Difference between revisions of "Nmap"

Latest revision as of 00:04, 6 June 2021

nmap is a network exploration tool and security scanner.

Nmap ("Network Mapper") is a free and open-source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

Usage

Note: The man page has many more examples.

NOTE: The flags -sP and -P0 are now known as -sn and -Pn, respectively. However, the older flags are still found to be working in the newer versions.

TL;DR

Check if an IP address is up, and guess the remote host's operating system:

$ nmap -O ip_or_hostname

Try to determine whether the specified hosts are up and what are their names:

$ nmap -sn ip_or_hostname optional_another_address

Like above, but also run a default 1000-port TCP scan if host seems up:

$ nmap ip_or_hostname optional_another_address

Also enable scripts, service detection, OS fingerprinting, and traceroute:

$ nmap -A address_or_addresses

Assume good network connection and speed up execution:

$ nmap -T4 address_or_addresses

Scan a specific list of ports (use -p- for all ports 1-65535):

$ nmap -p port1,port2,…,portN address_or_addresses

Perform TCP and UDP scanning (use -sU for UDP only, -sZ for SCTP, -sO for IP):

$ nmap -sSU address_or_addresses

Perform TLS cipher scan against a host to determine supported ciphers and SSL/TLS protocols:

$ nmap --script ssl-enum-ciphers address_or_addresses -p 443

Perform full port, service, version detection scan with all default Nmap Scripting Engine (NSE) scripts active against a host to determine weaknesses and info:

$ nmap -sC -sV address_or_addresses

Examples

Check to see if a port is open on your localhost:

nmap -v localhost -p 80

It will return something like the following if the port is open:

PORT   STATE SERVICE
80/tcp open  HTTP

Scan all hosts in a given CIDR:

$ nmap -sP 10.0.0.0/24
$ nmap -sn 10.0.0.0/24

Get extended information on ports, etc.:

nmap -A -T4 localhost

Determine which ports are listening for TCP connections from the network:

nmap -sT -O localhost

If you find an "unknown" service, look it up:

grep 873 /etc/services

then find out more information about this service like so:

netstat -anp | grep 873

also:

lsof -i | grep 873

Misc.:

nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -sS -O scanme.nmap.org/24
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Make Nmap choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -P0 since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway:

nmap -v -iR 10000 -P0 -p 80

To launch a full port scan with OS detection and service identification, use:

nmap -p 1-65535 -T5 -A -v 128.92.67.0/24 -oX scan.xml

Replace 128.92.67.0/24 with your network description or the IP address of Metasploitable.

Netstat

show active network connections

netstat -nape --inet

External links

official website

Tutorials, resources, etc.

@@ Line 1: / Line 1: @@
-'''nmap''' is network exploration tool and security scanner.
+'''nmap''' is a network exploration tool and security scanner.
-Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
+Nmap ("Network Mapper") is a free and open-source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
 ==Usage==
 ''Note: The man page has many more examples.''
+NOTE: The flags <code>-sP</code> and <code>-P0</code> are now known as <code>-sn</code> and <code>-Pn</code>, respectively. However, the older flags are still found to be working in the newer versions.
+===TL;DR===
+* Check if an IP address is up, and guess the remote host's operating system:
+ $ nmap -O ip_or_hostname
+* Try to determine whether the specified hosts are up and what are their names:
+ $ nmap -sn ip_or_hostname optional_another_address
+* Like above, but also run a default 1000-port TCP scan if host seems up:
+ $ nmap ip_or_hostname optional_another_address
+* Also enable scripts, service detection, OS fingerprinting, and traceroute:
+ $ nmap -A address_or_addresses
+* Assume good network connection and speed up execution:
+ $ nmap -T4 address_or_addresses
+* Scan a specific list of ports (use <code>-p-</code> for all ports 1-65535):
+ $ nmap -p port1,port2,…,portN address_or_addresses
+* Perform TCP and UDP scanning (use <code>-sU</code> for UDP only, <code>-sZ</code> for SCTP, <code>-sO</code> for IP):
+ $ nmap -sSU address_or_addresses
+* Perform TLS cipher scan against a host to determine supported ciphers and SSL/TLS protocols:
+ $ nmap --script ssl-enum-ciphers address_or_addresses -p 443
+* Perform full port, service, version detection scan with all default Nmap Scripting Engine (NSE) scripts active against a host to determine weaknesses and info:
+ $ nmap -sC -sV address_or_addresses
 ===Examples===
 *Check to see if a port is open on your <code>localhost</code>:
@@ Line 10: / Line 42: @@
 It will return something like the following if the port is open:
   PORT   STATE SERVICE
-/tcp open  http
+/tcp open  HTTP
+*Scan all hosts in a given CIDR:
+ $ nmap -sP 10.0.0.0/24
+ $ nmap -sn 10.0.0.0/24
 *Get extended information on ports, etc.:
   nmap -A -T4 localhost
+*Determine which ports are listening for TCP connections from the network:
+ nmap -sT -O localhost
+*If you find an "unknown" service, look it up:
+ grep 873 /etc/services
+then find out more information about this service like so:
+ netstat -anp | grep 873
+also:
+ lsof -i | grep 873
 *Misc.:
@@ Line 23: / Line 69: @@
 *Make Nmap choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -P0 since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway:
   nmap -v -iR 10000 -P0 -p 80
+*To launch a full port scan with OS detection and service identification, use:
+ nmap -p 1-65535 -T5 -A -v 128.92.67.0/24 -oX scan.xml
+Replace <code>128.92.67.0/24</code> with your network description or the IP address of [http://blog.metasploit.com/2010/05/introducing-metasploitable.html Metasploitable].
+===Netstat===
+*show active network connections
+ netstat -nape --inet
 ==See also==
+*[[Network tools for Linux]]
 *[[ngrep]]
 *[[tcpdump]] &mdash; dump traffic on a network[http://www.tcpdump.org/]
 *[[snoop]] &mdash; capture and inspect network packets
 *[[netcat]] (aka <tt>nc</tt>) &mdash; a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.[http://netcat.sourceforge.net/]
+**[http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples/ netcat: a couple of useful commands]
+*[http://www.ivarch.com/programs/pv.shtml Pipe Viwer (pv)]
+*[http://www.g-loaded.eu/2006/01/06/partition-images-with-partimage-and-partimaged/ partimage + partimaged] &mdash; create images of partitions
 *[http://logi.cc/linux/netfilter-log-format.php3 Netfilter]
 *[http://logi.cc/nw/NetCalc.php3 NetCalc]
@@ Line 34: / Line 92: @@
 *[http://www.nagios.org/ Nagios] &mdash; an Open Source host, service, and network monitoring program.
 *[http://www.wireshark.org/ Wireshark] &mdash; network protocol analyser
+*[http://www.fastandeasyhacking.com/ Armitage] (w/ [http://www.ethicalhacker.net/content/view/348/2/ tutorial])
+*[http://www.metasploit.com/ Metasploit]
 ==External links==
@@ Line 52: / Line 112: @@
 *[http://www.openssl.org OpenSSL cryptography toolkit]
 ===Tutorials, resources, etc.===
+*[http://www.nmap-tutorial.com/html/nmap-tutorial.html Nmap Tutorial]
 *[http://www.ethicalhacker.net/content/view/155/1/ Nmap from an Ethical Hacker's View, Part 1]
 [[Category:Linux Command Line Tools]]

Difference between revisions of "Nmap"

Latest revision as of 00:04, 6 June 2021

Contents

Usage

TL;DR

Examples

Netstat

See also

External links

Further reading

Tutorials, resources, etc.

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools