Port scanning, one of the phases in ethical hacking, is the finest hacking tool ever. Primarily a command-line tool, it was then developed for operating systems based on Linux or Unix, and the windows version of Nmap is now available.
Nmap is basically a network security mapper capable of discovering services and hosts on a network, thereby creating a network map. This software offers several features that help in probing computer networks, host discovery as well as detection of operating systems. Being script extensible it provides advanced vulnerability detection and can also adapt to network conditions such as congestion and latency while scanning.
Scan every active IP address.
You can get detailed information on every IP active on your network to determine whether an IP has been compromised. Nmap will tell you whether a legitimate service or an external hacker is using the IP.
Perform entire network scanning.
You can get information on your network as a whole, including a list of live hosts and open ports and the OS of every connected device. Due to this, Nmap does a great job at monitoring your ongoing system and helping perform pen-testing.
Identify server vulnerabilities.
You can use the tool to scan your web server for any security gaps to protect personal and business websites. Nmap helps simulate the process a malicious agent would typically use to attack your website.
Develop visual mappings.
Nmap has a graphical user interface known as Zenmap. You can use it to create visual mappings of your network to facilitate better usability and reporting.
Automate system and vulnerability scans.
Nmap has an incredible feature known as “Nmap Scripting Engine” (NSE). It's a scripting engine that lets you use a predefined set of scripts and automate networking features. Alternatively, you can write your own NSE scripts using the Lua programming language to make conclusions about the target host/service.
Use Nmap Effectively
Nmap uses diverse techniques to scan, such as TCP connect scan, TCP SYN scan, TCP reverse ident scan, FTP bounce scan, and so on. Each of these methods has its own benefits and drawbacks, and whether you should opt for simple scanning or advanced scanning depends on the target machine.
Before you get started with Nmap, the software needs to be installed.
The installation process is easy, but it may vary based on your operating system. Below, we’ve covered how to install an app for Windows, MacBook, and Linux versions.
For Windows OS: Download and run the custom installer you get with Nmap (namp<version>setup.exe). This will automatically configure Nmap on your Microsoft system.
For Mac OS: Run the Nmap-<version>mpkg file to start the dedicated installer (you get this with Nmap).
For Linux OS: Run the following commands after opening the terminal to install Nmap
CentOS/Fedora: sudo dnf install nmap
Ubuntu/Debian: sudo apt-get install nmap
1. Ping Scanning
A ping scan returns information on every IP active on your network.
You can use the following command to execute a ping scan:
> Nmap -sp 192.168.1.1/24
Note: You can run a Scan a Single Host command to scan a single host for 1000 well-known ports—ports that are used by popular services like SQL, SNTP, and apache.
Here's how to run this command:
> Nmap scanme.nmap.org
2. Port Scanning
There are tons of ways to execute a scan for ports. The main differences between the varying types of port scans are whether they cover TCP or UDP ports and if they run a TCP connection.
For instance, the TCP Connect scan actively queries every host and requests a response, while the UDP scan uses UDP packets to scan DNS, SNMP, and DHCP ports to do the same job.
Let's review the different port scanning types below.
> Nmap -p 973 192.164.0.1
> Nmap -p T:7777, 973 192.164.0.1
> Nmap -p 76–973 192.164.0.1
> Nmap --top-ports 10 scanme.nmap.org
3. Host Scanning
Host scanning gives you detailed information on a specific host or a range of IP addresses, including their latency, MAC address, and any description associated with that address. In turn, this will allow you to quickly identify and eliminate suspicious hosts connected to your network.
You can use the following commands to execute a host scan:
> Nmap 192.164.1.1 192.164.0.2 192.164.0.2
> Nmap 192.164.1.*
> Nmap 192.164.0.1,2,3,4
> Nmap 192.164.0.0–255
Note: If you want to scan a hostname, you simply have to replace the IP address for the host.
4. OS Scanning
Nmap can also provide operating system detection, script scanning, version detection, and traceroute. In fact, OS scanning is claimed as one of the most powerful features of the tool.
OS scanning involves Nmap sending TCP and UDP packets to a particular port before analyzing its response. This scan then compares the response to a 2600-strong operating systems database and returns information on a host’s OS (and version).
You can use the following command to execute an OS scan:
> Nmap -SV scanme.nmap.org
Disclaimer: OS detection may not always be accurate. Still, it does a fairly good job at getting a pen tester closer to their target.
5. Stealth Scanning
Running a stealth scan involves analyzing the response after sending an SYN packet. If SYN or ACK is received, it indicates the port is open, and you can open a TCP connection.
Keep in mind that a stealth scan never completes the 3-way handshake, so the target may face difficulty determining the scanning system.
Use the following command to run a stealth scan:
> Nmap -sS scanme.nmap.org
6. Scan the Most Popular Ports
As the name suggests, this command auto-scans several 'most popular' ports of a host. This can come in handy for users who run Nmap on a home server.
You can use the following to execute this Nmap command:
> Nmap --top-ports n 192.168.1.106
Replace the ‘n’ in the above command for the number of ports you want to scan. Nmap will quickly scan that many ports.
7. Output to a File
You can add an extension to your commands if you want to output your Nmap scan results to a file.
Use the following command:
8. Disable DNS Name Resolution
You can use this Nmap command to accelerate your Nmap scan using the -n parameter, which may disable reverse DNS resolution. We highly recommend this when starting Nmap scanning for a large network.
Let us explain how this Nmap command works using an example.
Suppose you want to turn off DNS resolution for the basic ping scan. To do this, you’ll have to add -n.
Here’s how you can run the command:
> Nmap -sp -n 192.100.1.1/24