NMAP  - top - How to perform Information Gathering in Kali using NMAP

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

In addition to the classic -line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Also Read  : scanless Tool for using Websites to Perform Port Scans on your Behalf

Nmap is …

  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detectionversion detection, ping sweeps, and more. See the documentation page.
  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as “nmap -v -A targethost“. Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/ with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
  • Well Documented: Significant effort has been into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
  • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
  • Acclaimed: Nmap has won numerous awards, including “Information Security Product of the Year” by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

 TOP NMAP COMMEANDS:

1: To find out nmap version, run:

 # nmap --version

Sample outputs:

Nmap version 5.51 ( http://nmap.org )

2: To scan an IP address or a host name (FQDN), run:


 # nmap 1.2.3.4
 # nmap localhost
 # nmap 192.168.1.1

3:  Information out of the remote system:


 # nmap -v -A scanme.nmap.org
 # nmap -v -A 192.168.1.1

Sample outputs:

 Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-19 16:38 IST
 NSE: Loaded 30 scripts for scanning.
 Initiating ARP Ping Scan at 16:38
 Scanning 192.168.1.1 [1 port]
 Completed ARP Ping Scan at 16:38, 0.04s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 16:38
 Completed Parallel DNS resolution of 1 host. at 16:38, 0.00s elapsed
 Initiating SYN Stealth Scan at 16:38
 Scanning 192.168.1.1 [1000 ports]
  open port 80/tcp on 192.168.1.1
  open port 22/tcp on 192.168.1.1
 Completed SYN Stealth Scan at 16:38, 0.27s elapsed (1000 total ports)

4:  Scan multiple IP address or subnet (IPv4):


 nmap 192.168.1.1 192.168.1.2 192.168.1.3
 ## works with same subnet i.e. 192.168.1.0/24
 nmap 192.168.1.1,2,3

You can scan a range of IP address too:

nmap 192.168.1.1-20

You can scan a range of IP address using a wildcard:

nmap 192.168.1.*

Finally, you scan an entire subnet:

nmap 192.168.1.0/24

5: Find out if a host/network is protected by a firewall:

 nmap -sA 192.168.1.254
 nmap -sA server1.gbhackers.com

6: Turn on OS and version detection scanning script (IPv4):

 nmap -A 192.168.1.254
 nmap -v -A 192.168.1.1
 nmap -A -iL /tmp/scanlist.txt 

7:  Scan a host when protected by the firewall:

 nmap -PN 192.168.1.1
 nmap -PN server1.gbhackers.com

8: Scan an IPv6 host/address:


 The -6 option enable IPv6 scanning. The syntax is:

 nmap -6 IPv6-Address-Here
 nmap -6 server1.gbhackers.com
 nmap -6 2607:f0d0:1002:51::4
 nmap -v A -6 2607:f0d0:1002:51::4

9:  How do I perform a fast scan:

 nmap -F 192.168.1.1

10: Display the reason a port is in a particular state:


 nmap --reason 192.168.1.1
 nmap --reason server1.gbhackers.com

11: Only show open (or possibly open) ports:

 nmap --open 192.168.1.1
 nmap --open server1.gbhackers.com

12: Show all packets sent and received:

 nmap --packet-trace 192.168.1.1
 nmap --packet-trace server1.gbhackers.com

13: Show host interfaces and routes:

This is useful for debugging (ip command or route command or netstat command like
 output using nmap)

 nmap --iflist

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST
 ************************INTERFACES************************
 DEV (SHORT) IP/MASK TYPE UP MAC
 lo (lo) 127.0.0.1/8 loopback up
 eth0 (eth0) 192.168.1.5/24 ethernet up B8:AC:6F:65:31:E5
 vmnet1 (vmnet1) 192.168.121.1/24 ethernet up 00:50:56:C0:00:01
 vmnet8 (vmnet8) 192.168.179.1/24 ethernet up 00:50:56:C0:00:08
 ppp0 (ppp0) 10.1.19.69/32 point2point up

**************************ROUTES**************************
 DST/MASK DEV GATEWAY
 10.0.31.178/32 ppp0
 209.133.67.35/32 eth0 192.168.1.2
 192.168.1.0/0 eth0
 192.168.121.0/0 vmnet1
 192.168.179.0/0 vmnet8
 169.254.0.0/0 eth0
 10.0.0.0/0 ppp0
 0.0.0.0/0 eth0 192.168.1.2


14: How do I scan specific ports:

 nmap -p [port] hostName
 ## Scan port 80
  nmap -p 80 192.168.1.1

## Scan TCP port 80
 nmap -p T:80 192.168.1.1

## Scan UDP port 53
 nmap -p U:53 192.168.1.1

## Scan two ports ##
 nmap -p 80,443 192.168.1.1

## Scan port ranges ##
 nmap -p 80-200 192.168.1.1

##  all options ##
 nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
 nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
 nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

## Scan all ports with * wildcard ##
 nmap -p "*" 192.168.1.1

## Scan top ports i.e. scan $number most common ports ##
 nmap --top-ports 5 192.168.1.1
 nmap --top-ports 10 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
 Interesting ports on 192.168.1.1:
 PORT STATE SERVICE
 21/tcp closed ftp
 22/tcp open ssh
 23/tcp closed telnet
 25/tcp closed smtp
 80/tcp open http
 110/tcp closed pop3
 139/tcp closed netbios-ssn
 443/tcp closed 
 445/tcp closed microsoft-ds
 3389/tcp closed ms-term-serv
 MAC Address: BC:AE:C5:C3:16:93 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds





Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here