Nmap: How to use the king of network scanning

There is no person in her place security who hasn't heard of Nmap, the predominant network scanning tool. In this article we will try to analyze the utility of this tool and show you the possible ways you can install it on your computer. Unfortunately, because it is impossible to see all the commands we can use in Nmap one by one, we will try to show the main ones.

Some of the features of Nmap include detection host (Host Discovery), the port scan of each host, service and OS fingerprinting of each host, as well as a basic vulnerability detection. Additionally, there is the option of using ZeNmap, that is, the Nmap graphics version.

How to install it

Nmap can be used on an operating system Windows. However, it is advisable to use the operating system Linux as Nmap works faster and better with it. Some of the limitations that someone who uses Nmap in a Windows environment might face are:

• It is not possible to scan for the machine on which Nmap is running.
• Only Ethernet interfaces are supported.
• Some scans take much longer to complete than the corresponding time it would take to complete in a Linux environment.

Here we should note that at Kali Linux, you can find Nmap pre-installed.

Windows

1. Visit the address https://Nmap.org/download.html and download the latest version of self-installer.
2. Run the .exe file you just downloaded and accept the terms of use

3. Select the components you want to install.

4. Finally, select the installation folder.

5. The installation will be completed in a few minutes.

Linux

The installation process of Nmap for Linux versions is very simple. Just open the terminal and depending on your Linux flavor type the corresponding command to install the Nmap package:

• CentOS

• Debian

• Ubuntu

How Nmap works

In order to better understand exactly how Nmap works, the different types Scan that offers, with SYN scan being the most common choice, we need to understand how the following works:

3 Way Handhake (Tripartite handshake)

When communicating with a TCP service, the connection is made via the 3 Way Handhake. This consists of the following steps:

• Step 1: computer A sends a TCP segment SYN on computer B on the door that is connected to the corresponding service (eg 80 HTTP, 25 SMTP, 22 SSH)
• Step 2: computer B receives the SYN, and responds in part SYN ACK,
• Step 3: computer A receives the SYN ACK and responds in part ACK

In the steps above, the firewall (firewall) may be a stand-alone device or may work as a local device software in the computers. As is well known, the job of a firewall is to protect a system from unwanted traffic and packets.

Open, closed and filtered doors

In the case of Nmap scan, there may be 3 possible results at the terminal of the scan run:

• Filtered port: Occurs when this door has not responded at all. The SYN packet is blocked by the firewall.
• Closed port: Occurs when there is no service running on that door and the firewall has allowed the connection to pass. It may also mean that there is no firewall.
• Open port: Occurs when there is a service running on this door that is accessible from the outside.

Types of Nmap scan

There are different types of scans that can be performed using Nmap. Some of them are:

• TCP Scan: Used to control and complete the three way handshake between the target and the target computer. This type of scan can be very easily detected because the service is logged and can activate the Intrusion Detection System.
• UDP Scan: Used to check if there is an accessible UDP port waiting for incoming connections to the target computer. Unlike TCP, the UDP does not have a mechanism to respond to and confirm the download of the packet, which is why in these scans we find cases false positive. It is much slower than TCPs because machines tend to delay their responses to such traffic as a precautionary measure.
• SYN Scan: Unlike a regular TCP scan, Nmap creates and sends its own SYN packet, that is, the first packet sent for the purpose of establishing a TCP connection. What is important to explain here is that the connection is never complete, but the target computer's responses are analyzed by Nmap.
• ACK Scan: ACK scans are used by Nmap to "understand" whether a door is open, closed or filtered. This is quite useful in cases where the attacker is trying to determine the presence of the firewall and the rules associated with it.
• FIN Scan: It works like a SYN scan, except it sends TCP FIN packets. Most computers respond with RST packets when receiving FIN. This way, the attacker can bypass several firewalls but can be detected by IDS.
• NULL Scan: In this case the packages that are sent contain null headers, so they are not valid packages.
• XMAS Scan: This scan is named because the flags of all packets are enabled and more specifically the PSH, URG and FIN flags.
• RPC Scan: Used for detecting machines that respond to Remote Procedure Call (RPC) services. These services allow remote commands to be executed on a machine.

