Nmap full scan. Scanning using the SYN method

nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

Description

Nmap ("Network Mapper") is an open-source utility for network exploration and security auditing. It was designed to scan large networks quickly, although it also works well against single hosts. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) they offer, which operating systems (and OS versions) they run, which types of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is typically used for security auditing, many system and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

The output of Nmap is a list of scanned targets with supplementary information about each, depending on the options used. The key information is the «interesting ports table». That table lists the port number, protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port, so Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they respond to Nmap's probes but Nmap cannot determine whether they are open or closed. Nmap reports the combinations open|filtered and closed|filtered when it cannot determine which of the two states describes a port. The table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further information about targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.

A typical Nmap scan is shown in Example 1. The only arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4 for faster execution; and then the two target hostnames.

Example 1. A representative Nmap scan

# nmap -A -T4 scanme..org)

Interesting ports on scanme.site (64.13.134.52):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 3.9p1 (protocol 1.99)
53/tcp   open   domain
70/tcp   closed gopher
80/tcp   open   http    Apache httpd 2.0.52 ((Fedora))
113/tcp  closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11

Interesting ports on playground..168.0.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1002/tcp open  windows-icfw?
1025/tcp open  msrpc        Microsoft Windows RPC
1720/tcp open  H.323/Q.931  CompTek AquaGateKeeper
5800/tcp open  vnc-http     RealVNC 4.0 (Resolution 400x250; VNC port: 5900)
5900/tcp open  vnc          VNC (protocol 3.8)
MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP

Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds


The newest version of Nmap can be downloaded from

A network administrator's duties include many things, and network auditing is one of the main ones. Auditing a small network is not difficult. But what if the network you administer is so large that walking through every device or host by hand, to find out whether it is up, which OS it runs and which ports are open, is simply not feasible? In that situation a program that has become practically the standard among open-source network auditing tools will help you a lot: Zenmap.

Zenmap is a graphical front end for the popular utility Nmap. Nmap is a console-based open-source tool for network security analysis and auditing. Although Nmap itself is a very powerful utility, when working on large networks many administrators have little desire to rely on console tools alone. As some of them say, “a picture is worth a thousand words”, and in the case of Zenmap they are certainly right, because with it you can get an interactive graphical map of your network.

Installation and launch

Installing Zenmap on most modern distributions is not difficult if you use the standard package manager and install it from the repositories. You can of course also build Zenmap yourself, although I personally don't see much point in that. And don't forget that Zenmap is a GUI for Nmap, which must therefore be present on the system (if you install through the package manager, it will tell you about it).

It is best to launch Zenmap as root, since Nmap needs raw-socket privileges for most of its functionality (SYN scans, OS detection and so on; without them it falls back to a plain TCP connect scan):

sudo zenmap

Usage

Once you launch Zenmap, you'll see a fairly simple user interface:

Let's start. The first thing we need is a scan target. Suppose you need to scan a network whose addresses match 192.168.100.*. Enter that pattern in the Target field. Next, pick a suitable scan profile from the Profile drop-down list. A warning right away: the "Intense scan" profile can do unpleasant things to some network devices, such as switches or routers, so be careful with it. Once you pick a profile, the contents of the "Command" field, which holds the nmap command with its parameters, change accordingly. You can always adjust it to suit yourself.

Once the target is set and a scan profile selected, press "Scan" and go have a coffee (or not; it all depends on the size of the task you gave nmap and the speed of your network). When the scan completes, the left pane lists the hosts found.

The right pane has five tabs:

  • Nmap Output: the tab that opens by default, showing the text output of nmap;
  • Ports/Hosts: shows which ports are open and on which hosts;
  • Topology: shows your network topology in graphical form;
  • Host Details: detailed scan results for the host selected in the left pane;
  • Scans: all your previous scan commands, i.e. the history.

Topology

The Topology tab is the most interesting part of Zenmap. It displays the topology of the scanned network as a cluster of circles labelled with host names or IP addresses. If the network is large enough, it is almost impossible to make anything out in this pile of circles.

Click the Controls button at the top and use the Zoom and Ring gap controls that appear on the right to tune the display to your liking. The checkboxes in the View section select which host information is shown on the map.

As mentioned above, the graphical topology in Zenmap is interactive. Clicking a host makes it the centre of the map, and the Navigation section lets you rotate the whole map as you please. These features are especially useful when the network is large enough that you need to work with one specific part of the topology. To get detailed information about a host, just right-click it:

Scan profiles

In Zenmap you can use the predefined profiles or create your own. To create a new profile or edit an existing one, open the Profile menu and choose New Profile or Command or Edit Selected Profile, respectively. In the window that appears, configure everything as you need.

Of course, if you changed an existing profile, you will need to run the scan again to pick up the changes.

Conclusion

Zenmap is an incredibly powerful utility that lets network administrators audit networks of virtually any size. A great thing: easy to use and, on top of that, open source. Be sure to dig into the profile editor and configure everything the way that suits you best; then you will be able to appreciate the full power of this tool.

Have you ever wondered how an attacker knows which ports are open on a system? Or how you can find out what applications are running on a server without asking the administrator? You can do all this and more with a little tool called Nmap.


What is Nmap? The name Nmap is short for “network mapper”; nmap itself is a set of tools for scanning a network. It can be used for security auditing, simply to determine the services running on a host, to identify the OS and applications, and to determine the type of firewall in front of the scanned host.
Nmap is a famous tool. Once you learn a bit about Nmap, you'll recognize it in scenes from films such as The Matrix Reloaded, The Bourne Ultimatum, Hottabych, and others.
This tutorial covers the basics of using Nmap and provides some examples that you can use.

Where can I get Nmap?
If you use Linux, you can find Nmap packages in the repositories of most distributions. At the time of writing Nmap had just had a release (early 2010; the output below comes from 5.21), so the latest version may not yet be in the current stable branches. You can find the sources and some binary builds on the download page. There is also a Windows version.
Basics of using Nmap.
Nmap's syntax is as follows:

nmap [scan options] [target]

Let's say you want to scan a node and find out what operating system is running on it. To do this do the following:

nmap -O target.host.com

Note that Nmap needs superuser privileges to run this type of scan. The scan may take a minute or so, so be patient. When it finishes you will see something like this:

Starting Nmap 5.21 (nmap.org) at 2010-02-27 23:52 EST
Nmap scan report for 10.0.0.1
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
5009/tcp open airport-admin
10000/tcp open snet-sensor-mgmt
MAC Address: 00:11:24:6B:43:E2 (Apple Computer)
Device type: WAP|printer
Running: Apple embedded, Canon embedded, Kyocera embedded, Xerox embedded
OS details: VxWorks: Apple AirPort Extreme v5.7 or AirPort Express v6.3; Canon imageRUNNER printer (5055, C3045, C3380, or C5185); Kyocera FS-4020DN printer; or Xerox Phaser 8860MFP printer
Network Distance: 1 hop

As you can see, Nmap provides a lot of information. Here it shows a guess about the operating system running on the host; in this case an Apple AirPort Extreme router was scanned. As a bonus, Nmap reports that the device is one hop away, the MAC address of the device and the vendor of its network interface, the open ports, and how long the scan took.
Below is the result of another scan, of a home computer running Ubuntu 9.10:

Starting Nmap 5.21 (nmap.org) at 2010-02-28 00:00 EST
Nmap scan report for 10.0.0.6
Host is up (0.0039s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:17:08:2A:D6:F0 (Hewlett Packard)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at nmap.org/submit.
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

Here we see that the system has an HP network card and runs a Linux kernel somewhere between 2.6.19 and 2.6.31. Note that OS detection cannot identify the distribution, only the kernel version range.

Scanning foreign nodes.

In the examples above, the local router and one of the workstations were chosen as targets because we had permission to scan them. It is a bad idea to run scans against hosts you don't control or don't have permission to scan. For experimentation, Nmap provides a public test server, scanme.nmap.org, which you may use.
Many administrators dislike unauthorized scanning of their servers, so the best policy is to limit scans to your own local network or to hosts you have permission to scan. In some cases you may also be violating your ISP's terms of service by using some of Nmap's more aggressive scan types, so be careful.

Scan multiple nodes.

You can scan more than one host at a time with nmap. When scanning by IP address, you can specify a range such as 10.0.0.1-6 or a CIDR block such as 10.0.0.0/24. With the range 10.0.0.1-6, hosts 10.0.0.1 through 10.0.0.6 are scanned. With /24, the whole range from 10.0.0.0 to 10.0.0.255 is scanned. For example, to scan the hosts 10.0.0.1 through 10.0.0.42 and find out which OS they are probably running, use:

nmap -O 10.0.0.1-42

If you have a list of domain names instead of IP addresses, just separate them with spaces on the command line:

nmap -O host1.target.com host2.target.com

Checking open ports

If you run nmap with no options at all and just a host, it scans that host's most common ports and lists the open ones. The SERVICE column in this mode comes from Nmap's port-to-service table (nmap-services), not from probing the port, so it tells you what conventionally runs on that port; use -sV to find out what actually does. For example, run:
nmap target.hostname.com
and it should print something like this:

Interesting ports on target.hostname.com (10.0.0.88):
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 0.228 seconds

Nmap will provide more information if you use the -v (verbose) option.

Scanning running services

If you want to find out what services are actually running, try the -sV option. This performs a more aggressive scan and tries to determine the version of each service running on the host; the results can also help determine the OS more precisely. For example, running nmap -sV against the test server gives:

Starting Nmap 5.21 (nmap.org) at 2010-02-28 00:15 EST
Nmap scan report for test.host.net (XX.XXX.XXX.XX)
Host is up (0.090s latency).
Not shown: 965 closed ports, 33 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at nmap.org/submit.
Nmap done: 1 IP address (1 host up) scanned in 11.43 seconds

As you can see, Nmap probes the open ports and parses the responses to determine the application versions listening on the SSH and HTTP ports. Here the host is an Ubuntu system with Apache 2.2.8 and OpenSSH 4.7p1. This information is useful for a number of reasons: a version scan can identify systems running outdated services that may be vulnerable to known exploits. One caveat when drawing that conclusion: distributions such as Debian and Ubuntu backport security fixes without changing the upstream version string, so a banner alone proves a service is old, not that it is unpatched.

Who's in my network?

Don't know how many hosts are up on your network? Try nmap -sP, which runs a ping scan of the given network. For example, nmap -sP 10.0.0.0/24 checks the 256 addresses from 10.0.0.0 to 10.0.0.255 for hosts that respond and reports them, without scanning any ports. (Newer Nmap releases call this option -sn; -sP is still accepted as an alias.) You can also use a range, for example:

nmap -sP 10.0.0.1-15
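Both the version scan and the ping sweep above produce output that is easier to post-process than to read by eye once more than a handful of hosts are involved. The script below is an added example, not code from this article or from the Nmap project: it parses Nmap's grepable output format (-oG, the one designed for awk), listing the live hosts from a sweep and the open ports with their versions from a service scan, and then picks out the hosts that expose a given service. SAMPLE is a constructed -oG file standing in for `nmap -sV -oG - 10.0.0.0/29`; its addresses, host names and version strings are invented.

```shell
#!/bin/sh
# Added example: post-processing Nmap grepable output (-oG). Not part of Nmap.
# Produce the real thing with:   nmap -sV -oG scan.gnmap 10.0.0.0/29
# (or nmap -sn -oG sweep.gnmap 10.0.0.0/24 for a ping sweep) and pipe the
# file into the functions below.  SAMPLE is a constructed stand-in.
#
# -oG layout: one tab-separated line per host and record type, e.g.
#   Host: <ip> (<name>)<TAB>Status: Up
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
# Nmap replaces any "/" inside the version string with "|".

TAB=$(printf '\t')
SAMPLE="# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/29 (constructed sample)
Host: 10.0.0.1 (gw.lan)${TAB}Status: Up
Host: 10.0.0.1 (gw.lan)${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open/tcp//domain//dnsmasq 2.86/, 80/closed/tcp//http///${TAB}Ignored State: closed (997)
Host: 10.0.0.6 ()${TAB}Status: Up
Host: 10.0.0.6 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) PHP|5.2.4)/, 445/filtered/tcp//microsoft-ds///${TAB}Ignored State: closed (997)
Host: 10.0.0.7 ()${TAB}Status: Down
# Nmap done: 3 IP addresses (2 hosts up) scanned in 12.01 seconds"

# Print the address of every host reported as up (a -sn sweep produces only these lines).
live_hosts() {
    awk -F'\t' '/^Host:/ && $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }'
}

# Print "ip port/proto service version" for every port in state open.
# Ports in state closed, filtered or open|filtered are dropped.
open_ports() {
    awk -F'\t' '
        /^Host:/ && $2 ~ /^Ports:/ {
            split($1, h, " "); ip = h[2]
            n = split(substr($2, 8), p, /, /)          # strip "Ports: ", split the entries
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")                    # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }'
}

# Print the addresses that have the named service open:  hosts_with_service ssh < scan.gnmap
hosts_with_service() {
    open_ports | awk -v svc="$1" '$3 == svc { print $1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | live_hosts
printf '%s\n' "$SAMPLE" | open_ports
printf '%s\n' "$SAMPLE" | hosts_with_service ssh
```

With a real file, `hosts_with_service ssh < scan.gnmap` is the quickest way to turn a subnet scan into a list of targets for the next step, and the same parser works unchanged on the output of `nmap -sn -oG`, which only produces Status lines.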

Zenmap

Finally, if the joys of the command line are not for you, nmap has a GUI, called Zenmap, that you can use to build and run commands. It lets you pick a target, start a scan, view the results, save them and compare them with other scans.
The Zenmap GUI is a good way to become familiar with Nmap, but it is best to learn the command line if you plan to use Nmap frequently.
In a future guide, we'll take a deeper look at Nmap and the specific tasks you can solve.

This post is a free translation of the article

Are you concerned about the security of your network, or any other? Keeping unwanted connections away from your router is key to keeping the network safe. One simple tool for checking this is Nmap, or Network Mapper: a scanner that reports which ports are open and which are closed, among other details. Security professionals use it to test network security. To learn how to use it, see Step 1.

Steps

Using Zenmap

  1. Download the Nmap installer. You can find the installer on the developers' website and download it for free. Download from the developers' website to avoid the risk of getting a trojanized or tampered copy. The Nmap download also includes Zenmap, a GUI for Nmap that makes the program easy to use for beginners who want to run scans without knowing the command-line options.

    • Zenmap is available for Windows, Linux, and Mac OS X. You can find installers on the official Nmap website.
  2. Launch the “Nmap – Zenmap” GUI program. If you left all the items untouched during installation, the program icon should appear on your desktop. If not, look in the Start menu and launch Zenmap.

  3. Enter the target of your scan. Zenmap makes network scanning a very simple process. First, select the scan target. You can enter a domain (example.com), an IP address (127.0.0.1), a network (192.168.1.0/24), or a combination of these.

    • Depending on the intensity and target of your scan, using Nmap may violate your ISP's terms of service. Always check the local rules before scanning anything outside your own network.
  4. Select your profile. Profiles are preset groups of options that change what the scan does. They let you quickly pick different types of scan without assembling the options on the command line. Choose the profile that fits your needs:

    • Intense scan - extensive scan. Enables OS detection, version detection, script scanning, and traceroute, and uses an aggressive timing template (equivalent to nmap -T4 -A -v).
    • Ping scan - only determines whether the targets are online; no ports are scanned (nmap -sn).
    • Quick scan - faster than a regular scan: aggressive timing and only the 100 most common ports (nmap -T4 -F).
    • Regular scan - a standard Nmap scan with no options: host discovery followed by a scan of the 1000 most common TCP ports.
  5. Click Scan to start scanning. Scan results appear live in the Nmap Output tab. Scanning time depends on the selected profile, the network distance to the target, and the network configuration.

  6. See your results. After the scan is completed, you will see the message “Nmap done” at the bottom of the Nmap Output tab. You can now check the results, depending on the type of scan you selected. All results are collected in the Nmap Output tab, but the other tabs let you study them in more detail.

    • Ports/Hosts - shows the port scan results, including the services running on those ports.
    • Topology - shows the traceroute for the scan performed. You can see how many “hops” your packets take to reach the target.
    • Host Details - shows complete information about the target: number of ports, IP addresses, host names, operating system, and more.
    • Scans - records the history of your previous scans, so you can quickly rerun an earlier scan with the same set of options.

Using the command line

  1. Install Nmap. Nmap is a small, free program. You can download it from the developer's website. Follow the instructions for your operating system:

  2. Open your command prompt. Nmap commands are run from the command line and print their results right below the command. Options change what the scan does. You can run scans from any directory.

  3. Scan the ports you need. To start a simple scan, type nmap <target>. This pings the target and then scans its 1000 most common TCP ports. This scan is easy to spot on the wire. The results appear on your screen; you may have to scroll up to see all of them.

    • Depending on the intensity and target of your scan, using Nmap may be against your ISP's rules. Always check the local rules before scanning anything outside your own network.
  4. Perform a modified scan. Options change the scan parameters, producing a more or less extensive scan. You can combine several options, separated by spaces. Options go before the target: nmap <options> <target>

    • -sS - TCP SYN scan. It is the default whenever Nmap has raw-socket privileges; it sends a SYN and never completes the handshake, so it is faster than a full connect scan and does not show up in the application's own logs. It is not stealthy against the network: any firewall or IDS sees it.
    • -sn - ping scan. Does no port scanning and only checks whether the target is online.
    • -O - OS detection: guesses the target's operating system from its TCP/IP stack fingerprint.
    • -A - aggressive: enables OS detection, version detection, script scanning, and traceroute.
    • -F - fast mode: scans the 100 most common ports instead of the default 1000.
    • -v - verbose: shows more of what the scan is doing while it runs.
  5. Save the scan results to an XML file. Use -oX with the name of the output file; the XML can be processed by other tools or opened in a web browser. The complete command looks like this: nmap -oX ScanResults.xml <target>. To get normal, XML, and grepable output at once, use -oA basename instead.

    • The XML file is saved in the current directory of your command prompt.

Tips

  • Wondering how the scan is going? Press Spacebar (or almost any key) while the scan is running to print Nmap's progress.
  • Target not responding? Add -Pn (older versions spelled it -P0) to skip host discovery. Nmap then scans the target even if it does not answer a ping, which is useful when the host is behind a firewall that drops probes.
  • If your scan takes a long time (more than 20 minutes), add -F so that Nmap scans only the 100 most common ports.

Warnings

  • Make sure you have permission to scan the target. Scanning government websites will bring you quite a few problems. If you want to test the scan, you can use scanme.nmap.org. This is a test computer installed by the creator of the program.
  • If you use Nmap scanning frequently, be prepared to answer questions from your ISP. Some providers specifically check traffic for Nmap scanning. The program is well-known and often used by hackers.

A few examples of working with the excellent network scanner Nmap

Scan the network looking for Active Hosts:

$ nmap -sn 192.168.1.0/24

Scanning a list of hosts/networks from a File:

$ nmap -iL input.txt

File format:

Entries can be in any of the formats that Nmap works with from the command line (IP addresses, hostnames, CIDR, IPv6, or octet ranges). Entries must be separated by one or more spaces, tabs, or newlines.

$ cat input.txt
server.test.com
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200

Scan Multiple IP Addresses:

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ nmap 192.168.1.1,2,3


5. Excluding IP/Hosts/Networks from Scanning

Exclude Targets from Nmap scanning:

$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3

Note that --exclude takes one comma-separated argument; a second address after a space would be treated as another target to scan, not as an exclusion.

Exclude List of hosts taken from file:

$ nmap 192.168.1.0/24 --excludefile exclude.txt
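The target formats used above (CIDR blocks, per-octet ranges like 192.168.3.0-200, per-octet lists like 192.168.2.1,2,3, -iL files and --exclude lists) are easier to reason about once you can see what they expand to, for instance to check how many addresses a scan will touch before you launch it. The script below is an added example, not Nmap's own target parser: it expands IPv4 specifications in those forms into one address per line and then subtracts an exclude list, which is what --exclude and --excludefile do. It assumes IPv4 only, passes hostnames through unchanged, and reproduces Nmap's habit of including the network and broadcast addresses of a CIDR block.

```shell
#!/bin/sh
# Added example: expand Nmap-style IPv4 target specifications the way the
# cheat sheet uses them (CIDR, per-octet ranges, per-octet comma lists,
# -iL files and --exclude lists). Illustrative code, not Nmap's own target
# parser; IPv4 only, hostnames are left untouched.

# expand_cidr ADDRESS PREFIXLEN  ->  every address in the block, network and
# broadcast included (Nmap includes both when given 192.168.1.0/24).
expand_cidr() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, o, "[.]")
        n = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        size = 2 ^ (32 - $2)
        base = n - (n % size)                      # clear the host bits
        for (a = base; a < base + size; a++)
            printf "%d.%d.%d.%d\n", int(a / 16777216) % 256, int(a / 65536) % 256, int(a / 256) % 256, a % 256
    }'
}

# expand_octets SPEC  ->  every combination of the per-octet lists, e.g.
# 192.168.3.0-200, 192.168.2.1,2,3 or 10.0.1,3.5-6. An open range end
# (10.0.0.-50 or 10.0.0.200-) means 0 or 255, as in Nmap.
expand_octets() {
    printf '%s\n' "$1" | awk -F'[.]' '
        function expand(oct, spec,   n, parts, i, r, lo, hi, k, v) {
            k = 0
            n = split(spec, parts, ",")
            for (i = 1; i <= n; i++) {
                if (index(parts[i], "-")) { split(parts[i], r, "-"); lo = r[1]; hi = r[2] }
                else { lo = parts[i]; hi = parts[i] }
                if (lo == "") lo = 0
                if (hi == "") hi = 255
                for (v = lo + 0; v <= hi + 0; v++) L[oct, ++k] = v
            }
            return k
        }
        NF == 4 {
            n1 = expand(1, $1); n2 = expand(2, $2); n3 = expand(3, $3); n4 = expand(4, $4)
            for (i = 1; i <= n1; i++) for (j = 1; j <= n2; j++)
                for (k = 1; k <= n3; k++) for (l = 1; l <= n4; l++)
                    print L[1, i] "." L[2, j] "." L[3, k] "." L[4, l]
        }'
}

# expand_target SPEC  ->  one line per address; a hostname passes through
# unchanged because resolving it is DNS work, not parsing.
expand_target() {
    case $1 in
        */*)          expand_cidr "${1%/*}" "${1#*/}" ;;
        *[!0-9.,-]*)  printf '%s\n' "$1" ;;
        *)            expand_octets "$1" ;;
    esac
}

# expand_targets SPEC...  ->  the same for several specs (what -iL does line by line).
expand_targets() {
    for t in "$@"; do expand_target "$t"; done
}

# apply_exclude SPEC...  ->  filter stdin, dropping every address covered by the
# given specs (the semantics of --exclude / --excludefile). Matching is on the
# expanded addresses, so a /24 in the exclude list removes all 256 of them.
apply_exclude() {
    ex=$(expand_targets "$@")
    awk -v ex="$ex" 'BEGIN { n = split(ex, e, "\n"); for (i = 1; i <= n; i++) drop[e[i]] = 1 }
                     !($0 in drop)'
}

# Demo: entries in the style of the cheat sheet's input.txt, minus an exclude list.
expand_targets server.test.com 192.168.2.1,2,3 192.168.1.0/30 | apply_exclude 192.168.1.1,3
```

A useful pre-flight check before a large scan is `expand_targets $(cat input.txt) | apply_exclude $(cat exclude.txt) | wc -l`, which tells you how many addresses Nmap will actually probe.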

6. Scan Specific Ports

Scan One Port:

$ nmap -p 80 192.168.1.1

Scan Multiple Ports:

$ nmap -p 80,443 192.168.1.1

Scan Port Range:

$ nmap -p 80-1000 192.168.1.1

Scan All Ports (1-65535; note that -p "*" would only cover ports that have a name in nmap-services):

$ nmap -p- 192.168.1.1

Skip host discovery and scan even a host that does not answer ping probes (useful behind firewalls that drop ICMP):

$ nmap -Pn 192.168.1.1

7. Determination of Supported IP Protocols

Determine which IP Protocols (TCP, UDP, ICMP, etc.) the scanned host supports:

$ nmap -sO 192.168.1.1

8. TCP/UDP Port Scanning

TCP connect scan (completes the three-way handshake; the only TCP scan available without raw-socket privileges, and the one whose connections show up in the target's application logs):

$ nmap -sT 192.168.1.1

Scan specific TCP Ports:

$ nmap -p T:80 192.168.1.1

UDP scan (slow: most hosts rate-limit the ICMP port-unreachable replies that mark a UDP port closed, so a full UDP sweep can take hours, and ports that never answer are reported as open|filtered):

$ nmap -sU 192.168.1.1

Scan specific UDP Ports:

$ nmap -p U:53 192.168.1.1

Combine TCP and UDP ports in one scan. A T: or U: prefix applies to every port that follows until the next prefix. The UDP list is only used when -sU is given, and the TCP list needs at least one TCP scan type (-sS, -sT, ...), so both must be enabled:

$ nmap -sU -sS -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1
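Port specifications like the one above are parsed by a few simple rules (comma-separated items, a-b ranges, a bare - meaning 1-65535, and a T:/U:/S: prefix that sticks until the next prefix), and it is worth seeing exactly which proto/port pairs a given string produces before scanning with it. The script below is an added example, not Nmap's parser: it expands a -p string into "proto port" lines and totals them per protocol. It handles numeric ports only; service names and the * wildcard are left out, and items before any prefix get a default protocol of tcp (Nmap itself applies them to every protocol family the chosen scan types enable).

```shell
#!/bin/sh
# Added example: expand an Nmap -p port specification into "proto port" lines.
# Illustrative code, not Nmap's parser: numeric ports and ranges only
# (service names and the * wildcard are not handled).
#
# Rules implemented:
#   - items are comma-separated; "a-b" is a range, "-" alone is 1-65535,
#     "-b" starts at 1 and "a-" ends at 65535;
#   - a T:, U: or S: prefix switches the protocol for that item and all
#     following items until the next prefix;
#   - items before any prefix get DEFAULT_PROTO (second argument, "tcp"
#     if omitted). Nmap applies them to every protocol family the scan
#     types enable, so pass "udp" when modelling a -sU scan.

# expand_ports SPEC [DEFAULT_PROTO]
expand_ports() {
    printf '%s\n' "$1" | awk -v dflt="${2:-tcp}" '
        BEGIN { name["T"] = "tcp"; name["U"] = "udp"; name["S"] = "sctp" }
        {
            proto = dflt
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                it = items[i]
                if (it ~ /^[TUS]:/) { proto = name[substr(it, 1, 1)]; it = substr(it, 3) }
                if (it == "") continue                      # a bare "T:" just switches protocol
                if (it !~ /^[0-9]*-?[0-9]*$/) { print "bad port item: " items[i] > "/dev/stderr"; exit 1 }
                if (index(it, "-")) {
                    split(it, r, "-")
                    lo = (r[1] == "") ? 1 : r[1] + 0
                    hi = (r[2] == "") ? 65535 : r[2] + 0
                } else { lo = it + 0; hi = lo }
                if (lo > hi || hi > 65535) { print "bad port range: " items[i] > "/dev/stderr"; exit 1 }
                for (p = lo; p <= hi; p++) print proto, p
            }
        }'
}

# port_summary SPEC [DEFAULT_PROTO]  ->  "proto count" per protocol, sorted.
port_summary() {
    expand_ports "$1" "$2" | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Demo with the cheat sheet's combined specification.
expand_ports 'U:53,79,113,T:21-25,80,443,8080'
port_summary 'U:53,79,113,T:21-25,80,443,8080'
```

The per-protocol total is the number that matters for scan time: a few thousand TCP ports are quick, while the same count on UDP can take hours because of ICMP rate limiting.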

9. Quick Scan

Activate Fast Mode scan:

$ nmap -F 192.168.1.1

10. Show Reason for Port State

Show the reason why Nmap thinks a port is in a certain state:

$ nmap --reason 192.168.1.1

11. Show Only Open Ports

Show Only Open Ports (or possibly open ones):

$ nmap --open 192.168.1.1

Show only hosts with port 22 open:

$ nmap -p22 --open 192.168.1.1

12. OS Detection

Enable OS Detection:

$ nmap -O 192.168.1.1

* Identifies the remote operating system from its TCP/IP stack fingerprint; needs raw-socket privileges.
13. Determining the Version of Services

Enable Service Version Detection:

$ nmap -sV 192.168.1.1

* Determines the versions of programs running on the remote server.
14. Firewall Detection

Find out whether the host sits behind a packet filter or firewall. The TCP ACK scan never reports ports as open; it reports unfiltered when the ACK got through and filtered when something in the path dropped it, which maps the filter's rule set:

$ nmap -sA 192.168.1.1

15. Save Output to XML

$ nmap -oX output.xml 192.168.1.1

16. Aggressive Scan

$ nmap -A 192.168.1.2

This command runs the default scripts and several other options at once; the help text describes it as: Enable OS detection, version detection, script scanning, and traceroute.
For example, for the Samba service (port 445), it shows the following (from the smb-security-mode script; a server that does not require message signing leaves its SMB sessions open to relay attacks, which is why the script flags the setting as dangerous):

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
