
Nmap - Beginner's Guide

Many have heard of and used the wonderful nmap utility. Both system administrators and hackers love it. Even Hollywood knows about it: in the movie “The Matrix”, nmap is the tool used for hacking.


nmap is short for "Network Mapper"; the closest Russian rendering is "network mapper". That may not be the best translation, but it reflects the essence fairly accurately: a tool for network exploration and security checks. The utility is cross-platform and free, and runs on Linux, Windows, FreeBSD, OpenBSD, Solaris and Mac OS X.

Let's look at using the utility on Debian. nmap is not included in the standard distribution, so install it with the command

# aptitude install nmap

Nmap can scan using various methods, for example UDP, TCP connect(), TCP SYN (half-open), FTP proxy (FTP bounce), Reverse-ident, ICMP (ping), FIN, ACK, SYN and NULL scans. The scan type is selected by the options (keys) given on the command line; an nmap invocation looks like this:

nmap [scan options] <host>

For the experiments we take the test host set up by the nmap developers themselves, scanme.nmap.org. Run the commands as root.
The scan options are optional; without them nmap checks the host for open ports and the services listening on those ports.
Run the command:

# nmap scanme.nmap.org

After a few seconds, we get the result:
Interesting ports on scanme.nmap.org (74.207.244.221):
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nothing unusual: ssh on the standard port and http on port 80. Nmap recognizes the following port states: open, filtered, closed and unfiltered. Open means that an application on the target machine is ready to accept packets on this port. Filtered means that a firewall, filter or something else on the network is blocking the port, so nmap cannot determine whether it is open or closed. Closed ports are not attached to any application at the moment, but can be opened at any time. Unfiltered ports respond to nmap's probes, but it cannot be determined whether they are open or closed.

To find out the operating system of the host, use the -O option:

# nmap -O scanme.nmap.org

Hint: if you press the spacebar during a scan, nmap shows the current progress and what percentage is complete. After a few seconds we get an answer, in which the interesting lines are:

Device type: general purpose|WAP|webcam|storage-misc
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (93%), AXIS Linux 2.6.X (89%), Linksys Linux 2.4.X (89%)
Aggressive OS guesses: Linux 2.6.17 - 2.6.28 (93%), Linux 2.6.9 - 2.6.27 (93%), Linux 2.6.24 (Fedora 8) (92%), Linux 2.6.18 (Slackware 11.0) (92%), Linux 2.6.19 - 2.6.26 (92%), OpenWrt (Linux 2.4.32) (91%), Linux 2.6.22 (91%), Linux 2.6.22 (Fedora Core 6) (90%), Linux 2.6.13 - 2.6.27 (90%), Linux 2.6.9 - 2.6.18 (90%)
No exact OS matches for host (test conditions non-ideal).


In general, nmap cannot determine the exact kernel version, but it can tell you roughly how “fresh” the system is and what operating system it runs. You can scan several hosts at once; to do so, list them separated by spaces:

# nmap -O example.com example2.com

Let's return to our experimental host. I want to know in more detail what software it runs. Let's try to refine the data with the -sV option:

# nmap -sV example.com example2.com

We get the answer:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
Service Info: OS: Linux


Progress is evident: we have learned the exact names of the services in use and even their versions, and at the same time we have learned exactly which operating system the server runs. There is no difficulty interpreting this output; everything is quite clear.

An aggressive scan is run with the -A option.

# nmap -A scanme.nmap.org

Nmap will display a lot of information, so I will not give an example. Such a scan can take quite a long time, several minutes.

On a local network, or simply when you have a range of IP addresses on hand, it is convenient to check which of them are in use with the -sP option:

# nmap -sP 192.168.1.0/24

The scan is quite fast, because it is essentially an ordinary ping test: does the host respond to ping? Note that a host may not respond to ping because of its firewall settings. If the part of the network you want cannot be expressed with a netmask, you can specify an explicit range of addresses to scan. For example, suppose the range is 192.168.1.2 to 192.168.1.5. Then we run:

# nmap -sP 192.168.1.2-5

The answer will look like this:

Host 192.168.1.2 is up (0.0023s latency)
Host 192.168.1.3 is up (0.0015s latency)
Host 192.168.1.4 is up (0.0018s latency)
Host 192.168.1.5 is up (0.0026s latency)


In my case, all IPs were online at the time.
These are not all of nmap's features, but it is rather difficult to fit them all into one article.
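The port table and the host-discovery output shown above are easy to post-process for an inventory. The following shell functions are an added example, not part of the original article; they parse nmap's normal text output read from stdin (the sample output below is constructed, and nmap itself is never invoked here):

```shell
#!/bin/sh
# Added example (not from the original article): helpers for post-processing
# nmap's normal text output. Feed them a saved scan or a live one, e.g.
#   nmap -sP 192.168.1.0/24 | live_hosts
# nmap is never run here; the sample output below is constructed.

# live_hosts: print the address of every host nmap reported as up.
# Handles both the older "Host 1.2.3.4 is up (...)" line from the article
# and the newer "Nmap scan report for 1.2.3.4" / "Host is up" pair.
live_hosts() {
  awk '
    /^Host [0-9.]+ is up/        { print $2; next }
    /^Nmap scan report for /     { addr = $NF; gsub(/[()]/, "", addr); next }
    /^Host is up/ && addr != ""  { print addr; addr = "" }
  '
}

# open_ports: print "port/proto service [version]" for ports in the open
# state only. Filtered, closed and unfiltered ports are skipped, so this is
# the list an inventory of listening services should be built from.
open_ports() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
         line = $1 " " $3
         for (i = 4; i <= NF; i++) line = line " " $i
         print line
       }'
}

# Constructed sample outputs in the formats shown in the article.
SAMPLE_SWEEP='Host 192.168.1.2 is up (0.0023s latency)
Host 192.168.1.3 is up (0.0015s latency)
Nmap scan report for 192.168.1.4
Host is up (0.0018s latency).
Nmap scan report for 192.168.1.5
Host is down.'

SAMPLE_SV='PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
443/tcp filtered https
Service Info: OS: Linux'

printf '%s\n' "$SAMPLE_SWEEP" | live_hosts
printf '%s\n' "$SAMPLE_SV" | open_ports
```

In current nmap releases the ping-sweep option is spelled -sn; -sP is still accepted as an alias, so the output format handled above is the same. A host that does not answer ping is simply absent from the list, so treat it as "unknown", not as "free".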

If you prefer a GUI, there is the excellent Zenmap utility, a graphical front-end for nmap that can also build a network map.

I want to warn you that scanning ports on remote machines may violate the law.
UDP Inflame pointed out that port scanning is nonetheless not illegal.

Source: https://habr.com/ru/post/131433/

