Nmap – The Initial Tool for Ethical Hacking
Caution: Before initiating Nmap scans, obtain explicit permission to avoid legal and ethical pitfalls. Clearly define your scanning scope, including authorized IPs, subnets or hosts, to prevent accidental breaches of your authorized range.?This is strictly for educational purposes and to hint on technical possibilities.
Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications. Nmap allows network admins to find which devices are running on their network, discover open ports and services, and detect vulnerabilities as well as hosts and network information. Nmap is used by mid and large companies as well as smaller-sized organizations for semi-automated and manual port auditing, host monitoring, penetration testing, red and blue team exercises, and similar tasks. On Windows, running Nmap with an administrator account is always good practice. The ability to quickly recognize all the devices including servers, routers, switches, mobile devices, etc. on single or multiple networks. Nmap can also detect application versions with reasonable accuracy to help detect existing vulnerabilities making it easier to plan additional approaches during penetration testing. During security auditing and vulnerability scanning, you can use Nmap to attack systems using existing scripts from the Nmap Scripting Engine. Nmap has a graphical user interface called Zenmap. It helps you develop visual mappings of a network for better usability and reporting. Nmap works by sending and receiving network packets, and checking against its fingerprint database and other methods, to quickly detect hosts and IP addresses over a network. It then performs analysis on the data to quickly respond with results on your console. Most Nmap scans will require you to perform them with root-based (admin) access on Linux and Unix. Hackers and pen testers typically add specific options to cover their tracks.Decoy scans add the -D option flag (Nmap -p 123 -D decoyIP targetIP), to hide the attacking IP address and send source-spoofed packets to the target in addition to the scanning machine packets. The additional packets make port scan detection harder for defenders. Attackers can also run zombie scans, also known as idle scans. This side-channel attack attempts to send forged SYN packets to the target using the IP address of the “zombie” endpoint on the network. This method attempts to fool the intrusion detection system (IDS) into mistaking the innocent zombie computer for the attacker.??
It is an efficient tool to help us handle repetitive tasks and answer the following questions like which systems are up? What services are running on these systems? Nmap is used to discover live hosts. ?ARP scan: This scan uses ARP requests to discover live hosts.
ICMP scan: This scan uses ICMP requests to identify live hosts?
TCP/UDP ping scan: This scan sends packets to TCP ports and UDP ports to determine live hosts.
Port scanning is a fundamental technique used in network security to identify open ports and available services on a host network. This process is akin to checking what doors and windows are unlocked in a building to understand potential entry points. Ports are virtual points for data exchange between computers on a network, each identified by a number from 1 to 65,535. Common examples include port 80 for HTTP traffic and port 443 for HTTPS. There are two main types: TCP ports, which ensure reliable data transmission, and UDP ports, used for faster but less reliable communication. Ports are crucial for network security as they determine which services are accessible, making understanding and managing them vital in protecting networks. Once Nmap knows which hosts are active, it proceeds to scan specific ports to determine their status (open, closed or filtered.) Open ports indicate active services that are listening for connections, while closed ports have no application actively accepting connections. Filtered ports are those that a firewall or network filtering device protects. Nmap can probe open ports to determine what application or service is running on them, along with its version. This is crucial for identifying potential vulnerabilities specific to software versions. The choice of scan type is crucial. Stealthier scans like SYN (-sS) are preferred in sensitive environments to reduce detection and maintain network stability. More aggressive scans are often used in controlled environments to extract comprehensive details, employing techniques like ACK scan (-sA) or Nmap Scripting Engine (--script) for in-depth insights.?
?The rate at which scans are conducted plays a significant role in mitigating the impact on network resources. Use options like timing template (-T) and (--scan-delay) to control the speed of the scan. Optimization extends to the scan’s execution, where options to skip ping (-Pn), forgo DNS resolution (-n), and rate parameters (--min-rate), (--max-retries) are instrumental in tailoring the scan’s performance to the specificities of the target environment. Documenting and analyzing scan results should be taken seriously. Nmap’s versatility in output formats — from normal to XML (-oX) and grepable (-oG) options — provides a spectrum of possibilities. Choose the format that best suits your security analysis workflows, tools and documentation practices.?
Ping scan — Scans the list of devices up and running on a given subnet.?
nmap -sp 192.168.1.1/24?
