Nmap

Nmap Description

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.

Nmap is …

  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
  • Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
  • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
  • Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describes a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.
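The port states above are what a defender usually wants to extract from a scan of their own hosts: an inventory of what is listening, plus the ambiguous states that need a follow-up. The following parser for Nmap's normal output format is an added example, not code from the Nmap project; the scan output it reads is constructed to mirror the layout Nmap prints and is not a real scan.

```python
"""Parse the "interesting ports table" from Nmap's normal (-oN) output.

Added example, not part of the Nmap project. SAMPLE_OUTPUT is constructed
to mirror Nmap's output layout; it does not come from a real scan.
"""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
Nmap scan report for host.example (192.0.2.10)
Host is up (0.00021s latency).
Not shown: 994 closed ports
PORT     STATE         SERVICE  VERSION
22/tcp   open          ssh      OpenSSH 7.4 (protocol 2.0)
25/tcp   filtered      smtp
80/tcp   open          http     Apache httpd 2.4.20 ((Unix))
443/tcp  open          ssl/http Apache httpd 2.4.20 ((Unix))
3306/tcp closed        mysql
53/udp   open|filtered domain
Service Info: Host: host.example
"""

# One row of the port table: "<port>/<proto> <state> <service> [<version>]".
# The two combined states are listed before the simple ones for clarity.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
# Summary line folding many ports into one state,
# e.g. "Not shown: 991 closed ports" or "Not shown: 990 closed ports, 3 filtered ports".
NOT_SHOWN = re.compile(r"^Not shown: (?P<rest>.+)$")
NOT_SHOWN_PART = re.compile(r"^(?P<count>\d+) (?P<state>\S+) ports?$")


def parse_ports(text):
    """Return one dict per row of the port table (port, proto, state, service, version)."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["version"] = (row["version"] or "").strip() or None
            rows.append(row)
    return rows


def not_shown(text):
    """Return {state: count} for the ports Nmap folded into the 'Not shown:' line."""
    folded = {}
    for line in text.splitlines():
        m = NOT_SHOWN.match(line.strip())
        if m:
            for part in m["rest"].split(", "):
                pm = NOT_SHOWN_PART.match(part.strip())
                if pm:
                    folded[pm["state"]] = folded.get(pm["state"], 0) + int(pm["count"])
    return folded


def summarize(text):
    """Count ports per state, including those hidden behind 'Not shown:'."""
    counts = Counter(r["state"] for r in parse_ports(text))
    for state, n in not_shown(text).items():
        counts[state] += n
    return dict(counts)


def needs_follow_up(text):
    """Ports in a combined state (open|filtered, closed|filtered): Nmap could not decide."""
    return [f"{r['port']}/{r['proto']}" for r in parse_ports(text) if "|" in r["state"]]


def unexpected_open(text, allowed):
    """Open ports that are not in an allow-list of expected (port, proto) pairs."""
    return [f"{r['port']}/{r['proto']}" for r in parse_ports(text)
            if r["state"] == "open" and (r["port"], r["proto"]) not in allowed]


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    print("ambiguous:", needs_follow_up(SAMPLE_OUTPUT))
    print("unexpected:", unexpected_open(SAMPLE_OUTPUT, {(22, "tcp"), (443, "tcp")}))
```

The allow-list check is the piece worth automating: a scan of your own hosts compared against the services you expect to be exposed turns the port table into a drift report. The combined states are deliberately kept separate, since an open|filtered UDP port is a signal to rescan with version detection rather than a result.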

Homepage: http://insecure.org/

GitHub: https://github.com/nmap/nmap

Author: Fyodor

License: GPLv2

Nmap Help

Usage:

nmap [Scan Type(s)] [Options] {target specification}

Options:

TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80

Nmap Reference Guide

The newest version of Nmap can be obtained from https://nmap.org. The newest version of this man page is available at https://nmap.org/book/man.html. It is also included as a chapter of Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (see https://nmap.org/book/).

Runtime interaction

During the execution of Nmap, all key presses are captured. This allows you to interact with the program without aborting and restarting it. Certain special keys will change options, while any other keys will print out a status message telling you about the scan. The convention is that lowercase letters increase the amount of printing, and uppercase letters decrease the printing. You may also press ‘?’ for help.

  • v / V: Increase / decrease the verbosity level
  • d / D: Increase / decrease the debugging level
  • p / P: Turn on / off packet tracing
  • ?: Print a runtime interaction help screen
  • Anything else: Print out a status message like this:

Stats: 0:00:07 elapsed; 20 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 20:57 (0:00:12 remaining)

Nmap Usage Example

Here are some Nmap usage examples, from the simple and routine to a little more complex and esoteric. Some actual IP addresses and domain names are used to make things more concrete. In their place you should substitute addresses/names from your own network. While I don't think port scanning other networks is or should be illegal, some network administrators don't appreciate unsolicited scanning of their networks and may complain. Getting permission first is the best approach.

For testing purposes, you have permission to scan the host scanme.nmap.org. This permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report Failed to resolve given hostname/IP: scanme.nmap.org. These permissions also apply to the hosts scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do not currently exist.

This command scans all reserved TCP ports on the machine scanme.nmap.org. The -v option enables verbose mode:

nmap -v scanme.nmap.org

Launches a stealth SYN scan against each machine that is up out of the 256 IPs on the /24 sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection:

nmap -sS -O scanme.nmap.org/24

Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116.0.0/16 address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running:

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -Pn since first sending a couple of probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway:

nmap -v -iR 100000 -Pn -p 80

This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats:

nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
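Two of the examples above rely on Nmap's target notation: CIDR blocks (216.163.128.20/20, 4096 addresses) and per-octet ranges (198.116.0-255.1-127). Knowing how many addresses a specification covers before launching a scan is how you size its duration and bandwidth, and how you avoid over-scanning a host like scanme.nmap.org. The expander below is an added example, not Nmap's own code; it implements the IPv4 forms the target specification section describes (CIDR, octet ranges, comma-separated octet lists, and an omitted side of a range defaulting to 0 or 255) and leaves hostnames to DNS.

```python
"""Expand Nmap-style IPv4 target specifications into individual addresses.

Added example, not part of the Nmap project. Handles CIDR notation and
octet-range notation as described in Nmap's target specification; hostnames
are not resolved here.
"""
import ipaddress
from itertools import product


def _octet_values(spec):
    """Expand one octet field: '10' -> [10], '1-127' -> 1..127, '3-5,7' -> [3,4,5,7].

    Either side of a range may be omitted (defaults 0 and 255), so '-' alone
    means 0-255, matching the rule in Nmap's target specification.
    """
    values = []
    for part in spec.split(","):
        lo, sep, hi = part.partition("-")
        lo_v = int(lo) if lo else 0
        hi_v = int(hi) if hi else (255 if sep else lo_v)
        if not 0 <= lo_v <= hi_v <= 255:
            raise ValueError(f"bad octet spec: {spec!r}")
        values.extend(range(lo_v, hi_v + 1))
    return values


def expand_target(spec):
    """Yield ipaddress.IPv4Address objects for one target specification."""
    if "/" in spec:
        # CIDR: Nmap scans every address in the block, network and broadcast
        # addresses included (a /24 is 256 targets, a /20 is 4096).
        net = ipaddress.ip_network(spec, strict=False)
        yield from net
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    # Cartesian product over the four octet fields, in address order.
    for combo in product(*(_octet_values(o) for o in octets)):
        yield ipaddress.IPv4Address(".".join(map(str, combo)))


def expand_all(specs):
    """Expand several specifications, de-duplicating addresses that overlap."""
    seen = set()
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in seen:
                seen.add(addr)
                yield addr


def count_targets(*specs):
    """Number of distinct addresses a scan with these target specs would touch."""
    return sum(1 for _ in expand_all(specs))


if __name__ == "__main__":
    # The specifications used in the usage examples on this page.
    for spec in ("198.116.0-255.1-127", "216.163.128.20/20", "10.0.0-255.1-254"):
        print(f"{spec:24} -> {count_targets(spec)} addresses")
```

A scan's probe budget scales with this count multiplied by the number of ports, so printing it first (or feeding the expanded list to -iL in batches) is a cheap way to keep a scan of your own ranges within the rate and time limits you intend.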

Scan verbosely (-v), enable OS detection, version detection, script scanning and traceroute (-A), and use the aggressive timing template (-T4) against the host suip.biz:

sudo nmap -v -A -T4 suip.biz

Output:

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-21 15:22 MSK
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:22
Completed NSE at 15:22, 0.00s elapsed
Initiating NSE at 15:22
Completed NSE at 15:22, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 15:22
Completed Parallel DNS resolution of 1 host. at 15:22, 0.02s elapsed
Initiating SYN Stealth Scan at 15:22
Scanning suip.biz (185.117.153.79) [1000 ports]
Discovered open port 993/tcp on 185.117.153.79
Discovered open port 3306/tcp on 185.117.153.79
Discovered open port 143/tcp on 185.117.153.79
Discovered open port 25/tcp on 185.117.153.79
Discovered open port 443/tcp on 185.117.153.79
Discovered open port 80/tcp on 185.117.153.79
Discovered open port 995/tcp on 185.117.153.79
Discovered open port 110/tcp on 185.117.153.79
Discovered open port 465/tcp on 185.117.153.79
Completed SYN Stealth Scan at 15:22, 0.04s elapsed (1000 total ports)
Initiating Service scan at 15:22
Scanning 9 services on suip.biz (185.117.153.79)
Completed Service scan at 15:22, 12.05s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against suip.biz (185.117.153.79)
NSE: Script scanning 185.117.153.79.
Initiating NSE at 15:22
Completed NSE at 15:23, 43.55s elapsed
Initiating NSE at 15:23
Completed NSE at 15:23, 0.01s elapsed
Nmap scan report for suip.biz (185.117.153.79)
Host is up (0.000038s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE  VERSION
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: suip.biz, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=suip.biz
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-05-17T12:14:00
| Not valid after:  2016-08-15T12:14:00
| MD5:   c5ea 594b d185 e811 6381 c82f 352d 9489
|_SHA-1: 5ead 1a9c 0858 23a2 59bb 98b4 70c3 c8dc a72d 9b92
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http     Apache httpd 2.4.20 ((Unix) PHP/7.0.6 OpenSSL/1.0.2h)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.20 (Unix) PHP/7.0.6 OpenSSL/1.0.2h
|_http-title: Did not follow redirect to https://suip.biz/
110/tcp  open  pop3     Dovecot pop3d
|_pop3-capabilities: RESP-CODES USER STLS TOP UIDL PIPELINING AUTH-RESP-CODE SASL(PLAIN CRAM-MD5) CAPA
| ssl-cert: Subject: commonName=suip.biz
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-05-17T12:14:00
| Not valid after:  2016-08-15T12:14:00
| MD5:   c5ea 594b d185 e811 6381 c82f 352d 9489
|_SHA-1: 5ead 1a9c 0858 23a2 59bb 98b4 70c3 c8dc a72d 9b92
|_ssl-date: TLS randomness does not represent time
143/tcp  open  imap     Dovecot imapd
|_imap-capabilities: ID listed STARTTLS LITERAL+ AUTH=CRAM-MD5A0001 SASL-IR LOGIN-REFERRALS IDLE Pre-login post-login have more capabilities ENABLE IMAP4rev1 OK AUTH=PLAIN
| ssl-cert: Subject: commonName=suip.biz
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-05-17T12:14:00
| Not valid after:  2016-08-15T12:14:00
| MD5:   c5ea 594b d185 e811 6381 c82f 352d 9489
|_SHA-1: 5ead 1a9c 0858 23a2 59bb 98b4 70c3 c8dc a72d 9b92
|_ssl-date: TLS randomness does not represent time
443/tcp  open  ssl/http Apache httpd 2.4.20 ((Unix) PHP/7.0.6 OpenSSL/1.0.2h)
|_http-favicon: Unknown favicon MD5: 913CC96448A5F71C239098652CB10104
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.20 (Unix) PHP/7.0.6 OpenSSL/1.0.2h
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=suip.biz
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-05-17T12:14:00
| Not valid after:  2016-08-15T12:14:00
| MD5:   c5ea 594b d185 e811 6381 c82f 352d 9489
|_SHA-1: 5ead 1a9c 0858 23a2 59bb 98b4 70c3 c8dc a72d 9b92
|_ssl-date: TLS randomness does not represent time
465/tcp  open  ssl/smtp Postfix smtpd
|_smtp-commands: suip.biz, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN CRAM-MD5, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Dovecot imapd 2.0.11
|_imap-capabilities: ID more listed ENABLE OK LITERAL+ AUTH=CRAM-MD5A0001 IMAP4rev1 post-login have Pre-login capabilities AUTH=PLAIN SASL-IR LOGIN-REFERRALS IDLE
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN CRAM-MD5) RESP-CODES UIDL PIPELINING AUTH-RESP-CODE USER TOP CAPA
|_ssl-date: TLS randomness does not represent time
3306/tcp open  mysql    MariaDB (unauthorized)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.4
Uptime guess: 4.002 days (since Tue May 17 15:21:07 2016)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host:  suip.biz

NSE: Script Post-scanning.
Initiating NSE at 15:23
Completed NSE at 15:23, 0.00s elapsed
Initiating NSE at 15:23
Completed NSE at 15:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.73 seconds
           Raw packets sent: 1022 (45.778KB) | Rcvd: 2051 (87.376KB)

How to install Nmap

Installation on Kali Linux

The program is pre-installed on Kali Linux. To install in minimal builds run:

sudo apt install nmap

Installation on Debian, Linux Mint, Ubuntu

sudo apt update
sudo apt install nmap

Installation on BlackArch

The program is pre-installed on BlackArch. To install in minimal builds run:

sudo pacman -S nmap

Nmap Screenshots

Programs included in the Nmap package:

  • nping — Network packet generation tool / ping utility
  • ndiff — Utility to compare the results of Nmap scans
  • ncat — Concatenate and redirect sockets
  • nmap — Network Mapper
