Introduction
Nmap Scanning A Step by Step Guide For Beginners: Nmap, also known as Network Mapper, is a free and open-source tool that helps with network exploration, management, and security auditing. It is a versatile network scanner that can identify hosts and services on a computer network, and it can also be used to identify security vulnerabilities on a network. In this article, we will discuss the different steps involved in Nmap scanning, target specification, host discovery, port specification and scan order, service version detection, script scan, OS detection and output. We will also provide command examples for each step.
Some common options used with Nmap:-
-v (verbose) / -vv (double verbose): Provides more detailed output during the scan, such as the target being scanned, the status of each port, and any errors that occur.
-p (port specification): This option allows you to specify which ports to scan, using a comma-separated list or a range of ports.
-sS (TCP SYN scan): This is the default scan type in Nmap, and it sends SYN packets to the target’s ports to determine if they are open or not.
-sT (TCP connect scan): This scan type uses a full TCP connection to determine if the target’s ports are open or not.
-sU (UDP scan): This scan type sends UDP packets to the target’s ports to determine if they are open or not.
-A (OS detection and version detection): This option enables version detection, OS detection, script scanning, and traceroute all in one command.
-O (OS detection): This option enables operating system detection of the target.
–script (script scanning): This option allows you to run scripts against the target, such as vulnerability scanners or brute force attacks.
-iL (input file): This option allows you to specify a file containing a list of targets to scan.
-oA (output file): This option allows you to specify an output file for the scan results, which can be in several formats, including XML, grepable, and normal.
Target Specification…
Target specification is a crucial step in using Nmap. It specifies the target hosts, networks, or IP addresses that you want to scan. This can be done in a variety of ways, including specifying individual IP addresses, CIDR notation for IP address ranges, or hostnames. Nmap also supports various target list formats, such as a file containing a list of hosts, or input from standard input.
Here are some common options for target specification:
- Hostnames or IP Addresses.
One of the simplest ways to specify the target is by providing the hostname or IP address of the host. For example:-
nmap -v scanme.nmap.org
nmap -v 192.168.1.1
- CIDR Notation.
CIDR (Classless Inter-Domain Routing) notation allows specifying a range of IP addresses using a prefix length. For example:-
nmap -v -p 80,443 example.com/24
nmap -v 192.168.1.1/24
nmap 192.168.1.1/24
- IP Range.
We can also specify a range of IP addresses using hyphen notation. For example, to scan all IP addresses between 192.168.0.1 to 192.168.0.254, we can use the following command:
nmap 192.168.0.1–254
nmap 10.0.0–255.1–254
- Input from List of Hosts/Networks.
The “-iL” option allows the user to read a list of hosts and networks from a file. For example, let’s say we have a file named “targets.txt,” which contains a list of hosts and networks. We can use the following command to scan those targets:
nmap -v -iL targets.txt
nmap -iL targets.txt
- Choose Random Targets.
The “-iR” option allows the user to choose random targets. For example:
nmap -iR 3
nmap -v -p 80,443,22,21,445 -iR 3
- Exclude Hosts/Networks.
The “ — exclude” option allows the user to exclude specific hosts and networks from the scan. For example, to exclude hosts “192.168.0.1” and “192.168.0.2” from the scan, we can use the following command:
nmap 192.168.0.0/24 –exclude 192.168.0.1,192.168.0.2
- Exclude List from File.
The “ — excludefile” option allows the user to exclude a list of hosts and networks from a file. For example, let’s say we have a file named “exclude.txt,” which contains a list of hosts and networks to exclude. We can use the following command to exclude those targets from the scan:
nmap 192.168.0.0/24 –excludefile exclude.txt
Host Discovery…
Host discovery is essential in conducting a network scan, whether for internal or external penetration testing. This process involves identifying which hosts are active and running on a network, as well as determining their IP addresses and other critical information. Several methods and Nmap commands can be used for host discovery, depending on the type of test being conducted.
For internal penetration testing, the following Nmap TECHNIQUES can be used for host discovery:
ARP Scan
ICMP Scan
TCP (SYN/ACK) Scan
UDP Scan
An ARP scan sends ARP packets to determine which hosts are active on the network. An ICMP scan sends ICMP packets to determine which hosts are up and running, while a TCP SYN/ACK scan sends TCP SYN/ACK packets to identify hosts that are listening on specific ports. A UDP scan sends UDP packets to determine which hosts are accepting UDP traffic.
