Nmap examples. Network scanner Nmap and its capabilities.

Ever wondered how attackers learn which ports are open on a system and which services are listening on them, without asking the server administrator a single question? You can do this and much more with a small utility called Nmap. Nmap is short for "Network Mapper". Nmap is truly a huge set of network scanning tools "in one bottle". It can be used to find and identify services running on a network, determine the operating system in use and the type of firewall, or simply to quickly enumerate the hosts on a network. In short, it won't hurt to know how to use this thing. Nmap is a very famous utility, literally: once you get to know it, you may recognize it in some movie scenes. In this post, I will show you the basics of working with Nmap and some examples of how to use it.

Most modern distributions carry Nmap in their standard repositories. If that does not apply to the system you are using, you can get the source code and some binary builds from the project's download page.

The syntax for calling the utility from the command line is as follows:

nmap <options> target

Let's say you need to determine the type and version of the OS running on the remote system target.host.com. Run Nmap with the "-O" option (this option requires administrator privileges):

# nmap -O target.host.com

Polling the remote system will take some time and after it completes, you will receive output similar to the one below:

Starting Nmap 5.21 (http://nmap.org) at 2010-02-27 23:52 EST
Nmap scan report for 10.0.0.1
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
5009/tcp  open  airport-admin
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:11:24:6B:43:E2 (Apple Computer)
Device type: WAP|printer
Running: Apple embedded, Canon embedded, Kyocera embedded, Xerox embedded
OS details: VxWorks: Apple AirPort Extreme v5.7 or AirPort Express v6.3; Canon imageRUNNER printer (5055, C3045, C3380, or C5185); Kyocera FS-4020DN printer; or Xerox Phaser 8860MFP printer
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds

As you can see, Nmap provided quite a lot of information. In the example shown, Nmap performed a series of tests and, based on them, tried to determine the type and version of the OS running on the host. The output above comes from scanning an Apple AirPort Extreme router. Besides the likely OS type, Nmap also reported the network distance to the device, the MAC address and manufacturer of its network interface, a list of open ports and the time spent scanning.

Below is the output of another scan, on a host running Ubuntu 9.10:

Starting Nmap 5.21 (http://nmap.org) at 2010-02-28 00:00 EST
Nmap scan report for 10.0.0.6
Host is up (0.0039s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:17:08:2A:D6:F0 (Hewlett Packard)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

Here we see that the manufacturer of the network interface is HP, the operating system is Linux with a kernel version around 2.6.19-2.6.31. In general, it is usually impossible to accurately determine the Linux kernel version using Nmap.

Warning

In the examples above, I scanned my own router and one of the workstations on my network, as I have every right to do. In principle, you can scan any host you want, but it is not a good idea to scan other people's networks and hosts without their owners' permission. If you need something to experiment on, the community provides scanme.nmap.org. This host is set up specifically for Nmap testing, provided you do not intend to test DoS attacks on it.

Some administrators are unsympathetic to unexpected scans of their networks, so stay within the limits and scan hosts that you are allowed to scan. Additionally, some of Nmap's aggressive scanning methods may exceed your ISP's rules, so be careful.

Scan multiple hosts

You can scan more than one host in one run of Nmap. If you are using IP addresses as scan targets, you can pass them to Nmap as ranges, for example: 10.0.0.1-6 or 10.0.0.0/24 . The first method determines the range of IP addresses from 10.0.0.1 to 10.0.0.6, and the second - from 10.0.0.1 to 10.0.0.254, i.e. the entire subnet 10.0.0.0 with a mask of 24 in CIDR notation. For example, if you want to scan hosts with IP addresses 10.0.0.1-10.0.0.42, the command would be:

# nmap -O 10.0.0.1-42

If you are using hostnames instead of addresses, then simply list the names separated by spaces:

# nmap -O host1.target.com host2.target.com

Finding open ports

If you run Nmap without options, passing it only the name of the target host, Nmap will scan the target for open network ports and services listening on them. For example:

$ nmap target.hostname.com
Interesting ports on target.hostname.com (10.0.0.88):
Not shown: 1711 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 0.228 seconds

Here you can see that ports 22, 80 and 3306 are open on the target host, with the names of the services on those ports listed as ssh, http and mysql respectively. Nmap recognizes six port states: open, closed, filtered (the port is unreachable, most likely filtered by a firewall), unfiltered (the port is reachable, but its state could not be determined), open|filtered (open or filtered by a firewall), and closed|filtered (closed or filtered by a firewall).

If you need more detailed information, use the "-v" option once or twice, for example:

$ nmap -vv host.target.com
Initiating Ping Scan at 11:44
Scanning 10.0.0.28
Completed Ping Scan at 11:44, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:44
Completed Parallel DNS resolution of 1 host. at 11:44, 0.00s elapsed
Initiating Connect Scan at 11:44
Scanning host.target.com (10.0.0.28)
Discovered open port 22/tcp on 10.0.0.28
Discovered open port 80/tcp on 10.0.0.28
Discovered open port 3306/tcp on 10.0.0.28
Completed Connect Scan at 11:44, 0.08s elapsed (1714 total ports)
Host host.target.com (10.0.0.28) appears to be up ... good.
Interesting ports on host.target.com (10.0.0.28):
Not shown: 1711 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.104 seconds

Scanning services

If you need to find out in as much detail as possible what kind of service is sitting on a particular port, try the "-sV" option. It makes Nmap perform a more aggressive scan: instead of a plain port scan, it probes the services found on each port. This method also sometimes makes it possible to determine the type and version of the OS on the target system more accurately.

$ nmap -sV target.host.com
Starting Nmap 5.21 (http://nmap.org) at 2010-02-28 00:15 EST
Nmap scan report for test.host.net (XX.XXX.XXX.XX)
Host is up (0.090s latency).
Not shown: 965 closed ports, 33 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
Service Info: OS: Linux
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.43 seconds

As can be seen from the output above, Nmap identified OpenSSH 4.7 and Apache 2.2.8 on ports 22 and 80. From the software version strings it can also be inferred that the server runs Ubuntu Linux. This scanning method comes in handy when you need to identify outdated software versions on your hosts that may be susceptible to known threats.

Who lives on my network?

Not sure you know all the inhabitants of your network? Try running Nmap with the "-sP" option: it performs a plain ping scan, identifying only the hosts that respond, without port scanning. For example, to find the live hosts in the 10.0.0.0/24 subnet, a simple command is enough:

$ nmap -sP 10.0.0.0/24

Or, as mentioned above, you can specify a range of hosts rather than the entire subnet. For example:

$ nmap -sP 10.0.0.1-16

Zenmap

If working at the command line is not your thing, you can use Zenmap, the GUI utility, which makes it easier to build the Nmap command line and also has some bonuses such as drawing a graphical map of the network.

Zenmap comes with pre-installed scan profiles that you can simply select from a drop-down list without having to dive into the intricacies of Nmap's options. Zenmap is a great tool for those who are just getting started with Nmap or just want to play with it. If your job requires you to use Nmap often, then, of course, be sure to study the documentation for it and spend time experimenting.

Results

In future articles about Nmap, we will delve deeper into this incredibly powerful tool. In the meantime, I hope this article will provide some incentive to study it for those who have not yet done so.

The responsibilities of a network administrator include many things, and network auditing is one of the main ones. Auditing a network is not difficult if it is small. But what if the size of the network you administer makes it impossible to manually walk through each device or host in order to find out whether it is working or not, what OS is installed on it, which ports are open and which are not? If you find yourself in such a situation, then a program that has become virtually a standard in the world of OpenSource network audit utilities will help you a lot - Zenmap.

Zenmap is a graphical front end for the popular utility Nmap. Nmap is a console-based OpenSource tool for network security analysis and auditing. Despite the fact that Nmap itself is a very powerful utility, when working on large networks many administrators have little desire to rely on console tools alone. As some of them say: "A picture is worth a thousand words." And in the case of Zenmap they are certainly right, because with it you can get an interactive graphical map of your network.

Installation and launch

Installing Zenmap on most modern distributions is not difficult if you use the standard package manager and install it from the repositories. You can, of course, also build Zenmap yourself, although I personally don't see much point in this. And don't forget that Zenmap is a GUI for Nmap, which must of course be present on the system (when installing through the package manager, it will let you know about this dependency).

It is best to launch Zenmap as root, since Nmap requires superuser rights to function fully:

sudo zenmap

Usage

Once you launch Zenmap, you'll see a fairly simple user interface:

Let's start. The first thing we need is the scan target. Let's imagine that you need to scan a network whose IP addresses match the mask 192.168.100.* . Enter this pattern in the Target field. Next, in the Profile drop-down list, select the appropriate scan profile from those offered. I want to warn you right away that scanning with "Intense scan" can do bad things to some network devices, such as switches or routers. Be careful with it. After selecting a profile, the contents of the "Command" field, which holds the nmap command with its parameters, will change as well. If necessary, you can always adjust it to suit yourself.

Once the target has been identified and a scan profile has been selected, you can press "Scan" and go have coffee (or not, it all depends on the size of the task assigned to nmap and the speed of your network). Once the scan is completed, you will see a list of found hosts in the left pane.

In the right panel you see five tabs:

  • Nmap Output: the tab that opens by default, showing the text output of nmap;
  • Ports/Hosts: here you can see which ports are open and on which hosts;
  • Topology: this tab displays your network topology in graphical form;
  • Host Details: here you can see detailed information about the scan results for the host selected in the left panel;
  • Scans: this tab holds all your previous scan commands, i.e. the history.

Topology

Going to the Topology tab, you will find the most interesting part of Zenmap. The topology of the network under study is displayed here as a cluster of circles labelled with host names or IP addresses. If the network under study is large enough, it is almost impossible to make anything out in this pile of circles.

Click the Controls button at the top and, using the Zoom and Ring gap controls that appear on the right, adjust the display to suit you. Also, using the checkboxes in the View section, you can select which host information is displayed on the map.

As stated above, the graphical topology presented in Zenmap is interactive. By clicking on a host you can make it the centre of the map, and in the Navigation section you can rotate the entire map as you please. These features are especially useful when your network is large enough that you need to work with a specific part of the topology. To get detailed information about a host, just right-click on it:

Scan profiles

In Zenmap you can use predefined profiles, or you can create your own. To create a new profile or edit an existing one, open the menu Profile and then select New Profile or Command or Edit Selected Profile respectively. In the window that appears, configure everything as you need.

Of course, if you changed an existing profile, you will need to restart the scan again, taking into account the changes made.

Conclusion

Zenmap is an incredibly powerful utility that enables network administrators to audit networks of virtually any size. A great thing, easy to use and, in addition, OpenSource. Be sure to delve into the profile editor and configure everything in the best way for yourself, and then you will be able to fully appreciate the full power of this tool.

TCP Scan

Using the TCP connect method, nmap scans the whole port range (1-65535) of the computer at the given IP address; the -sV option is added to obtain the versions of the running services:

$ nmap -sV xxx.xxx.xxx.xxx -p 1-65535

It is also worth noting the SERVICE and STATE fields in the output.

The SERVICE field always displays the name from the /etc/services file that corresponds to the port number. This does not mean that the named service is actually what is listening on that port: you can run a web server on port 22 and SSH on port 80, and nmap will still label port 22 as ssh and port 80 as http.

In the STATE field, the ssh port is open in one case and filtered in the other. The value filtered means that the port rejects or drops traffic; it does not indicate whether or not there is a service on that port.

-T "Paranoid|Sneaky|Polite|Normal|Aggressive|Insane" - timing modes. With "Paranoid" the scan takes a very long time, but you have a greater chance of going unnoticed by scan detectors. Conversely, use "Insane" when scanning fast or weakly protected networks.

-oN/-oM "logfile" - write the results to logfile in normal (-oN) or machine-readable (-oM) form.

--resume "logfile" - this option lets you resume a scan that was interrupted for some reason, provided its results were being written to a file (the -oN "logfile" or -oM "logfile" option was enabled). To continue, run Nmap with only this option and the file into which the previous scan was recorded ("logfile").

1. Scan a Single Host or IP Address

Scan Separate IP Address:

$ nmap 192.168.1.1

Scan server by Host name:

$ nmap server.shellhacks.com

Increase Level of detail scan results:

$ nmap -v server.shellhacks.com
$ nmap -vv server.shellhacks.com

2. Scanning Multiple IP Addresses

Scan Multiple IP Addresses:

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ nmap 192.168.1.1,2,3

Scan Subnet:

$ nmap 192.168.1.0/24
$ nmap 192.168.1.*

Scan IP Address Range (192.168.1.0 - 192.168.1.200):

$ nmap 192.168.1.0-200

3. Search for Active Computers on the Network

Scan the network for search Active Hosts:

$ nmap -sn 192.168.1.0/24

4. Scan Host List from File

Scanning a list of hosts/networks from File:

$ nmap -iL input.txt

File format:

$ cat input.txt
# Entries can be in any of the formats that Nmap works with
# from the command line (IP addresses, hostnames, CIDR, IPv6, or octet
# ranges). Entries must be separated by one or more spaces, tabs,
# or newlines.
server.shellhacks.com
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200

5. Excluding IP/Hosts/Networks from Scanning

Exclude Goals from Nmap scan:

$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1 192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3

Exclude List hosts taken from the file:

$ nmap 192.168.1.0/24 --excludefile exclude.txt

The file format with excluded hosts is similar to the one above.

6. Scan Specific Ports

Scan One Port:

$ nmap -p 80 192.168.1.1

Scan Multiple Ports:

$ nmap -p 80,443 192.168.1.1

Scan Port Range:

$ nmap -p 80-1000 192.168.1.1

Scan All Ports:

$ nmap -p "*" 192.168.1.1

Scan several of the most Common Ports:

$ nmap --top-ports 5 192.168.1.1
$ nmap --top-ports 10 192.168.1.1

7. Determination of Supported IP Protocols

Determine which IP protocols (TCP, UDP, ICMP, etc.) the scanned host supports:

$ nmap -sO 192.168.1.1

8. TCP/UDP Port Scanning

Scan all TCP Ports:

$ nmap -sT 192.168.1.1

Scan specific TCP Ports:

$ nmap -p T:80 192.168.1.1

Scan all UDP Ports:

$ nmap -sU 192.168.1.1

Scan specific UDP Ports:

$ nmap -p U:53 192.168.1.1

Combining scanning of different ports:

$ nmap -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1

9. Quick Scan

Activate Fast Mode scan:

$ nmap -F 192.168.1.1

* Scans fewer ports than with regular scanning.

10. Show Cause of Port Status

Show the reason why Nmap believes a port is in a particular state:

$ nmap --reason 192.168.1.1

11. Show Only Open Ports

Show only open ports (or possibly open ones):

$ nmap --open 192.168.1.1

12. OS Detection

One of Nmap's best-known features is remote OS detection based on analysis of the TCP/IP stack.

Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.

After running many tests, Nmap compares the results to its database and, if a match is found, displays information about the OS.

Turn on OS detection:

$ nmap -O 192.168.1.1

13. Determining the Version of Services

Turn on Determining the Version of Services:

$ nmap -sV 192.168.1.1

* Determines the versions of programs running on the remote server.

14. Firewall Detection

Find out whether your computer is protected by any packet filters or a firewall:

$ nmap -sA 192.168.1.1

15. MAC Address Spoofing

Spoof the MAC address:

$ nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1

Use a random MAC address:

$ nmap --spoof-mac 0 192.168.1.1

16. Scan Firewall for Vulnerabilities

These three scan types exploit a subtle loophole in the TCP RFC to distinguish open ports from closed ones.

When scanning an RFC-compliant system, any packet that does not have the SYN, RST or ACK bit set elicits an RST response if the port is closed and no response at all if the port is open.

Since none of those three bits may be set, any combination of the remaining three flags (FIN, PSH and URG) is valid.

TCP Null scanning:

$ nmap -sN 192.168.1.1

* No bits are set (Flags in TCP header 0).

TCP Fin scanning:

$ nmap -sF 192.168.1.1

* Only the TCP FIN bit is set.

TCP Xmas scanning:

$ nmap -sX 192.168.1.1

* The FIN, PSH and URG flags are set (the packet lights up like a Christmas tree).
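As an added example, not part of the original article, here is a small defender-side detector for the three probe types just described. It parses constructed iptables LOG lines (the bare flag tokens between RES= and URGP= are how the kernel prints a packet's TCP flags), names each probe as Null, FIN or Xmas by the rule in the text, and reports sources that hit several distinct ports; the sample lines, the source addresses and the min_ports threshold are assumptions.

```python
"""Classify TCP probes by flag combination and spot Null/FIN/Xmas scans in firewall logs."""
import re
from collections import Counter, defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed iptables LOG lines (not captured from a real system). The kernel prints the
# set TCP flags as bare tokens between RES=... and URGP=...; a Null probe prints none.
SAMPLE_LOG = """\
Mar 25 11:05:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Mar 25 11:05:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=41234 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Mar 25 11:05:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=41235 DPT=443 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Mar 25 11:05:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=41236 DPT=25 WINDOW=1024 RES=0x00 FIN URGP=0
Mar 25 11:05:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 25 11:05:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.1.1 LEN=52 PROTO=TCP SPT=51000 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?RES=0x[0-9a-fA-F]+ (?P<flags>.*?)URGP="
)


def parse_line(line):
    """Return (src, dport, flagset) for a TCP LOG line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = frozenset(tok for tok in m.group("flags").split() if tok in TCP_FLAGS)
    return m.group("src"), int(m.group("dpt")), flags


def classify_probe(flags):
    """Name the probe type. A packet carrying SYN, RST or ACK is ordinary traffic (None);
    anything else is the RFC loophole the text describes, in one of Nmap's three flavours."""
    if flags & {"SYN", "RST", "ACK"}:
        return None
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    return "other"


def rfc_compliant_reply(flags, port_open):
    """What an RFC-compliant stack sends back to such a probe: RST if the port is closed,
    nothing if it is open. This asymmetry is what the three scan types rely on."""
    if flags & {"SYN", "RST", "ACK"}:
        raise ValueError("not a Null/FIN/Xmas-style probe")
    return None if port_open else "RST"


def detect_scans(log_text, min_ports=3):
    """Group probes by source; report sources that hit at least min_ports distinct ports,
    with a count of each probe type seen from them."""
    per_src = defaultdict(lambda: {"types": Counter(), "ports": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport, flags = parsed
        kind = classify_probe(flags)
        if kind is None:
            continue
        per_src[src]["types"][kind] += 1
        per_src[src]["ports"].add(dport)
    return {src: dict(info["types"])
            for src, info in per_src.items() if len(info["ports"]) >= min_ports}


if __name__ == "__main__":
    for src, types in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: Null/FIN/Xmas probes by type {types}")
```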

Hosts using a firewall may not respond to standard ICMP pings.

Try the following methods for discovering connected hosts if your firewall is blocking standard ICMP pings:

# TCP SYN Ping
$ nmap -sn -PS 192.168.1.0/24
# TCP ACK Ping
$ nmap -sn -PA 192.168.1.0/24
# UDP Ping
$ nmap -sn -PU 192.168.1.0/24
# IP Protocol Ping
$ nmap -sn -PO 192.168.1.0/24
# ARP Ping
$ nmap -sn -PR 192.168.1.0/24

The last three commands must be run as root.

17. Covert Scan

TCP SYN scanning:

$ nmap -sS 192.168.0.1

* Known as half-open scanning because it does not open full TCP connections.

18. Disabling Host Discovery (No Ping)

Do not ping hosts before scanning:

$ nmap -Pn 192.168.1.1

19. Disabling DNS Use

Never do reverse DNS resolution for the active IP addresses discovered:

$ nmap -n 192.168.1.1

20. Saving Nmap Scan Results to a File

$ nmap 192.168.1.1 > output.txt
$ nmap -oN output.txt 192.168.1.1

$ nmap -oX output.xml 192.168.1.1

Anonymous Port Scanning: Nmap + Tor + ProxyChains

Installing Tor + Nmap + ProxyChains

To perform anonymous port scanning we need to install the following programs:

Tor

Install Tor client from standard repositories:

$ sudo apt-get install tor

Nmap

Install Nmap:

$ sudo apt-get install nmap

ProxyChains

Install ProxyChains:

$ sudo apt-get install proxychains

ProxyChains is already configured by default to work with Tor.

You can verify this by looking at /etc/proxychains.conf.

The last lines of the config should look like this:

# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050

Anonymous Port Scanning via Tor

Run the following command to scan anonymously with Nmap over the Tor network:

$ proxychains nmap -sT -PN -n -sV -p 80,443,21,22 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 6.00 (http://nmap.org) at 2014-03-24 17:34 EET
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:443-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:21-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:22-<--denied
Nmap scan report for 217.xx.xx.xx
Host is up (0.14s latency).
PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      Pure-FTPd
22/tcp  closed ssh
80/tcp  open   http     Apache httpd 2.2.26 ((CentOS))
443/tcp open   ssl/http Apache httpd 2.2.26 ((CentOS))

In the scan logs we can see a ‘chain’ that goes from Tor-proxy (127.0.0.1:9050) to the scanned host (217.xx.xx.xx).

Nmap via Tor: Bypass Node Blocking

We may encounter a situation where scanning fails because Tor exit nodes are blocked (banned by the scanned host).

A way out of this situation may be to add an ordinary public proxy server.

This is done by editing /etc/proxychains.conf and adding a new entry at the end (also make sure the random_chain option is disabled).

# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
socks4 115.71.237.212 1080

The new 'chain' now goes through the Tor proxy (127.0.0.1:9050) to the public proxy server we specified (115.71.237.212:1080), and then to the scanned host (217.xx.xx.xx).

$ proxychains nmap -sT -PN -n -sV -p 21 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 6.00 (http://nmap.org) at 2014-03-25 11:05 EET
|S-chain|-<>-127.0.0.1:9050-<>-115.71.237.212:1080-<><>-217.xx.xx.xx:21-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<>-115.71.237.212:1080-<><>-217.xx.xx.xx:21-<><>-OK
Nmap scan report for 217.xx.xx.xx
Host is up (1.2s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Pure-FTPd

In the examples above, I run Nmap with the following options:

tor-resolve, to resolve a hostname to an IP address, over the Tor network:
