Shashikant shah

Sunday, 4 November 2012

Install NMAP (Network Mapper) and Zenmap




Mmap is a powerfull scanner available in Linux system. We can findout, all the ways a computer communicates with other computers on a network.

Features of Nmap :-

1. Flexible :- advanced techniques for mapping out networks filled with IP filters, firewalls, routers.
This includes many port scanning TCP and UDP, and OS detection, version detection.

2. Powerful :- Nmap has been used to scan huge networks of literally hundreds of thousands of
machines.

3. Portable :- Most operating systems are supported, including Linux, Microsoft Windows,
FreeBSD, OpenBSD, Solaris, Mac OS X, HP-UX, NetBSD, Sun OS.

4. Easy :- Easy to operting Nmap .E.g – <nmap – A -V target>. You can used Zenmap is a GUI.

5. free :- It is a free Nmap.

6. Popular :- Thousands of people download Nmap every day. and it is included with many
operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc).


Advantage of Nmap :-

1. Find computers on a network.

2. Find open ports on those computers.

3. Find out, what services are using those ports.

4. Find out, what operating system is on the computers.

5. Find out, detection application name and version number.

6. Raw Socket (sending) :- The system API for sending custom packets is called raw sockets.
Unfortunately this sockets can't be used to listen for raw packets on the wire.

7. NSE :- Let a programmer choose what to do with the services it finds. The programmer can write
Nmap Scripting Engine programs in the Lua Programming language.

8. Three way handshake on tcp/ip.

a) SYN (Synchronous) :- The active open is performed by the client sending a SYN to the server.
the client sets the segment's sequence number to a random value A.

b) SYN-ACK (acknowledgment) :- In response, the server replies with a SYN-ACK. The
acknowledgment number is set to one more than the received sequence
number (A + 1), and the sequence number that the server chooses for the
packet is another random number, B.

c) ACK (acknowledgment) :- Finally, the client sends an ACK back to the server. The sequence
number is set to the received acknowledgement value i.e. A + 1, and the
acknowledgement number is set to one more than the received sequence
number i.e. B + 1.

9. Graphical interface Nmap.

Zenmap used.

Syntax :-
 
nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
-iL
Input from list of hosts/networks
-iR
Choose random targets
--exclude <host1[,host2][,host3],...>
Exclude hosts/networks
--excludefile <exclude_file>
Exclude list from file

HOST DISCOVERY:
-sL
List Scan - list targets to scan
-sP
Ping Scan - go no further than determining if host is online
-P0
Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]
TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM
ICMP echo, timestamp, and netmask request discovery probes
-n/-R
Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>
Specify custom DNS servers
--system-dns
Use OS's DNS resolver


SCAN TECHNIQUES:
-sS/sT/sA/sW/sM
TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX
TCP Null, FIN, and Xmas scans
--scanflags <flags>
Customize TCP scan flags
-sI <zombie host[:probeport]>
Idlescan
-sO
IP protocol scan
-b <ftp relay host>
FTP bounce scan


PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>
Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F
Fast - Scan only the ports listed in the nmap-services file)
-r
Scan ports consecutively - don't randomize


SERVICE/VERSION DETECTION:
-sV
Probe open ports to determine service/version info
--version-intensity <level>
Set from 0 (light) to 9 (try all probes)
--version-light
Limit to most likely probes (intensity 2)
--version-all
Try every single probe (intensity 9)
--version-trace
Show detailed version scan activity (for debugging)


OS DETECTION:
-O
Enable OS detection
--osscan-limit
Limit OS detection to promising targets
--osscan-guess
Guess OS more aggressively


TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5]
Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>
Parallel host scan group sizes
--min-parallelism/max-parallelism <time>
Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>
Specifies probe round trip time.
--max-retries <tries>
Caps number of port scan probe retransmissions.
--host-timeout <time>
Give up on target after this long
--scan-delay/--max-scan-delay <time>
Adjust delay between probes


FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>
fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>
Cloak a scan with decoys
-S <IP_Address>
Spoof source address
-e <iface>
Use specified interface
-g/--source-port <portnum>
Use given port number
--data-length <num>
Append random data to sent packets
--ttl <val>
Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>
Spoof your MAC address
--badsum
Send packets with a bogus TCP/UDP checksum


OUTPUT:
-oN/-oX/-oS/-oG <file>
Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA <basename>
Output in the three major formats at once
-v
Increase verbosity level (use twice for more effect)
-d[level]
Set or increase debugging level (Up to 9 is meaningful)
--packet-trace
Show all packets sent and received
--iflist
Print host interfaces and routes (for debugging)
--log-errors
Log errors/warnings to the normal-format output file
--append-output
Append to rather than clobber specified output files
--resume <filename>
Resume an aborted scan
--stylesheet <path/URL>
XSL stylesheet to transform XML output to HTML
--webxml
Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet
Prevent associating of XSL stylesheet w/XML output

MISC:
-6
Enable IPv6 scanning
-A
Enables OS detection and Version detection
--datadir <dirname>
Specify custom Nmap data file location
--send-eth/--send-ip
Send using raw ethernet frames or IP packets
--privileged
Assume that the user is fully privileged
-V
Print version number


1.IP Scanning with range

# nmap -sP 192.168.0.0/24

# nmap -sP 192.168.0.1-254

2.Port Scanning with range port 100 – port 200

# nmap 192.168.0.11 -p100-200

# nmap -p21,22,80 192.168.0.123

3.Scanning Operating system on target IP

# nmap -O 192.168.0.11

4.nmap Faster Execution faster scan, use -T4

# nmap -A -T4 192.168.0.11

5.Version detection

# nmap -A -T4 -F 192.168.0.123

# nmap -A -T4 192.168.0.123

6.Choose between TCP and UDP protocol

# nmap -p T:3000-4000 192.168.0.123

7.Chek Only UDP

# nmap -sU 192.168.0.123

8.check Only TCP SYN (half-open) scanning

# nmap -sS 192.168.0.123
# nmap -sS 192.168.0.0/24


9.nmap TCP FIN scanning

# nmap -v -sF 192.168.0.0/24

10.nmap TCP Xmas tree scanning
Useful to see if firewall protecting against this kind of attack or not:

# nmap -v -sX 192.168.0.0/24

11.nmap TCP Windows scanning

# nmap -v -sW 192.168.0.0/24

12.nmap TCP RPC scanning

# nmap -v -sR 192.168.0.0/24

13.nmap remote software version scanning

# nmap -v -sV 192.168.0.0/24


-: Graphical interface :-

Application -> SystemTools -> NmapFE

OR

Same version nmap and zenmap.

# wget nmap.org/dist/zenmap-6.01-1.noarch.rpm

rpm -ivh zenamp-6.01-1.noarch.rpm



No comments:

Post a Comment