For external penetration testing, the following Nmap TECHNIQUES can be used for host discovery:
ICMP Scan
TCP (SYN/ACK) Scan
UDP Scan
In addition to these commands, other Nmap options can be used for host discovery, including:
- List Scan (-sL)
The list scan is a method for listing all hosts on a network without actually scanning them. This method can be useful for generating a list of targets for further scanning. To perform a list scan, use the following command:
nmap -sL 192.168.0.0/24
- Ping Scan (-sn)
This option is used to disable port scanning and perform a ping scan. If the scan is run on a LAN, it uses the ARP protocol. If it is run in an external pentest, it uses the default ICMP protocol. If ICMP does not respond, it sends TCP SYN packets on ports 80 and 443.
nmap -sn 192.168.0.0/24
- Never do DNS resolution (-n)
This option is used to disable DNS resolution. By default, Ping Scan performs DNS resolution to determine the hostname of the target host. However, in some cases, DNS resolution can slow down the scanning process, and the -n flag can be used to disable it.
Example:
nmap -n 192.168.1.1
nmap -n 192.168.1.1/24
nmap -n example.com
- Treat all hosts as online skip host discovery (-Pn)
This option is used to skip host discovery and treat all hosts as online. When this flag is used, nmap assumes that all the hosts are up and running and it directly scans the targeted ports.
nmap -v -Pn 192.168.1.1/24
nmap -Pn 192.168.1.1
nmap -Pn example.com
- TCP SYN/ACK, UDP or SCTP discovery to given ports (-PS/PA/PU/PY[portlist])
These options specify the type of probe to use for host discovery. They send TCP SYN/ACK, UDP, or SCTP packets to the specified ports to determine which hosts are up.
nmap -v -sn -PS 192.168.1.1/24
nmap -v -sn -PA 192.168.1.1/24
nmap -sn -PU 192.168.1.1/24
- ICMP echo, timestamp, and netmask request discovery probes (-PE/PP/PM)
These options specify the type of ICMP probe to use for host discovery. They send ICMP echo, timestamp, or netmask request packets to determine which hosts are up. To use this option, use the following command:
For ICMP echo:- nmap -v -sn -PE 192.168.1.1/24
For ICMP timestamp:- nmap -v -sn -PP 192.168.1.1/24
For ICMP Mask:- nmap -sn -PM 192.168.1.1/24
- Specify custom DNS servers ( dns-servers )
This option allows you to specify custom DNS servers to use for DNS resolution.
Example: nmap –dns-servers 8.8.8.8 192.168.1.1
- — system-dns:
This option tells Nmap to use the OS’s DNS resolver for DNS resolution.
Example: nmap –system-dns 192.168.1.1
9 — traceroute:
This option performs a traceroute to each host to determine the path between the scanning host and the target host.
Example: nmap –traceroute 192.168.1.1
Port Specification And Scan Order…
By default, Nmap scans the 1000 most common ports used by various services and applications. Port specification and scan order refer to the process of specifying which ports to scan during network reconnaissance. This is important for effective scanning as it allows you to exclude unnecessary ports and prioritize the scan based on the frequency of usage. Nmap provides several options for port specification and scan order to customize your scans based on your specific needs.
Here are some common options for port specification and scan order:
- -p :
This option allows you to specify which ports to scan. You can use a comma-separated list of individual ports, a range of ports separated by a hyphen, or a combination of both. For example:
nmap -v -p0–65535 192.168.1.1
nmap -v -p 22 192.168.1.1
nmap -Pn 192.168.1.1/24
nmap -v -p T:80,443,U:53,111 192.168.1.1
nmap -v -p- example.com
- — exclude-ports :
This option allows you to exclude certain ports from the scan. You can use the same syntax as with the -p option to specify the ports to exclude.
nmap -v –exclude-ports 80 example.com
nmap -v –exclude-ports 100–400 192.168.1.1/24
nmap –exclude-ports 1–1000,3389–3390
- -F:
This option enables “fast” mode, which scans a smaller set of ports than the default scan. By default, Nmap scans the 1000 most common TCP ports, but with the -F option it will scan only the 100 most common ports.
nmap -F 192.168.1.1
nmap -v -F 192.168.1.1
- -r:
This option tells Nmap to scan the ports in sequential order instead of randomizing the order. This can be useful in certain situations, such as when scanning slow or unreliable networks.
nmap -r -p- 192.168.1.1–10
nmap -v -r -F example.com
- — top-ports :
This option specifies the number of most common ports to scan.
nmap –top-ports 100 192.168.1.1/24
nmap –top-ports 100 example.com
Scan Techniques…
Scan techniques refer to the different methods used by a network scanner to discover and gather information about hosts, networks, and services. Nmap, one of the most popular network scanners, offers a wide range of scan techniques that can be used for various purposes, including network mapping, vulnerability assessment, and penetration testing.
