mirror of
https://github.com/adambard/learnxinyminutes-docs.git
synced 2024-12-23 09:41:36 +00:00
204 lines
6.0 KiB
Markdown
204 lines
6.0 KiB
Markdown
|
---
|
|||
|
category: tool
|
|||
|
tool: Nmap
|
|||
|
contributors:
|
|||
|
- [ "Sebastian Oberdorfer" , "https://github.com/SOberdorfer" ]
|
|||
|
filename: LearnNmap.txt
|
|||
|
---
|
|||
|
|
|||
|
### Learn Nmap in Y Minutes
|
|||
|
|
|||
|
So, you’re connected to a network and want to know what else is connected to it.
|
|||
|
Maybe you’re trying to find that mystery device eating up bandwidth or check
|
|||
|
if there are services running you didn’t know about, or you just want to verify
|
|||
|
what ports are exposed on your machine?
|
|||
|
|
|||
|
Meet your swiss-army network knife named **Nmap**!
|
|||
|
|
|||
|
---
|
|||
|
|
|||
|
### Introduction
|
|||
|
|
|||
|
**Nmap 101**
|
|||
|
Nmap is an open-source network scanning tool built by Gordon Lyon. Designed to
|
|||
|
help you find devices, open ports and services across your network.
|
|||
|
It’s a swiss-army knife for network admins, security folks, dev's and anyone
|
|||
|
curious about what’s living on their network.
|
|||
|
|
|||
|
**When to Use It**
|
|||
|
|
|||
|
- **Finding Devices**: What’s connected, and what’s running?
|
|||
|
- **Network Troubleshooting**: Resolve DNS or connection issues.
|
|||
|
- **Vulnerability Detection**: Spotting potentially risky services.
|
|||
|
- **Network Security**: Evaluate exposed ports.
|
|||
|
|
|||
|
**When *Not* to Use It**
|
|||
|
|
|||
|
- **Public Networks**: Scanning Starbucks WiFi might land you in hot tea.
|
|||
|
- **Corporate Networks**: Scanning your corporate network without permission, is
|
|||
|
potentially not allowed.
|
|||
|
- **Global Web**: In some cases scanning across the web can be illegal.
|
|||
|
|
|||
|
Certain scans are intrusive and can trigger security alarms, so stick to **only
|
|||
|
**
|
|||
|
scanning networks or systems where you have permission. Unauthorized scanning
|
|||
|
can be considered illegal under cybersecurity laws in many regions, and
|
|||
|
companies
|
|||
|
might view it as a hacking attempt.
|
|||
|
|
|||
|
Use Nmap extensively and wisely.
|
|||
|
|
|||
|
---
|
|||
|
|
|||
|
### Installation
|
|||
|
|
|||
|
Installation is straightforward, thoroughly explained on [nmap.org - install](https://nmap.org/book/install.html)
|
|||
|
|
|||
|
---
|
|||
|
|
|||
|
### The Basics
|
|||
|
|
|||
|
These are low-key scans that safe to use since they don’t do deep probing.
|
|||
|
|
|||
|
- **Ping Scan**:
|
|||
|
A low-impact scan just to check if devices are online. Typically fine on
|
|||
|
trusted networks.
|
|||
|
- Scan a single device
|
|||
|
```bash
|
|||
|
nmap -sn 192.168.1.1
|
|||
|
```
|
|||
|
- Scan a range of devices
|
|||
|
```bash
|
|||
|
nmap -sn 192.168.1.1-100
|
|||
|
```
|
|||
|
- Scan a CIDR range of devices
|
|||
|
```bash
|
|||
|
nmap -sn 192.168.1.0/24 # Range 192.168.1.0 to 192.168.1.255
|
|||
|
nmap -sn 192.168.0.0/16 # Range 192.168.0.0 to 192.168.255.255
|
|||
|
nmap -sn 192.0.0.0/8 # Range 192.0.0.0 to 192.255.255.255
|
|||
|
```
|
|||
|
|
|||
|
- **Fast Scan**:
|
|||
|
Quickly checks the 100 most common ports. Great for a quick peek without
|
|||
|
probing all 65,535 ports.
|
|||
|
```bash
|
|||
|
nmap -F 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
- **Operating System Detection**:
|
|||
|
OS detection requires some extra probing, which might be detectable by
|
|||
|
Intrusion Detection Systems (IDS).
|
|||
|
```bash
|
|||
|
nmap -O 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
- **Output to File**
|
|||
|
Specific scanning and saving the output to a file, enables you to scan more
|
|||
|
thorough without overloading your network.
