
Nmap --the-very-basics


Nmap is one of the most important and frequently used tools for hackers as well as system administrators. Although the official documentation does a good job of explaining it, this acts more like a cheat sheet for the common options, with a few tips for effective nmaping.

Default Scan : nmap target-ip-here

To check if the host is alive, use the -sn flag (ping requests).

The -Pn flag can be used to scan the host without verifying whether it is alive. It helps in cases where the system administrator has disabled replies to ping requests.

However, it does create a problem: while scanning a large block of networks with the -Pn switch activated, nmap is going to spend a large amount of time on each host, which is undesirable.

We can use --host-timeout followed by a time in minutes.

Example: --host-timeout 1m . In this case nmap will give up on the host if it is not confirmed to be alive within the specified time. Hence it is not recommended to set the value to a very small quantity like 1m.

The -PS port-number-here switch makes the scan a TCP SYN scan.

Using the -sT switch initiates the TCP connect scan.

Using the -sS switch initiates the SYN stealth scan.

Using the -sU switch initiates a UDP SCAN

To use the Nmap scripts, use the -sC switch, which will automatically run the relevant NSE scripts according to the ports found open.

To run a specific script, use the --script option followed by the script name.

Service Version Scan : nmap target-ip-here -sV

Operating System Version Detection : nmap target-ip-here -O

To take the list of target IPs from a file, use the -iL option followed by the full path of the file.

Saving nmap scan output:

To save in normal format (almost the same as what is printed on the screen):

nmap target-ip-here -oN output-file-name-here

To save in a grepable format:

nmap target-ip-here -oG output-file-name-here

To save in the XML format:

nmap target-ip-here -oX output-file-name-here

To save in all the above three mentioned formats:

nmap target-ip-here -oA output-file-name-here
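The grepable (-oG) format mentioned above is the easiest of the three to post-process. As an added example that is not part of the original cheat sheet, the Python below parses a constructed -oG sample (not a real scan) into per-host open ports and checks them against an allowlist, the way a defender would audit exposure; the field layout port/state/protocol/owner/service/rpc_info/version/ follows Nmap's output-format documentation.

```python
import re

# Constructed sample of nmap -oG (grepable) output; not output from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG out.gnmap 192.168.56.0/29
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.168.56.11 ()\tStatus: Down
Host: 192.168.56.12 (fileserver.lab)\tStatus: Up
Host: 192.168.56.12 (fileserver.lab)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.02 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")  # "Host: <ip> (<hostname>)"

def parse_gnmap(text):
    """Return {ip: {"hostname", "status", "ports"}}; each port entry is
    (port, state, protocol, service, version) from the documented
    port/state/protocol/owner/service/rpc_info/version/ layout."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # header/footer comments carry no host data
        fields = line.split("\t")  # Host, Status, Ports, Ignored State are tab-separated
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                entry["status"] = entry["status"] or "Up"  # only up hosts get a Ports line
                for spec in value.split(", "):
                    p = spec.split("/")
                    entry["ports"].append((int(p[0]), p[1], p[2], p[4], p[6]))
    return hosts

def open_ports(hosts):
    """Open ports per host; closed/filtered entries are dropped."""
    return {ip: [p for p in e["ports"] if p[1] == "open"] for ip, e in hosts.items()}

def unexpected_open(hosts, allowed):
    """Defender's exposure check: open ports missing from the per-host allowlist."""
    return {ip: extra for ip, ports in open_ports(hosts).items()
            if (extra := [p for p in ports if p[0] not in allowed.get(ip, set())])}
```

Feed it the contents of a real -oG file and a per-host allowlist such as {"192.168.56.10": {22}} to get back only the hosts whose open ports are not expected.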

Scan a port: use the -p port-number-here option.

To scan all ports use -p-

To scan a range of ports: -p100-200

The reason flag --reason makes nmap print the logic behind classifying a port as open, closed or filtered.

The -sL flag performs reverse DNS lookups on the targets.

The scans can be made more verbose using -v, -vv or -vvv, with the verbosity increasing with the number of v's. To make nmap less verbose than it usually is, we can use the --reduce-verbosity flag.

Timing is the key


To control the timing of the nmap scans, use -T followed by a number between 1 and 5, where 5 is the fastest.

Example: nmap target-ip-here -T5

The default speed is set to 3. Running the scan at the highest speed has its own merits and demerits.

Nmap has support for packet tracing, which can be enabled for the scan using the --packet-trace switch.

When scanning a range of IPs, nmap automatically clusters them into blocks so that it scans those hosts in parallel; when a block is done, it prints the result and moves on to the next block. If we are scanning a large group, we have to wait for the whole block to finish before seeing any output. In this case a smaller block is preferred. This can be controlled using the --min-hostgroup and --max-hostgroup switches.

For host discovery and ping sweeps, the host group specifications are overridden by nmap with a very large number.

The parallelism can be increased or decreased using the --min-parallelism and --max-parallelism switches. This controls the number of probes being sent simultaneously.

These values are auto-optimised by nmap for efficient performance.

The probing rate itself can be controlled using the --scan-delay switch, which defines the time interval between two probes on a single host. The --max-scan-delay switch can be used in conjunction with it to ensure that the rate doesn't fall below the specified minimum.

We can also have direct control over the number of packets sent by Nmap. They can be adjusted using --min-rate and --max-rate. They can be used in conjunction to act as a range in which Nmap is supposed to pump out packets.

Example: nmap target-ip-here --min-rate 50 --max-rate 100 will give nmap a range between 50 to 100 packets per second.


Special scans (to be continued)

* FIN

* Xmas

* Null