Here are some common options for scan techniques:
- SYN Scan (-sS)
This is the most popular and widely used scan technique in Nmap. It sends an SYN packet to the target host and waits for a response. If the target responds with an SYN/ACK packet, it indicates that the port is open, and if it responds with an RST packet, it indicates that the port is closed. This scan technique is also known as a half-open scan because it does not complete the TCP three-way handshake. The SYN scan is fast and stealthy, making it an ideal scan technique for mapping large networks.
nmap -sS -p- 192.168.1.1/24
nmap -v -sS -p 21,22,25,80,443 example.com
nmap -v -Pn -sS example.com/24
- Connect Scan (-sT)
This is a full TCP connection scan that completes the full TCP three-way handshake. This scan technique is slower than the SYN scan and is easily detectable by intrusion detection systems and firewalls. The Connect scan is useful for detecting the presence of certain types of firewalls that block SYN packets.
nmap -v -sT -p- 192.168.1.1/24
nmap -v -sT -p 1-100 example.com
nmap -v -sT example.com/24
nmap -v -sT -p 80,443,22,21,25,445,69,53 example.com
- ACK Scan (-sA)
This scan technique sends an ACK packet to the target host and waits for a response. If the target responds with an RST packet, it indicates that the port is unfiltered, and if it does not respond at all, it indicates that the port is filtered by a firewall. The ACK scan helps detect the presence of stateless packet-filtering firewalls.
nmap -v -sA -p- 192.168.1.1/24
nmap -v -sA -Pn example.com
nmap -v -sA example.com/24
- Window Scan (-sW)
This scan technique sends a packet with a window size of zero to the target host and waits for a response. If the target responds with an RST packet, it indicates that the port is closed, and if it responds with an SYN/ACK packet, it means that the port is open. The Window scan helps detect the presence of certain types of firewalls that block specific types of packets.
nmap -sW 192.168.1.1/24
nmap -v -sW example.com
nmap -v -sW example.com/24
- Maimon Scan (-sM)
This scan technique is similar to the Window scan, but it sends a packet with the URG flag set instead of a window size of zero. The Maimon scan helps detect the presence of certain types of firewalls that block Window scan packets.
nmap -sM 192.168.1.1/24
nmap -v -sM example.com
nmap -v -sM example.com/24
- Customize TCP scan flags (–scanflags )
Customizing TCP scan flags allows for the manipulation and set of TCP flags during a network scan to achieve specific scanning objectives. TCP flags control the state of a TCP connection, and altering them can result in tailored scans that reveal information about the target system, including open ports, service versions, and operating system information.
nmap -Pn -v –scanflags SYN -p 80,443 example.com
nmap -Pn -v –scanflags SYN -p 80,443 example.com
- UDP Scan (-sU)
The “-sU” option in nmap stands for UDP scan. This allows the user to scan for open UDP ports on a target system. Unlike TCP, which uses a three-way handshake to establish a connection, UDP is a connectionless protocol that does not require a handshake to establish a connection. This makes UDP scan more challenging, as the scanner must send a UDP packet to each port and wait for a response.
nmap -sU 192.168.1.1
nmap -v sU example.com
- Idle Scan (-sI)
The “-sI” option in nmap stands for the idle scan. This technique allows the user to perform a stealthy scan by using a “zombie” host that is already trusted by the target system. The idle scan involves sending a series of packets to the zombie host, which in turn sends packets to the target system. By analyzing the sequence numbers of the packets, nmap can determine which ports are open on the target system without being detected.
Syntex:- nmap -sI zombie_host target_host
- FTP bounce scan (-b)
The “-b” option in nmap stands for FTP bounce scan. This technique involves using an FTP server as a proxy to scan a target system. The scanner sends a PORT command to the FTP server, which causes the server to connect to the target system and send the scan results back to the scanner. This technique can be useful for bypassing firewalls and other security measures that block direct scans, but it is also considered a security risk and is not commonly used.