|
|||
|
- Plain text
|
|||
|
```bash
|
|||
|
nmap -oN output.txt 192.168.1.1
|
|||
|
```
|
|||
|
- XML, handy for using elsewhere
|
|||
|
```bash
|
|||
|
nmap -oX output.xml 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
---
|
|||
|
|
|||
|
### Moving Up: More Insightful Scans
|
|||
|
|
|||
|
These scans dig a bit deeper, so they may trigger alarms on security systems.
|
|||
|
Use these only on networks where you have explicit permission to scan.
|
|||
|
|
|||
|
- **Service Version Detection**:
|
|||
|
Tries to identify versions of services on open ports. Useful but more
|
|||
|
invasive.
|
|||
|
```bash
|
|||
|
nmap -sV 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
- **Aggressive Scan**:
|
|||
|
The aggressive scan mode (`-A`) combines multiple checks, like OS detection,
|
|||
|
version detection and traceroute. This is likely to be flagged on
|
|||
|
any network and can be considered illegal on networks you don’t own.
|
|||
|
```bash
|
|||
|
nmap -A 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
- **Scanning Specific Ports**:
|
|||
|
Narrowing scans to specific ports is generally fine.
|
|||
|
- Scan a specific port
|
|||
|
```bash
|
|||
|
nmap -p 80 192.168.1.1
|
|||
|
```
|
|||
|
- Scan a range of ports
|
|||
|
```bash
|
|||
|
nmap -p 1-100 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
---
|
|||
|
|
|||
|
### Advanced Scans: When You’re the Power User
|
|||
|
|
|||
|
So, you’re getting into the advanced stuff—maybe testing your own firewall or
|
|||
|
finding rogue services.
|
|||
|
The following scans are loud and intrusive that definitely trigger security
|
|||
|
defenses.
|
|||
|
|
|||
|
- **Scripted Scans (NSE)**
|
|||
|
Nmap’s script engine is like a toolbox of plugins. Need to check for a
|
|||
|
specific vulnerability? There’s likely an NSE script for it.
|
|||
|
```bash
|
|||
|
nmap --script=http-vuln-cve2021-12345 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
- **Aggressive and fastest Scans**:
|
|||
|
`-T5` turns up to knob to 11. `-A` scans all ports.
|
|||
|
Use it sparse and only if you really need full visibility.
|
|||
|
```bash
|
|||
|
nmap -T5 -A 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
- **TCP and UDP Combined Scans**:
|
|||
|
Combining TCP and UDP scans (`-sS` for SYN scans and `-sU` for UDP) gives
|
|||
|
complete coverage but increases the scan’s footprint, making it detectable.
|
|||
|
```bash
|
|||
|
nmap -sS -sU 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
- **Spoofing and Decoy Scans**:
|
|||
|
Using decoys (`-D`) or spoofed IP addresses to hide your real IP can be seen
|
|||
|
as deceptive. These scans are easily flagged by IDS and could lead to legal
|
|||
|
repercussions if you’re not authorized.
|
|||
|
```bash
|
|||
|
# 10 random IP decoys
|
|||
|
nmap -D RND:10 192.168.1.1
|
|||
|
```
|
|||
|
|
|||
|
---
|
|||
|
|
|||
|
### Practical Tips and Tricks
|
|||
|
|
|||
|
**Timing Templates**
|
|||
|
Nmap has timing options from `-T0` (paranoid) to `-T5` (insane). Stick with
|
|||
|
`-T2` or `-T3` for a good balance between speed and not making too much noise.
|
|||
|
More
|
|||
|
on [nmap - timing-templates](https://nmap.org/book/performance-timing-templates.html)
|
|||
|
|
|||
|
**Check Out Nmap’s Scripts**
|
|||
|
NSE scripts make Nmap super versatile. From DNS enumeration to vulnerability
|
|||
|
checks, there’s probably a script for whatever you need.
|
|||
|
More on [nmap - Nmap Scripting Engine](https://nmap.org/book/man-nse.html)
|
|||
|
|
|||
|
**Use aggressive scans and decoys only on networks you own** or with formal
|
|||
|
authorization, such as during a penetration test with client permission. If
|
|||
|
you’re running scans at work, talk to the network admins first.
|
|||
|
|
|||
|
**Know When to Stop**
|
|||
|
Once you’ve got the info you need, wrap it up. It’s easy to get scan-happy.
|
|||
|
|
|||
|
---
|
|||
|
|
|||
|
Happy scanning!
|