mirror of https://github.com/adambard/learnxinyminutes-docs.git
synced 2024-12-23 09:41:36 +00:00
Merge 3605031c3e into e0cfe4feca
This commit is contained in: commit 2fa53283fc
203
nmap.html.markdown
Normal file
@ -0,0 +1,203 @@
---
category: tool
tool: Nmap
contributors:
- [ "Sebastian Oberdorfer" , "https://github.com/SOberdorfer" ]
filename: LearnNmap.txt
---

### Learn Nmap in Y Minutes

So, you’re connected to a network and want to know what else is connected to it.
Maybe you’re trying to find that mystery device eating up bandwidth or check
if there are services running you didn’t know about, or you just want to verify
what ports are exposed on your machine?

Meet your swiss-army network knife named **Nmap**!

---

### Introduction

**Nmap 101**
Nmap is an open-source network scanning tool built by Gordon Lyon. Designed to
help you find devices, open ports and services across your network.
It’s a swiss-army knife for network admins, security folks, dev's and anyone
curious about what’s living on their network.

**When to Use It**

- **Finding Devices**: What’s connected, and what’s running?
- **Network Troubleshooting**: Resolve DNS or connection issues.
- **Vulnerability Detection**: Spotting potentially risky services.
- **Network Security**: Evaluate exposed ports.

**When *Not* to Use It**

- **Public Networks**: Scanning Starbucks WiFi might land you in hot tea.
- **Corporate Networks**: Scanning your corporate network without permission, is
potentially not allowed.
- **Global Web**: In some cases scanning across the web can be illegal.

Certain scans are intrusive and can trigger security alarms, so stick to **only
**
scanning networks or systems where you have permission. Unauthorized scanning
can be considered illegal under cybersecurity laws in many regions, and
companies
might view it as a hacking attempt.

Use Nmap extensively and wisely.

---

### Installation

Installation is straightforward, thoroughly explained on [nmap.org - install](https://nmap.org/book/install.html)

---

### The Basics

These are low-key scans that safe to use since they don’t do deep probing.

- **Ping Scan**:
A low-impact scan just to check if devices are online. Typically fine on
trusted networks.
- Scan a single device
```bash
nmap -sn 192.168.1.1
```
- Scan a range of devices
```bash
nmap -sn 192.168.1.1-100
```
- Scan a CIDR range of devices
```bash
nmap -sn 192.168.1.0/24 # Range 192.168.1.0 to 192.168.1.255
nmap -sn 192.168.0.0/16 # Range 192.168.0.0 to 192.168.255.255
nmap -sn 192.0.0.0/8 # Range 192.0.0.0 to 192.255.255.255
```

- **Fast Scan**:
Quickly checks the 100 most common ports. Great for a quick peek without
probing all 65,535 ports.
```bash
nmap -F 192.168.1.1
```

- **Operating System Detection**:
OS detection requires some extra probing, which might be detectable by
Intrusion Detection Systems (IDS).
```bash
nmap -O 192.168.1.1
```

- **Output to File**
Specific scanning and saving the output to a file, enables you to scan more
thorough without overloading your network.
- Plain text
```bash
nmap -oN output.txt 192.168.1.1
```
- XML, handy for using elsewhere
```bash
nmap -oX output.xml 192.168.1.1
```

---

### Moving Up: More Insightful Scans

These scans dig a bit deeper, so they may trigger alarms on security systems.
Use these only on networks where you have explicit permission to scan.

- **Service Version Detection**:
Tries to identify versions of services on open ports. Useful but more
invasive.
```bash
nmap -sV 192.168.1.1
```

- **Aggressive Scan**:
The aggressive scan mode (`-A`) combines multiple checks, like OS detection,
version detection and traceroute. This is likely to be flagged on
any network and can be considered illegal on networks you don’t own.
```bash
nmap -A 192.168.1.1
```

- **Scanning Specific Ports**:
Narrowing scans to specific ports is generally fine.
- Scan a specific port
```bash
nmap -p 80 192.168.1.1
```
- Scan a range of ports
```bash
nmap -p 1-100 192.168.1.1
```

---

### Advanced Scans: When You’re the Power User

So, you’re getting into the advanced stuff—maybe testing your own firewall or
finding rogue services.
The following scans are loud and intrusive that definitely trigger security
defenses.

- **Scripted Scans (NSE)**
Nmap’s script engine is like a toolbox of plugins. Need to check for a
specific vulnerability? There’s likely an NSE script for it.
```bash
nmap --script=http-vuln-cve2021-12345 192.168.1.1
```

- **Aggressive and fastest Scans**:
`-T5` turns up to knob to 11. `-A` scans all ports.
Use it sparse and only if you really need full visibility.
```bash
nmap -T5 -A 192.168.1.1
```

- **TCP and UDP Combined Scans**:
Combining TCP and UDP scans (`-sS` for SYN scans and `-sU` for UDP) gives
complete coverage but increases the scan’s footprint, making it detectable.
```bash
nmap -sS -sU 192.168.1.1
```

- **Spoofing and Decoy Scans**:
Using decoys (`-D`) or spoofed IP addresses to hide your real IP can be seen
as deceptive. These scans are easily flagged by IDS and could lead to legal
repercussions if you’re not authorized.
```bash
# 10 random IP decoys
nmap -D RND:10 192.168.1.1
```

---

### Practical Tips and Tricks

**Timing Templates**
Nmap has timing options from `-T0` (paranoid) to `-T5` (insane). Stick with
`-T2` or `-T3` for a good balance between speed and not making too much noise.
More
on [nmap - timing-templates](https://nmap.org/book/performance-timing-templates.html)

**Check Out Nmap’s Scripts**
NSE scripts make Nmap super versatile. From DNS enumeration to vulnerability
checks, there’s probably a script for whatever you need.
More on [nmap - Nmap Scripting Engine](https://nmap.org/book/man-nse.html)

**Use aggressive scans and decoys only on networks you own** or with formal
authorization, such as during a penetration test with client permission. If
you’re running scans at work, talk to the network admins first.

**Know When to Stop**
Once you’ve got the info you need, wrap it up. It’s easy to get scan-happy.

---

Happy scanning!
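Review bot: `-A` does not scan all ports, so the "Aggressive and fastest Scans" line `-T5` turns up to knob to 11. `-A` scans all ports. contradicts the earlier "Aggressive Scan" item in this same file, which correctly describes `-A` as OS detection, version detection and traceroute (it also enables default script scanning). The all-ports option is `-p-`; either correct the sentence or change the example to `nmap -T5 -A -p- 192.168.1.1` if full port coverage is what is meant. Two more things worth fixing before merge: the NSE example `nmap --script=http-vuln-cve2021-12345 192.168.1.1` names a script that does not appear in the stock script library and reads like a placeholder, so either use an existing script or show readers how to look one up with `nmap --script-help vuln` (script categories such as `vuln` are accepted there). And "The Basics" presents `-O` as a low-key scan, but OS detection, like the `-sS` and `-sU` scans later on, needs root or raw-socket privileges and is active fingerprinting, which the item's own IDS caveat hints at; a short note that these options require elevated privileges would save readers a confusing "requires root" error. Minor markdown and wording: the bold markers in "stick to **only" / "**" are split across lines and will not render as bold, and "dev's", "scans that safe to use", "turns up to knob" and "Use it sparse" need proofreading.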