mirror of
https://github.com/adambard/learnxinyminutes-docs.git
synced 2025-01-14 21:25:58 +00:00
203 lines
6.0 KiB
Markdown
203 lines
6.0 KiB
Markdown
---
|
||
name: Nmap
|
||
category: tool
|
||
contributors:
|
||
- ["Sebastian Oberdorfer", "https://github.com/SOberdorfer"]
|
||
---
|
||
|
||
### Learn Nmap in Y Minutes
|
||
|
||
So, you’re connected to a network and want to know what else is connected to it.
|
||
Maybe you’re trying to find that mystery device eating up bandwidth or check
|
||
if there are services running you didn’t know about, or you just want to verify
|
||
what ports are exposed on your machine?
|
||
|
||
Meet your swiss-army network knife named **Nmap**!
|
||
|
||
---
|
||
|
||
### Introduction
|
||
|
||
**Nmap 101**
|
||
Nmap is an open-source network scanning tool built by Gordon Lyon. Designed to
|
||
help you find devices, open ports and services across your network.
|
||
It’s a swiss-army knife for network admins, security folks, dev's and anyone
|
||
curious about what’s living on their network.
|
||
|
||
**When to Use It**
|
||
|
||
- **Finding Devices**: What’s connected, and what’s running?
|
||
- **Network Troubleshooting**: Resolve DNS or connection issues.
|
||
- **Vulnerability Detection**: Spotting potentially risky services.
|
||
- **Network Security**: Evaluate exposed ports.
|
||
|
||
**When *Not* to Use It**
|
||
|
||
- **Public Networks**: Scanning Starbucks WiFi might land you in hot tea.
|
||
- **Corporate Networks**: Scanning your corporate network without permission, is
|
||
potentially not allowed.
|
||
- **Global Web**: In some cases scanning across the web can be illegal.
|
||
|
||
Certain scans are intrusive and can trigger security alarms, so stick to **only
|
||
**
|
||
scanning networks or systems where you have permission. Unauthorized scanning
|
||
can be considered illegal under cybersecurity laws in many regions, and
|
||
companies
|
||
might view it as a hacking attempt.
|
||
|
||
Use Nmap extensively and wisely.
|
||
|
||
---
|
||
|
||
### Installation
|
||
|
||
Installation is straightforward, thoroughly explained on [nmap.org - install](https://nmap.org/book/install.html)
|
||
|
||
---
|
||
|
||
### The Basics
|
||
|
||
These are low-key scans that safe to use since they don’t do deep probing.
|
||
|
||
- **Ping Scan**:
|
||
A low-impact scan just to check if devices are online. Typically fine on
|
||
trusted networks.
|
||
- Scan a single device
|
||
```bash
|
||
nmap -sn 192.168.1.1
|
||
```
|
||
- Scan a range of devices
|
||
```bash
|
||
nmap -sn 192.168.1.1-100
|
||
```
|
||
- Scan a CIDR range of devices
|
||
```bash
|
||
nmap -sn 192.168.1.0/24 # Range 192.168.1.0 to 192.168.1.255
|
||
nmap -sn 192.168.0.0/16 # Range 192.168.0.0 to 192.168.255.255
|
||
nmap -sn 192.0.0.0/8 # Range 192.0.0.0 to 192.255.255.255
|
||
```
|
||
|
||
- **Fast Scan**:
|
||
Quickly checks the 100 most common ports. Great for a quick peek without
|
||
probing all 65,535 ports.
|
||
```bash
|
||
nmap -F 192.168.1.1
|
||
```
|
||
|
||
- **Operating System Detection**:
|
||
OS detection requires some extra probing, which might be detectable by
|
||
Intrusion Detection Systems (IDS).
|
||
```bash
|
||
nmap -O 192.168.1.1
|
||
```
|
||
|
||
- **Output to File**
|
||
Specific scanning and saving the output to a file, enables you to scan more
|
||
thorough without overloading your network.
