NERDBUDE


nmap basics

Nmap (Network Mapper) is a free port scanner for scanning and evaluating hosts on a network. The tool, released under the GNU General Public License, was developed by a resourceful hacker known as Fyodor. Of course, I advise you to only scan networks that you own or administer - anything else could be illegal and punishable. Nmap runs under:
====

Installation:

macOS:

```shell
brew install nmap
```

Linux (Ubuntu / Debian):

```shell
sudo apt-get install nmap
```

Windows (.exe):

https://nmap.org/download.html

====

Usage:

```shell
nmap -h
```

What can you use nmap for?

Nmap is primarily a port scanner, i.e. nmap checks which of the protocols running on a given host or domain are reachable. Ports, as mentioned earlier, belong to the transport protocols and are part of a network address; they map TCP and UDP connections and data packets between server and client. Every connection always involves two ports, one on the server side and one on the client side. Ports thus serve to distinguish multiple connections between the same pair of endpoints, and they can identify network protocols and services. A list of all standardized ports can be found here:

https://de.wikipedia.org/wiki/Liste_der_standardisierten_Ports

If you want to play around yourself, you can use

```shell
nmap -h
```

to display the list of all options and parameters.

====

Simple Port Scan

The simplest scan variant of nmap is:

```shell
nmap 127.0.0.1
```

which gives the following output:

[Screenshot: nmap_simple]

```text
Host is up (0.00026s latency)
```

This means that the scanned host responds and took 0.00026 seconds to do so.

```text
Not shown: 999 closed Ports
```

999 ports are not displayed because they are not open.

```text
631/TCP open ipp
```

Port 631 is open and is used by the IPP service. IPP (Internet Printing Protocol) is a printing service provided over the network.
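To make use of such output beyond reading it by eye, here is an added example (not from the original post) that parses the human-readable nmap lines shown above into structured data and compares the open ports against an allow-list of services that are expected on the host. The sample output and the allow-list are constructed for this example.

```python
import re

# Constructed sample of nmap's normal output, modelled on the lines the
# post walks through above (not a real capture).
SAMPLE_OUTPUT = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00026s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
631/tcp open  ipp
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
"""

LATENCY_RE = re.compile(r"Host is up \(([\d.]+)s latency\)")
NOT_SHOWN_RE = re.compile(r"Not shown: (\d+) (\w+)")
# Port lines look like "631/tcp open ipp"; accept "TCP" as well as "tcp".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_nmap_output(text):
    """Turn nmap's normal (human-readable) output into a dict."""
    result = {"host_up": False, "latency_s": None, "not_shown": None, "ports": []}
    for line in text.splitlines():
        m = LATENCY_RE.search(line)
        if m:
            result["host_up"] = True
            result["latency_s"] = float(m.group(1))
            continue
        m = NOT_SHOWN_RE.search(line)
        if m:
            result["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            result["ports"].append({
                "port": int(m.group(1)),
                "proto": m.group(2).lower(),
                "state": m.group(3),
                "service": m.group(4),
            })
    return result


def unexpected_open_ports(parsed, allowed):
    """Open (port, proto) pairs that are not on the host's allow-list.
    A defender's baseline check: anything returned here deserves a look."""
    return sorted(p["port"] for p in parsed["ports"]
                  if p["state"] == "open" and (p["port"], p["proto"]) not in allowed)
```

For real tooling, nmap's XML output (`-oX`) is easier to parse reliably than the human-readable format.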

====

Definition of targets

Targets of an nmap scan can be given as IP addresses (for example 127.0.0.1), as hostnames (www.nerdbude.com), as network ranges (127.0.0.1-255) and so on. If several target systems are to be scanned, there are also different parameters that can be given to nmap:

-iL (processes a file with a list of targets)

-iR (picks targets at random)

--exclude host1[,host2]... (ignores the listed targets)

--excludefile filename (ignores the targets in the passed file)


====

Definition of ports

Similar to the targets, the ports to be scanned can also be defined.

-p (scans only the specified ports, e.g. -p22 or -p1-65535)

--exclude-ports (excludes the specified ports)

-F (fast mode / scans only the first 100 ports)

-r (scans ports sequentially, one after another)


====

Scans

After we have defined our targets and the ports, the scanning can start.

```shell
nmap -sn 127.0.0.1
```

Pings the target only, to see whether it responds and is online.

```shell
nmap -p1-65535 127.0.0.1
```

Scans all 65535 ports of the target and reports their state.

```shell
nmap -PO [protocol list] 127.0.0.1
```

Scans only the IP protocol services running on the target.

```shell
nmap -O 127.0.0.1
```

This parameter activates OS (operating system) detection, so that the OS in use is reported at the end of the scan.

These are only a few of the scan options nmap offers, but they should give you a start and a basic understanding. If you want the full list of current parameters and options, you can find them here:

https://nmap.org/data/nmap.usage.txt

and the nmap page is available here:

https://nmap.org



//EOF