Scan a single host — Scans a single host for 1000 well-known ports. These ports are the ones used by popular services like SQL, SNTP, apache, and others.?
?nmap scanme.nmap.org?
Stealth scanning is performed by sending an SYN packet and analyzing the response. If SYN/ACK is received, it means the port is open, and you can open a TCP connection.?
?nmap -sS scanme.nmap.org?
?Version scanning?
Finding application versions is a crucial part in penetration testing.?
Nmap -v?
It makes your life easier since you can find an existing vulnerability from the Common Vulnerabilities and Exploits (CVE) database for a particular version of the service. You can then use it to attack a machine using an exploitation tool like Metasploit.?
?nmap -sV scanme.nmap.org?
Nmap can provide information about the underlying operating system using TCP/IP fingerprinting. Nmap will also try to find the system uptime during an OS scan.?
nmap -sV scanme.nmap.org?
?Nmap has an aggressive mode that enables OS detection, version detection, script scanning, and traceroute. You can use the -A argument to perform an aggressive scan.?
?nmap -A scanme.nmap.org?
?Nmap has the capability of scanning multiple hosts simultaneously. This feature comes in real handy when you are managing vast network infrastructure. ?Write all the IP addresses in a single row to scan all of the hosts at the same time.?
nmap 192.164.1.1 192.164.0.2 192.164.0.2?
Use the asterisk (*) to scan all the subnets at once.?
nmap 192.164.1.*?
Add commas to separate the addresses endings instead of typing the entire domains.?
nmap 192.164.0.1,2,3,4?
Use a hyphen to specify a range of IP addresses?
nmap 192.164.0.0–255?
Port scanning is one of the most fundamental features of Nmap. You can scan for ports in several ways. Using the -p param to scan for a single port?
nmap -p 973 192.164.0.1?
If you specify the type of port, you can scan for information about a particular type of connection, for example for a TCP connection.?
nmap -p T:7777, 973 192.164.0.1?
A range of ports can be scanned by separating them with a hyphen.?
nmap -p 76–973 192.164.0.1?
You can also use the -top-ports flag to specify the top n ports to scan.?
nmap --top-ports 10 scanme.nmap.org?
The verbose output provides additional information about the scan being performed. It is useful to monitor step by step actions Nmap performs on a network, especially if you are an outsider scanning a client’s network.?
nmap -v scanme.nmap.org?
?Nmap scans can also be exported to a text file. It will be slightly different from the original command line output, but it will capture all the essential scan results.?
?nmap -oN output.txt scanme.nmap.org?
?Nmap scans can also be exported to XML. It is also the preferred file format of most pen-testing tools, making it easily parsable when importing scan results.?
?nmap -oX output.xml scanme.nmap.org
You can also export the scan results in all the available formats at once using the -oA command.?
nmap -oA output scanme.nmap.org?
Zenmap is a graphical user interface for Nmap. It is a free and open-source software that helps you get up and running with Nmap.?
Basic Nmap Scan against IP or host?
nmap 1.1.1.1?
Now, if you want to scan a hostname, simply replace the IP for the host, as you see below:?
?nmap ip_address.com????
The most famous type of scan is the Nmap ping scan (so-called because it’s often used to perform Nmap ping sweeps), and it’s the easiest way to detect hosts on any network.?
The drawback of this ICMP-only type of scan is that remote hosts often block IP-based ping packets?
Scan specific ports or scan entire port ranges on a local or remote server?
nmap -p 1-65535 localhost?
In this example, we scanned all 65535 ports for our localhost computer.?
Nmap is able to scan all possible ports, but you can also scan specific ports, which will report faster results. nmap -p 80,443 8.8.8.8?
This will scan 14 consecutive IP ranges, from 8.8.8.1 to 8.8.8.14.?
An alternative is to simply use this kind of range is nmap 8.8.8.1-14?
This will scan 256 IP addresses from 8.8.8.1 to 8.8.8.256.?
You can even use wildcards to scan the entire C class IP range using nmap 8.8.8.*?
If you ever need to exclude certain IPs from the IP range scan, you can use the “–exclude” option, as you see below:?
nmap -p 8.8.8.* --exclude 8.8.8.1???
Scan the most popular ports?
