Network Scanner NMAP

Nmap best known as hacker’s best friend may it be ethical or criminal is one of the best known network scanners available today. Today nearly each and every hacker uses nmap as network scanning tool and even pen-testing tools are bundled with Nmap as basic port scanning tool. Nmap can scan network, ports, services and also garb OS. This tutorial is written keeping this in mind that everyone should be able to grasp all commands and switches given in this tutorial in single reading. Do you think it’s impossible so why not give a try.

First we divide switches into four types,

1.Synchronous Scans

2.Ping Scans

3.Time Scans

4.Output Type

Synchronous Scan:All synchronous scans start with “-s”(without quotes), note that the ‘s’ denoting synchronous is not capital. Now a basic synchronous scan command is written as follows,

nmap -s[synchronous scan type] ip_address

----------------------------------------------

-sT Synchronous TCP scan

-sS Synchronous Stealth scan(This type of scan most of the time goes undetected by remote system)

-sF Synchronous FIN Scan(Sends FIN packets with RST flag)

-sX XMAS tree scan(A packet is known as XMAS when its all flag are set)

-sU UDP scan

-sN NULL Scan

-sP Ping Scan

-sO Protocol Scan

-sA ACK Scan

-sW Windows Scan

-sR Remote Procedure Call

-sL List DNS

-sI IDLE scan(A scan done with spoofed IP Address)

How to remember all synchronous scans: After reading above switch list you must have noted all types of scans appears to start with first letter capital of its own spelling placed next to “-s” except protocol scan which uses O. So practically you don’t need to remember anything other than which type of scan you want to perform then post fix “-s” with its capital letter. Isn’t that easy, now consider you want to scan aaa.bbb.ccc.ddd for its open ports and DNS entries. Note what you want,

-List DNS that means L

so this will be your command,

nmap aaa.bbb.ccc.ddd -sL

If you want to scan UDP protocol then type,

nmap aaa.bbb.ccc.ddd -sO UDP

Note: No two Synchronous Scans can be combined together.

nmap -sS -sU aaa.bbb.ccc.ddd is illegal.

Ping Scan: All Ping scans start with “-P”, note that P is capital and denotes ping. Now basic ping scan command is written as,

nmap -P[ping scan type] ip_address

-------------------------------------

-Pn No Ping

-PT TCP Ping

-PA ACK Ping

-PU UDP Ping

-PO Protocol Scan

-PS Synchronous Ping

-PI ICMP Ping Echo

-PB UDP ICMP timestamp

-PM ICMP Net Mask or Masked Scan

Now note the next option appearing after P is first letter capital of word’s own spelling except protocol ping and timestamp ping. As shown earlier everytime p from protocol will be replaced by O in scan type. To remember timestamp switch remember last letter p in timestamp appears like B.

Time Scans: Time switches are denoted by capital T.

-T Paranoid 300 seconds between scans

-T Sneaky 15 seconds between scans

-T Polite 4 seconds between scans

-T Normal Runs parallel scans

-T Aggressive 1.25 sec/probe

-T Insane 0.3 sec/probe

To remember time scans first we arrange times in descending order.

300 15 4 - 1.25 0.3

My friend is Paranoid who Sneaks around networks,

300 15

He appears Polite Normally but is Aggressive to the level of Insanity.

4 - 1.25 0.3

I think that will do. All time switches are appended at last of nmap command

nmap aaa.bbb.ccc -sS -T Polite

Output Type: It just formates output as you want. Always starts with “-o”

-oN Normal Output

-oX XML Output

-oG Grapple Output

-oA All Output

I don’t think now to explain how to remember them.

Other Important Switches:

--traceroute works similar as any other trace route program

-R Resolve DNS along with port scan

-v Scan in verbose mode
-O OS Scan

-----------------------------------------------------

So here’s an example to create scan:

1.Create a Stealth Synchronous scan with normal output with 15 seconds between each scan. Resolve DNS and use verbose mode?

Ans:

-Scan Type Synchronous means “-s”

-Subtype stealth “-sS”

-Use verbose “-sS -v”

-Resolve DNS “-sS -v -R”

-Normal Output “-sS -v -R -oN”

-15 seconds between scans “-sS -v -R -oN -T Sneaky”

So the answer is,

nmap aaa.bbb.ccc -sS -v -R -oN -T Sneaky

Following are for you try yourself,

2.Create a Ping protocol scan with 0.3 seconds scan difference between ports.

3.Create a Synchronous UDP scan with xml output use verbose mode.

------------------------------------------------------------------------------------

I hope we covered most of the switches in possible easy way. Feel free to comment if anyhow you felt the article wasn’t that easy as I expected or it was worth praise. Please feel free to share link to this article on your blog or facebook page if you think anyhow it became useful to you. Thank You for visiting and your comments are most welcome.