There is no person in her place security who hasn't heard of Nmap, the predominant network scanning tool. In this article we will try to analyze the utility of this tool and show you the possible ways you can install it on your computer. Unfortunately, because it is impossible to see all the commands we can use in Nmap one by one, we will try to show the main ones.
Some of the features of Nmap include detection host (Host Discovery), the port scan of each host, service and OS fingerprinting of each host, as well as a basic vulnerability detection. Additionally, there is the option of using ZeNmap, that is, the Nmap graphics version.
How to install it
Nmap can be used on an operating system Windows. However, it is advisable to use the operating system Linux as Nmap works faster and better with it. Some of the limitations that someone who uses Nmap in a Windows environment might face are:
- It is not possible to scan for the machine on which Nmap is running.
- Only Ethernet interfaces are supported.
- Some scans take much longer to complete than the corresponding time it would take to complete in a Linux environment.
Here we should note that at Kali Linux, you can find Nmap pre-installed.
Windows
- Visit the address https://Nmap.org/download.html and download the latest version of self-installer.
- Run the .exe file you just downloaded and accept the terms of use
3. Select the components you want to install.
4. Finally, select the installation folder.
5. The installation will be completed in a few minutes.
Linux
The installation process of Nmap for Linux versions is very simple. Just open the terminal and depending on your Linux flavor type the corresponding command to install the Nmap package:
- CentOS
| yum install nmap |
- Debian
| apt-get install nmap |
- Ubuntu
| sudo apt-get install nmap |
How Nmap works
In order to better understand exactly how Nmap works, the different types Scan that offers, with SYN scan being the most common choice, we need to understand how the following works:
3 Way Handhake (Tripartite handshake)
When communicating with a TCP service, the connection is made via the 3 Way Handhake. This consists of the following steps:
- Step 1: computer A sends a TCP segment SYN on computer B on the door that is connected to the corresponding service (eg 80 HTTP, 25 SMTP, 22 SSH)
- Step 2: computer B receives the SYN, and responds in part SYN ACK,
- Step 3: computer A receives the SYN ACK and responds in part ACK
In the steps above, the firewall (firewall) may be a stand-alone device or may work as a local device software in the computers. As is well known, the job of a firewall is to protect a system from unwanted traffic and packets.
Open, closed and filtered doors
In the case of Nmap scan, there may be 3 possible results at the terminal of the scan run:
- Filtered port: Occurs when this door has not responded at all. The SYN packet is blocked by the firewall.
- Closed port: Occurs when there is no service running on that door and the firewall has allowed the connection to pass. It may also mean that there is no firewall.
- Open port: Occurs when there is a service running on this door that is accessible from the outside.
Types of Nmap scan
There are different types of scans that can be performed using Nmap. Some of them are:
- TCP Scan: Used to control and complete the three way handshake between the target and the target computer. This type of scan can be very easily detected because the service is logged and can activate the Intrusion Detection System.
- UDP Scan: Used to check if there is an accessible UDP port waiting for incoming connections to the target computer. Unlike TCP, the UDP does not have a mechanism to respond to and confirm the download of the packet, which is why in these scans we find cases false positive. It is much slower than TCPs because machines tend to delay their responses to such traffic as a precautionary measure.
- SYN Scan: Unlike a regular TCP scan, Nmap creates and sends its own SYN packet, that is, the first packet sent for the purpose of establishing a TCP connection. What is important to explain here is that the connection is never complete, but the target computer's responses are analyzed by Nmap.
- ACK Scan: ACK scans are used by Nmap to "understand" whether a door is open, closed or filtered. This is quite useful in cases where the attacker is trying to determine the presence of the firewall and the rules associated with it.
- FIN Scan: It works like a SYN scan, except it sends TCP FIN packets. Most computers respond with RST packets when receiving FIN. This way, the attacker can bypass several firewalls but can be detected by IDS.
- NULL Scan: In this case the packages that are sent contain null headers, so they are not valid packages.
- XMAS Scan: This scan is named because the flags of all packets are enabled and more specifically the PSH, URG and FIN flags.
- RPC Scan: Used for detecting machines that respond to Remote Procedure Call (RPC) services. These services allow remote commands to be executed on a machine.
