nmap is very popular port scanner used to scan remote hosts in the network to primarily list open ports and also other get details such as list of online systems, OS, presence of a firewall etc.
Basic nmap example
Post scanning a remote host with nmap is as simple as passing the hostname or IP address of the remote host as an argument to nmap command.
nmap unixutils.com #OR nmap 23.239.238.233
By default nmap checks if the specified targets is up or not, scans the common ports and lists them. We can specify the target servers for nmap to scan for, in different ways. In the previous example, we scanned a single host. We will further see different ways to scan multiple target servers.
Specifying Targets
Scan subnet:
nmap 192.168.0.* nmap 192.168.0.0/24
Scan multiple hosts:
nmap 192.168.0.1 192.168.0.2 192.168.0.3 nmap 192.168.0.1,2,3
Scan hosts by range, example – (from 192.168.0.1 to 192.168.0.27):
nmap 192.168.0.1-27
Exclude hosts from being scanned:
nmap 192.168.0.* --exclude 192.168.0.4
Scan list of hosts from file:
#server.txt should contains multiple servers, one server name or IP per line nmap -iL server.txt
Exclude hosts from being scanned:
nmap 192.168.0.* --exclude 192.168.0.4 nmap 192.168.0.0/24 --excludefile donotscan.txt nmap -iL server.txt --excludefile donotscan.txt
Scan Types
List Scan – simply list targets to scan:
nmap -sL 192.168.0.1-27
Ping Scan – disable port scan:
nmap -sn 92.168.0.1,2,3
Treat all hosts as online — skip host discovery:
nmap -Pn 192.168.0.0/24
Scan with TCP instead of icmp:
#this is useful if icmp is blocked by firewall in the network. nmap -PS 192.168.0.8
Stealth scan:
nmap -sS 192.168.0.*
Normal scan vs Stealth scan:
Normal Scan
Source -------SYN--------> Target #source is sending syn for specific port Source <--SYN/ACK OR RST-- Target #Target responds with SYN/ACK if port is listening, else sends RST to terminate. Source -------ACK--------> Target #Source sends ACK to gracefully close connection
Stealth Scan
Source -------SYN--------> Target #source is sending syn for specific port Source <--SYN/ACK OR RST-- Target #Target responds with SYN/ACK if port is listening, else sends RST to terminate. Source --------X---------- Target #Target does not receive ACK.
In stealth scan, the source does not respond with ACK and leaves the handshake incomplete. However, the Source running nmap knows that when an SYN/ACK is received in second step, the port is open. When RST is received, this means that the port is closed and, when there is no response (i.e neither a SYN/ACK nor RST) then the packets have been dropped, meaning that there is a firewall either en-route or at the target.
Specifying ports
nmap scans the most common 1,000 ports for each protocol, by default. However we can tweak this behaviour.
Specify port numbers with -p:
nmap -p 22,80,443 192.168.0.0/24
Specify TCP/UDP protocol with port:
nmap -p T:80 192.168.0.* nmap -p U:389 192.168.0.1-11
We have seen how to specify targets, specify scan type and specify ports. Now, lets try some examples combining all these.
Examples:
Run scan to find out if TCP port 22 is open on hosts ranging from 192.168.0.1 - 192.168.0.5. Scan all hosts regardless of whether it pings or not.
nmap -Pn -p T:22 192.168.0.1-5
Run a stealth scan to find out list of all open ports on host 192.168.0.8
nmap -sS 192.168.0.8