Learn Linux Nmap Command With Examples

December 29, 2012

Nmap, the network mapper, is a celebrity among security tools: it even appeared in the Matrix series, one of my favourite trilogies, where it is used to scan the whole Matrix ecosystem. Here we will not go into that much detail but will start from the basics.

As per Insecure Org,

“Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.”

Let's get to work. First, find the IP address of the machine:

[root@localhost ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:77:EA:7D
inet addr:192.168.172.128 Bcast:192.168.172.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe77:ea7d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:54691 errors:0 dropped:0 overruns:0 frame:0
TX packets:28951 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:80387733 (76.6 MiB) TX bytes:1595230 (1.5 MiB)
Interrupt:19 Base address:0x2000

1. Scanning localhost (ping scan, host discovery only)

nmap -sP localhost

2. Scanning the network 192.168.1.0/24

nmap -sP 192.168.1.0/24

3. Scan everything about localhost or a network (OS detection, version detection, script scanning and traceroute)

nmap -A localhost

Output:

Starting Nmap 5.51 ( http://nmap.org ) at 2012-12-18 09:26 PST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 36:87:72:a9:08:04:0d:ba:7c:6a:ff:45:99:41:19:79 (DSA)
|_2048 38:b0:e9:0f:b2:72:07:06:5c:22:88:86:f5:cf:e7:08 (RSA)
25/tcp open smtp Postfix smtpd
5900/tcp open vnc VNC (protocol 3.7)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.51%D=12/18%OT=22%CT=1%CU=33133%
OS:=i386-redhat-linux-gnu)SEQ(SP=103%GCD=1%
OS:O1=M400CST11NW6%O2=M400CST11NW6%O3=M400
OS:CST11NW6%O6=M400CST11)WIN(W1=8000%W2=80
OS:0)ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNW
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:=40%CD=S)
Network Distance: 0 hops
Service Info: Host: localhost.localdomain
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

Run the same scan against a network range and you get the same detailed report for every host on it that you got for localhost.
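A report like the one above is most useful when it is compared against what is supposed to be running. The following is an added example, not code from the original post: it parses the normal-format nmap report into a "port/proto service" inventory and flags any open port that is not on an expected-services baseline. The report text is taken from the output shown above and embedded inline, and the baseline (22/tcp and 25/tcp only) is an assumption made for the example.

```shell
#!/bin/sh
# Added example: turn an "nmap -A" report into an inventory and flag ports
# that are not on the expected baseline. Not part of the original article.

# Constructed sample: the report shown in the post, trimmed to the lines that matter.
SAMPLE_REPORT='Starting Nmap 5.51 ( http://nmap.org ) at 2012-12-18 09:26 PST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 36:87:72:a9:08:04:0d:ba:7c:6a:ff:45:99:41:19:79 (DSA)
|_2048 38:b0:e9:0f:b2:72:07:06:5c:22:88:86:f5:cf:e7:08 (RSA)
25/tcp open smtp Postfix smtpd
5900/tcp open vnc VNC (protocol 3.7)
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds'

# Assumed baseline of services that are allowed to listen on this host.
BASELINE='22/tcp
25/tcp'

# Which host the report describes ("name (address)").
scan_host() {
    printf '%s\n' "$1" | sed -n 's/^Nmap scan report for //p'
}

# "port/proto service" for every port the report lists as open.
# Script output lines start with "|" so they never match the port pattern.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# Open ports that are missing from the baseline, one per line.
# $1 = report text, $2 = baseline (one port/proto per line)
unexpected_ports() {
    open_ports "$1" | while read -r port svc; do
        printf '%s\n' "$2" | grep -qx "$port" || printf '%s %s\n' "$port" "$svc"
    done
}

# Stand-alone run: print the inventory and anything outside the baseline.
echo "Host: $(scan_host "$SAMPLE_REPORT")"
echo "Open ports:"
open_ports "$SAMPLE_REPORT"
echo "Not in baseline:"
unexpected_ports "$SAMPLE_REPORT" "$BASELINE"
```

On the sample report this prints the three open services and singles out 5900/tcp (VNC) as the one not on the baseline, which is exactly the kind of finding a periodic inventory scan should raise. For real use, feed the function the saved output of a scan (nmap -oN report.txt) and keep the baseline per host.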

Some other basic scanning techniques

4. nmap TCP SYN (half-open) scanning

# nmap -v -sS localhost
# nmap -v -sS 192.168.0.0/24

5. nmap TCP FIN scanning

# nmap -v -sF localhost
# nmap -v -sF 192.168.0.0/24

6. nmap TCP Xmas tree scanning

Useful to see whether the firewall protects against this kind of attack or not

# nmap -v -sX localhost
# nmap -v -sX 192.168.0.0/24

7. nmap TCP Null scanning

Useful to see whether the firewall protects against this kind of attack or not

# nmap -v -sN localhost
# nmap -v -sN 192.168.0.0/24

8. nmap TCP Window scanning

# nmap -v -sW localhost
# nmap -v -sW 192.168.0.0/24

9. nmap TCP RPC scanning

Useful to find out RPC (such as portmap) services

# nmap -v -sR localhost
# nmap -v -sR 192.168.0.0/24

10. nmap UDP scanning

Useful to find out UDP ports (the -sU switch; -O is OS detection, not a UDP scan)

# nmap -v -sU localhost
# nmap -v -sU 192.168.0.0/24

If you are looking for automation, the Nmap Scripting Engine (NSE) is the answer. Nmap 6.25 ships with 85 new NSE scripts, performance improvements, better OS/version detection, and more.

References:

Nmap Org
Lua Org