How to use it
To see all available commands on the tool, type Nmap in a terminal:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 | root@kali:~# Nmap Nmap 7.80 ( https://Nmap.org) Usage: Nmap [Scan Type(s)] [Options] {{target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, .. Ex: scanme.Nmap.org, Microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts/networks -iR <num hosts>: Choose random targets --exclude <host1[,host2][,host3], ...>: Exclude hosts/networks --excludefile <exclude_file>: Exclude list from fillet HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sn: Ping Scan - disable port scan -Pn: Treat all hosts as on-line -- skip host discovery -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports -PE/PP/PM: ICMP threw out, timestamp, and netmask request discovery probes -PO[protocol list]: IP Protocol Ping -n/-R: Never do DNS resolution/Always resolve [default: Sometimes] --dns-servers <serv1[,serv2], ...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver --traceroute: Trace hop path to each host SCAN TECHNIQUES: -sS / sT / sA / sW / sM: TCP SYN / Connect () / ACK / Window / Maimon scans -sU: UDP Scan -sN / sF / sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host [: probeport]>: Idle scan -sY / sZ: SCTP INIT / COOKIE-ECHO scans -sO: IP protocol scan -b <FTP relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U: 53,111,137, T: 21-25,80,139,8080, S: 9 --exclude-ports <port ranges>: Exclude the specified ports from scanning -F: Fast mode - Scan fewer ports than the default scan -r: Scan ports consecutively - don 't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports are more common than usual <ratio> SERVICE/DETECTION VERSION: -sV: Probe open ports to determine service/version info --version-intensity <level>: Set from 0 (and "light", too) to 9 (try all probes) --version-and "light", too: Limit to most likely probes (intensity 2) --version-ALL: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (forum debugging) SCRIPT SCAN: -sC: equivalent to --script=default --script= <Lua scripts>: <Lua scripts> is a separate comma list of directories, script-files or script-categories --script-args= <n1=v1,[n2=v2, ...]>: provide arguments to scripts --script-args-fillet=filename: provide NSE script args in a fillet --script-trace: Show all data sent and received --script-updatedb: Update the script database. --script-help= <Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script-files or script-categories. OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T<0-5>: Set timing template (higher is faster) --min-hostgroup/Max-hostgroup <size>: Parallel host scan group sizes --min-parallelism/Max-parallelism <numprobes>: Probe parallelization --min-rtt-timeout/Max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. --Max-retries <pickings>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long --scan-delay/ -Max-scan-delay <time>: Adjustable delay between probes --min-rates <number>: Send packets no slower than <number> per second --Max-rates <number>: Send packets no faster than <number> per second FIREWALL/EVASION AND SPOOFING IDS: -f; --my you <wave>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME], ...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface>: Use specified interface -g/ -source-port <portnum>: Use given port number --proxies <url1,[url2], ...>: Relay connections via HTTP/SOCKS4 proxies --date <hex string>: Apply a custom payload to sent packets --date-string <string>: Append a custom ASCII string to sent packets --date-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <wave>: Set IP time-to-live field --spoof-mac <mac address/prefix/local name>: Spoof your MAC address --badsum: Send packets with a TCP bogus/UDP/SCTP checksum OUTPUT: -oN/-oX/-oS/-oG <fillet>: Scan output is normal, XML, s| <rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use -vv or more forum greater effect) -d: Increase debugging level (use -dd or more forum greater effect) --reason: Display the reason a port is in a particular state --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (forum debugging) --append-output: Append to rather than clobber specified output files --summarizes <filename>: Resume an aborted scan --Stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Nmap.org forum more portable XML --No.-Stylesheet: Prevent associating of XSL stylesheet w/XML output MISC: -6: Enable IPv6 scanning -A: Enable OS detection, version detection, script scanning, and traceroute --datadir <dirname>: Specify custom Nmap data fillet location --send-eth/ -send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -V: Print version number -h: Print this help summary page. EXAMPLES: Nmap -v -A scanme.Nmap.org Nmap -v -sn 192.168.0.0/16 10.0.0.0/8 Nmap -v -iR 10000 -Pn -p 80 SEE THE MAN PAGE (https://Nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES |
root @ kali: ~ # Nmap Nmap 7.80 (https://Nmap.org) Usage: Nmap [Scan Type (s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.Nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts / networks -iR <num hosts>: Choose random targets --exclude <host1 [, host2] [, host3], ...>: Exclude hosts / networks --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sn: Ping Scan - disable port scan -Pn: Treat all hosts as online - skip host discovery -PS / PA / PU / PY [portlist]: TCP SYN / ACK, UDP or SCTP discovery to given ports -PE / PP / PM: ICMP echo, timestamp, and netmask request discovery probes -PO [protocol list]: IP Protocol Ping - n / -R: Never do DNS resolution / Always resolve [default: sometimes] --dns-servers <serv1 [, serv2], ...