NMAP for Beginners: Tutorial
Well hello there my fellow Hackers and people reading this article, hope you are doing great! Been a long time I am publishing another blog. But this time, We will be touching the surface of one of the most important tool in cyber security, known as NMAP (Network Mapper).
NMAP is free and open source utility for mapping network and security auditing. It is used in CTFs, penetration test, network discovery, etc. A really flexible, powerful and well documented tool.
NMAP can :
- Map the whole network.
- Discover alive hosts (end-points) on network.
- Detect software version, OS running on the system.
- Have scripts for detecting vulnerabilities, firewall bypass, etc.
- Detect IPv6 networks.
- Scan targets which have ICMP (ping) disabled on the systems (generally Windows OS don’t respond to pings).
Cheat Sheet — NMAP :
nmap -h: open the help menu for the nmap tool.nmap IP: scan top 1000 open ports on the machine.nmap -p<1-65535> IP: scan for open ports from range of 1 to 65535 on the machine.nmap -T<1–5> IP: makes scan faster.nmap -p- IP: Alternatively, we can use-p-to scan all 65535 ports.nmap -O IP: detect operating system running on the system.nmap -sV IP: detect software version running on the system.nmap -sC IP: performs a script scan using the default set of scripts.nmap -sS IP: default scan, performs stealth scan on system.nmap -sT IP: default scan when SYN scan is not an option, performs full TCP scan on system.nmap -sU IP: performs UDP scan on system.nmap -A IP: performs Aggressive scan (Enable OS detection, version detection, script scanning, and traceroute) on the system.nmap --script=vuln IP: runs a specific script on system.- We can use these flags with nmap altogether to scan the system/ network,
nmap -A -T4 -p<1-65535> IP- Alternatively, we can use separate switches which perform same operations on system as command specified above,
nmap -sC -sV -p<1-65535> -O -T4 IPUsage of NMAP :
Keeping these switches in mind, we can now focus on practical part of nmap where we will see what output we get after running these commands with combination of switches.
Let’s perform basic nmap command, nmap IP
Now, let’s perform another basic scan on particular port using -p switch,
Time for us to perform service enumeration using -sV switch on a particular port,
Now, let’s perform script scanning on this port using -sC switch,
Let’s run a OS scan using -O switch,
Note: For OS scans, root privileges must be enabled.
Let’s run aggressive scan on system using -A switch, -T4 switch faster scan, -p- to scan all 65535 ports (can’t include the whole screenshot because output is lengthy),
Before I end typing out this article, I would like to highlight the fact that enumerating services with nma using -sV switch is really crucial as it helps us (as a good attackers) to ready our weapon (in our case, exploit of specific version) and to exploit the machine.
I would suggest you to sit for some time and experiment with all these remaining switches that I can’t cover in this blog and I haven’t specified all switches. It is just some of many around. You can do man nmap to open manual for nmap and try looking for theory for switches and try out them either separately or combination of them.
