Nmap network scanner instructions: scanning running services, scanning for open ports and protocols

Have you ever wondered how an attacker knows which ports are open on a system? Or how to find out which applications are running on a server without asking the administrator? You can do all this and more with a small tool called Nmap.


What is Nmap? The name Nmap is short for Network Mapper; Nmap itself is a set of tools for scanning a network. It can be used to check security, simply to identify the services running on a host, to identify the OS and applications, or to determine the type of firewall in front of the scanned host.
Nmap is a famous tool. Once you learn more about Nmap, you will recognize what it does in scenes from films such as The Matrix Reloaded, The Bourne Ultimatum, Khottabych, and others.
This manual describes the basics of using Nmap and gives some examples you can use.

Where to get Nmap?
If you use Linux, you can find Nmap packages in the repositories of most distributions. The latest release of Nmap came out at the beginning of 2010, so the most recent version may not be in the current stable branches. Source code and some binary builds can be found on the download page. There is also a Windows version.
Basics of using Nmap.
The Nmap syntax is as follows:

nmap [scan type] [options] target

Suppose you want to scan a host and find out which operating system is running on it. To do this, run:

nmap -O target.host.com

Note that Nmap requires superuser privileges to run this type of scan. The scan can take about a minute, so be patient. When the process finishes you will see something like this:

Starting Nmap 5.21 ( nmap.org ) at 2010-02-27 23:52 EST
Nmap scan report for 10.0.0.1
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
5009/tcp  open  airport-admin
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:11:24:6B:43:E2 (Apple Computer)
Device type: WAP|printer
Running: Apple embedded, Canon embedded, Kyocera embedded, Xerox embedded
OS details: VxWorks: Apple AirPort Extreme v5.7 or AirPort Express v6.3; Canon imageRUNNER printer (5055, C3045, C3380, or C5185); Kyocera FS-4020DN printer; or Xerox Phaser 8860MFP printer
Network Distance: 1 hop

As you can see, Nmap provides a lot of information. Here it displays its guess of the operating system running on the host. In this case an Apple AirPort Extreme router was scanned. As an additional bonus, Nmap reported that the device is one hop away, as well as the MAC address of the device and the manufacturer of its network card, the open ports, and how long the scan took.
Below are the results of another scan, of a home computer running Ubuntu 9.10:

Starting Nmap 5.21 ( nmap.org ) at 2010-02-28 00:00 EST
Nmap scan report for 10.0.0.6
Host is up (0.0039s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:17:08:2A:D6:F0 (Hewlett Packard)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at nmap.org/submit .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

Here we see that the system has an HP network card and is running Linux with a kernel somewhere between versions 2.6.19 and 2.6.31. Note that you cannot identify the distribution this way, only the version of the Linux kernel.

Scanning other hosts.

In the examples above, a local router and one of the workstations were chosen for scanning because we had the right to scan them. However, it is a bad idea to run repeated scans of someone else's host if you do not control it or do not have permission to scan it. For experimenting with Nmap there is a publicly accessible test server, scanme.nmap.org, that you can use.
Many administrators do not like unauthorized scanning of their servers, so the best option is to limit your scanning to hosts on your own local network or to those you have permission to scan. Also, in some cases you can violate your agreement with your provider by using some of the particularly aggressive Nmap scanning methods, so be careful.

Scanning multiple hosts.

You can scan more than one host at a time with Nmap. If you scan by IP address, you can specify a range such as 10.0.0.1-6 or 10.0.0.0/24. The range 10.0.0.1-6 scans the hosts from 10.0.0.1 to 10.0.0.6. The /24 notation scans the entire range of hosts from 10.0.0.0 to 10.0.0.255. For example, to scan the hosts from 10.0.0.1 to 10.0.0.42 and find out which OS they are probably running:

nmap -O 10.0.0.1-42

If you have a list of domain names instead of IP addresses, you can separate them on the command line, like this:

nmap -O host1.target.com host2.target.com

Checking open ports

If you run Nmap without any options and specify a host, it scans the ports and shows all the open ports it found and the services running on them. For example, run:
nmap target.hostname.com
It should then output something like this:

Interesting ports on target.hostname.com (10.0.0.88):
Not shown: 1711 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.228 seconds

Nmap gives more information if you use the -v option (verbose).

Scanning running services

If you want to know which service is running on a port, try the -sV option. This option performs a more aggressive scan and tries to find out which version of each service is running on the host; it can also help determine more accurately which OS is running. For example, run nmap -sV against the test server and you get the following answer:

Starting Nmap 5.21 ( nmap.org ) at 2010-02-28 00:15 EST
Nmap scan report for test.host.net (xx.xxx.xxx.xx)
Host is up (0.090s latency).
Not shown: 965 closed ports, 33 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at nmap.org/submit .
Nmap done: 1 IP address (1 host up) scanned in 11.43 seconds

As you can see, Nmap can analyze the packets and determine the versions of the applications running on the SSH and HTTP ports. Here you can see that the responding system is Ubuntu with Apache 2.2.8 and OpenSSH 4.7p1. This information may be useful for a number of reasons. An Nmap scan can identify a system running outdated services that may be vulnerable to known exploits.
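As an added example (not part of the original article), the Python below parses normal-format output like the -sV report above into records of ports, states and version strings, and compares each host's open ports against an allow-list so that an unexpected listener, such as a database port, stands out during an inventory review. The sample output is constructed from the page's examples; the version strings for 10.0.0.88 are invented placeholders.

```python
"""Parse Nmap normal-format output into records and flag unexpected exposure."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the -sV output above (not a real scan).
SAMPLE_OUTPUT = """\
Starting Nmap 5.21 ( nmap.org ) at 2010-02-28 00:15 EST
Nmap scan report for test.host.net (192.0.2.10)
Host is up (0.090s latency).
Not shown: 965 closed ports, 33 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
Service Info: OS: Linux

Nmap scan report for 10.0.0.88
Host is up (0.0015s latency).
Not shown: 1711 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.12
3306/tcp open  mysql   MySQL 5.1.37-1ubuntu5

Nmap done: 2 IP addresses (2 hosts up) scanned in 11.43 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?$")
# port/proto, state (including the open|filtered style combinations),
# service name, and an optional free-text version column.
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp|sctp)\s+"
    r"(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(\S+)(?:\s+(.*?))?\s*$"
)
NOT_SHOWN_RE = re.compile(r"(\d+) (open\|filtered|closed\|filtered|\w+) ports?")

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: Optional[str]

@dataclass
class HostReport:
    name: str
    address: str
    ports: List[Port] = field(default_factory=list)
    not_shown: Dict[str, int] = field(default_factory=dict)

    def open_ports(self) -> List[int]:
        """Port numbers Nmap reported as definitely open."""
        return [p.number for p in self.ports if p.state == "open"]

def parse_nmap_output(text: str) -> List[HostReport]:
    """Split normal output into one HostReport per 'Nmap scan report' block."""
    reports: List[HostReport] = []
    current: Optional[HostReport] = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            # Bare IP targets have no parenthesised address; reuse the name.
            current = HostReport(name=host.group(1), address=host.group(2) or host.group(1))
            reports.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host block
        port = PORT_RE.match(line)
        if port:
            current.ports.append(Port(int(port.group(1)), port.group(2), port.group(3),
                                      port.group(4), port.group(5) or None))
        elif line.startswith("Not shown:"):
            # "Not shown: 965 closed ports, 33 filtered ports" -> {'closed': 965, ...}
            for count, state in NOT_SHOWN_RE.findall(line):
                current.not_shown[state] = int(count)
    return reports

def unexpected_open_ports(report: HostReport, allowed: Set[int]) -> List[int]:
    """Open ports missing from the host's allow-list: exposure that needs an owner."""
    return sorted(p for p in report.open_ports() if p not in allowed)

def service_inventory(reports: List[HostReport]) -> Dict[str, List[str]]:
    """Map each host to 'port/proto service version' strings for patch review."""
    return {
        r.address: [f"{p.number}/{p.proto} {p.service} {p.version or '?'}"
                    for p in r.ports if p.state == "open"]
        for r in reports
    }

if __name__ == "__main__":
    for report in parse_nmap_output(SAMPLE_OUTPUT):
        print(report.address, report.open_ports(), unexpected_open_ports(report, {22, 80}))
```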

Who is on my network?

Don't know how many hosts are up on your network? Try nmap -sP, which performs a ping scan of the specified network. For example, nmap -sP 10.0.0.0/24 checks the 256 hosts from 10.0.0.0 to 10.0.0.255 and reports which of them are up. You can also use a range, for example:

nmap -sP 10.0.0.1-15

Zenmap

Finally, if all these joys of the command line are not for you, Nmap has a GUI, called Zenmap, that you can use to build and run commands. It lets you choose a target, run a scan, display the results, and also save them and compare them with others.
The Zenmap GUI is a good way to get acquainted with Nmap, but it is better to know how to use Nmap on the command line if you are going to work with it often.
In a future guide we will get to know Nmap, and the specific tasks you can solve with it, in more depth.

This post is a free translation of the article.

Further reading (in English; the links are hidden from guests):
  • Information on Nmap scripts
  • The latest version of the Nmap documentation
  • The official Nmap book by the creators of Nmap

Preamble

Nmap - a utility for network exploration and port scanning

Nmap ("Network Mapper") is an open-source utility for network exploration and security auditing. It was designed to scan large networks quickly, although it also copes perfectly well with single targets. Nmap uses raw IP packets in original ways to determine which hosts are available on the network, which services (application name and version) they offer, which operating systems (and OS versions) they run, which types of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is usually used for security audits, many network and system administrators find it useful for routine tasks such as keeping track of the network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap output is a list of scanned targets with additional information about each, depending on the options given. The key information is the "interesting ports table". This table lists the port number, protocol, service name, and state. The state may be open, filtered, closed, or unfiltered. Open means that an application on the target machine is ready to accept connections/packets on this port. Filtered means that a firewall, network filter, or some other obstacle on the network is blocking the port, and Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open at any time. Ports are classified as unfiltered when they respond to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the combinations open|filtered and closed|filtered when it cannot determine which of the two states describes the port. This table may also include software version details if requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than open ports.

In addition to the interesting ports table, Nmap can provide further information about targets: reverse DNS names, the operating system guess, device types, and MAC addresses.

A typical Nmap scan is shown in Example 1. The only arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4 for faster execution; and then the two target hosts.

Example 1. A representative Nmap scan:

# nmap -A -T4 scanme.nmap.org playground
Starting Nmap ( https://nmap.org/ )
Interesting ports on scanme.nmap.org (64.13.134.52):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.0.52 ((Fedora))
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11

Interesting ports on playground.nmap.org (192.168.0.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap?
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
1002/tcp open  windows-icfw?
1025/tcp open  msrpc         Microsoft Windows RPC
1720/tcp open  H.323/Q.931   CompTek AquaGateKeeper
5800/tcp open  vnc-http      RealVNC 4.0 (Resolution 400x250; VNC port: 5900)
5900/tcp open  vnc           VNC (protocol 3.8)
MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP

Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds

Options summary

Usage:
nmap [Scan Type(s)] [Options] {target specification}

Target specification:

Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file

Host discovery:

-sL: List scan - simply list the targets to scan
-sn: Ping scan - only determine whether the host is up
-Pn: Treat all hosts as online - skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to the given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP protocol ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use the OS's DNS resolver
--traceroute: Trace the hop path to each host

Scan techniques:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize the TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan

Port specification and scan order:

-p <port ranges>: Only scan the specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - scan fewer ports than the default scan
-r: Scan ports consecutively - do not randomize the port order
--top-ports <number>: Scan the <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>

Service/version detection:

-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to the most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)

Script scan:

-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma-separated list of directories, script files or script categories
--script-args=<n1=v1,[n2=v2,...]>: Provide arguments to scripts
--script-args-file=filename: Provide NSE script arguments in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database
--script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script files or script categories.

OS detection:

-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess the OS more aggressively

Timing and performance:

Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set a timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies the probe round trip time
--max-retries <tries>: Caps the number of port scan probe retransmissions
--host-timeout <time>: Give up on a target after this long
--scan-delay/--max-scan-delay <time>: Adjust the delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second

Firewall/IDS evasion and spoofing:

-f; --mtu <val>: Fragment packets (optionally with the given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof the source address
-e <iface>: Use the specified interface
-g/--source-port <portnum>: Use the given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with the specified IP options
--ttl <val>: Set the IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum

Output:

-oN/-oX/-oS/-oG <file>: Output the scan in normal, XML, s|<rIpt kIddi3, and grepable format, respectively, to the given filename
-oA <basename>: Output in the three major formats at once
-v: Increase the verbosity level (use twice or more for greater effect)
-d: Increase the debugging level (use up to 9)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than overwrite the specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference the stylesheet from nmap.org for more portable XML
--no-stylesheet: Prevent associating an XSL stylesheet with the XML output

Misc:

-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify a custom Nmap data file location
--send-eth/--send-ip: Send using raw Ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume that the user lacks raw socket privileges
-V: Print the version number
-h: Print this help summary page

Runtime interaction:

Help: will not work with "sudo nmap", so use "sudo -i"
While the scan is running, you can send requests to Nmap with the following keys:
?       Show this information
v / V   Increase / decrease verbosity
d / D   Increase / decrease the debugging level
p / P   Enable / disable packet tracing
and other keys, which are printed in the status line

    Examples:
Target specification

On the Nmap command line, everything that is not an option (or an option argument) is treated as a target specification. In the simplest case, the IP address or network name of the target machine is given.

Sometimes you need to scan a whole network. For this, Nmap supports CIDR-style addressing. You can append /<numbits> to an IP address or hostname, and Nmap will scan every IP address whose first <numbits> bits are the same as those of the given host. For example, 192.168.10.0/24 scans the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 does exactly the same. Given that scanme.nmap.org has the IP address 64.13.134.52, the specification scanme.nmap.org/16 scans the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which scans the entire Internet. The largest value is /32, which scans only the specified host or IP address, because all the address bits are fixed.

CIDR notation is short but not always flexible enough. For example, you may want to scan 192.168.0.0/16 but skip all IP addresses ending in .0 or .255, because these are usually broadcast addresses. Nmap supports this through octet range addressing. Instead of specifying a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 skips all addresses in that range which end in .0 or .255. The ranges need not be limited to the final octets: the specification 0-255.0-255.13.37 scans all addresses on the Internet ending in 13.37. This kind of broad sampling can be useful for Internet-wide surveys and research.

IPv6 addresses can only be specified in fully qualified IPv6 address form. CIDR and octet ranges are not supported for IPv6 addresses because they are rarely useful there.

You can pass several target specifications of different types on the Nmap command line. The command nmap scanme.nmap.org 192.168.0.0/16 10.0.0,1,3-7.0-255 does what you would expect.

Targets are usually given on the command line, but there are also options that control target selection:

-iL <inputfilename> (Input from list)

Reads target specifications from <inputfilename>. Passing a huge list of hosts on the command line is a common need, but it is awkward. For example, your DHCP server may export a list of 10,000 current leases that you want to scan. Or perhaps you want to scan all IP addresses except those leased ones, to locate unauthorized use of static IP addresses. Simply generate the list of hosts to scan and pass the file name to Nmap as the argument of the -iL option. Entries in the file can be in any format Nmap accepts on the command line (IP addresses, hostnames, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the file name if you want Nmap to read the hosts from standard input rather than from a file.

-iR <num hosts> (Choose random targets)

For Internet-wide surveys and other research, you may want to choose targets at random. The <num hosts> argument tells Nmap how many IP addresses to generate. Undesirable IP addresses, such as those in private, multicast, or unallocated address ranges, are automatically skipped. The argument 0 can be given for a never-ending scan. Keep in mind that some network administrators do not like unauthorized scans of their networks and may complain. Use this option at your own risk! If you find yourself really bored on a rainy day, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers.

--exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)

Specifies a comma-separated list of targets to be excluded from the scan even if they are part of the overall range you specified. The list uses normal Nmap syntax, so it can contain hostnames, CIDR netblocks, octet ranges, etc. This option can be useful when the network you want to scan includes servers or systems that react badly to port scans, or subnets administered by other people.

--excludefile <exclude_file> (Exclude list from file)

This does the same as --exclude, except that the targets to exclude are provided in a space-, tab-, or newline-delimited <exclude_file> rather than on the command line.
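The target syntax described in this section and in "Scanning multiple hosts" above (CIDR prefixes, per-octet lists and ranges, --exclude) is easy to get wrong, and an out-of-scope host in a scan is exactly the mistake the text warns about. The following Python is an added example, not Nmap's own code: it expands IPv4 target specifications the way the text describes so that the scope can be counted and reviewed before anything is scanned. It handles dotted addresses, /N prefixes (host bits allowed, as in 192.168.10.40/24), comma lists and ranges per octet (plus the * wildcard, as in 192.168.1.*, and ranges with an omitted bound such as 1-), and applies --exclude semantics; hostnames are not resolved.

```python
"""Expand Nmap-style IPv4 target specifications and apply --exclude semantics."""
import ipaddress
import itertools
from typing import Iterable, Iterator, List, Optional, Set, Tuple


def _octet_values(field: str) -> List[int]:
    """Values covered by one octet field: '37', '1-254', '0,1,3-7', '*',
    or a range with an omitted bound ('1-' means 1-255, '-20' means 0-20)."""
    values: Set[int] = set()
    for item in field.split(","):
        if item == "*":
            values.update(range(256))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            lo_n = int(lo) if lo else 0
            hi_n = int(hi) if hi else 255
            if not 0 <= lo_n <= hi_n <= 255:
                raise ValueError(f"bad octet range {item!r}")
            values.update(range(lo_n, hi_n + 1))
        else:
            n = int(item)
            if not 0 <= n <= 255:
                raise ValueError(f"bad octet {item!r}")
            values.add(n)
    return sorted(values)


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address one target spec covers, in ascending order."""
    if "/" in spec:
        # CIDR keeps the first N bits; strict=False accepts host bits, so
        # 192.168.10.40/24 yields the same 256 addresses as 192.168.10.0/24.
        # Iterating the network includes the .0 and .255 addresses, as Nmap does.
        net = ipaddress.ip_network(spec, strict=False)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"IPv6 CIDR is not supported here: {spec!r}")
        for addr in net:
            yield str(addr)
        return
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    # Cartesian product of the four octet sets: 192.168.0-255.1-254 becomes
    # 256 * 254 addresses, none of which end in .0 or .255.
    for octets in itertools.product(*(_octet_values(f) for f in fields)):
        yield ".".join(str(o) for o in octets)


def count_targets(spec: str) -> int:
    """How many addresses a spec expands to, i.e. how many hosts a scan would touch."""
    return sum(1 for _ in expand_target(spec))


def target_bounds(spec: str) -> Tuple[Optional[str], Optional[str]]:
    """First and last address of a spec, e.g. ('64.13.0.0', '64.13.255.255') for a /16."""
    first: Optional[str] = None
    last: Optional[str] = None
    for addr in expand_target(spec):
        if first is None:
            first = addr
        last = addr
    return first, last


def scan_scope(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Resolve the final scope as Nmap would: the union of all target specs minus
    every address covered by an --exclude spec, even inside a requested range.
    Duplicates are dropped and the result is ordered numerically."""
    excluded: Set[str] = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    scope: Set[str] = set()
    for spec in specs:
        scope.update(a for a in expand_target(spec) if a not in excluded)
    return sorted(scope, key=lambda a: int(ipaddress.IPv4Address(a)))


if __name__ == "__main__":
    for spec in ("192.168.10.40/24", "192.168.0-255.1-254", "10.0.0,1,3-7.0-255"):
        print(spec, count_targets(spec), target_bounds(spec))
    print(scan_scope(["192.168.1.0/24"], exclude=["192.168.1.1,2,3"])[:3])
```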

Below you will find 20 basic examples of Nmap command usage.

You will learn how to use Nmap from the command line in Linux to search for active hosts on the network and scan open ports.

You will see how to remotely determine the operating system using TCP/IP stack fingerprinting and how to find out the version of the software running on a remote server.

I will also show you how to use Nmap for stealth scanning, how to detect a firewall, and how to spoof a MAC address.

1. Scan a single host or IP address

Scan a single IP address:

$ nmap 192.168.1.1

Scan a server by hostname:

$ nmap server.site

Increase the level of detail in the scan results:

$ nmap -v server.site

2. Scan multiple IP addresses

Scan several IP addresses:

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ nmap 192.168.1.1,2,3

Scan a subnet:

$ nmap 192.168.1.0/24
$ nmap 192.168.1.*

Scan a range of IP addresses (192.168.1.0 - 192.168.1.200):

$ nmap 192.168.1.0-200

3. Find active hosts on the network

Tip: scan the network with ping alone and find all the active hosts!

Scan the network for active hosts:

$ nmap -sn 192.168.1.0/24

4. Scan a list of hosts from a file

Scan a list of hosts/networks from a file:

$ nmap -iL input.txt

File format:

# Entries can be in any of the formats Nmap accepts on the command line
# (IP addresses, hostnames, CIDR, IPv6, or octet ranges). Entries must be
# separated by one or more spaces, tabs, or newlines.
$ cat input.txt
server.site
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200

5. Exclude IPs/hosts/networks from a scan

Exclude targets from an Nmap scan:

$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3

Exclude a list of hosts taken from a file:

$ nmap 192.168.1.0/24 --excludefile exclude.txt

The format of the file with the excluded hosts is the same as above.

6. Scan specific ports

Scan one port:

$ nmap -p 80 192.168.1.1

Scan multiple ports:

$ nmap -p 80,443 192.168.1.1

Scan a port range:

$ nmap -p 80-1000 192.168.1.1

Scan all ports:

$ nmap -p "*" 192.168.1.1

Scan some of the most common ports:

$ nmap --top-ports 5 192.168.1.1
$ nmap --top-ports 10 192.168.1.1

7. Determine the supported IP protocols

Determine which IP protocols (TCP, UDP, ICMP, etc.) the scanned host supports:

$ nmap -sO 192.168.1.1

8. Scan TCP/UDP ports

Scan TCP ports (TCP connect scan):

$ nmap -sT 192.168.1.1

Scan specific TCP ports:

$ nmap -p T:80 192.168.1.1

Scan UDP ports:

$ nmap -sU 192.168.1.1

Scan specific UDP ports (-sU is required, otherwise the U: ports are ignored):

$ nmap -sU -p U:53 192.168.1.1

Combine scans of different ports (a UDP and a TCP scan type are both needed):

$ nmap -sU -sT -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1

9. Fast scan

Enable fast scan mode:

$ nmap -F 192.168.1.1

* Scans fewer ports than the default scan.

10. Show the reason for a port's state

Show the reason why Nmap believes a port is in a particular state:

$ nmap --reason 192.168.1.1

11. Show only open ports

Show only open (or possibly open) ports:

$ nmap --open 192.168.1.1

12. OS detection

One of Nmap's best-known features is remote OS detection based on analysis of the TCP/IP stack's behaviour.

Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.

After running many tests, Nmap compares the results with its database and, when there is a match, prints information about the OS.

Enable OS detection:

$ nmap -O 192.168.1.1

13. Service version detection

Enable service version detection:

$ nmap -sV 192.168.1.1

* Determines the versions of the programs running on the remote server.

14. Firewall detection

Find out whether the host is protected by any packet filters or a firewall:

$ nmap -sA 192.168.1.1

15. MAC address spoofing

Spoof the MAC address:

$ nmap --spoof-mac 00:11:22:34:44:55 192.168.1.1

Spoof a random MAC address:

$ nmap --spoof-mac 0 192.168.1.1

16. Scanning a firewall for weaknesses

These three scan types exploit a subtle loophole in the TCP RFC to distinguish open ports from closed ones.

When scanning a system that complies with the RFC, any packet that does not contain the SYN, RST, or ACK bits results in an RST being sent back if the port is closed, and in no response at all if the port is open.

As long as none of those three bits is set, any combination of the remaining three (FIN, PSH, and URG) is valid.

TCP NULL scan:

$ nmap -sN 192.168.1.1

* No bits are set (the TCP header flags are 0).

TCP FIN scan:

$ nmap -sF 192.168.1.1

* Only the TCP FIN bit is set.

TCP Xmas scan:

$ nmap -sX 192.168.1.1

* The FIN, PSH, and URG flags are set (the packet is lit up like a Christmas tree).

17. Stealth scanning

Tip: stay anonymous while scanning ports! Use Nmap + Tor + ProxyChains! Safe and simple penetration testing!

TCP SYN scan:

$ nmap -sS 192.168.0.1

* Known as half-open scanning, since it does not complete full TCP connections.

18. Disable host discovery (no ping)

Do not ping hosts before scanning:

$ nmap -Pn 192.168.1.1

19. Disable DNS resolution

Tip: do you need to harden security on Linux? Encrypt DNS traffic to protect against spoofing!

Never do reverse DNS resolution for the active IP addresses it finds.

Are you worried about the security of your own or someone else's network? Protecting your router from unwanted connections is the key to keeping your network secure. One simple method is to use Nmap, or Network Mapper. This is a scanning program that checks which ports are open and which are closed, along with other details. Security specialists use this program to test network security. To learn how to use it, see Step 1.

Steps

Using Zenmap

1. Download the Nmap installer. You can find the installer on the developers' website and download it for free. It is recommended to download from the developers' site to avoid the risk of downloading viruses or tampered files. When you download Nmap, you also get Zenmap, a graphical interface for Nmap that makes the program easy to use for beginners who scan without knowing the commands.

  • Zenmap is available for Windows, Linux, and Mac OS X. You can find the installers on the official Nmap website.

2. Run the program "Nmap - Zenmap GUI". If you left all the defaults during installation, the program icon should appear on your desktop. If not, look in the Start menu and launch Zenmap.

3. Enter the target of your scan. Zenmap makes network scanning a very simple process. First, choose the target of the scan. You can enter a domain (example.com), an IP address (127.0.0.1), a network (192.168.1.0/24), or a combination of these.

  • Depending on the load and purpose of your scan, using Nmap may violate your Internet provider's terms of use. Always check the local rules when using Nmap to scan outside your own network.

4. Choose your profile. Profiles are groups of modifiers that change what is scanned. Profiles let you quickly select different types of scan without having to type the modifiers on the command line. Choose the profile that best suits your needs:

  • Intense scan - An extensive scan. Includes OS detection, version detection, script scanning and traceroute, and uses aggressive timing.
  • Ping scan - Determines whether the scan targets are online; does not scan ports.
  • Quick scan - Faster than a regular scan, with aggressive timing and a sample of ports.
  • Regular scan - The standard Nmap scan without any modifiers. The result includes a ping and the open ports.

5. Press Scan to start scanning. The live results of the scan are displayed in the Nmap Output tab. The scanning time depends on the selected profile, the physical distance to the target, and the network configuration.

6. Look at your results. After the scan completes, you will see the message "Nmap done" at the bottom of the Nmap Output tab. You can now check your results, depending on the type of scan chosen. All results are collected in the Output tab, but by choosing the other tabs you can study the result in more detail.

  • Ports/Hosts - Shows the results of the port scan, including the services running on those ports.
  • Topology - Shows the traceroute for the scan. You can see how many "hops" your data passes through to reach the target.
  • Host Details - Shows full information about the target: the number of ports, IP addresses, hostnames, operating systems, and more.
  • Scans - Records the history of your previous scans. This way you can quickly rerun a past scan with a specific set of parameters.

    Using the command line

    1. Install NMAP. NMAP is a small, free program. You can download it from the developer's website. Follow the installation instructions for your operating system:

      Open your command prompt. NMAP commands are run from the command line and show their results directly below the command. You can use options to change how the scan is structured. You can run a scan from any directory in your command line.

    2. Scan the ports you need. To start a simple scan, type nmap followed by the target. This pings the selected target and scans its ports. This scan is very easy to detect. The results are shown on your screen; you may have to scroll up to see them in full.

      • Depending on the load and purpose of your scan, using NMAP may violate your Internet provider's terms of use. Always check the local rules when you use NMAP to scan targets outside your own network.
    3. Run a modified scan. You can use command-line options to change the scan settings, producing a more or less extensive scan. You can add several options, separated by spaces. The options are placed between nmap and the target:

      • -sS - A stealth SYN scan. It is harder to detect than a regular scan, but may take longer to complete. Most modern firewalls can detect -sS scans.
      • -sn - A ping scan. It does not probe ports and only checks whether the target is online.
      • -O - Detects the target's operating system type.
      • -A - Enables more extensive detection: operating system, version, scripts and traceroute.
      • -F - Enables fast scanning by reducing the number of ports scanned.
      • -v - Verbose mode; shows more information about your scan, making the results easier to read.
    4. Save your scan results to an XML file. You can direct the scan output to an XML file and later open it easily in any web browser. To do this, use the -oX option followed by the output file name. The full command looks like nmap -oX scanResults.xml followed by the target.

      • Your XML file will be saved in the current directory of your command line.
    Tips

    • Wondering how the scan is going? Press the space bar, or any other key, while the scan is running to see NMAP's progress.
    • Target not responding? Try adding the -P0 option to your scan. NMAP will then run the scan even if it "thinks" the target does not exist. This is useful when the computer is protected by a firewall.
    • If your scan takes a long time (more than 20 minutes), try adding the -F option so that NMAP scans only the most commonly used ports.

    Warnings

    • Make sure you have permission to scan the target. Scanning public sites can bring you no small amount of trouble. If you want to test a scan, you can use scanme.nmap.org, a test machine set up by the program's author.
    • If you use NMAP scans often, be prepared to answer questions from your Internet provider. Some providers specifically watch their traffic for NMAP scans. The program is well known and frequently used by hackers.

    Have you ever wondered how crackers find out which ports are open on a system and what services are available on those ports? How do they do it without asking the server administrator? This, and much more, can be done with a small utility called nmap. NMAP is short for "Network Mapper"; in Russian you might call it a "network map builder". NMAP is truly a huge set of tools "in one bottle" for scanning networks. It can be used to find and identify services running on the network, the type of operating system in use, the type of firewall, or simply to quickly enumerate the hosts on a network. In short, knowing this tool will not be superfluous. NMAP is a very well-known utility; once you get acquainted with it, you will recognise it in some movie scenes. In this note, I will show you the basic techniques of working with NMAP and some examples of how to use it.

    In most modern distributions, NMAP is present in the standard repositories. If the system you use is not one of them, you can get the utility's source code and some binary builds from the project download page.

    The syntax for calling the utility from the command line is as follows:

    nmap <options> target

    Suppose you need to determine the type and version of the OS running on the remote system target.host.com. Run NMAP with the "-O" option (using this option requires administrative privileges):

    # nmap -O target.host.com

    Probing the remote system will take some time; once it completes, you will get output similar to the following:

    Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-27 23:52 EST
    Nmap scan report for 10.0.0.1
    Host is up (0.0015s latency).
    Not shown: 997 closed ports
    PORT      STATE SERVICE
    53/tcp    open  domain
    5009/tcp  open  airport-admin
    10000/tcp open  snet-sensor-mgmt
    MAC Address: 00:11:24:6B:43:E2 (Apple Computer)
    Device type: WAP|printer
    Running: Apple embedded, Canon embedded, Kyocera embedded, Xerox embedded
    OS details: VxWorks: Apple AirPort Extreme v5.7 or AirPort Express v6.3; Canon imageRUNNER printer (5055, C3045, C3380, or C5185); Kyocera FS-4020DN printer; or Xerox Phaser 8860MFP printer
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds

    As you can see, NMAP provided a lot of information. In this example, NMAP ran a series of tests and, based on them, tried to determine the type and version of the OS used on the host. The output above came from an Apple AirPort Extreme router. Besides the suggested OS type, NMAP also reported the network distance, the MAC address and manufacturer of the network interface, the list of open ports, and the time spent scanning.

    Below is the output of another scan, this time of a host running Ubuntu 9.10:

    Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-28 00:00 EST
    Nmap scan report for 10.0.0.6
    Host is up (0.0039s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    MAC Address: 00:17:08:2A:D6:F0 (Hewlett Packard)
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.19 - 2.6.31
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

    Here we see that the network interface manufacturer is HP and the operating system is Linux, with a kernel version somewhere in the range 2.6.19-2.6.31. In general, it is usually impossible to determine the exact Linux kernel version using NMAP.

    Warning

    In the examples above, I scanned my own router and one of the workstations on my own network, which I have every right to do. In principle, you can scan any host you like, but scanning other people's networks and hosts without their owners' permission is not a good idea. If you need a host for experiments, the community provides one at scanme.nmap.org. This host is specifically set up for testing NMAP, as long as you are not going to test DoS attacks on it.

    Some administrators react with hostility to unexpected scans of their networks, so do not overstep the line: scan only hosts you are permitted to scan. Among other things, some aggressive NMAP scan methods may go beyond the rules set by your provider, so be careful.

    Scanning several hosts

    In a single NMAP run you can scan more than one host. If you use IP addresses to specify the targets, you can pass them to NMAP as ranges, for example 10.0.0.1-6 or 10.0.0.0/24. The first form specifies the range of IP addresses from 10.0.0.1 to 10.0.0.6, and the second from 10.0.0.1 to 10.0.0.254, i.e. the entire 10.0.0.0 subnet with a 24-bit mask in CIDR notation. For example, to scan the hosts with IP addresses 10.0.0.1-10.0.0.42, the command would be:

    # nmap -O 10.0.0.1-42

    If you use host names instead of addresses, simply list them separated by spaces:

    # nmap -O host1.target.com host2.target.com
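    As an added example (not part of the original article), the Python expander below lets you review exactly which addresses a target specification such as 10.0.0.1-42 or 10.0.0.0/24 will cover before a scan is launched; it also handles nmap's per-octet comma lists and wildcards, which go beyond the forms shown above. Note that, like nmap itself, it includes the network and broadcast addresses of a CIDR block.

```python
# Expand nmap-style IPv4 target specs so the address list can be reviewed before scanning.
import ipaddress
import itertools


def _octet_values(spec):
    """Expand one octet field: '7', '1-6', '1,5,9-11' or '*' (meaning 0-255)."""
    values = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
            continue
        lo, dash, hi = part.partition("-")
        lo_i = int(lo) if lo else 0                         # '-5' means 0-5
        hi_i = (int(hi) if hi else 255) if dash else lo_i   # '250-' means 250-255
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec):
    """Yield every IPv4 address covered by one nmap target specification.

    Handles CIDR (10.0.0.0/24), per-octet ranges (10.0.0.1-42), comma lists
    (10.0.0.1,3,5) and wildcards (10.0.*.1).  As with nmap, a CIDR block
    includes its network and broadcast addresses.
    """
    if "/" in spec:
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    for combo in itertools.product(*(_octet_values(o) for o in octets)):
        yield ".".join(str(v) for v in combo)


def count_targets(spec):
    """Number of addresses a spec expands to: a sanity check before a large scan."""
    return sum(1 for _ in expand_target(spec))


if __name__ == "__main__":
    for spec in ("10.0.0.1-6", "10.0.0.1-42", "10.0.0.0/24", "10.0.0-1.1,254"):
        print(f"{spec:>16}: {count_targets(spec)} addresses")
```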

    Search for open ports

    If you run NMAP without options, passing only the target host name, NMAP scans the target for open network ports and the services listening on them. For example:

    $ nmap target.hostname.com

    Interesting ports on target.hostname.com (10.0.0.88):
    Not shown: 1711 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    3306/tcp open  mysql

    Nmap done: 1 IP address (1 host up) scanned in 0.228 seconds

    Here you can see that ports 22, 80 and 3306 are open on the target host, along with the services listening on them: SSH, HTTP and MySQL respectively. NMAP recognises six port states: open, closed, filtered (the port is unreachable, most likely filtered by a firewall), unfiltered (the port is reachable, but its state could not be determined), open|filtered (open or filtered by a firewall), and closed|filtered (closed or filtered by a firewall).

    If you need more detailed information, use the "-v" option once or twice, e.g.:

    $ nmap -vv host.target.com

    Initiating Ping Scan at 11:44
    Scanning 10.0.0.28
    Completed Ping Scan at 11:44, 0.00s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 11:44
    Completed Parallel DNS resolution of 1 host. at 11:44, 0.00s elapsed
    Initiating Connect Scan at 11:44
    Scanning host.target.com (10.0.0.28)
    Discovered open port 22/tcp on 10.0.0.28
    Discovered open port 80/tcp on 10.0.0.28
    Discovered open port 3306/tcp on 10.0.0.28
    Completed Connect Scan at 11:44, 0.08s elapsed (1714 total ports)
    Host host.target.com (10.0.0.28) appears to be up ... good.
    Interesting ports on host.target.com (10.0.0.28):
    Not shown: 1711 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    3306/tcp open  mysql

    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 0.104 seconds

    Scanning Services

    If you need to find out in more detail which service is sitting on a particular port, try the "-sV" option. It makes NMAP perform, instead of a normal port scan, a more aggressive scan that probes the services on each open port. This method also sometimes allows the type and version of the OS on the target system to be determined more accurately.

    $ nmap -sV target.host.com

    Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-28 00:15 EST
    Nmap scan report for test.host.net (xx.xxx.xxx.xx)
    Host is up (0.090s latency).
    Not shown: 965 closed ports, 33 filtered ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
    Service Info: OS: Linux

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 11.43 seconds

    As can be seen from the output above, NMAP identified the SSH 4.7 and Apache 2.2.8 servers on ports 22 and 80. Also, from the software version strings it can be determined that the server runs Ubuntu Linux. This scanning method can come in handy when you need to identify outdated software versions running on your hosts that may be subject to known threats.
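    The following Python script is an added example, not code from the article or the nmap project. It serves step 4 of the command-line guide above (saving results with -oX), the six port states described earlier, and this section's point about spotting outdated software: it parses an nmap XML report, counts ports per state, and lists open services whose detected version is below a baseline. The XML sample is constructed to mirror the -sV output above, and BASELINE holds hypothetical minimum versions chosen for illustration.

```python
# Parse an nmap -oX report, tally port states, and flag service versions below a baseline.
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in nmap's XML output format, echoing the -sV results shown above.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml target.host.com">
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.8"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
<service name="mysql"/></port>
</ports></host></nmaprun>"""

# Hypothetical minimum acceptable versions for this network (an assumption, not nmap data).
BASELINE = {"OpenSSH": (5, 0), "Apache httpd": (2, 4)}


def version_key(version):
    """Turn a string like '4.7p1' into (4, 7) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:2])


def parse_report(xml_text):
    """Return one dict per scanned port: addr, port, proto, state, product, version."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")      # absent when nmap could not identify a service
            records.append({
                "addr": addr, "port": int(port.get("portid")),
                "proto": port.get("protocol"), "state": port.find("state").get("state"),
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return records


def state_summary(records):
    """Count ports per nmap state (open, closed, filtered, open|filtered, ...)."""
    return dict(Counter(r["state"] for r in records))


def outdated(records, baseline=BASELINE):
    """Open ports whose detected product version is older than the baseline."""
    return [(r["addr"], r["port"], r["product"], r["version"]) for r in records
            if r["state"] == "open" and r["product"] in baseline
            and version_key(r["version"]) < baseline[r["product"]]]
```

Run it against your own scan with `parse_report(open("scanResults.xml").read())`; ports whose product is not in the baseline are simply not reported.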

    Who lives on my network?

    Not sure you know about all the inhabitants of your network? Try running NMAP with the "-sP" parameter: it performs an ordinary ping scan, identifying only the responding hosts without resorting to port scanning. For example, to find the "live" hosts in the 10.0.0.0/24 subnet, a simple command is enough:

    $ nmap -sP 10.0.0.0/24

    Or, as mentioned above, you can specify the range of hosts, not the entire subnet. For example:

    $ nmap -sP 10.0.0.1-16

    Zenmap

    If working on the command line is not your strong point, you can use the GUI utility Zenmap, which makes it easier to build the NMAP command line and adds some bonuses such as drawing a graphical map of the network.

    Zenmap has preset scan profiles that you can simply select from a drop-down list without delving into the subtleties of NMAP's options. Zenmap is a great tool for those who are just getting acquainted with NMAP or just want to play with it. If you need to use NMAP seriously, then of course be sure to study its documentation and spend time experimenting.

    Summary

    In future articles on NMAP, we will look more closely at this incredibly powerful tool. In the meantime, I hope this article gives some stimulus to those who have not yet started studying it.