Nmap is an open-source tool that allows us to find out which ports are open or closed, what services are running on those ports, and which operating system the scanned host is running.
It sends various packets to the target and draws its conclusions from the responses.
It also has useful features such as firewall detection, vulnerability scanning and exploitation, and NSE scripts.
Installation
The package repositories of Red Hat, Debian, and Arch-based Linux distributions contain the Nmap tool. It comes preinstalled in Kali Linux.
Redhat:
#yum install nmap
Debian:
#apt-get install nmap
Arch:
#pacman -S nmap
Target Specification
To use Nmap, we simply need to specify a target. The target can be a hostname, an IP address, or a network address.
#nmap systemconf.com
#nmap 192.168.0.1
#nmap 192.168.0.0/16
If you use Nmap without specifying any options, Nmap will scan the 1000 most commonly used ports with the SYN scan (when run with root privileges; as an unprivileged user it falls back to a TCP connect scan).
- For scanning the entire network
nmap 192.168.1.0/24
- For scanning from a file
nmap -iL ip.txt
- For scanning exclude target
nmap 192.168.1.0/24 --exclude 192.168.1.1
Host Discovery
Sometimes devices do not respond to the ping scan, so we need a different scan technique to find out whether the host is up.
Nmap gives us the option to do host discovery with ICMP echo requests and TCP SYN / TCP ACK / UDP packets.
If we don't specify any parameters, Nmap performs host discovery by sending an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request.
Parameters
- -sL: Lists all target IP addresses without sending any packets to them.
- -sn: Disables port scan after the host discovery.
- -Pn: Skips host discovery. You can use this option to speed up port scanning.
- -PS: Performs host discovery by sending TCP SYN packets to the specified ports. Can be used for firewall evasion. The port list is attached directly to the option, with no space; otherwise Nmap treats the list as a target.
nmap -PS22,80,443 192.168.1.0/24
- -PA: Performs host discovery by sending TCP ACK packets to the specified ports. Can be used for firewall evasion.
nmap -PA22,80,443 192.168.1.0/24
- -PU: Performs host discovery by sending UDP packets to the specified ports. Can be used for firewall evasion. The results are less reliable, because UDP delivery is not guaranteed.
nmap -PU22,80,443 192.168.1.0/24
- -PE / -PP / -PM: Performs host discovery by sending ICMP packets (echo request, timestamp request, and address mask request respectively).
- -PR: Sends ARP requests to the whole local network; if an ARP reply comes back, the device is up.
- -n: We can use this parameter if we don't want DNS resolution.
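The host discovery options above and the -iL option from the Target Specification section are often combined: sweep a range once, keep only the hosts that answered, and feed that list to the port scan. The following script is an added example and is not code from the original page or from the Nmap project. It parses Nmap's grepable output (-oG) from a constructed, verbose ping sweep (the addresses and names are made up) and writes the live hosts to a file suitable for -iL; the follow-up nmap commands are shown in comments rather than executed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): turn the grepable output of a
# ping sweep (nmap -sn -v -oG -) into a plain host list, so the live hosts
# can be fed to a port scan with -iL instead of re-sweeping the whole range.

# Constructed sample of what `nmap -sn -v -oG - 192.168.1.0/29` prints;
# the addresses and hostnames are made up. Nmap separates fields with tabs;
# awk's default field splitting accepts tabs or spaces alike.
SAMPLE_SWEEP='# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -v -oG - 192.168.1.0/29
Host: 192.168.1.1 (router.lan)  Status: Up
Host: 192.168.1.2 ()    Status: Up
Host: 192.168.1.3 ()    Status: Down
Host: 192.168.1.4 (printer.lan) Status: Up
Host: 192.168.1.5 ()    Status: Down
# Nmap done at Mon Jan  1 12:00:02 2024 -- 8 IP addresses (3 hosts up) scanned in 1.52 seconds'

# live_hosts GREPABLE_OUTPUT: one IP per line for every host reported "Status: Up".
# The "#" header and footer lines never match /^Host:/, so they are skipped.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# live_host_count GREPABLE_OUTPUT: number of live hosts in the sweep.
live_host_count() {
    live_hosts "$1" | wc -l | tr -d ' '
}

# write_target_file GREPABLE_OUTPUT PATH: save the live hosts as an -iL file.
write_target_file() {
    live_hosts "$1" > "$2"
    printf 'wrote %s target(s) to %s\n' "$(live_host_count "$1")" "$2"
}

# Usage against a real sweep (shown, not executed here):
#   nmap -sn -v -oG sweep.gnmap 192.168.1.0/24
#   write_target_file "$(cat sweep.gnmap)" live.txt
#   nmap -sS -p 22,80,443 -iL live.txt
```

Hosts that never answer any probe are absent from the list by design; if a segment is known to drop all discovery probes, the port scan of that segment needs -Pn instead, at the cost of probing every address.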
Port Scanning
Nmap divides ports into six states: open, closed, filtered, unfiltered, open|filtered, and closed|filtered.
- open: The port is open and a service is listening on it.
- closed: The port is reachable, but no service is listening on it.
- filtered: Nmap cannot tell whether the port is open or closed, because a firewall or other filtering blocks the probes.
- unfiltered: Returned only by the ACK scan. The port is reachable, but Nmap cannot tell whether it is open or closed.
- open|filtered: Reported when Nmap cannot determine whether the port is open or filtered.
- closed|filtered: Reported when Nmap cannot determine whether the port is closed or filtered.
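The six states are easiest to work with when a scan's results are read programmatically. The script below is an added example, not code from the original page or from the Nmap project: it parses a constructed grepable (-oG) record from a combined SYN and UDP scan (the host and results are made up) and selects or counts ports by state, including the combined open|filtered and closed|filtered states that a plain "open" search would miss.

```shell
#!/bin/sh
# Added example (not from the original page): read a port scan's grepable
# output (nmap -oG -) and pick out ports by the state Nmap assigned them,
# including the combined states open|filtered and closed|filtered.

# Constructed sample of what a combined SYN + UDP scan prints with -oG -;
# the host and results are made up. Nmap uses tabs between fields; awk's
# default splitting accepts tabs or spaces.
SAMPLE_SCAN='# Nmap 7.94 scan initiated Mon Jan  1 12:10:00 2024 as: nmap -sS -sU -p T:22,80,443,8080,U:53,161 -oG - 10.0.0.5
Host: 10.0.0.5 ()   Status: Up
Host: 10.0.0.5 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/closed/tcp//http-proxy///, 53/open|filtered/udp//domain///, 161/closed/udp//snmp///
# Nmap done at Mon Jan  1 12:10:05 2024 -- 1 IP address (1 host up) scanned in 4.87 seconds'

# ports_in_state GREPABLE_OUTPUT STATE: prints "host proto/port service" for
# every port entry whose state equals STATE. Each entry in the Ports: field
# has the form port/state/protocol/owner/service/rpcinfo/version/.
ports_in_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Host:/ && /Ports: / {
            host = $2
            line = $0
            sub(/^.*Ports: /, "", line)
            # Nmap appends "Ignored State: <state> (<n>)" when it collapses the majority state.
            sub(/[ \t]+Ignored State:.*$/, "", line)
            n = split(line, entry, /, /)
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == want) print host, f[3] "/" f[1], f[5]
            }
        }'
}

# count_in_state GREPABLE_OUTPUT STATE: how many port entries are in STATE.
count_in_state() {
    ports_in_state "$1" "$2" | wc -l | tr -d ' '
}

# state_summary GREPABLE_OUTPUT: one "state count" line per state that occurs,
# in the order the six states are listed above.
state_summary() {
    for s in open closed filtered unfiltered 'open|filtered' 'closed|filtered'; do
        c=$(count_in_state "$1" "$s")
        [ "$c" -gt 0 ] && printf '%s %s\n' "$s" "$c"
    done
    return 0
}

# Usage against a real scan (shown, not executed here):
#   nmap -sS -sU -p T:22,80,443,8080,U:53,161 -oG scan.gnmap 10.0.0.5
#   state_summary "$(cat scan.gnmap)"
#   ports_in_state "$(cat scan.gnmap)" 'open|filtered'
```

The UDP port 53 in the sample illustrates why the combined states matter: a UDP probe that gets no answer leaves Nmap unable to distinguish a listening service from a dropped packet, so it reports open|filtered rather than open, and a summary that only counts "open" would undercount the exposed surface.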