Using “–top-ports” parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:?
?nmap --top-ports 20 192.168.1.106?
Replace “20” with the desired number. Output example:?
?nmap --top-ports 20 localhost?
The “-iL” parameter lets you read from that file, and scan all those hosts for you:?
nmap -iL list.txt?
On the other hand, in the following example we will not be reading from a file, but exporting/saving our results into a text file:?
?nmap -oN output.txt ip_address.com?
Nmap has the ability to export files into XML format as well, see the next example:?
nmap -oX output.xml ip_address.com?
SIEM tools, firewalls, and other defensive tools, can receive alerts from systems and the scanned system will log the successful TCP requests from the many Nmap port scans. More sophisticated IDS/IDP tools might also detect malformed TCP requests, such as the Nmap stealthy requests that do not complete a TCP connection. Disruptive scans that cause system or service failure will definitely be detected by systems as well as by affected users. ?
Scan + OS and service detection with fast execution?
Using the “-A” parameter enables you to perform OS and service detection, and at the same time we are combining this with “-T4” for faster execution. ?
nmap -A -T4 ip_address.com?
Detect service/daemon versions. This can be done by using -sV parameters?
?nmap -sV localhost?
One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services.?
?nmap -sT 192.168.1.1?
nmap -sU localhost?
Allows “Nmap Scripting Engine” (known as NSE). This scripting engine allows users to use a pre-defined set of scripts, or write their own using Lua programming language. For example, if you want to run a full vulnerability test against your target, you can use these parameters:?
nmap -Pn --script vuln 192.168.1.105?
Nmap features never seem to end, and thanks to the NSE, that even allows us to launch flood attacks against our network to test how effective our mitigation methods are.?Exploiting vulnerability by launching a flood attack in a forever loop:?
nmap 192.168.1.105 -max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true?
Testing brute force attacks?
NSE is really fascinating -- it contains scripts for everything you can imagine. three examples of BFA against WordPress, MSSQL, and FTP server:?
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105?
??WordPress brute force attack:?
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105?
Brute force attack against MS-SQL:?
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105?
??
Detecting malware infections on remote hosts?
Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services like Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP. It also has a module to check for popular malware signs inside remote servers and integrates Google’s Safe Browsing and VirusTotal databases as well.?
A common malware scan can be done using:?
?nmap -sV --script=http-malware-host 192.168.1.105?
?Or using Google’s Malware check:?
?nmap -p80 --script http-google-malware ip_address.com?
Scan in verbose mode (-v), enable OS detection, version detection, script scanning, and traceroute (-A), with version detection (-sV) against the target IP (192.168.1.1):?
nmap -v -A -sV 192.168.1.1?
Using TCP mode (–tcp) to probe port 22 (-p 22) using the SYN flag (–flags syn) with a TTL of 2 (–ttl 2) on the remote host (192.168.1.1):?
?nping --tcp -p 22 --flags syn --ttl 2 192.168.1.1?
Compare yesterday’s port scan (yesterday.xml) with the scan from today (today.xml):?
ndiff yesterday.xml today.xml?
Be verbose (-v), running /bin/bash on connect (–exec “/bin/bash”), only allowing 1 IP address (–allow 192.168.1.123), listen on TCP port 4444 (-l 4444), and keep the listener open on disconnect (–keep-open):?
?ncat -v --exec "/bin/bash" --allow 192.168.1.123 -l 4444 --keep-open?
ndiff?
Ndiff is a tool to aid in the comparison of Nmap scans. It takes two Nmap XML output files and prints the differences between them them: hosts coming up and down, ports becoming open or closed, and things like that. It can produce output in human-readable text or machine-readable XML formats.?
ndiff?
Utility to compare the results of Nmap scans?
ndiff -h?
Network exploration tool and security / port scanner?
nmap -h?
?
nping?
Network packet generation tool / ping utility?
nping –h?
?
nmap -sP -PE 192.168.100.1/24?
nmap -sP -PP 172.26.1.4?
nmap -sP -PM 172.26.1.4??
Keep in mind that ICMP messages may be blocked by some firewalls, so some of this techniques may not always work?,
With a TCP SYN scan, Nmap sends an SYN packet to a given port on the target. If the machine replies with an SYN/ACK or RST packet for the specified port, Nmap knows the host is up. Lack of a response for a certain period leads to marking the host as down.?
nmap -sP -PS 21 IP?
