Nmap is a free, open-source tool used for footprinting and reconnaissance: it discovers hosts and services on a computer network by sending packets and analysing the responses it gets back. Nmap is a noisy scanner and is easily detected by firewalls. "The quieter you become, the more you are able to hear." As a security analyst, one must therefore learn how to scan quietly and anonymously.
- Nmap can provide information on targets, including reverse DNS names, device types, and MAC addresses.
- Host discovery: identifying hosts on a network, for example listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
- Port scanning: enumerating the open ports on target hosts.
- OS detection: determining the operating system and hardware characteristics of network devices.
- Version detection: interrogating network services on remote devices to determine the application name and version number.
- Scriptable interaction with the target using the Nmap Scripting Engine (NSE).
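The "noisy scanner" point above is easiest to appreciate from the defender's side: a port scan leaves one source touching many distinct destination ports on a host in a short window. The following shell script is an added example, not code from the original page; the firewall log lines, addresses and the simplified "epoch src dst dport action" field layout are constructed for this example and do not correspond to any particular vendor's format.

```shell
#!/bin/sh
# Added example: flag (source, destination) pairs that probed many distinct
# destination ports within a short window, the footprint a port scan leaves in
# a firewall log. Log format (assumed, simplified): "<epoch> <src> <dst> <dport> <action>".
SAMPLE_LOG='1700000000 10.0.0.5 192.168.1.106 22 DROP
1700000001 10.0.0.5 192.168.1.106 23 DROP
1700000001 10.0.0.5 192.168.1.106 25 DROP
1700000002 10.0.0.5 192.168.1.106 80 ACCEPT
1700000002 10.0.0.5 192.168.1.106 110 DROP
1700000003 10.0.0.5 192.168.1.106 143 DROP
1700000003 10.0.0.5 192.168.1.106 443 ACCEPT
1700000004 10.0.0.5 192.168.1.106 3389 DROP
1700000005 10.0.0.7 192.168.1.106 443 ACCEPT
1700000009 10.0.0.7 192.168.1.106 443 ACCEPT
1700000010 10.0.0.9 192.168.1.50 80 ACCEPT
1700000011 10.0.0.9 192.168.1.50 443 ACCEPT'

# scan_suspects THRESHOLD WINDOW_SECONDS
# Reads log lines on stdin and prints "src dst distinct_ports" for every
# (source, destination) pair that touched at least THRESHOLD distinct
# destination ports within WINDOW_SECONDS of its first observed packet.
# Dropped and accepted packets both count: a scan is visible either way.
scan_suspects() {
    awk -v thr="$1" -v win="$2" '
    {
        key = $2 " " $3
        if (!(key in first)) first[key] = $1
        # count a port once, and only inside the window after the first packet
        if ($1 - first[key] <= win && !((key, $4) in seen)) {
            seen[key, $4] = 1
            ports[key]++
        }
    }
    END {
        for (k in ports)
            if (ports[k] >= thr) print k, ports[k]
    }' | sort
}

# Run against the constructed log: one source sweeps eight ports on one host
# in four seconds, the other two sources look like ordinary clients.
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 5 10
```

The threshold and window are the tuning knobs: a low threshold over a long window catches slow scans at the cost of false positives from busy clients, which is exactly the trade-off a quiet scanner exploits.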
Nmap commands
Scan an IP address or hostname: the simplest invocation takes a single target, given either as an IP address or as a hostname.
nmap 220.127.116.11
nmap scanme.nmap.org
Nmap ping scan: discovers which hosts on a network are up without port-scanning them. In most cases remote hosts block IP-based ping packets, so ARP-based requests are recommended; on a local Ethernet segment Nmap uses ARP ping by default. Nmap options are case-sensitive: the ping scan is -sP (its current name is -sn; -sP is kept as an alias).
nmap -sP 192.168.5.0/24
Specific ports or an entire port range on a remote or local server: the first command scans all 65535 ports on the local machine; the other two scan specific ports on a given hostname or IP. The port list must contain no spaces after the commas, because with "-p 80, 443" the shell passes 443 as a separate argument and it is no longer part of the port list.
nmap -p 1-65535 localhost
nmap -p 80,443 scanme.nmap.org
nmap -p 80,443 18.104.22.168
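Both the ping scan and the port scans above are most useful to a defender when their results are processed rather than read by eye, and Nmap's grepable output (-oG) is the format made for that. The following shell functions are an added example, not code from the original page: they parse a constructed -oG sample (hosts, ports and the baseline are made up for this example) to list the hosts that are up, list the open ports, and flag any open port that is missing from a per-host baseline, turning a scan of one's own network into a check for unexpected exposure.

```shell
#!/bin/sh
# Added example: post-process Nmap grepable output (-oG) with POSIX shell + awk.
# The scan below is a constructed sample in -oG layout (tab-separated fields),
# not real scan output.
sample_scan() {
    printf '# constructed sample of: nmap -p 22,80,443,3306 -oG - 192.168.5.0/24\n'
    printf 'Host: 192.168.5.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.5.1 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (3)\n'
    printf 'Host: 192.168.5.10 (fileserver.lan)\tStatus: Up\n'
    printf 'Host: 192.168.5.10 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http///, 3306/open/tcp//mysql///, 443/closed/tcp//https///\n'
    printf '# Nmap done (constructed sample)\n'
}

# Baseline of ports each host is expected to expose (constructed): "ip=port/proto".
BASELINE="192.168.5.1=443/tcp 192.168.5.10=22/tcp 192.168.5.10=80/tcp"

# hosts_up: reads -oG output on stdin, prints the IP of every host marked Up.
hosts_up() {
    awk -F'\t' '/^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# open_ports: reads -oG output on stdin, prints "ip port/proto service" for
# each open port. A Ports entry is "port/state/proto/owner/service/rpc/version/".
open_ports() {
    awk -F'\t' '
    /^Host: / {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                }
            }
        }
    }'
}

# unexpected_ports BASELINE: reads open_ports output on stdin and prints only
# the lines whose "ip port/proto" is not in the space-separated baseline.
unexpected_ports() {
    awk -v base="$1" '
    BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) allowed[b[i]] = 1 }
    !(($1 "=" $2) in allowed)'
}

# Demonstration: the file server exposes MySQL, which the baseline does not allow.
sample_scan | open_ports | unexpected_ports "$BASELINE"
```

With a real scan the pipeline is `nmap -p 1-65535 -oG - 192.168.5.0/24 | open_ports | unexpected_ports "$BASELINE"`; an empty result means nothing is listening that the baseline does not already know about.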
Scan multiple IP addresses: targets can be given as several IPs or hostnames, a comma-separated list of last octets, a consecutive range, an entire subnet, random hosts (-iR 0 keeps choosing random Internet hosts until stopped), or a subnet with excluded targets.
nmap 192.168.0.1 192.168.0.2
nmap 192.168.0.1,2,3,4
nmap 192.168.0.1-10
nmap 192.168.0.1/24
nmap -iR 0
nmap 192.168.0.1/24 --exclude 192.168.0.100,192.168.0.200
Scan popular ports: --top-ports 10 limits the scan to the 10 most commonly open ports on the host/IP, according to Nmap's port-frequency data.
nmap --top-ports 10 192.168.1.106
ARP ping is Nmap's default host-discovery method on a local Ethernet segment. The options below add a traceroute to each target, force reverse DNS resolution of every target, and use the system's DNS resolver instead of Nmap's own lookup.
nmap --traceroute 192.168.0.1
nmap -R 192.168.0.1
nmap --system-dns 192.168.0.1