A well-known open-source security program called Nmap (Network Mapper) is used to find hosts and services on a computer network and to map out the topology of the network. It may be utilized to check for open ports and identify operating systems, services, and vulnerabilities on hosts.
Network exploration and security audits are Nmap’s two main applications. It is a useful tool for network managers and security experts since it can be used to swiftly and effectively scan big networks.
Nmap can be run from the command line or via a graphical user interface. It is available for Windows, Linux, and macOS. Nmap can also be extended with custom scripts and plugins to add additional functionality.
Nmap (Network Mapper) is a versatile security tool that offers several key functions for network exploration, management, and security auditing.
Some of the key features of Nmap include:
Host Discovery: Nmap can be used to scan a network to determine which hosts are available and online. This is useful for network administrators to verify which hosts are connected to the network.
Port Scanning: Nmap can scan a target host or network to determine which ports are open and what services are running on those ports. This can help identify potential security vulnerabilities that could be exploited by attackers.
Operating System Detection: Nmap can be used to determine the operating system of a target host or network by analyzing network traffic and other characteristics.
Service Detection: Nmap can be used to detect the type of services running on a target host or network, such as web servers, email servers, and file-sharing services.
Version Detection: Nmap can be used to determine the version numbers of services running on a target host or network. This information can be used to identify vulnerabilities in specific software versions.
Scriptable Interaction: Nmap can be customized using scripts and plugins to perform more advanced tasks, such as detecting vulnerabilities, testing firewalls, and detecting network misconfigurations.
Network Mapping: Nmap can be used to create a map of the network topology, which can be useful for network administrators to understand the layout of the network and identify potential security issues.
Overall, Nmap is a powerful tool for network administrators and security professionals to explore and manage computer networks and identify potential security vulnerabilities.
Here are the first 10 basic commands that you should know:
Basic Scan: This is the simplest scan and it scans for open ports on the target host.
nmap <target>
Executing nmap <target> on the target host will do a basic scan that includes locating open ports and starting service version detection. The command’s output will include details about the target host and its open ports, including each port’s state (open, closed, filtered, etc.) and the service currently using it. The output will also contain any device-specific data that can be gleaned from the target, along with information on the operating system. Depending on the command flags used and the complexity of the target network, the output will vary.
Example of what the output of nmap <target> might look like:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-09 10:00 UTC
Nmap scan report for target.example.com (192.168.0.1)
Host is up (0.0032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
In this example, nmap <target> is scanning the host target.example.com with IP address 192.168.0.1. The output shows that the host is up and responsive with a low latency of 0.0032 seconds. The scan discovered three open ports: SSH on port 22, HTTP on port 80, and HTTPS on port 443. The report also indicates that there are 999 closed ports that were not shown in the output. Finally, the report displays a summary of the scan showing that one IP address was scanned and one host was found to be up. The scan was completed in 0.06 seconds.
Host Discovery: To scan a network for available hosts, use the following command:
nmap -sn <target network>
For example:
nmap -sn 192.168.1.0/24
The -sn option sets Nmap to perform a “ping scan” (host discovery scan) instead of a port scan. It instructs Nmap to send ICMP echo requests (pings) to each host in the specified IP address range (192.168.1.0/24 in this case) to determine which hosts are up and running on the network. This type of scan is also known as a “ping sweep” and is a quick way to identify which hosts are online and available for further scanning or investigation.
Example of what the output of nmap -sn <target network> might look like:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-04 10:00 EST
Nmap scan report for 192.168.1.1
Host is up (0.0084s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0052s latency).
Nmap scan report for 192.168.1.23
Host is up (0.011s latency).
Nmap scan report for 192.168.1.34
Host is up (0.014s latency).
Nmap scan report for 192.168.1.65
Host is up (0.015s latency).
Nmap scan report for 192.168.1.99
Host is up (0.018s latency).
Nmap scan report for 192.168.1.125
Host is up (0.022s latency).
Nmap scan report for 192.168.1.254
Host is up (0.035s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 3.05 seconds
In this example, a ping scan of the 192.168.1.0/24 network range, which contains 256 IP addresses, was carried out using the nmap -sn command. The result displays the IP addresses and response times (latency) of the hosts that responded to the ping scan. Eight hosts were found to be up on the network in this scenario.
Port Scanning: To scan a host for open ports, use the following command:
nmap -p <port number> <target host>
The nmap -p <port number> <target host> command will scan the specified port number(s) on the target host and report which ports are open, closed, or filtered.
A real example: running the command nmap -p 80 kybersec.me will scan port 80 on that host.
The -p option sets the port(s) to scan. Several ports can be separated by commas, and a range can be given with a hyphen. For example, nmap -p 80,443 example.com will scan both ports 80 and 443 on the website, while nmap -p 1-100 example.com will scan all ports in the range 1 to 100.
