NMAP (Network Mapper) is a powerful open-source tool used for network exploration and security auditing. It was designed to rapidly scan large networks, but it also works fine against single hosts. NMAP uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Installation
NMAP can be installed on various operating systems, including Windows, Linux, and macOS. You can download it from the official NMAP website (https://nmap.org/download.html).
For Linux, you can also use the package manager to install NMAP. For example, on Ubuntu or Debian, you can use the following command:
sudo apt-get install nmap
On CentOS or RHEL, you can use:
sudo yum install nmap
Understanding NMAP Commands
NMAP commands are structured as follows:
nmap [Scan Type] [Options] {target specification}
- Scan Type: This determines the type of scan NMAP will perform. For example, -sS for SYN scan, -sU for UDP scan, etc.
- Options: These are additional parameters that modify the behavior of NMAP. For example, -p- to scan all ports, -v for verbose output, etc.
- Target Specification: This is where you specify the IP addresses or hostnames of the targets you want to scan.
Basic Scanning Techniques
Ping Scan
A ping scan is used to check if a host is online. It does not scan ports and is therefore quick and non-intrusive.
nmap -sn 192.168.1.1
Port Scan
A port scan checks for open ports on a host. The most common type of port scan is the SYN scan (-sS), which is fast and unobtrusive.
nmap -sS 192.168.1.1
Version Scan
A version scan (-sV) is used to determine the version of the services running on open ports.
nmap -sV 192.168.1.1
OS Scan
An OS scan (-O) attempts to determine the operating system of the host.
nmap -O 192.168.1.1
More Scanning Techniques
Stealth Scan
A stealth scan (-sS) is a type of port scan that is less likely to be detected by intrusion detection systems.
nmap -sS 192.168.1.1
UDP Scan
A UDP scan (-sU) is used to check for open UDP ports. This scan is slower and more likely to be detected than a SYN scan.
nmap -sU 192.168.1.1
Comprehensive Scan
A comprehensive scan combines several scanning techniques to gather as much information as possible about a host.
nmap -sS -sU -T4 -A -v 192.168.1.1
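The SYN, UDP and comprehensive scans above all share one signature on the receiving side: a single source touching many distinct destination ports in a short time. The following added example (written for this tutorial, not part of nmap) shows the detection side of that picture: it parses netfilter-style firewall log lines and flags any source that hits at least five distinct ports on one host inside sixty seconds. The log lines are constructed, the thresholds are arbitrary illustrative values, and the year is assumed because syslog timestamps omit it.

```python
"""Flag port-scan-like behaviour in firewall logs.

Added example for this tutorial, not nmap project code. The log lines below are
constructed in iptables/netfilter style; SCAN_MIN_PORTS and SCAN_WINDOW_SECONDS
are arbitrary illustrative thresholds, and ASSUMED_YEAR is needed only because
syslog timestamps carry no year.
"""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2024
SCAN_MIN_PORTS = 5        # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 60  # ... within this many seconds

# Constructed sample: 192.168.1.50 probes six TCP ports in two seconds (the shape
# of a SYN scan), 192.168.1.20 repeatedly uses the web ports (normal traffic),
# and one unrelated sshd line must be skipped by the parser.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=43123 DPT=22 SYN
Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=43124 DPT=23 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=43125 DPT=25 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=43126 DPT=80 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=43127 DPT=443 SYN
Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=43128 DPT=3306 SYN
Mar 10 12:00:04 fw sshd[123]: Accepted publickey for ops from 192.168.1.20 port 51234 ssh2
Mar 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 10 12:00:09 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=51001 DPT=443 SYN
Mar 10 12:00:15 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=51002 DPT=80 SYN
Mar 10 12:01:30 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP SPT=43129 DPT=53
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a netfilter packet log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scans(lines, min_ports=SCAN_MIN_PORTS, window_seconds=SCAN_WINDOW_SECONDS):
    """Group packets by (src, dst, proto) and flag any group that touches at
    least `min_ports` distinct destination ports inside a `window_seconds` window."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            groups[(ev["src"], ev["dst"], ev["proto"])].append(ev)

    alerts = []
    for (src, dst, proto), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; the first window that reaches
        # the threshold produces one alert for this (src, dst, proto) triple.
        for i, start in enumerate(events):
            ports = set()
            for ev in events[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                ports.add(ev["dpt"])
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "proto": proto,
                               "distinct_ports": len(ports),
                               "first_seen": start["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"possible {a['proto']} port scan: {a['src']} -> {a['dst']} "
              f"({a['distinct_ports']} ports from {a['first_seen']})")
```

On the sample data only 192.168.1.50's TCP traffic trips the rule; the repeated hits on 443 and 80 from 192.168.1.20 touch just two ports and stay below the threshold, which is the trade-off to tune: a lower threshold catches slow (-T0/-T1) scans but raises false positives on chatty hosts.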
NMAP Scripting Engine
NMAP’s Scripting Engine (NSE) allows users to write scripts to automate a wide variety of networking tasks. These scripts are written in the Lua programming language and can be used for tasks such as network discovery, vulnerability detection, exploitation, and more.
To use a script, you can use the --script option followed by the name of the script. For example, the ssl-enum-ciphers script can be used to enumerate a server’s SSL cipher suite:
nmap --script ssl-enum-ciphers -p 443 192.168.1.1
NMAP comes with a large number of scripts included, but you can also write your own. The scripts are located in the /usr/share/nmap/scripts/ directory on Linux systems.
Firewall Evasion
NMAP includes several techniques for evading firewalls and intrusion detection systems. These techniques can be used to perform scans on networks where standard scans are detected and blocked.
- Fragmentation (-f): This option splits the probe packets into small IP fragments, which can help evade certain types of detection.
nmap -f 192.168.1.1
- Decoy Scan (-D): This option mixes probes spoofed from decoy source addresses in with your own, making the scan appear to come from several hosts at once.
nmap -D RND:10 192.168.1.1
- Idle Scan (-sI): This is a type of scan where NMAP uses a “zombie” host to perform the scan, making it difficult to detect where the scan is actually coming from.
nmap -sI [Zombie IP] 192.168.1.1
Aggressive Scan
An aggressive scan (-A) combines several options to perform a more detailed scan. It includes OS detection, version detection, script scanning, and traceroute.
nmap -A 192.168.1.1
Timing Templates
NMAP offers timing templates (-T) that can be used to speed up or slow down the scan. The options range from 0 (paranoid) to 5 (insane).
nmap -T4 192.168.1.1
Specific Port Scan
To scan a specific port or range of ports, you can use the -p option. For example, to scan port 80:
nmap -p 80 192.168.1.1
Or to scan a range of ports:
nmap -p 1-100 192.168.1.1
Fast Scan
The fast scan (-F) option scans fewer ports than the default scan, making it quicker.
nmap -F 192.168.1.1
Scan All Ports
To scan all 65535 ports, you can use the -p- option.
nmap -p- 192.168.1.1
TCP SYN/Connect/ACK/Window/Maimon Scans
These are different types of TCP scans that can be performed with NMAP.
nmap -sS 192.168.1.1 # SYN scan
nmap -sT 192.168.1.1 # Connect scan
nmap -sA 192.168.1.1 # ACK scan
nmap -sW 192.168.1.1 # Window scan
nmap -sM 192.168.1.1 # Maimon scan
IP Protocol Scan
The IP protocol scan (-sO) checks to see which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target.
nmap -sO 192.168.1.1
FTP Bounce Attack Scan
The FTP bounce attack scan (-b) involves using a vulnerable FTP server to port-scan other hosts.
nmap -b [FTP Server IP] 192.168.1.1
Detecting Firewall Settings
The FIN scan (-sF), NULL scan (-sN), and Xmas scan (-sX) can be used to detect firewall settings.
nmap -sF 192.168.1.1 # FIN scan
nmap -sN 192.168.1.1 # NULL scan
nmap -sX 192.168.1.1 # Xmas scan
Saving Scan Results
You can save scan results to a file using the -oN (normal), -oX (XML), -oG (grepable), or -oA (all) options.
nmap -oN output.txt 192.168.1.1 # Save as normal
nmap -oX output.xml 192.168.1.1 # Save as XML
nmap -oG output.txt 192.168.1.1 # Save as grepable
nmap -oA output 192.168.1.1 # Save in all formats
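Of these formats, the XML written by -oX is the one to parse in tooling. The following added example (written for this tutorial, not nmap project code) turns two -oX results into an inventory of open ports and reports which services appeared or disappeared between a baseline scan and a later one, which is how saved results earn their keep in a change-detection routine. Both XML documents are constructed by hand in the shape nmap emits (nmaprun/host/status/address/ports/port/state/service), with only the attributes the code reads.

```python
"""Turn nmap -oX output into an open-port inventory and diff two scans.

Added example for this tutorial, not nmap project code. BASELINE_XML and
CURRENT_XML are constructed samples in the element/attribute shape nmap writes;
a real file carries many more attributes, which ElementTree simply ignores.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.1">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Later scan: port 80 has been closed, a database port has appeared, and a
# second host that was down contributes nothing to the inventory.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.168.1.1-2">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {(addr, protocol, port): service description} for every open
    port on every host reported as up."""
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            desc = ""
            if svc is not None:  # -sV fills name/product/version; any may be absent
                desc = " ".join(v for v in (svc.get("name"), svc.get("product"),
                                            svc.get("version")) if v)
            inventory[(addr, port.get("protocol"), int(port.get("portid")))] = desc
    return inventory


def diff_scans(baseline_xml, current_xml):
    """Compare two -oX results: newly open ports, ports no longer open, and
    ports open in both."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    return {
        "new": {k: after[k] for k in sorted(after.keys() - before.keys())},
        "gone": {k: before[k] for k in sorted(before.keys() - after.keys())},
        "unchanged": sorted(before.keys() & after.keys()),
    }


if __name__ == "__main__":
    delta = diff_scans(BASELINE_XML, CURRENT_XML)
    for (addr, proto, port), desc in delta["new"].items():
        print(f"NEW  {addr} {port}/{proto} {desc}")
    for (addr, proto, port), desc in delta["gone"].items():
        print(f"GONE {addr} {port}/{proto} {desc}")
```

Run it against real files by replacing the constants with the contents of baseline.xml and current.xml; the "new" set is the one to alert on, since an unexpected listener is the usual sign of drift from the intended exposure.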
Scanning Multiple Targets
You can scan multiple targets by separating them with a space.
nmap 192.168.1.1 192.168.1.2
Scanning a List of Targets
You can also scan a list of targets from a file using the -iL option.
nmap -iL targets.txt
Excluding Targets
To exclude certain targets from a scan, you can use the --exclude option.
nmap 192.168.1.1/24 --exclude 192.168.1.5
Or to exclude targets listed in a file, you can use the --excludefile option.
nmap 192.168.1.1/24 --excludefile excluded.txt
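The three target sections above (multiple targets, a target file, and exclusions) describe one expansion step: every specification is turned into a set of addresses, the excluded set is subtracted, and the rest is scanned. The following added example (written for this tutorial; it is not nmap's own code and does not resolve hostnames) implements that expansion for the forms nmap accepts, CIDR blocks, plain addresses, and per-octet ranges, lists and wildcards such as 192.168.1-3.1,5 or 10.0.0.*, which goes slightly beyond the CIDR and single-address forms shown above. Knowing exactly which hosts a specification covers before running the scan is the check that keeps an authorized scan inside its authorized scope.

```python
"""Expand nmap-style target specifications and apply --exclude/--excludefile.

Added example for this tutorial, not nmap project code. Handles CIDR, plain
IPv4 addresses, and nmap's per-octet syntax (a, a-b, a,b,c, *). Hostnames are
passed through unresolved rather than looked up in DNS, which is an
assumption of this illustration, not nmap behaviour.
"""
import ipaddress
import itertools

OCTET_CHARS = set("0123456789,-*")


def _octet_values(part):
    """Expand one octet field: '5', '1-3', '1,5,9', '*', or '-' for 0-255."""
    values = set()
    for item in part.split(","):
        if item == "*":
            values.update(range(256))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            values.update(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.add(int(item))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {part!r}")
    return sorted(values)


def expand_spec(spec):
    """Expand a single target specification into a list of address strings."""
    if "/" in spec:
        # ip_network(strict=False) keeps nmap's behaviour: 192.168.1.1/24 covers
        # the whole 192.168.1.0/24, including the .0 and .255 addresses.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) == 4 and all(o and set(o) <= OCTET_CHARS for o in octets):
        return [".".join(map(str, combo))
                for combo in itertools.product(*(_octet_values(o) for o in octets))]
    return [spec]  # hostname: nmap would resolve it; left unresolved here


def parse_list_file(text):
    """Parse -iL / --excludefile contents: whitespace-separated specs, # comments."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        specs.extend(line.split())
    return specs


def _sort_key(target):
    try:
        return (0, int(ipaddress.ip_address(target)))
    except ValueError:
        return (1, target)


def expand_targets(specs, excludes=(), exclude_file_text=""):
    """Expand all target specs, drop anything matched by --exclude or
    --excludefile, and return the de-duplicated, sorted scan list."""
    excluded = set()
    for spec in list(excludes) + parse_list_file(exclude_file_text):
        excluded.update(expand_spec(spec))
    seen, targets = set(), []
    for spec in specs:
        for target in expand_spec(spec):
            if target not in excluded and target not in seen:
                seen.add(target)
                targets.append(target)
    return sorted(targets, key=_sort_key)


if __name__ == "__main__":
    # Constructed inputs mirroring the tutorial's -iL / --excludefile usage.
    targets_txt = "192.168.1.0/29   # lab segment\nscanme.example\n"
    excluded_txt = "192.168.1.1 192.168.1.7  # gateway and broadcast\n"
    for t in expand_targets(parse_list_file(targets_txt), exclude_file_text=excluded_txt):
        print(t)
```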
Service Version Detection
To detect service versions, you can use the -sV option.
nmap -sV 192.168.1.1
Verbose Output
For more detailed output, you can use the -v option.
nmap -v 192.168.1.1
Debugging
For even more detailed output, you can use the -d option.
nmap -d 192.168.1.1
Packet Tracing
To trace packets, you can use the --packet-trace option.
nmap --packet-trace 192.168.1.1
NMAP is a powerful tool for network discovery and security auditing. It provides a wide range of features that can be used to explore and analyze networks, identify vulnerabilities, and much more. However, it’s important to remember that while NMAP is a powerful tool, it should only be used responsibly and ethically. Always get proper authorization before scanning a network.
This tutorial has covered the basics of using NMAP, but there is much more to learn. The official NMAP documentation (https://nmap.org/book/man.html) is a great resource for further study.