One might be curious to understand how network intruders get to know which ports are open on a computer? Or may be how they detect which services are being run by the system that too without any prior permission of network admin. Well, anybody can do this stuff and even more than this using an easy-to-use utility called Nmap.
Nmap is short for "Network MAPper," nmap is a port scanner used by network security experts, network researchers and network admins. It is often used for security scanning, simply to determine which services the system is running, to take the records of the operating system and various applications running on a system, the version of firewall a system is utilizing, or to have a quick inspection of the local network. In brief, a very useful tool to deal with.
This article explains several Nmap Scans, techniques, knowing the intentions and objectives of every scan , pluses and minuses over other such similar scanning tools, which might be better at escaping from firewalls and much more.
Basic UsageThe fundamental syntax of nmap command is as follows :
nmap [Scan Type] [Options] [Target]
To begin with, let's consider that we want to know which operating system is running on our computer system. To do this, use following command-
nmap -O target.host.com
Of course, you will need root privileges to run this command along with some patience.
The most basic and default scan among all, the one which doesn't use any parameters but the target is your local IP address.
sudo nmap 10.10.6.204
One can also add multiple IP addresses with a space after each complete IP address.
sudo nmap 10.10.6.75 10.10.6.180 10.10.6.204
Prior to scanning any target port, Nmap will try to transmit ICMP request to check whether the remote system is active. This will save time at the time of scanning a number of hosts as nmap don't waste time in making attempts to explore the hosts that are offline.
Don’t ping -PNIf we use this option, nmap simply won’t send any ICMP echo requests to the target/s.
sudo nmap -PN 10.10.6.204
Only Ping scan -sP
This option will start executing simple ping scan of the target host.
sudo nmap -sP 10.10.6.204
This type of scan is helpful when we want to perform a quick survey of the target network to observe the hosts that are active, without any need to scan the target hosts for open ports.
ARP Ping scan
This –PR option will start to execute an ARP (Address Resolution Protocol) ping scan on the specified target host.
sudo nmap –PR 10.10.6.204
-PR option is applied by default at the time of scanning the local network. This sort of search is much quicker than other ping processes. As LAN hosts can not block ARP requests, this method is more appropriate to be used.
NOTE: ARP Ping scan will work only on those targets which are in your subnet range.
Port Scanning Choices
Fast scanThe –F option will execute a scan for only 100 ports that are used most frequently.
sudo nmap –F 10.10.6.204
Typically, nmap will scan the 1000 most frequently used ports. This option decreases that to 100 which improves the port scanning speed drastically.
Scan only specific portsThe -p option will inform nmap to scan the specific port(s).
To check if the http port is open:
sudo nmap –p 80 10.10.6.204
You may also scan several ports by separating the port numbers with a comma (,). You can also mention a port range to be scanned with the use of hyphen (-).
sudo nmap –p 22,23,443,50-100 10.10.6.204
Above command will scan ports 22, 23, 443 and ports ranging from 50 to 100 and will show only OPEN ports among them.
Scan Ports by nameWe can also use -p option to scan well-known ports by their names.
nmap -p telnet,ftp 10.10.6.204
Above command will scan telnet (23) and ftp (21) ports and show their status.
All Ports Scan
The -p option along with a “*” is used to scan all the TCP/IP ports (which are 65,535 in number) on the target host.
nmap -p “*” 10.10.6.204
Select TCP or UDP protocol
Finally, using option -p we may also select some ports to scan depending upon which protocol they use- either TCP or UDP.
nmap -p T:100-1000 10.10.6.204
nmap -p U:100-1000 10.10.6.204
In examples a port range with (T), that implies TCP only, is specified. We can also mention U in case we want to scan UDP ports.
Service version detectionThe -sV option is used to determine version of different services running on a host.
nmap -sV 10.10.6.204
This finishes an overview of a most commonly used Linux command by network experts - NMAP and it's parameters that are frequently used.