Nmap
Working with Nmap Command
1. To scan a system by hostname and by IP address. First, scan using the hostname:
nmap www.geeksforgeeks.org
Now scan using the IP address:
nmap 172.217.27.174
The nmap command can scan a system in several ways. Here we scan the same host by its hostname (www.geeksforgeeks.org) and by its IP address (172.217.27.174) to find its open ports, the services listening on them and, when the target sits on the same local network segment, its MAC address.
2. To scan with the -v (verbose) option
nmap -v www.geeksforgeeks.org
Verbose mode prints more detail about the scan of the remote machine while it runs.
3. To scan multiple hosts
nmap 103.76.228.244 157.240.198.35 172.217.27.174
We can scan several hosts in one run by listing their IP addresses or hostnames, separated by spaces, after nmap.
4. To scan a whole subnet
nmap 103.76.228.*
We can scan a whole subnet or IP range by using the * wildcard in the last octet (quote the argument if your shell expands the wildcard itself). Nmap scans every address in the range and reports the hosts that are up.
5. To scan for firewall rules
sudo nmap -sA 103.76.228.244
Mapping firewall rules is useful during penetration tests and vulnerability scans. The -sA option runs an ACK scan: it does not tell you whether a port is open, but from the replies it classifies each port as unfiltered or filtered, which shows whether a stateful firewall is protecting the host.
6. To list targets and resolve hostnames
sudo nmap -sL 103.76.228.244
The -sL option performs a list scan: it enumerates every target and does a reverse-DNS lookup for each one without sending any packets to the hosts themselves. The -n option skips DNS resolution entirely, while -R forces resolution for every target.
7. To scan targets from a file
nmap -iL input.txt
If we have a long list of addresses to scan, we can read them from a file (one target per line) with -iL instead of typing them on the command line, and nmap scans every address listed.
8. To get some help
nmap -h
We use the -h option when we have a question about nmap or any of its options; it prints the help text, including a summary of the available flags.
9. To run an aggressive scan
nmap -A <Domain Name>
Here -A stands for aggressive: it enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) in a single run, which yields a lot of useful information about the host.
10. To trace the route to the target
nmap --traceroute <Domain Name>
With --traceroute nmap records the network path to each target; this quickly shows where the target is hosted and which intermediate hosts sit on the path.
11. To guess the operating system
nmap -O <Domain Name>
The -O option fingerprints the target's TCP/IP stack and reports the operating system it most likely runs. This is a probabilistic guess, not a definitive identification of the exact OS version installed on the machine.
Port Scanning with Nmap
Nmap is an industry standard for port scanning. Entire books have been
written just about using Nmap, and the manual page may seem a bit daunting.
We will cover the basics of port scanning here and come back to the
tool in later chapters.
Firewalls with intrusion-detection and prevention systems have made
great strides in detecting and blocking scan traffic, so you might run an
Nmap scan and receive no results at all. Though you could be hired to perform
an external pentest against a network range with no live hosts, it’s more
likely that you’re being blocked by a firewall. On the other hand, if your
scan is detected, a prevention system may instead make your Nmap results
say that every host is alive and listening on every port.
A SYN Scan
Let’s start by running a SYN scan against our target machines. A SYN scan
is a TCP scan that does not finish the TCP handshake. A TCP connection
starts with a three-way handshake: SYN → SYN-ACK → ACK, as shown in

In a SYN scan, Nmap sends the SYN and waits for the SYN-ACK if the
port is open but never sends the ACK to complete the connection. If the
SYN packet receives no SYN-ACK response, the port is not available; either
it’s closed or the connection is being filtered. This way, Nmap finds out if a
port is open without ever fully connecting to the target machine. The syntax
for a SYN scan is the -sS flag.
Next, as you can see in Listing 5-6, we specify the IP address(es) or range
to scan. Finally, we use the -o option to output our Nmap results to a file. The
-oA option tells Nmap to log our results in all formats: .nmap, .gnmap (greppable
Nmap), and XML. Nmap format, like the output that Nmap prints
to the screen in Listing 5-6, is nicely formatted and easy to read. Greppable
Nmap (as the name implies) is formatted to be used with the grep utility to
search for specific information. XML format is a standard used to import
Nmap results into other tools. Listing 5-6 shows the results of the SYN scan.
Note: It is always a good idea to take good notes of everything we do on our pentest.
Tools such as Dradis are designed specifically to track pentest data, but as long
as you have notes of everything you did when you get to the reporting phase,
you will be okay. I personally am more of a pen-and-paper user, or at best, a
creating-a-long-Word-document-with-all-of-my-results type. The methods used for tracking
results vary from pentester to pentester. Outputting your Nmap results to files is a
good way to make sure you have a record of your scan. Also, you can use the Linux
command script to record everything printed to your terminal—another good way to
keep track of everything you have done.
root@kali:~# nmap -sS 192.168.20.10-12 -oA booknmap
Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-18 07:28 EST
Nmap scan report for 192.168.20.10
Host is up (0.00056s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp v
25/tcp open smtp y
80/tcp open http w
106/tcp open pop3pw y
110/tcp open pop3 y
135/tcp open msrpc
139/tcp open netbios-ssn x
443/tcp open https w
445/tcp open microsoft-ds x
1025/tcp open NFS-or-IIS
3306/tcp open mysql z
5000/tcp open upnp
MAC Address: 00:0C:29:A5:C1:24 (VMware)
Nmap scan report for 192.168.20.11
Host is up (0.00031s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp v
22/tcp open ssh
80/tcp open http w
111/tcp open rpcbind
139/tcp open netbios-ssn x
445/tcp open microsoft-ds x
2049/tcp open nfs
MAC Address: 00:0C:29:FD:0E:40 (VMware)
Nmap scan report for 192.168.20.12
Host is up (0.0014s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http u
135/tcp open msrpc
MAC Address: 00:0C:29:62:D5:C8 (VMware)
Nmap done: 3 IP addresses (3 hosts up) scanned in 1070.40 seconds
As you can see, Nmap returns a handful of ports on the Windows XP
and Linux boxes. We will see as we move through the next few chapters that
nearly all of these ports contain vulnerabilities. Hopefully, that won’t be the
case on your pentests, but in an attempt to introduce you to many types of
vulnerabilities you will encounter in the field, our pentesting lab has been
condensed into these three machines.
That said, just because a port is open does not mean that vulnerabilities
are present. Rather it leaves us with the possibility that vulnerable software
might be running on these ports. Our Windows 7 machine is listening only
on port 80 u, the traditional port for HTTP web servers, and port 139
for remote procedure call. There may be exploitable software listening
on ports that are not allowed through the Windows firewall, and there
may be vulnerable software running locally on the machine, but at the
moment we can’t attempt to exploit anything directly over the network
except the web server.
This basic Nmap scan has already helped us focus our pentesting efforts.
Both the Windows XP and Linux targets are running FTP servers v, web
servers w, and SMB servers x. The Windows XP machine is also running a
mail server that has opened several ports y and a MySQL server z.
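The .gnmap file that -oA writes is the one meant for tooling, and the text above only says it is "greppable". The following Python is an added example, not code from the book or from Nmap, that parses Nmap's greppable format (one tab-separated "Key: value" line per host, with port entries of the form port/state/protocol/owner/service/rpcinfo/version/) into a per-host inventory. The SAMPLE_GNMAP content is constructed to resemble the three hosts of Listing 5-6 with shortened port lists; the host addresses and counts are illustrative, not the book's real file.

```python
from collections import defaultdict

# Constructed sample of an Nmap greppable (.gnmap) file, modelled on the three
# hosts of Listing 5-6. It is not the book's actual booknmap.gnmap; the port
# lists are abbreviated and the "Ignored State" counts are made up to match.
SAMPLE_GNMAP = """# Nmap 6.40 scan initiated Fri Dec 18 07:28:00 2015 as: nmap -sS 192.168.20.10-12 -oA booknmap
Host: 192.168.20.10 ()\tStatus: Up
Host: 192.168.20.10 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql///\tIgnored State: closed (994)
Host: 192.168.20.11 ()\tStatus: Up
Host: 192.168.20.11 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 2049/open/tcp//nfs///\tIgnored State: closed (996)
Host: 192.168.20.12 ()\tStatus: Up
Host: 192.168.20.12 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///\tIgnored State: filtered (998)
# Nmap done at Fri Dec 18 07:45:50 2015 -- 3 IP addresses (3 hosts up) scanned in 1070.40 seconds
"""


def _fields(line):
    """Split one "Host:" line into its tab-separated "Key: value" fields."""
    return dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)


def parse_gnmap(text):
    """Parse greppable output into {host: [(port, proto, state, service), ...]}.

    Lines starting with "#" are the scan header/footer; every other line starts
    with "Host:". A line without a Ports field is the status-only line Nmap
    emits before the port list, so the host is recorded with no ports.
    """
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = _fields(line)
        host = fields["Host"].split()[0]  # "192.168.20.10 ()" -> address only
        ports = fields.get("Ports")
        if ports is None:
            results.setdefault(host, [])
            continue
        for entry in ports.split(", "):
            port, state, proto, _owner, service, *_ = entry.split("/")
            results[host].append((int(port), proto, state, service))
    return dict(results)


def hosts_with_service(results, service, state="open"):
    """Hosts that expose `service` in the given state, sorted for stable output."""
    return sorted(
        host for host, ports in results.items()
        if any(svc == service and st == state for _, _, st, svc in ports)
    )


def ignored_state(text):
    """{host: (count, state)} from the "Ignored State" field, e.g. (998, "filtered").

    A large count of filtered ports is the greppable-format equivalent of the
    "Not shown: 999 filtered ports" line in Listing 5-6 that points at a firewall.
    """
    out = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = _fields(line)
        if "Ignored State" in fields:
            state, count = fields["Ignored State"].split(" (")
            out[fields["Host"].split()[0]] = (int(count.rstrip(")")), state)
    return out


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in scan.items():
        print(host, [f"{p}/{proto}" for p, proto, st, _ in ports if st == "open"])
    print("FTP exposed on:", hosts_with_service(scan, "ftp"))
    print("Ignored-state summary:", ignored_state(SAMPLE_GNMAP))
```

Run it against a real booknmap.gnmap by replacing SAMPLE_GNMAP with the file's contents; the same parser handles UDP entries (for example 69/open|filtered/udp//tftp///) because the state is carried verbatim in the second slash-separated field.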
A Version Scan
Our SYN scan was stealthy, but it didn’t tell us much about the software that
is actually running on the listening ports. Compared to the detailed version
information we got by connecting to port 25 with Netcat, the SYN scan’s
results are a bit lackluster. We can use a full TCP scan (nmap -sT) or go a
step further and use Nmap’s version scan (nmap -sV) to get more data. With
the version scan shown in Listing 5-7, Nmap completes the connection and
then attempts to determine what software is running and, if possible, the
version, using techniques such as banner grabbing.
root@kali:~# nmap -sV 192.168.20.10-12 -oA bookversionnmap
Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-18 08:29 EST
Nmap scan report for 192.168.20.10
Host is up (0.00046s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.32 beta
25/tcp open smtp SLmail smtpd 5.5.0.4433
79/tcp open finger SLMail fingerd
80/tcp open http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k
mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0)
106/tcp open pop3pw SLMail pop3pw
110/tcp open pop3 BVRP Software SLMAIL pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open ssl/http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k
mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0)
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL (unauthorized)
5000/tcp open upnp Microsoft Windows UPnP
MAC Address: 00:0C:29:A5:C1:24 (Vmware)
Service Info: Host: georgia.com; OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 192.168.20.11
Host is up (0.00065s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4 u
22/tcp open ssh OpenSSH 5.1p1 Debian 3ubuntu1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.9 ((Ubuntu) PHP/5.2.6-2ubuntu4.6 with
Suhosin-Patch)
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
MAC Address: 00:0C:29:FD:0E:40 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
Nmap scan report for 192.168.20.12
Host is up (0.0010s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:62:D5:C8 (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 20.56 seconds
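The text above notes that Nmap's XML output is the format other tools import. As an added example (not the book's code and not part of Nmap), the Python below reads the XML that -oA also writes for a version scan, pulls the product and version that -sV recorded for each open port, and does two defender-side checks: it reports services that are not in a constructed expected-service baseline for the host, and it separates services whose name came only from Nmap's port table (method="table") from those Nmap actually probed (method="probed"). SAMPLE_XML is constructed to mirror part of Listing 5-7 and is not the book's bookversionnmap.xml; the baseline is a hypothetical inventory.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed excerpt of Nmap XML output (-oX / the .xml file -oA writes), shaped
# after part of Listing 5-7. Not the book's own file; ports are abbreviated and a
# filtered 443 is added to show that non-open ports are skipped.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 192.168.20.10-12 -oA bookversionnmap" version="6.40">
  <host>
    <status state="up"/>
    <address addr="192.168.20.11" addrtype="ipv4"/>
    <address addr="00:0C:29:FD:0E:40" addrtype="mac" vendor="VMware"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.1p1 Debian 3ubuntu1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.9" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="2049"><state state="open" reason="syn-ack"/>
        <service name="nfs" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.20.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft IIS httpd" version="7.5" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""

Service = namedtuple("Service", "host port proto name product version method")


def parse_services(xml_text):
    """Return a Service row for every open port, in document order."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            rows.append(Service(
                addr, int(port.get("portid")), port.get("protocol"),
                svc.get("name", ""), svc.get("product", ""), svc.get("version", ""),
                svc.get("method", ""),
            ))
    return rows


def unexpected_services(rows, baseline):
    """Rows whose (port, proto) is absent from the host's baseline.

    `baseline` maps host -> set of (port, proto) that the asset inventory says
    should be listening; a host missing from the baseline has everything flagged.
    """
    return [r for r in rows if (r.port, r.proto) not in baseline.get(r.host, set())]


def guessed_only(rows):
    """(host, port, name) for services Nmap never probed successfully.

    method="table" means the name is just the well-known-port label, so it says
    nothing about what is really answering on that port.
    """
    return [(r.host, r.port, r.name) for r in rows if r.method != "probed"]


if __name__ == "__main__":
    rows = parse_services(SAMPLE_XML)
    # Hypothetical inventory for the two hosts, constructed for this example.
    baseline = {
        "192.168.20.11": {(22, "tcp"), (80, "tcp"), (2049, "tcp")},
        "192.168.20.12": {(80, "tcp")},
    }
    for r in rows:
        print(f"{r.host}:{r.port}/{r.proto} {r.name} {r.product} {r.version}".rstrip())
    print("not in baseline:", [(r.host, r.port, r.product) for r in unexpected_services(rows, baseline)])
    print("name only, no banner:", guessed_only(rows))
```

Because the row keeps the product and version strings exactly as Nmap wrote them, the output can be fed into an inventory or patch-tracking system without re-parsing the human-readable table in Listing 5-7.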
UDP Scans
Both Nmap’s SYN and version scans are TCP scans that do not query UDP
ports. Because UDP is connectionless, the scanning logic is a bit different.
In a UDP scan (-sU), Nmap sends a UDP packet to a port. Depending on
the port, the packet sent is protocol specific. If it receives a response, the
port is considered open. If the port is closed, Nmap will receive an ICMP
Port Unreachable message. If Nmap receives no response whatsoever, then
either the port is open and the program listening does not respond to
Nmap’s query, or the traffic is being filtered. Thus, Nmap is not always able
to distinguish between an open UDP port and one that is filtered by a firewall.
See Listing 5-8 for a UDP scan example.
root@kali:~# nmap -sU 192.168.20.10-12 -oA bookudp
Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-18 08:39 EST
Stats: 0:11:43 elapsed; 0 hosts completed (3 up), 3 undergoing UDP Scan
UDP Scan Timing: About 89.42% done; ETC: 08:52 (0:01:23 remaining)
Nmap scan report for 192.168.20.10
Host is up (0.00027s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
69/udp open|filtered tftp u
123/udp open ntp
135/udp open msrpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1026/udp open win-rpc
1065/udp open|filtered syscomlan
1900/udp open|filtered upnp
MAC Address: 00:0C:29:A5:C1:24 (VMware)
Nmap scan report for 192.168.20.11
Host is up (0.00031s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
111/udp open rpcbind
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
2049/udp open nfs v
5353/udp open zeroconf
MAC Address: 00:0C:29:FD:0E:40 (VMware)
Nmap scan report for 192.168.20.12
Host is up (0.072s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: 00:0C:29:62:D5:C8 (VMware)
Nmap done: 3 IP addresses (3 hosts up) scanned in 1073.86 seconds
For example, on the Windows XP system, the TFTP port (UDP 69) may
be open or filtered u. On the Linux target, Nmap was able to glean that
the Network File System port is listening v. Because only two TCP ports
responded on the Windows 7 box, it’s fair to assume that a firewall is in
place, in this case the built-in Windows firewall. Likewise, the Windows firewall
is filtering all traffic except to one UDP port. (If the Windows firewall
were not in place, our UDP scan might give us more information.)
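The UDP discussion above turns on one ambiguity: a port that replies is open, a port that returns ICMP Port Unreachable is closed, and silence is reported as open|filtered because Nmap cannot tell an unresponsive service from a firewall drop. The Python below is an added example, not from the book or from Nmap, that parses the normal-format (.nmap) report into per-host port tables and then triages the UDP results: ports confirmed open, ports that still need follow-up, and a firewall hint taken from the "Not shown:" line, which reads "999 open|filtered ports" for the Windows 7 box in Listing 5-8 but "990 closed ports" for the XP box. SAMPLE_NMAP is constructed in the shape of Listing 5-8 with shortened port lists and is not the book's bookudp.nmap file.

```python
import re

# Constructed normal-format (.nmap) excerpt in the shape of Listing 5-8; the
# port lists are shortened and it is not the book's own bookudp.nmap file.
SAMPLE_NMAP = """Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-18 08:39 EST
Nmap scan report for 192.168.20.10
Host is up (0.00027s latency).
Not shown: 990 closed ports
PORT     STATE         SERVICE
69/udp   open|filtered tftp
123/udp  open          ntp
137/udp  open          netbios-ns
1900/udp open|filtered upnp
MAC Address: 00:0C:29:A5:C1:24 (VMware)

Nmap scan report for 192.168.20.12
Host is up (0.072s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:0C:29:62:D5:C8 (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 1073.86 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")
# Combined states must come before their single-word parts in the alternation.
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)"
)


def parse_normal_output(text):
    """{host: {"ports": [(port, proto, state, service)], "not_shown": (count, state)}}"""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"ports": [], "not_shown": None}
            continue
        if current is None:
            continue  # banner lines before the first host report
        m = NOT_SHOWN_RE.match(line)
        if m:
            hosts[current]["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            hosts[current]["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts


def triage_udp(hosts):
    """Split each host's UDP findings into what is known and what is not.

    confirmed: a UDP reply came back, so something is listening.
    unknown:   no reply at all; either the service ignored the probe or a
               firewall dropped it, so these need a protocol-specific recheck.
    likely_firewall: the bulk of unshown ports were (open|)filtered rather than
               closed, i.e. the host did not even send ICMP Port Unreachable.
    """
    out = {}
    for host, info in hosts.items():
        udp = [p for p in info["ports"] if p[1] == "udp"]
        count, state = info["not_shown"] or (0, "")
        out[host] = {
            "confirmed": [p for p, _, st, _ in udp if st == "open"],
            "unknown": [p for p, _, st, _ in udp if st == "open|filtered"],
            "likely_firewall": count > 0 and state in ("filtered", "open|filtered"),
        }
    return out


if __name__ == "__main__":
    for host, verdict in triage_udp(parse_normal_output(SAMPLE_NMAP)).items():
        print(host, verdict)
```

The "unknown" list is the one a defender cares about: a UDP service such as TFTP that simply does not answer Nmap's probe looks identical to one hidden by a firewall, so those ports should be confirmed from the host side (what is actually bound) rather than from the scan alone.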
Scanning a Specific Port
By default, Nmap scans only the 1,000 ports it considers the most “interesting,”
not the 65,535 possible TCP or UDP ports. The default Nmap scan will
catch common running services, but in some cases it will miss a listening port
or two. To scan specific ports, use the -p flag with Nmap. For example, to
scan port 3232 on the Windows XP target, see Listing 5-9.
root@Kali:~# nmap -sS -p 3232 192.168.20.10
Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-18 09:03 EST
Nmap scan report for 192.168.20.10
Host is up (0.00031s latency).
PORT STATE SERVICE
3232/tcp open unknown
MAC Address: 00:0C:29:A5:C1:24 (VMware)
Listing 5-9: Running an Nmap scan on a specific port
Sure enough, when we tell Nmap to scan 3232, it returns open, which
shows that this port is worth checking out, in addition to the default Nmap
scanned ports. However, if we try to probe the port a bit more aggressively
with a version scan (see Listing 5-10), the service listening on the port
crashes, as shown in Figure 5-8.
Note: A good rule of thumb is to specify ports 1 through 65535 on your pentests, just to
make sure there’s nothing listening on those other “uninteresting” ports.
root@kali:~# nmap -p 3232 -sV 192.168.20.10
Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-28 10:19 EDT
Nmap scan report for 192.168.20.10
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
3232/tcp open unknown
1 service unrecognized despite returning data u. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : v
SF-Port3232-TCP:V=6.25%I=7%D=4/28%Time=517D2FFC%P=i686-pc-linux-gnu%r(GetR
SF:equest,B8,"HTTP/1.1\x20200\x20OK\r\nServer:\x20Zervit\x200.4\r\nwX-Pow
SF:ered-By:\x20Carbono\r\nConnection:\x20close\r\nAccept-Ranges:\x20bytes\
SF:r\nContent-Type:\x20text/html\r\nContent-Length:\x2036\r\n\r\n\r\
SF:n\r\nhi\r\n\r\n");
MAC Address: 00:0C:29:13:FA:E3 (VMware)
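Listing 5-9 shows why the -p flag matters: port 3232 was outside Nmap's default set and only turned up because it was named explicitly, and the note above recommends scanning 1 through 65535. As an added example (not code from the book or from Nmap), the Python below expands an Nmap-style -p specification into the set of ports it will actually cover, so a scan plan can be checked before it runs. It handles the forms Nmap accepts that I am certain of: single ports, ranges, comma lists, the T:/U: protocol prefixes that apply to the tokens after them, and a bare "-" meaning every port. The `covers` helper and the sample specifications are constructed for this example.

```python
def expand_port_spec(spec):
    """Expand an Nmap -p style string into {"tcp": set(), "udp": set()}.

    Accepted forms (all are Nmap syntax): "22", "21-25", "22,80,443",
    "U:53,T:21-25" (a prefix applies to every token after it until the next
    prefix), "-" for 1-65535, and open-ended ranges such as "1-" or "-1024".
    Without a prefix a token applies to both protocols, which matches Nmap's
    behaviour when a scan includes both TCP and UDP.
    """
    ports = {"tcp": set(), "udp": set()}
    current = ("tcp", "udp")
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty port token in specification")
        if token[:2].upper() in ("T:", "U:"):
            current = ("tcp",) if token[0].upper() == "T" else ("udp",)
            token = token[2:]
        if token == "-":
            lo, hi = 1, 65535
        elif "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else 65535
        else:
            lo = hi = int(token)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of bounds: {token}")
        for proto in current:
            ports[proto].update(range(lo, hi + 1))
    return ports


def covers(spec, port, proto="tcp"):
    """True if a scan run with `-p spec` would probe `port` on `proto`."""
    return port in expand_port_spec(spec)[proto]


def coverage_summary(spec):
    """(tcp_count, udp_count) so a plan can be sanity-checked before scanning."""
    expanded = expand_port_spec(spec)
    return len(expanded["tcp"]), len(expanded["udp"])


if __name__ == "__main__":
    # Constructed sample specifications for demonstration.
    for sample in ("3232", "1-1024", "U:53,111,T:21-25,80,139", "-"):
        print(f"{sample!r:32} tcp/udp ports: {coverage_summary(sample)}")
    print("Does '1-1024' reach port 3232?", covers("1-1024", 3232))
    print("Does '-' reach port 3232?", covers("-", 3232))
```

Note that "1-1024" is not the same as Nmap's default: the default 1,000 ports are chosen by how often they were seen open, not by numeric range, so the only spec that is guaranteed to include a port like 3232 is one that names it or spans it.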
Published @ March 23, 2022 6:06 am