Nmap is a very powerful and flexible tool, and using it effectively is an important skill for any IT Security Professional or Network Administrator.
Please remember to use these examples for good purposes. I do not condone or recommend breaking the law or unethical practices.
The basic portscan
In its most basic form, nmap is really easy to use. If you have a target IP address and you want to know which common ports are open, here is the most basic nmap example. With no options, nmap first checks that the host is up and then scans the 1000 most commonly used TCP ports, which is why the output below reports 997 closed ports plus the 3 listed:
nmap 192.168.1.76
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-08-02 22:29 BST
Nmap scan report for lin-desktop.lan (192.168.1.76)
Host is up (0.000039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds
So, looking at the results, we can see that this system has FTP (port 21 TCP), SSH (port 22 TCP) and HTTP (port 80 TCP) all responding. A pretty straightforward nmap example.
Hidden hosts
Let's look at a system that does not want to play ball. This system has a built-in firewall and does not answer nmap's default host-discovery probes (an ICMP echo request plus TCP probes to ports 80 and 443), so nmap reports it as down and a default scan skips it entirely.
nmap 192.168.1.254
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-08-02 22:25 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.68 seconds
So we got no results in this example. If host discovery is skipped altogether, the scan proceeds and still yields good results, so this option is definitely worth bearing in mind. The option is -Pn, as nmap's own message above suggests; -P0 is the older spelling of the same option and still works in the nmap 5.x versions used here. Note that -Pn treats every address in the target range as up, so on a large range of unused addresses it will spend time port-scanning hosts that do not exist. It is most useful once you already know, or suspect, that a host is there.
nmap -P0 192.168.1.254
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-08-02 22:25 BST
Nmap scan report for dsldevice.lan (192.168.1.254)
Host is up (0.0085s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
1723/tcp open pptp
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
Scanning a certain port across multiple machines
What if you wanted to scan the same port on several systems? In this example we scan every address from 192.168.1.1 to 192.168.1.254 for port 80:
nmap -p 80 192.168.1.1-254
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-10 17:23 UTC
Nmap scan report for laptop.lan (192.168.1.65)
Host is up (0.00013s latency).
PORT STATE SERVICE
80/tcp open http
Nmap scan report for desktop.lan (192.168.1.66)
Host is up (0.021s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 70:1A:04:AC:BD:FC (Liteon Tech)
Nmap done: 254 IP addresses (2 hosts up) scanned in 5.30 seconds
We detected 2 hosts here. Notice the difference when we include the -P0 option: host discovery is skipped, so the router at 192.168.1.254, which ignores the discovery probes, is now scanned as well and turns out to have port 80 open:
nmap -P0 -p 80 192.168.1.1-254
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-10 17:25 UTC
Nmap scan report for laptop.lan (192.168.1.65)
Host is up (0.00013s latency).
PORT STATE SERVICE
80/tcp open http
Nmap scan report for desktop.lan (192.168.1.66)
Host is up (0.021s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 70:1A:04:AC:BD:FC (Liteon Tech)
Nmap scan report for dsldevice.lan (192.168.1.254)
Host is up (0.033s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)
Nmap done: 254 IP addresses (3 hosts up) scanned in 5.47 seconds
Banner grabbing and versioning
nmap can grab banners and send service-specific probes to identify the versions of services running, using the -sV option. This shows us which services are running and their versions, in the VERSION column of the output. Version detection is considerably slower than a plain port scan (about 49 seconds here against 14 for the same host above), and the result is only as trustworthy as the banner the service chooses to present, so treat it as a strong hint rather than proof:
nmap -P0 -sV 192.168.1.254
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-10 17:34 UTC
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 17:35 (0:00:10 remaining)
Nmap scan report for dsldevice.lan (192.168.1.254)
Host is up (0.0035s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Alcatel Speedtouch aDSL router ftpd
23/tcp open telnet Alcatel/Thomson SpeedTouch DSL router admin interface
80/tcp open http Alcatel/Thomson SpeedTouch aDSL http config 1.0
443/tcp open ssl/http Alcatel/Thomson SpeedTouch aDSL http config 1.0
1723/tcp open pptp THOMSON (Firmware: 1)
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)
Service Info: Host: SpeedTouch; Device: broadband router
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.83 seconds
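Both the single-port sweep across the whole range and the -sV scan produce output that gets tedious to read by eye once more than a handful of hosts are involved. The following shell script is an added example, not code from the original post: it parses nmap's grepable output format (the -oG option, with "-" as the file name to write it to stdout) into one host/port/state/service/version row per port, and answers the two questions those sections raise, which hosts have a given port in a given state and which open ports had a version detected. The sample output embedded in sample_grepable is constructed by hand to resemble a `nmap -Pn -sV -p 21,23,80 -oG - 192.168.1.65-254` run against the hosts in this post; the Apache version string and the simplified SpeedTouch strings are assumptions, not real scan results.

```shell
#!/bin/sh
# Added example, not from the original post: turn nmap grepable output (-oG)
# into one row per port so multi-host sweeps and -sV results can be filtered.
#
# Grepable output puts each host on one "Host:" line with tab-separated
# fields; the "Ports:" field lists entries of the form
#   port/state/protocol/owner/service/rpcinfo/version/
# separated by ", ".

# Constructed sample (NOT a real scan): what `nmap -Pn -sV -p 21,23,80 -oG -
# 192.168.1.65-254` might emit for the hosts in this post. The version
# strings are assumed/simplified for the example.
sample_grepable() {
    printf '%s\n' '# Nmap 5.35DC1 scan initiated Sun Oct 10 17:34:00 2010 as: nmap -Pn -sV -p 21,23,80 -oG - 192.168.1.65-254'
    printf 'Host: %s\tPorts: %s\n' \
        '192.168.1.65 (laptop.lan)' \
        '21/closed/tcp//ftp///, 23/closed/tcp//telnet///, 80/open/tcp//http//Apache httpd 2.2.14/' \
        '192.168.1.66 (desktop.lan)' \
        '21/filtered/tcp//ftp///, 23/filtered/tcp//telnet///, 80/filtered/tcp//http///' \
        '192.168.1.254 (dsldevice.lan)' \
        '21/open/tcp//ftp//Alcatel Speedtouch aDSL router ftpd/, 23/open/tcp//telnet//SpeedTouch DSL router admin interface/, 80/open/tcp//http//SpeedTouch aDSL http config 1.0/'
    printf '%s\n' '# Nmap done at Sun Oct 10 17:34:49 2010 -- 190 IP addresses (3 hosts up) scanned in 48.83 seconds'
}

# stdin: grepable output. stdout: tab-separated "ip port/proto state service version".
grepable_ports() {
    awk -F'\t' 'BEGIN { OFS = "\t" }
    /^Host:/ {
        split($1, h, " "); ip = h[2]          # "Host: 1.2.3.4 (name)" -> 1.2.3.4
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue    # skip "Ignored State:" and similar fields
            sub(/^Ports: /, "", $i)
            n = split($i, entry, /, /)
            for (j = 1; j <= n; j++) {
                # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                split(entry[j], f, "/")
                print ip, f[1] "/" f[3], f[2], f[5], f[7]
            }
        }
    }'
}

# IPs on which TCP port $1 is in state $2 (open, closed or filtered).
hosts_with_port() {
    grepable_ports | awk -F'\t' -v p="$1/tcp" -v s="$2" '$2 == p && $3 == s { print $1 }'
}

# "ip port/proto service version" for every open port with a detected version.
detected_versions() {
    grepable_ports | awk -F'\t' '$3 == "open" && $5 != "" { print $1, $2, $4, $5 }'
}

# Against a live scan, replace sample_grepable with nmap itself, e.g.
#   nmap -Pn -sV -p 21,23,80 -oG - 192.168.1.1-254 | hosts_with_port 80 open
if [ -n "${NMAP_PARSE_DEMO:-}" ]; then
    echo '== hosts with 80/tcp open ==';     sample_grepable | hosts_with_port 80 open
    echo '== hosts with 80/tcp filtered =='; sample_grepable | hosts_with_port 80 filtered
    echo '== detected versions ==';          sample_grepable | detected_versions
fi
```

Run it with `NMAP_PARSE_DEMO=1 sh parse-grepable.sh` to see the sample parsed, or source the file and pipe a real `-oG -` scan into hosts_with_port or detected_versions. The grepable format is the easiest to filter from a shell, but it is flattened and lossy; for anything you intend to keep or feed into other tools, save the XML output (-oX) alongside it.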
OS detection
The -O option can be used to identify operating system versions from various signature patterns in the target's TCP/IP responses; it needs raw packet access, so run it as root. The OS guesses appear in the Running and OS details lines below. Note the warning in this output: nmap's fingerprinting works best when it has at least one open and one closed port to probe, and with no closed port available (every non-open port here is filtered) the guess is less reliable, which is why it spans several Windows versions rather than naming one:
nmap -O 192.168.1.66
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-10 17:39 UTC
Nmap scan report for desktop.lan (192.168.1.66)
Host is up (0.0074s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
5357/tcp open unknown
10243/tcp open unknown
49156/tcp open unknown
MAC Address: 70:1A:04:AC:BD:FC (Liteon Tech)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS details: Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.23 seconds
zenmap
If you are new to network scanning, then you may want to start getting familiar with nmap by using Zenmap. Zenmap is a graphical tool which can be used to drive nmap, with various preconfigured scans and some other graphical features, such as a network topology view, which can help you to visualise a network.
This tool can help you to quickly get familiar with various nmap command line options, and save your scans for later analysis.
More details and downloads are available at the following location:
http://nmap.org/download.html