1. Scan One Host or IP Address
Scan Specific IP Address:
$ nmap 192.168.1.1
Scan server by Hostname:
$ nmap server.valeurbit.com
Increase the Level of Detail of scan results:
$ nmap -v server.valeurbit.com
$ nmap -vv server.valeurbit.com
2. Scanning Multiple IP Addresses
Scan Multiple IP Addresses:
$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ nmap 192.168.1.1,2,3
Scan Subnet:
$ nmap 192.168.1.0/24
$ nmap 192.168.1.*
Scan IP Address Range (192.168.1.0 – 192.168.1.200):
$ nmap 192.168.1.0-200
3. Searching for Active Computers on the Net
Scan the network for Active Hosts:
$ nmap -sn 192.168.1.0/24
4. Scanning the Host List from File
Scanning a list of hosts / networks from a File:
$ nmap -iL input.txt
File format:
# Entries can be in any of the formats Nmap accepts on the command line
# (IP addresses, hostnames, CIDR, IPv6, or octet ranges). Entries must be
# separated by one or more spaces, tabs or line breaks.
$ cat input.txt
server.valeurbit.com
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200
5. Excluding IP / Hosts / Networks from Scanning
Exclude Targets from Nmap scans:
$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3
Exclude List of hosts taken from file:
$ nmap 192.168.1.0/24 --excludefile exclude.txt
The excluded hosts file format is the same as above.
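Sections 4 and 5 both rely on Nmap's target-list syntax (hostnames, CIDR blocks, comma lists and octet ranges separated by any whitespace). The following is an added example, not code from the page: a Python expander for that syntax which reads a constructed input.txt and exclude.txt and reports which addresses a scan would actually cover, useful for checking an allow-list before a scan runs. The sample file contents are constructed for the example.

```python
import ipaddress
import itertools
import re

# Constructed sample files (not from the page): same syntax as input.txt / exclude.txt above.
TARGETS_TXT = """server.valeurbit.com
192.168.1.0/30
192.168.2.1,2,3
192.168.3.0-4
"""
EXCLUDE_TXT = "192.168.1.1\t192.168.3.2,3\n"

# An IPv4 octet spec: four dotted fields, each a number, comma list, range (a-b) or '*'.
OCTET_SPEC = re.compile(r"^[\d,*-]+(\.[\d,*-]+){3}$")


def expand_octet(field):
    """Expand one octet field: '5' -> [5], '1,2,3' -> [1,2,3], '0-4' -> [0..4], '*' -> [0..255]."""
    values = set()
    for part in field.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)        # open ends like '-5' or '250-' mean 0 / 255
            values.update(range(int(lo or 0), int(hi or 255) + 1))
        else:
            values.add(int(part))
    return sorted(v for v in values if 0 <= v <= 255)


def expand_entry(entry):
    """Return the set of addresses (or hostnames) that one whitespace-separated entry denotes."""
    if "/" in entry:                                  # CIDR block, e.g. 192.168.1.0/24
        return {str(a) for a in ipaddress.ip_network(entry, strict=False)}
    if OCTET_SPEC.match(entry):                       # octet ranges, e.g. 192.168.3.0-200
        fields = [expand_octet(f) for f in entry.split(".")]
        return {".".join(map(str, combo)) for combo in itertools.product(*fields)}
    return {entry}                                    # hostname or IPv6 literal: passed through


def parse_list(text):
    """Parse an -iL / --excludefile style list: entries separated by spaces, tabs or newlines."""
    targets = set()
    for entry in text.split():
        targets |= expand_entry(entry)
    return targets


def effective_targets(targets_txt, exclude_txt):
    """Targets that would actually be scanned: the input list minus the exclude list."""
    return sorted(parse_list(targets_txt) - parse_list(exclude_txt))
```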
6. Scanning Specific Ports
Scan One Port:
$ nmap -p 80 192.168.1.1
Scan Multiple Ports:
$ nmap -p 80,443 192.168.1.1
Scan Port Range:
$ nmap -p 80-1000 192.168.1.1
Scan All Ports:
$ nmap -p "*" 192.168.1.1
Scan some of the most Common Ports:
$ nmap --top-ports 5 192.168.1.1
$ nmap --top-ports 10 192.168.1.1
7. Determine Supported IP Protocols
Determine which IP Protocols (TCP, UDP, ICMP, etc.) the scanned host supports:
$ nmap -sO 192.168.1.1
8. Scanning TCP / UDP Ports
Scan all TCP Ports:
$ nmap -sT 192.168.1.1
Scan specific TCP Ports:
$ nmap -p T:80 192.168.1.1
Scan all UDP Ports:
$ nmap -sU 192.168.1.1
Scan specific UDP Ports:
$ nmap -p U:53 192.168.1.1
Combining scans of different ports:
$ nmap -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1
9. Fast Scan
Activate Fast Scan Mode:
$ nmap -F 192.168.1.1
* Scans fewer ports than a normal scan.
10. Show Port Status Reason
Show Reason Nmap thinks the port is in a particular state:
$ nmap --reason 192.168.1.1
11. Show Only Open Ports
Show Only Open Ports (or possibly open):
$ nmap --open 192.168.1.1
12. OS Detection
One of the most well-known features of Nmap is remote OS detection based on analysis of the TCP/IP stack.
Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.
After running many tests, Nmap compares the results with its database and, when a match is found, displays information about the OS.
Enable OS Detection:
$ nmap -O 192.168.1.1
13. Determining the Version of the Services
Enable Service Version Detection:
$ nmap -sV 192.168.1.1
* Determines the versions of programs running on the remote server.
14. Firewall detection
Find out if the computer is protected by any Packet Filters or Firewall:
$ nmap -sA 192.168.1.1
15. Spoofing MAC Address
Spoof MAC Address:
$ nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
Spoof MAC Address with a Random MAC:
$ nmap --spoof-mac 0 192.168.1.1
16. Scanning the Firewall for Vulnerabilities
These three types of scans exploit a subtle loophole in the TCP RFC to distinguish between open and closed ports.
When an RFC-compliant system is scanned, any packet that does not have the SYN, RST, or ACK bit set will cause an RST to be sent in response if the port is closed, or no response if the port is open.
Since none of those bits is set, any combination of the three remaining bits (FIN, PSH and URG) is acceptable.
TCP Null Scan:
$ nmap -sN 192.168.1.1
* No bits are set (Flags in TCP header 0).
TCP Fin Scan:
$ nmap -sF 192.168.1.1
* Only the TCP FIN bit is set.
TCP Xmas scan:
$ nmap -sX 192.168.1.1
* FIN, PSH and URG flags are set (the packet is lit up like a Christmas tree).
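From the defender's side, the flag rule above is exactly what a sensor can key on: a TCP segment with none of SYN, RST or ACK set is never part of a normal session. Added example, not from the page: a Python classifier that labels NULL/FIN/Xmas probes from the flags byte, returns the RFC-compliant reply the text describes, and flags sources that sent the same probe type to several ports over constructed sample traffic.

```python
from collections import defaultdict

# TCP flag bits as they appear in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the probe type for a TCP flags byte, or None for ordinary traffic.

    Only packets with none of SYN, RST or ACK set trigger the RFC 793 behaviour
    described above (RST from a closed port, silence from an open one)."""
    if flags & (SYN | RST | ACK):
        return None
    if flags == 0:
        return "NULL"              # -sN: no flags at all
    if flags == FIN:
        return "FIN"               # -sF: FIN only
    if flags == FIN | PSH | URG:
        return "XMAS"              # -sX: FIN, PSH and URG
    return "OTHER"                 # some other FIN/PSH/URG mix, equally abnormal


def expected_reply(flags, port_open):
    """Reply an RFC-compliant stack gives such a probe: 'RST' if the port is closed, None if open."""
    if classify_probe(flags) is None:
        raise ValueError("not a NULL/FIN/XMAS-style probe")
    return None if port_open else "RST"


# Constructed sample of TCP headers seen by a sensor: (source, destination port, flags byte).
SAMPLE = [
    ("10.0.0.5", 22, SYN), ("10.0.0.5", 22, ACK), ("10.0.0.5", 22, FIN | ACK),   # normal session
    ("10.0.0.9", 21, 0x00), ("10.0.0.9", 22, 0x00), ("10.0.0.9", 80, 0x00),      # NULL probes
    ("10.0.0.7", 443, FIN | PSH | URG), ("10.0.0.7", 8080, FIN | PSH | URG),     # XMAS probes
    ("10.0.0.3", 25, FIN),                                                       # a lone FIN
]


def detect_scanners(packets, min_ports=2):
    """Sources that sent the same probe type to at least min_ports distinct ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            seen[src][kind].add(dport)
    return {src: {kind: sorted(ports) for kind, ports in kinds.items() if len(ports) >= min_ports}
            for src, kinds in seen.items()
            if any(len(p) >= min_ports for p in kinds.values())}
```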
Hosts using a firewall may not respond to standard ICMP pings.
Try the following methods to detect connected hosts if the firewall is blocking standard ICMP pings:
# TCP SYN Ping
$ nmap -sn -PS 192.168.1.0/24
# TCP ACK Ping
$ nmap -sn -PA 192.168.1.0/24
# UDP Ping
$ nmap -sn -PU 192.168.1.0/24
# Ping over IP Protocol
$ nmap -sn -PO 192.168.1.0/24
# ARP Ping
$ nmap -sn -PR 192.168.1.0/24
The last three commands must be run as root.
17. Stealth Scan
TCP SYN scan:
$ nmap -sS 192.168.0.1
* Known as half-open scanning, since it does not open full TCP connections.
18. Disable Host Discovery (No Ping)
Do not ping hosts before scanning:
$ nmap -Pn 192.168.1.1
19. Disable DNS Usage
Never perform reverse DNS resolution for every active IP address found:
$ nmap -n 192.168.1.1
20. Saving Nmap Scan Results to File
Save Nmap scan result to Text File:
$ nmap 192.168.1.1 > output.txt
$ nmap -oN output.txt 192.168.1.1
Save Nmap Scan Result to XML File:
$ nmap -oX output.xml 192.168.1.1
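The XML output is the form to keep when scans are run on a schedule, because it can be parsed and compared. Added example, not from the page: a Python reader for -oX output that keeps only open and open|filtered ports (what --open shows), carries the --reason value through, and diffs two scans so a newly opened port between runs stands out. The XML sample is constructed to mirror the real nmap schema, with the services taken from the scan report shown later on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV --reason -oX` output (trimmed to the elements used here).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --reason -oX output.xml 192.168.1.1">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="Pure-FTPd"/></port>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/>
        <service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.26"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/>
        <service name="domain"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Rows (addr, proto, port, state, reason, service) for open and open|filtered ports."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if not state.get("state").startswith("open"):   # same filter as --open
                continue
            svc = port.find("service")
            desc = "" if svc is None else " ".join(
                v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            rows.append((addr, port.get("protocol"), int(port.get("portid")),
                         state.get("state"), state.get("reason"), desc))   # reason as in --reason
    return rows


def newly_opened(old_xml, new_xml):
    """(addr, proto, port) tuples open in the new scan that were not open in the old one."""
    key = lambda rows: {(r[0], r[1], r[2]) for r in rows}
    return key(open_ports(new_xml)) - key(open_ports(old_xml))
```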
Anonymous Port Scanning: Nmap + Tor + ProxyChains
Installing Tor + Nmap + ProxyChains
To perform anonymous port scanning, we need to install the following programs:
Program | Description |
---|---|
tor | Anonymizing Network for TCP |
nmap | Network Port Scanner |
proxychains | Redirects connections through proxy servers |
Tor
Install the Tor client from the standard repositories:
$ sudo apt-get install tor
Nmap
Install Nmap:
$ sudo apt-get install nmap
ProxyChains
Install ProxyChains:
$ sudo apt-get install proxychains
ProxyChains is already configured to work with Tor by default.
You can verify this by looking at /etc/proxychains.conf.
The last lines of the config should look like this:
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
Anonymous Port Scanning Over Tor
Run the following command to scan anonymously with Nmap over the Tor network:
$ proxychains nmap -sT -PN -n -sV -p 80,443,21,22 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 6.00 (http://nmap.org) at 2014-03-24 17:34 EET
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:443-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:21-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:22-<--denied
Nmap scan report for 217.xx.xx.xx
Host is up (0.14s latency).
PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      Pure-FTPd
22/tcp  closed ssh
80/tcp  open   http     Apache httpd 2.2.26 ((CentOS))
443/tcp open   ssl/http Apache httpd 2.2.26 ((CentOS))
In the scan logs, we can see a ‘chain’ that goes from the Tor proxy (127.0.0.1:9050) to the host being scanned (217.xx.xx.xx).
Nmap over Tor: Bypassing Node Blocking
We may face a situation where the scan fails due to the fact that the Tor exit nodes are blocked (banned by the host being scanned).
A way out of this situation can be adding an ordinary public proxy server to the ‘chain’.
This is done by editing /etc/proxychains.conf and adding a new entry at the end of [ProxyList] (also make sure the random_chain option is off).
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
socks4 115.71.237.212 1080
The new ‘chain’ goes through the Tor proxy (127.0.0.1:9050) to the public proxy server we specified (115.71.237.212:1080) and then to the scanned host (217.xx.xx.xx).
$ proxychains nmap -sT -PN -n -sV -p 21 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 6.00 (http://nmap.org) at 2014-03-25 11:05 EET
|S-chain|-<>-127.0.0.1:9050-<>-115.71.237.212:1080-<><>-217.xx.xx.xx:21-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<>-115.71.237.212:1080-<><>-217.xx.xx.xx:21-<><>-OK
Nmap scan report for 217.xx.xx.xx
Host is up (1.2s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Pure-FTPd
In the examples above, I run nmap with the following options:
Option | Description |
---|---|
-sT | full TCP scan |
-PN | skip host discovery |
-n | never resolve DNS (to avoid DNS leaks) |
-sV | determine service version |
-p | which ports to scan |
Scanning through Tor is very slow. Therefore, in the examples above, I only scanned certain ports.