Nmap | basic usage tutorial

Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users.

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

It was originally written by Gordon Lyon and it can answer the following questions easily:

1. What computers did you find running on the local network?
2. What IP addresses did you find running on the local network?
3. What is the operating system of your target machine?
4. Find out what ports are open on the machine that you just scanned?
5. Find out if the system is infected with malware or virus.
6. Search for unauthorized servers or network service on your network.
7. Find and remove computers which don't meet the organization's minimum level of security.

Sample setup (LAB)

                                                                             +---------+

                         +---------+                                  | Network |                            +--------+

                          |  server1 |-----------------------+  swtich   +------------------| server2  |  

                         +---------+                                   |   (sw0)   |                            +--------+

                                                                            +----+----+

                                                                                    |

                                                                                    |

                                                                    +---------+----------+

                                                                    | wks01 Linux/OSX   |

                                                                    +--------------------+

Where,

• wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
• server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.
• server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.
• All three systems are connected via switch.

How do I install nmap?

Its pretty simple google it .. the documentation can be found on their official website.

Scan a single host or an IP address (IPv4)

### Scan a single ip address ###

nmap 192.168.1.1

## Scan a host name ###

nmap testsite.com

## Scan a host name with more info###

nmap -v testsite.com

Sample outputs:

open ports are 22 and 80 are given as output along with the hardware address.

Turn on OS and version detection scanning script (IPv4)

nmap -A 192.168.1.254

nmap -v -A 192.168.1.1

nmap -A -iL /tmp/scanlist.txt 

This script will let you help detect or atleast predict the Operating system running on the victims machine.

Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:

nmap -sP 192.168.1.0/24

Sample output:

Host 192.168.1.1 is up (0.00035s latency).

MAC Address: BC:AE:C5:C3:16:93 (Unknown)

Host 192.168.1.2 is up (0.0038s latency).

MAC Address: 74:44:01:40:57:FB (Unknown)

Host 192.168.1.5 is up.

Host nas03 (192.168.1.12) is up (0.0091s latency).

MAC Address: 00:11:32:11:15:FC (Synology Incorporated)

Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second

Show host interfaces and routes

This is useful for debugging (ip command or route command or netstat command like output using nmap)

nmap --iflist

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST

************************INTERFACES************************

DEV    (SHORT)  IP/MASK          TYPE        UP MAC

lo     (lo)     127.0.0.1/8      loopback    up

eth0   (eth0)   192.168.1.5/24   ethernet    up B8:AC:6F:65:31:E5

vmnet1 (vmnet1) 192.168.121.1/24 ethernet    up 00:50:56:C0:00:01

vmnet8 (vmnet8) 192.168.179.1/24 ethernet    up 00:50:56:C0:00:08

ppp0   (ppp0)   10.1.19.69/32    point2point up

**************************ROUTES**************************

DST/MASK         DEV    GATEWAY

10.0.31.178/32   ppp0

209.133.67.35/32 eth0   192.168.1.2

192.168.1.0/0    eth0

192.168.121.0/0  vmnet1

192.168.179.0/0  vmnet8

169.254.0.0/0    eth0

10.0.0.0/0       ppp0

0.0.0.0/0        eth0   192.168.1.2

How do I detect remote operating system?

nmap -O 192.168.1.1

nmap -O  --osscan-guess 192.168.1.1

nmap -v -O --osscan-guess 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 IST

NSE: Loaded 0 scripts for scanning.

Initiating ARP Ping Scan at 01:29

Scanning 192.168.1.1 [1 port]

Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 01:29

Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed

Initiating SYN Stealth Scan at 01:29

Scanning 192.168.1.1 [1000 ports]

Discovered open port 80/tcp on 192.168.1.1

Discovered open port 22/tcp on 192.168.1.1

Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)

Initiating OS detection (try #1) against 192.168.1.1

Retrying OS detection (try #2) against 192.168.1.1

Retrying OS detection (try #3) against 192.168.1.1

Retrying OS detection (try #4) against 192.168.1.1

Retrying OS detection (try #5) against 192.168.1.1

Host 192.168.1.1 is up (0.00049s latency).

Interesting ports on 192.168.1.1:

Not shown: 998 closed ports

PORT   STATE SERVICE

22/tcp open  ssh

80/tcp open  http

MAC Address: BC:AE:C5:C3:16:93 (Unknown)

Device type: WAP|general purpose|router|printer|broadband router

Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)

Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA

OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7

OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5

OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W

OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S

OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R

OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=

OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID

OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=200 (Good luck!)

IP ID Sequence Generation: All zeros

Read data files from: /usr/share/nmap

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds

           Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)

"sofar nmap is one of the best portscanner and network pentesting tool ... there are lots of other features in 

nmap which i could not point out everything on my blog ... so do visit nmap.org for more documentation."