The Nmap suite includes an advanced graphical user interface and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Substitute dnf for yum if you are on Red Hat Enterprise Linux 7 or newer. After installing Nmap, you can run the nmap command without arguments to display all of its options. You should also consult the Nmap man page by running man nmap.
Nmap is a very powerful system inventory and port scanning tool that can be used for good and bad purposes. It depends on which hat you are wearing. The best way to learn Nmap is to read man pages, use examples shown in the man pages, and experiment with the NSE scripts. Also, try Zenmap. If you are interested in knowing more about port scanning and the science behind it, see the Nmap documentation.
In an earlier post, I had shown you the most widely-used and valuable reconnaissance tool in the hacker's toolbox, nmap. There are a number of other recon tools that are also helpful such as hping and xprobe, but nmap is the standard by which all others are judged. I STRONGLY recommend that you master nmap if you are to truly call yourself a hacker.
I've already shown you some of the basics of nmap, like performing port scans using the TCP (-sT) and SYN (-sS) scans, as well as performing OS (-O) detection. In addition, I showed you how to change the speed of the scans to evade intrusion detection systems.
The same applies to spoofing our IP when using nmap. We CAN spoof our IP address (-S) in nmap, but as a result, any response and any info we are trying to gather will return to the spoofed IP. Not very useful if we are scanning for information gathering.
When you use nmap to scan a system or network, by default it sends out a ping to see whether the host is up; if it gets a response, it then sends the specified packets to scan the system. If the ping is blocked or dropped, nmap gives up and reports "host is down."
To get around firewalls and routers that block or drop the ping, we need to suppress nmap's default behavior of sending that initial ping so we can get past the firewall that is blocking us. We can do this by using the -P0 switch:
When nmap runs a port scan, it retrieves the port info (open/closed/filtered) and then gives us the default service that is running on that port. As one can run ANY service on any port, that may not be adequate information. If our attack requires a particular service on a particular port, gathering the default information may not be enough.
Note in the output from the UDP scan above that some ports are reported as open/filtered. This indicates that nmap cannot determine whether the port is open or it is filtered by a device such as a firewall.
Nmap has a switch that will return the reason why it has placed a particular port in a particular state. For instance, we can run the same UDP scan as above with the --reason switch; nmap will return the same results, but this time it also gives us the reason it assigned each port its state.
Notice in the screenshot above that I have highlighted the "reason" nmap gives for placing port 123 in the open|filtered state. Nmap tells us that it received "no response," so it cannot tell whether that port is open or filtered.
Many times we want to scan a list of IP addresses and not an entire subnet. We can use any text editor and create a list of IP addresses and "feed" it to nmap. Here, I am using Leafpad, which is built into Kali (any text editor will work), to put together a list of IP addresses I want to scan.
If we are scanning multiple IP addresses, we probably want to save the output to a file for later reference. Although nmap has many ways and formats to save the output, I prefer the -oN (normal output) switch.
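As an added example (not part of the original post), here is a small Python parser for nmap's normal (-oN) output, including the REASON column that --reason adds. The sample output below is constructed to follow nmap's normal-output layout; the hosts, ports and timings are made up. It groups results by state, pulls out the ports nmap could not classify with certainty (open|filtered), and attaches a short defender-side reading of each reason token so whoever reviews the saved file can see why a port landed in a given state.

```python
import re
from collections import Counter

# Constructed sample of nmap normal (-oN) output from scans run with --reason.
# The layout follows nmap's normal-output format; hosts, ports and timings are made up.
SAMPLE_NORMAL_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sU --reason -oN udp.txt 192.168.1.10
Nmap scan report for 192.168.1.10
Host is up, received echo-reply (0.0012s latency).
Not shown: 996 closed udp ports (port-unreach)
PORT     STATE         SERVICE REASON
53/udp   open          domain  udp-response
123/udp  open|filtered ntp     no-response
161/udp  open|filtered snmp    no-response
500/udp  closed        isakmp  port-unreach

Nmap scan report for 192.168.1.11
Host is up, received arp-response (0.00050s latency).
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
# Nmap done at Mon Jan  1 12:00:30 2024 -- 2 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# port/proto, state, service, then an optional reason column (present only with --reason;
# the reason may carry extra tokens such as "ttl 64").
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*?))?\s*$")

# What each reason token means for someone reading the report (first token only).
REASON_MEANING = {
    "no-response": "no reply at all: either the service is silent to this probe, or a firewall dropped it",
    "port-unreach": "ICMP port unreachable came back: nothing is listening",
    "udp-response": "the service answered the UDP probe: port is confirmed open",
    "syn-ack": "SYN/ACK came back: TCP port is confirmed open",
    "reset": "RST came back: TCP port is closed (host reachable, no listener)",
}


def parse_normal_output(text):
    """Return one dict per port line, tagged with the host it belongs to."""
    records, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, service, reason = m.groups()
            records.append({"host": host, "port": int(port), "proto": proto,
                            "state": state, "service": service, "reason": reason or ""})
    return records


def state_counts(records):
    """How many ports ended up in each state (open, closed, open|filtered, ...)."""
    return Counter(r["state"] for r in records)


def ambiguous_ports(records):
    """Ports nmap could not pin down: any state written as a choice, e.g. open|filtered."""
    return [r for r in records if "|" in r["state"]]


def explain(record):
    """One-line reading of a port record, including why nmap chose that state."""
    token = record["reason"].split()[0] if record["reason"] else ""
    meaning = REASON_MEANING.get(token, "reason not recorded; rerun with --reason")
    return (f'{record["host"]} {record["port"]}/{record["proto"]} ({record["service"]}) '
            f'is {record["state"]}: {meaning}')


if __name__ == "__main__":
    recs = parse_normal_output(SAMPLE_NORMAL_OUTPUT)
    print(dict(state_counts(recs)))
    for r in ambiguous_ports(recs):
        print(explain(r))
```

Point the script at a real file saved with -oN (read it and pass the text to parse_normal_output) to get the same summary; ports in an open|filtered state are the ones worth a second look, because the "no-response" reason alone cannot distinguish a silent service from a firewall drop.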
Nmap is one of those tools that EVERY hacker must master to be proficient at this trade. With this post, we have advanced your nmap skills another step, but we still have much to learn, so keep coming back, my novice hackers!
As JanC already hinted at, the snap version of nmap has an issue with opening network devices when it is run as root. After removing the snap version and installing the aptitude version it worked as expected.
NmapFE, originally written by Kanchan, was Nmap's official GUI for Nmap versions 2.2 to 4.22.[19] For Nmap 4.50 (originally in the 4.22SOC development series) NmapFE was replaced with Zenmap, a new official graphical user interface based on UMIT, developed by Adriano Monteiro Marques.
There are several NSE scripts in nmap that can be used for a wide range of security tests on a network. These scripts are also helpful for discovering new networks. The -sV option used in the commands above enables service detection.
Also, if you are port scanning a host that has an HTTP(S) service running on it, nmap will use Mozilla/5.0 (compatible; Nmap Scripting Engine; ) as its default user agent. Your activity will thus be easily detected, especially if an administrator or an automated system takes action when such a user agent appears in the logs. Fortunately, nmap lets us change that string easily: just pass --script-args http.useragent="user agent you want".
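From the defender's side, that same default user agent is a cheap signal in web server logs. The following Python snippet, added here as an example (not from the original page), scans Apache/nginx combined-format access log lines for the Nmap Scripting Engine user agent and reports which client addresses sent it and what they requested. The log lines are constructed; the match is on the prefix of the string quoted above, since the full default value also carries a URL after the semicolon. Because the string is trivially changed, treat a hit as a useful but low-confidence indicator and its absence as no evidence at all.

```python
import re
from collections import defaultdict

# Constructed access-log lines in Apache/nginx "combined" format (made-up addresses and paths).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '203.0.113.7 - - [01/Jan/2024:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0"',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    'garbage line that does not parse',
]

# Fields of the combined log format: client, ident, user, time, request, status, bytes, referer, agent.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Prefix of nmap's stock NSE user agent; compared case-insensitively.
NSE_AGENT_PREFIX = "mozilla/5.0 (compatible; nmap scripting engine"


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_nse_agent(agent):
    """True when the user agent is nmap's unchanged default."""
    return agent.lower().startswith(NSE_AGENT_PREFIX)


def find_nse_requests(lines):
    """Map each client address that sent the NSE user agent to the requests it made."""
    hits = defaultdict(list)
    for line in lines:
        fields = parse_combined(line)
        if fields and is_nse_agent(fields["agent"]):
            hits[fields["client"]].append((fields["time"], fields["request"], fields["status"]))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in find_nse_requests(SAMPLE_ACCESS_LOG).items():
        print(f"{client}: {len(reqs)} request(s) with the Nmap NSE user agent")
        for when, req, status in reqs:
            print(f"  [{when}] {req} -> {status}")
```

Feed it the lines of a real access log (for example, `find_nse_requests(open("access.log"))`) and the result is a per-client list suitable for an alert or a blocklist review; unparseable lines are skipped rather than crashing the run.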
nmap can normally be installed directly from your system's standard repositories. Below are examples of installing nmap on Debian/Ubuntu, CentOS/RHEL and openSUSE Linux distributions. To install nmap, follow the instructions that match your operating system.
To install nmap on a Debian-based system, issue the commands below. The first command refreshes your system's list of the latest available package versions; it is followed by the install command. Reply "Y" when asked to install the relevant package and any dependencies.
During a scan, nmap transmits packets to the target machine at a specific time interval. We can use the nmap -T switch to increase or decrease that interval. The -T option requires an argument; we use 1, 2, 3 or 4 as needed. -T4 is faster than -T1, -T2, and -T3.
Compared to other nmap scans, an IP protocol scan has one major difference: it looks for the IP protocols the target system supports, such as ICMP, TCP, and UDP, as well as additional IP protocols such as EGP or IGP.
The ICMP echo request ping sends an ICMP echo request to the IP address of the destination machine. In the normal type of ICMP echo request ping, a combination of TCP and ACK pings is also sent. Using the -PE option, the ICMP echo request can be specified as nmap's ping method without coupling it with the TCP ACK ping.
The verbose mode of nmap gives us more information in the scan output. The verbose option does not affect what happens during the scan; it only changes the amount of information that nmap shows in its output.