports you can use these commands.

Fast scan will just scan the top 100 ports

nmap -F 192.168.0.6

Scan just the specified port.

nmap -p 80 192.168.0.6

This next command is the same as above but uses a comma to sperate the ports also you can do a range of ports.

nmap -p 80,23,140-200 192.168.0.6

If you cant remember the port number you can always use the name of the port.

nmap -p http 192.168.0.6

This will scan for any service with sm in the name the * is a wildcard and the quotes ” ” tell the OS its a nmap scan and not a linux terminal scan.

nmap -p "sm*" 192.168.0.6

this next command specifies UDP and TCP on ports udp 53 tcp 25

nmap -sU -sT -p U:53,T:25 192.168.0.6

You can use a * as a wildcard to scan for every thing.

nmap -p "*" 192.168.0.6

Run through the top 54 ports, The 54 can be any number.

nmap --top-ports 54 192.168.0.6

By default  nmap randomizes the scanned port order. This randomization is normally desirable but you can specify -r for sequential port scanning instead.

nmap -r 192.168.0.6

Add -v to any scan to get more a verbose output as its scanning.

Operating System Detection

Nmap has the power to tell what operating system and services are running on a remote machine this process is called tcp/ip fingerprinting.

This will figure out what Operating system is running, use -v to get even more info.

nmap -O 192.168.0.6

This will scan a host with nmaps best guess of what the OS is if the above command is not working.

nmap -O --osscan-guess 192.168.0.6

Same as the above but a easyer command.

nmap -O --fuzzy 192.168.0.6

This shows the service versions the target is running.

nmap -sV 192.168.0.6

Use the –Version-trace if the above command is not giving the output you thought you would be getting this prints out extensive debugging info.

nmap -sV --Version-trace 192.168.0.6

To do a RPC scan

nmap -sR 192.168.0.6

Timing Options

Sometimes speeding up or slowing down your nmap scan can give you better results for example if you are on a slow network you might want to slow down your scan.

Time in nmap is in ms milliesecounds so if you type 100 it will be 100ms or 100s for secounds 1m for min or 1h for hours.

Remember there is 1000ms to a secound so if i wanted to type 1000ms you could just type 1s and would get the same result.

Avoid firewall and IDS alerts  using -T0. T stands for timing and the zero 0 is its slowest setting

nmap -T0 192.168.0.6

Same as above but with the 5 its extreamly fast.

nmap -T5 192.168.0.6

You can set how meany probes nmap uses to help with port scanning and host discovery.

This command will scan with just 4 probes at the same time.

nmap --max-parallelism 4 192.168.0.6

Scan with 100 probes at the same time this may result with a faster less acurate scan.

nmap --min-parallelism 100  192.168.0.6

Tell nmap to scan a specified number of hosts at the same time in the specified range.

nmap --min-hostgroup 10 192.168.0.1/24

Same as above but will tell nmap the maximum number of hosts to scan at the same time.

nmap --max-hostgroup 10 192.168.0.1/24

Increase or decrease the time nmap times out.

nmap --initial-rtt-timeout 6000 192.168.0.6

same as above but you are setting the max time out.

nmap --max-rtt-timeout 6000 192.168.0.6

The default rtt timeout in nmap is 10s.

You can set the amount of retries the scan does, good for slow networks.

nmap --max-retries 3 192.168.0.6

Set the ttl (time to live) of your scan .

nmap --ttl 100 192.168.0.6

This will stop nmap trying a host after a given time.

nmap --host-timeout 1m 192.168.0.6

Create a delay between scan probes very slow but very accurate.

nmap --scan-delay 10s 192.168.0.6

Same as above but is a lot faster but is less accurate.

nmap --max-scan-delay 10s 192.168.0.6

Set the minimum amount of packets per secound

nmap --min-rate 50 192.168.0.6

This command is the same as above but you are setting the maximum amount of packets  per secound good for going undetected on a network but very slow.

