Posts Tagged ‘nmap’

From the manual entry:

“Nmap (‘Network Mapper’) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.”

Here are a few well-known TCP ports and the services conventionally bound to them (the port number in the TCP header, not the packet contents, is how the transport layer hands a segment to a service):

20 – FTP (File Transfer Protocol, data channel)
21 – FTP (File Transfer Protocol, control channel)
22 – SSH (Secure Shell)
23 – Telnet
25 – SMTP (Simple Mail Transfer Protocol)
80 – HTTP (Hypertext Transfer Protocol)
110 – POP3 (Post Office Protocol, version 3)
139 – NetBIOS Session Service
443 – HTTPS (HTTP over TLS)

Well, let's explore this tool…

  • nmap takes a host name or IP address as its argument. Use the help option to see every flag.
    #nmap --help or #nmap -h

    Screenshot from 2013-11-07 13:12:01

  • Scan a single host (IPv4)
    Scan a host using the following command,
    #nmap host-name or #nmap host-ip
    Run as root this defaults to a SYN scan (-sS); as an unprivileged user it falls back to a TCP connect scan (-sT), because SYN scanning needs raw sockets. By default nmap probes the 1000 most common TCP ports.
    For verbose output, use the -v option; for more verbose output, use -vv.

    Screenshot from 2013-11-08 00:34:27

  • Scan multiple IP addresses
    Scan a range of IP addresses using,
    #nmap 192.168.1.1-20
    Or scan the entire subnet using CIDR notation,
    #nmap 192.168.1.0/24
    You can also use a wildcard (quote it if your shell tries to expand it as a filename glob),
    #nmap 192.168.1.*

    Screenshot from 2013-11-08 00:09:40

  • Stealth Scan / Half Open Scan.
    This sends a SYN packet. If the port is open, the target answers with SYN/ACK; knowing the port is open, Nmap replies with RST instead of completing the handshake, so no connection is ever established and the application listening on the port never sees it. A closed port answers the SYN with RST, and no answer (or an ICMP unreachable) is reported as filtered. Because it crafts raw packets, this scan needs root privileges. It is "stealthy" only in the sense that the application does not log a connection; a firewall or IDS watching the wire still sees the SYNs, so this scan can still be detected. Use the -sS option for this scan.
    #nmap -sS host-ip

    Screenshot from 2013-11-07 21:48:04

  • TCP Connect / Full Open Scan.
    A complete 3-way handshake is established. Nmap asks the operating system to connect() to the port: it sends SYN, an open port is acknowledged with SYN/ACK, and the kernel completes the connection with ACK before nmap tears it down again. Because the connection is fully established, the service on the target sees it and may log it. This scan needs no special privileges and is the default when nmap is not run as root. Use the -sT option for this scan.
    #nmap -sT host-ip

    Screenshot from 2013-11-07 21:48:52

  • Scan for UDP.
    To scan UDP ports use the -sU option (the 1000 most common UDP ports by default; add -p- for all 65535). UDP has no handshake to work with: a port that answers with ICMP port unreachable is closed, one that answers with data is open, and silence is reported as open|filtered. Expect it to be slow, and add -sV to resolve the ambiguous ports.
    #nmap -sU host-ip

    Screenshot from 2013-11-07 22:19:52
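The difference between the half-open and full-open scans above is easiest to see from the target's side. The following is an added example, not code from the original post or from the nmap project: a minimal TCP connect scan in Python (the mechanism behind -sT) run against a throwaway listener on 127.0.0.1 that records every connection it accepts. The listener, the choice of ports and the "timeout means a dropped SYN" inference are assumptions made for the demonstration. Because connect() completes the handshake, the listener logs the scanner's address; a SYN scan (-sS) would reset the connection after SYN/ACK and never reach accept(), which is the point of -sS. It needs raw sockets, so it is not reproduced here.

```python
import socket
import threading
import time


def connect_scan(host, ports, timeout=1.0):
    """Classify ports the way nmap -sT does, through the OS connect() call.

    open: connect() succeeded, so the full SYN, SYN/ACK, ACK handshake ran.
    closed: the target answered the SYN with RST (ConnectionRefusedError).
    filtered: nothing came back before the timeout; like nmap we assume a
    packet filter dropped the SYN, which is an inference, not a proof.
    """
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except socket.timeout:
            results[port] = "filtered"
        except OSError as exc:  # e.g. network unreachable
            results[port] = f"error: {exc.errno}"
        finally:
            sock.close()  # like nmap, drop the connection immediately
    return results


class LoggingListener:
    """Throwaway TCP service on loopback that records every accepted
    connection, standing in for a real service's log file (constructed
    for this demo)."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self.log = []
        self._stop = False
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # The handshake completed, so accept() returns and the application
            # sees the scanner's source address, exactly what a SYN scan avoids.
            self.log.append(f"connection from {peer[0]}:{peer[1]}")
            conn.close()

    def close(self):
        self._stop = True
        self._thread.join()
        self.sock.close()


def free_closed_port():
    """Find a loopback port that is currently closed: bind, note it, release."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def demo():
    """Scan one open and one closed loopback port and return the port states
    together with what the target logged."""
    target = LoggingListener()
    closed_port = free_closed_port()
    try:
        states = connect_scan("127.0.0.1", [target.port, closed_port], timeout=0.5)
        deadline = time.monotonic() + 1.0  # listener thread may still be in accept()
        while not target.log and time.monotonic() < deadline:
            time.sleep(0.01)
        return {"open_port": target.port, "closed_port": closed_port,
                "states": states, "target_log": list(target.log)}
    finally:
        target.close()


if __name__ == "__main__":
    result = demo()
    for port, state in sorted(result["states"].items()):
        print(f"{port}/tcp {state}")
    print("what the target logged:", result["target_log"])
```

Running it prints one open and one closed port, and the target's log shows a single connection from 127.0.0.1, which is the trace a -sT scan leaves in an application log and a -sS scan does not.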

  • To know which versions of the services are running, use the -sV option. nmap connects to each open port and matches the banner or probe responses against its service fingerprint database.
    #nmap -sV host-ip

    Screenshot from 2013-11-07 21:43:49

  • Or go for an Aggressive scan, using the -A option. It enables OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and traceroute (--traceroute) together, so it is considerably noisier than a plain port scan.
    #nmap -A host-ip
  • Skip host discovery. Just scan, don't ping. By default nmap pings a host first and skips it if nothing answers; -Pn treats every target as up, which is what you want when ICMP is filtered. (Older versions spelt this -P0, with a zero; -PO, with the letter O, is a different option, IP protocol ping.)
    #nmap -Pn host-ip
  • Fast scan. Scans only the 100 most common ports instead of the default 1000.
    #nmap -F host-ip

    Screenshot from 2013-11-08 01:05:14

  • Specify port(s) to scan.
    You can specify the port that you wish to know the status of. Say, for instance, port 80,
    #nmap -p 80 host-ip
    Or you can scan more than one port,
    #nmap -p 80,443 host-ip
    Or give a range (-p- is shorthand for all 65535 ports),
    #nmap -p 20-100 host-ip

    Screenshot from 2013-11-08 01:10:46

  • To see the host's interfaces and routing table (useful for checking which interface nmap will send from)
    #nmap --iflist

    Screenshot from 2013-11-08 01:09:24

  • Detect the operating system (TCP/IP stack fingerprinting)
    Use the -O option. nmap compares quirks of the target's TCP/IP responses (initial TTL, window size, option ordering and so on) against its OS fingerprint database; it needs root and works best when it finds at least one open and one closed TCP port.
    #nmap -O host-ip
    If nmap reports no exact match, ask it to print its best guess.
    #nmap -O --osscan-guess host-ip

    Screenshot from 2013-11-08 00:40:39

  • Trace the packets
    Print every packet nmap sends and receives, which is the quickest way to see what a scan option actually does on the wire.
    #nmap --packet-trace host-ip
    Screenshot from 2013-11-08 01:07:46
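Once -sV and -O are in play, the interesting output is the host/port/service/version table, and the way to get at it from scripts is nmap's XML output (-oX, with - for stdout). As an added example that is not part of the original post or of nmap itself, the Python below parses a constructed sample of that XML (not a real capture) into one record per port and then flags open ports that match a small list of cleartext services taken from the port table at the top of the post. The sample hosts, addresses, versions and the cleartext list are all assumptions made for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output (not a real capture), trimmed
# to the elements the parser below uses.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.10 192.168.1.11" version="7.94" xmloutputversion="1.05">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="files.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""

# Example policy for this demo (an assumption, not an nmap feature): services
# that normally carry credentials or data in cleartext, keyed by the
# well-known ports listed at the top of the post.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3"}


def parse_nmap_xml(xml_text):
    """Flatten nmap XML into one dict per scanned port on each host that is up."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a <host> element may exist for hosts that never answered
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": addr.get("addr") if addr is not None else "",
                "name": name.get("name") if name is not None else "",
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                # conf 10 = matched a version probe; 3 = guessed from the port table
                "conf": int(svc.get("conf", "0")) if svc is not None else 0,
            })
    return rows


def cleartext_findings(rows):
    """Flag open ports that match the cleartext list by port number or by the
    service name nmap identified (so http on a non-standard port is caught too)."""
    names = set(CLEARTEXT_SERVICES.values())
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue  # filtered/closed ports are not reachable services
        if r["port"] in CLEARTEXT_SERVICES or r["service"] in names:
            findings.append(
                f"{r['host']}:{r['port']}/{r['proto']} {r['service']} "
                f"{r['product']} {r['version']}".rstrip()
            )
    return findings


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in rows:
        print(f"{r['host']:<15} {r['port']:>5}/{r['proto']} {r['state']:<9} "
              f"{r['service']:<8} {r['product']} {r['version']}")
    print("cleartext services:", cleartext_findings(rows))
```

Note that the filtered telnet port is not flagged: nmap's "telnet" label there comes from the port table (conf 3), not from a probe, and nothing is actually reachable on it. Only the open HTTP service on port 80 ends up in the findings.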