?During a TCP ACK scan, Nmap sends an empty TCP packet with the ACK flag set to port 80. If the host is up, it will answer with an RST packet since the connection doesn’t exist. If the host is down, there will be no response. The port can be defined by the user.?
nmap -sP -PA IP?
If a list of live IP addresses already exists, host discovery is not necessary and you can move to the next step, finding open ports.?
nmap -Pn IP?
There are multiple techniques you can use for port scanning:?
Stealth Scan, also known as SYN scan or half-open scan, is the default and most popular technique. Its stealth comes from not performing a 3-way handshake to complete the connection and the packet exchange is as follows:?
The scanner sends an SYN packet.If the port is open, the machine replies with SYN/ACK;?
If the port is closed the machine sends RST; If no response is received after several retries, the port is marked as filtered. Once the scanner receives SYN/ACK from the machine, it sends the RST packet and marks it as an open port.?
nmap -sT IP?
Testing for a specific vulnerability on a remote target is possible via the –script command:?
nmap --script=<nse script> -p <port> IP?
You can use this command to check for anonymous login permission on an FTP server:??
nmap --script= ftp-anon.nse -p 21 192.168.226.130?
The cache of NSE scripts offers the possibility to check for specific vulnerabilities that have already been reported. For instance, there is a script that checks for a backdoor in the VSFTPD server:?
?nmap --script= ftp-anon.nse -p 21 192.168.226.13?
The null scan does not set any flag; all six flag bits are set to zero. You can choose this scan using the -sN option. A TCP packet with no flags set will not trigger any response when it reaches an open port, as shown in the figure below. Therefore, from Nmap’s perspective, a lack of reply in a null scan indicates that either the port is open or a firewall is blocking the packet.?However, we expect the target server to respond with an RST packet if the port is closed. Consequently, we can use the lack of RST response to figure out the ports that are not closed: open or filtered.?The null scan relies on the lack of a response to infer that the port is not closed, it cannot indicate with certainty that these ports are open; there is a possibility that the ports are not responding due to a firewall rule.?
nmap -sN MACHINE_IP?
?The FIN scan sends a TCP packet with the FIN flag set. You can choose this scan type using the -sF option. Similarly, no response will be sent if the TCP port is open. Again, Nmap cannot be sure if the port is open or if a firewall is blocking the traffic related to this TCP port. However, the target system should respond with an RST if the port is closed. Consequently, we will be able to know which ports are closed and use this knowledge to infer the ports that are open or filtered. It’s worth noting some firewalls will ‘silently’ drop the traffic without sending an RST.?
nmap -sF MACHINE_IP?
?The Xmas scan gets its name after Christmas tree lights. An Xmas scan sets the FIN, PSH, and URG flags simultaneously. You can select Xmas scan with the option -sX.?
?Like the Null scan and FIN scan, if an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open or filtered?
nmap -sX MACHINE_IP?
?In this scan, the FIN and ACK bits are set. The target should send an RST packet as a response. However, certain BSD-derived systems drop the packet if it is an open port exposing the open ports. This scan won’t work on most targets encountered in modern networks; however, we include it in this room to better understand the port scanning mechanism and the hacking mindset. To select this scan type, use the -sM option.?Most target systems respond with an RST packet regardless of whether the TCP port is open. In such a case, we won’t be able to discover the open ports. The figure below shows the expected behavior in the cases of both open and closed TCP ports.?
nmap -sM 10.10.252.27?
TCP ACK Scan?
领英推荐
Let’s start with the TCP ACK scan. As the name implies, an ACK scan will send a TCP packet with the ACK flag set. Use the -sA option to choose this scan. As we show in the figure below, the target would respond to the ACK with RST regardless of the state of the port. This behaviour happens because a TCP packet with the ACK flag set should be sent only in response to a received TCP packet to acknowledge the receipt of some data, unlike our case.?
nmap -sA MACHINE_IP?
?The TCP window scan is almost the same as the ACK scan; however, it examines the TCP Window field of the RST packets returned. On specific systems, this can reveal that the port is open. You can select this scan type with the option -sW. As shown in the figure below, we expect to get an RST packet in reply to our “uninvited” ACK packets, regardless of whether the port is open or closed.?
nmap -sW MACHINE_IP?
