How to Use the Command 'nmap' (with Examples)

How to Use the Command 'nmap' (with Examples)

Nmap, short for “Network Mapper,” is a powerful open-source tool designed for network exploration, security auditing, and port scanning. It is extensively used by network administrators and security professionals to discover network assets, verify security measures, and even test firewalls and intrusion detection systems. Nmap offers numerous capabilities such as scanning large networks, detecting operating system versions, and finding open ports. It also provides flexibility in terms of verbosity, timing, and output options, among others. Its real strength lies in its ability to provide a comprehensive overview of network configurations and vulnerabilities, enabling users to ensure a more secure network environment.

Use Case 1: Scan the Top 1000 Ports of a Remote Host with Various Verbosity Levels

Code:

nmap -v1|2|3 ip_or_hostname

Motivation:

In network security, understanding the state of open or vulnerable ports is critical. Ports are entry points for network traffic, and knowing which ones are open helps in securing them from unauthorized access. By utilizing the verbosity level, you can control the amount of detail shown during the scan process, which is beneficial for both quick overviews and detailed diagnostics.

Explanation:

  • nmap: This is the executable command for the Network Mapper tool.
  • -v1|2|3: The verbosity levels, where 1 provides minimal output, 2 offers more detailed information, and 3 gives comprehensive details about the scan process. This allows users to gauge the depth of information required.
  • ip_or_hostname: Replaces this placeholder with the actual IP address or hostname of the target machine you wish to scan.

Example Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-10 12:30 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.052s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
992/tcp open  telnets
Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds

Use Case 2: Run a Ping Sweep Over an Entire Subnet or Individual Hosts Very Aggressively

Code:

nmap -T5 -sn 192.168.0.0/24|ip_or_hostname1,ip_or_hostname2,...

Motivation:

Network administrators often need to assess which devices are live within a subnet to manage resources effectively and ensure devices are joined correctly into the network environment. A ping sweep can quickly identify active hosts across an entire network without delving into detailed service information.

Explanation:

  • -T5: This sets the timing template to “Insane”, which is the most aggressive scan setting. This is used when time is of the essence but can risk being blocked by intrusion detection systems (IDS).
  • -sn: This option disables port scanning, focusing purely on host discovery, useful when the focus is solely on identifying live hosts.
  • 192.168.0.0/24: The CIDR notation specifies the subnet range you wish to scan for live hosts.
  • ip_or_hostname1,ip_or_hostname2,...: Targets for individual host scanning.

Example Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-10 12:40 UTC
Nmap scan report for 192.168.0.1
Host is up (0.023s latency).
Nmap scan report for 192.168.0.5
Host is up (0.018s latency).
Nmap scan report for 192.168.0.10
Host is up (0.026s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 8.56 seconds

Use Case 3: Enable OS Detection, Version Detection, Script Scanning, and Traceroute of Hosts from a File

Code:

sudo nmap -A -iL path/to/file.txt

Motivation:

Comprehensive knowledge of a network’s characteristics, such as operating system details, service versions, and network paths, aids in security auditing and remediation planning. By scanning hosts listed in a file, administrators can automate and simplify the tracking process of multiple network devices.

Explanation:

  • sudo: This command prefix is necessary for running privileged operations like OS detection, requiring root access.
  • -A: Enables aggressive scan options, including OS detection, version detection, script scanning, and traceroute for a detailed analysis.
  • -iL path/to/file.txt: This specifies an input file containing a list of target IP addresses or hostnames, enabling batch processing for efficiency.

Example Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-10 12:50 UTC
Nmap scan report for 192.168.0.1
Host is up (0.012s latency).
...
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3
...
Nmap done: 10 IP addresses (1 host up) scanned in 12.34 seconds

Use Case 4: Scan a Specific List of Ports

Code:

nmap -p port1,port2,... ip_or_host1,ip_or_host2,...

Motivation:

When network administrators or security officers are only interested in monitoring specific ports due to known vulnerabilities or compliance reasons, focusing scans on a particular set of ports can optimize both time and resources without broad scanning.

Explanation:

  • -p port1,port2,...: Lists specific ports to scan rather than default or all ports, allowing targeted investigations of known vulnerabilities.
  • ip_or_host1,ip_or_host2,...: Addresses or hostnames specifying network targets, providing flexibility to scan multiple devices at once.

Example Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-10 13:00 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.062s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds

Use Case 5: Perform Service and Version Detection of the Top 1000 Ports Using Default NSE Scripts

Code:

nmap -sC -sV -oA top-1000-ports ip_or_host1,ip_or_host2,...

Motivation:

Understanding the services running on open ports, along with their versions, is crucial to identifying outdated software and potential vulnerabilities. Automated scanning using default Nmap Scripting Engine (NSE) scripts provides in-depth service analysis without requiring individual script selection.

