In the realm of network security and administration, Nmap stands out as one of the most powerful and versatile tools available. Nmap (Network Mapper) is an open-source network scanning and exploration tool used to discover hosts, services, and vulnerabilities within a network. Its flexibility and effectiveness have made it a favorite among security professionals, system administrators, and ethical hackers.
In this article, we will explore some of the essential Nmap commands and their applications.
Before we delve into the commands, let’s set the IP address as a variable for convenience:
export ip=192.168.1.100 export netw=192.168.1.0/24
Detecting Live Hosts
To determine which hosts are active on a given network without scanning specific ports, we use the following command:
nmap -sn -n $netw | grep "report" | cut -d" " -f5
This command performs a “Ping Sweep” (ICMP echo request) on the network defined by `$netw`, and `grep` filters the live hosts from the output.
A Stealth Scan, also known as a SYN Scan, uses SYN packets to establish if ports are open or closed without completing a full TCP connection. The following command demonstrates how to perform a Stealth Scan on a single host defined by `$ip`:
nmap -sS $ip
Only Open Ports and Banner Grab
Banner grabbing is the process of retrieving service version information from open ports. The following command combines a SYN Scan with service version detection to display only open ports and grab banners:
nmap -n -Pn -sS $ip --open -sV
Stealth Scan using FIN Scan
A FIN Scan sends FIN packets to probe for open ports. It works by exploiting certain TCP stack implementations to differentiate between open and closed ports. To perform a FIN Scan on a specific IP (`$ip`), use the following command:
nmap -sF $ip
The Aggressive Scan option is used for in-depth scanning without sending a ping to hosts, avoiding DNS resolution, and testing all TCP ports. This command reveals detailed information about the target system:
nmap -n -Pn -sS -A $ip --open -p-
Nmap Verbose Scan
The Verbose Scan enhances the output, providing detailed information about the scan. It includes syn stealth, T4 timing, OS and service version detection, traceroute, and running scripts against services. The following command performs a verbose scan on the specified IP (`$ip`):
nmap –v –sS –A –T4 $ip
Nmap’s OS Fingerprinting feature attempts to identify the target system’s operating system based on its responses to certain network packets. To perform OS fingerprinting on a target (`$ip`), use the following command:
nmap -O $ip
For a faster scan that targets the most common ports, the Quick Scan is ideal. It uses a timing template of T4 and scans only the 100 most common ports. Use the following command for a Quick Scan of the network (`$netw`):
nmap -T4 -F $netw
Quick Scan Plus
The Quick Scan Plus option extends the Quick Scan by also performing service version detection and OS fingerprinting. This provides additional information about the target hosts. Use the following command for a Quick Scan Plus of the network (`$netw`):
nmap -sV -T4 -O -F --version-light $netw
Output to a File
Nmap allows users to save the scan results to a file for further analysis. To save the results to a specific file (nameFile), use the following command:
nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip
Output to a File Plus
To save scan results in various formats (normal, XML, and grepable) in a single file, use the following command:
nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 $netw
Searching NMAP Scripts
Nmap comes with an extensive collection of scripts that provide advanced scanning and enumeration capabilities. To search for Nmap scripts related to a specific service, such as FTP, use the following command:
ls /usr/share/nmap/scripts/ | grep ftp
In conclusion, Nmap is a powerful and indispensable tool for any network administrator or security professional. Its versatility, efficiency, and extensive range of features make it an essential part of the arsenal for network exploration, vulnerability assessment, and security auditing.
Remember to use Nmap responsibly and only on systems you have explicit authorization to scan. Happy scanning!