Network Scanning Using Nmap

Nmap is a free and open-source tool used for network discovery and security auditing. It can determine what hosts are available on a network, the services they offer, and the operating systems they are running. Nmap uses raw IP packets to analyze targets and find open ports, services, software versions, type of packet filters/firewalls, and other details. It supports many scan types and options to customize the depth and type of scan performed.

Uploaded by millanu6275

Nmap (Network Mapper)

Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing. Nmap uses
raw IP packets in novel ways to determine what hosts are available on the network, what services (application
name and version) those hosts are offering, what operating systems (and OS versions) they are running and so on.
Nmap also has a graphical front end called Zenmap.

1. How to use the nmap command

From a command line, issue the nmap command with the -h option for help and see how the nmap
command is used. As can be seen, we need to specify a target (a hostname, IP address, or network range).
root@kali:~# nmap -h
Nmap 7.40 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given
ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--some output omitted----
2. Listing open ports on a remote host (Service detection)

This describes the simplest way of using Nmap to determine the port states on a remote host, a process used to
identify running services and commonly referred to as port scanning. With no options Nmap probes the 1000 most
commonly used TCP ports of the target; run as root (as in this lab) it uses a half-open SYN scan (-sS), while an
unprivileged user gets a full TCP connect scan (-sT). The "Not shown: 984 closed ports" line in the output below is
how the ports that were probed but not listed are summarised.

- Open a terminal.
- Type the nmap command followed by the IP address or hostname of the device to be scanned.

The scan results should appear on the screen, showing the interesting ports and their states. The ports marked as
open are of special interest as they represent services running on the target host.

Port states:
Nmap categorizes ports into the following states:

- Open: an application is actively accepting TCP connections (or UDP/SCTP packets) on this port.
- Closed: the probes reached the port (it is accessible), but no application is listening on it.
- Filtered: Nmap cannot determine whether the port is open, because a packet filter (a firewall, a router rule
or a host-based filter) is dropping the probes or answering with ICMP errors instead of the port itself.
- Unfiltered: the port is accessible (probes reach it), but Nmap cannot tell whether it is open or closed. Only the
ACK scan (-sA) reports this state; re-scanning the port with another scan type (e.g. -sS) resolves it.
Nmap also reports the combined states open|filtered and closed|filtered when it cannot tell the two apart, which
is common in UDP scans.

For example, from the following output we can see which ports are open on the host 10.10.41.232.

N.B: The target IP addresses will be different in your lab session. Also remember that the scan output will differ
depending on which target you are scanning.

root@kali:~# nmap 10.10.41.232

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-29 15:30 +0530


Nmap scan report for 10.10.41.232
Host is up (0.00022s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1583/tcp open simbaexpress
1688/tcp open nsjtp-data
3306/tcp open mysql
3351/tcp open btrieve
55555/tcp open unknown
MAC Address: 1C:39:47:C1:82:D3 (Compal Information (kunshan))

Nmap done: 1 IP address (1 host up) scanned in 16.77 seconds


root@kali:~#

Use the output of the scan to answer the following questions.

Is the host a file server? ______ Not an FTP server: port 21 is not open. But 445/tcp (microsoft-ds) and 139/tcp
(netbios-ssn) are open, and those are the SMB/CIFS file-sharing ports of a Windows host, so it may well serve files;
enumerating its shares is the way to confirm.
Does the host allow remote connection through SSH or telnet? ____ No: neither 22/tcp nor 23/tcp is open.
Is the host a web server? ____ Yes: http is running on port 80 (and https on port 443).
Is any database program running on this host? ___ Yes: mysql is running on port 3306.
3. Service Version Detection
Version detection is one of the most popular features of Nmap. Knowing the exact version of a service is highly
valuable for penetration testers, who use this information to look for known vulnerabilities in that version, and for
system administrators who wish to monitor their networks for unauthorized changes.
If you issue the nmap -h command and scroll down to the "SERVICE/VERSION DETECTION" part, you can see that the -sV
option is used to determine service/version info. With -sV Nmap connects to each open port, sends protocol-specific
probes and matches the responses against its nmap-service-probes database. The result is a table containing an
additional column named VERSION, displaying the specific service version if one was identified. Two caveats: the
extra probes make the scan slower and noisier (85 seconds below against 17 for the plain port scan), and the
version is a fingerprint match, so confirm it before building an attack or a remediation ticket on it.


root@kali:~# nmap -sV 10.10.41.232

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-29 15:34 +0530


Nmap scan report for 10.10.41.232
Host is up (0.00039s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 (PHP/5.6.25)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http VMware VirtualCenter Web service
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
(workgroup: WORKGROUP)
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC,
SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC,
SOAP)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1028/tcp open msrpc Microsoft Windows RPC
1583/tcp open psql Pervasive.SQL Server - Relational Engine
(encrypted)
1688/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL (unauthorized)
3351/tcp open psql-btrieve Pervasive.SQL Server - Btrieve Engine
55555/tcp open unknown
MAC Address: 1C:39:47:C1:82:D3 (Compal Information (kunshan))
Service Info: Hosts: localhost, USER-PC; OS: Windows; CPE:
cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.39 seconds
root@kali:~#
The output shown above includes a VERSION column which shows the service and version for a service running at
a particular port number.

What service is running at port 80? ____ Apache
What version of Apache is installed on the target host? _____ Apache httpd 2.4.23
What PHP version is installed on the remote host? _____ PHP 5.6.25
4. Finding live hosts in a network
Finding live hosts in a network is often used by penetration testers to enumerate active targets, and by system
administrators to count or monitor the number of active hosts. This describes how to perform a ping scan to find
live hosts in a network by using Nmap. The -sn flag (ping scan, no port scan) does this; -sP is the older name of
the same option and is still accepted. The /24 suffix denotes the whole subnet, 10.10.13.0 – 10.10.13.255 (256
addresses, as the "Nmap done" line confirms). On a directly attached Ethernet segment a privileged ping scan uses
ARP requests rather than ICMP, so hosts that block ICMP echo are still found; for targets behind a router Nmap sends
an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request instead.
N.B: The number of hosts that are live in the network will vary from scan to scan, as new computers may join and
others may leave the network.
root@kali:~# nmap -sn 10.10.13.1/24

Starting Nmap 7.01 ( https://nmap.org ) at 2019-05-29 16:14 EAT


Nmap scan report for 10.10.13.1
Host is up (0.0066s latency).
Nmap scan report for 10.10.13.194
Host is up (0.00044s latency).
Nmap scan report for 10.10.13.204
Host is up (0.00027s latency).
Nmap scan report for 10.10.13.206
Host is up (0.0017s latency).
Nmap scan report for 10.10.13.237
Host is up (0.00022s latency).
Nmap scan report for 10.10.13.249
Host is up (0.00082s latency).
Nmap scan report for 10.10.13.251
Host is up (0.00081s latency).
Nmap scan report for 10.10.13.252
Host is up (0.00067s latency).
Nmap scan report for 10.10.13.253
Host is up (0.00043s latency).
Nmap scan report for 10.10.13.254
Host is up (0.00025s latency).
Nmap done: 256 IP addresses (10 hosts up) scanned in 2.31 seconds
root@kali:~#
Or we can specify a range of IP addresses to be scanned. As we can see from the output shown below, only two
hosts in the range 10.10.13.1 – 10.10.13.200 are live; the hosts above .200 found by the previous sweep are simply
outside the range and were never probed.

root@kali:~# nmap -sP 10.10.13.1-200

Starting Nmap 7.01 ( https://nmap.org ) at 2019-05-29 16:17 EAT


Nmap scan report for 10.10.13.1
Host is up (0.013s latency).
Nmap scan report for 10.10.13.194
Host is up (0.00055s latency).
Nmap done: 200 IP addresses (2 hosts up) scanned in 28.66 seconds
root@kali:~#
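The target specifications used above (a /24 block and an octet range) decide how many addresses Nmap probes, and the "Nmap done: N IP addresses" line reports that count. The following is an added example, not code from the lab handout or from Nmap: it implements the target-spec forms that nmap -h lists under TARGET SPECIFICATION (plain IP, CIDR such as 10.10.13.1/24, per-octet ranges and comma lists such as 10.10.13.1-200 or 10.0.0-255.1-254) so the count can be predicted before scanning, and it parses ping-sweep output to compare two sweeps. SWEEP_24 and SWEEP_RANGE are the page's -sn and -sP outputs re-typed as constants so the script runs offline; function names and the "missing bound means 0 or 255" convention are this example's own.

```python
"""Expand Nmap target specifications and compare ping-sweep results.
Added example, not code from the lab handout or from Nmap. SWEEP_24 and
SWEEP_RANGE are the page's `nmap -sn 10.10.13.1/24` and `nmap -sP 10.10.13.1-200`
outputs re-typed so the script runs offline. Function names are this example's
own, as is the rule that a missing range bound means 0 or 255."""
import ipaddress
import itertools
import re

SWEEP_24 = """Starting Nmap 7.01 ( https://nmap.org ) at 2019-05-29 16:14 EAT
Nmap scan report for 10.10.13.1
Host is up (0.0066s latency).
Nmap scan report for 10.10.13.194
Host is up (0.00044s latency).
Nmap scan report for 10.10.13.204
Host is up (0.00027s latency).
Nmap scan report for 10.10.13.206
Host is up (0.0017s latency).
Nmap scan report for 10.10.13.237
Host is up (0.00022s latency).
Nmap scan report for 10.10.13.249
Host is up (0.00082s latency).
Nmap scan report for 10.10.13.251
Host is up (0.00081s latency).
Nmap scan report for 10.10.13.252
Host is up (0.00067s latency).
Nmap scan report for 10.10.13.253
Host is up (0.00043s latency).
Nmap scan report for 10.10.13.254
Host is up (0.00025s latency).
Nmap done: 256 IP addresses (10 hosts up) scanned in 2.31 seconds
"""
SWEEP_RANGE = """Nmap scan report for 10.10.13.1
Host is up (0.013s latency).
Nmap scan report for 10.10.13.194
Host is up (0.00055s latency).
Nmap done: 200 IP addresses (2 hosts up) scanned in 28.66 seconds
"""

# "Nmap scan report for 10.10.13.1", or "Nmap scan report for name (10.10.13.1)"
# when reverse DNS succeeded (i.e. -n was not given).
LIVE_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")

def _octet_values(octet: str) -> list:
    """'7' -> [7]; '1-200' -> 1..200; '3-5,7' -> [3,4,5,7]; '*' -> 0..255."""
    values = []
    for part in ("-" if octet == "*" else octet).split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo, hi = int(lo or 0), int(hi or 255)  # missing bound: this example's convention
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.extend(range(lo, hi + 1))
    return values

def expand_target(spec: str) -> list:
    """Every IPv4 address Nmap would probe for one target spec (hostnames not handled)."""
    spec = spec.strip()
    if "/" in spec:
        # 10.10.13.1/24 means the whole 10.10.13.0/24 block; the network and broadcast
        # addresses are probed too, hence "256 IP addresses" in the lab output.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    return [".".join(map(str, c)) for c in itertools.product(*map(_octet_values, octets))]

def live_hosts(sweep_output: str) -> set:
    """Addresses reported up in the normal output of `nmap -sn` / `nmap -sP`."""
    return {m[1] for line in sweep_output.splitlines() if (m := LIVE_RE.match(line.strip()))}

def sweep_diff(baseline: str, current: str) -> dict:
    """Hosts that joined or left between two sweeps of the SAME target spec."""
    before, after = live_hosts(baseline), live_hosts(current)
    key = ipaddress.ip_address
    return {"joined": sorted(after - before, key=key), "left": sorted(before - after, key=key)}

def not_covered(sweep_output: str, spec: str) -> list:
    """Live hosts from a sweep that a narrower target spec would never probe."""
    return sorted(live_hosts(sweep_output) - set(expand_target(spec)), key=ipaddress.ip_address)

if __name__ == "__main__":
    for spec in ("10.10.13.1/24", "10.10.13.1-200", "10.0.0-255.1-254"):
        print(f"{spec:<18} -> {len(expand_target(spec))} addresses")
    print("up in /24 sweep:", sorted(live_hosts(SWEEP_24), key=ipaddress.ip_address))
    print("outside 1-200:  ", not_covered(SWEEP_24, "10.10.13.1-200"))
```

Run as a script it prints 256, 200 and 65024 addresses for the three specs, and lists the eight live hosts (.204 through .254) that the 1-200 range never reaches. sweep_diff is only meaningful between two sweeps of the same target spec; comparing the /24 sweep with the 1-200 sweep would report those eight hosts as "left" when they were merely out of scope, which is exactly the confusion not_covered is there to catch.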

5. Detecting operating system of hosts in the network

Determining the operating system of a host is essential to every penetration tester for many reasons, including
listing possible security vulnerabilities, determining the available system calls to set the specific exploit payloads,
and many other OS-dependent tasks. Use nmap with the -O flag to detect the OS. OS detection needs raw-packet
privileges (root, as here) and works best when the target has at least one open and one closed TCP port; the
result is a fingerprint match against Nmap's OS database, which is why the output below lists several candidate
versions (Windows 7, Server 2008, 8, 8.1) rather than one definite answer.
N.B: The output of the scan may be different depending on the target address.
root@kali:~# nmap -O 10.10.41.232

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-29 16:00 +0530


Nmap scan report for 10.10.41.232
Host is up (0.00017s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1583/tcp open simbaexpress
1688/tcp open nsjtp-data
3306/tcp open mysql
3351/tcp open btrieve

55555/tcp open unknown
MAC Address: 1C:39:47:C1:82:D3 (Compal Information (kunshan))
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1
cpe:/o:microsoft:windows_server_2008::sp1
cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8
cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows
Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.93 seconds
root@kali:~#
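Sections 2, 3 and 5 all ask you to read facts (open ports, service versions, the OS guess) out of Nmap's normal output by eye. The following is an added example, not code from the lab handout or from the Nmap project, that does the same reading programmatically: it parses the PORT/STATE/SERVICE/VERSION table plus the MAC, Running and OS details lines into structured data and answers the lab questions from it. SAMPLE is an abridged re-typing of the page's nmap -sV scan of 10.10.41.232 with the OS lines from the page's nmap -O scan of the same host appended (what a single nmap -sV -O run prints), with the lines wrapped exactly as they appear on the page so the script runs offline; function and field names are this example's own. For real work prefer nmap -oX and an XML parser, but copied terminal output is what you usually get handed.

```python
"""Parse Nmap normal output into structured data and answer the lab questions.
Added example, not code from the lab handout or the Nmap project. SAMPLE is an
abridged re-typing of the page's `nmap -sV 10.10.41.232` output plus the OS lines
of the page's `nmap -O` scan of the same host, wrapped as on the page, so the
script runs offline. Function and field names are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """
Nmap scan report for 10.10.41.232
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 (PHP/5.6.25)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http VMware VirtualCenter Web service
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
(workgroup: WORKGROUP)
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC,
SOAP)
1583/tcp open psql Pervasive.SQL Server - Relational Engine
(encrypted)
3306/tcp open mysql MySQL (unauthorized)
55555/tcp open unknown
MAC Address: 1C:39:47:C1:82:D3 (Compal Information (kunshan))
Running: Microsoft Windows 7|2008|8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows
Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Nmap done: 1 IP address (1 host up) scanned in 85.39 seconds
"""

# Lines that begin a new record. Anything else is a fragment that a PDF or a
# terminal wrapped and belongs to the line above (Nmap prints one line per port).
KNOWN_START = re.compile(
    r"^(?:\d+/(?:tcp|udp|sctp)\s|Nmap scan report|Host is up|Not shown|PORT\s+STATE"
    r"|MAC Address|Device type|Running|OS CPE|OS details|Network Distance"
    r"|Service Info|Service detection|OS detection|Nmap done|https?://)")
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp|sctp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)"
    r"\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""  # stays empty unless the scan ran with -sV

@dataclass
class HostReport:
    address: str = ""
    mac: str = ""
    os_running: str = ""
    os_details: str = ""
    ports: list = field(default_factory=list)

def unwrap(text: str) -> list:
    """Return the logical lines, re-joining fragments that were wrapped."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if out and not KNOWN_START.match(line):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse_nmap_normal(text: str) -> HostReport:
    report = HostReport()
    for line in unwrap(text):
        m = PORT_RE.match(line)
        if m:
            report.ports.append(Port(int(m[1]), m[2], m[3], m[4], (m[5] or "").strip()))
        elif line.startswith("Nmap scan report for "):
            report.address = line.split("for ", 1)[1]
        elif line.startswith("MAC Address: "):
            report.mac = line.split()[2]
        elif line.startswith("Running: "):
            report.os_running = line[len("Running: "):]
        elif line.startswith("OS details: "):
            report.os_details = line[len("OS details: "):]
    return report

def open_ports(report: HostReport) -> set:
    return {p.number for p in report.ports if p.state == "open" and p.proto == "tcp"}

def service_on(report: HostReport, port: int) -> Optional[Port]:
    return next((p for p in report.ports if p.number == port and p.proto == "tcp"), None)

def php_version(report: HostReport) -> Optional[str]:
    """PHP advertises itself inside the Apache banner, e.g. '(PHP/5.6.25)'."""
    hits = [m[1] for p in report.ports if (m := re.search(r"PHP/([\d.]+)", p.version))]
    return hits[0] if hits else None

def answer_lab_questions(report: HostReport) -> dict:
    op = open_ports(report)
    banners = [(p.service + " " + p.version).lower() for p in report.ports if p.state == "open"]
    return {
        "ftp": 21 in op,
        "smb_file_sharing": bool(op & {139, 445}),  # Windows file sharing counts as a file server
        "remote_shell": bool(op & {22, 23}),         # SSH / telnet
        "web": any(b.startswith(("http", "ssl/http")) for b in banners),
        "database": any("sql" in b for b in banners),  # mysql, psql, ms-sql-s, ...
    }
```

Calling parse_nmap_normal(SAMPLE) gives nine open TCP ports, "Apache httpd 2.4.23 (PHP/5.6.25)" on port 80 and "5.6.25" from php_version, the MAC 1C:39:47:C1:82:D3 and the Windows 7/2008/8.1 guess, and answer_lab_questions reports no FTP and no SSH/telnet but SMB, web and database services present, which is the corrected answer set of section 2. The unwrap step is what makes the wrapped "(workgroup: WORKGROUP)" and "Server 2008 R2, ..." fragments land on the right record; without it the 445/tcp version and the OS details would be truncated.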
