Nmap Tutorial, Download, Installation, Commands & Examples

Nmap, aka Network Mapper, is available in various versions and formats. The Nmap tarball compiles under Linux, Windows, Mac OS X, and many UNIX platforms (Solaris, FreeBSD/OpenBSD/NetBSD, etc.).

Nmap is used for exploring networks, performing security scans, auditing networks and finding open ports on remote machines. It scans for live hosts, operating systems, packet filters and open ports running on remote hosts. Nmap was named "Security Product of the Year" by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest.

Download Nmap in Microsoft Windows
Nmap supports Windows 7 and newer versions of Windows, as well as Windows Server 2008 and newer. The Nmap executable Windows installer can handle WinPcap installation, registry performance tweaks, and decompressing the executables and data files into your preferred location.

Download Nmap for Windows: Nmap-7.12-setup.exe

Download Nmap in Linux/Ubuntu 
Download and install Nmap for Linux/Ubuntu (64-bit and 32-bit) from the packages listed below.

x86-64 (64-bit Linux) Nmap RPM: nmap-7.12-1.x86_64.rpm

x86-64 (64-bit Linux) Ncat RPM: ncat-7.12-1.x86_64.rpm

x86-64 (64-bit Linux) Nping RPM: nping-0.7.12-1.x86_64.rpm

i686 (32-bit Linux) Nmap RPM: nmap-7.12-1.i686.rpm

i686 (32-bit Linux) Ncat RPM: ncat-7.12-1.i686.rpm

i686 (32-bit Linux) Nping RPM: nping-0.7.12-1.i686.rpm

Optional Zenmap GUI (all platforms): zenmap-7.12-1.noarch.rpm

Source RPM (includes Nmap, Zenmap, Ncat, and Nping): nmap-7.12-1.src.rpm

Download Nmap in Mac OS 
The installer allows installing Nmap, Zenmap, Ncat, and Ndiff. The programs have been tested on Intel computers running Mac OS X 10.6 and later.

Download Nmap for Mac OS: nmap-7.12.dmg

Nmap Installation in Linux, Ubuntu

Nmap, aka Network Mapper, is an open source and very versatile tool for Linux system/network administrators.

Nmap installation guide
How to install nmap on Ubuntu/Debian systems
$ sudo apt-get install nmap

Run/start Nmap by typing nmap; for help, type nmap -h

To install nmap on a yum-packaged system such as CentOS/RHEL
$ sudo yum install nmap -y

To install from a downloaded .rpm package file
$ sudo rpm -ivh nmap{version_of_package}.rpm

To install from a downloaded .deb package file
$ sudo dpkg -i nmap{version_of_package}.deb

Install the GUI version of nmap, Zenmap, on Ubuntu/Linux
$ sudo apt-get install zenmap

Install Umit, the graphical network scanner, on Ubuntu/Linux
$ sudo apt-get install umit

Install NmapSI4 on Ubuntu/Linux
$ sudo apt-get install nmapsi4

Download & Install Zenmap in Linux, Ubuntu

Nmap and Zenmap (the graphical front end) are available in several versions and formats.

Download Zenmap for Linux or Ubuntu
Development Release
Optional Zenmap GUI (all platforms): zenmap-7.25BETA1-1.noarch.rpm
Source RPM (includes Zenmap and Ncat): nmap-7.25BETA1-1.src.rpm

Stable Release
Optional Zenmap GUI (all platforms): zenmap-7.12-1.noarch.rpm
Source RPM (includes Nmap, Zenmap, Ncat, and Nping): nmap-7.12-1.src.rpm

Install Zenmap in Linux or Ubuntu
On yum-based systems the Zenmap package is named nmap-frontend:
$ sudo yum install nmap-frontend

Nmap Commands and Examples

Nmap, aka Network Mapper, is an open source and very versatile tool for Linux system/network administrators. It is used for exploring networks, performing security scans, auditing networks and finding open ports on remote machines, and it scans for live hosts, operating systems, packet filters and open ports running on remote hosts. Here are examples of Nmap commands:

1. Scan a System with Hostname and IP Address
Scan using hostname:
nmap host-name-here
$ nmap server1.nmaptutorial.com

Scan using IP address:
nmap IP-address-here
$ nmap 172.16.6.152

2. Scan a whole Subnet
Scan a whole subnet or IP range with Nmap by using the * wildcard in the last octet.
$ nmap 172.16.6.*

3. Scan Multiple Servers using last octet of IP address
Perform scans on multiple IP addresses by simply specifying a comma-separated list in the last octet. For example, here I am scanning 172.16.6.152, 172.16.6.153 and 172.16.6.154, written as 172.16.6.152,153,154. The same hosts can also be given as separate, space-separated targets.
$ nmap 172.16.6.152,153,154
$ nmap 172.16.6.152 172.16.6.153 172.16.6.154

4. Scan an IP Address Range
You can specify an IP range in the last octet while performing a scan with Nmap, for example 172.16.6.152-160.
$ nmap 172.16.6.152-160

5. Scan Network Excluding Remote Hosts
You can exclude some hosts while performing a full network scan, or when scanning with wildcards, by using the --exclude option.
$ nmap 172.16.6.* --exclude 172.16.6.100
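Before running a scan over a production range it pays to check what a target expression actually covers, for instance that --exclude really removes the host you meant. As an added example, not from the page, the following Python expands nmap's IPv4 target notation from sections 1 to 5 (comma lists and ranges in any octet, the * wildcard, and CIDR) into an explicit host list; the function names are my own, and hostnames are deliberately not resolved.

```python
import ipaddress
import itertools

def _expand_octet(spec):
    """Expand one octet field of an nmap target: '152', '152,153', '152-160', '*', '1-3,7'."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)          # nmap allows open ends: '-5' or '200-'
            values.update(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.add(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet value out of range in {spec!r}")
    return sorted(values)

def expand_target(spec):
    """Expand one IPv4 target ('172.16.6.152-160', '172.16.6.*', '10.0.0.0/30') to host strings."""
    if "/" in spec:                              # CIDR form, e.g. 172.16.6.152/24
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec (hostnames are not resolved here): {spec!r}")
    # Cartesian product of the four expanded octets, in nmap's octet-range style.
    return [".".join(map(str, combo)) for combo in itertools.product(*map(_expand_octet, octets))]

def scan_scope(targets, exclude=()):
    """Explicit, de-duplicated host list for `nmap <targets> --exclude <exclude>`, in order."""
    excluded = {ip for spec in exclude for ip in expand_target(spec)}
    scope, seen = [], set()
    for spec in targets:
        for ip in expand_target(spec):
            if ip not in excluded and ip not in seen:
                seen.add(ip)
                scope.append(ip)
    return scope

if __name__ == "__main__":
    hosts = scan_scope(["172.16.6.152,153,154", "172.16.6.152-160"], exclude=["172.16.6.155"])
    print(len(hosts), "hosts:", hosts)
```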

6. Scan OS information and Traceroute
With Nmap, you can detect which OS and version is running on the remote host. To enable OS and version detection, script scanning and traceroute together, use the -A option.
$ nmap -A 172.16.6.152

7. Enable OS Detection with Nmap
$ nmap -O server2.nmaptutorial.com

8. Scan a Host to Detect Firewall
$ nmap -sA 172.16.6.152

9. Scan a Host even if it is protected by a Firewall
Skip host discovery (ping), so that a host whose firewall drops ping probes is still port scanned. -PN is the older spelling of -Pn and is still accepted.
$ nmap -PN 172.16.6.152

10. Find out Live hosts in a Network
Ping scan (host discovery only, no port scan). -sP is the older spelling of -sn and is still accepted.
$ nmap -sP 172.16.6.*

11. Perform a Fast Scan
$ nmap -F 172.16.6.152

12. Find Nmap version
$ nmap -V

13. Scan Ports Consecutively
$ nmap -r 172.16.6.152

14. Print Host interfaces and Routes
$ nmap --iflist

15. Scan for specific Port
$ nmap -p 80 server2.nmaptutorial.com

16. Scan a TCP Port
$ nmap -p T:8888,80 server2.nmaptutorial.com

17. Scan a UDP Port
-sU (UDP scan): UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase the response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified.
$ nmap -sU -p 53 server2.nmaptutorial.com

18. Scan Multiple Ports
$ nmap -p 80,443 172.16.6.152

19. Scan a Port Range
$ nmap -p 80-160 172.16.6.152

20. Find Host Services version Numbers
Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
$ nmap -sV 172.16.6.152

21. Scan remote hosts using TCP ACK (-PA) and TCP SYN (-PS) ping probes
$ nmap -PS 172.16.6.152

22. Scan Remote host for specific ports with TCP ACK
$ nmap -PA -p 22,80 172.16.6.152

23. Scan Remote host for specific ports with TCP SYN
$ nmap -PS -p 22,80 172.16.6.152

24. Perform a stealthy Scan
-sS (TCP SYN scan): SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.
$ nmap -sS 172.16.6.152

25. Perform a TCP connect Scan (when SYN scan is not an option)
-sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
$ nmap -sT 172.16.6.152

26. Perform a TCP null scan to fool a firewall
Null scan (-sN): does not set any bits (TCP flag header is 0).
$ nmap -sN 172.16.6.152

27. Scan targets from a text file
$ nmap -iL list-of-ips.txt

28. Scan all 65535 ports
$ nmap -p- 172.16.6.152

29. IP Address information
$ nmap --script=asn-query,whois,ip-geolocation-maxmind 172.16.6.152/24

30. Detect Heartbleed SSL Vulnerability
$ nmap -sV -p 443 --script=ssl-heartbleed 172.16.6.152/24

31. HTTP Service Information
Gather page titles from HTTP services: $ nmap --script=http-title 172.16.6.152/24
Get HTTP headers of web services: $ nmap --script=http-headers 172.16.6.152/24
Find web apps from known paths: $ nmap --script=http-enum 172.16.6.152/24

32. A scan to search for DDoS reflection UDP services
Scan for UDP DDoS reflectors: $ nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 172.16.6.152/24

33. Nmap Output Formats
Save default output to file: $ nmap -oN outputfile.txt 172.16.6.152
Save results as XML: $ nmap -oX outputfile.xml 172.16.6.152
Save results in a format for grep: $ nmap -oG outputfile.txt 172.16.6.152
Save in all formats: $ nmap -oA outputfile 172.16.6.152
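The XML format (-oX) is the one to parse when scan results feed other tooling, such as an inventory check that alerts when a port opens that was not open last time. As an added example, not from the page, here is a small Python parser over a constructed -oX sample that lists open ports per live host and reports ports absent from a baseline scan; the element and attribute names are those nmap emits, while the sample hosts, ports and versions are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output (invented data, trimmed to the elements read below).
SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 172.16.6.152-153">
<host><status state="up" reason="syn-ack"/>
  <address addr="172.16.6.152" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="Apache httpd"/></port>
    <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
      <service name="https"/></port>
  </ports></host>
<host><status state="down" reason="no-response"/>
  <address addr="172.16.6.153" addrtype="ipv4"/></host>
</nmaprun>"""

def open_ports(xml_text):
    """Return {ip: {(proto, port): 'name product version'}} for hosts that are up, open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no <ports> worth reading
        addr = host.find("address[@addrtype='ipv4']")
        ports = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue                  # closed, filtered and open|filtered are not open
            svc = port.find("service")
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            ports[(port.get("protocol"), int(port.get("portid")))] = " ".join(f for f in fields if f)
        result[addr.get("addr")] = ports
    return result

def newly_open(baseline, current):
    """Ports open in `current` that were not open in `baseline`: the change to alert on."""
    return {ip: {k: v for k, v in ports.items() if k not in baseline.get(ip, {})}
            for ip, ports in current.items()
            if any(k not in baseline.get(ip, {}) for k in ports)}

if __name__ == "__main__":
    now = open_ports(SCAN_XML)
    for ip, ports in now.items():
        for (proto, num), svc in sorted(ports.items()):
            print(f"{ip} {num}/{proto} {svc}")
    print("new since baseline:", newly_open({"172.16.6.152": {("tcp", 22): "ssh"}}, now))
```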

34. NSE Scripts
Scan using default safe scripts: $ nmap -sV -sC 192.168.1.1
Get help for a script: $ nmap --script-help=ssl-heartbleed
Scan using a specific NSE script: $ nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts (quote the wildcard so the shell does not expand it): $ nmap -sV --script='smb*' 192.168.1.1