?if you want Nmap to provide more details regarding its reasoning and conclusions. Consider the two scans below to the system?
nmap -sS 10.10.252.27?
nmap -sS --reason 10.10.252.27?
?For more detailed output, you can consider using -v for verbose output or -vv for even more verbosity?
nmap -sS -vv 10.10.252.27?
?If -vv does not satisfy your curiosity, you can use -d for debugging details or -dd for even more details. You can guarantee that using -d will create an output that extends beyond a single screen. Nmap can scan a target domain or IP address for all vulnerabilities in the default script library for the “vuln” category with the appropriately named Vuln command:?
nmap --script vuln <target domain or IP Address> -v?
?When using any of the bulk scans, the results can become overwhelming and some users will want to exclude low CVSS score vulnerabilities. To only show vulnerabilities within a certain range, add the following flag to the command where “x.x” is the CVSS score (ex: 6.5).?
?--script-args=mincvss=x.x?
The complete command to exclude vulnerabilities below 6.5 would be:?
Nmap --script vuln --script-args mincvss=6.5 <target>?
Two common examples of the complete command are:?
XML File: Nmap –script vuln -oX file.xml <target>?
Browser Friendly XML File: Nmap –script vuln –webxml -oX file.xml <target>?
Once the directory is known to Nmap, Vulscan is available to be called by the –script flag to run additional vulnerability checks using the following syntax:?
TCP Null Scan? nmap -sN machine_ip?
TCP FIN Scan nmap -sF machine_ip?
TCP Xmas Scan nmap -sX machine_ip?
TCP Maimon Scan nmap -sM machine_ip?
TCP ACK Scan nmap -sA machine_ip?
TCP Window Scan nmap -sW machine_ip?
Custom TCP Scan nmap --scanflags URGACKPSHRSTSYNFIN machine_ip?
Spoofed Source IP nmap -S SPOOFED_IP MACHINE_IP?
Decoy Scan nmap -D DECOY_IP, MACHINE_IP?
Idle(Zombie) Scan nmap -sI ZOMBIE_IP MACHINE_IP?
fragment IP data into 8 bytes -f?
Fragment IP data into 16 bytes -ff?
option purpose?
--source-port PORT_NUM? specify source port number
--data-length NUM????????? append random data to reach given length?
--reason explains how NMAP made its conclusion?
-v verbose?
-vv very verbose?
-d debugging?
-dd more details for debugging?
??
??
Nmap utilizes a complex system of scripts that communicate with every part of the network. The scripts act as communication tools between the network components and their human users. The scripts that Nmap uses are capable of vulnerability detection, backdoor detection, vulnerability exploitation, and network discovery. Advanced techniques designed to uncover vulnerabilities, bypass security measures, and gather valuable insights about target systems. Let's look at these techniques: Enables users to identify outdated services susceptible to known security vulnerabilities. By querying a comprehensive vulnerability database, Nmap provides valuable insights into potential weaknesses within target systems. Nmap utilizes a complex system of scripts that communicate with every part of the network. The scripts act as communication tools between the network components and their human users. The scripts that Nmap uses are capable of vulnerability detection, backdoor detection, vulnerability exploitation, and network discovery. It is also possible to scan all network ports, although that would potentially take a lot of time and eat up quite a bit of available bandwidth. Plus, depending on the type of passive defenses that are in use on the network, such a massive port scan would likely trigger security alerts. As such, most people use Nmap for more limited deployments or divide different parts of their network up for scheduled scanning over time.?
?Vulnerability Detection?
nmap -sV --script=vulners machine_ip?
nmap -sV --script=vulners 192.168.23.25?
Idle scanning represents a stealthy approach to port scanning, leveraging a "zombie" host to obfuscate the origin of scan requests. By monitoring changes in the zombie host's IP identification number (IP ID) in response to packets sent to the target, Nmap infers the state of the target's ports without direct interaction.?
Idle Scanning?
nmap -sI machine_ip?
Firewall Testing (Source Port Spoofing): This technique involves testing firewall rules by sending packets with unusual source ports. By spoofing the source port, security professionals can evaluate the effectiveness of firewall configurations and identify potential weaknesses in network defenses.?
nmap --source-port machine_ip?? ?
nmap --source-port 53 192.168.23.55?
