From 4fb68fb99107a465aea123e6240763e024ed2d26 Mon Sep 17 00:00:00 2001 From: Sebastian Oberdorfer <104016288+SOberdorfer@users.noreply.github.com> Date: Wed, 11 Dec 2024 03:24:59 +0100 Subject: [PATCH] [nmap/en] Add tool: nmap (#5193) * [nmap/en] Add tool: nmap * [nmap/en]: Linter fix --- nmap.html.markdown | 203 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 203 insertions(+) create mode 100644 nmap.html.markdown diff --git a/nmap.html.markdown b/nmap.html.markdown new file mode 100644 index 00000000..064e47fd --- /dev/null +++ b/nmap.html.markdown @@ -0,0 +1,203 @@ +--- +category: tool +tool: Nmap +contributors: + - [ "Sebastian Oberdorfer" , "https://github.com/SOberdorfer" ] +filename: LearnNmap.txt +--- + +### Learn Nmap in Y Minutes + +So, you’re connected to a network and want to know what else is connected to it. +Maybe you’re trying to find that mystery device eating up bandwidth or check +if there are services running you didn’t know about, or you just want to verify +what ports are exposed on your machine? + +Meet your swiss-army network knife named **Nmap**! + +--- + +### Introduction + +**Nmap 101** +Nmap is an open-source network scanning tool built by Gordon Lyon. Designed to +help you find devices, open ports and services across your network. +It’s a swiss-army knife for network admins, security folks, dev's and anyone +curious about what’s living on their network. + +**When to Use It** + +- **Finding Devices**: What’s connected, and what’s running? +- **Network Troubleshooting**: Resolve DNS or connection issues. +- **Vulnerability Detection**: Spotting potentially risky services. +- **Network Security**: Evaluate exposed ports. + +**When *Not* to Use It** + +- **Public Networks**: Scanning Starbucks WiFi might land you in hot tea. +- **Corporate Networks**: Scanning your corporate network without permission, is + potentially not allowed. +- **Global Web**: In some cases scanning across the web can be illegal. + +Certain scans are intrusive and can trigger security alarms, so stick to **only +** +scanning networks or systems where you have permission. Unauthorized scanning +can be considered illegal under cybersecurity laws in many regions, and +companies +might view it as a hacking attempt. + +Use Nmap extensively and wisely. + +--- + +### Installation + +Installation is straightforward, thoroughly explained on [nmap.org - install](https://nmap.org/book/install.html) + +--- + +### The Basics + +These are low-key scans that safe to use since they don’t do deep probing. + +- **Ping Scan**: + A low-impact scan just to check if devices are online. Typically fine on + trusted networks. + - Scan a single device + ```bash + nmap -sn 192.168.1.1 + ``` + - Scan a range of devices + ```bash + nmap -sn 192.168.1.1-100 + ``` + - Scan a CIDR range of devices + ```bash + nmap -sn 192.168.1.0/24 # Range 192.168.1.0 to 192.168.1.255 + nmap -sn 192.168.0.0/16 # Range 192.168.0.0 to 192.168.255.255 + nmap -sn 192.0.0.0/8 # Range 192.0.0.0 to 192.255.255.255 + ``` + +- **Fast Scan**: + Quickly checks the 100 most common ports. Great for a quick peek without + probing all 65,535 ports. + ```bash + nmap -F 192.168.1.1 + ``` + +- **Operating System Detection**: + OS detection requires some extra probing, which might be detectable by + Intrusion Detection Systems (IDS). + ```bash + nmap -O 192.168.1.1 + ``` + +- **Output to File** + Specific scanning and saving the output to a file, enables you to scan more + thorough without overloading your network. + - Plain text + ```bash + nmap -oN output.txt 192.168.1.1 + ``` + - XML, handy for using elsewhere + ```bash + nmap -oX output.xml 192.168.1.1 + ``` + +--- + +### Moving Up: More Insightful Scans + +These scans dig a bit deeper, so they may trigger alarms on security systems. +Use these only on networks where you have explicit permission to scan. + +- **Service Version Detection**: + Tries to identify versions of services on open ports. Useful but more + invasive. + ```bash + nmap -sV 192.168.1.1 + ``` + +- **Aggressive Scan**: + The aggressive scan mode (`-A`) combines multiple checks, like OS detection, + version detection and traceroute. This is likely to be flagged on + any network and can be considered illegal on networks you don’t own. + ```bash + nmap -A 192.168.1.1 + ``` + +- **Scanning Specific Ports**: + Narrowing scans to specific ports is generally fine. + - Scan a specific port + ```bash + nmap -p 80 192.168.1.1 + ``` + - Scan a range of ports + ```bash + nmap -p 1-100 192.168.1.1 + ``` + +--- + +### Advanced Scans: When You’re the Power User + +So, you’re getting into the advanced stuff—maybe testing your own firewall or +finding rogue services. +The following scans are loud and intrusive that definitely trigger security +defenses. + +- **Scripted Scans (NSE)** + Nmap’s script engine is like a toolbox of plugins. Need to check for a + specific vulnerability? There’s likely an NSE script for it. + ```bash + nmap --script=http-vuln-cve2021-12345 192.168.1.1 + ``` + +- **Aggressive and fastest Scans**: + `-T5` turns up to knob to 11. `-A` scans all ports. + Use it sparse and only if you really need full visibility. + ```bash + nmap -T5 -A 192.168.1.1 + ``` + +- **TCP and UDP Combined Scans**: + Combining TCP and UDP scans (`-sS` for SYN scans and `-sU` for UDP) gives + complete coverage but increases the scan’s footprint, making it detectable. + ```bash + nmap -sS -sU 192.168.1.1 + ``` + +- **Spoofing and Decoy Scans**: + Using decoys (`-D`) or spoofed IP addresses to hide your real IP can be seen + as deceptive. These scans are easily flagged by IDS and could lead to legal + repercussions if you’re not authorized. + ```bash + # 10 random IP decoys + nmap -D RND:10 192.168.1.1 + ``` + +--- + +### Practical Tips and Tricks + +**Timing Templates** +Nmap has timing options from `-T0` (paranoid) to `-T5` (insane). Stick with +`-T2` or `-T3` for a good balance between speed and not making too much noise. +More +on [nmap - timing-templates](https://nmap.org/book/performance-timing-templates.html) + +**Check Out Nmap’s Scripts** +NSE scripts make Nmap super versatile. From DNS enumeration to vulnerability +checks, there’s probably a script for whatever you need. +More on [nmap - Nmap Scripting Engine](https://nmap.org/book/man-nse.html) + +**Use aggressive scans and decoys only on networks you own** or with formal +authorization, such as during a penetration test with client permission. If +you’re running scans at work, talk to the network admins first. + +**Know When to Stop** +Once you’ve got the info you need, wrap it up. It’s easy to get scan-happy. + +--- + +Happy scanning!