
nmap - The Network Mapper

nmap logo. Source: https://nmap.org/images/sitelogo-nmap-1680x900.png

WARNING: It is ILLEGAL to scan hosts without permission.

Tip: Register a FREE account on tryhackme.com or hackthebox.eu; there are MANY free hosts/machines to practice nmap on.

Keep up to date

Current version: 7.90 (2020-10-03)

Previous version: 7.80 (2019-08-10)

Visit the change log (https://nmap.org/changelog.html) for details.

Online document: https://nmap.org/book/

Install nmap on CentOS

$ sudo yum install -y nmap

Check nmap version

$ nmap --version

Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.2k libpcre-8.32 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Get help

nmap -h

The default (simplest) first nmap scan: with no options, nmap pings the host and then scans the 1000 most common TCP ports (the 5 listed plus "Not shown: 995 closed ports" below)

root@kali:~# nmap scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-17 13:52 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1723/tcp  filtered pptp
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 16.12 seconds
root@kali:~#

Detect Operating System (-O; needs root privileges because it sends raw packets)

https://nmap.org/book/osdetect.html

root@kali:~# nmap -O scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-17 13:56 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1723/tcp  filtered pptp
9929/tcp  open     nping-echo
31337/tcp open     Elite
Aggressive OS guesses: Linux 3.10 - 4.11 (90%), HP P2000 G3 NAS device (89%), Linux 3.2 - 4.9 (89%), Linux 3.16 - 4.6 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%), Linux 4.4 (88%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 19 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.04 seconds
root@kali:~#

Note: if nmap reports "Host seems down. If it is really up, but blocking our ping probes, try -Pn", add -Pn:

-Pn: no ping - skip host discovery and treat every target as up

Detect HTTP Headers

List of scripts: https://svn.nmap.org/nmap/scripts/

tuyendq@2:~$ nmap -sV --script=http-headers scanme.nmap.org

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-04 18:13 +07
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0097s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
| http-headers:
|   Date: Mon, 04 May 2020 11:13:46 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   Accept-Ranges: bytes
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: HEAD)
|_http-server-header: Apache/2.4.7 (Ubuntu)
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.56 seconds
tuyendq@2:~$

nmap on Microsoft Windows 10

Go to https://nmap.org/download.html, scroll to "Microsoft Windows binaries", download the latest stable version (for example nmap-7.80-setup.exe), and run it to install.

PS C:\Users\Tuyen> nmap --version
Nmap version 7.90 ( https://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1h nmap-libssh2-1.9.0 nmap-libz-1.2.11 nmap-libpcre-7.6 Npcap-1.00 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: iocp poll select
PS C:\Users\Tuyen>

Commonly used

nmap -iflist : List all interfaces and routes
nmap -sV -Pn --script=http-headers scanme.nmap.org : Service/version detection plus HTTP headers, no ping
nmap -Pn -p- : Scan ALL 65535 TCP ports, no ping
nmap -Pn --script vuln : Run all scripts in the "vuln" category, no ping

target=10.10.x.x
ports=$(nmap -Pn -p- --min-rate=1000 -T4 "$target" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//') \
&& nmap -Pn -sC -sV -p "$ports" "$target" -oN "$target.log" &
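As an added example (not part of the original post), this POSIX shell script replaces the grep step of the two-stage pipeline above with a parser that keeps only rows whose STATE is "open", so filtered ports such as 1723/tcp are not re-scanned and an empty result does not produce a broken -p argument. The sample report is constructed from the scanme.nmap.org output shown earlier; open_ports and scan_open_ports are names chosen here.

```shell
# Added example, not from the original post.
# Constructed sample: the scanme.nmap.org report shown earlier in this post.
SAMPLE_NMAP_OUTPUT='Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1723/tcp  filtered pptp
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 16.12 seconds'

# open_ports: read nmap normal (-oN) output on stdin and print the open TCP
# ports as "22,80,..." with no trailing comma. Rows in state "filtered",
# "closed" or "open|filtered" are skipped, and nothing is printed when no
# port is open, so the caller can test for an empty string.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             split($1, f, "/")
             ports = (ports == "" ? f[1] : ports "," f[1])
         }
         END { if (ports != "") print ports }'
}

# scan_open_ports: the pipeline from the post (fast full-port sweep, then
# -sC -sV on what was found), with the parsing done by open_ports and a
# guard so nmap is never started with an empty -p list.
# Usage: scan_open_ports <target>
scan_open_ports() {
    target="$1"
    ports=$(nmap -Pn -p- --min-rate=1000 -T4 "$target" | open_ports) || return 1
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    nmap -Pn -sC -sV -p "$ports" "$target" -oN "$target.log"
}
```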

Example: scanning WordPress

https://svn.nmap.org/nmap/scripts/http-wordpress-enum.nse

nmap -p 8080 --script=http-wordpress-enum --script-args search-limit=1500 -vv 127.0.0.1

Resources

TryHackMe Hacktivities

Practice

>>> THM | 25 Days of Cyber Security - Day 8

>>> THM | Advent of Cyber 2 - Task 14 (Day 9)

Related articles

>>> RustScan
