Nmap: Learning the Art of Network Scanning with Cool Flags!
Aastha Thakker
Cyber security enthusiast | SOC analyst | Digital Forensics | Blogs & Articles | THM - Documentation Team Lead | Gujarat University
In the world of pen testing, Nmap stands out as the most popular scanning tool. Nmap stands for Network Mapper; it's an open-source Linux command-line tool. Basically, it scans IP addresses and ports in a network and identifies the applications listening on them. Nmap helps network admins pinpoint the devices on their network, uncover open ports and services, and spot vulnerabilities. The credit for creating Nmap goes to Gordon Lyon, also known as Fyodor, who developed it to map networks easily, revealing open ports and services.
Well, to check whether a single device is up, what do we use? Ping, right?
But what if we have to check which devices in the whole network are up?
nmap -sP <network-range>
Nmap syntax is simple and looks like this:
nmap <scan types> <options> <target>
To know all the options which nmap provides us, type:
nmap --help
This is a bunch of commands for you, but don’t worry, I’ve narrowed it down to the coolest and most essential ones in each category.
A) Target Specification:
1. Scanning a single target:
nmap <ip-address>
2. Getting input from the file (-iL):
nmap -iL <file-name>
B) Host discovery:
nmap -sn <ip-range>
C) Scan Techniques:
1. TCP-SYN Scan (-sS): The default scan. It only sends a packet with the SYN flag set and never completes the 3-way handshake, so no full TCP connection is made. If Nmap receives a SYN-ACK in reply to its SYN, the port is marked open; otherwise it is marked closed.
sudo nmap -sS <ip-address>
2. TCP Connect Scan (-sT): This completes the 3-way handshake. A port is considered open if it responds with a SYN-ACK packet and closed if it responds with an RST (reset) packet. It is slower than the TCP-SYN scan but also stealthier.
nmap -sT <ip-address>
3. UDP Scan (-sU): UDP has no 3-way handshake, so this scan does not rely on one. Less commonly used.
sudo nmap <ip-address> -sU
D) Port Specification:
1. Specifying the port:
sudo nmap <ip-address> -p <ports-to-scan>
2. Giving the range of ports:
nmap <ip-address> -p 1-443
3. Scan all ports:
nmap -p- <ip-address>
4. Fast port scan (top 100):
nmap -F <ip-address>
E) Service/ Version Detection:
1. Service version detection (-sV):
nmap -sV <ip-address>
2. Detailed version scan activity (--version-trace):
nmap --version-trace <ip-address>
F) Script Scan:
nmap -sC <ip-address>
G) OS Detection:
sudo nmap -O <ip-address>
H) Output:
1. Saving normal output to a file (-o, the older spelling of -oN):
nmap <ip-address> -o <file-name>
2. Getting output in all 3 major formats at once, normal, XML and grepable (-oA):
nmap -sC <ip-address> -oA <file.name>
3. Increasing Verbosity (-v): Provides more detailed information about the scanning process. To increase the verbosity level, add more v's (-vvv). It's helpful for understanding what Nmap is doing and for spotting any issues during the scan.
nmap -v <ip-address>
4. Increasing Debugging (-d): Used for troubleshooting, when diagnosing problems or trying to understand the inner workings of Nmap. To increase the debugging level, add more d's (-ddd).
nmap -d <ip-address>
5. Showing only open or possibly open ports (--open):
nmap --open <ip-address>
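The -oA run above also writes a .gnmap (grepable) file, and --open only filters what is printed. As an added example that is not part of the original post, here is a small Python parser for that grepable format that keeps the open and open|filtered ports, the same states --open shows on the console; the sample file content is constructed, and the host address is a private-range placeholder.

```python
from collections import defaultdict

# Constructed sample of a .gnmap file, as -oA <name> would write it
# (not real scan output; 192.168.56.101 is a private-range placeholder).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oA scan 192.168.56.101\n"
    "Host: 192.168.56.101 ()\tStatus: Up\n"
    "Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, "
    "80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///, "
    "53/open|filtered/udp//domain///\tIgnored State: filtered (996)\n"
    "# Nmap done at Mon Jan  1 10:00:05 2024 -- 1 IP address (1 host up) scanned in 5.12 seconds\n"
)

# Field order of one entry in the "Ports:" section of grepable output.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_gnmap(text):
    """Map each host to the list of port records found on its 'Ports:' line.

    Sections of a Host line are tab-separated, port entries are comma-separated,
    and the seven fields of an entry are '/'-separated. Nmap rewrites any '/'
    inside a field value (e.g. in a version string) as '|', so splitting on '/'
    is safe.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no port data
        sections = line.split("\t")
        host = sections[0].split()[1]
        for section in sections[1:]:
            if not section.startswith("Ports:"):
                continue  # e.g. the "Status: Up" line from host discovery
            for entry in section[len("Ports:"):].split(","):
                entry = entry.strip()
                if not entry:
                    continue
                values = entry.split("/")[:len(PORT_FIELDS)]
                record = dict(zip(PORT_FIELDS, values))
                record["port"] = int(record["port"])
                hosts[host].append(record)
    return dict(hosts)


def possibly_open(text):
    """Keep only ports Nmap treats as open or possibly open (open, open|filtered),
    the same filtering the --open flag applies to console output."""
    return [(host, r["port"], r["proto"], r["service"], r["version"])
            for host, records in parse_gnmap(text).items()
            for r in records if r["state"] in ("open", "open|filtered")]


if __name__ == "__main__":
    for host, port, proto, service, version in possibly_open(SAMPLE_GNMAP):
        print(f"{host}\t{port}/{proto}\t{service}\t{version}")
```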
I) MISC:
1. Aggressive Scan (-A): It's a step up from the basics. You can trigger it using the -A flag. Essentially, it bundles together several scans we discussed earlier: service detection (-sV), OS detection (-O), traceroute (--traceroute), and default scripts (-sC).
nmap -A <ip-address>
Well, these are fundamental yet crucial CLI flags that one should familiarize themselves with before getting into hacking or pen-testing stuff.
This blog may receive updates with new flags later on. In the meantime, grasp these concepts, and don't forget to engage in hands-on practical exercises. Feel free to share additional flags in the comments to enhance everyone's knowledge! I would also recommend solving the TryHackMe Nmap room; it's fun, trust me.
Thanks for taking the time to check out this blog, you’re Awesome!