What is Nmap ?
Nmap is a tool that can be used to scan networks, servers, routers. It is a security scanner used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses. In some jurisdictions, unauthorized port scanning is illegal. Please be careful with that.
What are Network Packets ?
In simple words, a packet is a segment of data sent from one computer to another over a network. A packet contains the source, destination, size, type, data and other useful information that helps packet get to its destination. You will get a detailed understanding once I cover Circuit and Packet Switching.
sudo apt-get install nmap
nmap saumitra.co Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-29 11:52 IST Nmap scan report for saumitra.co (220.127.116.11) Host is up (0.027s latency). rDNS record for 18.104.22.168: ec2-50-19-172-88.compute-1.amazonaws.com Not shown: 998 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 447.34 seconds
If you observe carefully, there is a “state” section. There are 4 kinds of states:
- Open : Active and open to connections.
- Closed : No services are running.
- Filtered : Port protected by a firewall.
- Unfiltered : Nmap cannot determine whether its open / closed.
You can even see the IP Address of the respective website. It even works if you type in “Nmap <IP>”. Some of you might think what is SSH ? SSH is also knowns as Secure Socket Shell, which is a network protocol that provides admins with a secure way to access remote computer.
Scanning Multiple Targets at once
nmap <IP1> <IP2>
IP1 and IP2 can be IP addresses of devices on the Home network or IP of websites, servers, etc. It scans all the IP’s listed.
Scanning Range of IP’s
Scans range of IP’s which might take few minutes.
Scanning an Entire Subnet
This scans all devices from 0-255
Making a File with a List of IP Adresses
This is going to save us a lot of time if we create a text file with IP Adresses we wish to scan and then upload it.
cd Desktop/ touch list.txt leafpad list.txt
Now, enter the IP Adresses you wish to scan.
cat list.txt nmap -iL list.txt
where -iL is simply import from list. So, we do see how to simplify our work of scanning multiple IP’S.
Aggressive / Detailed Scan
I have no idea why is it called an Aggressive scan. However, it gives you a lot more detail about the server or the network.
nmap -A saumitra.co
It returns not only the Ports, Services and States but also the Traceroute. You will see a separate section showing you the traceroute (I cannot show you due to an internel error)
Now, the traceroute is useful because :
- Suppose from your Computer you connect to Saumitra.co , it shows you all the routers used to get there, basically the path.
- If you are connecting to some website and your connection is really slow, so you can use this to figure out the point path.
Detecting the Operating System
nmap -O saumitra.co
If the main aim is to detect the Operating System instead of going through the clutter, use this. It involves guess work.
Detecting Version of the Services Running
nmap -sV saumitra.co
Now, apart from Ports, States, and Services, a section of Version is also available.
More Port Scanning Options
There are 65,535 ports available on your server. Surprisingly, 99% of the ports available are never used. Whenever Nmap looks at a server and starts scanning, by default, it is going to scan most popular ports (like SSH, ftp) because it takes time to scan ports. If you wish to scan top 100 ports and save time then use –
nmap -F saumitra.co
It cuts roughly to 1/10th of original time and is a lot faster.
Scanning a Specific Port
nmap -p 20-25,80,443 saumitra.co
It scans ports from 20-25 , 80 and 443.
Scan Every Single Port
nmap -p- saumitra.co
Scan Open Ports only
nmap --open saumitra.co
I hope you found this guide useful. If you have any doubt, feel free to ask.