Hack This Site

What is nmap?

Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

Nmap is ...

* Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
* Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
* Portable: Most operating systems are supported, including Linux, Mcft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
* Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
* Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
* Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, and tutorials. Find them in multiple languages here.
* Supported: While Nmap comes with no warranty, it is well supported by the community and we appreciate bug reports and patches. If you encounter a problem, please follow these instructions.
* Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
* Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

And it works well in my Ubuntu Linux!

You can download it at their Homepage:

Code:
http://insecure.org/nmap/download.html

Ubuntu Users: Just run Sypnatic Package Manager and search for 'nmap'..

Once installed..you can run it with the terminal(Linux) or with a GUI(Linux/Windows)

NOTE: in Linux, you can download NmapFE which is a GUI version..

Here's what it looks like..^^

Ubuntu Interface:

We will tackle here on how to use Nmap in the Terminal..

here is the terminal/cmd syntax:

CODE :

Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, Mcft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts/networks -iR <num hosts>: Choose random targets --exclude <host1[,host2][,host3],...>: Exclude hosts/networks --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -P0: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idlescan -sO: IP protocol scan -b <ftp relay host>: FTP bounce scan --traceroute: Trace hop path to each host --reason: Display the reason a port is in a particular state PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast mode - Scan fewer ports than the default scan -r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports more common than <ratio> SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity <level>: Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) SCRIPT SCAN: -sC: equivalent to --script=safe,intrusive --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts --script-trace: Show all data sent and received --script-updatedb: Update the script database. OS DETECTION: -O: Enable OS detection (try 2nd generation w/fallback to 1st) -O2: Only use the new OS detection system (no fallback) -O1: Only use the old (1st generation) OS detection system --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T[0-5]: Set timing template (higher is faster) --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes --min-parallelism/max-parallelism <time>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long --scan-delay/--max-scan-delay <time>: Adjust delay between probes FIREWALL/IDS EVASION AND SPOOFING: -f; --mtu <val>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface>: Use specified interface -g/--source-port <portnum>: Use given port number --data-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <val>: Set IP time-to-live field --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address --badsum: Send packets with a bogus TCP/UDP checksum OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use twice for more effect) -d[level]: Set or increase debugging level (Up to 9 is meaningful) --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume <filename>: Resume an aborted scan --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Insecure.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output MISC: -6: Enable IPv6 scanning -A: Enables OS detection and Version detection, Script scanning and Traceroute --datadir <dirname>: Specify custom Nmap data file location --send-eth/--send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -V: Print version number -h: Print this help summary page.

But you might ask, why terminal/cmd while it has a GUI?

well, you can use GUI too..though it doesn't need a tutorial...get it? ^^

anyway..

you can see the syntax too by typing..

CODE :

nmap --help

Lets start with nmap's "scan me"..

type:
CODE :

nmap -v -A scanme.nmap.org

Explanation:
-v means your scan it in verbose mode, if you want to add verbosity level, type another v, i.e. -vv

-A means enable OS detection and Version detection, Script scanning and Traceroute

scanme.nmap.org is the host you want to scan..you can try other sites or an IP address..

Output:
CODE :

Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-09-23 12:49 PHT Initiating Ping Scan at 12:49 Scanning 205.217.153.62 [1 port] Completed Ping Scan at 12:49, 0.31s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 12:49 Completed Parallel DNS resolution of 1 host. at 12:49, 0.02s elapsed Initiating Connect() Scan at 12:49 Scanning scanme.nmap.org (205.217.153.62) [1705 ports] Discovered open port 22/tcp on 205.217.153.62 Discovered open port 53/tcp on 205.217.153.62 Discovered open port 80/tcp on 205.217.153.62 Connect() Scan Timing: About 12.55% done; ETC: 12:53 (0:03:29 remaining) Completed Connect() Scan at 12:51, 122.49s elapsed (1705 total ports) Initiating Service scan at 12:51 Scanning 3 services on scanme.nmap.org (205.217.153.62) Completed Service scan at 12:52, 11.97s elapsed (3 services on 1 host) SCRIPT ENGINE: Initiating script scanning. SCRIPT ENGINE: nselib/ not a directory SCRIPT ENGINE: Aborting script scan. Host scanme.nmap.org (205.217.153.62) appears to be up ... good. Interesting ports on scanme.nmap.org (205.217.153.62): Not shown: 1700 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 53/tcp open domain 70/tcp closed gopher 80/tcp open http Apache httpd 2.2.2 ((Fedora)) 113/tcp closed auth Read data files from: /usr/local/share/nmap Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ . Nmap done: 1 IP address (1 host up) scanned in 134.955 seconds

Wow..thats a scan!

now, with more scanning..

NOTE: you must be root/have administrative privileges to enable this scan..

TCP: Fingerprinting - need to be root..

type:

Code:
CODE :

nmap -sT -sR -sV -O -F -PT scanme.nmap.org

-sT means do a Connect scan..

-sR means do a RPC Scan

-sV means do a Version Probe Scan

-O means Detect the host's OS

-F means scan most important ports

NOTE: in Ubuntu, you should type 'sudo' before nmap to be root..^^

Output:
CODE :

Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-09-23 12:48 PHT SCRIPT ENGINE: nselib/ not a directory SCRIPT ENGINE: Aborting script scan. Interesting ports on scanme.nmap.org (205.217.153.62): Not shown: 1261 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 53/tcp open domain 70/tcp closed gopher 80/tcp open http Apache httpd 2.2.2 ((Fedora)) 113/tcp closed auth Device type: general purpose Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11 Uptime: 8.531 days (since Sat Sep 15 00:05:05 2007) OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ . Nmap done: 1 IP address (1 host up) scanned in 77.847 seconds

ill tell you a little trick :D

You can find many ip-address in Google!

just type:

CODE :

inurl:iplog.txt

^^

=====================================
Thank you for reading this tutorial!

you can explore nmap!
discovering things yourself is a very good thing!! :>

=====================================

Donate

Challenges

Get Informed

Get Involved

Communicate

About HTS

Partners