It was originally written by Gordon Lyon and it can answer the following questions easily:

  1. What computers did you find running on the local network?
  2. What IP addresses did you find running on the local network?
  3. What is the operating system of your target machine?
  4. Find out what ports are open on the machine that you just scanned?
  5. Find out if the system is infected with malware or virus.
  6. Search for unauthorized servers or network service on your network.
  7. Find and remove computers which don’t meet the organization’s minimum level of security.

 

scan network

 

  1. scan single host: nmap ip_address  eg:nmap 192.168.0.10
  2. scan multiple host in range: nmap start_Ip_address-end_IP_address  eg: nmap 192.168.0.10-30
  3. scan whole network: nmap network_address /mask_length eg:nmap 192.168.0.0/24

 

switches
  • If a server deny the ping reply for security reason, you can add -sS to bypass this feature and is good for stealth skinning. add -Pn ensure that no ping request is sent with the scam. lastly add a -O which tells the nmap to attempt to determine the operating system.
  • SYN packet discovery (-PS) – Best against stateful firewalls
  • ACK packet discovery (-PA) – Best against stateless firewalls
  • Protocol Ping (-PO): default is to send 3 probes, for protocols 1 (ICMP),2 (IGMP), and 4 (IP-in-IP)
  • specify how many port you want to scan: -top-ports and -port-ratio.Top-port <n> scans the most commonly open <n> ports for each protocol requestedport-ratio <n> (where n is between 0 and 1) scans all ports with a frequency of at least the given level.
    TCP effectiveness of –top-­port values
    • ­­top­-ports 10: 48%
    • ­­top­-ports 50: 65%
    •­­ top­-ports 100: 73%
    •­­ top­-ports 250: 83%
    • ­­top­-ports 500: 89%
    • ­­top­-ports 1000: 93%
    • ­­top­-ports 2000: 96%
    • ­­top­-ports 3674: 100%
    UDP effectiveness of –top­port values
    • ­­top­ports 10: 50%
    • ­­top­ports 50: 86%
    • ­­top­ports 100: 90%
    • ­­top­ports 250: 94%
    • ­­top­ports 500: 97%
    • ­­top­ports 1017: 100%
    Note: ­p­ UDP data not yet available
  • Scan at a specified speed: -min-rate and -max-rate : eg. nmap -min-rate 500 scanme.nmap.org
  • Scan for MAC address of host :-sP

 

Tips
  • Closed ports better than open one, because they are more likely to respond
  • Port 53 often worthwhile due to firewall exceptions for DNS
  • UDP scan usually take longer time but it do worth your effort.
    Fast scan: nmap -sUV -F -T4 scanme.nmap.org , when you hit the Enter, it show you the progress of the scanning.

ICMP host discovery method (-PE, -PM, -PP)
  • Some systems intentionally allow echo requests, but block the others
  • Others block echo requests explicitly, but forget about netmask/timestamp requests
  • Solution: Use both -echo request and one of the other two.

 

create a report in (html, xml) format

 

1. First, to export the nmap scan result to a xml file:

nmap -v -A ip_address -oX file_name.xml

-v: verbose, display the process.

-A: append the output to a file instead of overwrite it.

-oX: write the output in xml format.

2. use xsltproc to convert the xml file into a html file ( if you don’t have xsltproc installed in your system, use apt-get install xsltproc):

xsltproc file_name.xml -o /var/www/html/file_name.html

the reason I use the /var/www/html to store the html is you can browse it by input the 127.0.0.1/file_name.html to browse it from a browser.

use service apache2 start if your web service is not running. Alternatively, you can browse it by double click it in the other folder as well.

Basic scan

nmap -vv -O -P0 -sTUV –top-ports 1000 -oA target $target

Which does all of the following:

  • very verbose
  • get the operating system
  • tcp, udp, and version information
  • top 1,000 TCP and UDP ports
  • output in nmap, greppable, and XML format

 

Related Resource: