Nmap features include:
Host Discovery - Identifying computers on a network, for example listing the computers which respond to pings, or which have a particular port open
Port Scanning - Enumerating the open ports on one or more target computers
Version Detection - Interrogating network services on remote computers to determine the application name and version number
OS Detection - Remotely determining the operating system and some hardware characteristics of network devices.
Typical uses of Nmap:
- Auditing the security of a computer, by identifying the network connections which can be made to it
- Identifying open ports on a target computer in preparation for auditing
- Network inventory, network mapping, maintenance, and asset management
- Auditing the security of a network, by identifying unexpected new servers.
Nmap options
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-P0: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idlescan
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast - Scan only the ports listed in the nmap-services file
-r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
-O: Enable OS detection (try 2nd generation w/fallback to 1st)
-O2: Only use the new OS detection system (no fallback)
-O1: Only use the old (1st generation) OS detection system
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's'
(seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5]: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
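The TARGET SPECIFICATION and PORT SPECIFICATION sections above quote a compact syntax (octet ranges such as 10.0.0-255.1-254, CIDR suffixes, and -p lists with T:/U: prefixes) without saying how large a scan it describes. The Python below is an added example written for this page, not nmap's own code; it expands both syntaxes offline so you can see exactly which addresses and (protocol, port) pairs an argument covers before launching a scan. Assumptions: hostnames are passed through unresolved rather than looked up, and ports given before any T:/U: prefix are added to both the TCP and UDP lists, which is how nmap treats unqualified ports when both a TCP scan type and -sU are requested.

```python
import ipaddress
import itertools
import re
from typing import Iterator, List, Set, Tuple

# Added example for this page, not nmap's own code: expands the target
# and port syntax quoted in the help text so a scan's scope is visible
# before any packet is sent.


def _expand_octet(part: str) -> List[int]:
    """Expand one octet field: '5', '1-254', '1,5,9' or '-' (meaning 0-255)."""
    values: List[int] = []
    for piece in part.split(","):
        if "-" in piece:
            lo_s, hi_s = piece.split("-", 1)
            lo, hi = (int(lo_s) if lo_s else 0), (int(hi_s) if hi_s else 255)
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {piece!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield the IPv4 addresses covered by one nmap target argument.

    Forms handled, as listed under TARGET SPECIFICATION: a literal address,
    CIDR notation (192.168.1.0/24) and per-octet ranges or lists
    (10.0.0-255.1-254). Hostnames, with or without a /prefix, are yielded
    unchanged because nmap would resolve them; this example stays offline.
    """
    if "/" in spec:
        base, prefix = spec.split("/", 1)
        try:
            ipaddress.IPv4Address(base)
        except ValueError:
            yield spec  # e.g. microsoft.com/24: needs DNS, pass through
            return
        for addr in ipaddress.IPv4Network(f"{base}/{prefix}", strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) == 4 and all(re.fullmatch(r"[0-9,\-]+", o) for o in octets):
        for combo in itertools.product(*(_expand_octet(o) for o in octets)):
            yield ".".join(str(n) for n in combo)
    else:
        yield spec  # plain hostname such as scanme.nmap.org


def expand_ports(spec: str) -> Set[Tuple[str, int]]:
    """Expand a -p argument into (protocol, port) pairs.

    Forms handled, as in the help text: -p22, -p1-65535, -p- (every port)
    and -p U:53,111,137,T:21-25,80,139,8080. A T:/U: prefix applies to each
    following item until the next prefix; items before any prefix go to
    both protocol lists (assumption: both a TCP scan type and -sU are set).
    """
    spec = spec.strip()
    if spec.startswith("-p"):
        spec = spec[2:].strip()
    protos: Tuple[str, ...] = ("tcp", "udp")
    result: Set[Tuple[str, int]] = set()
    for item in spec.split(","):
        if ":" in item:
            prefix, item = item.split(":", 1)
            try:
                protos = {"T": ("tcp",), "U": ("udp",)}[prefix.strip().upper()]
            except KeyError:
                raise ValueError(f"unknown protocol prefix: {prefix!r}") from None
        item = item.strip()
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = (int(lo_s) if lo_s else 1), (int(hi_s) if hi_s else 65535)
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        result.update((proto, port) for proto in protos for port in range(lo, hi + 1))
    return result


if __name__ == "__main__":
    print(sum(1 for _ in expand_target("10.0.0-255.1-254")), "addresses")
    print(sorted(expand_ports("-p U:53,111,137,T:21-25,80,139,8080")))
```

Run it with the help text's own examples: 10.0.0-255.1-254 expands to 65024 addresses and the mixed -p list to three UDP and eight TCP ports, which is the kind of number worth knowing before pointing a scan at a production range.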
How to use NMAP
1. How to scan your network to see which hosts are up:
nmap -sP 192.168.1.0/24 (this scans the IPs from 192.168.1.1 to 192.168.1.254 to see which hosts are up)
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:05 EET
Host 192.168.1.12 is up (0.0010s latency).
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Host 192.168.1.50 is up (0.00021s latency).
MAC Address: 00:24:8C:5D:EC:6C (Asustek Computer)
Host 192.168.1.51 is up.
Host 192.168.1.53 is up (0.0013s latency).
MAC Address: 08:00:27:C1:3B:9D (Cadmus Computer Systems)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.88 seconds
2. Now we scan 192.168.1.12 using a SYN scan [-sS] and -A to enable OS fingerprinting and version detection. The results will be saved in a file named nmap.log.
nmap -sS -A -oN nmap.log 192.168.1.12
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:12 EET
Interesting ports on 192.168.1.12:
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Linksys WRT54GL wireless-G router http config
|_ html-title: 401 Unauthorized
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = WRT54GL
5431/tcp open http Belkin/Linksys wireless router http config (Linux 2.4; UPnP 1.0; BRCM400 1.0)
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Network Distance: 1 hop
Service Info: Devices: WAP, router
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
3. How to scan a host for open ports, network services, OS version and IP ID sequence:
nmap -sS -P0 -A -v 192.168.1.53
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:38 EET
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 19:38
Scanning 192.168.1.53 [1 port]
Completed ARP Ping Scan at 19:38, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:38
Completed Parallel DNS resolution of 1 host. at 19:38, 0.05s elapsed
Initiating SYN Stealth Scan at 19:38
Scanning 192.168.1.53 [1000 ports]
Discovered open port 22/tcp on 192.168.1.53
Completed SYN Stealth Scan at 19:38, 1.41s elapsed (1000 total ports)
Initiating Service scan at 19:38
Scanning 1 service on 192.168.1.53
Completed Service scan at 19:38, 0.05s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.1.53
Retrying OS detection (try #2) against 192.168.1.53
Retrying OS detection (try #3) against 192.168.1.53
Retrying OS detection (try #4) against 192.168.1.53
Retrying OS detection (try #5) against 192.168.1.53
NSE: Script scanning 192.168.1.53.
NSE: Starting runlevel 1 scan
Initiating NSE at 19:38
Completed NSE at 19:38, 0.24s elapsed
NSE: Script Scanning completed.
Host 192.168.1.53 is up (0.00085s latency).
Interesting ports on 192.168.1.53:
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (protocol 2.0)
| ssh-hostkey: 1024 51:08:cd:ba:ad:5a:4d:87:20:5b:41:ee:f2:34:80:e5 (DSA)
|_ 2048 a2:7c:9e:22:7e:9c:3f:2e:7d:46:d6:1a:29:f1:c2:c8 (RSA)
MAC Address: 08:00:27:C1:3B:9D (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=2/23%OT=22%CT=1%CU=41757%PV=Y%DS=1%G=Y%M=080027%TM=4B8412B
OS:0%P=x86_64-redhat-linux-gnu)SEQ(SP=C5%GCD=1%ISR=C0%TI=Z%CI=Z%II=I%TS=8)S
OS:EQ(SP=C6%GCD=1%ISR=BF%TI=Z%CI=Z%II=I%TS=8)SEQ(SP=C6%GCD=1%ISR=C0%TI=Z%CI
OS:=Z%II=I%TS=8)SEQ(SP=C5%GCD=1%ISR=BF%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M5B4ST11N
OS:W5%O2=M5B4ST11NW5%O3=M5B4NNT11NW5%O4=M5B4ST11NW5%O5=M5B4ST11NW5%O6=M5B4S
OS:T11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=4
OS:0%W=16D0%O=M5B4NNSNW5%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(
OS:R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW5%RD=0%Q=)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.004 days (since Tue Feb 23 19:33:04 2010)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=197 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
Raw packets sent: 1103 (52.340KB) | Rcvd: 1076 (46.596KB)
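As an added example (written for this page, not part of the original post or of nmap itself), the script below parses normal-format (-oN) output like the transcripts above and compares it with an expected inventory. That turns the "identifying unexpected new servers" use listed at the top of the page into a repeatable check: anything that is up but unknown, or listening on a port the inventory does not list, is reported. The sample output is constructed from the post's own scan results, and the baseline inventory is an assumption chosen so that one host and one port show up as unexpected.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example for this page, not nmap's own code: reads -oN output and
# diffs it against a known-good inventory to flag new hosts and ports.

# Constructed sample: the post's ping scan and -sS -A transcripts as they
# would appear concatenated in one -oN file, with NSE and OS lines dropped.
# The port table is single-spaced here; nmap pads columns, which the
# regex below tolerates.
SAMPLE_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:05 EET
Host 192.168.1.12 is up (0.0010s latency).
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Host 192.168.1.50 is up (0.00021s latency).
Host 192.168.1.51 is up.
Host 192.168.1.53 is up (0.0013s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.88 seconds
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:12 EET
Interesting ports on 192.168.1.12:
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Linksys WRT54GL wireless-G router http config
5431/tcp open http Belkin/Linksys wireless router http config (Linux 2.4; UPnP 1.0; BRCM400 1.0)
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:38 EET
Interesting ports on 192.168.1.53:
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
"""

# Constructed baseline (an assumption): the hosts and open ports the
# administrator expects. Host .51 is absent, and .12 is only expected to
# expose its web UI on 80/tcp.
BASELINE: Dict[str, Set[Tuple[str, int]]] = {
    "192.168.1.12": {("tcp", 80)},
    "192.168.1.50": set(),
    "192.168.1.53": {("tcp", 22)},
}

HOST_UP_RE = re.compile(r"^Host (\S+) is up")
PORTS_HEADER_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# (proto, port) -> (state, service, version)
PortTable = Dict[Tuple[str, int], Tuple[str, str, str]]


def parse_normal_output(text: str) -> Dict[str, PortTable]:
    """Return {host: port table} for every host reported up, including
    hosts that have no port table (ping-scan-only results)."""
    hosts: Dict[str, PortTable] = {}
    current = None  # host whose "Interesting ports" table we are inside
    for line in text.splitlines():
        if line.startswith(("Starting Nmap", "Nmap done")):
            current = None  # a new run or end of run closes any open table
            continue
        m = HOST_UP_RE.match(line)
        if m:
            hosts.setdefault(m.group(1), {})
            continue
        m = PORTS_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, {})
            continue
        m = PORT_LINE_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current][(proto, int(port))] = (state, service, version or "")
    return hosts


def find_unexpected(hosts: Dict[str, PortTable],
                    baseline: Dict[str, Set[Tuple[str, int]]]
                    ) -> Tuple[List[str], Dict[str, Set[Tuple[str, int]]]]:
    """Return (unknown_hosts, extra_ports): hosts up but not in the baseline,
    and, per known host, open ports the baseline does not list."""
    unknown = sorted(h for h in hosts if h not in baseline)
    extra: Dict[str, Set[Tuple[str, int]]] = {}
    for host, table in hosts.items():
        if host not in baseline:
            continue
        open_ports = {key for key, (state, _, _) in table.items() if state == "open"}
        diff = open_ports - baseline[host]
        if diff:
            extra[host] = diff
    return unknown, extra


if __name__ == "__main__":
    unknown, extra = find_unexpected(parse_normal_output(SAMPLE_OUTPUT), BASELINE)
    for h in unknown:
        print(f"unknown host up: {h}")
    for h, ports in extra.items():
        print(f"{h}: unexpected open ports {sorted(ports)}")
```

On the sample it reports 192.168.1.51 as an unknown host and 5431/tcp (the router's UPnP configuration service) as an unexpected open port on 192.168.1.12. For anything beyond a one-off check, feed it -oX output and a real XML parser instead; the normal format is meant for humans and its layout changes between nmap versions.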