Syntex:- nmap -b ftp_server target_host
TCP Null, FIN, and Xmas Scans:
- A TCP Null scan is a type of scan in which an attacker sends a packet with no flags set (i.e., null) to the target system’s ports. If the port is open, the target system will not respond to the packet, while if the port is closed, the target system will send a TCP RST (reset) packet in response.
nmap -v -sN -p 80,443 192.168.1.1
nmap -v -sN -p 80,443 example.com
nmap -v -Pn -sN example.com
- A TCP FIN scan is a type of scan in which an attacker sends a packet with the FIN flag set to the target system’s ports. If the port is open, the target system will not respond to the packet, while if the port is closed, the target system will send a TCP RST (reset) packet in response.
nmap -v -sF -p- 192.168.1.1
nmap -v -sF -p 80,443 example.com
- An Xmas scan is a type of scan in which an attacker sends a packet with the FIN, PSH, and URG flags set (i.e., “lit up like a Christmas tree”) to the target system’s ports. If the port is open, the target system will not respond to the packet, while if the port is closed, the target system will send a TCP RST (reset) packet in response.
nmap -v -sX -p 80,443 192.168.1.1
nmap -v -sX -p 80,443 example.com
OUTPUT…
The Nmap output is presented in a human-readable format that can be easily understood by network administrators and security analysts. The output can be customized to display specific details, and Nmap supports various output formats, including plain text, XML, and HTML.
Here are some common options for output:
-oN/-oX/-oS/-oG Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
One of the most basic and important options in Nmap is the output option. By default, Nmap will display the results of the scan on the screen, but you can also save the results to a file using one of the output options.
The -oN option can be used to save the results in normal format to a file. This format is human-readable and easy to understand.
nmap –top-ports 100 192.168.1.1/24 -oN scan-results.txt
nmap –top-ports 100 example.com -oN scan-results.txt
nmap -sn -PU 192.168.1.1/24 -oN scan-results.txt
nmap -v -p0–65535 192.168.1.1 -oN scan-results.txt
nmap -v -p T:80,443,U:53,111 192.168.1.1 -oN scan-results.txt
The -oX option can be used to save the results in XML format to a file. This format is machine-readable and can be easily processed by other tools.
nmap –top-ports 100 192.168.1.1/24 -oX scan-results.xml
nmap –top-ports 100 example.com -oX scan-results.xml
nmap -sn -PU 192.168.1.1/24 -oX scan-results.xml
nmap -v -p0–65535 192.168.1.1 -oX scan-results.xml
nmap -v -p T:80,443,U:53,111 192.168.1.1 -oX scan-results.xml
The -oS option can be used to save the results in s|<rIpt kIddi3 format to a file. This format is similar to the normal format, but it is designed to be easily parsed by scripts.
nmap –top-ports 100 192.168.1.1/24 -oS scan-results.txt
nmap –top-ports 100 example.com -oS scan-results.txt
nmap -sn -PU 192.168.1.1/24 -oS scan-results.txt
nmap -v -p0–65535 192.168.1.1 -oS scan-results.txt
nmap -v -p T:80,443,U:53,111 192.168.1.1 -oS scan-results.txt
The -oG option can be used to save the results in Grepable format to a file. This format is designed to be easily parsed by Unix tools like grep and awk.
nmap –top-ports 100 192.168.1.1/24 -oG scan-results.txt
nmap –top-ports 100 example.com -oG scan-results.txt
nmap -sn -PU 192.168.1.1/24 -oG scan-results.txt
nmap -v -p0–65535 192.168.1.1 -oG scan-results.txt
nmap -v -p T:80,443,U:53,111 192.168.1.1 -oG scan-results.txt
- -oA
The -oA option can be used to save the results in all three major formats (normal, XML, and Grepable) at once. This can be useful if you want to have multiple copies of the results in different formats, or if you want to compare the results from different formats.
nmap — top-ports 100 192.168.1.1/24 -oA
nmap — top-ports 100 example.com -oA
nmap -sn -PU 192.168.1.1/24 -oA
nmap -v -p0–65535 192.168.1.1 -oA
nmap -v -p T:80,443,U:53,111 192.168.1.1 -oA
- -v: Increase verbosity level (use -vv or more for greater effect)
The -v option can be used to increase the verbosity level of Nmap. By default, Nmap will only display basic information about the scan, but with the -v option, you can get more detailed information about the scan.
You can use the -v option multiple times to increase the verbosity level even further. For example, the -vv option will display even more detailed information than the -v option.
- -d: Increase debugging level (use -dd or more for greater effect)
The -d option can be used to increase the debugging level of Nmap. This can be useful if you are trying to troubleshoot a problem with Nmap or if you want to get even more detailed information about the scan.
Like the -v option, you can use the -d option multiple times to increase the debugging level even further. For example, the -dd option will display even more detailed information than the -d option.
- –reason: Display the reason a port is in a particular state
The –reason option can be used to display the reason why a port is in a particular state. For example, if a port is shown as open, the –reaso option can be used to display why Nmap believes the port is open.