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver - traceroute: Trace hop path to each host SCAN TECHNIQUES: -sS / sT / sA / sW / sM: TCP SYN / Connect () / ACK / Window / Maimon scans -sU: UDP Scan -sN / sF / sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host [: probeport]>: Idle sc an -sY / sZ: SCTP INIT / COOKIE-ECHO scans -sO: IP protocol scan -b <FTP relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: - p22; -p1-65535; -p U: 53,111,137, T: 21-25,80,139,8080, S: 9 --exclude-ports <port ranges>: Exclude specified ports from scanning -F: Fast mode - Scan fewer ports than default scan -r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports are more common than <ratio> SERVICE / VERSION DETECTION: -sV: Probe open ports to determine service / version info --version-intensity <level>: Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) SCRIPT SCAN: -sC: equivalent to --script = default --script = <Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories - script-args = <n1 = v1, [n2 = v2, ...]>: provide arguments to scripts - script-args-file = filename: provide NSE script args in a file --script-trace: Show all data sent and received --script-updatedb: Update the script database. --script-help = <Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script-files or script-categories. OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take <time> are in seconds, or app 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (eg 30m). -T <0-5>: Set timing template (higher is faster) --min-hostgroup / max-hostgroup <size>: Parallel host scan group sizes --min-parallelism / max-parallelism <numprobes>: Probe parallelization - -min-rtt-timeout / max-rtt-timeout / initial-rtt-timeout <time>: Specifies probe round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up target after this long --scan-delay / - max-scan-delay <time>: Adjust delay between probes --min-rate <number>: Send packets no slower than <number> per second --max-rate <number>: Send packets no faster than <number> per second FIREWALL / IDS EVASION AND SPOOFING: -f; --mtu <val>: fragment packets (optionally w / given MTU) -D <decoy1, decoy2 [, ME], ...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface >: Use specified interface -g / - source-port <portnum>: Use given port number --proxies <url1, [url2], ...>: Relay connections via HTTP / SOCKS4 proxies - data <hex string> : Append a custom payload to sent packets --data-string <string>: Append a custom ASCII string to sent packets --data-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <val>: Set IP time-to-live field --spoof-mac <mac address / prefix / vendor name>: Spoof your MAC address --badsum: Send packets with a TCP bogus / UDP / SCTP checksum OUTPUT: -oN / -oX / -oS / -oG <file>: Output scan in normal, XML, s | <rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use -vv or more for greater effect) -d: Increase debugging level (use -dd or more for greater effect) --reason: Display the reason a port is in a particular state --open: Only show open (or possibly open) ports - packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) - append-output: Append to more than specified clobber output files --resume <filename>: Resume an aborted scan --stylesheet <path / URL>: XSL stylesheet to convert XML output to HTML --webxml: Reference stylesheet from Nmap.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w / XML output MISC: -6: Enable IPv6 scanning -A: Enable OS detection, version detection, script scanning, and traceroute --datadir <dirname>: Specify custom Nmap data file location - send-eth / - send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that th e user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -V: Print version number -h: Print this help summary page. EXAMPLES: Nmap -v -A scanme.Nmap.org Nmap -v -sn 192.168.0.0 / 16 10.0.0.0 / 8 Nmap -v -iR 10000 -Pn -p 80 SEE THE MAN PAGE (https://Nmap.org/book/man .html) FOR MORE OPTIONS AND EXAMPLESIn the tables below we will look at the different commands you can use for Nmap.
Scanning Techniques
| Parameter | Description | Example |
| -sS | TCP SYN port scan | Nmap -sS 192.168.100.100 |
| -sT | TCP connect port scan | Nmap -sT 192.168.100.100 |
| -sU | UDP port scan | Nmap -sU 192.168.100.100 |
| -sA | TCP ack port scan | Nmap -sA 192.168.100.100 |
Host Detection
| Parameter | Description | Example |
| -Pn | Port scan only | Nmap -Pn 192.168.100.100 |
| -sn | Host crawl only | Nmap -sn 192.168.100.100 |
| -PR | ARP Detection on Local Area Network | Nmap -PR 192.168.100.100 |
| -n | Disable DNS process | Nmap -n 192.168.100.100 |
Door detection
| Parameter | Description | Example |
| -p | Specific door or width | Nmap -p 192.168.100.100 |
| -p- | Detection of all doors | Nmap -p- 192.168.100.100 |
| -F | Quick scan | Nmap -F 192.168.100.100 |
Service and operating system detection
| Parameter | Description | Example |
| -sV | Detection of active services version | Nmap -sV 192.168.100.100 |
| -A | Aggressive scan | Nmap -A 192.168.100.100 |
| -O | Operating System Detection | Nmap -O 192.168.100.100 |
Performance
The -T [0-5] parameter determines the speed but also the detection of Nmap by a possible IDS presence, starting with T0 which is the slowest but stealth option at the same time and reaching the fastest T5 option and detectable respectively.
| Parameter | Example |
| -T0 | Nmap -Τ0 192.168.100.100 |
| -T1 | Nmap -Τ1 192.168.100.100 |
| -T2 | Nmap -Τ2 192.168.100.100 |
| -T3 | Nmap -Τ3 192.168.100.100 |
| -T4 | Nmap -Τ4 192.168.100.100 |
| -T5 | Nmap -Τ5 192.168.100.100 |
We look forward to your feedback on the Nmap tool. How did you like it;
How useful was this post?
Average rating 5 / 5. Vote count: 1
Share
Do you have an opinion? Leave your comment.
The author allows you to copy his / her text only if you report the source (SecNews.gr), as an e-mail address (Live URL) of the article.
Updated on by
The author allows you to copy his / her text only if you report the source (SecNews.gr), as an e-mail address (Live URL) of the article.
Updated on by
Top mobile apps that will have significant growth in the future
Greek
Arabic
Chinese (Simplified)
English
French
German
Italian
Russian
Comment Policy:
SecNews.gr does not immediately post comments. Malicious comments, comments that include ads, or comments with insults are deleted without any warning. We do not endorse the views expressed by our readers.