Comprehensive Guide to Using Nmap

May 10, 2025

Lecture Notes: Comprehensive Guide to Nmap

Introduction to Nmap

  • Nmap Origin: Created by Gordon Lyon (aka Fyodor) and introduced in Phrack magazine.
  • Current Status: A key tool in network reconnaissance and cybersecurity auditing.
  • Evolution: Began as a port scanner and evolved to include tools like Ncrack, Ncat, Nping, and Zenmap.

Key Components of Nmap

  • Nmap Scripting Engine (NSE): Uses Lua for scripting additional tasks.
  • Tools Overview:
    • Ncrack: Network authentication cracking.
    • Ncat: Enhanced version of Netcat.
    • Nping: Network packet crafting.
    • Zenmap: Graphical interface for Nmap.

Installation and Setup

  • Pre-installation Considerations:
    • Firewalls, routers, and proxies can impact scan results.
    • Scanning without authorization can lead to legal issues.
  • Installation from Source: Offers the latest features and customization.
    • Requires dependencies like OpenSSL.
    • Steps: check out the source with SVN, run configure, then compile and install.

Basic Scanning Techniques

  • Simple Scans:
    • nmap [target]: Scans the 1,000 most common TCP ports.
    • Port States: Open, closed, filtered, unfiltered, open|filtered, closed|filtered.
  • Multiple Targets:
    • CIDR notation for subnets.
    • IP range and target list files.
    • Exclude specific hosts or use exclude file.
  • Network Interface: Use -e [interface] to specify.
  • IPv6 Scanning: -6 parameter for IPv6 targets.

Discovery Techniques

  • Ping Types:
    • -sn: Host discovery (ping) only; skips the port scan.
    • TCP, UDP, SCTP, and ICMP pings.
  • Traceroute and DNS Resolution:
    • --traceroute: Maps path to target.
    • -R: Force DNS resolution for all targets.
    • -n: Disable DNS lookups.
    • --dns-servers: Specify DNS servers.

Advanced Scanning Techniques

  • Scan Types:
    • -sS: TCP SYN scan (default for root users).
    • -sT: TCP connect scan (default for non-root users).
    • -sU: UDP scan.
    • -sN, -sF, -sX: Null, FIN, and Xmas scans.
  • Service and OS Detection:
    • -O: Operating system detection.
    • -sV: Service version detection.

Timing and Performance

  • Timing Templates: -T[0-5] for adjusting speed vs stealth.
  • Parallelism: --min-parallelism, --max-parallelism.
  • Rate Controls: --min-rate and --max-rate.

Evasion Techniques

  • Fragmentation: --mtu [value] for packet fragmentation.
  • Decoys and Spoofing: -D, --spoof-mac.
  • Idle Scans: -sI [zombie] for stealthy probing.

Nmap Scripting Engine (NSE)

  • Usage: --script [name] to run specific scripts.
  • Examples:
    • Whois information retrieval.
    • Traceroute geolocation.
  • Script Repository: Access additional scripts from the Nmap website.

Output Options

  • Saving Results:
    • -oN, -oX, -oG: Normal text, XML, and greppable output formats.
  • Regular Updates: --stats-every [time] for ongoing scan summaries.
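An added example, not part of these notes: a parser for the XML that -oX writes, used the way a defender typically uses saved scan output, to compare a current scan against an authorised baseline and report ports that are newly open. It also applies the port-state caveat from the Basic Scanning section: open|filtered (usual for UDP) is not counted as a confirmed exposure unless asked for. The two XML samples are constructed and trimmed to the elements the parser reads; they are not real scan output.

```python
"""Parse Nmap -oX (XML) output and flag ports open now that were not open in a baseline scan."""
import xml.etree.ElementTree as ET

# Constructed samples in the shape of Nmap's XML output, trimmed to the elements read below.
BASELINE_XML = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
</ports></host></nmaprun>"""

NEW_XML = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_text, include_uncertain=False):
    """Return {addr: {(proto, port): service}} for ports Nmap reports as open.

    open|filtered (typical for UDP) is skipped unless include_uncertain is set,
    so a probe that simply got no reply is not counted as a confirmed exposure.
    """
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports = {}
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state == "open" or (include_uncertain and state == "open|filtered"):
                svc = port.find("service")
                key = (port.get("protocol"), int(port.get("portid")))
                ports[key] = svc.get("name") if svc is not None else ""
        result[addr] = ports
    return result


def new_exposures(baseline_xml, current_xml, include_uncertain=False):
    """Per host, the open ports in the current scan that were not open in the baseline."""
    base = open_ports(baseline_xml, include_uncertain)
    diff = {}
    for addr, ports in open_ports(current_xml, include_uncertain).items():
        added = {k: v for k, v in ports.items() if k not in base.get(addr, {})}
        if added:  # only report hosts that actually gained an open port
            diff[addr] = added
    return diff
```

Calling new_exposures(BASELINE_XML, NEW_XML) on the samples reports only tcp/3389; the closed telnet port is ignored and udp/161 appears only with include_uncertain=True.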

Using Zenmap

  • Graphical Interface: Simplifies complex Nmap commands.
  • Cross-platform: Available for Windows, macOS, and Linux.

Conclusion

  • Continued Learning: Explore more about Nmap through additional resources and tutorials.
  • Caution: Always scan responsibly and adhere to legal guidelines.