  • GK

Nmap Guide (network mapper)

Updated: Jan 31, 2023

Nmap (Network Mapper) is a free and open-source tool for network exploration and security auditing. It can be used to discover hosts and services on a computer network, thus creating a "map" of the network.


Nmap offers several types of scans, each with its own advantages and disadvantages. Here are some of the most commonly used Nmap scans, and a brief explanation of what they do:



-sS (SYN scan): This is the default scan type when Nmap is run with raw-packet (root or administrator) privileges, and is also known as a "half-open scan." It sends a SYN packet to initiate a connection with the target host and waits for a response. If the host responds with a SYN-ACK, the port is open. If the host responds with a RST, the port is closed. This type of scan is less likely to be detected by firewalls as it does not complete the full TCP handshake.


-sT (TCP Connect scan): This scan establishes a full TCP connection to each port on the target host. It is the most reliable scan type and is less likely to be blocked by firewalls. However, it may be noticed by Intrusion Detection Systems (IDS) as it completes the full three-way handshake.


-sU (UDP scan): This scan sends an empty UDP packet to each port on the target host and waits for a response. If the host responds with an ICMP port unreachable message, it means the port is closed. If the host does not respond, it could mean the port is open or filtered. This type of scan is less reliable than TCP scans, as some hosts may not respond to UDP packets.


Here is a guide on using Nmap with examples of commands.


Open a command prompt or terminal window and navigate to the folder where Nmap is installed.


To scan a specific IP address or hostname, use the following command:

nmap 192.168.1.1

This command will scan the IP address 192.168.1.1 and return information about the host and any open ports.


To scan a range of IP addresses, use the following command:

nmap 192.168.1.1-255

This command will scan all IP addresses in the range of 192.168.1.1 to 192.168.1.255.


To scan a subnet, use the following command:

nmap 192.168.1.0/24

This command will scan all IP addresses in the subnet 192.168.1.0 with a subnet mask of 255.255.255.0.


To scan for specific ports, use the following command:

nmap -p 80,443,22 192.168.1.1

This command will scan IP address 192.168.1.1 for the ports 80, 443, and 22.


To run a more comprehensive scan that includes OS detection, version detection, and script scanning, use the following command:

nmap -A 192.168.1.1

This command will run an intense scan that includes OS and version detection, script scanning, and traceroute.


To save the results of a scan to a file, use the following command:

nmap -oN scan_results.txt 192.168.1.1

This command will save the results of the scan to a file named "scan_results.txt" in the current directory.


To see all the options available to use with Nmap, use the following command:

nmap --help


Vulnerability Scanning


To run a basic vulnerability scan, use the following command:

nmap --script vuln <target>

This command will run all of the vulnerability-related scripts included with Nmap.


To run a specific vulnerability script, use the following command:

nmap --script <script name> <target>

To view a list of all available vulnerability scripts, use the following command:

nmap --script-help vuln

To run a vulnerability scan that includes OS detection, version detection, and script scanning, use the following command:

nmap -A --script vuln <target>

To save the results of a scan to a file, use the following command:

nmap --script vuln -oN <filename> <target>

To read the list of targets from a file (one host, range, or subnet per entry) instead of typing them on the command line, use the following command:

nmap --script vuln -iL <filename>

To run a scan against a specific port or range of ports, use the following command:

nmap -p <port numbers> --script vuln <target>

To see the help text for all the scripts available to Nmap's scripting engine, use the following command (--script-help requires a script name, category, or "all" as its argument):

nmap --script-help all

Note: Always make sure you have the proper permissions before scanning any network. Also keep in mind that vulnerability scanning is just the first step in identifying potential vulnerabilities; it doesn't guarantee that a system or network is completely secure. The results should be analyzed, and then appropriate steps should be taken to address any vulnerabilities that are found.
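
One way to start analyzing saved results, as an added example that is not part of the original post: the Python below parses the normal-format output written by -oN and lists ports that are open but not on an expected list. The sample output, the ALLOWED list, and the function names are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oN` normal output (not from a real scan).
SAMPLE_ON = """\
# Nmap 7.93 scan initiated Tue Jan 31 10:00:00 2023 as: nmap -oN scan_results.txt 192.168.1.0/24
Nmap scan report for 192.168.1.1
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp filtered https

Nmap scan report for printer.lan (192.168.1.20)
PORT     STATE         SERVICE
23/tcp   open          telnet
161/udp  open|filtered snmp
9100/tcp open          jetdirect
"""

# Host line is either "... for <addr>" or "... for <name> (<addr>)".
HOST_RE = re.compile(r"^Nmap scan report for (?:.* \()?([^\s()]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")

def parse_normal_output(text):
    """Return {host: [(port, proto, state, service), ...]} from -oN text."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            host = m.group(1)
            results[host] = []
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port, proto, state, service = m.groups()
            results[host].append((int(port), proto, state, service))
    return results

def unexpected_open(results, allowed):
    """List (host, port, proto, service) entries that are open but not allowed."""
    findings = []
    for host, ports in results.items():
        for port, proto, state, service in ports:
            # "open|filtered" (typical for UDP) is ambiguous, so it is not reported as open.
            if state == "open" and (port, proto) not in allowed.get(host, set()):
                findings.append((host, port, proto, service))
    return sorted(findings)

# Hypothetical allow-list: the ports each host is expected to expose.
ALLOWED = {"192.168.1.1": {(22, "tcp"), (443, "tcp")},
           "192.168.1.20": {(9100, "tcp")}}
```

Calling unexpected_open(parse_normal_output(SAMPLE_ON), ALLOWED) on the sample returns the two services that warrant follow-up: HTTP on 192.168.1.1 and Telnet on 192.168.1.20.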