How to use it

To see all available commands on the tool, type Nmap in a terminal:

root @ kali: ~ # Nmap Nmap 7.80 (https://Nmap.org) Usage: Nmap [Scan Type (s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.Nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts / networks -iR <num hosts>: Choose random targets --exclude <host1 [, host2] [, host3], ...>: Exclude hosts / networks --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sn: Ping Scan - disable port scan -Pn: Treat all hosts as online - skip host discovery -PS / PA / PU / PY [portlist]: TCP SYN / ACK, UDP or SCTP discovery to given ports -PE / PP / PM: ICMP echo, timestamp, and netmask request discovery probes -PO [protocol list]: IP Protocol Ping - n / -R: Never do DNS resolution / Always resolve [default: sometimes] --dns-servers <serv1 [, serv2], ...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver - traceroute: Trace hop path to each host SCAN TECHNIQUES: -sS / sT / sA / sW / sM: TCP SYN / Connect () / ACK / Window / Maimon scans -sU: UDP Scan -sN / sF / sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host [: probeport]>: Idle sc an -sY / sZ: SCTP INIT / COOKIE-ECHO scans -sO: IP protocol scan -b <FTP relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: - p22; -p1-65535; -p U: 53,111,137, T: 21-25,80,139,8080, S: 9 --exclude-ports <port ranges>: Exclude specified ports from scanning -F: Fast mode - Scan fewer ports than default scan -r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports are more common than <ratio> SERVICE / VERSION DETECTION: -sV: Probe open ports to determine service / version info --version-intensity <level>: Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) SCRIPT SCAN: -sC: equivalent to --script = default --script = <Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories - script-args = <n1 = v1, [n2 = v2, ...]>: provide arguments to scripts - script-args-file = filename: provide NSE script args in a file --script-trace: Show all data sent and received --script-updatedb: Update the script database. --script-help = <Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script-files or script-categories. OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take <time> are in seconds, or app 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (eg 30m). -T <0-5>: Set timing template (higher is faster) --min-hostgroup / max-hostgroup <size>: Parallel host scan group sizes --min-parallelism / max-parallelism <numprobes>: Probe parallelization - -min-rtt-timeout / max-rtt-timeout / initial-rtt-timeout <time>: Specifies probe round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up target after this long --scan-delay / - max-scan-delay <time>: Adjust delay between probes --min-rate <number>: Send packets no slower than <number> per second --max-rate <number>: Send packets no faster than <number> per second FIREWALL / IDS EVASION AND SPOOFING: -f; --mtu <val>: fragment packets (optionally w / given MTU) -D <decoy1, decoy2 [, ME], ...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface >: Use specified interface -g / - source-port <portnum>: Use given port number --proxies <url1, [url2], ...>: Relay connections via HTTP / SOCKS4 proxies - data <hex string> : Append a custom payload to sent packets --data-string <string>: Append a custom ASCII string to sent packets --data-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <val>: Set IP time-to-live field --spoof-mac <mac address / prefix / vendor name>: Spoof your MAC address --badsum: Send packets with a TCP bogus / UDP / SCTP checksum OUTPUT: -oN / -oX / -oS / -oG <file>: Output scan in normal, XML, s | <rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use -vv or more for greater effect) -d: Increase debugging level (use -dd or more for greater effect) --reason: Display the reason a port is in a particular state --open: Only show open (or possibly open) ports - packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) - append-output: Append to more than specified clobber output files --resume <filename>: Resume an aborted scan --stylesheet <path / URL>: XSL stylesheet to convert XML output to HTML --webxml: Reference stylesheet from Nmap.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w / XML output MISC: -6: Enable IPv6 scanning -A: Enable OS detection, version detection, script scanning, and traceroute --datadir <dirname>: Specify custom Nmap data file location - send-eth / - send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that th e user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -V: Print version number -h: Print this help summary page. EXAMPLES: Nmap -v -A scanme.Nmap.org Nmap -v -sn 192.168.0.0 / 16 10.0.0.0 / 8 Nmap -v -iR 10000 -Pn -p 80 SEE THE MAN PAGE (https://Nmap.org/book/man .html) FOR MORE OPTIONS AND EXAMPLES

In the tables below we will look at the different commands you can use for Nmap.

Scanning Techniques

Host Detection

Door detection

Service and operating system detection

Performance

The -T [0-5] parameter determines the speed but also the detection of Nmap by a possible IDS presence, starting with T0 which is the slowest but stealth option at the same time and reaching the fastest T5 option and detectable respectively.

We look forward to your feedback on the Nmap tool. How did you like it;