Nmap's service-specific probes enable detailed examination of services, such as the Server Message Block (SMB) protocol commonly used in Windows environments. By leveraging specialized scripts, analysts can identify vulnerabilities and assess the security posture of target systems.?
Service-Specific Probes (SMB Example)?
nmap -sV -p 139,445 --script=smb-vuln*?
nmap -sV -p 139,445 --script=smb-ms17-010 192.168.23.134?
Web Application Scanning (HTTP title grab)?
nmap -sV -p 80 --script=http-title 192.168.23.131?
Web application scanning with Nmap allows users to gather information about web servers, potentially aiding in vulnerability identification and exploitation.?By analyzing HTTP response headers, Nmap extracts valuable insights about target web applications and server configurations.?Nmap has robust scripting engine (NSE), which allows users to extend the tool's functionality through custom scripts and plugins. NSE scripts enable users to automate tasks, perform specialized scans, gather additional information, and even exploit vulnerabilities in target systems.?
??
nmap --script-help scriptname???????????? Shows help about scripts??
nmap --script http-vuln-* target_ip? finding vuln in a target
To do a Nmap host scan, use the following command:?
?nmap -sn your_local_ip/host_bits?
?nmap -sn 192.168.0.1/24?
?
To launch an Nmap port scan with version detection enabled, run this command:?
nmap -sV -T4 ip_to_scan?
nmap -sV -T4 scanme.nmap.org?
??
Some useful arguments to use for Nmap are:?
-sn This argument is used in order to specify that you are conducting a host-only scan.?
-T[0-5] This is used to indicate the speed at which to run the scan.?
-sV This will instruct Nmap to conduct a service version scan alongside the normal scan.?
-p [port range] This allows a user to specify a range of ports for Nmap to scan.?
-oA <filename> This will store the Nmap scan output in normal, XML, and grepable formats.?
-iL <filename> This feature is for inputting a target list of hosts or network ranges.?
-A Enables OS detection, service version detection, script scanning, and traceroute.?
–open This feature will shows only open or possibly open ports.?
-Pn This will skip the host discovery function and treat all hosts as online.?
-sU This enables UDP scan.?
??
Multiple networks can be scanned at once.?nmap 192.168.0.0/24 10.80.0.0/24??
checking the state of ports 22 and 443 (which by default use the TCP protocol)??
nmap -sV -p 22,443 192.168.0.0/24?
We interested in open ports, and so we can add the –open flag to achieve this. ??
nmap -sV -p 22,443 192.168.0.0/24 –open?
Tracing a packet on a single IP?
?nmap -vv -n -sn -PE -T4 --packet-trace 192.168.2.3?
?Nmap runs an rDNS (reverse-DNS) resolution on any responsive host
??
To run a stealth list scan -sL on the IP address 209.132.183.105.?
?nmap --dns-servers 8.8.4.4,8.8.8.8 -sL 209.132.183.105/24???
Using NSE scripts with Nmap allows you to scan different hosts and find vulnerabilities in services running on the host and possibly log in by brute-forcing these services.?
nmap --script="name_of_script" --script-args="argument=arg" target?
?Web Application Firewall (WAF) is specifically designed to protect websites from SQL injection, cross-site scripting, malformed HTTP packets, etc. Using Nmap, we can detect if a website is protected by such a WAF.? The following displays the usage of an NSE script and its arguments:?
?nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.slimmer.ai?
??
Assume that some unauthorized person has scanned your network and found a few open ports/services. This person could then pass some NSE scripts to Nmap and see if these services are vulnerable. Here is what is going to happen:?
nmap -Pn -sV --script=vulners 37.xx.xx.xx?
?
When scanning a network, you may want to select an entire group (such as a whole subnet) while excluding a single host.?
nmap 192.168.0.* --exclude 192.168.0.2?
??You can exclude certain hosts from your search using the -exclude flag.?
nmap 192.168.0.* --excludefile /file.txt??? ?
Scan from a File?
If you have a long list of addresses that you need to scan, you can import a file directly through the command line.?
nmap -iL /file.txt ?
??
Scan IPv6 Addresses?