Explanation:

  • -sC: Activates a selection of NSE scripts categorized as safe and in the default script set.
  • -sV: Engages in service version detection, vital for recognizing vulnerable software setups.
  • -oA top-1000-ports: Specifies saving output in all available formats (normal, grepable, and XML), with the base filename “top-1000-ports” for later reference.
  • ip_or_host1,ip_or_host2,...: Denotes target IPs or hostnames for comprehensive service enumeration.

Example Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-10 13:10 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.047s latency).
PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.4.41
443/tcp open  ssl/http Apache httpd 2.4.41
...
Nmap done: 1 IP address (1 host up) scanned in 9.82 seconds

Use Case 6: Scan Target(s) Carefully Using Default and Safe NSE Scripts

Code:

nmap --script "default and safe" ip_or_host1,ip_or_host2,...

Motivation:

When concerns about network disruption are paramount, and the need to scan carefully is present, employing default and safe NSE scripts helps balance thorough scanning with minimal risk. These scripts are vetted to reduce interference with target systems.

Explanation:

  • --script "default and safe": Directs Nmap to utilize scripts categorized as both “default” and “safe,” minimizing the potential negative impact on network performance and stability.
  • ip_or_host1,ip_or_host2,...: Targets for scanning, which can be any combination of IPs or hostnames, enabling extensive checks across selected nodes.

Example Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-10 13:20 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.054s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
...
Nmap done: 1 IP address (1 host up) scanned in 6.23 seconds

Use Case 7: Scan for Web Servers Running on Standard Ports Using All Available HTTP NSE Scripts

Code:

nmap --script "http-*" ip_or_host1,ip_or_host2,... -p 80,443

Motivation:

Web servers are frequent attack targets. Scanning them using every available HTTP related NSE script helps in uncovering vulnerabilities or misconfigurations, ensuring the security of web applications via comprehensive checks on common HTTP ports.

Explanation:

  • --script "http-*": Selects all scripts in the NSE library starting with “http-”, leveraging extensive coverage of HTTP-related vulnerabilities.
  • ip_or_host1,ip_or_host2,...: denotes the web servers’ IP addresses or hostnames.
  • -p 80,443: Specifies the widespread web service ports, fostering a focus on services typically associated with web traffic.

Example Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-10 13:30 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.050s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-methods: 
|_  Potentially risky methods: TRACE
443/tcp open  https
| http-title: Example Domain
|_Requested resource was http://example.com/
Nmap done: 1 IP address (1 host up) scanned in 12.65 seconds

Use Case 8: Attempt Evading IDS/IPS Detection by Using Extremely Slow Scans

Code:

sudo nmap -T0 -D decoy_ip1,decoy_ip2,... --source-port 53 -f --data-length 16 -Pn ip_or_host

Motivation:

When aiming to test a network against intrusion detection/prevention systems (IDS/IPS) for resilience or to avoid detection, using techniques such as slow scans, decoy addresses, and packet fragmentation can help. These methods simulate legitimate traffic and obscure the scanning entity’s identity.

Explanation:

  • sudo: Needed for privileged scan operations manipulating network traffic.
  • -T0: Sets the slowest timing template to avoid triggering IDS/IPS by spreading scan packets over long intervals.
  • -D decoy_ip1,decoy_ip2,...: Utilizes decoy or fake IP addresses to disguise true source IP, increasing scan stealth.
  • --source-port 53: Sets the source port to one commonly allowed through firewalls, emulating DNS queries.
  • -f: Fragment packets to further evade detection by requiring assembly before processing.
  • --data-length 16: Introduces random data into packets to change the packet size, hindering pattern recognition.
  • -Pn: Disables host discovery and treats targets as online, crucial when expecting restrictive network settings.
  • ip_or_host: Specifies target network(s) or host(s) for the stealth scan.

Example Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-10 13:40 UTC
Nmap scan report for target.com (203.0.113.42)
Host is up.
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
Nmap done: 1 IP address (1 host up) scanned in 302.35 seconds

Conclusion:

Nmap offers an array of functionalities that makes it an indispensable tool for network scanning and security analysis. With its vast range of options from basic port scanning to complex IDS evasion techniques, Nmap equips users with the capabilities to both identify and mitigate network vulnerabilities. Utilizing specific use cases and respective command configurations enables efficient and effective task execution, catering to unique security needs and objectives.

Tags :

Related Posts

Utilizing the 'pcapfix' Command (with Examples)

Utilizing the 'pcapfix' Command (with Examples)

The pcapfix command is a powerful tool specifically designed to repair damaged or corrupted PCAP (Packet Capture) and PcapNG (Packet Capture Next Generation) files.

Read More
How to Use the Command 'takeout' (with examples)

How to Use the Command 'takeout' (with examples)

Takeout is a Docker-based development-only dependency manager that streamlines the process of managing development dependencies by enabling or disabling services within isolated Docker containers.

Read More
How to use the command 'git filter-repo' (with examples)

How to use the command 'git filter-repo' (with examples)

The git filter-repo command is a highly versatile tool designed for rewriting Git history with far superior performance and ease-of-use compared to its predecessor, the git filter-branch.

Read More