|
| 1 | +--- |
| 2 | +category: tool |
| 3 | +tool: Nmap |
| 4 | +contributors: |
| 5 | + - [ "Sebastian Oberdorfer" , "https://github.com/SOberdorfer" ] |
| 6 | +filename: LearnNmap.txt |
| 7 | +--- |
| 8 | + |
| 9 | +### Learn Nmap in Y Minutes |
| 10 | + |
| 11 | +So, you’re connected to a network and want to know what else is connected to it. |
| 12 | +Maybe you’re trying to find that mystery device eating up bandwidth or check |
| 13 | +if there are services running you didn’t know about, or you just want to verify |
| 14 | +what ports are exposed on your machine? |
| 15 | + |
| 16 | +Meet your swiss-army network knife named **Nmap**! |
| 17 | + |
| 18 | +--- |
| 19 | + |
| 20 | +### Introduction |
| 21 | + |
| 22 | +**Nmap 101** |
| 23 | +Nmap is an open-source network scanning tool built by Gordon Lyon. Designed to |
| 24 | +help you find devices, open ports and services across your network. |
| 25 | +It’s a swiss-army knife for network admins, security folks, dev's and anyone |
| 26 | +curious about what’s living on their network. |
| 27 | + |
| 28 | +**When to Use It** |
| 29 | + |
| 30 | +- **Finding Devices**: What’s connected, and what’s running? |
| 31 | +- **Network Troubleshooting**: Resolve DNS or connection issues. |
| 32 | +- **Vulnerability Detection**: Spotting potentially risky services. |
| 33 | +- **Network Security**: Evaluate exposed ports. |
| 34 | + |
| 35 | +**When *Not* to Use It** |
| 36 | + |
| 37 | +- **Public Networks**: Scanning Starbucks WiFi might land you in hot tea. |
| 38 | +- **Corporate Networks**: Scanning your corporate network without permission, is |
| 39 | + potentially not allowed. |
| 40 | +- **Global Web**: In some cases scanning across the web can be illegal. |
| 41 | + |
| 42 | +Certain scans are intrusive and can trigger security alarms, so stick to **only |
| 43 | +** |
| 44 | +scanning networks or systems where you have permission. Unauthorized scanning |
| 45 | +can be considered illegal under cybersecurity laws in many regions, and |
| 46 | +companies |
| 47 | +might view it as a hacking attempt. |
| 48 | + |
| 49 | +Use Nmap extensively and wisely. |
| 50 | + |
| 51 | +--- |
| 52 | + |
| 53 | +### Installation |
| 54 | + |
| 55 | +Installation is straightforward, thoroughly explained on [nmap.org - install](https://nmap.org/book/install.html) |
| 56 | + |
| 57 | +--- |
| 58 | + |
| 59 | +### The Basics |
| 60 | + |
| 61 | +These are low-key scans that safe to use since they don’t do deep probing. |
| 62 | + |
| 63 | +- **Ping Scan**: |
| 64 | + A low-impact scan just to check if devices are online. Typically fine on |
| 65 | + trusted networks. |
| 66 | + - Scan a single device |
| 67 | + ```bash |
| 68 | + nmap -sn 192.168.1.1 |
| 69 | + ``` |
| 70 | + - Scan a range of devices |
| 71 | + ```bash |
| 72 | + nmap -sn 192.168.1.1-100 |
| 73 | + ``` |
| 74 | + - Scan a CIDR range of devices |
| 75 | + ```bash |
| 76 | + nmap -sn 192.168.1.0/24 # Range 192.168.1.0 to 192.168.1.255 |
| 77 | + nmap -sn 192.168.0.0/16 # Range 192.168.0.0 to 192.168.255.255 |
| 78 | + nmap -sn 192.0.0.0/8 # Range 192.0.0.0 to 192.255.255.255 |
| 79 | + ``` |
| 80 | + |
| 81 | +- **Fast Scan**: |
| 82 | + Quickly checks the 100 most common ports. Great for a quick peek without |
| 83 | + probing all 65,535 ports. |
| 84 | + ```bash |
| 85 | + nmap -F 192.168.1.1 |
| 86 | + ``` |
| 87 | + |
| 88 | +- **Operating System Detection**: |
| 89 | + OS detection requires some extra probing, which might be detectable by |
| 90 | + Intrusion Detection Systems (IDS). |
| 91 | + ```bash |
| 92 | + nmap -O 192.168.1.1 |
| 93 | + ``` |
| 94 | + |
| 95 | +- **Output to File** |
| 96 | + Specific scanning and saving the output to a file, enables you to scan more |
| 97 | + thorough without overloading your network. |
| 98 | + - Plain text |
| 99 | + ```bash |
| 100 | + nmap -oN output.txt 192.168.1.1 |
| 101 | + ``` |
| 102 | + - XML, handy for using elsewhere |
| 103 | + ```bash |
| 104 | + nmap -oX output.xml 192.168.1.1 |
