Nmap in windows
Introduction to Nmap:-
Nmap (Network Mapper) is a utility for network exploration or security or security auditing . It supports ping scanning (determine which hosts are up), many port scanning techniques, version detection (determine service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification).
Internet security companies can use Nmap to scan a system and understand what weaknesses exist that a hacker could potentially exploit. As the program is open-source and free, it is one of the more common tools used for scanning networks for open ports and other weaknesses.
How to use Nmap in windows?
Launch a command prompt.
Typing nmap [hostname] or nmap [ip_address] will initiate a default scan. A default scan uses 1000 common TCP ports and has Host Discovery enabled.
Host Discovery performs a check to see if the host is online. In a large IP range, this is useful for identifying only active or interesting hosts, rather than scanning every single port on every single IP in the range (a lot of which may not even be there).
Brief summary:-
| STATE | Description |
| Open | The target port actively responds to TCP/UDP/SCTP requests. |
| Closed | The target port is active but not listening. |
| Filtered | A firewall or packet filtering device is preventing the port state being returned. |
| Unfiltered | The target port is reachable but Nmap cannot determine if it is open or closed. |
| Open/Filtered | Nmap cannot determine if the target port is open or filtered. |
| Closed/Filtered | Nmap cannot determine if the target port is closed or filtered |
The “–open” parameter
In any of the commands below, you can specify the “–open” parameter in your Nmap command to have Nmap only show you ports with an “Open” state.
| nmap –open [ip_address] |
Scanning a single port
| nmap -p 80 [ip_address] |
This command will initiate a default scan against the target host and look for port 80.
Scanning a specific range of ports
| nmap -p 1-200 [ip_address] |
This command will initiate a default scan against the target host and look for ports between the range of 1-200.
Scanning the entire port range
| nmap -p- [ip_address] |
This command will initiate a scan against the target host looking for all ports (1-65535).
Scanning the top 100 ports (fast scan)
| nmap -F [ip_address] |
This command will initiate a fast scan against the target host looking only for the top 100 common TCP ports.
Scanning multiple TCP/UDP ports
| nmap -p U:53,67-68,T:21-25,80,135 [ip_address] |
This command will initiate a scan against the target host looking only for specified UDP and TCP ports.
Scanning for specific service names
| nmap -p http,ssh,msrpc,microsoft-ds [ip_address] |
This command will initiate a scan against the target host looking for ports associated with specified service names.
TCP SYN scan (default)
| nmap -sS [ip_address] |
This command will initiate a TCP SYN scan against the target host. A TCP SYN scan sends a SYN packet to the target host and waits for a response. If it receives an ACK packet back, this indicates the port is open. If an RST packet is received, this indicates the port is closed. If no response is received after multiple transmissions, the port is considered filtered (a device or application between the source and the target is filtering the packets).
TCP connect scan
| nmap -sT [ip_address] |
This command will initiate a TCP connect scan against the target host. A TCP connect scan is the default scan performed if a TCP SYN scan is not possible. This type of scan requests that the underlying operating system try to connect with the target host/port using the ‘connect’ system call.
UDP port scan
| nmap -sU [ip_address] |
This command will initiate a UDP port scan against the target host. A UDP scan sends a UDP packet to the target port(s). If a response is received, the port is classified as Open. If no response is received after multiple transmissions, the port is classified as open/filtered.
SCTP INIT scan
| nmap -sY [ip_address] |
This command will initiate an SCTP INIT scan against the target host. An SCTP INIT scan is similar to the TCP SYN scan but specific to the SCTP protocol. An INIT chunk is sent to the target port(s). If an INIT-ACK chunk is received back, the port is classified as open. If an ABORT chunk is received, the port is classified as closed. If no response is received after multiple transmissions, the port is classified as filtered.
Zenmap
The Nmap installation package comes with a front-end GUI for Nmap called Zenmap, used to control Nmap from a user interface rather than a command-line.
One of the key benefits of using the GUI front-end version is the ability to save scanning profiles. You can configure a profile to include customized scanning options, scan targets, ping options, scripts, and performance options.
You may wish to create a new profile before initiating a scan. To do this, go to Profile > New Profile or Command.
A default list of scan profiles is included and the description and options for each can be reviewed from Profile > Edit Selected Profile.
To kick off a scan, enter the target to be scanned and choose a scan profile before clicking ‘Scan’.
When the scan is complete, the results will be displayed in the ‘Nmap Output’ tab with a further breakdown available in the Ports/Hosts, Topology, Host Details, and Scans tabs.
Go to the Ports/Hosts tab for a detailed list of all the open ports found on the target host.
Zenmap saves a history of your scans and allows you to compare two scans side-by-side. To do this, go to Tools > Compare Results. This is useful for eyeballing whether two hosts have the same list of open ports.
Nmap cheatsheets:-
host discovery and identification
| Basic scanning | nmap <target> |
| Launch a ping scan (subnet) | nmap -sn <target> Ex: nmap -sn 192.168.1.0/24 |
| Scan a list of targets | nmap -iL [targets.txt] |
| Ping scan with traceroute | nmap -sn –traceroute acme.org example.org |
| TCP SYN ping | nmap -PS <target> |
| UDP ping | nmap -PU <target> |
| Scan IPv6 target | nmap -6 <target> |
| Specify NSE script | nmap -sn –script dns-brute example.org |
| Manually assign DNS servers | nmap –dns-servers <servers> <target> |
| ARP discovery | nmap -PR <target> Ex: nmap -PR 192.168.1.0/24 |
| UDP discovery on specified port | nmap -PU53 <target> |
| No DNS resolution | nmap -n <target> |
| Select network interface | nmap -e <interface> <target> |
| Skip host discovery | nmap -Pn <target> |
Version detection
| Service detection | nmap -sV <target> Ex: nmap -sV scanme.nmap.org |
| OS detection | nmap -O <target> |
| Attempt OS guessing | nmap -O –osscan-guess <target> |
| Increasing version detection | nmap -sV –version-intensity 0-9> <target> |
| Troubleshoot version scans | nmap -sV –version-trace <target> |
| Aggressive detection mode | nmap -A <target> |

Comments
Post a Comment