Nmap is an open source tool for network discovery and security auditing. It is designed to scan large networks quickly, but it works just as well against a single host.

Nmap has a very large number of options and navigating them can be overwhelming, so this page focuses on the commonly used ones: the commands that let you map a network and identify the hosts and services that could be targeted later in an engagement.

1 Scan a single host
nmap 192.168.1.10
nmap github.com
nmap -v github.com               # verbose mode; -vv for even more output
2 Scan a subnet or several IPs
nmap 192.168.1.1 192.168.1.10 192.168.1.11
nmap 192.168.1.1,10,11         # scan 192.168.1.1, 192.168.1.10 and 192.168.1.11
nmap 192.168.1.1-15            # scan a range of IPs (192.168.1.1 through 192.168.1.15)

A network written in CIDR notation contains 2^(address length - prefix length) addresses, where the address length is 32 bits for IPv4 and 128 bits for IPv6.

For example, in IPv4 the prefix length /28 gives 2^(32-28) = 2^4 = 16 addresses. Note that nmap scans every address in the block, the network and broadcast addresses included, unless you exclude them. Example of a ping scan over two small IPv4 networks:

nmap -v -sn 192.168.1.0/28 10.0.0.0/24

Nmap can also read its targets (hosts, subnets or IP ranges, separated by spaces, tabs or newlines) from a text file with the -iL option:

 -iL <inputfilename>: Input from list of hosts/networks
 nmap -iL ~/inputfilename.txt
3 Exclude IPs from a scan
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.2     # scan the /24 except the two hosts listed
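The address arithmetic above and the -iL / --exclude options can be combined into a small target-list generator. The following is an added example (not from the original page and not part of nmap itself): it computes the size of a CIDR block for IPv4 and IPv6 with Python's standard ipaddress module, expands CIDR blocks, last-octet ranges and single hosts the way nmap does, removes the excluded addresses, and writes one target per line for nmap -iL. The networks, hosts and the targets.txt filename are constructed sample values, and parsing dash ranges only in the last octet is an assumption (nmap itself accepts ranges in any octet).

```python
"""Build an explicit nmap target list (for -iL) from CIDR blocks, last-octet
ranges and single hosts, minus exclusions.

Added example, not part of the original page and not nmap's own code. The
networks, hosts and the output filename below are constructed sample values.
Assumption: dash ranges are only parsed in the last octet ("192.168.1.1-15"),
the form used on this page; nmap itself accepts ranges in any octet.
"""
import ipaddress


def address_count(cidr: str) -> int:
    """Total addresses in a CIDR block: 2^(address length - prefix length).

    ipaddress knows the address length (32 for IPv4, 128 for IPv6), so the
    same function covers both families. strict=False accepts an input with
    host bits set, e.g. "192.168.1.10/28".
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return 2 ** (net.max_prefixlen - net.prefixlen)


def expand_targets(targets):
    """Expand nmap-style target specs into a set of ip_address objects.

    Like nmap, a CIDR block expands to every address in it, including the
    network and broadcast addresses; use exclusions to drop those.
    """
    hosts = set()
    for spec in targets:
        spec = spec.strip()
        if not spec:
            continue
        if "/" in spec:                                  # CIDR block, v4 or v6
            hosts.update(ipaddress.ip_network(spec, strict=False))
        elif "-" in spec and spec.count(".") == 3:       # last-octet range (assumption)
            prefix, _, last_octet = spec.rpartition(".")
            first, _, last = last_octet.partition("-")
            for i in range(int(first), int(last) + 1):
                hosts.add(ipaddress.ip_address(f"{prefix}.{i}"))
        else:                                            # single host
            hosts.add(ipaddress.ip_address(spec))
    return hosts


def build_target_list(targets, excludes=()):
    """Return the sorted list of addresses to scan, as strings, after removing
    everything matched by the exclude specs (the equivalent of --exclude)."""
    wanted = expand_targets(targets) - expand_targets(excludes)
    # Addresses of different families do not compare; sort by (family, value).
    return [str(a) for a in sorted(wanted, key=lambda a: (a.version, int(a)))]


def write_target_list(path, targets, excludes=()):
    """Write one address per line for 'nmap -iL <path>' and return the count."""
    hosts = build_target_list(targets, excludes)
    with open(path, "w") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    # Constructed sample input: the page's /28 and range, minus the gateway and one host.
    targets = ["192.168.1.0/28", "192.168.1.1-15", "10.0.0.5"]
    excludes = ["192.168.1.1", "192.168.1.2"]
    for cidr in ("192.168.1.0/28", "10.0.0.0/24", "2001:db8::/64"):
        print(f"{cidr:>16}: {address_count(cidr)} addresses")
    n = write_target_list("targets.txt", targets, excludes)
    print(f"wrote {n} targets; scan with: nmap -sn -iL targets.txt")
```

nmap accepts CIDR blocks, ranges and --exclude directly, so the file is not strictly needed; the value of expanding first is that you can review exactly which addresses will be touched (network and broadcast addresses included) before a scan is launched.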
4 Host discovery (ping scan)

A ping scan reports which hosts are up without port scanning them:

nmap -sn 192.168.1.0/28          # -sP is the old name for -sn and is still accepted as an alias
5 Operating system detection
nmap -O 192.168.1.2
nmap -O --osscan-limit 192.168.1.2     # limit OS detection to promising targets (hosts with at least one open and one closed TCP port)
nmap -O --osscan-guess 192.168.1.2     # guess more aggressively when no perfect fingerprint match is found
6 Port scanning
nmap -p 80,443 192.168.1.2       # scan the HTTP and HTTPS ports of a web server

nmap -p 80-200 192.168.1.2          # Scan port range

nmap --open 192.168.1.2          # only show open (or possibly open) ports, here over the default set of the 1000 most common ports
7 Aggressive scan options

-A enables OS detection (-O), version detection (-sV), script scanning with the default script set (-sC) and traceroute (--traceroute). It is convenient but noisy, since it sends far more probes than a plain port scan, so only use it against targets you are authorized to test.

-sV: Probe open ports to determine service/version info

-sC: Performs a script scan using the default set of scripts

--traceroute: Trace hop path to each host

nmap -A 192.168.1.2
