Nmap is a powerful scanner available on Linux systems. With it we can find out all the ways a computer communicates with other computers on a network.
Features of Nmap :-
1. Flexible :- Advanced techniques for mapping out networks filled with IP filters, firewalls and routers. This includes many port scanning mechanisms (TCP and UDP), OS detection and version detection.
2. Powerful :- Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
3. Portable :- Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, Mac OS X, HP-UX, NetBSD and Sun OS.
4. Easy :- Nmap is easy to operate, e.g. <nmap -A -v target>. You can also use Zenmap, which is a GUI.
5. Free :- Nmap is free.
6. Popular :- Thousands of people download Nmap every day, and it is included with many operating systems (Red Hat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc).
Advantages of Nmap :-
1. Find computers on a network.
2. Find open ports on those computers.
3. Find out what services are using those ports.
4. Find out what operating system is on the computers.
5. Find out the detected application name and version number.
6. Raw sockets (sending) :- The system API for sending custom packets is called raw sockets. Unfortunately these sockets can't be used to listen for raw packets on the wire.
7. NSE :- Lets a programmer choose what to do with the services Nmap finds. The programmer can write Nmap Scripting Engine programs in the Lua programming language.
8. Three-way handshake on TCP/IP.
a) SYN (Synchronous) :- The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
b) SYN-ACK (acknowledgment) :- In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number that the server chooses for the packet is another random number, B.
c) ACK (acknowledgment) :- Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, i.e. A + 1, and the acknowledgement number is set to one more than the received sequence number, i.e. B + 1.
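The three steps above, as an added Python model that is not code from the original page: it computes A, A + 1, B and B + 1 with 32-bit wrap-around and rejects a SYN-ACK that does not acknowledge the client's own ISN, which is how a real stack discards stale or spoofed replies. The Segment class and the function names are my own.

```python
import random
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

MOD = 2 ** 32  # TCP sequence and acknowledgement numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    """Only the parts of a TCP header that the handshake depends on."""
    flags: FrozenSet[str]
    seq: int
    ack: int = 0


def client_syn(isn_a: int) -> Segment:
    """Step a): active open; the client picks a random initial sequence number A."""
    return Segment(frozenset({"SYN"}), seq=isn_a)


def server_syn_ack(syn: Segment, isn_b: int) -> Segment:
    """Step b): the server acknowledges A + 1 and announces its own random ISN B."""
    if syn.flags != {"SYN"}:
        raise ValueError("passive open expects a bare SYN")
    return Segment(frozenset({"SYN", "ACK"}), seq=isn_b, ack=(syn.seq + 1) % MOD)


def client_ack(syn_ack: Segment, isn_a: int) -> Segment:
    """Step c): the client checks that its ISN was acknowledged, then acks B + 1."""
    if syn_ack.flags != {"SYN", "ACK"}:
        raise ValueError("expected SYN-ACK")
    if syn_ack.ack != (isn_a + 1) % MOD:
        # A SYN-ACK that does not acknowledge A belongs to some other (stale,
        # spoofed or mis-addressed) attempt, so the client must not accept it.
        raise ValueError("SYN-ACK does not acknowledge our ISN")
    return Segment(frozenset({"ACK"}), seq=syn_ack.ack, ack=(syn_ack.seq + 1) % MOD)


def handshake(isn_a: Optional[int] = None, isn_b: Optional[int] = None) -> Tuple[Segment, Segment, Segment]:
    """Run all three steps; ISNs default to random values as a real stack would use."""
    if isn_a is None:
        isn_a = random.randrange(MOD)
    if isn_b is None:
        isn_b = random.randrange(MOD)
    syn = client_syn(isn_a)
    syn_ack = server_syn_ack(syn, isn_b)
    ack = client_ack(syn_ack, isn_a)
    return syn, syn_ack, ack


if __name__ == "__main__":
    for name, seg in zip(("SYN", "SYN-ACK", "ACK"), handshake(isn_a=1000, isn_b=5000)):
        print(f"{name:8} seq={seg.seq} ack={seg.ack}")
```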
9. Graphical interface to Nmap :- Zenmap is used.
Syntax :-
nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  -iL | Input from list of hosts/networks
  -iR | Choose random targets
  --exclude <host1[,host2][,host3],...> | Exclude hosts/networks
  --excludefile <exclude_file> | Exclude list from file
HOST DISCOVERY:
  -sL | List Scan - list targets to scan
  -sP | Ping Scan - go no further than determining if host is online
  -P0 | Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist] | TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM | ICMP echo, timestamp, and netmask request discovery probes
  -n/-R | Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...> | Specify custom DNS servers
  --system-dns | Use OS's DNS resolver
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM | TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX | TCP Null, FIN, and Xmas scans
  --scanflags <flags> | Customize TCP scan flags
  -sI <zombie host[:probeport]> | Idlescan
  -sO | IP protocol scan
  -b <ftp relay host> | FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges> | Only scan specified ports. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F | Fast - scan only the ports listed in the nmap-services file
  -r | Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
  -sV | Probe open ports to determine service/version info
  --version-intensity <level> | Set from 0 (light) to 9 (try all probes)
  --version-light | Limit to most likely probes (intensity 2)
  --version-all | Try every single probe (intensity 9)
  --version-trace | Show detailed version scan activity (for debugging)
OS DETECTION:
  -O | Enable OS detection
  --osscan-limit | Limit OS detection to promising targets
  --osscan-guess | Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T[0-5] | Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size> | Parallel host scan group sizes
  --min-parallelism/max-parallelism <time> | Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> | Specifies probe round trip time
  --max-retries <tries> | Caps number of port scan probe retransmissions
  --host-timeout <time> | Give up on target after this long
  --scan-delay/--max-scan-delay <time> | Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val> | Fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...> | Cloak a scan with decoys
  -S <IP_Address> | Spoof source address
  -e <iface> | Use specified interface
  -g/--source-port <portnum> | Use given port number
  --data-length <num> | Append random data to sent packets
  --ttl <val> | Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name> | Spoof your MAC address
  --badsum | Send packets with a bogus TCP/UDP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file> | Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
  -oA <basename> | Output in the three major formats at once
  -v | Increase verbosity level (use twice for more effect)
  -d[level] | Set or increase debugging level (up to 9 is meaningful)
  --packet-trace | Show all packets sent and received
  --iflist | Print host interfaces and routes (for debugging)
  --log-errors | Log errors/warnings to the normal-format output file
  --append-output | Append to rather than clobber specified output files
  --resume <filename> | Resume an aborted scan
  --stylesheet <path/URL> | XSL stylesheet to transform XML output to HTML
  --webxml | Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet | Prevent associating of XSL stylesheet w/XML output
MISC:
  -6 | Enable IPv6 scanning
  -A | Enables OS detection and version detection
  --datadir <dirname> | Specify custom Nmap data file location
  --send-eth/--send-ip | Send using raw ethernet frames or IP packets
  --privileged | Assume that the user is fully privileged
  -V | Print version number
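To put the grepable (-oG) output listed under OUTPUT to defensive use, here is an added Python example that is not from the original page: it parses -oG lines and reports open ports that are missing from a per-host allowlist, which is how a scan of your own network becomes a check for unexpected exposure. The sample scan text, the hosts and the baseline are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of Nmap grepable (-oG) output for two hosts; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.0.0/24
Host: 192.168.0.11 ()\tStatus: Up
Host: 192.168.0.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//nginx 1.14.2/\tIgnored State: closed (998)
Host: 192.168.0.123 ()\tStatus: Up
Host: 192.168.0.123 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 53/open/udp//domain//dnsmasq 2.80/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

PORTS_RE = re.compile(r"^Host: (\S+) .*\tPorts: (.*?)(?:\t|$)")
Entry = Tuple[int, str, str, str]  # (port, proto, state, "service version")

def parse_gnmap(text: str) -> Dict[str, List[Entry]]:
    """Map each host to its port entries; the 'Ports:' field is a comma list of
    port/state/proto/owner/service/rpcinfo/version/ records."""
    hosts: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:  # header, footer and 'Status:' lines carry no port data
            continue
        host, ports_field = m.group(1), m.group(2)
        for rec in ports_field.split(", "):
            f = rec.split("/")
            svc = f"{f[4]} {f[6]}".strip()
            hosts.setdefault(host, []).append((int(f[0]), f[2], f[1], svc))
    return hosts

def unexpected_open(hosts: Dict[str, List[Entry]],
                    baseline: Dict[str, Set[Tuple[int, str]]]) -> List[Tuple[str, int, str, str]]:
    """Open ports absent from the per-host allowlist (a host missing from the
    baseline has no allowed ports, so every open port on it is reported)."""
    findings = []
    for host, entries in hosts.items():
        allowed = baseline.get(host, set())
        for port, proto, state, svc in entries:
            if state == "open" and (port, proto) not in allowed:
                findings.append((host, port, proto, svc))
    return findings

if __name__ == "__main__":
    baseline = {"192.168.0.11": {(22, "tcp"), (80, "tcp")}, "192.168.0.123": {(21, "tcp")}}
    for host, port, proto, svc in unexpected_open(parse_gnmap(SAMPLE_GNMAP), baseline):
        print(f"{host}: unexpected open {port}/{proto} ({svc})")
```

Filtered ports are deliberately not reported, so the check only flags services that are actually reachable.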
1. IP scanning with a range
# nmap -sP 192.168.0.0/24
# nmap -sP 192.168.0.1-254
2. Port scanning with a range (port 100 to port 200)
# nmap 192.168.0.11 -p100-200
# nmap -p21,22,80 192.168.0.123
3. Scanning the operating system on the target IP
# nmap -O 192.168.0.11
4. Faster execution: for a faster scan, use -T4
# nmap -A -T4 192.168.0.11
5. Version detection
# nmap -A -T4 -F 192.168.0.123
# nmap -A -T4 192.168.0.123
6. Choose between TCP and UDP protocol
# nmap -p T:3000-4000 192.168.0.123
7. Check only UDP
# nmap -sU 192.168.0.123
8. Check only TCP SYN (half-open) scanning
# nmap -sS 192.168.0.123
# nmap -sS 192.168.0.0/24
9. nmap TCP FIN scanning
# nmap -v -sF 192.168.0.0/24
10. nmap TCP Xmas tree scanning
Useful to see whether the firewall protects against this kind of attack or not:
# nmap -v -sX 192.168.0.0/24
11. nmap TCP Window scanning
# nmap -v -sW 192.168.0.0/24
12. nmap TCP RPC scanning
# nmap -v -sR 192.168.0.0/24
13. nmap remote software version scanning
# nmap -v -sV 192.168.0.0/24
Graphical interface :-