Nmap is an open source tool for network discovery and security auditing.
In real life, it’s most often used to locate available hosts and services on a network, determine the operating systems and versions utilised by machines on a network and pinpoint a network’s open ports.
It is also a valuable tool for security professionals performing a network inventory or a vulnerability assessment.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap is popular, flexible, powerful, portable, easy to use, free software, well documented, supported by a large and active community of developers and users, and has won many awards.
One very important aspect of Nmap to remember is that these scans should be run with root or Administrator access, depending on the type of system you are using. This is required because the scans send raw packets, which require privileged system access.
Nmap features include:
- Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
- Port scanning – Enumerating the open ports on target hosts.
- Version detection – Interrogating network services on remote devices to determine application name and version number.
- OS detection – Determining the operating system and hardware characteristics of network devices.
- Scriptable interaction with the target
Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
Let’s get started with installation and how to use Nmap:
- Install Nmap on your Kali machine, type the command
sudo apt install nmap
- In order to run the ifconfig command, we need to have net-tools installed on the machine, type the command
sudo apt install net-tools
- In order to get information about the network(s), type the command
- We can consult the manual to choose the type of scan, type the command
- Scan network for connected devices
- Scan a single IP
- Scan a host
- Scan a port
- Scan using TCP connect
Some more basic commands we can use are:
- Target Selection
  - Scan a range of IPs – nmap 172.16.44.10-200
  - Scan a subnet – nmap 172.16.44.0/24
  - Scan targets from a text file – nmap -iL ips.txt
- Port Selection
  - Scan a range of ports – nmap -p 1-100 172.16.44.141
  - Scan the 100 most common ports – nmap -F 172.16.44.141
  - Scan all ports – nmap -p- 172.16.44.141
  - Specify UDP or TCP ports – nmap -p U:137,T:139 172.16.44.141
- Scan Types
  - Scan using TCP SYN scan – nmap -sS 172.16.44.141
  - Scan UDP ports – nmap -sU -p 123,161,162 172.16.44.141
  - Scan selected ports, skipping host discovery – nmap -Pn -F 172.16.44.141
- Service and OS Detection
  - Detect OS and services – nmap -A 172.16.44.141
  - Standard service detection – nmap -sV 172.16.44.141
  - Aggressive service detection – nmap -sV --version-intensity 5 172.16.44.141
- Output Formats
  - Save default output to a file – nmap -oN result.txt 172.16.44.141
  - Save results as XML – nmap -oX resultxml.xml 172.16.44.141
  - Save grepable results – nmap -oG formattable.txt 172.16.44.141
  - Save in all formats – nmap -oA allformats 172.16.44.141
- Scripting Engine
  - Scan using the default safe scripts – nmap -sV -sC 172.16.44.141
  - Get help for a script – nmap --script-help=ssl-heartbleed
  - Scan using a specific script – nmap -sV -p 443 --script=ssl-heartbleed 172.16.44.141
  - Update the script database – nmap --script-updatedb
- Some Useful NSE Scripts
  - Scan for UDP DDOS reflectors – nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 172.16.44.2/24
  - Gather page titles from HTTP servers – nmap --script=http-title 172.16.44.141
  - Get HTTP headers of web services – nmap --script=http-headers 172.16.44.141
  - Find web apps from known paths – nmap --script=http-enum 172.16.44.141
  - Find exposed NetBIOS servers – nmap -sU --script nbstat.nse -p 137 172.16.44.141
We can perform many types of scan using Nmap and refine the scanning techniques as needed. The thing to remember is that running different types of scans may produce different results, because firewalls may limit the responses allowed from the hosts they protect.
This utility is a very useful and powerful tool if we know how to use it properly on the network.
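The Output Formats section above saves results with -oG, and this paragraph notes that different scan types can give different results behind a firewall. As an added example (not code from the original post), the Python below parses two constructed grepable outputs and reports which open ports appeared or disappeared between them, a minimal version of what Ndiff does; the sample scan data and the function names are my own.

```python
import re
from collections import defaultdict
# One "Ports:" entry of -oG output: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Constructed -oG samples (not real scans): A is a SYN scan of default ports, B is -Pn -p-.
SCAN_A = (
    "# Nmap 7.94 scan initiated as: nmap -sS -oG a.txt 172.16.44.0/24\n"
    "Host: 172.16.44.141 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\t"
    "Ignored State: closed (997)\n"
    "Host: 172.16.44.2 ()\tPorts: 53/open/udp//domain//dnsmasq 2.89/\n"
)
SCAN_B = (
    "# Nmap 7.94 scan initiated as: nmap -Pn -p- -oG b.txt 172.16.44.0/24\n"
    "Host: 172.16.44.141 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n"
    "Host: 172.16.44.2 ()\tPorts: 53/open/udp//domain//dnsmasq 2.89/\n"
)

def parse_grepable(text):
    """Return {host: {(port, proto): (state, service, version)}} from -oG text."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                     # skip the "# Nmap ..." comment lines
        fields = line.split("\t")        # fields of a Host line are tab-separated
        host = fields[0].split()[1]      # "Host: 172.16.44.141 ()" -> address
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_RE.finditer(field):
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    hosts[host][(int(port), proto)] = (state, service, version)
    return dict(hosts)

def open_ports(inventory):
    """Per host, the sorted (port, proto) pairs whose state is 'open'."""
    return {h: sorted(p for p, (s, _, _) in ports.items() if s == "open")
            for h, ports in inventory.items()}

def diff_scans(old, new):
    """Open ports gained or lost between two parsed scans (a minimal Ndiff)."""
    a, b = open_ports(old), open_ports(new)
    report = {}
    for host in set(a) | set(b):
        pa, pb = set(a.get(host, [])), set(b.get(host, []))
        if pa != pb:
            report[host] = {"gained": sorted(pb - pa), "lost": sorted(pa - pb)}
    return report
```

Running diff_scans(parse_grepable(SCAN_A), parse_grepable(SCAN_B)) shows 443/tcp, filtered in the first scan, and 8080/tcp, outside the default port list, as newly open on 172.16.44.141, which is exactly the kind of difference to expect between scan types and vantage points.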