IPv6 is becoming more commonplace, and Nmap supports it just as it supports domains and older IP addresses. IPv6 works with any of the available Nmap commands. But, a flag is required to tell Nmap that an IPv6 address is being referenced.?
nmap -6 ::ffff:c0a8:1?
?
Find Host Interfaces, Routes, and Packets?
It may become necessary to find host interfaces, print interfaces, and routes to debug.?
To do this, use the --iflist command:?
nmap --iflist??????? ?
??
Attempt to Guess an Unknown OS nmap -O –osscan guess [target] ?
nmap -O –osscan-guess 192.168.0.1 ?
??
Specify a Network Interface nmap -e [interface] [target] ?
nmap -e eth0 192.168.0.1?
??
UDP scans are slower than TCP scans, so you might experience extreme lag in responses or long delays before the tool displays output. Some hosts might take up to an hour to scan if you don’t optimize the NMAP process. You can speed up UDP scans depending on the use case. For example, use the following NMAP command to eliminate slow-responding hosts and gives up on scans when a host does not respond within 1 minute:?
nmap 192.168.1.100 --host-timeout 1m?
Other Open-Source Network Scanning Tools Besides Nmap are OpenVAS, Wireshark, Nessus, Metasploit, Qualys, Sqlmap, Angry IP Scanner, SolarWinds network scanner, Wapiti, Advanced IP Scanner, Burp Suite, Zed Attack Proxy, App scanner, Network IP Scanner, Nikto, Openscap – open-scap.org, Vulnerability scanners, Acunetix Ltd., Nexpose, Intruder, Arachni, Firmwalker: unveiling iot vulnerabilities, Manageengine Vulnerability Manager Plus?
Conclusion:
Users designate a list of targets on a network that they want to learn information about. Users do not need to identify specific targets, which is good because most administrators do not have a complete picture of everything that is using the potentially thousands of ports on their network. Instead, they compile a range of ports to scan. While one could make the argument that Nmap is a perfect hacking tool, many of the deeper scan activities require root access and privileges. Someone from outside can not just point Nmap at a target network they do not have permission to access and have it magically uncovered vulnerabilities for them to exploit. Not only that, but the attempt would likely trigger a critical security alert by any defensive or network monitoring tools. Nmap is not a dedicated vulnerability scanning tool in that it does not maintain a database of known vulnerabilities or any kind of artificial intelligence that could identify potential threats. However, organizations that regularly ingest security information from threat feeds or other sources can use Nmap to check their susceptibility to specific threats. Other advancements like the new Zenmap tool make it even more useful, especially for those who do not like working with console or command lines. The graphical interface for Zenmap allows users to quickly set up targets and configure desired scans with just a few clicks. That will help Nmap find an even bigger user base. Administrators have several reasons for performing a UDP scan using NMAP. It could be to simply audit the network for open unnecessary ports. For cybersecurity reasons, unnecessary services should be disabled, and an NMAP scan tells administrators which machines are running services that can be shut down. Another reason for a UDP scan is to find vulnerabilities on the network. If an attacker can install malware on the network, a compromised host could be running a malicious service on a UDP port. Using the NMAP scan, an administrator would find the open port and perform additional scans and analysis on the host. NMAP could also be used to discover hosts on the network. In some cases, Nmap may produce false positives, incorrectly identifying open ports or services due to firewalls, NAT devices, or other network configurations. This can lead to potentially misleading results if not interpreted correctly.?
?
References:?
??
?? ?
?
?
Digital Marketing Specialist at SkillAcademee |SEO| |SMO| |Advertising| |Promotions|
1 个月This article effectively highlights Nmap as an essential tool for ethical hacking, emphasizing its importance in the reconnaissance phase of penetration testing. By scanning networks for open ports and services, Nmap allows ethical hackers to identify potential vulnerabilities that could be exploited. Its user-friendly interface and powerful capabilities make it a go-to resource for both beginners and experienced professionals. The article also underscores that while Nmap is a vital starting point, ethical hackers must possess the skills and knowledge to interpret the data it provides effectively. This comprehensive overview makes it clear why Nmap remains a foundational tool in the ethical hacking toolkit! https://www.mobileappdaily.com/products/top-hacking-apps?utm_source=web&utm_medium=harsh&utm_campaign=mad
--
2 个月I am haker