| 105 | + ``` |
| 106 | + |
| 107 | +--- |
| 108 | + |
| 109 | +### Moving Up: More Insightful Scans |
| 110 | + |
| 111 | +These scans dig a bit deeper, so they may trigger alarms on security systems. |
| 112 | +Use these only on networks where you have explicit permission to scan. |
| 113 | + |
| 114 | +- **Service Version Detection**: |
| 115 | + Tries to identify versions of services on open ports. Useful but more |
| 116 | + invasive. |
| 117 | + ```bash |
| 118 | + nmap -sV 192.168.1.1 |
| 119 | + ``` |
| 120 | + |
| 121 | +- **Aggressive Scan**: |
| 122 | + The aggressive scan mode (`-A`) combines multiple checks, like OS detection, |
| 123 | + version detection and traceroute. This is likely to be flagged on |
| 124 | + any network and can be considered illegal on networks you don’t own. |
| 125 | + ```bash |
| 126 | + nmap -A 192.168.1.1 |
| 127 | + ``` |
| 128 | + |
| 129 | +- **Scanning Specific Ports**: |
| 130 | + Narrowing scans to specific ports is generally fine. |
| 131 | + - Scan a specific port |
| 132 | + ```bash |
| 133 | + nmap -p 80 192.168.1.1 |
| 134 | + ``` |
| 135 | + - Scan a range of ports |
| 136 | + ```bash |
| 137 | + nmap -p 1-100 192.168.1.1 |
| 138 | + ``` |
| 139 | + |
| 140 | +--- |
| 141 | + |
| 142 | +### Advanced Scans: When You’re the Power User |
| 143 | + |
| 144 | +So, you’re getting into the advanced stuff—maybe testing your own firewall or |
| 145 | +finding rogue services. |
| 146 | +The following scans are loud and intrusive that definitely trigger security |
| 147 | +defenses. |
| 148 | + |
| 149 | +- **Scripted Scans (NSE)** |
| 150 | + Nmap’s script engine is like a toolbox of plugins. Need to check for a |
| 151 | + specific vulnerability? There’s likely an NSE script for it. |
| 152 | + ```bash |
| 153 | + nmap --script=http-vuln-cve2021-12345 192.168.1.1 |
| 154 | + ``` |
| 155 | + |
| 156 | +- **Aggressive and fastest Scans**: |
| 157 | + `-T5` turns up to knob to 11. `-A` scans all ports. |
| 158 | + Use it sparse and only if you really need full visibility. |
| 159 | + ```bash |
| 160 | + nmap -T5 -A 192.168.1.1 |
| 161 | + ``` |
| 162 | + |
| 163 | +- **TCP and UDP Combined Scans**: |
| 164 | + Combining TCP and UDP scans (`-sS` for SYN scans and `-sU` for UDP) gives |
| 165 | + complete coverage but increases the scan’s footprint, making it detectable. |
| 166 | + ```bash |
| 167 | + nmap -sS -sU 192.168.1.1 |
| 168 | + ``` |
| 169 | + |
| 170 | +- **Spoofing and Decoy Scans**: |
| 171 | + Using decoys (`-D`) or spoofed IP addresses to hide your real IP can be seen |
| 172 | + as deceptive. These scans are easily flagged by IDS and could lead to legal |
| 173 | + repercussions if you’re not authorized. |
| 174 | + ```bash |
| 175 | + # 10 random IP decoys |
| 176 | + nmap -D RND:10 192.168.1.1 |
| 177 | + ``` |
| 178 | + |
| 179 | +--- |
| 180 | + |
| 181 | +### Practical Tips and Tricks |
| 182 | + |
| 183 | +**Timing Templates** |
| 184 | +Nmap has timing options from `-T0` (paranoid) to `-T5` (insane). Stick with |
| 185 | +`-T2` or `-T3` for a good balance between speed and not making too much noise. |
| 186 | +More |
| 187 | +on [nmap - timing-templates](https://nmap.org/book/performance-timing-templates.html) |
| 188 | + |
| 189 | +**Check Out Nmap’s Scripts** |
| 190 | +NSE scripts make Nmap super versatile. From DNS enumeration to vulnerability |
| 191 | +checks, there’s probably a script for whatever you need. |
| 192 | +More on [nmap - Nmap Scripting Engine](https://nmap.org/book/man-nse.html) |
| 193 | + |
| 194 | +**Use aggressive scans and decoys only on networks you own** or with formal |
| 195 | +authorization, such as during a penetration test with client permission. If |
| 196 | +you’re running scans at work, talk to the network admins first. |
| 197 | + |
| 198 | +**Know When to Stop** |
| 199 | +Once you’ve got the info you need, wrap it up. It’s easy to get scan-happy. |
| 200 | + |
| 201 | +--- |
| 202 | + |
| 203 | +Happy scanning! |
0 commit comments