nmap --max-rate 10 192.168.0.6

This will defeat the rst packets (reset packets) probaley wont ever need to use this command as its built into nmap by default

nmap --defeat-rst-ratelimit 192.168.0.6

Fun with Firewalls

Send smaller 8byte probes instead of a whole packet can also be done with nmap –send-eth to do the same thing

nmap -f 192.168.0.6

Specify the MTU size of your scan, can only us multiples of 8 when setting the size.

nmap --mtu 8 192.168.0.6

The decoy option will scan using multiple decoy ip addresses -D is for decoy RND generates the number random ip addresses specified after the colon : .

nmap -D RND:10 192.168.0.6 this is

Specify which pcs to uses as a decoy in this example its .52 and .100

nmap -D 192.168.0.52,192.168.0.100 192.168.0.6

Idol zombie scan this will scan a pc pretending to be any idol PC.

nmap -sI 192.168.0.52 192.168.0.6

specify what port number the nmap scans from, also can be done with a -g command.

nmap --source-port 54 192.168.0.6

Add random data to probe packets to help try and evade the firewall, the size is in bytes.

nmap --data-length  25 192.168.0.6

Randomize your target scan order

nmap --randomize-hosts 192.168.0.6-100

spoof the mac address in your scan the 0 tells nmap to make a random mac address

nmap -sT -PN --spoof-mac 0 192.168.0.6

send packets with incorrect checksums.

nmap --badsum 192.168.0.6

How to Output to a file

Scan your network and output to a file called scan.txt

nmap -oN scan.txt  192.168.0.6/24

Scan the network outputting the results to a xml file called scan.xml.

nmap -oX scan.xml 192.168.0.6/24

make a grep-able file

nmap -oG scan.txt 192.168.0.1/24

then u can grep the file( grep “Microsoft” scan.txt )and it will pull out all the info with Microsoft on.

This next command will output a txt file a xml and a grep-able file with the name of scan.

nmap -oA scan 192.168.0.1/24

Force your scan to give you info every  2 seconds, you can use m for min or h for hours.

nmap --stats-every 2s 192.168.0.6/24

Save a file called scan.txt and changes the output into l33t speak.

nmap -oS scan.txt 192.168.0.1/24

How to Troubleshoot Scans

To bring up help type

nmap -h

Nmap manual

man nmap

Nmap Version

nmap -v

Debug output, to get even more output you can use d1 upto d9 d1 being the fastest

nmap -d 192.168.0.6

Port state reason codes added to your scan. if a port does not give you a reason code its either closed or behind a firewall.

nmap --reason 192.168.0.6

this will show just the open ports.

nmap --open 192.168.0.6

Shows the packets sent and received during a scan, you can output the info to a textfile by using nmap –packet-trace 192.168.0.6 > trace.txt

nmap --packet-trace 192.168.0.6

Show you the network interfaces and routes that are configured on your local network.

nmap --iflist

-e lets you specifies the network interface wlan0, eth0 or what ever your network interfaces are called to run your scan from.

nmap -e wlan0 192.168.0.6

Nmap Scripting Engine

nmap comes with a ton of scripts but there are over 400 that can be downloaded from https://nmap.org/nsedoc and they are normally saved to /home/usr/share/nmap/scripts/… you have to navigate to the scripts folder to be able to run a script.

Nmap needs to be atlest version 5.0 to run a script.

This script does a banner grab of any open tcp ports.

nmap --script banner 192.168.0.6

This is a wildcard and will run any script with http in the name and output any info its able to use.

nmap --script "http*" 192.168.0.6

This next command does eaxctly the same as -sC as well as default you can use all, auth, Discovery, external, intrusive, safe or vun.

nmap --script default 192.168.0.6

This command shows troubleshooting info for a specific script.

nmap --script banner --script-trace 192.168.0.6

update your scripts folder using this command.

nmap --script-updatedb

ndiff

ndiff allows you to compaire to different xml files

ndiff test1.xml test2.xml

the – sign is for test 1 and the + sign for test 2

you can also use -v for verbose mode

Buttons you can click when a nmap scan is running (runtime interaction)

v verbose mode
d debugging
p packet tracing
? help