
nmap - The Network Mapper

nmap logo. Source: https://nmap.org/images/sitelogo-nmap-1680x900.png

WARNING: It is ILLEGAL to scan hosts without permission.

Tip: Register a free account on tryhackme.com or hackthebox.eu; both offer many free hosts/machines that you are explicitly allowed to practice nmap against.

Keep nmap updated

Current version: 7.90 (2020-10-03)

Previous version: 7.80 (2019-08-10)

Visit the change log (https://nmap.org/changelog.html) for details.

Online document: https://nmap.org/book/

Install nmap on CentOS

$ sudo yum install -y nmap

Note: the CentOS base repository ships an old build (6.40, as the version check below shows), far behind the current 7.90 release. Newer NSE scripts and service probes are only available if you build from source or install the RPMs from https://nmap.org/download.html.

Check nmap version

$ nmap --version

Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.2k libpcre-8.32 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Get help

nmap -h

The simplest default scan: with no options nmap first checks that the host is up, then scans the 1,000 most common TCP ports (a SYN scan when run as root, a full TCP connect scan otherwise).

root@kali:~# nmap scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-17 13:52 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1723/tcp  filtered pptp
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 16.12 seconds
root@kali:~#

Detect operating system (-O, requires root/raw-socket privileges)

https://nmap.org/book/osdetect.html
root@kali:~# nmap -O scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-17 13:56 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1723/tcp  filtered pptp
9929/tcp  open     nping-echo
31337/tcp open     Elite
Aggressive OS guesses: Linux 3.10 - 4.11 (90%), HP P2000 G3 NAS device (89%), Linux 3.2 - 4.9 (89%), Linux 3.16 - 4.6 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%), Linux 4.4 (88%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 19 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.04 seconds
root@kali:~#

Note: if nmap reports "Host seems down. If it is really up, but blocking our ping probes, try -Pn", the host-discovery probes were blocked (typical behind a firewall), not necessarily the host itself being offline. Rerun with -Pn.

-Pn: skip host discovery (no ping) and treat every target as online, so port scanning proceeds regardless of whether the host answers the discovery probes.

Detect HTTP Headers

List of scripts: https://svn.nmap.org/nmap/scripts/

tuyendq@2:~$ nmap -sV --script=http-headers scanme.nmap.org

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-04 18:13 +07
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0097s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
| http-headers:
|   Date: Mon, 04 May 2020 11:13:46 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   Accept-Ranges: bytes
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: HEAD)
|_http-server-header: Apache/2.4.7 (Ubuntu)
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.56 seconds
tuyendq@2:~$

nmap on Microsoft Windows 10

Go to https://nmap.org/download.html, scroll to Microsoft Windows binaries to download the latest stable version, for example nmap-7.80-setup.exe, and run to install.

PS C:\Users\Tuyen> nmap --version
Nmap version 7.90 ( https://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1h nmap-libssh2-1.9.0 nmap-libz-1.2.11 nmap-libpcre-7.6 Npcap-1.00 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: iocp poll select
PS C:\Users\Tuyen>

Commonly used

nmap --iflist : List all interfaces and routes
nmap -sV -Pn --script=http-headers scanme.nmap.org : Version detection plus the http-headers script, skipping host discovery
nmap -Pn -p- : Scan ALL 65535 TCP ports, no ping
nmap -Pn --script vuln : Run all scripts in the "vuln" category
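
The usual way to combine the "scan ALL ports" and "version detection / scripts" commands above is a two-stage scan: a full -p- sweep written to grepable output (-oG), then -sV and NSE scripts only against the ports that were actually open. The shell script below is an added example, not code from the original post or from the nmap project. It parses a constructed -oG file built from the scanme.nmap.org results shown earlier on this page (plus a hypothetical host 192.0.2.10 with nothing open, to show the edge case) and emits the follow-up command per host; it does not itself run nmap.

```shell
#!/bin/sh
# Added example (not from the original post): two-stage scan workflow.
# Stage 1 (not run here): nmap -Pn -p- -oG full.gnmap <target>
# Stage 2: parse the grepable (-oG) file, keep only ports in state "open",
# and build a targeted "nmap -Pn -sV -p <ports> <ip>" command per host so
# version detection and NSE scripts only touch ports that actually answered.

# Constructed -oG sample: the scanme.nmap.org results shown above, plus a
# second, hypothetical host (192.0.2.10) that has no open ports at all.
# printf is used so the tab separators of the -oG format are explicit.
sample_gnmap() {
  printf '# Nmap 7.90 scan initiated (constructed sample, not a real capture)\n'
  printf 'Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up\n'
  printf 'Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 1723/filtered/tcp//pptp///, 9929/open/tcp//nping-echo///, 31337/open/tcp//Elite///\tIgnored State: closed (995)\n'
  printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.10 ()\tPorts: 443/filtered/tcp//https///\tIgnored State: closed (999)\n'
  printf '# Nmap done (constructed sample)\n'
}

# open_ports FILE -> one "ip port/proto" line per port whose state is exactly "open".
# -oG fields are tab separated; each port entry is
# port/state/proto/owner/service/rpc/version.
# "open|filtered" (typical for UDP) is deliberately excluded: it is not a
# confirmed listener and would waste version-detection time.
open_ports() {
  awk -F'\t' '/^Host:.*Ports:/ {
    split($1, h, " "); ip = h[2]
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open") print ip, f[1] "/" f[3]
        }
      }
    }
  }' "$1"
}

# followup_cmds FILE -> one "nmap -Pn -sV -p <ports> <ip>" line per host
# that has at least one open port. Hosts with nothing open (192.0.2.10 in
# the sample) produce no command, so they are not rescanned.
followup_cmds() {
  open_ports "$1" | awk '{
    split($2, pp, "/")
    if ($1 in ports) ports[$1] = ports[$1] "," pp[1]; else ports[$1] = pp[1]
  } END {
    for (ip in ports) print "nmap -Pn -sV -p " ports[ip] " " ip
  }'
}

# Demo: feed the constructed sample through both stages ("-" means stdin).
if [ "${1:-}" = "demo" ]; then
  sample_gnmap | open_ports -
  sample_gnmap | followup_cmds -
fi
```

Run the script with the argument demo to print the open-port list and the generated follow-up command. In real use, point open_ports and followup_cmds at the .gnmap file written by -oG instead of sample_gnmap, review the generated commands, and execute them only against hosts you are authorized to scan.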

Example: enumerate WordPress plugins and themes with http-wordpress-enum (search-limit raises the number of known plugin/theme names the script tries; -vv shows progress)

https://svn.nmap.org/nmap/scripts/http-wordpress-enum.nse

nmap -p 8080 --script=http-wordpress-enum --script-args search-limit=1500 -vv 127.0.0.1

Resources

TryHackMe Hacktivities

Practice

>>> THM | 25 Days of Cyber Security - Day 8

>>> THM | Advent of Cyber 2 - Task 14 (Day 9)

Related articles

RustScan
