Nmap Tutorial: How to Use Nmap from Basic to Advanced

Nmap ("Network Mapper") is a free and open-source utility for security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and many other characteristics.

Scan a range of IP addresses

Nmap accepts a range of IP addresses as its target, so a single invocation can scan many hosts. Scanning a range is useful when trying to determine where on the network an attack may be occurring, and being able to cover multiple IPs in one scan saves valuable time when tracing that attack:


Scan a subnet

Nmap can also take a whole subnet as its target. A subnet scan covers every host on that subnet, which makes it useful when checking on multiple networks as well.


Nmap port selection

To use Nmap effectively, you need to understand the port selection options. They determine which ports are scanned and whether the scan order is random or sequential.

Scan a single port:

nmap -p 80

Scan multiple ports:

nmap -p 1-100


Nmap port scan types:

Privileged (root/administrator) access is required to perform the default SYN scan. If privileges are insufficient, Nmap falls back to a TCP connect scan.

A TCP connect scan requires a full TCP connection to be established with each port and is therefore slower. Ignoring host discovery is often necessary, because many firewalls or hosts will not respond to ping and would be missed unless you select the -Pn parameter.

Obviously, this can make scans take much longer, since you may end up sending probes to hosts that are not there.

1. Scan using TCP connect: nmap -sT

2. Scan using TCP SYN scan (default): nmap -sS

3. Scan UDP ports: nmap -sU -p 123,161,162

4. Scan selected ports, ignoring discovery: nmap -Pn -F

Service and Nmap OS Detection

Service and OS detection rely on different methods to determine the operating system or the service running on a particular port.

The more aggressive service detection is often helpful when services are running on unusual ports.

On the other hand, the lighter version of service detection is much faster, because it does not really try to identify the service; it just grabs the banner of the open service.

1. Nmap OS detection and services: nmap -A

2. Standard service detection: nmap -sV

3. Lighter banner-grabbing detection: nmap -sV --version-intensity 0

4. More aggressive service detection: nmap -sV --version-intensity 5

HTTP Service Information

1. Gather page titles from HTTP services: nmap --script=http-title

2. Get HTTP headers of web services: nmap --script=http-headers

3. Find web apps from known paths: nmap --script=http-enum

There are many HTTP information-gathering scripts; here are a few that are simple but helpful when examining larger networks. They help quickly identify which HTTP service is running on the open port.

Note that the http-enum script is especially noisy.

It is similar to Nikto in that it attempts to enumerate known paths of web applications and scripts. This inevitably generates hundreds of 404 HTTP responses in the web server's error and access logs.
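As an added example (not from the original post), this Python script shows what that noise looks like from the defender's side: it reads web server access-log lines in Apache/nginx combined format and flags clients that hit many distinct 404 paths or send the default User-Agent of Nmap's NSE http scripts. The log format, the sample addresses and paths, and the threshold are assumptions; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substring of the default User-Agent sent by NSE http scripts
# (a scanner can change it with --script-args http.useragent=...).
NSE_UA = "Nmap Scripting Engine"

# Constructed sample log: 203.0.113.7 walks known paths (http-enum style) and
# collects 404s; 198.51.100.9 is normal traffic with a single mistyped URL.
NMAP_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "{NMAP_UA}"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "{NMAP_UA}"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "{NMAP_UA}"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "{NMAP_UA}"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "{NMAP_UA}"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /stats/ HTTP/1.1" 404 196 "-" "{NMAP_UA}"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 Firefox/118.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /indx.html HTTP/1.1" 404 196 "-" "Mozilla/5.0 Firefox/118.0"',
])

def scan_signals(log_text, threshold=5):
    """Return {ip: {"not_found", "distinct_paths", "nse_ua"}} for clients that
    produced at least `threshold` distinct 404 paths or announced the NSE UA."""
    stats = defaultdict(lambda: {"not_found": 0, "paths": set(), "nse_ua": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        s = stats[m["ip"]]
        if m["status"] == "404":
            s["not_found"] += 1
            s["paths"].add(m["path"])
        if NSE_UA in m["ua"]:
            s["nse_ua"] = True
    return {
        ip: {"not_found": s["not_found"], "distinct_paths": len(s["paths"]),
             "nse_ua": s["nse_ua"]}
        for ip, s in stats.items()
        if len(s["paths"]) >= threshold or s["nse_ua"]
    }

# scan_signals(SAMPLE_LOG) -> {"203.0.113.7": {"not_found": 5, "distinct_paths": 5, "nse_ua": True}}
```

The 404-burst rule is the more robust of the two signals, since the User-Agent is trivially overridden; lowering the threshold trades false positives from ordinary broken links for earlier detection.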
