What is Nmap?

Nmap is a port scanner that, beyond listing open ports, reports information about the operating system and the services behind those ports. It works with IP, TCP, UDP, SCTP and ICMP to gather that information: a probe packet is sent to the target, and the response, or the absence of one, is analysed. The exchanges needed to decide whether a port is open or closed are described further down. Treat open ports with care. Take port 80, normally used by a web server: if nmap reports port 80 as open, confirm with other tools that it really is a web server, because it is easy to bind any other listening service to port 80 depending on what is installed on the host (a plain port scan only maps the port number to a service name; see service detection with -sV below). Conversely, if you block ping on your network, an attacker will very likely fall back to TCP probes on port 80 to find your hosts. With Linux and iptables it is also easy to set up tripwires on a network that detect the various kinds of scanning.

Legal Notice

Using Nmap or any other scanning tool can be illegal where you are. Always obtain written permission before scanning anything that is not yours; your own lab is the place to practise. Use that is considered abusive can have legal, even criminal, consequences. That said, do not be afraid of nmap: it is an indispensable tool for network administrators. Scan your own servers regularly and after every change, to make sure no unauthorized port has been left open accidentally or without your knowledge.

Installation – CentOS

Installing nmap on CentOS is straightforward; install it with yum:

# yum install nmap

Installing the latest version of nmap on CentOS

The version of nmap in the CentOS repositories is not necessarily the most recent. If you want the latest release, you can install it from the RPM files published on the official nmap website.

https://nmap.org/download.html

On the download page, go to the Linux RPM Source and Binaries section

Many popular Linux distributions (Redhat, Mandrake, Suse, etc) use the RPM package management system for quick and easy binary package installation. We have written a detailed guide to installing our RPM packages, though these simple commands usually do the trick:

rpm -vhU https://nmap.org/dist/nmap-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/zenmap-7.80-1.noarch.rpm
rpm -vhU https://nmap.org/dist/ncat-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/nping-0.7.80-1.x86_64.rpm

That section of the site lists the commands that install the latest release. On a machine with only a terminal (no graphical environment), the nmap package alone is enough: zenmap is the optional GUI front-end, and ncat and nping are separate companion tools.

You can also download and install the RPMs yourself:

Latest stable release:
x86-64 (64-bit Linux) Nmap RPM: nmap-7.80-1.x86_64.rpm
x86-64 (64-bit Linux) Ncat RPM: ncat-7.80-1.x86_64.rpm
x86-64 (64-bit Linux) Nping RPM: nping-0.7.80-1.x86_64.rpm
Optional Zenmap GUI (all platforms): zenmap-7.80-1.noarch.rpm
Source RPM (includes Nmap, Zenmap, Ncat, and Nping): nmap-7.80-1.src.rpm

Source : https://nmap.org/download.html

Determine the version of nmap (--version)

You can get the version of nmap with this command:

[root@chelou ~]# nmap --version

Nmap version 7.70 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.0.2n nmap-libssh2-1.8.0 nmap-libz-1.2.8 nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Windows Installation

Installing on Windows is as simple as downloading the installation file and running it.

Link:

https://nmap.org/download.html#window

How to use Nmap?

Specify the target(s)

Scanning a single target

Running nmap against a target with no options first checks that the host is up, then scans the 1000 most common TCP ports (a SYN scan when run as root, a connect scan otherwise).

# nmap 192.168.130.101 (your target IP)

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 10:54 EDT
Nmap scan report for fw.isimtl.local (192.168.130.101)
Host is up (0.0016s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Port status according to nmap

(source: https://nmap.org/book/man-port-scanning-basics.html)

open :

An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

closed :

A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.

filtered :

Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

unfiltered :

The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

open|filtered :

Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

closed|filtered :

This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

Common Network Ports


How to Scan multiple targets using Nmap ?

The nmap command can be used to scan multiple targets at the same time

# nmap 192.168.20.20 192.168.20.15 192.168.20.10

As with a single target, you get one scan report per target specified.

How to Scan an IP address range using Nmap ?

The nmap command can also scan a range of addresses, port-scanning those that respond to host discovery (the ping-like probes described further down).

# nmap 192.168.130.20-100

In the example above, the addresses 192.168.130.20 to 192.168.130.100 will be included in the scan

How to Scan an entire network using Nmap ?

The nmap command can also scan a complete network with a CIDR notation

# nmap 192.168.100.0/24

In the example above, the 256 addresses 192.168.100.0 through 192.168.100.255 are included in the scan: nmap does not skip the network and broadcast addresses of a CIDR block, so use --exclude if you do not want them probed.

How to Use a file to provide the list of targets to scan (-iL) in Nmap

The nmap command can also read its targets from a file. Entries in the file may be separated by spaces, tabs or newlines (one address per line is the usual layout); the -iL option tells nmap to take its targets from that file.

# nmap -iL scan01.lst

Here is an example for the scan01.lst file

# cat scan01.lst
192.168.100.10
192.168.100.11
192.168.100.12
192.168.100.13

The four addresses in this file will be scanned.

Scan random addresses (-iR)

The -iR option makes nmap pick random IP addresses as targets. The addresses are chosen at random from the public Internet (nmap skips private, multicast and unallocated ranges), so they belong to organizations that have not authorized you to scan them. This option is neither recommended nor useful for a network administrator.

# nmap -iR 5

In this example, nmap will generate five IP addresses for its scan

Exclude addresses (--exclude)

The --exclude option removes specific addresses from a range you are scanning. The excluded addresses are given as a comma-separated list with no spaces; with a space, nmap would treat the next address as an extra target instead of an exclusion.

# nmap 192.168.100.0/24 --exclude 192.168.100.1,192.168.100.20

In this example, nmap scans every address of the 192.168.100.0/24 network except 192.168.100.1 and 192.168.100.20.

It is also possible to exclude an address range:

# nmap 192.168.100.0/24 --exclude 192.168.100.1-20

In this example, the addresses 192.168.100.1 through 192.168.100.20 are excluded from the scan.

Use a file to exclude addresses (--excludefile)

As with the previous option, addresses listed in a file can be excluded with --excludefile. The file uses the same format as the -iL target file.

# nmap 192.168.100.0/24 --excludefile scan01.lst

In this example, nmap scans the 192.168.100.0/24 addresses except those listed in the scan01.lst file.
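Before launching a scan against a range it is worth checking exactly which addresses the target specification expands to, especially with --exclude and --excludefile in play. The following Python script is an added example written for this article, not code from the nmap project; it reproduces the target syntax described above (octet ranges, CIDR blocks, exclusion lists and files) and goes slightly beyond the examples by accepting a range or comma list in any octet, as nmap does. The file contents and ranges in it are constructed for the demonstration.

```python
"""Expand nmap-style target specifications into the exact address list.

Added example for this article, not code from the nmap project. It handles
single addresses, octet ranges (192.168.130.20-100, and generally a range or
comma list in any octet, as nmap allows), CIDR blocks, --exclude lists and
--excludefile contents. Hostnames are deliberately not resolved here.
"""
import ipaddress
import itertools


def _octet_values(field):
    """Expand one octet field: '5', '20-100', '1,254' or '-' (meaning 0-255)."""
    values = []
    for part in field.split(","):
        if part == "-":
            lo, hi = 0, 255
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet range: %r" % field)
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec):
    """Return the IPv4 addresses (as strings) covered by one target spec."""
    if "/" in spec:
        # CIDR: nmap includes the network and broadcast addresses, so do we.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 target spec: %r" % spec)
    fields = [_octet_values(o) for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*fields)]


def build_target_list(targets, exclude=(), exclude_file_lines=()):
    """Apply --exclude / --excludefile: an excluded address never appears in
    the result, even when a target spec names it explicitly."""
    excluded = set()
    for spec in list(exclude) + [line.strip() for line in exclude_file_lines]:
        if spec and not spec.startswith("#"):   # '#' comment lines: this script's convenience
            excluded.update(expand_target(spec))
    result, seen = [], set()
    for spec in targets:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


if __name__ == "__main__":
    # Constructed inputs mirroring the article's examples.
    hosts = build_target_list(["192.168.100.0/24"], exclude=["192.168.100.1-20"])
    print(len(hosts), hosts[0], hosts[-1])      # 236 192.168.100.0 192.168.100.255
    print(build_target_list(["10.0.1-2.1,254"]))
```

Run it before a large scan and compare the count with what you expect; the .0 and .255 addresses showing up in a /24 expansion is the usual surprise.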

How to Scan IPv6 target (-6) using Nmap ?

The nmap command can also scan IPv6 addresses: add the -6 option and give an IPv6 address. Note that a link-local address such as the fe80:: one below is only reachable on the directly attached segment; if nmap cannot work out which interface to use, select it with -e <interface>.

# nmap -6 fe80::b1e1:8204:512e:2df0

Discovery of hosts

One of the very first steps in network discovery is to reduce a range of IP addresses to a list of active or interesting hosts. Before port-scanning a target, nmap checks that it is present. A firewall in front of the target may drop the ICMP probes, so here are several techniques to reveal the presence of hosts anyway.

View a target list to scan (-sL)

One way to list potential targets on a network without sending packets to the targets themselves is to do reverse DNS resolution of each address (the only traffic generated is DNS queries to your resolver).

# nmap -sL 192.168.130.0/24

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 11:40 EDT
Nmap scan report for 192.168.130.0
Nmap scan report for 192.168.130.1
Nmap scan report for 192.168.130.2
Nmap scan report for kali.isimtl.local (192.168.130.3)
Nmap scan report for 192.168.130.4
Nmap scan report for 192.168.130.5
Nmap scan report for opnsense.isimtl.local (192.168.130.6)
[…]
Nmap scan report for 192.168.130.254
Nmap scan report for 192.168.130.255

In this example, a name is shown for the hosts that obtained an address from DHCP and whose record the DHCP service registered in the DNS; the other addresses have no reverse record.

Validate the presence of the targets without doing a port scan (-sn)

By default, nmap pings the target before port-scanning it. If the target answers, the port scan follows; if it does not, because it is switched off or sits behind a firewall that drops the probe, nmap moves on to the next address. As a result, many hosts are missed by a default scan. A firewall protects your machines from casual or fast scanning, but it is not a protection against nmap or similar tools: there are many other ways of finding your machines on the network, and the options below can make a host reveal itself despite the firewall. With -sn, nmap performs host discovery only, with no port scan. For a privileged user the default discovery consists of an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on a local Ethernet segment nmap uses ARP requests instead, and an unprivileged user gets TCP connect attempts to ports 80 and 443.

# nmap -sn 192.168.130.0/24

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 12:12 EDT
Nmap scan report for kali.isimtl.local (192.168.130.3)
Host is up (0.0077s latency).
Nmap scan report for opnsense.isimtl.local (192.168.130.6)
Host is up (0.0031s latency).
Nmap scan report for routeur07.isimtl.local (192.168.130.8)
Host is up (0.0077s latency).
[…]
Nmap scan report for win-tjgb04monhp.isimtl.local (192.168.130.120)
Host is up (0.0029s latency).
Nmap done: 256 IP addresses (39 hosts up) scanned in 3.20 seconds

Note: the -sn option on old versions of nmap was -sP

Port-scan every address without host discovery (-Pn)

Normally, nmap uses host discovery (ping) to decide which machines are alive before doing the heavier work: by default, port scans, version detection and OS detection are only run against hosts that answered the discovery probes. -Pn disables host discovery, so nmap treats every listed address as up and port-scans all of them. That is why, in the output below, hosts whose 1000 ports are all filtered are still reported as up: nmap assumed it rather than measured it.

# nmap -Pn 192.168.130.1-5

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 12:37 EDT
Nmap scan report for 192.168.130.1
Host is up (0.069s latency).
All 1000 scanned ports on 192.168.130.1 are filtered

Nmap scan report for 192.168.130.2
Host is up (0.067s latency).
All 1000 scanned ports on 192.168.130.2 are filtered

Nmap scan report for kali.isimtl.local (192.168.130.3)
Host is up (0.033s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind

Nmap scan report for 192.168.130.4
Host is up (0.068s latency).
All 1000 scanned ports on 192.168.130.4 are filtered

Nmap scan report for 192.168.130.5
Host is up (0.069s latency).
All 1000 scanned ports on 192.168.130.5 are filtered

Nmap done: 5 IP addresses (5 hosts up) scanned in 12.99 seconds

Host discovery – TCP SYN Ping (-PS)

This option sends an empty TCP packet with the SYN flag set. The default port is 80; you can specify other ports, for example -PS22 or -PS22,80,1000-1500. There must be no space between -PS and the port list. An open port answers with SYN/ACK and a closed port with RST; either reply proves the host is up.

# nmap -p22 -PS 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 10:30 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.0014s latency).

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

In this example the scan is limited to port 22, a SYN message is sent to the target

Host discovery – TCP ACK Ping (-PA)

An ACK packet normally acknowledges data on an established TCP connection, but here no connection exists, so a host that receives it should answer with a RST packet, revealing its presence. Stateful firewalls, however, drop ACK packets that belong to no known connection, which is why nmap combines SYN and ACK probes by default. As with -PS, -PA uses port 80 by default and accepts a port list, for example -PA22 or -PA22,80,1000-1500.

# nmap -p22 -PA 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 10:45 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.00049s latency).

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

In this example the scan is limited to port 22, an ACK message is sent to the target.

Host discovery – UDP Ping (-PU)

Another host discovery option is the UDP ping, which sends a UDP packet to the given ports. For most ports the packet is empty, but some ports get a protocol-specific payload that is more likely to elicit a response; the payload database is described at https://nmap.org/book/nmap-payloads.html

If no port is specified, the default is port 40125, chosen because it is very unlikely to be in use: a reachable host should answer with an ICMP "port unreachable" message, which proves it is up. A UDP ping can therefore find hosts behind a firewall that only filters TCP and ICMP echo.

# nmap -PU 192.168.1.145

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-26 20:56 EDT
Nmap scan report for centos02 (192.168.1.145)
Host is up (0.0019s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:15:5D:38:01:01 (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

Host discovery – SCTP INIT Ping (-PY)

This option sends an SCTP packet containing a minimal INIT chunk. The default destination port is 80. The INIT chunk tells the target that you are trying to establish an association. Normally the destination port is closed and an ABORT chunk comes back; if the port is open, the target takes the second step of the SCTP four-way handshake and answers with an INIT-ACK chunk. Either reply shows the host is up.

# nmap -PY 192.168.1.145

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-27 20:19 EDT
Nmap scan report for centos02 (192.168.1.145)
Host is up (0.0024s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:15:5D:38:01:01 (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 5.25 seconds

Host discovery – ICMP ping types (-PE, -PP, -PM)

-PE

nmap can send the same packets as the ping program. With this option, nmap sends an ICMP type 8 (echo request) to each target and expects an ICMP type 0 (echo reply) from the hosts that are up.

-PP and -PM

Timestamp requests and address mask requests are sent with the -PP and -PM options respectively. A timestamp reply (ICMP type 14) or an address mask reply (ICMP type 18) reveals that the target is up. Both are useful when administrators block echo request and echo reply packets specifically but let the other ICMP types through.

Host discovery – IP Protocol Ping (-PO)

An IP protocol ping sends IP packets whose IP header carries the specified protocol number. With no argument, nmap sends packets for protocols 1 (ICMP), 2 (IGMP) and 4 (IP-in-IP); a list such as -PO6,17 selects other protocols. Any reply in the same protocol, or an ICMP protocol unreachable message, shows the host is up.

# nmap -PO 192.168.1.145

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-27 20:50 EDT
Nmap scan report for centos02 (192.168.1.145)
Host is up (0.0032s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:15:5D:38:01:01 (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds

Host discovery – ARP Ping (-PR)

On a local Ethernet segment nmap discovers hosts with ARP requests rather than IP-level pings, and -PR forces this behaviour. If a host answers the ARP request, nmap already knows it is present and sends it no further ping probes. ARP does not cross routers, so this option is only meaningful on your own LAN; it does nothing useful when the targets sit behind a router or firewall. The MAC Address line in the output (with the vendor guessed from the OUI) is only available in this situation.

# nmap -PR 192.168.1.145

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-27 21:05 EDT
Nmap scan report for centos02 (192.168.1.145)
Host is up (0.0024s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:15:5D:38:01:01 (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

Do not do DNS resolution (-n)

The -n option tells nmap never to do reverse DNS resolution of the addresses it scans. This makes scans faster and avoids sending PTR queries that a DNS server could log.

# nmap -n 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-27 21:55 EDT
Nmap scan report for 192.168.4.114
Host is up (0.0043s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds

Always do the DNS resolution (-R)

Instructs nmap to always do the reverse resolution on the detected IP addresses.

# nmap -R 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-27 21:56 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.0067s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 4.75 seconds

Specify the DNS server (–dns-servers)

By default, nmap uses the DNS servers from resolv.conf (Unix) or from the registry (Windows). Use --dns-servers (a comma-separated list) to query other servers instead.

# nmap -sL 192.168.130.0/24 --dns-servers 192.168.20.10

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-27 22:07 EDT
Nmap scan report for router.isimtl.local (192.168.130.0)
Nmap scan report for 192.168.130.1
Nmap scan report for 192.168.130.2
Nmap scan report for kali.isimtl.local (192.168.130.3)
Nmap scan report for 192.168.130.4
Nmap scan report for 192.168.130.5
Nmap scan report for opnsense.isimtl.local (192.168.130.6)
Nmap scan report for 192.168.130.7
[…]
Nmap scan report for 192.168.130.255

Port scanning techniques

Most scan types are only available to privileged users (root, Administrator, etc.); an unprivileged account can only use the techniques that do not require raw packets.

Only one TCP scan method can be used at a time, but a UDP scan (-sU) and an SCTP scan can be combined with a TCP scan. By default, nmap performs a SYN scan when run with privileges and a TCP connect scan otherwise.

TCP SYN Scan (-sS)

This is the fastest type of scan. It does not follow the TCP rules, because it never completes the three-way handshake: nmap sends a SYN, reads the SYN/ACK (open) or RST (closed) that comes back, and answers a SYN/ACK with a RST instead of an ACK, so no full connection is established and the application behind the port never sees it. Despite the "stealth scan" label found in older documentation, this scan is not stealthy: any IDS/IPS and many firewalls detect a burst of SYN packets to many ports without difficulty.

# nmap -sS 192.168.130.10

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-27 23:11 EDT
Nmap scan report for chelou.isimtl.local (192.168.130.10)
Host is up (0.032s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds

TCP connect Scan (-sT)

A TCP connect scan is the default TCP scan type when a SYN scan is not possible, typically because the user lacks the privileges to send raw packets. Instead of writing raw packets, nmap asks the operating system to open a connection to each target port through the connect() system call, exactly as a client would. The handshake completes, so the service on the target sees a connection and may log it, and the scan is slower and noisier than a SYN scan.

# nmap -sT 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 10:25 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 4.92 seconds

UDP Scan (-sU)

The UDP scan sends a UDP packet, empty for most ports and carrying a protocol-specific payload for common services such as DNS, SNMP or DHCP, to each targeted port. If an ICMP port unreachable message (type 3, code 3) comes back, the port is closed. If another ICMP unreachable error (type 3, code 1, 2, 9, 10 or 13) comes back, the port is filtered. If the target answers with a UDP packet, the port is open. If nothing comes back after several retries, the port is reported as open|filtered, as in the example below, where nothing distinguishes a silent DNS service from a firewall dropping the probe. UDP scans are slow because most systems rate-limit ICMP error messages.

# nmap -sU -p53 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 10:51 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.00054s latency).

PORT   STATE         SERVICE
53/udp open|filtered domain
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

SCTP INIT Scan (-sY)

The SCTP INIT scan is the SCTP counterpart of the TCP SYN scan. It is fast, scanning thousands of ports per second on a quick network when no firewall interferes, and it is also called half-open because it never opens a full SCTP association: nmap sends an INIT chunk as if it were going to open a real association and waits for the answer. An INIT-ACK chunk means the port is open, an ABORT chunk means it is closed. If no response arrives after several retransmissions, the port is marked filtered, as it is when an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) is received. By default 52 SCTP ports are scanned.

# nmap -sY 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 11:01 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.00051s latency).
All 52 scanned ports on target.isimtl.local (192.168.4.114) are filtered
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds

SCTP COOKIE ECHO Scan (-sZ)

The SCTP COOKIE ECHO scan is a more advanced SCTP scan. It exploits the fact that an SCTP implementation must silently drop a COOKIE ECHO chunk arriving on an open port but answer with an ABORT chunk on a closed port. Its drawback is that it cannot tell an open port from a filtered one, since both produce no answer, so both are reported as open|filtered.

# nmap -sZ -p22,80,443 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 12:48 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.0015s latency).

PORT     STATE         SERVICE
22/sctp  open|filtered ssh
80/sctp  open|filtered http
443/sctp open|filtered https
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds

In this example all three ports come back open|filtered: on its own, the COOKIE ECHO scan cannot say whether SCTP ports 22 and 80 are open or whether the firewall dropped the probes. Remember that an open TCP port 22 or 80 (as seen in the earlier TCP scans) says nothing about SCTP on the same port number.

Scan Null, FIN and Xmas (-sN, -sF, -sX)

These three scan types behave exactly the same way and differ only in the TCP flags set: none at all (-sN), FIN only (-sF), or FIN, PSH and URG together (-sX). A RST reply means the port is closed; no reply means open|filtered; an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) marks the port filtered. They were designed to slip past stateless packet filters that only block incoming SYN packets, but they are easily spotted by an IDS/IPS. They also only work against systems that follow RFC 793 strictly: Windows, Cisco devices and several others answer every such probe with a RST, so all ports appear closed.
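The introduction mentioned that iptables makes it easy to set up tripwires against scanning, and the SYN, NULL, FIN and Xmas scans above are all easy to spot because of the flag combinations they put on the wire. The Python script below is an added example (not part of this article or of nmap) of the analysis side of such a tripwire: it reads iptables LOG lines and reports any source that probes many distinct ports within a short window, naming the scan type from the TCP flags. It assumes a LOG rule with the hypothetical prefix "TCP-PROBE " for unsolicited inbound TCP packets; the log lines embedded in it are constructed, not captured from a real host.

```python
"""Flag port scans in iptables LOG lines.

Added example for this article, not code from nmap. It assumes a rule that
logs unsolicited inbound TCP packets with --log-prefix "TCP-PROBE " (a
hypothetical prefix chosen here); the field layout (IN= OUT= MAC= SRC= DST=
... PROTO=TCP SPT= DPT= ... flag words ... URGP=) is the standard netfilter
LOG format. A source that touches many distinct ports within a short window
is reported, with the scan type inferred from the TCP flags on its probes.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?"
    r"TCP-PROBE .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP "
    r"SPT=\d+ DPT=(?P<dpt>\d+) .*?RES=0x[0-9a-fA-F]+ (?P<flags>.*?)URGP="
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Flag combinations that nmap's TCP scan types put on the wire.
SCAN_TYPES = {
    frozenset({"SYN"}): "SYN scan (-sS) or connect scan (-sT)",
    frozenset(): "NULL scan (-sN)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
    frozenset({"ACK"}): "ACK scan (-sA) or window scan (-sW)",
}


def parse_line(line, year=2018):
    """Return (time, src, dst, dport, flagset), or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    flags = frozenset(tok for tok in m["flags"].split() if tok in TCP_FLAGS)
    return ts, m["src"], m["dst"], int(m["dpt"]), flags


def detect_scans(lines, window_seconds=10, min_ports=5):
    """Group probes by source and report every source that hits at least
    min_ports distinct destination ports inside some window_seconds interval."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec[1]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        for i, (t0, _, dst0, _, _) in enumerate(recs):
            ports, kinds = set(), set()
            for t, _, _, dport, flags in recs[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                ports.add(dport)
                kinds.add(SCAN_TYPES.get(flags, "unusual flags %s" % sorted(flags)))
            if len(ports) >= min_ports:
                alerts[src] = {"target": dst0, "ports": sorted(ports), "types": sorted(kinds)}
                break
    return alerts


# Constructed sample log lines (not captured from a real system).
SAMPLE = [
    "Aug 28 23:11:0%d chelou kernel: [  812.%03d] TCP-PROBE IN=eth0 OUT= "
    "MAC=00:15:5d:04:95:0e:00:15:5d:38:01:01:08:00 SRC=192.168.130.3 "
    "DST=192.168.130.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=%d PROTO=TCP "
    "SPT=43112 DPT=%d WINDOW=1024 RES=0x00 SYN URGP=0" % (i, i, 27000 + i, port)
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 3306])   # one SYN per second
] + [
    # A single Xmas probe from a second source, then an ordinary connection attempt.
    "Aug 28 23:12:30 chelou kernel: [  900.001] TCP-PROBE IN=eth0 OUT= "
    "MAC=00:15:5d:04:95:0e:00:15:5d:38:01:02:08:00 SRC=192.168.130.8 "
    "DST=192.168.130.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=TCP "
    "SPT=50000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0",
    "Aug 28 23:12:31 chelou kernel: [  901.001] TCP-PROBE IN=eth0 OUT= "
    "MAC=00:15:5d:04:95:0e:00:15:5d:38:01:03:08:00 SRC=192.168.130.120 "
    "DST=192.168.130.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=TCP "
    "SPT=49800 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE).items():
        print("%s scanned %s: %s on ports %s" % (src, info["target"], info["types"], info["ports"]))
```

The threshold of five distinct ports in ten seconds is a starting point, not a rule: a SYN scan of the default 1000 ports trips it within the first second, while a single Xmas probe, which no legitimate client ever sends, is worth an alert on its own and is why the flag classification is reported alongside the port count.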

TCP ACK Scan (-sA)

This type of scan differs from the others in that it never determines whether a port is open: it only reports ports as unfiltered (a RST came back, so the port is reachable) or filtered. It is used to map firewall rulesets, to find out whether a firewall is stateful or stateless and which ports it filters. Ports that do not respond, or that return an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10 or 13), are considered filtered.

# nmap -sA 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 11:12 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.0012s latency).
Not shown: 998 filtered ports
PORT   STATE      SERVICE
22/tcp unfiltered ssh
80/tcp unfiltered http
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds

TCP Window scan (-sW)

The TCP window scan is the same as the ACK scan, except that instead of always reporting unfiltered when a RST comes back, it examines the TCP window field of that RST. On some systems, open ports answer with a positive window size in their RST packets while closed ports answer with a zero window, so the window scan reports open or closed accordingly. Do not trust this scan on its own: very few systems behave this way. In the following example the scan is done against the same machine as -sA, -sS and -sT: the two ports that the other scans showed open are reported as closed here, because this target sets a zero window in every RST. What you can still read from it is the same split the ACK scan gave: 998 ports filtered and 2 ports that answer.

# nmap -sW 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 11:33 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.0012s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp closed http
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 4.64 seconds

Custom TCP scan (--scanflags)

The --scanflags option lets you craft the TCP probe yourself by combining the URG, ACK, PSH, RST, SYN and FIN flags as needed (the flag names are concatenated, in any order). For example:

  • Set the URG and ACK flags

--scanflags URGACK

  • Set all flags

--scanflags URGACKPSHRSTSYNFIN

Responses are interpreted according to the base scan type given alongside (-sA for ACK-style interpretation, for instance); with no base type, nmap interprets them as it would for a SYN scan.

Idle scan (-sI)

For this type of scan you need a host on the network that does nothing: a printer with a web interface that is sitting idle, for instance, hence the name. That host becomes the zombie of the scan, and nmap sends every probe to the target with the zombie's spoofed source address, so the target never sees the scanner's own address. The zombie must have an IP ID counter that is global and incremented by one for every packet it sends; that is what makes this side channel work:

An idle scan consists of three steps, repeated for each port:

  • Probe the zombie's IP ID and record it.
  • Forge a SYN packet with the zombie's source address and send it to the target port. Depending on the state of the port, the target's reaction may or may not make the zombie send a packet, and therefore increment its IP ID.
  • Probe the zombie's IP ID again. The state of the target port is deduced by comparing this new IP ID with the one recorded in the first step.

After the three steps, the zombie's IP ID has increased:

An increase of 1 means the zombie sent no packet other than its reply to the attacker's probe. That corresponds to a closed or filtered port: the target either sent the zombie a RST, which it ignored, or nothing at all (nmap reports closed|filtered).

An increase of 2 means the zombie exchanged packets with the target, so the port is open: the target answered the forged SYN with a SYN/ACK to the zombie, and the zombie had to reply to that unexpected SYN/ACK with a RST.

You can have a better description of this type of scan at the following address: https://nmap.org/book/idlescan.html
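To make the IP ID arithmetic concrete, here is an added example, written for this article and not part of nmap, that simulates the three steps in memory with a zombie, a target and an attacker as Python objects. No packets are sent. The addresses and the open ports are invented for the demonstration, and the last call shows what happens when the zombie is not really idle: its counter moves for other reasons and the deduction becomes unreliable, which is why nmap tests a zombie's IP ID sequence before using it (the real command is nmap -sI <zombie> <target>).

```python
"""Simulate the IP ID side channel behind nmap's idle scan (-sI).

Added example for this article, not code from nmap. Three simulated parties
exchange messages in memory: the attacker, a zombie whose IP stack uses a
global incremental IP ID counter, and a target with a fixed set of open
ports. The attacker never contacts the target from its own address; it infers
each port's state from how much the zombie's IP ID advanced, exactly as the
three steps above describe. All addresses and ports are invented.
"""


class Zombie:
    """Host with a predictable, global IP ID counter (the idle-scan requirement)."""

    def __init__(self, ip):
        self.ip = ip
        self.ip_id = 1000

    def send(self):
        """Every packet the zombie emits consumes one IP ID."""
        self.ip_id += 1
        return self.ip_id

    def receive(self, pkt):
        # An unsolicited SYN/ACK makes a well-behaved stack answer with a RST (one packet).
        if pkt["flags"] == "SYN/ACK":
            return {"src": self.ip, "dst": pkt["src"], "flags": "RST", "ip_id": self.send()}
        # A RST for a connection that does not exist is silently ignored: no packet, no ID used.
        return None


class Target:
    def __init__(self, ip, open_ports):
        self.ip = ip
        self.open_ports = set(open_ports)

    def receive(self, pkt):
        """Answer a SYN with SYN/ACK (open) or RST (closed), to the apparent source."""
        if pkt["flags"] != "SYN":
            return None
        flags = "SYN/ACK" if pkt["dport"] in self.open_ports else "RST"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags, "dport": pkt["dport"]}


def probe_ip_id(zombie, attacker_ip):
    """Steps 1 and 3: send the zombie a SYN/ACK and read the IP ID of its RST."""
    reply = zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": "SYN/ACK"})
    return reply["ip_id"]


def idle_scan_port(zombie, target, port, attacker_ip="10.0.0.99", background_packets=0):
    """Run the three idle-scan steps for one port and classify it from the IP ID delta."""
    before = probe_ip_id(zombie, attacker_ip)                       # step 1
    spoofed = {"src": zombie.ip, "dst": target.ip, "flags": "SYN", "dport": port}
    reply = target.receive(spoofed)                                 # step 2: spoofed SYN
    if reply is not None:
        zombie.receive(reply)   # a SYN/ACK provokes a RST from the zombie; a RST is ignored
    for _ in range(background_packets):                            # traffic of a non-idle zombie
        zombie.send()
    after = probe_ip_id(zombie, attacker_ip)                        # step 3
    delta = after - before
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unknown (delta=%d, zombie not idle)" % delta


def idle_scan(zombie, target, ports, **kw):
    return {p: idle_scan_port(zombie, target, p, **kw) for p in ports}


if __name__ == "__main__":
    z = Zombie("192.168.1.50")            # e.g. the idle printer mentioned above
    t = Target("192.168.4.114", open_ports=[22, 80])
    print(idle_scan(z, t, [22, 25, 80, 443]))
    print(idle_scan(z, t, [22], background_packets=3))   # noisy zombie: unknown
```

The same reasoning explains why a firewall in front of the target does not help against an idle scan: the target's RST and silence look identical from the zombie's side, which is why nmap can only report closed|filtered, never closed.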

IP Protocol Scan (-sO)

The IP protocol scan does not scan ports: it determines which IP protocols (TCP, ICMP, IGMP, etc.) the target supports. nmap sends one IP packet per protocol number; an ICMP protocol unreachable error means the protocol is closed, any other response means it is open, and silence leaves it open|filtered, as for most protocols in the example below.

# nmap -sO 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 15:20 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.00075s latency).
Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
6        open  tcp
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds

Port Options:

Port range (-p)

This option specifies the port or ports to scan, replacing the default list.

Ports can be listed with commas (,) and ranges given with a dash (-):

-p 22,80,443 for ports 22, 80 and 443

-p 20-25 for ports 20 to 25

-p- for ports 1 to 65535

With the -sO option, the -p option will allow you to choose the protocol number (0 -255)

Some protocol numbers:

  • 1 ICMP
  • 2 IGMP
  • 6 TCP
  • 17 UDP

It is also possible to scan TCP and UDP ports in the same command (together with -sU): prefix the TCP list with T: and the UDP list with U: (S: exists for SCTP). Each prefix applies to the items that follow it until the next prefix, and the whole argument must contain no spaces, otherwise the shell splits it and nmap takes the rest for a target name.

Example:

-p U:53,161,T:22,25,80

Exclude ports (–exclude-ports)

This option excludes ports from the list given with -p (or from the default list); with -sO it excludes protocol numbers instead.

# nmap -p80-445 --exclude-ports 81-440 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-29 12:17 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.00083s latency).

PORT    STATE    SERVICE
80/tcp  open     http
441/tcp filtered decvms-sysmgt
442/tcp filtered cvc_hostd
443/tcp filtered https
444/tcp filtered snpp
445/tcp filtered microsoft-ds
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
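The port syntax above (comma lists, ranges, -p-, the T:/U: prefixes and --exclude-ports) is simple but easy to get wrong, as the space problem with the -p U:... example shows. The following Python parser is an added example, not code from nmap, that turns a -p argument and an --exclude-ports argument into the per-protocol port lists nmap would actually scan; it also accepts the S: (SCTP) and P: (protocol number, for -sO) prefixes and the open-ended ranges 20- and -25 that nmap allows. The specifications in it are constructed for the demonstration.

```python
"""Parse nmap port specifications (-p) and apply --exclude-ports.

Added example for this article, not code from nmap. Implements the syntax
described above: comma lists, ranges, "-" for the whole range, the
open-ended forms "20-" and "-25", and the T:/U:/S:/P: prefixes (TCP, UDP,
SCTP and, for -sO, IP protocol numbers 0-255). Items without a prefix apply
to every protocol the scan covers, as they do in nmap.
"""

PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
PORT_BOUNDS = {"tcp": (1, 65535), "udp": (1, 65535), "sctp": (1, 65535), "ip": (0, 255)}


def _expand_item(item, proto):
    """One list element: 'N', 'A-B', 'A-', '-B' or '-' (the whole range)."""
    lo_min, hi_max = PORT_BOUNDS[proto]
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else lo_min
        hi = int(hi_s) if hi_s else hi_max
    else:
        lo = hi = int(item)
    if not lo_min <= lo <= hi <= hi_max:
        raise ValueError("range out of bounds for %s: %r" % (proto, item))
    return range(lo, hi + 1)


def parse_port_spec(spec, protocols=("tcp",)):
    """'U:53,161,T:22,25,80' -> {'udp': {53, 161}, 'tcp': {22, 25, 80}}.

    A prefix applies to every following item until the next prefix. Items
    seen before any prefix apply to all of `protocols` (the protocols the
    scan uses, e.g. ("tcp", "udp") for -sS -sU). Spaces are stripped here
    for convenience; on the real command line the argument must not contain
    any, or the shell splits it and nmap sees a second target."""
    result = {}
    current = None
    for raw in spec.replace(" ", "").split(","):
        if not raw:
            continue
        if ":" in raw:
            prefix, raw = raw.split(":", 1)
            current = PROTO_PREFIX[prefix.upper()]
        for proto in ([current] if current else protocols):
            result.setdefault(proto, set()).update(_expand_item(raw, proto))
    return result


def effective_ports(port_spec, exclude_spec=None, protocols=("tcp",)):
    """Ports actually scanned: -p minus --exclude-ports, per protocol."""
    wanted = parse_port_spec(port_spec, protocols)
    if exclude_spec:
        for proto, ports in parse_port_spec(exclude_spec, protocols).items():
            if proto in wanted:
                wanted[proto] -= ports
    return {proto: sorted(ports) for proto, ports in wanted.items() if ports}


if __name__ == "__main__":
    print(effective_ports("80-445", "81-440"))                          # tcp: 80, 441-445
    print(effective_ports("U:53,161,T:22,25,80", protocols=("tcp", "udp")))
    print(effective_ports("-", "1-1023")["tcp"][:3])                      # [1024, 1025, 1026]
```

The first call reproduces the --exclude-ports example above: of the 366 ports in 80-445, only 80 and 441 through 445 are left, which is exactly the set nmap printed.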

Fast scan (-F)

Tells nmap to scan fewer ports. Normally nmap scans the 1000 most common ports; with -F it reduces the list to the 100 most common.

# nmap -F 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-29 12:19 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.0012s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 1.91 seconds

Output with the -F option (100 ports: 98 not shown, 2 open)

# nmap 192.168.4.114

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-29 12:19 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.0011s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds

Output of a normal scan (1000 ports: 998 not shown, 2 open)

Use the port list sequentially (-r)

By default, nmap scans the ports in random order. If needed, -r makes it go through the list sequentially, from the lowest port to the highest.

Service detection (-sV)

After the port scan, nmap lists the ports that are not closed with a service name for each. That name is only looked up in nmap's table of well-known port numbers (nmap-services), not observed on the wire, so a service bound to an unusual port, or an unusual service bound to a well-known port, is mislabelled. For a vulnerability assessment or an inventory you need to know which software, and which version, actually answers on each port; version detection (-sV) sends protocol probes to each open port and reads the responses to find out.

# nmap 192.168.4.114 -sV

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-29 15:35 EDT
Nmap scan report for target.isimtl.local (192.168.4.114)
Host is up (0.00094s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS))
MAC Address: 00:15:5D:04:95:0E (Microsoft)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.35 seconds

Change the intensity of service detection

--version-intensity

This option, used with -sV, sets the probe intensity level between 0 and 9; the default is 7. Each version probe has a rarity value, and the intensity decides which probes are tried against a port: the higher the value, the more probes are sent and the more likely the service is identified correctly, at the cost of a slower scan.

--version-light

This option is an alias for --version-intensity 2 (faster, fewer probes).

--version-all

This option is an alias for --version-intensity 9 (every probe is tried).
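The legal notice recommended scanning your own servers after every change, and the port states and version strings above are what you compare between two runs. The Python script below is an added example, not part of this article or of nmap: it parses the XML produced by nmap -oX (the host, ports/port, state and service elements of nmap's XML output format), then diffs a baseline scan against a current one to list newly opened ports, ports that disappeared, changed version banners, and open ports whose service name is only a table lookup rather than a probed result. The two XML documents in it are constructed by hand to resemble the -sV output shown above (OpenSSH 7.4 and Apache 2.4.6) plus invented changes; real input comes from the -oX file.

```python
"""Parse nmap XML output (-oX) and diff two scans of the same hosts.

Added example for this article, not code from nmap. The element and
attribute names read here (host, address, ports/port, state, service,
method="table"/"probed") are those of nmap's XML output format; the two
documents below are constructed by hand to resemble the -sV result shown in
the article plus some invented changes.
"""
import xml.etree.ElementTree as ET


def parse_nmap_xml(xml_text):
    """Return {(ip, proto, port): {"state", "service", "verified"}} for every
    port element. "verified" is True only when the service line came from -sV
    probing (method="probed"); method="table" is just the nmap-services lookup."""
    root = ET.fromstring(xml_text)
    ports = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            svc = port.find("service")
            if svc is None:
                name, verified = "", False
            else:
                name = " ".join(v for v in (svc.get("name"), svc.get("product"),
                                            svc.get("version"), svc.get("extrainfo")) if v)
                verified = svc.get("method") == "probed"
            key = (addr.get("addr"), port.get("protocol"), int(port.get("portid")))
            ports[key] = {"state": port.find("state").get("state"),
                          "service": name, "verified": verified}
    return ports


def diff_scans(baseline, current):
    """Changes an administrator wants to hear about between two scans."""
    b = {k: v for k, v in baseline.items() if v["state"] == "open"}
    c = {k: v for k, v in current.items() if v["state"] == "open"}
    return {
        "new_open": sorted(set(c) - set(b)),
        "no_longer_open": sorted(set(b) - set(c)),
        "version_changed": sorted(k for k in set(b) & set(c)
                                  if b[k]["service"] != c[k]["service"]),
        "unverified_service": sorted(k for k, v in c.items() if not v["verified"]),
    }


# Constructed baseline: the -sV result from the article, as nmap -oX would write it.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.4.114" version="7.70">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.4.114" addrtype="ipv4"/>
<address addr="00:15:5D:04:95:0E" addrtype="mac" vendor="Microsoft"/>
<hostnames><hostname name="target.isimtl.local" type="PTR"/></hostnames>
<ports><extraports state="filtered" count="998"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.6" extrainfo="(CentOS)" method="probed" conf="10"/></port>
</ports></host>
</nmaprun>"""

# Constructed later scan: Apache upgraded, FTP appeared, and something unidentified on 8080.
CURRENT_XML = BASELINE_XML.replace('version="2.4.6"', 'version="2.4.37"').replace(
    "</ports>",
    '<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>'
    '<service name="ftp" product="vsftpd" version="3.0.2" method="probed" conf="10"/></port>'
    '<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>'
    '<service name="http-proxy" method="table" conf="3"/></port></ports>')

if __name__ == "__main__":
    for change, keys in diff_scans(parse_nmap_xml(BASELINE_XML),
                                   parse_nmap_xml(CURRENT_XML)).items():
        print(change, keys)
```

Keep the baseline XML under version control next to the change that justified each open port; the "unverified_service" list is the port-80 warning from the introduction made mechanical, since a name that came from the table rather than from a probe has not been confirmed.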

Operating System Detection (-O)

Nmap can identify the target's operating system by fingerprinting its TCP/IP stack: it sends a series of TCP, UDP and ICMP packets to the target and analyses details of the responses (initial TTL, window size, TCP options, IP ID behaviour and so on). It then compares the result with its nmap-os-db database, which contains more than 2600 operating system fingerprints. Detection is most reliable when nmap finds at least one open and one closed TCP port on the target, as the warning in the example below shows.

# nmap 192.168.4.123 -O

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-30 13:26 EDT
Nmap scan report for win-5pee04pqjns.isimtl.local (192.168.4.123)
Host is up (0.0019s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:15:5D:04:95:0D (Microsoft)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2012
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
OS details: Microsoft Windows Server 2012 or Windows Server 2012 R2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

More aggressive OS detection (--osscan-guess)

When nmap does not find a perfect match for the operating system, it may propose near matches as possibilities. With --osscan-guess (or its alias --fuzzy), nmap guesses more aggressively: it says when the match printed is imperfect and shows a confidence percentage for each candidate.

Using script

Nmap Scripting Engine (NSE) is one of the features of nmap. It allows users to write (and share) scripts with the Lua programming language.

Use default scripts (-sC)

The -sC option is equivalent to --script=default: it runs the scripts of the default category, which are considered safe (non-intrusive) but are not silent.

Use scripts (--script)

This option runs scripts chosen by a comma-separated list of script file names, categories or directories. Each item in the list can also be a Boolean expression for a more complex selection (for example "default or safe", "not intrusive"). Categories such as intrusive, exploit, dos and vuln can crash or alter the target, so read a script's description with --script-help before running it against anything you care about.

Examples of script usage

# nmap --script "not intrusive" <target>