This can be useful for understanding why certain ports are open or closed and for troubleshooting problems with the scan.
nmap –top-ports 100 192.168.1.1/24 –reason
nmap –top-ports 100 example.com –reason
nmap -sn -PU 192.168.1.1/24 –reason
nmap -v -p0–65535 192.168.1.1 –reason
nmap -v -p T:80,443,U:53,111 192.168.1.1 –reason
Service Version Detection…
The Service Version Detection feature in Nmap is a powerful tool for identifying the services and versions running on open ports of the target system. This information is useful for identifying vulnerabilities and weaknesses in the target system, which can be used to improve its security posture. By using Nmap’s service/version detection feature, you can gain valuable insights into the target system and make informed decisions regarding its security.
To use the service/version detection feature, you need to specify the ‘-sV’ option along with the TCP Connect Scan. The ‘-sV’ option probes the open ports to determine the service and version information. Additionally, you can use the following options to control the intensity of the version detection:
- Basic Service Version Detection.
nmap -sV 192.168.1.1
This command will scan the IP address 192.168.1.1 and attempt to determine the service and version information running on the open ports.
- Set Version Intensity
nmap -sV –version-intensity 5 192.168.1.1
nmap -v -n -sV — version-intensity 5 192.168.1.1
nmap -v -n -sT -sV –version-intensity 5 192.168.1.0/24
This command will scan the IP address 192.168.1.1 and set the version detection intensity level to 5.
- Use Version Light
nmap -sV –version-light 192.168.1.1
This command will scan the IP address 192.168.1.1 and limit the version detection to the most likely probes with intensity level 2.
- Use Version All
nmap -sV –version-all 192.168.1.1
This command will scan the IP address 192.168.1.1 and perform every possible version detection probe with an intensity level of 9.
OS Detection…
Nmap’s OS detection feature is a powerful tool for determining the operating system running on the target system. This information is useful for identifying vulnerabilities specific to the operating system and optimizing attacks against the target system. By using Nmap’s OS detection feature, you can gain valuable insights into the target system and make informed decisions regarding its security. However, it is important to note that the OS detection feature is not always accurate and should be used in conjunction with other tools and techniques to confirm the operating system.
Here are some examples of using Nmap’s OS detection feature:
- Basic OS Detection
nmap -O 192.168.1.1
nmap -vv -sT -O -p- 192.168.1.1/24
nmap -v -O example.com -oA
- Limit OS Detection
nmap -O –osscan-limit 192.168.1.0/24
This command will scan the network 192.168.1.0/24 and limit OS detection to promising targets. This option is useful when scanning a large number of systems, and you want to reduce the scan time by skipping the OS detection on systems that are unlikely to return useful results.
- Aggressive OS Detection
nmap -O –osscan-guess 192.168.1.1
This command will scan the IP address 192.168.1.1 and guess the operating system more aggressively. This option is useful when the target system’s operating system is hidden or deliberately obfuscated.
- Advanced OS Detection
nmap -A 192.168.1.1
This command will enable OS detection, version detection, script scanning, and traceroute for the IP address 192.168.1.1. This is useful when performing a comprehensive scan of the target system.
Script Scan…
Nmap Script Scan is a powerful feature of Nmap that allows users to automate tasks using pre-written scripts or write their own scripts using the Lua programming language. The scripts can be used to gather information about hosts, services, and vulnerabilities, or to perform tasks such as brute-force attacks, denial-of-service attacks, and exploitation.
The Nmap Script Scan feature is activated by using the “-sC” option or the “ — script=default” option. This option tells Nmap to run the default script set that comes with the tool. The default script set contains over 600 scripts that cover a wide range of tasks, from information gathering to vulnerability detection.
nmap -v -p- -sT -sV -sC -T4 192.168.1.0/24
nmap -v -Pn -sT -sV -O -sC example.com
nmap -v -Pn -sT -sV -O –script=http-vuln-cve2006-3392.nse example.com
In conclusion, Nmap is an incredibly versatile and powerful tool that can be used for network exploration, management, and security auditing. Throughout this article, we have explored the various steps involved in Nmap scanning, including target specification, host discovery, port specification and scan order, and output. We have also provided examples of command usage for each step, along with some common options used with Nmap.
Target specification is a critical step in using Nmap, and there are several ways to specify the target, including individual IP addresses or hostnames, CIDR notation, or a range of IP addresses. Host discovery is also an essential part of network scanning, and various Nmap techniques can be used to achieve this.
Overall, by learning how to use Nmap, you will be better equipped to manage and audit your network’s security. Nmap provides invaluable insights into your network’s vulnerabilities, enabling you to proactively secure your systems and protect your data. So, whether you’re an IT professional, a security researcher, or simply interested in network security, Nmap is an essential tool in your toolkit. We hope this article has provided you with the knowledge and confidence to use Nmap effectively.
So, happy scanning!
