# nmap -a -t4 scanme nmap

nmap

• Fyodor (www.insecure.org)
• Network Mapper
• Port scanner
• OS fingerprinter
• Scans a particular target for all open ports
• Very invasive and very powerful

nmap Uses

• Network exploration tool and port scanner
• Security audits
• Network inventory
• Upgrade schedules
• Monitoring host/service uptime

• # nmap -A -T4 scanme.nmap.org playground
• Starting nmap ( http://www.insecure.org/nmap/ )
• Interesting ports on scanme.nmap.org (205.217.153.62):
• (The 1663 ports scanned but not shown below are in state: filtered)
• PORT STATE SERVICE VERSION
• 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
• 53/tcp open domain
• 70/tcp closed gopher
• 80/tcp open http Apache httpd 2.0.52 ((Fedora))
• 113/tcp closed auth
• Device type: general purpose
• Running: Linux 2.4.X|2.5.X|2.6.X
• OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
• Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)
• Interesting ports on playground.nmap.org (192.168.0.40):
• (The 1659 ports scanned but not shown below are in state: closed)
• PORT STATE SERVICE VERSION
• 135/tcp open msrpc Microsoft Windows RPC
• 139/tcp open netbios-ssn
• 389/tcp open ldap?
• 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
• 1002/tcp open windows-icfw?
• 1025/tcp open msrpc Microsoft Windows RPC
• 1720/tcp open H.323/Q.931 CompTek AquaGateKeeper
• 5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)
• 5900/tcp open vnc VNC (protocol 3.8)
• MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
• Device type: general purpose
• Running: Microsoft Windows NT/2K/XP
• OS details: Microsoft Windows XP Pro RC1+ through final release
• Service Info: OSs: Windows, Windows XP
• Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds

• Example nmap Scan

• # nmap
• Usage: nmap [Scan Type(s)] [Options] {target specification}
• TARGET SPECIFICATION:
• Can pass hostnames, IP addresses, networks, etc.
• Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
• -Nmap 3.95 ( http://www.insecure.org/nmap/ )
• iL : Input from list of hosts/networks
• -iR : Choose random targets
• --exclude : Exclude hosts/networks
• --excludefile : Exclude list from file
• HOST DISCOVERY:
• -sL: List Scan - simply list targets to scan
• -sP: Ping Scan - go no further than determining if host is online
• -P0: Treat all hosts as online -- skip host discovery
• -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
• -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
• -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
• SCAN TECHNIQUES:
• -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
• -sN/sF/sX: TCP Null, FIN, and Xmas scans
• --scanflags : Customize TCP scan flags
• -sI : Idlescan
• -sO: IP protocol scan
• -b : FTP bounce scan
• PORT SPECIFICATION AND SCAN ORDER:
• -p
  : Only scan specified ports
• Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
• -F: Fast - Scan only the ports listed in the nmap-services file)
• -r: Scan ports consecutively - don't randomize

• nmap Options Summary and Syntax

• SERVICE/VERSION DETECTION:
• -sV: Probe open ports to determine service/version info
• --version_light: Limit to most likely probes for faster identification
• --version_all: Try every single probe for version detection
• --version_trace: Show detailed version scan activity (for debugging)
• OS DETECTION:
• -O: Enable OS detection
• --osscan_limit: Limit OS detection to promising targets
• --osscan_guess: Guess OS more aggressively
• TIMING AND PERFORMANCE:
• -T[0-5]: Set timing template (higher is faster)
• --min_hostgroup/max_hostgroup : Parallel host scan group sizes
• --min_parallelism/max_parallelism : Probe parallelization
• --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout : Specifies
• probe round trip time.
• --host_timeout : Give up on target after this long
• --scan_delay/--max_scan_delay : Adjust delay between probes
• FIREWALL/IDS EVASION AND SPOOFING:
• -f; --mtu : fragment packets (optionally w/given MTU)
• -D : Cloak a scan with decoys
• -S : Spoof source address
• -e : Use specified interface
• -g/--source_port
  : Use given port number
• --data_length : Append random data to sent packets
• --ttl : Set IP time-to-live field
• --spoof_mac : Spoof your MAC address

• nmap Syntax (cont)

• nmap Syntax (cont)

• OUTPUT:
• -oN/-oX/-oS/-oG : Output scan in normal, XML, s|
• and Grepable format, respectively, to the given filename.
• -oA : Output in the three major formats at once
• -v: Increase verbosity level (use twice for more effect)
• -d[level]: Set or increase debugging level (Up to 9 is meaningful)
• --packet_trace: Show all packets sent and received
• --iflist: Print host interfaces and routes (for debugging)
• --append_output: Append to rather than clobber specified output files
• --resume : Resume an aborted scan
• --stylesheet
  : XSL stylesheet to transform XML output to HTML
• --webxml: Reference stylesheet from Insecure.Org for more portable XML
• --no_stylesheet: Prevent associating of XSL stylesheet w/XML output
• MISC:
• -6: Enable IPv6 scanning
• -A: Enables OS detection and Version detection
• --datadir : Specify custom Nmap data file location
• --send_eth/--send_ip: Send using raw ethernet frames or IP packets
• --privileged: Assume that the user is fully privileged
• -V: Print version number
• -h: Print this help summary page.
• EXAMPLES:
• nmap -v -A scanme.nmap.org
• nmap -v -sP 192.168.0.0/16 10.0.0.0/8
• nmap -v -iR 10000 -P0 -p 80
• SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES