2024-12-11 02:24:59 +00:00
|
|
|
|
---
|
2024-12-11 10:12:53 +00:00
|
|
|
|
name: Nmap
|
2024-12-11 02:24:59 +00:00
|
|
|
|
category: tool
|
|
|
|
|
contributors:
|
2024-12-18 22:54:05 +00:00
|
|
|
|
- ["Sebastian Oberdorfer", "https://github.com/SOberdorfer"]
|
2024-12-11 02:24:59 +00:00
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
### Learn Nmap in Y Minutes
|
|
|
|
|
|
|
|
|
|
So, you’re connected to a network and want to know what else is connected to it.
|
|
|
|
|
Maybe you’re trying to find that mystery device eating up bandwidth or check
|
|
|
|
|
if there are services running you didn’t know about, or you just want to verify
|
|
|
|
|
what ports are exposed on your machine?
|
|
|
|
|
|
|
|
|
|
Meet your swiss-army network knife named **Nmap**!
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
### Introduction
|
|
|
|
|
|
|
|
|
|
**Nmap 101**
|
|
|
|
|
Nmap is an open-source network scanning tool built by Gordon Lyon. Designed to
|
|
|
|
|
help you find devices, open ports and services across your network.
|
|
|
|
|
It’s a swiss-army knife for network admins, security folks, dev's and anyone
|
|
|
|
|
curious about what’s living on their network.
|
|
|
|
|
|
|
|
|
|
**When to Use It**
|
|
|
|
|
|
|
|
|
|
- **Finding Devices**: What’s connected, and what’s running?
|
|
|
|
|
- **Network Troubleshooting**: Resolve DNS or connection issues.
|
|
|
|
|
- **Vulnerability Detection**: Spotting potentially risky services.
|
|
|
|
|
- **Network Security**: Evaluate exposed ports.
|
|
|
|
|
|
|
|
|
|
**When *Not* to Use It**
|
|
|
|
|
|
|
|
|
|
- **Public Networks**: Scanning Starbucks WiFi might land you in hot tea.
|
|
|
|
|
- **Corporate Networks**: Scanning your corporate network without permission, is
|
|
|
|
|
potentially not allowed.
|
|
|
|
|
- **Global Web**: In some cases scanning across the web can be illegal.
|
|
|
|
|
|
|
|
|
|
Certain scans are intrusive and can trigger security alarms, so stick to **only
|
|
|
|
|
**
|
|
|
|
|
scanning networks or systems where you have permission. Unauthorized scanning
|
|
|
|
|
can be considered illegal under cybersecurity laws in many regions, and
|
|
|
|
|
companies
|
|
|
|
|
might view it as a hacking attempt.
|
|
|
|
|
|
|
|
|
|
Use Nmap extensively and wisely.
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
### Installation
|
|
|
|
|
|
|
|
|
|
Installation is straightforward, thoroughly explained on [nmap.org - install](https://nmap.org/book/install.html)
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
### The Basics
|
|
|
|
|
|
|
|
|
|
These are low-key scans that safe to use since they don’t do deep probing.
|
|
|
|
|
|
|
|
|
|
- **Ping Scan**:
|
|
|
|
|
A low-impact scan just to check if devices are online. Typically fine on
|
|
|
|
|
trusted networks.
|
|
|
|
|
- Scan a single device
|
|
|
|
|
```bash
|
|
|
|
|
nmap -sn 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
- Scan a range of devices
|
|
|
|
|
```bash
|
|
|
|
|
nmap -sn 192.168.1.1-100
|
|
|
|
|
```
|
|
|
|
|
- Scan a CIDR range of devices
|
|
|
|
|
```bash
|
|
|
|
|
nmap -sn 192.168.1.0/24 # Range 192.168.1.0 to 192.168.1.255
|
|
|
|
|
nmap -sn 192.168.0.0/16 # Range 192.168.0.0 to 192.168.255.255
|
|
|
|
|
nmap -sn 192.0.0.0/8 # Range 192.0.0.0 to 192.255.255.255
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- **Fast Scan**:
|
|
|
|
|
Quickly checks the 100 most common ports. Great for a quick peek without
|
|
|
|
|
probing all 65,535 ports.
|
|
|
|
|
```bash
|
|
|
|
|
nmap -F 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- **Operating System Detection**:
|
|
|
|
|
OS detection requires some extra probing, which might be detectable by
|
|
|
|
|
Intrusion Detection Systems (IDS).
|
|
|
|
|
```bash
|
|
|
|
|
nmap -O 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- **Output to File**
|
|
|
|
|
Specific scanning and saving the output to a file, enables you to scan more
|
|
|
|
|
thorough without overloading your network.
