Using nmap for Network Discovery
nmap is short for Network Mapper. It is an open-source network probe and is integrated into many vulnerability assessment applications. It primarily performs host discovery, port scanning and operating system detection. Hackers use nmap to perform the discovery process, and defenders use it to inventory what their own networks expose. It is most popular on the Linux platform, for which it was originally designed, and has been ported to Windows, macOS, and BSD.
Features
- host discovery;
- port scanning;
- version detection;
- OS detection.
Installation on Red Hat Based Systems
# Red Hat Linux based command
yum install nmap
Installation on Debian Based Systems
# Debian Linux based command
sudo apt-get install nmap
nmap Examples
Scan with OS Detection
# Scan a single host IP address with OS detection
nmap -A 10.0.0.1
Scan a Host Name with OS Detection
# Scan a host name with OS detection
nmap -A server.example.com
Scan with OS Detection and Increased Verbosity
# Scan a host name with OS detection and increased verbosity
nmap -vv -A server.example.com
Scan Against a Network or Subnet
# Scan a network or subnet
nmap 10.0.0.0/24
Scan Against a Range of IP Addresses
# Scan a range of IP addresses
nmap 10.0.0.1-100
Scan Against a Single Port
# Scan a single port against a single host IP
nmap -p 443 10.0.0.1
Scan Against Multiple Ports
# Scan multiple ports against a single host IP
nmap -p 80,443,3306 10.0.0.1
Scan Against a Range of Ports
# Scan a range of ports against a single host IP
nmap -p 1-1024 10.0.0.1
Scan Against All Ports
# Scan all 65535 ports against a single host IP (-p- is shorthand for -p 1-65535;
# -p "*" would instead match only the ports named in nmap-services)
nmap -p- 10.0.0.1
Perform a TCP SYN Scan
From the nmap Book: SYN scan is the default and most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections.
# Perform a TCP SYN scan against a single host IP (requires raw-socket privileges)
nmap -sS 10.0.0.1
Scan for Specific TCP Ports
# Scan specific TCP ports against a single host IP
nmap -p T:443 10.0.0.1
Scan Showing Only Open Ports
# Show only open (or possibly open) ports against a single host IP
nmap --open 10.0.0.1
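As an added example (not from the original page), a defender-side use of the scans above: parse nmap's grepable output (produced with -oG) and compare the open ports it reports against an expected per-host baseline, so that an unexpected listener shows up as a finding. The sample scan output and the baseline are constructed here, not taken from a real network.

```python
"""Compare nmap open-port results against an expected baseline (added example)."""
from typing import Dict, List, Set, Tuple

PortSet = Set[Tuple[int, str]]

# Constructed sample of `nmap -oG -` (grepable) output; not a real scan.
# Each Host line holds tab-separated "Key: value" fields; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/ .
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -oG - -p 22,80,443,3306 10.0.0.1-2
Host: 10.0.0.1 (web.example.com)\tStatus: Up
Host: 10.0.0.1 (web.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (0)
Host: 10.0.0.2 (db.example.com)\tStatus: Up
Host: 10.0.0.2 (db.example.com)\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/filtered/tcp//https///, 3306/open/tcp//mysql///
# Nmap done at Mon Jan  1 00:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# Assumed baseline (constructed): the ports each host is expected to expose.
BASELINE: Dict[str, PortSet] = {
    "10.0.0.1": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "10.0.0.2": {(22, "tcp"), (3306, "tcp")},
}


def parse_grepable(text: str) -> Dict[str, PortSet]:
    """Return {ip: {(port, proto), ...}} for every port nmap reported as open."""
    result: Dict[str, PortSet] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer lines
        fields = dict(chunk.partition(": ")[::2] for chunk in line.split("\t"))
        ip = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        ports = result.setdefault(ip, set())
        for entry in filter(None, (e.strip() for e in fields.get("Ports", "").split(","))):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                ports.add((int(port), proto))
    return result


def unexpected_exposure(scan: Dict[str, PortSet],
                        baseline: Dict[str, PortSet]) -> Dict[str, List[Tuple[int, str]]]:
    """Open ports not in the baseline; a host missing from the baseline is reported in full."""
    return {ip: sorted(ports - baseline.get(ip, set()))
            for ip, ports in scan.items() if ports - baseline.get(ip, set())}


if __name__ == "__main__":
    for ip, extra in unexpected_exposure(parse_grepable(SAMPLE_OG), BASELINE).items():
        print(f"{ip}: unexpected open ports {extra}")  # 10.0.0.1: unexpected open ports [(3306, 'tcp')]
```

Feed it real output with `nmap -oG - <targets>` redirected to a file; closed and filtered ports are ignored on purpose, since only open listeners change the exposure picture.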
Scan with Firewall Detection
# TCP ACK scan (-sA) against a single host IP; reports ports as filtered or unfiltered to map firewall rules
nmap -sA 10.0.0.1
Scan Hosts when Protected by a Firewall
# Host discovery with ICMP address-mask requests (-PM) when echo requests are filtered
nmap -PM 10.0.0.0/24
Perform an Idle Scan
# Idle scan of 10.0.0.1 using 10.0.0.232 as the zombie host (-sI takes the zombie first, then the target)
nmap -sI 10.0.0.232 10.0.0.1