Updated April 10, 2023
Introduction to Nmap usage
Nmap stands for Network Mapper. It is a Linux command-line tool that scans a network for IP addresses and ports and detects the applications installed on the hosts it finds. Nmap helps network administrators discover which systems are attached to their network, locate open ports and running services, and search for vulnerabilities.
Security professionals choose Nmap over other scanning methods for a variety of reasons. To begin with, Nmap lets you map out a network easily using basic commands and configuration. It supports both simple tasks, such as checking whether a host is up, and complex scripting through the Nmap Scripting Engine (NSE).
Features
Nmap also has the following features:
Ability to rapidly identify all devices on a single or multiple networks, including mobile devices, routers, servers, switches, and so on.
DNS servers, web servers, and other popular applications are among the services that can be identified on a system. Nmap can also detect application versions accurately, which helps in identifying known vulnerabilities.
Nmap can detect a device’s operating system, including specifics such as the OS version, which makes it easier to plan further penetration testing steps. Existing scripts from the Nmap Scripting Engine can be used for vulnerability scanning and security auditing.
The graphical user interface for Nmap is called Zenmap. It helps build visual maps of the network for improved accessibility, reporting, and monitoring.
List of Commands
Here is a list of commonly used Nmap commands.
Basic Scans
The first step in network mapping is to find the active devices on the network.
1. Ping scan — Lists the active hosts on a given subnet without scanning their ports (-sn; older Nmap versions spelled this option -sP).
> nmap -sn 192.168.1.1/26
2. Scan a single host — Scans the 1,000 most common ports on a single host. These are the ports used by common services such as SNTP, SQL, Apache, and others.
> nmap scanme.nmap.org
Stealth scan
A stealth scan works by sending a SYN packet and examining the response: if a SYN/ACK comes back, the port is open and a TCP connection could be established.
A stealth scan, however, never completes the three-way handshake, which makes it harder for the target to identify the scanning device (no connection is ever established, so nothing appears in application logs, although the half-open attempts are still visible to firewalls and intrusion detection systems).
> nmap -sS scanme.nmap.org
The -sS option performs a stealth scan. Stealth scanning is less aggressive and slower than other scan types, so you may have to wait a while for results.
Version scanning
In penetration testing, identifying application versions is important: it lets you look up known vulnerabilities for that version of the service in the Common Vulnerabilities and Exposures (CVE) database, and then verify them with an exploitation framework such as Metasploit.
> nmap -sV scanme.nmap.org
The -sV option runs a version scan, producing a list of services along with their detected versions. Version detection isn’t always 100% correct, but it gives a useful picture of what is running on a host.
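As an added example (not part of the original article), the script below parses the XML that `nmap -sV -oX -` produces and separates services Nmap actually fingerprinted from names it only guessed from the port number, which is the caveat above in practice. The XML is a constructed sample, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output (trimmed to the elements used here); not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - scanme.nmap.org">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.7" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="9929"><state state="open"/>
        <service name="nping-echo" method="table" conf="3"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/>
        <service name="smtp" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>"""

def parse_services(xml_text):
    """One dict per open port. 'fingerprinted' is True only when Nmap matched a banner
    (method="probed"); method="table" means the name is a lookup from nmap-services."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # skip closed/filtered ports, as the normal nmap output does
            svc = port.find("service")
            product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p) if svc is not None else ""
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "unknown") if svc is not None else "unknown",
                "product": product,
                "fingerprinted": svc is not None and svc.get("method") == "probed",
            })
    return rows

def unverified_services(rows):
    """Open ports whose service name was only looked up by port number, not confirmed by a probe."""
    return [r for r in rows if not r["fingerprinted"]]

if __name__ == "__main__":
    for r in parse_services(SAMPLE_XML):
        flag = "" if r["fingerprinted"] else "  (guessed from port number)"
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']} {r['product']}{flag}")
```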
Scanning the Operating System
Nmap can identify the underlying operating system using TCP/IP stack fingerprinting. During an OS scan, Nmap also attempts to estimate the device’s uptime.
> nmap -O scanme.nmap.org
Aggressive Scanning
Nmap has an aggressive mode that combines OS detection, version detection, default script scanning, and traceroute in a single run. The -A option enables it; it is noisy and easily noticed by the target.
> nmap -A scanme.nmap.org
Multiple Hosts Scanning
Nmap can scan many hosts at the same time, which comes in handy when you are in charge of a large network.
There are several ways to specify multiple hosts:
To scan several hosts in one run, list their IP addresses separated by spaces.
> nmap 192.164.1.1 192.164.1.2 192.164.1.3
To scan an entire subnet, use the asterisk as a wildcard for an octet.
> nmap 192.164.1.*
Commas separate alternative values for the last octet, so there is no need to type out each full address.
> nmap 192.164.1.1,2,3,4
To specify a range of IP addresses, add a hyphen.
> nmap 192.164.1.0-255
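As an added example (not from the article), the following Python code expands each of the target notations above (CIDR, asterisk, comma list, hyphen range, including Nmap’s open-ended ranges such as 250-) into the addresses Nmap would actually scan, which is a quick way to sanity-check scope before running a scan. The 192.164.x.x values are the article’s own placeholders.

```python
import ipaddress
from itertools import product

def _expand_octet(field):
    """Expand one octet field of an Nmap target spec: '*', '7', '1,2,3', '0-255', '250-' or '-5'.
    Nmap defaults an omitted left bound to 0 and an omitted right bound to 255."""
    if field == "*":
        return list(range(256))
    values = []
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(part))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {field!r}")
    return values

def expand_targets(spec):
    """Return every IPv4 address covered by one Nmap-style target argument (IPv4 only)."""
    if "/" in spec:
        # CIDR: like nmap, include the network and broadcast addresses; strict=False accepts 192.168.1.1/26
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    return [".".join(map(str, combo)) for combo in product(*(_expand_octet(f) for f in fields))]

if __name__ == "__main__":
    # The notations used in the article (192.164.x.x values are the article's own placeholders)
    for spec in ("192.168.1.1/26", "192.164.1.*", "192.164.1.1,2,3,4", "192.164.1.0-255"):
        addrs = expand_targets(spec)
        print(f"{spec:22} -> {len(addrs):4d} addresses ({addrs[0]} .. {addrs[-1]})")
```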
Port Scanning
Nmap’s port scanning is one of the most basic features. There are many ways to scan for ports.
To scan a single port, use the -p option.
> nmap -p 413 192.164.0.4
The --top-ports flag scans the n most commonly used ports.
> nmap --top-ports 10 scanme.nmap.org
Scanning from a File
A large number of IP addresses can be scanned by importing a file that contains the list of IP addresses.
> nmap -iL /input_ips.txt
Nmap Help
Nmap provides a built-in help option that lists all of the available flags and options. Given the large number of command-line arguments Nmap provides, it is often useful.
> nmap -h
Conclusion
In this article, we have seen various commands for easy and quick scanning of networks, ports, hosts, operating systems, and firewalls.