|
|
|
|
|
- Plain text
|
|
|
|
|
```bash
|
|
|
|
|
nmap -oN output.txt 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
- XML, handy for using elsewhere
|
|
|
|
|
```bash
|
|
|
|
|
nmap -oX output.xml 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
### Moving Up: More Insightful Scans
|
|
|
|
|
|
|
|
|
|
These scans dig a bit deeper, so they may trigger alarms on security systems.
|
|
|
|
|
Use these only on networks where you have explicit permission to scan.
|
|
|
|
|
|
|
|
|
|
- **Service Version Detection**:
|
|
|
|
|
Tries to identify versions of services on open ports. Useful but more
|
|
|
|
|
invasive.
|
|
|
|
|
```bash
|
|
|
|
|
nmap -sV 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- **Aggressive Scan**:
|
|
|
|
|
The aggressive scan mode (`-A`) combines multiple checks, like OS detection,
|
|
|
|
|
version detection and traceroute. This is likely to be flagged on
|
|
|
|
|
any network and can be considered illegal on networks you don’t own.
|
|
|
|
|
```bash
|
|
|
|
|
nmap -A 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- **Scanning Specific Ports**:
|
|
|
|
|
Narrowing scans to specific ports is generally fine.
|
|
|
|
|
- Scan a specific port
|
|
|
|
|
```bash
|
|
|
|
|
nmap -p 80 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
- Scan a range of ports
|
|
|
|
|
```bash
|
|
|
|
|
nmap -p 1-100 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
### Advanced Scans: When You’re the Power User
|
|
|
|
|
|
|
|
|
|
So, you’re getting into the advanced stuff—maybe testing your own firewall or
|
|
|
|
|
finding rogue services.
|
|
|
|
|
The following scans are loud and intrusive that definitely trigger security
|
|
|
|
|
defenses.
|
|
|
|
|
|
|
|
|
|
- **Scripted Scans (NSE)**
|
|
|
|
|
Nmap’s script engine is like a toolbox of plugins. Need to check for a
|
|
|
|
|
specific vulnerability? There’s likely an NSE script for it.
|
|
|
|
|
```bash
|
|
|
|
|
nmap --script=http-vuln-cve2021-12345 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- **Aggressive and fastest Scans**:
|
|
|
|
|
`-T5` turns up to knob to 11. `-A` scans all ports.
|
|
|
|
|
Use it sparse and only if you really need full visibility.
|
|
|
|
|
```bash
|
|
|
|
|
nmap -T5 -A 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- **TCP and UDP Combined Scans**:
|
|
|
|
|
Combining TCP and UDP scans (`-sS` for SYN scans and `-sU` for UDP) gives
|
|
|
|
|
complete coverage but increases the scan’s footprint, making it detectable.
|
|
|
|
|
```bash
|
|
|
|
|
nmap -sS -sU 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- **Spoofing and Decoy Scans**:
|
|
|
|
|
Using decoys (`-D`) or spoofed IP addresses to hide your real IP can be seen
|
|
|
|
|
as deceptive. These scans are easily flagged by IDS and could lead to legal
|
|
|
|
|
repercussions if you’re not authorized.
|
|
|
|
|
```bash
|
|
|
|
|
# 10 random IP decoys
|
|
|
|
|
nmap -D RND:10 192.168.1.1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
### Practical Tips and Tricks
|
|
|
|
|
|
|
|
|
|
**Timing Templates**
|
|
|
|
|
Nmap has timing options from `-T0` (paranoid) to `-T5` (insane). Stick with
|
|
|
|
|
`-T2` or `-T3` for a good balance between speed and not making too much noise.
|
|
|
|
|
More
|
|
|
|
|
on [nmap - timing-templates](https://nmap.org/book/performance-timing-templates.html)
|
|
|
|
|
|
|
|
|
|
**Check Out Nmap’s Scripts**
|
|
|
|
|
NSE scripts make Nmap super versatile. From DNS enumeration to vulnerability
|
|
|
|
|
checks, there’s probably a script for whatever you need.
|
|
|
|
|
More on [nmap - Nmap Scripting Engine](https://nmap.org/book/man-nse.html)
|
|
|
|
|
|
|
|
|
|
**Use aggressive scans and decoys only on networks you own** or with formal
|
|
|
|
|
authorization, such as during a penetration test with client permission. If
|
|
|
|
|
you’re running scans at work, talk to the network admins first.
|
|
|
|
|
|
|
|
|
|
**Know When to Stop**
|
|
|
|
|
Once you’ve got the info you need, wrap it up. It’s easy to get scan-happy.
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
Happy scanning!
|