
nmap - The Network Mapper

nmap logo. Source: https://nmap.org/images/sitelogo-nmap-1680x900.png

WARNING: It is ILLEGAL to scan hosts without permission.

Tip: Register a FREE account on tryhackme.com or hackthebox.eu; there are MANY free hosts/machines to practice nmap on.

This note is kept up to date.

Current version: 7.90 (2020-10-03)

Previous version: 7.80 (2019-08-10)

Visit the change log for details.

Online document: https://nmap.org/book/

Install nmap on CentOS

$ sudo yum install -y nmap

Check nmap version

$ nmap --version

Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.2k libpcre-8.32 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Get help

nmap -h

The default (simplest) first nmap scan: no options, so nmap pings the host and then scans the 1000 most common TCP ports

root@kali:~# nmap scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-17 13:52 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1723/tcp  filtered pptp
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 16.12 seconds
root@kali:~#

Detect Operating System

https://nmap.org/book/osdetect.html

root@kali:~# nmap -O scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-17 13:56 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1723/tcp  filtered pptp
9929/tcp  open     nping-echo
31337/tcp open     Elite
Aggressive OS guesses: Linux 3.10 - 4.11 (90%), HP P2000 G3 NAS device (89%), Linux 3.2 - 4.9 (89%), Linux 3.16 - 4.6 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%), Linux 4.4 (88%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 19 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.04 seconds
root@kali:~#

Note: if nmap reports "Host seems down. If it is really up, but blocking our ping probes, try -Pn", add -Pn:

-Pn: no ping - skip host discovery and treat every target as up, then port scan it

Detect HTTP Headers

List of scripts: https://svn.nmap.org/nmap/scripts/

tuyendq@2:~$ nmap -sV --script=http-headers scanme.nmap.org

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-04 18:13 +07
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0097s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
| http-headers:
|   Date: Mon, 04 May 2020 11:13:46 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   Accept-Ranges: bytes
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: HEAD)
|_http-server-header: Apache/2.4.7 (Ubuntu)
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.56 seconds
tuyendq@2:~$

nmap on Microsoft Windows 10

Go to https://nmap.org/download.html, scroll to "Microsoft Windows binaries", download the latest stable installer (for example nmap-7.80-setup.exe) and run it to install.

PS C:\Users\Tuyen> nmap --version
Nmap version 7.90 ( https://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1h nmap-libssh2-1.9.0 nmap-libz-1.2.11 nmap-libpcre-7.6 Npcap-1.00 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: iocp poll select
PS C:\Users\Tuyen>

Commonly used

nmap --iflist : List interfaces and routes
nmap -sV -Pn --script=http-headers scanme.nmap.org : Version detection plus the http-headers script, no ping
nmap -Pn -p- : Scan ALL 65535 TCP ports, no ping
nmap -Pn --script vuln : Run all scripts in the vuln category

target=10.10.x.x
# stage 1: fast scan of all ports, keep only the port numbers as a comma-separated list
ports=$(nmap -Pn -p- --min-rate=1000 -T4 "$target" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//') \
# stage 2: default scripts + version detection on just those ports, output saved to <target>.log
&& nmap -Pn -sC -sV -p"$ports" "$target" -oN "$target.log" &
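The two-stage scan above turned into testable shell functions, as an added example (not code from the original post): extract_open_ports parses stage-1 output into a port list and stage2_command builds the follow-up command line; the function names, the 10.10.0.5 target and the nmap output are constructed here. It goes slightly beyond the one-liner by keeping only ports in the open state, so a filtered port is not handed to the slower -sC -sV pass.

```shell
#!/bin/sh
# Added example, not from the original post: the two-stage scan as
# testable shell functions. Stage 1 would normally be the output of
# "nmap -Pn -p- --min-rate=1000 -T4 $target"; here it is replaced by a
# constructed sample so the parser runs offline. 10.10.0.5 is made up.
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.90 ( https://nmap.org ) at 2020-10-03 10:00 UTC
Nmap scan report for 10.10.0.5
Host is up (0.012s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1723/tcp  filtered pptp
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds'

# Read nmap normal output on stdin and print the ports whose state is
# exactly "open", comma-separated, e.g. "22,80,9929,31337".
# The grep '^[0-9]' one-liner also keeps "filtered" ports and would feed
# 1723 into the slow -sC -sV stage; this version drops them.
extract_open_ports() {
    awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" {
             split($1, p, "/"); printf "%s%s", sep, p[1]; sep = ","
         }
         END { print "" }'
}

# Assemble the stage-2 command line as text instead of running it, so the
# port list can be checked (and an empty list refused) before any probe is sent.
stage2_command() {
    target=$1
    ports=$2
    if [ -z "$ports" ]; then
        echo "no open ports found for $target, nothing to version-scan" >&2
        return 1
    fi
    printf 'nmap -Pn -sC -sV -p%s %s -oN %s.log\n' "$ports" "$target" "$target"
}

# Demo on the constructed sample (prints the command; does not execute it)
open_ports=$(printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | extract_open_ports)
echo "open ports: $open_ports"
stage2_command 10.10.0.5 "$open_ports"
```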

Example: scanning WordPress with the http-wordpress-enum script

https://svn.nmap.org/nmap/scripts/http-wordpress-enum.nse

nmap -p 8080 --script=http-wordpress-enum --script-args search-limit=1500 -vv 127.0.0.1

Resources

TryHackMe Hacktivities

Practice

>>> THM | 25 Days of Cyber Security - Day 8

>>> THM | Advent of Cyber 2 - Task 14 (Day 9)

Related articles

>>> RustScan
