Are you tired of constantly wondering how to use nmap and what it is capable of? Well, wonder no more. In this comprehensive guide I'm going to take you through everything you need to know about nmap, from the basics to the more advanced features. By the end of this video you will never have to ask again about nmap; you'll just become a pro after this video. This video isn't just your average watch, it's a full-fledged nmap expedition. Grab your learning gear, because we're diving deep. If you're not prepared to unleash your inner detective, this might not be the video for you.

All right, let's start with the foundation of nmap. Picture this: back in the day, the genius Gordon Lyon (Fyodor) dropped the bomb that is nmap in the legendary pages of Phrack magazine, volume 7, issue 51. You can still catch the vibes of its inception at their website. Fast forward to today, and nmap is still stealing the spotlight as one of the holy grails in network reconnaissance and cyber security auditing. It all started as a bang-up port scanner, blowing minds with groundbreaking techniques for port discovery. But oh my friends, it didn't stop there. nmap has evolved into a family of rockstar networking tools, featuring headliners like Ncrack, the rockstar of network authentication cracking, jamming out support for all your favorite applications and protocols. Then we've got Ncat, the upgraded version of netcat on steroids, rocking encryption out of the box and getting all fancy with Lua scripts. But wait, there's more: enter Nping, the maestro of custom network packet crafting for all your diagnostics and troubleshooting needs. And let's not forget Zenmap, the cross-platform GUI for nmap, where usability meets sophistication. And in the heart of it all we've got the Nmap Scripting Engine, NSE, a game changer: it snatches up intel from scan targets and hands you the power to script additional tasks using Lua. It's like having a cyber wizard at your fingertips, weaving magic spells in the world of networking.

Before delving into nmap it's crucial to grasp the following concepts. Firewalls, routers, proxy servers and other security devices can influence nmap scan results; scanning remote hosts outside your local network may yield misleading information due to these factors. Certain scanning options necessitate elevated privileges: on Unix and Linux systems you might need to log in as the root user or execute nmap using the sudo command. Alongside these considerations, it's essential to heed the following warnings. Scanning networks without proper authorization can lead to repercussions with your internet service provider, law enforcement and potentially government entities; avoid scanning sensitive sites like FBI or Secret Service websites unless you want legal trouble. Aggressively scanning certain systems may induce crashes, resulting in undesirable outcomes such as system downtime and data loss; exercise caution when scanning mission-critical systems. Approach each scan with the awareness of potential consequences.

Installing nmap. Unlocking the full potential of nmap goes beyond the default pre-installation in Kali Linux. Let's take control and elevate our capabilities by installing nmap from the source code. Why source code, you ask? Well my friends, let's talk about the beauty of installing nmap straight from the source. You see, when you embark on the journey of building nmap from the raw, unfiltered source code, you're opening the door to a realm of possibilities. The first perk, my friends, is the allure of the latest and greatest features: by immersing yourself in the source code you get to bask in the glory of the freshest functionalities and the sweet nectar of bug fixes. It's like sipping on the elixir of progress. Customization, ah, now that's where the magic happens. Imagine having the power to tailor nmap to your heart's desire: enable what you need, disable what you don't. It's a dance of options, a symphony of choice, all at the tip of your command line. Building nmap from source takes a little extra work, but is well worth the effort to get the new features in nmap's latest release. Pre-compiled nmap packages can be found for all major platforms at this page, for those who do not feel like setting up the build environment. When working with precompiled packages, just make sure that you grab the latest version to avoid missing important fixes or enhancements; this is especially important with Windows and the Npcap driver, which has gone through some serious improvements.

Before we proceed, let's ensure that Subversion is installed on your Kali Linux. Kali typically comes pre-installed with Subversion, so you need not worry. Simply open the terminal and type svn. As you can see, it's already installed, as it should be; you'll see the familiar commands. If in some cases it's not installed, don't fret: it will prompt you to install it, just type y and it will seamlessly install for you. The Subversion repository hosted at this link contains the latest development version of nmap and has world read access, which allows anyone to grab a copy of the source code. The installation process described in this recipe also installs Ncat, Zenmap, Ndiff and Nping. As we embark on this journey, building nmap requires additional libraries, like the development definitions from OpenSSL, and the make command. Execute the following command to install the necessary dependencies. It's important to note that while OpenSSL is optional, its absence may limit nmap functionality: nmap relies on OpenSSL for vital functions such as integer hashing and encoding and decoding SSL requests, crucial for both service detection and the Nmap Scripting Engine.

Having completed the preliminary steps, we are now set to install nmap from the source code. First things first, type the following command: svn followed by the nmap source code link. This command initiates the download and listing of files. Once it completes, you'll receive a message indicating that a new directory containing the source code is now available in your current working directory. Assuming you've installed all the necessary dependencies, you're now ready to compile nmap. Navigate to the directory by typing cd nmap. For a complete list of configuration directives, use the help command argument: ./configure --help. Then execute the configuration command: ./configure. This command initiates the configuration process; be patient for a few minutes. Upon successful completion of the configuration you should see a message indicating so. Now it's time to compile nmap: simply type make. This will compile nmap, and you'll be ready to utilize its enhanced capabilities on your system. Oh no, we got an error. No worries: after some diligent research we found a solution to fix this issue, simply downgrade the setuptools version by typing the following command. Now let's give it another shot: type make install. Upon successful completion you'll receive a message confirming that nmap has been installed. You're now all set to unleash the power of nmap across your entire system.

Now that we've successfully compiled nmap, we are all set to roll. If, for instance, you wish to open Zenmap, follow these simple steps: navigate to the Zenmap directory by entering cd zenmap, then execute Zenmap by typing ./zenmap. You're now ready to explore the powerful features of Zenmap on your system. You can use the others too, like this, but nmap is ready to go. If you want to try the latest creations of the development team, there is a folder named nmap-exp that contains several experimental branches of the project. The code stored in this folder is not guaranteed to work all the time, as it is used as a sandbox by developers, although some hidden gems can be found there from time to time. These branches are located at this website. Okay, now we are good to start scanning. But if you want to install nmap on your Windows, it is so simple: I will put a link in the description, you can download it from there now.
Let's embark on the nmap journey, progressing from the basics to advanced techniques. Let's kick things off with a straightforward scan, no fancy nmap options involved. Before we embark on this journey, it's essential to clarify that my target is my Windows virtual machine. Additionally, the scanme.insecure.org server serves as a common example target frequently used throughout this video; it's worth noting that this particular system is graciously hosted by the nmap project.

In the sacred realm of command line incantation, seek enlightenment and guidance with the venerable nmap. Behold: the mystic symbol -h shall reveal unto you a summary of the available incantations: nmap -h. But lo, should your thirst for knowledge remain unquenched, delve deeper into the arcane teachings of nmap. Utter the sacred invocation to open the manual and partake in the wisdom it bestows upon the worthy: man nmap. In the sacred scrolls of the manual page you shall find a wealth of knowledge, revealing the secrets and nuances of nmap's mystical powers.

The capital -V option in nmap is used to display the installed version of the tool. It can be helpful for troubleshooting and ensuring that you are using the latest version, which may include bug fixes and new features. To use this option, you can run the following command in your terminal or command prompt: nmap -V. This command will display information about the nmap version installed on your system. If you encounter any issues, or if you want to stay updated with the latest features and bug fixes, it's a good practice to check the official nmap website for the most recent version.

The small -v option in nmap is used to enable verbose output, providing more detailed information during the scanning process. It can be helpful for troubleshooting connectivity issues and gaining insights into the scan's progress. To use this option, you can run the following command in your terminal or command prompt: nmap -v <target>. This command will perform a scan on the specified target with verbose output enabled. If you want even more detailed information, you can use the option multiple times, such as nmap -vv <target>; this will increase the verbosity level and provide additional details about the scanning process.

Embarking on a targeted exploration: executing nmap without any command line options initiates a fundamental scan on the specified target, which can be denoted by an IP address or host name. Just type nmap <target>. What happens next? nmap, the wizard of network probing, systematically scans the 1,000 most common TCP/IP ports. Now, each port responding to its probing reveals its secrets, falling into one of these six intriguing states. Open: it's like a neon sign saying come on in, a service is actively awaiting connections on this port. Closed: probes were received, but it's like knocking on a door with no one home, no service is running on this port. Filtered: the mysterious cloak, no signs of probes, no established state, something's filtering those signals, could be a security wizard at play. Unfiltered: probes were received, but a clear state remains elusive, the plot thickens. Open|filtered: a tantalizing blend of possibility, the port might be open or filtered, but the exact state remains a bit elusive. Closed|filtered: a double mystery, the port is either closed or filtered, but the precise state continues to play hide and seek. So with this voyage through port states, nmap unveils the secrets of your target's service landscape.

Exploring multiple targets? nmap has your back. The simplest way to achieve this is by stringing together the target IP addresses or host names on the command line, separated by spaces. Ready to scan a whole subnet? nmap makes it easy by using CIDR (classless inter-domain routing) notation: just type nmap <network IP>/<CIDR>. This command directs nmap to scan the entire IP address network, leveraging CIDR notation. CIDR notation is a compact representation of the network address and subnet mask in binary bits, conveniently separated by a slash. To scan a range of IP addresses, simply type nmap <range of IP addresses>; this allows nmap to target a specified range of IP addresses for thorough scanning.

To scan a list of targets efficiently, you can create a text file, for example ip.txt, containing the IP addresses or host names of the systems you want to scan. Each entry in the file should be separated by a space, tab or new line. For instance, if your file ip.txt contains a list of IP addresses, you can initiate the scan by typing nmap -iL ip.txt. The -iL parameter is crucial here, as it instructs nmap to extract the list of targets from the specified file. This scan will be executed individually for each host mentioned in the file, allowing for a comprehensive assessment of multiple systems.

To fine-tune your scans, nmap offers the --exclude option, allowing you to omit specific hosts during a scan; for instance nmap <targets> --exclude <target>. This option proves valuable when dealing with a substantial number of addresses, enabling you to selectively exclude certain hosts. The --exclude option accommodates single hosts, ranges or entire network blocks. Additionally, you can leverage the --excludefile option, which functions similarly to --exclude but allows you to provide a list of targets to be excluded from the network scan, for example nmap <targets> --excludefile <your file name>. In this scenario the targets listed in the ip.txt file will be excluded from the scan, providing flexibility in tailoring your scanning parameters.

When it comes to network interface selection, nmap usually does a great job of automatically detecting your active interface. However, there are situations where it might encounter challenges, or you specifically need to choose a different interface to address networking issues. In such cases you can utilize the -e argument to instruct nmap to scan using a particular network interface: nmap -e <interface> <target>. This becomes necessary when dealing with broadcast scripts, or if you come across the warning message "WARNING: Unable to find appropriate interface for system route to ...". By specifying the interface you can overcome these challenges and ensure a more accurate and targeted scan.

Venturing into the realm of IPv6, nmap has you covered with the -6 parameter, designed for scanning IP version 6 targets; for instance nmap -6 <target>. Executing this command unveils the results of scanning an IPv6 target. It's worth noting that while most nmap options seamlessly support IPv6, there are exceptions: multiple-target scanning using ranges and CIDR, for example, is rendered pointless in IPv6 networks.

Fancy a roll of the dice in cyberspace? nmap's got you covered with the -iR parameter, allowing you to scan random internet hosts; for instance nmap -iR <number of targets>. Executing this command prompts nmap to randomly generate a specified number of targets and scan them. While it might be an interesting exercise for research purposes or sheer curiosity, it's crucial to note that conducting frequent and aggressive random scans could potentially lead to issues with your internet service provider, so proceed with caution unless you're working on a research project.

Unleash the power of understanding port states with this special command: nmap --reason <target>. When you run this, you'll notice a new reason field in the results. It's like a decoder revealing the secrets behind why each port is in its current state, whether it's open, closed or filtered by a firewall. Think of it as your magical guide, helping you make sense of the hidden forces within the realm of network exploration. May your scanning journey be clear and full of revelations.

Simplify your scan results with the power of focus: nmap --open <target>. By using the --open parameter, you tell nmap to cut through the noise and show only the open ports. It's like a spotlight in the darkness, revealing the crucial entry points and keeping your results clear and concise.

Uncover the secrets of network communication with the packet trace magic: nmap --packet-trace <target>. By using --packet-trace, nmap reveals a detailed log of every packet's journey, sent and received. It's your backstage pass to the network performance, perfect for troubleshooting connectivity hiccups.

All right, let's delve into the myriad of port scanning options that nmap has to offer in the vast expanse of TCP/IP ports, totaling 131,072. Whether to unveil uncommon services or to trace ports redirected to alternative locations, this section unfolds the options that grant you the power to extend your scans into different port territories and explores various features tailored for port-specific investigations. Let's unravel the possibilities that lie beyond the customary port limits.

To kick things off with a swifter approach, the -F option in nmap is your ticket to a speedy scan, focusing solely on the 100 most prevalent ports. Here's how to unleash this rapid exploration: nmap -F <target>. While nmap by default meticulously examines the top 1,000 commonly used ports, the -F option strategically trims that list down to 100. This not only dramatically accelerates your scanning pace but also ensures that you're still capturing the essence of the most commonly used ports. It's a powerful trade-off between speed and comprehensiveness, designed to optimize your scanning experience.

In the intricate world of port scanning, the -p option in nmap acts as your guiding light, allowing you to pinpoint and scrutinize specific ports with finesse. Let's unravel the possibilities: nmap -p <port that you want> <target>. For instance, the command above harnesses -p to hone in on port 80. But why stop there? The -p option goes beyond solitary pursuits: you can explore multiple individual ports separated by commas, or even a captivating range of ports. Witness the flexibility: nmap -p <port 1>,<port 2>,... or <range of ports> <target>. Yet the -p option doesn't merely stop at numerical values; it embraces the eloquence of port names: nmap -p <port names> <target>. As illustrated, you can seek open ports by name, where the specified names must align with a service listed in the nmap-services file. In the symphony of port scanning options, the -p option in nmap reveals yet another note: the wildcard asterisk. This wildcard, when employed with -p, becomes a powerful tool to scan all 65,535 TCP/IP ports on the target of your choice: nmap -p "*" <target>. Crucially, the use of double quotes is imperative to encapsulate the wildcard statement, preventing your system from misinterpreting it as a shell wildcard; this ensures precision in your command execution. In essence, this command is an invocation to explore every nook and cranny of the target's port landscape, an all-encompassing journey into the entire spectrum of TCP/IP ports.

Embarking on the intricate journey of port scanning, the -p option in nmap stands as a versatile ally. Its capabilities extend to scanning ports based on specific protocols, introducing a nuanced approach to your exploration. Imagine this scenario: a craving for a meticulous examination of both UDP and TCP ports. Enter the command nmap -sU -sT -p U:53,T:25 <target>. Here, nmap by default tends to focus solely on TCP ports; to broaden your scope and encompass both TCP and UDP ports, additional scan types like -sU and -sT need to be activated, a topic we'll delve into in an upcoming section. This command orchestrates a symphony of exploration, executing a UDP scan on port 53 and a TCP scan on port 25. It's a masterful blend of precision and protocol-specific scrutiny, unraveling the mysteries concealed within each port and protocol combination. In the expansive realm of port scanning, the -p option remains a steadfast guide.

Traversing the intricate landscape of port scanning, the --top-ports option in nmap becomes a crucial tool, allowing you to define the number of top-ranked ports for a meticulous exploration: nmap --top-ports <number of top ports that you want to scan> <target>. By default, nmap sets its sights on the vast sea of the 1,000 most commonly used ports, a number curtailed to a nimble 100 with the -F option. However, with the --top-ports option you take the helm, determining the specific quantity of top-ranked ports to scrutinize: nmap --top-ports 10 <target>. In this command, observe the --top-ports option in action, guiding nmap to inspect the top 10 ports. Yet the true strength lies in your hands: any number can be specified.

Embarking on a methodical exploration of port scanning, the -r option in nmap unveils the capability to perform a sequential port scan on the designated target; for instance nmap -r <target>. nmap's default scanning algorithm orchestrates a random order for port scans, a strategic maneuver to evade firewalls and intrusion prevention systems. However, the -r parameter serves as a directive overriding this randomness and guiding nmap to systematically seek open ports in numerical order. To enhance your understanding, consider combining the -v option with -r: nmap -v -r <target>. This combination provides a real-time display of the sequential port discovery, unraveling the exploration process as it unfolds.

All right guys, those were basic scanning techniques, and with no options they are not good scanning techniques, but I just wanted to show you some basics for starting to scan. The default discovery options aren't useful when scanning secured systems and can hinder scanning progress. Now let's delve into some foundational scanning techniques with a touch of advanced exploration. Let's take a detour from the default. Ordinarily, before nmap delves into scanning a system's open ports, it initiates a quick ping to check if the target is online; this smart move helps expedite the scanning process by skipping non-responsive targets. Now, if you want to skip the default discovery check and go for a comprehensive port scan, you can use nmap -Pn <target>. The -Pn option tells nmap to forgo the default discovery step, which is particularly handy when dealing with hosts protected by firewalls that block ping probes.

Sometimes you just want to say hello with a ping. The -sP option in nmap lets you do just that: nmap -sP <target>. This option is handy when you're on a reconnaissance mission seeking a quick overview of the online hosts in your network, without delving into the intricacies of port scanning; for instance nmap -sP 10.0.2.0/24. In this example nmap pings all 254 addresses in the 10.0.2 subnet, presenting results for live hosts. When running nmap with root privileges on a local network, the -sP option kicks it up a notch, performing an ARP ping and returning the MAC addresses of the discovered systems.

Performing a TCP SYN ping can be a handy alternative, especially when standard ICMP pings are blocked. Here's how to use the -PS option in nmap: nmap -PS <target>. The -PS option initiates a TCP SYN ping by sending a SYN packet to the target system and then listens for a response on the specified ports, if you specified ports. This approach is particularly effective for systems configured to block standard ICMP pings. By default, if no specific ports are provided, the ping is sent to port 80. This method provides a reliable way to discover live hosts and assess network connectivity without relying on ICMP.

Engaging in network discovery with nmap, the -PA option lets you perform a TCP ACK ping on a specified target. Here's how to use it: nmap -PA <target>. When employed, the -PA option prompts nmap to dispatch TCP ACK packets to the specified hosts. This method is designed to discover hosts by responding to TCP connections that don't actually exist, aiming to elicit a response from the target. It proves particularly valuable in scenarios where standard ICMP pings are blocked, offering an alternative means of network exploration.

For a different approach to network discovery, the -PU option in nmap allows you to perform a UDP ping on a target system. Here's how to use it: nmap -PU<ports that you want> <target>. When invoked, the -PU option directs nmap to dispatch UDP packets to the specified hosts, aiming to elicit a response. While many firewalled systems are configured to block this type of connection, some poorly configured systems might allow it, especially if they are set up to filter TCP connections exclusively. By default, if no specific ports are provided, the UDP ping is sent to port 40125. This method serves as an alternative means of network exploration, particularly useful in situations where TCP connections are filtered or blocked.

Exploring network connectivity with nmap, the -PY parameter empowers you to execute an SCTP INIT ping on a specified target. Here's how to utilize it: nmap -PY<ports that you want> <target>. When employing the -PY option, nmap endeavors to discover hosts using the Stream Control Transmission Protocol; SCTP is commonly employed on systems for IP-based telephony. By default, if no specific ports are provided, the SCTP INIT ping is sent to port 80. This method offers a unique approach to network exploration, particularly relevant in contexts where SCTP is used, such as in IP-based telephony systems.

For a classic approach to network discovery, the -PE option in nmap enables you to execute an ICMP (Internet Control Message Protocol) echo ping on a specified system.
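Tying the discovery probes described above to what nmap actually prints, here is an added example, not code from the video or from the nmap project: a small Python parser for nmap's normal output produced with --reason. It recovers which probe proved each host up (arp-response for -PR, echo-reply for -PE, syn-ack or reset for -PS/-PA, and so on), keeps the MAC address an ARP ping returns, and splits the port lines across the six port states so the open ones can be listed the way --open would. The scan output embedded in it is constructed sample text; the reason strings are the ones nmap uses.

```python
import re
from collections import Counter

# Constructed sample in the layout `nmap --reason -sS -sU -p T:22,25,80,U:53,161`
# prints (not a real scan): two hosts, found up by two different discovery probes.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.2.5
Host is up, received arp-response (0.00041s latency).

PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack ttl 64
25/tcp  closed smtp    reset ttl 64
80/tcp  open   http    syn-ack ttl 64
53/udp  open   domain  udp-response ttl 64
161/udp closed snmp    port-unreach ttl 64
MAC Address: 08:00:27:AB:CD:EF (Oracle VirtualBox virtual NIC)

Nmap scan report for lab-gw.example (10.0.2.15)
Host is up, received echo-reply ttl 128 (0.0012s latency).

PORT    STATE         SERVICE REASON
22/tcp  filtered      ssh     admin-prohibited from 10.0.2.1 ttl 64
25/tcp  filtered      smtp    no-response
80/tcp  open          http    syn-ack ttl 128
53/udp  open|filtered domain  no-response
161/udp open|filtered snmp    no-response

Nmap done: 256 IP addresses (2 hosts up) scanned in 4.21 seconds
"""

# The six port states nmap reports.
PORT_STATES = ("open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered")

# nmap --reason strings for host discovery, mapped to the probe they answer.
DISCOVERY_PROBE = {
    "arp-response": "ARP ping (-PR): only possible on the local subnet",
    "echo-reply": "ICMP echo ping (-PE)",
    "timestamp-reply": "ICMP timestamp ping (-PP)",
    "addressmask-reply": "ICMP address mask ping (-PM)",
    "syn-ack": "TCP SYN ping (-PS) answered by an open port",
    "reset": "TCP RST: a -PS probe to a closed port, or a -PA probe",
    "udp-response": "UDP ping (-PU) answered by a listening service",
    "port-unreach": "UDP ping (-PU) answered by ICMP port unreachable",
    "init-ack": "SCTP INIT ping (-PY)",
    "user-set": "no probe: host assumed up because of -Pn",
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
UP_RE = re.compile(r"^Host is up(?:, received (\S+))?")
MAC_RE = re.compile(r"^MAC Address: (\S+)")
# Longest state names first so "open|filtered" is not cut short to "open".
_STATE_ALT = "|".join(re.escape(s) for s in sorted(PORT_STATES, key=len, reverse=True))
PORT_RE = re.compile(rf"^(\d+)/(tcp|udp|sctp)\s+({_STATE_ALT})\s+(\S+)\s*(.*)$")


def parse_nmap_output(text):
    """Return {address: {"name", "up_reason", "mac", "ports"}} for every host reported up.

    ports is a list of (port, proto, state, service, reason) tuples; up_reason
    and port reasons are None when nmap was run without --reason.
    """
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := HOST_RE.match(line):
            name, addr = m.group(1), m.group(2) or m.group(1)
            current = hosts[addr] = {"name": name, "up_reason": None,
                                     "mac": None, "ports": []}
        elif current is None:
            continue  # banner lines before the first host
        elif m := UP_RE.match(line):
            current["up_reason"] = m.group(1)
        elif m := MAC_RE.match(line):
            current["mac"] = m.group(1)  # only present after an ARP-discovered host
        elif m := PORT_RE.match(line):
            port, proto, state, service, reason = m.groups()
            current["ports"].append((int(port), proto, state, service, reason or None))
    return hosts


def state_counts(hosts):
    """Ports per state across all hosts, over the six states listed above."""
    return Counter(state for h in hosts.values() for _, _, state, _, _ in h["ports"])


def open_ports(hosts):
    """What --open would leave: only ports whose state is exactly 'open'."""
    return {addr: [(p, proto, svc) for p, proto, st, svc, _ in h["ports"] if st == "open"]
            for addr, h in hosts.items()}


def discovery_summary(hosts):
    """Per host, which discovery probe (the -P* options above) drew the reply."""
    out = {}
    for addr, h in hosts.items():
        reason = h["up_reason"]
        if reason is None:
            out[addr] = "not recorded (run nmap with --reason)"
        else:
            out[addr] = DISCOVERY_PROBE.get(reason, f"other reply: {reason}")
    return out


if __name__ == "__main__":
    hosts = parse_nmap_output(SAMPLE_OUTPUT)
    for addr, h in hosts.items():
        mac = f", MAC {h['mac']}" if h["mac"] else ""
        print(f"{addr} ({h['name']}): up via {discovery_summary(hosts)[addr]}{mac}")
        for port, proto, state, service, reason in h["ports"]:
            print(f"  {port}/{proto:<4} {state:<14} {service:<7} reason={reason}")
    print("state totals:", dict(state_counts(hosts)))
    print("open only (like --open):", open_ports(hosts))
```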
here's how to use it inap capital P capital E then your target when you employ the PE option nmap sends a standard icmp ping to the Target to check if it replies this type of Discovery is particularly effective on local networks where icmp packets can be transmitted with few restrictions however it's essential to note that many internet hosts are configured not to respond to icmp packets for security reasons it's worth mentioning that the PE option is automatically implied if no other ping options are specified this ensures a straightforward icmp Echo ping when no other ping methods are explicitly chosen in the realm of network exploration the pp option in nmap allows you to conduct an icmp timestamp Ping On a specified Target here's how to utilize it nmap capital double P then your target when you invoke the pp option nmap engages in an icmp timestamp ping while many firewall systems are set up to block icmp Echo requests some improp properly configured systems might still respond to icmp timestamp requests this unique approach with PP proves valuable for attempting to solicit responses from targets behind firewalls however it's crucial to exercise caution and respect security policies when using such probing [Music] techniques delving into icmp exploration the PM option in nmap enables an icmp address mask Ping On a specified Target here's how to use it nmap capital P capital N your target this atypical icmp query akin to the pp option Endeavors to Ping the specified host using alternative icmp registers the uniqueness of this type of ping lies in its ability to occasionally bypass firewalls configured to block standard Echo requests in the realm of n work probing the PO option in nmap allows you to execute an IP protocol Ping On a specified Target here's how to utilize it nmap capital P capital O protocols that you want then your target when you use the PO option nmap dispatches packets with the specified protocols to the Target if no Protocols are explicitly 
specified the default protocols 1 icmp 2 igmp and for IP and IP are utilized this approach provides a versatile means of probing a Target system using different IP protocols offering flexibility in network exploration engaging in local network discovery the pr option in nmap empowers you to execute an ARP or address resolution protocol Ping On a specified Target here's how to utilize it nmap capital p capital r your [Music] target the pr option is automatically implied when scanning the local network this discovery method based on a RP is notably faster than other ping methods and offers increased accuracy because Lan hosts can't block ARP requests even if they are situated behind a firewall it's important to note that ARP scans are restricted to targets within your local subnet this method excels in local network scenar iios providing a Swift and accurate means of identifying live hosts embarking on a journey of network exploration the trace route parameter in nmap allows you to trace the network path to a specified host here's how to utilize it nmap trace route your target executing this command provides information similar to the trace route or Trace path commands found on Unix and Linux systems however nmap's tracing functionality surpasses these commands offering additional benefits in terms of accuracy and features trace route with nmap proves to be a powerful tool for understanding the route that Network packets take to reach a destination aiding in network Diagnostics and optimization efforts venturing into the realm of reconnaissance the r parameter in nmap empowers you to Force reverse DNS resolution on a specified Target IP address here's how to use it mmap capital r your Target by default mmat performs reverse Dems resolution only for hosts that appear to be online the r option proves beneficial when conducting reconnaissance on a block of IP addresses as it prompts nmap to attempt resolving the reverse DNS information for every IP address this can 
unveil interest details about the target IP address even if it is offline or blocking n Maps probes however it's important to note that the r option can significantly impact the performance of a scan so it should be used judiciously based on the specific requirements of your reconnaissance [Music] efforts in the Quest for faster scan results the nend parameter in nmap allows you to disable reverse DNS lookups here's how to use it n map and your target enabling the N option proves to be a strategic Choice especially when scanning a large number of hosts as reverse DNS resolution can significantly slow down the process by opting for n you prioritize scan speed over obtaining DNS information for the Target system this option is particularly useful in scenarios where you don't require detailed DNS information and prefer Swift scan results it's a practical choice for efficiency when the focus is primarily on the IP level details of the [Music] targets exploring alternative DNS lookup methods the system DNS option in nmap directs the tool to utilize the host systems DNS resolver rather than its internal method here's how to use it nmap system DNS your target while this option is seldom used due to its slower performance compared to the default method it can be valuable in scenarios where troubleshooting DNS problems with nmap is necessary it provides an alternative approach to dn's resolution leveraging the host systems DNS resolver it's important to note that the system resolver is automatically employed for IPv6 scans as nmap has not fully implemented its own internal IPv6 resolver at the time of this information update in the pursuit of customizing DNS server usage the DN serers option in nmap allows you to manually specify DNS servers to be queried during scanning here's how to use it nmap DNS servers server 1 server 2 Etc then your Target by default naap utilizes the DNS servers configured on your local system for name resolution however the DNS server option 
empowers you to specify one or more alternative servers for nmap to query this proves useful in situations where DNS is not configured on the system or if you wish to avoid having your scan lookups recorded in the log files of your locally configured DNS server this option provides flexibility in tailoring the DNS resolution process according to your specific requirements during scanning now let's dive in advanced scanning with nmap in this exploration we're not just sticking to the basics nmap opens up a plethora of possibilities with its user selectable scan types allowing you to tailor your scans to the unique challenges posed by each Target system by default nmap gracefully executes a basic TCP scan on every Target but the real adventure begins when we venture into more complex territories picture this you need to unveil those elusive uncommon services or gracefully maneuver around a firewall this is where the advanced scan type come to the rescue throughout this journey we'll unravel the intricacies of these Advanced scans empowering you with the knowledge to navigate the diverse Landscapes of network discovery TCP or UDP we've got you covered it's like having a versatile toolkit at your disposal each scan type A Unique tool designed for specific challenges diving into the world of TCP sin scans with n map the SS option is your key to performing a TCP sin scan n and here's how you wield it nmap S capital S your target now let's break it down the TCP sin scan set as the default for privileged users those running as rude on Unix Linux or administrator on Windows is a strategic exploration tactic this scan Endeavors to pinpoint the 1,000 most commonly used TCP ports by delicately sending a sin packet to the Target and keenly listening for a response what makes it stealthy you ask well this scan doesn't boldly attempt to establish a full-fledged connection with the remote host it operates in the shadows preventing many systems from logging a connection attempt 
from your scan, a truly ninja move in the world of network reconnaissance. But here's the reality check: stealth isn't a guarantee. Modern packet capture programs and advanced firewalls have evolved to detect the subtle footprints of TCP SYN scans.

Let's delve into the realm of TCP connect scans with nmap. The -sT option is your gateway to performing a TCP connect scan, and here's how you wield it:

nmap -sT <target>

Now let's unravel the magic. The TCP connect scan, executed by default for non-privileged users and also used for IPv6 targets, is a straightforward probe: it boldly attempts to establish a direct connection with the remote system, bypassing the stealthiness associated with other scan types. Here's a pro tip: while the TCP connect scan is effective, it's generally advisable to execute nmap with root privileges whenever possible. Why? Because with root privileges nmap opts for a TCP SYN scan (-sS), providing a more accurate listing of port states and significantly boosting scan speed.

Embark on the journey of UDP exploration with nmap. The -sU option is your gateway to performing a UDP (User Datagram Protocol) scan, and here's how you command it:

nmap -sU <target>

Now let's uncover the magic. This command gracefully unveils the results of a UDP scan. While TCP takes the limelight as the most commonly used protocol, numerous network services like DNS, DHCP and SNMP rely on the agility of UDP. When you're on a network audit mission, it's a savvy move to check for both TCP and UDP services, ensuring you paint a comprehensive picture of the target host or network. UDP scans add a layer of depth to your exploration, capturing those services that might be operating in the subtle realms of the User Datagram Protocol.

Venture into the realm of TCP null scans with nmap. The -sN option is your ticket to performing a TCP null scan, and here's how you orchestrate it:

nmap -sN <target>

Now let's unravel the intrigue. A TCP null scan, in its enigmatic glory, prompts nmap to dispatch packets with no TCP flags enabled; it's like sending a message with a blank slate, setting the flag field of the packet header to zero. Why, you ask? Well, this method is a crafty way to coax a response from a firewalled system. By sending null packets to the target you're essentially playing a subtle game of trickery, seeking a response from systems that might otherwise remain guarded. It's a dance in the shadows of network reconnaissance, where not all systems choose to unveil their secrets in the face of such probing. As you embark on this TCP null scan adventure, remember that the art lies in the unexpected responses, the hidden revelations that may surface in the wake of this nuanced exploration.

Dive into the world of TCP FIN scans with nmap. The -sF option is your key to performing a TCP FIN scan, and here's how you command it:

nmap -sF <target>

Now let's unravel the intrigue. In a TCP FIN scan nmap sets the TCP FIN bit active when dispatching packets, all in a cunning move to elicit a TCP ACK from the target system in question. It's a subtle dance where the absence of a flag becomes a signal seeking acknowledgement from the targeted system. Why employ such finesse? Well, it's yet another method in the arsenal of sending unexpected packets, a strategy aimed at unraveling information from systems shielded by firewalls. It's like tapping on the door with a nuanced rhythm, inviting responses that may reveal more than meets the eye. As with any covert exploration, not all systems will readily unveil their secrets in the face of such probing. The TCP FIN scan adds an air of sophistication to your reconnaissance toolkit.

Get into the festive spirit of network scanning with the Xmas scan using nmap; just remember to use the -sX flag in your command:

nmap -sX <target>

Now let's break it down. In the Xmas scan nmap sends packets with the URG, FIN and PSH flags activated, like lighting up a packet in the style of a Christmas tree. This unique combination of flags is designed to see if it can get a response from systems protected by firewalls. Imagine it as a playful holiday dance of flags, trying to get attention from the systems in a creative way. However, not every system will respond to this festive probing.

Unveil the fortress walls: utilize the TCP ACK scan with the -sA option in nmap to decipher whether your target system is shielded by a firewall:

nmap -sA <target>

Here's the lowdown. With the TCP ACK scan nmap meticulously probes the target, on the lookout for RST responses. No response received? That signals the system is filtered. If the system retorts with an RST packet, it earns the unfiltered badge. Discovering that there's a lack of responses on certain ports (considered filtered) indicates the system is likely fortified by a firewall; the unfiltered ports may have their own special rules within the target's firewall architecture. Keep in mind that the -sA option doesn't spill the beans on whether the unfiltered ports are open or closed; it's on a singular mission to unveil the port filtering status of the system.

Unleash the power of customization with nmap's --scanflags option. This feature allows you to craft a custom TCP scan tailored to your needs. Here's how you can command it:

nmap --scanflags <flag(s)> <target>

Let's decode it. With the --scanflags option you can define your scan by choosing from the various TCP header flags; picture it like assembling your own set of flags for the scan. Any combination of the flags listed can be used with the --scanflags option, so embrace the freedom to customize and create a scan that suits your specific requirements.

Unravel the tapestry of supported IP protocols on your target system using the IP protocol scan with the -sO option in nmap:

nmap -sO <target>

Picture this: the IP protocol scan unveils the diverse protocols supported by the target system. ICMP, TCP and UDP commonly stand as the pillars of modern networks. Armed with
this knowledge you can strategically plan your subsequent scans based on the detected protocols. For a comprehensive list of IP protocols, consult the IANA website.

Unleash the power of raw Ethernet packets in your network exploration with the --send-eth option in nmap:

nmap --send-eth <target>

Imagine this: by activating --send-eth, nmap drops down to the data link layer, sidestepping the traditional IP layer on your system. This strategic move empowers you to send raw Ethernet packets, offering a solution to potential issues with your system's IP stack. Embrace the potential of --send-eth, a feature so potent that nmap automatically incorporates it where needed, sparing you from the need to frequently specify it as a command line argument. Elevate your scanning game by delving into the realm of raw Ethernet packets with nmap's --send-eth option.

Harness the flexibility of IP packets in your scanning endeavors with nmap's --send-ip option:

nmap --send-ip <target>

Here's the scoop: by activating --send-ip, nmap seamlessly integrates with your local system's IP stack, utilizing IP packets for scanning purposes. This choice provides an alternative approach compared to the use of raw Ethernet packets. Noteworthy is the fact that the --send-ip option is automatically invoked by nmap when required, sparing you the need to frequently specify it as a command line argument.

Now let's embark on a journey into the realm of operating system and service detection with nmap, where its prowess shines in uncovering the mysteries of remote systems. nmap boasts a remarkable feature that sets it apart: the ability to discern operating systems and services on target machines. This capability delves into the responses received during scans, aiming to pinpoint the host's operating system and the services it hosts. At the heart of this capability lies TCP/IP fingerprinting, a process that endeavors to identify the fingerprint left by a target's operating system and software versions. While not an exact science, nmap's developers have meticulously crafted this feature to be both accurate and reliable. As with many of nmap's powerful features, the art of version detection is at your command, offering precise control through an array of arguments explored in this section.

Embark on the quest of uncovering the elusive operating system running on remote targets with nmap's operating system detection capability. To unleash this feature, wield the -O parameter in your nmap command:

nmap -O <target>

Witness the magic as nmap endeavors to identify the operating system on the remote target. Operating system detection is a crafty process, analyzing responses from the target to unveil specific characteristics that hint at the OS type. For the sleuth to be effective, ensure there is at least one open and one closed port on the target system. When scanning multiple targets you can utilize the --osscan-limit option combined with -O, directing nmap to skip OS scanning for hosts that don't meet this criterion. For more in-depth exploration, couple the -v option with -O, revealing additional information that nmap uncovers about the remote system. In instances where nmap struggles to pinpoint the OS accurately, take charge and force a guess with the --osscan-guess option:

nmap -O --osscan-guess <target>

Behold a list of potential OS matches, each accompanied by a percentage indicating nmap's confidence in the proposed match. For those who prefer brevity, the --fuzzy option stands as a synonym, serving as a convenient shortcut for the --osscan-guess feature.

Delve into the heart of nmap's capabilities with the -sV parameter, unveiling the intricacies of service version detection:

nmap -sV <target>

Witness the magic as nmap endeavors to unravel the identity of the vendor and software version for each open port it encounters. The scan results unveil a tapestry of information, showcasing the software vendor and version numbers for services that nmap successfully identifies. For those yearning for deeper insights, the --version-trace option serves as a beacon of enlightenment; enable it to immerse yourself in verbose version scan activity:

nmap -sV --version-trace <target>

--version-trace acts as your guiding companion, shedding light on the intricate details of version scan activity. Whether you seek to debug problems or yearn for additional insights about the target system, this option stands ready to assist you on your nmap journey.

Let's explore the intricacies of nmap's timing options, a set of versatile tools that allow you to fine-tune the speed of your scans based on specific requirements. Whether you're navigating a high-speed local network with numerous hosts or carefully scanning slower networks or the vast expanse of the internet, these timing options provide the flexibility you need.

nmap's timing parameters are versatile and are expressed in milliseconds by default. Additionally, you have the flexibility to specify timing parameters in seconds, minutes or hours by appending a qualifier to the time argument. Here's an example showcasing the usage of timing parameters:

milliseconds (the default): nmap T4 <target>
seconds: nmap T4s <target>
minutes: nmap T4m <target>
hours: nmap T4h <target>

This flexibility in timing parameters empowers you to tailor nmap scans to your specific requirements, adapting to the varied landscapes of network reconnaissance with precision and control.

The -T parameter serves as a powerful tool to designate a timing template for your nmap scan:

nmap -T<0-5> <target>

Timing templates offer convenient shortcuts for adjusting the timing options during a scan, striking a balance between speed and stealth. You can choose from six templates, numbered 0 to 5, each tailored for specific purposes; the table shown provides an overview of each timing template. Empower your nmap scans with the flexibility of timing templates, allowing you to adapt your reconnaissance strategy to the specific
requirements of your scanning environment.

Fine-tune the parallelism of your nmap scans with the --min-parallelism and --max-parallelism options:

nmap --min-parallelism <number> <target>

The --min-parallelism option allows you to specify the minimum number of parallel port scan operations that nmap should execute simultaneously. nmap usually adjusts this value dynamically based on network conditions, but you can set a custom value if needed. For instance, --min-parallelism 100 ensures that at least 100 parallel operations are performed at any given time. While tweaking this parameter may enhance scan performance, setting it too high could lead to inaccurate results.

nmap --max-parallelism <number> <target>

Conversely, the --max-parallelism option lets you control the maximum number of parallel port scan operations executed by nmap simultaneously. For example, the command nmap --max-parallelism 1 <target> restricts nmap to performing only one operation at a time. Although this slows down the scan considerably, it minimizes the risk of overwhelming the target system with a flood of packets. Adjusting these parameters provides flexibility in adapting nmap scans to various network conditions and target sensitivities.

Refine your nmap scans with the --min-hostgroup and --max-hostgroup options to control the parallelism of host groups:

nmap --min-hostgroup <number> <targets>

The --min-hostgroup option allows you to set the minimum number of targets that nmap should scan in parallel. When scanning multiple targets, such as a range or an entire subnet, nmap organizes the scans into groups for efficiency. By default nmap dynamically adjusts these group sizes based on the scan type and network conditions; however, specifying the --min-hostgroup option ensures that nmap aims to keep the group sizes at the specified number.

nmap --max-hostgroup <number> <targets>

On the other hand, the --max-hostgroup option enables you to specify the maximum number of targets nmap should scan in parallel within a group. This option proves useful for controlling network load or avoiding detection by network security products. By setting an appropriate maximum host group size you can fine-tune your scans to align with specific network conditions and security considerations.

Fine-tune your nmap scans with the --initial-rtt-timeout and --max-rtt-timeout options to control round-trip time behavior:

nmap --initial-rtt-timeout <time> <target>

The --initial-rtt-timeout option governs the initial round-trip time (RTT) timeout value utilized by nmap. The default timing template (-T3) sets an initial RTT timeout of 1,000 milliseconds. Adjusting this value allows you to reduce packet retransmissions due to timeouts and potentially speed up scans; however, exercise caution when decreasing the value too much, as it may lead to inaccurate results.

nmap --max-rtt-timeout <time> <target>

On the other hand, the --max-rtt-timeout option lets you specify the maximum RTT timeout for a packet response. By default nmap dynamically adjusts RTT timeout options for optimal results, with a default maximum RTT timeout of 10 seconds. Manually setting the maximum RTT timeout lower can accelerate scan times, especially on fast and reliable networks; conversely, a higher maximum RTT timeout prevents nmap from prematurely giving up on slow or unreliable connections. Choose values judiciously, typically between 100 milliseconds for fast networks and 10,000 milliseconds for slower or less reliable connections.

Fine-tune your nmap scans with the --max-retries option, allowing you to control the maximum number of probe retransmissions:

nmap --max-retries <number> <target>

The --max-retries option empowers you to govern the maximum number of probe retransmissions that nmap will attempt. Typically nmap dynamically adjusts the number of probe retransmissions based on network conditions; however, this option offers manual control, useful for overriding default settings or troubleshooting connectivity issues. Adjusting the number of retries can impact scan duration and accuracy: setting a higher value increases the time it takes for a scan to complete but may yield more accurate results; conversely, lowering the max retries speeds up the scan but may risk incomplete results if nmap abandons probes too swiftly. Strike a balance based on your priorities and the specific conditions of your scanning environment.

Tailor your nmap scan to specific network conditions with the --ttl option, allowing you to set the time to live for the packets in milliseconds:

nmap --ttl <value> <target>

The --ttl option empowers you to define the TTL value in milliseconds for the packets sent during the scan. This becomes particularly valuable when scanning targets on slower connections, where conventional packets might expire before receiving a response. Fine-tune the TTL to optimize your scan's effectiveness, ensuring that it aligns with the characteristics of the network environment you are probing.

Streamline your nmap scans by utilizing the --host-timeout option, designed to manage slow or unresponsive hosts during the scanning process:

nmap --host-timeout <time> <target>

When scanning across networks with varying speeds, or encountering systems protected by rate-limiting firewalls, some hosts may take an extended period to respond. The --host-timeout option empowers you to set a specific time interval after which nmap will gracefully terminate the scan for that particular host if it fails to complete within the specified duration. This proves invaluable when conducting scans across wide area networks or internet connections, allowing you to maintain efficient scan operations. Notably, nmap's parallel operations enable it to continue scanning other hosts even if one is experiencing delays; this mitigates potential bottlenecks caused by slow or unresponsive hosts. If a host surpasses the timeout defined with the --host-timeout option, nmap will not display results for that host, regardless of any discovered open ports.

Fine-tune your nmap scans with precision using the --scan-delay option, allowing you to introduce deliberate pauses between probes:

nmap --scan-delay <time> <target>

Certain systems implement rate-limiting measures that can impact the effectiveness of nmap scans. nmap by default dynamically adjusts the scan delay on systems where rate limiting is detected; however, for scenarios where you have specific knowledge of rate limiting or the presence of intrusion detection systems, the --scan-delay option enables you to define a custom time interval between probes, ensuring optimal scanning performance. To set a maximum threshold for the time between probes, the --max-scan-delay option comes into play:

nmap --max-scan-delay <time> <target>

While the --max-scan-delay option can potentially accelerate your scan, it introduces a trade-off between speed and result accuracy, along with an increased load on the network. Carefully consider the balance based on your specific scanning requirements and network conditions.

Control the pace of your nmap scans with precision using the --min-rate and --max-rate options, allowing you to tailor the packet rate based on your specific needs:

nmap --min-rate <number> <target>

By default nmap dynamically adjusts the packet rate during a scan to adapt to network conditions; however, there are scenarios where you might want to enforce your own minimum packet rate, although this is generally not recommended. For instance, --min-rate 30 instructs nmap to send a minimum of 30 packets per second, but the actual rate may be faster depending on network conditions. Caution should be exercised when setting --min-rate too high, as it may compromise the accuracy of the scan. To cap the packet rate, the --max-rate option comes into play:

nmap --max-rate <number> <target>

In this command, specifying --max-rate 30 ensures that nmap does not send more than 30 packets per second. This deliberate throttling can significantly slow down the scan, a tactic useful for avoiding intrusion detection systems or targets implementing rate limiting. For an exceptionally discreet scan, consider using --max-rate 0.1, instructing nmap to send one packet every 10 seconds. This method adds an extra layer of subtlety to your scanning strategy.

Overcome obstacles posed by targets employing rate limits on RST (reset) packets using the --defeat-rst-ratelimit option in nmap:

nmap --defeat-rst-ratelimit <target>

Targets that implement rate limiting on RST packets can slow down your scans. The --defeat-rst-ratelimit option is designed to counter this restriction, potentially accelerating your scans; however, it's crucial to note that using this option may result in less accurate results, and it is therefore employed sparingly in practice. nmap is adept at detecting hosts implementing rate limiting on its own, often making the --defeat-rst-ratelimit option unnecessary. As a result it sees infrequent use, as nmap typically adjusts itself automatically to navigate such network constraints.

Navigating firewalls with nmap. Firewalls and intrusion prevention systems are formidable barriers against tools like nmap, striving to thwart accurate reconnaissance of protected systems. To counter these defenses nmap incorporates several evasion techniques; this section delves into the various evasion strategies embedded in nmap.

To customize the maximum transmission unit (MTU) and potentially confuse firewalls, you can utilize the --mtu option in nmap:

nmap --mtu <number> <target>

Similar to the -f option, --mtu allows you to set your own MTU for scanning. For instance, --mtu 16 instructs nmap to use tiny 16-byte packets during the scan. It's important to note that the MTU value must be a multiple of eight (8, 16, 24, 32, etc.) for effective transmission of fragmented packets. Some host operating systems may require combining --send-eth with --mtu.

The -D option
in nmap provides a means to enhance your anonymity during scanning by incorporating one or more decoy addresses:

nmap -D <decoy1>,<decoy2>,... <target>
or
nmap -D RND:<number> <target>

In a decoy scan nmap sends spoofed packets from the specified decoy addresses, making it appear as if multiple systems are scanning the target concurrently. This helps the true source of the scan blend into a multitude, making it more challenging to trace. In the example, nmap -D RND:5 directs nmap to generate five random decoys; alternatively, you can manually specify decoy addresses like this: nmap -D <decoy1>,<decoy2>,<decoy3>,... <target>. It's essential to note that excessive use of decoys can lead to network congestion and diminish the effectiveness of the scan. Some internet service providers may also filter spoofed traffic, reducing the overall effectiveness of decoys in concealing your scanning activity.

The -sI option in nmap introduces an intriguing technique known as the idle (zombie) scan:

nmap -sI <zombie host> <target>

This unique scanning method leverages an idle system, turning it into a "zombie" to conduct scans on a target system; in the example, 1022 acts as the zombie. The scan capitalizes on the predictable IP ID sequence generation found in some systems. For a successful idle scan the zombie system must genuinely be idle during the scanning process. Notably, no probe packets are sent directly from your system to the target; however, an initial ping packet is dispatched to the target unless you combine -Pn with -sI to skip the initial ping. This intricate method exploits system behavior to discreetly gather information without direct interaction. For additional details and in-depth information regarding the idle zombie scan technique, you can explore the dedicated Idle Scan page on the nmap website. This resource provides comprehensive insights, explanations and guidance on implementing the idle zombie scan effectively; delve into the details to enhance your understanding of this unique scanning approach and its applications.

To manually specify the source port number of a probe in nmap, you can use the --source-port option. This option allows you to set a specific port number as the source for all packets in the scan. By default nmap randomly selects an available outgoing source port; however, using --source-port enables you to exploit potential weaknesses in firewalls that improperly accept incoming traffic based on a specific port number. Commonly susceptible ports include 20 (FTP), 53 (DNS) and 67 (DHCP). Here's an example of using the --source-port option:

nmap --source-port <port> <target>

Additionally, the -g option is a synonym for --source-port, providing a convenient shortcut for the same functionality.

To append random data to probe packets in nmap, you can use the --data-length option. This option adds a specified amount of additional data to the probes, helping to circumvent firewall checks that may be looking for predictable packet sizes. Here's an example of using the --data-length option:

nmap --data-length <number> <target>

Replace <number> with the desired amount of additional data to be appended and <target> with the target system or network. With --data-length 25, for instance, 25 additional bytes are added to all packets sent to the target; adjust the value based on your specific needs.

To randomize the scanning order of specified targets in nmap, you can use the --randomize-hosts option. This helps prevent scans from being easily detected by firewalls and intrusion detection systems, as the targets are scanned in a random order rather than sequentially. Here's an example of using the --randomize-hosts option:

nmap --randomize-hosts <targets>

By randomizing the scan order you add an additional layer of evasion to your scanning activities; adjust the command based on your specific requirements and targets.

To spoof the MAC (Media Access Control) address of an Ethernet device in nmap, you can use the --spoof-mac option. This can help make your scanning activity more difficult to trace by preventing your actual MAC address from being logged on the target system. Here's an example of using the --spoof-mac option:

nmap --spoof-mac <vendor|MAC|0> <target>

Replace <vendor|MAC|0> with one of the following parameters: 0 generates a random MAC address; a specific MAC address uses the specified MAC address; a vendor name generates a MAC address from the specified vendor, such as Apple, Dell, 3Com, etc. For example:

nmap --spoof-mac 0 <target>

This command instructs nmap to generate a random MAC address for the scanning activity; adjust the command based on your specific requirements and targets.

The --badsum option in nmap is used to send packets with incorrect checksums to the specified host. This can be utilized as a technique to potentially elicit a response from a poorly configured system, or as part of network security audits. Here's an example command using the --badsum option:

nmap --badsum <target>

In this example nmap will send packets with incorrect checksums to the specified target. However, keep in mind that well-configured systems typically won't respond to packets with bad checksums; this option is mainly used for specific situations where you are auditing network security or testing against certain configurations.

nmap Scripting Engine. The nmap Scripting Engine (NSE) is a powerful tool that allows users to develop custom scripts which can be used to harness nmap's advanced scanning functions. In addition to the ability to write your own custom scripts, there are also a number of standard built-in scripts that offer some interesting features, such as vulnerability detection and exploitation. To work some magic with NSE scripts, just use the --script option; it's like casting a spell to reveal hidden secrets:

nmap --script <script you want to run> <target>

For instance, say you want to get information from WHOIS records. Retrieving WHOIS records can provide valuable information, including the registrar,
organization name, creation and expiration dates, geographical location and abuse contact details. nmap facilitates batch processing of WHOIS records for IP addresses or domain names. The following command demonstrates how to use nmap for this purpose:

nmap -sn --script whois-* <target>

Let's break down the command: -sn will skip the port scanning phase, and --script whois-* will execute the NSE scripts matching the file name pattern whois-*. Two scripts match this pattern: whois-ip queries the regional internet WHOIS databases, and whois-domain obtains referral records until the requested information is found. Executing this command will provide WHOIS information for the specified target; it's a convenient way to gather comprehensive details about IP addresses or domains in a batch fashion.

Let me give you another example: obtaining traceroute geolocation information. To obtain traceroute geolocation information using nmap, you can utilize the traceroute-geolocation NSE script. The following command demonstrates how to achieve this:

nmap --traceroute --script traceroute-geolocation <target>

Let's break down the command: --traceroute will initiate a traceroute to the specified target, and --script traceroute-geolocation will execute the traceroute-geolocation NSE script. The script will display geolocation coordinates for each hop in the traceroute results. It relies on an external service from www.geoplugin.com, doesn't require an API key and has no query limitations. Additionally, you can save the results in KML format for later visualization on Google Maps or Google Earth.

You might want to explore the nmap Scripting Engine scripts available on the nmap website for additional functionalities. It's a great resource to enhance your understanding and usage of nmap: uncover a rich tapestry of possibilities that will not only broaden your understanding but also elevate your proficiency with nmap to new heights. This resource offers a diverse range of scripts, each serving as a gateway to enhanced functionality and a deeper exploration of the capabilities that nmap has to offer. Whether you're a seasoned user or just starting, this repository is a treasure trove waiting to be explored.

Output options in nmap. Ah, behold the myriad ways to record the echoes of your digital expeditions. nmap, the oracle of networks, offers you several enchanted scrolls to transcribe your scan revelations; let's explore these mystical output options. When nmap unveils its findings, the default display graces your screen with the essence of discovered ports, hosts and their secrets. To inscribe your findings for eternity, you can harness the power of output files: use -oN to save as text, -oX to save as XML, -oG to save as a grepable file, or the -oA parameter, which saves the output of a scan in text, grepable and XML formats at once.

In the grand theater of network exploration, witness the mesmerizing display of scan statistics with the illustrious --stats-every option. Let the dance of information unfold before your eyes:

nmap --stats-every 2s <target>

As you embark on the journey through the network realms, the mystical --stats-every option commands nmap to unveil the status of the ongoing scan at regular intervals. In this incantation, every 2 seconds the veil is lifted, revealing the secrets uncovered so far. Feel not the ennui of a stagnant screen during lengthy scans, for the periodic spectacle shall captivate your attention. The timing parameters are at your beck and call: seconds, minutes or hours, anointed with the symbols s, m or h.

Absolutely, you've done a fantastic job sticking with this video through the intricacies of nmap and its various scanning techniques. Now, with Zenmap stepping onto the stage, it's like having a magic wand to orchestrate these powerful scans effortlessly. Zenmap, with its user-friendly interface, turns complex nmap commands into a visual feast; just a few clicks and you're weaving spells with your scans. Whether you're on Windows, Mac OS X or the land of Unix/Linux, Zenmap is there to make your scanning journey smoother than ever.

Thanks for sticking with this video. I hope you found something valuable in the content. If there's anything more you'd like to explore, or if you have any questions, don't hesitate to let me know. Happy scanning and stay curious! If you're interested in learning how to install Kali Linux, I recommend checking out the instructional video available; it provides a step-by-step guide for a comprehensive understanding of the installation process.
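The flag arithmetic behind --scanflags and the reply-to-port-state rules nmap applies for the SYN, connect, UDP, null/FIN/Xmas and ACK scans covered in the advanced scanning section above, as an added Python example that is not part of the original video or of the nmap project. The flag bit values and port-state rules follow RFC 793 and the nmap reference guide; the function names and the reply scenarios at the bottom are this example's own, constructed inputs.

```python
"""Added example, not part of the original tutorial or of nmap itself: the
TCP flag arithmetic behind --scanflags and the reply-to-port-state rules the
nmap reference guide gives for -sS/-sT, -sU, -sN/-sF/-sX and -sA. All reply
scenarios below are constructed; nothing here touches the network."""
from __future__ import annotations

# TCP header flag bits (RFC 793; ECE/CWR from RFC 3168). --scanflags takes
# either a number built from these bits or the names mashed together.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Flags each TCP scan type sets in its probe ("" = null scan, all bits clear).
PROBE_FLAGS = {"-sS": "SYN", "-sN": "", "-sF": "FIN",
               "-sX": "FINPSHURG", "-sA": "ACK"}

# ICMP type 3 codes nmap reports as "filtered": net, host and port
# unreachable, net/host/communication administratively prohibited.
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def encode_scanflags(spec: str) -> int:
    """Turn a --scanflags argument ("41" or "URGPSHFIN") into the flags byte."""
    spec = spec.strip().upper()
    if spec.isdigit():
        value = int(spec)
        if not 0 <= value <= 0xFF:
            raise ValueError(f"flags value out of range: {value}")
        return value
    value = 0
    while spec:  # peel one flag name off the front at a time
        for name, bit in TCP_FLAGS.items():
            if spec.startswith(name):
                value |= bit
                spec = spec[len(name):]
                break
        else:
            raise ValueError(f"unknown TCP flag near {spec[:3]!r}")
    return value


def decode_flags(value: int) -> list[str]:
    """Inverse of encode_scanflags: names of the flags set in a flags byte."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def probe_flag_byte(scan: str) -> int:
    """Flags byte a TCP scan type puts on the wire (0x29 for -sX, 0 for -sN)."""
    return encode_scanflags(PROBE_FLAGS[scan])


def port_state(scan: str, reply: str | None, icmp_code: int | None = None) -> str:
    """Classify one probed port the way nmap does for the given scan type.

    reply: "SYNACK", "RST", "UDP" (any UDP payload came back), "ICMP"
    (destination unreachable carrying icmp_code) or None (silence after retries).
    """
    if reply == "ICMP":
        if icmp_code not in ICMP_FILTERED_CODES:
            raise ValueError(f"ICMP code {icmp_code!r} says nothing about port state")
        # Only a UDP probe answered by "port unreachable" proves the port closed.
        return "closed" if scan == "-sU" and icmp_code == 3 else "filtered"
    if scan in ("-sS", "-sT"):
        table = {"SYNACK": "open", "RST": "closed", None: "filtered"}
    elif scan in ("-sN", "-sF", "-sX"):
        # RFC 793: closed ports answer RST, open ports stay silent, so silence
        # is ambiguous. Stacks that RST every odd probe (Windows, many Cisco
        # devices) make these scans report every port closed.
        table = {"RST": "closed", None: "open|filtered"}
    elif scan == "-sA":
        # ACK probes only tell whether a stateless filter lets packets through.
        table = {"RST": "unfiltered", None: "filtered"}
    elif scan == "-sU":
        table = {"UDP": "open", None: "open|filtered"}
    else:
        raise ValueError(f"unsupported scan type {scan!r}")
    if reply not in table:
        raise ValueError(f"unexpected reply {reply!r} for {scan}")
    return table[reply]


if __name__ == "__main__":
    print("--scanflags URGPSHFIN ->", encode_scanflags("URGPSHFIN"),
          decode_flags(encode_scanflags("URGPSHFIN")))
    for scan in PROBE_FLAGS:
        print(f"{scan} probe flags: {decode_flags(probe_flag_byte(scan)) or ['none']}")
    # Constructed reply scenarios, read back the way nmap would report them.
    scenarios = [("-sS", "SYNACK", None), ("-sS", None, None), ("-sX", None, None),
                 ("-sX", "RST", None), ("-sA", "RST", None),
                 ("-sU", "ICMP", 3), ("-sU", "ICMP", 13)]
    for scan, reply, code in scenarios:
        print(f"{scan} reply={reply!s:7} -> {port_state(scan, reply, code)}")
```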
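A parser for the grepable (-oG) output format named in the output-options section above, as an added Python example that is not from the original video or the nmap project, so a saved scan can be triaged without re-running it. The sample file is constructed with RFC 5737 documentation addresses, and the Host/Port dataclasses and helper names are this example's own.

```python
"""Added example, not part of the original tutorial or of nmap itself: a
parser for nmap's grepable (-oG) output. SAMPLE_GNMAP is a constructed file
using RFC 5737 documentation addresses; the layout (tab-separated Host /
Status / Ports / Ignored State cells, seven slash-separated fields per port)
is the -oG format described in the nmap man page."""
from __future__ import annotations
from dataclasses import dataclass, field

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (999)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:09 2024 -- 8 IP addresses (2 hosts up) scanned in 9.12 seconds
"""


@dataclass
class Port:
    number: int
    state: str       # open, closed, filtered, unfiltered, open|filtered, ...
    protocol: str    # tcp or udp
    service: str     # name guessed from the port number or confirmed by -sV
    version: str     # product/version string from -sV, empty if none


@dataclass
class Host:
    address: str
    hostname: str                 # reverse-DNS name, empty when nmap printed "()"
    status: str = "unknown"
    ports: list[Port] = field(default_factory=list)
    ignored_state: str = ""       # e.g. "closed (997)": ports not listed one by one


def _split_host(value: str) -> tuple[str, str]:
    """'192.0.2.10 (web.example)' -> ('192.0.2.10', 'web.example')."""
    addr, _, rest = value.partition(" (")
    return addr.strip(), rest.rstrip(")").strip()


def _parse_ports(value: str) -> list[Port]:
    """Split a Ports cell into Port records (entries are comma-separated)."""
    ports = []
    for entry in value.split(", "):
        parts = entry.split("/")
        if len(parts) < 7:
            raise ValueError(f"malformed port entry: {entry!r}")
        number, state, proto, _owner, service, _rpc, version = parts[:7]
        ports.append(Port(int(number), state, proto, service, version))
    return ports


def parse_gnmap(text: str) -> dict[str, Host]:
    """Parse -oG output into {address: Host}, merging the separate Status and
    Ports lines nmap writes for the same host."""
    hosts: dict[str, Host] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' lines hold the command line and timing, not results
        cells = dict(cell.partition(": ")[::2] for cell in line.split("\t"))
        addr, name = _split_host(cells["Host"])
        host = hosts.setdefault(addr, Host(addr, name))
        if "Status" in cells:
            host.status = cells["Status"]
        if "Ports" in cells:
            host.ports.extend(_parse_ports(cells["Ports"]))
        if "Ignored State" in cells:
            host.ignored_state = cells["Ignored State"]
    return hosts


def open_ports(hosts: dict[str, Host]) -> list[tuple[str, int, str, str]]:
    """Flatten to (address, port, service, version) for every port reported open."""
    return [(h.address, p.number, p.service, p.version)
            for h in hosts.values() for p in h.ports if p.state == "open"]


if __name__ == "__main__":
    result = parse_gnmap(SAMPLE_GNMAP)
    for h in result.values():
        print(f"{h.address:12} {h.hostname or '-':14} {h.status:5} ports listed: {len(h.ports)}")
    for addr, port, service, version in open_ports(result):
        print(f"  {addr}:{port} {service} {version}".rstrip())
```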