It was originally written by Gordon Lyon and it can answer the following questions easily:
- What computers did you find running on the local network?
- What IP addresses did you find running on the local network?
- What is the operating system of your target machine?
- Find out what ports are open on the machine that you just scanned?
- Find out if the system is infected with malware or virus.
- Search for unauthorized servers or network service on your network.
- Find and remove computers which don’t meet the organization’s minimum level of security.
- scan single host:
nmap ip_addresseg:nmap 192.168.0.10
- scan multiple host in range:
nmap start_Ip_address-end_IP_addresseg: nmap 192.168.0.10-30
- scan whole network:
nmap network_address /mask_lengtheg:nmap 192.168.0.0/24
- If a server deny the ping reply for security reason, you can add -sS to bypass this feature and is good for stealth skinning. add -Pn ensure that no ping request is sent with the scam. lastly add a -O which tells the nmap to attempt to determine the operating system.
- SYN packet discovery (-PS) – Best against stateful firewalls
- ACK packet discovery (-PA) – Best against stateless firewalls
- Protocol Ping (-PO): default is to send 3 probes, for protocols 1 (ICMP),2 (IGMP), and 4 (IP-in-IP)
- specify how many port you want to scan: -top-ports and -port-ratio.Top-port <n> scans the most commonly open <n> ports for each protocol requestedport-ratio <n> (where n is between 0 and 1) scans all ports with a frequency of at least the given level.
TCP effectiveness of –top-port values• top-ports 10: 48%• top-ports 50: 65%• top-ports 100: 73%• top-ports 250: 83%• top-ports 500: 89%• top-ports 1000: 93%• top-ports 2000: 96%• top-ports 3674: 100%
UDP effectiveness of –topport values
• topports 10: 50%
• topports 50: 86%
• topports 100: 90%
• topports 250: 94%
• topports 500: 97%
• topports 1017: 100%
• Note: p UDP data not yet available
- Scan at a specified speed: -min-rate and -max-rate : eg. nmap -min-rate 500 scanme.nmap.org
- Scan for MAC address of host :－sP
- Closed ports better than open one, because they are more likely to respond
- Port 53 often worthwhile due to firewall exceptions for DNS
- UDP scan usually take longer time but it do worth your effort.
nmap -sUV -F -T4 scanme.nmap.org, when you hit the Enter, it show you the progress of the scanning.
ICMP host discovery method (-PE, -PM, -PP)
- Some systems intentionally allow echo requests, but block the others
- Others block echo requests explicitly, but forget about netmask/timestamp requests
- Solution: Use both -echo request and one of the other two.
create a report in (html, xml) format
1. First, to export the nmap scan result to a xml file:
nmap -v -A ip_address -oX file_name.xml
-v: verbose, display the process.
-A: append the output to a file instead of overwrite it.
-oX: write the output in xml format.
2. use xsltproc to convert the xml file into a html file ( if you don’t have xsltproc installed in your system, use apt-get install xsltproc):
xsltproc file_name.xml -o /var/www/html/file_name.html
the reason I use the /var/www/html to store the html is you can browse it by input the 127.0.0.1/file_name.html to browse it from a browser.
service apache2 start if your web service is not running. Alternatively, you can browse it by double click it in the other folder as well.