|
||
- Plain text
|
||
```bash
|
||
nmap -oN output.txt 192.168.1.1
|
||
```
|
||
- XML, handy for using elsewhere
|
||
```bash
|
||
nmap -oX output.xml 192.168.1.1
|
||
```
|
||
|
||
---
|
||
|
||
### Moving Up: More Insightful Scans
|
||
|
||
These scans dig a bit deeper, so they may trigger alarms on security systems.
|
||
Use these only on networks where you have explicit permission to scan.
|
||
|
||
- **Service Version Detection**:
|
||
Tries to identify versions of services on open ports. Useful but more
|
||
invasive.
|
||
```bash
|
||
nmap -sV 192.168.1.1
|
||
```
|
||
|
||
- **Aggressive Scan**:
|
||
The aggressive scan mode (`-A`) combines multiple checks, like OS detection,
|
||
version detection and traceroute. This is likely to be flagged on
|
||
any network and can be considered illegal on networks you don’t own.
|
||
```bash
|
||
nmap -A 192.168.1.1
|
||
```
|
||
|
||
- **Scanning Specific Ports**:
|
||
Narrowing scans to specific ports is generally fine.
|
||
- Scan a specific port
|
||
```bash
|
||
nmap -p 80 192.168.1.1
|
||
```
|
||
- Scan a range of ports
|
||
```bash
|
||
nmap -p 1-100 192.168.1.1
|
||
```
|
||
|
||
---
|
||
|
||
### Advanced Scans: When You’re the Power User
|
||
|
||
So, you’re getting into the advanced stuff—maybe testing your own firewall or
|
||
finding rogue services.
|
||
The following scans are loud and intrusive that definitely trigger security
|
||
defenses.
|
||
|
||
- **Scripted Scans (NSE)**
|
||
Nmap’s script engine is like a toolbox of plugins. Need to check for a
|
||
specific vulnerability? There’s likely an NSE script for it.
|
||
```bash
|
||
nmap --script=http-vuln-cve2021-12345 192.168.1.1
|
||
```
|
||
|
||
- **Aggressive and fastest Scans**:
|
||
`-T5` turns up to knob to 11. `-A` scans all ports.
|
||
Use it sparse and only if you really need full visibility.
|
||
```bash
|
||
nmap -T5 -A 192.168.1.1
|
||
```
|
||
|
||
- **TCP and UDP Combined Scans**:
|
||
Combining TCP and UDP scans (`-sS` for SYN scans and `-sU` for UDP) gives
|
||
complete coverage but increases the scan’s footprint, making it detectable.
|
||
```bash
|
||
nmap -sS -sU 192.168.1.1
|
||
```
|
||
|
||
- **Spoofing and Decoy Scans**:
|
||
Using decoys (`-D`) or spoofed IP addresses to hide your real IP can be seen
|
||
as deceptive. These scans are easily flagged by IDS and could lead to legal
|
||
repercussions if you’re not authorized.
|
||
```bash
|
||
# 10 random IP decoys
|
||
nmap -D RND:10 192.168.1.1
|
||
```
|
||
|
||
---
|
||
|
||
### Practical Tips and Tricks
|
||
|
||
**Timing Templates**
|
||
Nmap has timing options from `-T0` (paranoid) to `-T5` (insane). Stick with
|
||
`-T2` or `-T3` for a good balance between speed and not making too much noise.
|
||
More
|
||
on [nmap - timing-templates](https://nmap.org/book/performance-timing-templates.html)
|
||
|
||
**Check Out Nmap’s Scripts**
|
||
NSE scripts make Nmap super versatile. From DNS enumeration to vulnerability
|
||
checks, there’s probably a script for whatever you need.
|
||
More on [nmap - Nmap Scripting Engine](https://nmap.org/book/man-nse.html)
|
||
|
||
**Use aggressive scans and decoys only on networks you own** or with formal
|
||
authorization, such as during a penetration test with client permission. If
|
||
you’re running scans at work, talk to the network admins first.
|
||
|
||
**Know When to Stop**
|
||
Once you’ve got the info you need, wrap it up. It’s easy to get scan-happy.
|
||
|
||
---
|
||
|
||
Happy scanning!
|