Nmap
What is NMAP
- Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
- Nmap features include:
  - Host discovery
  - Port scanning
  - Version detection
  - OS detection
  - Scriptable interaction with the target
- Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
- Typical uses of Nmap:
  - Auditing the security of a device or firewall by identifying the network connections which can be made to, or through, it.
  - Identifying open ports on a target host in preparation for auditing.
  - Network inventory, network mapping, maintenance and asset management.
  - Auditing the security of a network by identifying new servers.
  - Generating traffic to hosts on a network, response analysis and response time measurement.
  - Finding and exploiting vulnerabilities in a network.
Port Options
- -F: Scan the 100 most popular ports
- -p20-2000: Port range
- -p54,80,443,...: Port list
- -pU:53,U:110,T:20-445: Mix TCP and UDP ports
- -r: Scan ports linearly (do not randomize port order)
- --top-ports <n>: Scan the n most popular ports
- -p-: Scan ports 1-65535
Scripting
- Script Categories
  - auth: Utilize credentials or bypass authentication on target hosts.
  - broadcast: Discover hosts not included on the command line by broadcasting on the local network.
  - brute: Attempt to guess passwords on target systems, for a variety of protocols, including HTTP, SNMP, IAX, MySQL, VNC, etc.
  - default: Scripts run automatically when -sC or -A are used.
  - discovery: Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
  - dos: May cause denial of service conditions in target hosts.
  - exploit: Attempt to exploit target systems.
  - external: Interact with third-party systems not included in the target list.
  - fuzzer: Send unexpected input in network protocol fields.
  - intrusive: May crash the target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
  - malware: Look for signs of malware infection on the target hosts.
  - safe: Designed not to impact the target in a negative fashion.
  - version: Measure the version of software or protocol spoken by target hosts.
  - vuln: Measure whether target systems have a known vulnerability.
- Scripting Engine
  - -sC: Run default scripts
  - --script=<ScriptName>|<ScriptCategory>|<ScriptDir>...: Run individual scripts or groups of scripts
  - --script-args=<Name1=Value1,...>: Pass the listed arguments to the scripts
  - --script-updatedb: Update the script database
- Famous Scripts
- A full list of Nmap Scripting Engine scripts is available at:
https://nmap.org/nsedoc/
- Some particularly useful scripts include:
dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.
$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>
http-robots.txt: Harvests robots.txt files from discovered web servers.
$ nmap --script http-robots.txt <hosts>
smb-brute: Attempts to determine valid username and password combinations via automated guessing.
$ nmap --script smb-brute.nse -p445 <hosts>
smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as script arguments.
$ nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>
Probing Options
- -Pn: Don't probe (assume all hosts are up)
- -PB: Default probe (TCP 80, 445 and ICMP)
- -PS<portlist>: Check whether targets are up by probing TCP ports
- -PE: Use ICMP Echo Request
- -PP: Use ICMP Timestamp Request
- -PM: Use ICMP Netmask Request
Scan Types
- -sP: Probe only (host discovery, no port scan)
- -sS: SYN scan
- -sT: TCP connect scan
- -sU: UDP scan
- -sV: Version scan
- -O: OS detection
- --max-os-tries: Set the maximum number of OS detection tries against a target
- --scanflags: Set a custom list of TCP flags, written as any combination of URG, ACK, PSH, RST, SYN, FIN in any order (e.g. URGACKPSHRSTSYNFIN)
Fine-Grained Timing Options
- --min-hostgroup/--max-hostgroup <size>: Parallel host scan group sizes
- --min-parallelism/--max-parallelism <numprobes>: Probe parallelization
- --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>: Probe round-trip time timeouts
Aggregate Timing Options
- -T0 Paranoid: Very slow, used for IDS evasion
- -T1 Sneaky: Quite slow, used for IDS evasion
- -T2 Polite: Slows down to consume less bandwidth; runs about 10 times slower than default
- -T3 Normal: Default, a dynamic timing model based on target responsiveness
- -T4 Aggressive: Assumes a fast and reliable network and may overwhelm targets
- -T5 Insane: Very aggressive; will likely overwhelm targets or miss open ports
Output Formats
- -oN: Standard Nmap output
- -oG: Greppable format
- -oX: XML format
- -oA <basename>: Generate Nmap, greppable, and XML output files, using basename for the file names
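The greppable (-oG) format above is the one most often fed into scripts. As an added example that is not part of the original page, this Python parser turns -oG "Ports:" lines into records and compares two scans to find newly opened ports, which is the check behind the "identifying new servers" inventory use case; the sample scan text is constructed, not real output.

```python
import re
from dataclasses import dataclass

# Constructed sample of Nmap greppable (-oG) output; not output of a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.0/30
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.2 ()\tStatus: Down
# Nmap done at ... -- 2 IP addresses (1 host up) scanned
"""

@dataclass(frozen=True)
class PortRecord:
    host: str      # IP address
    hostname: str  # reverse-DNS name, empty if none
    port: int
    proto: str     # tcp/udp/sctp
    state: str     # open/closed/filtered/...
    service: str
    version: str   # only filled in when -sV was used

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_gnmap(text):
    """Return one PortRecord per entry in each -oG 'Ports:' line.
    Each entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version/"""
    records = []
    for line in text.splitlines():
        if line.startswith("#"):            # header/footer comment lines
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = HOST_RE.match(line)
        if not m or "Ports" not in fields:  # 'Status:' lines carry no ports
            continue
        ip, hostname = m.group(1), m.group(2)
        for entry in fields["Ports"].split(", "):
            p = entry.split("/")
            if len(p) < 7:
                continue
            records.append(PortRecord(ip, hostname, int(p[0]), p[2], p[1], p[4], p[6]))
    return records

def open_ports(records):
    """Filter to ports Nmap reported as open."""
    return [r for r in records if r.state == "open"]

def new_open_ports(baseline, current):
    """(ip, proto, port) triples open in the current scan but not in the baseline."""
    seen = {(r.host, r.proto, r.port) for r in open_ports(baseline)}
    return sorted((r.host, r.proto, r.port) for r in open_ports(current)
                  if (r.host, r.proto, r.port) not in seen)
```

Run the same parser over the -oG file from today's scan and yesterday's to get a list of ports that opened in between.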
Misc Options
- -n: Disable reverse DNS lookups of IP addresses
- -6: Use IPv6 only
- -A: Enable several features at once: OS detection, version detection, script scanning (default scripts), and traceroute
- --reason: Display the reason Nmap thinks a port is open, closed, or filtered
- -v: Increase verbosity level
- -d (1-9): Set debugging level
- --packet-trace: Trace packets
- Runtime interaction keys (pressed while a scan is running):
  - v/V: increase/decrease verbosity level
  - d/D: increase/decrease debugging level
  - p/P: turn packet tracing on/off
Host discovery
- -PS n: TCP SYN ping
- -PA n: TCP ACK ping
- -PU n: UDP ping
- -PM: netmask request
- -PP: timestamp request
- -PE: echo request
- -sL: list scan
- -PO: protocol ping
- -PN: no ping
- -n: no DNS resolution
- -R: DNS resolution for all targets
- --traceroute: trace path to host (for topology map)
- -sP: ping scan, same as -PP -PM -PS443 -PA80
Port scanning techniques
- -sS: TCP SYN scan
- -sT: TCP connect scan
- -sU: UDP scan
- -sY: SCTP INIT scan
- -sZ: SCTP COOKIE ECHO scan
- -sO: IP protocol scan
- -sW: TCP window scan
- -sN: TCP null scan
- -sF: TCP FIN scan
- -sX: TCP Xmas scan
- -sA: TCP ACK scan
Firewall/IDS evasion
- -f: fragment packets
- -D d1,d2: cloak the scan with decoys
- -S ip: spoof the source address
- -g port: spoof the source port
- --randomize-hosts: randomize target host order
- --spoof-mac mac: change the source MAC address
Examples
- Nmap command usage
nmap [Scan Types] [Options] {target specification}
- Quick scan
nmap -T4 -F 192.168.1.1
- Fast scan (port 80)
nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80 192.168.1.1
- Ping scan
nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4 192.168.1.1
- Slow comprehensive
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all 192.168.1.1
- Quick traceroute
nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute 192.168.1.1
- Scan a System with Hostname and IP Address
nmap server.ubuntu.com
nmap 192.168.1.101
- Scan Multiple Hosts
nmap 192.168.1.*
nmap 192.168.1.101 192.168.1.102 192.168.1.103
nmap 192.168.1.101,102,103
- Getting more details
nmap -v server.ubuntu.com
- Scan list of Hosts from a File
nmap -iL nmaptest.txt
- Scan OS & version detection, script scanning and traceroute
nmap -A 192.168.1.1
- Enable OS Detection with Nmap
nmap -O 192.168.1.1
- Find Host Services version Numbers
nmap -sV 192.168.1.1
- Scan remote hosts using TCP Syn (ICMP Blocked)
nmap -PS 192.168.1.1
- Scan Remote host for specific ports with TCP Syn
nmap -PS -p 22,80 192.168.1.1
- Scan Remote host for specific ports with TCP ACK (ICMP Blocked)
nmap -PA -p 22,80 192.168.1.1
- Perform a stealthy Scan
nmap -sS 192.168.1.1
- Check most commonly used Ports with TCP Syn
nmap -sT 192.168.1.1
- Perform a tcp null scan to fool a firewall
nmap -sN 192.168.1.1
- List all the cipher suites offered by a TLS server
nmap --script ssl-enum-ciphers -p 443 192.168.1.1