Operating System Detection: To detect the operating system of a target host, use the following command:
nmap -O <target host>
nmap -O: This command attempts to identify the operating system running on the target host. It uses a variety of techniques such as TCP/IP stack fingerprinting and TTL analysis to make an educated guess about the OS. Output includes the OS name and the confidence level of the guess.
Example of what the output of nmap -O <target host> might look like:
nmap -O 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-02 12:00 EST
Nmap scan report for example.com (192.168.1.1)
Host is up (0.10s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
Device type: router
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 – 2.6.39
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds
In this example, Nmap identified the target host as a router running Linux 2.6.X. The confidence level of the guess is not shown in this output; it varies with the network characteristics that Nmap is able to examine.
Service/Version Detection: To detect the services running on a target host, use the following command:
nmap -sV <target host>
Example:
nmap -sV 192.168.1.1
Example of what the output of nmap -sV <target host> might look like:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-27 14:00 EST
Nmap scan report for target.host.com (192.168.1.100)
Host is up (0.035s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open https Apache httpd 2.4.38 ((Debian))
8080/tcp open http Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.12 seconds
In this example, Nmap has scanned the target host at IP address 192.168.1.1 and has identified several open ports, including SSH (port 22), HTTP (ports 80 and 8080), HTTPS (port 443), and RPC (port 111). For each open port, Nmap has attempted to determine the version number of the service running on that port and has reported back the results. In this case, the SSH service is running version 7.9p1 of OpenSSH on Debian 10, the HTTP and HTTPS services are running version 2.4.38 of Apache httpd on Debian, and the RPC service is running version 2-4. Nmap has also detected that the host is running Linux as its operating system. Overall, the -sV option provides valuable information about the software running on a target host or network that can be used to identify potential vulnerabilities or misconfiguration.
Aggressive Scan: This is an intensive scan and tries to gather as much information as possible about the target host.
nmap -A <target host>
The nmap -A command uses the -A option to enable more aggressive scanning options in Nmap. This option instructs Nmap to perform OS detection, version detection, script scanning, and traceroute on the target host. The -A option is a shorthand for enabling several other options that provide additional information about the target and its network environment. Here’s a brief overview of what the -A option includes:
OS detection (-O): Attempts to determine the operating system of the target host based on characteristics of its network responses.
Version detection (-sV): Attempts to determine the version numbers of the services running on the target host by sending probes to each open port and analyzing the responses.
Script scanning (-sC): Executes a set of Nmap scripts against the target host to identify potential vulnerabilities or misconfiguration.
Traceroute (--traceroute): Determines the network path to the target host by identifying the routers and gateways between the source and target.
By using the -A option, Nmap can provide a more comprehensive and detailed scan of the target host and its network environment. However, the aggressive nature of these options can also generate more traffic and potentially cause disruptions or trigger security alerts, so it’s important to use caution and obtain permission before using this option on a live network.
Example:
nmap -A 192.168.1.1
Example of what the output of nmap -A <target host> might look like:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-03 10:00 EST
Nmap scan report for 192.168.1.1
Host is up (0.011s latency).
PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
80/tcp open http lighttpd 1.4.35
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn’t have a title (text/html; charset=utf-8).
139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8080/tcp open http mini_httpd 1.19
|_http-server-header: mini_httpd/1.19 19dec2016
|_http-title: Site doesn’t have a title (text/html).
|_http-favicon: Unknown favicon MD5: 2C1A18C0AC20755DDCA0A8A2D30E88A9
Device type: firewall|general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.4
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 11.00 ms 192.168.1.1
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds
This command performs a more aggressive scan and tries to identify the operating system and software versions running on the target machine. In this example, Nmap has identified that the target is running a Linux-based operating system with a kernel version between 3.2 and 4.4, and is also running several open services including telnet, HTTP on ports 80 and 8080, and Samba file sharing on ports 139 and 445. The output also includes information about the server software versions and some information about the web pages hosted on the HTTP servers. Finally, the report indicates that the scan took 4.05 seconds to complete.
Scriptable Interaction: To use Nmap scripts to perform more advanced tasks, use the following command:
nmap --script=scriptname target.host.com
The command uses the --script option to specify a specific Nmap script to run against the target host. Nmap scripts are small programs that can be used to automate and extend Nmap’s functionality by performing tasks such as vulnerability detection, service enumeration, and network analysis. The --script option allows you to choose from a wide variety of pre-existing scripts that are included with Nmap, or you can create your own custom scripts to suit your specific needs.
When you specify a script using the --script option, Nmap will execute that script against the target host and report back the results. The output of the script may include information about the services running on the target host, potential vulnerabilities or misconfiguration, or other useful details about the host or network environment. By using scripts, you can automate certain aspects of the scanning process and obtain more detailed information about the target host without having to manually perform each step of the analysis.
For example, if you wanted to run the Nmap script called “vuln” to detect a specific vulnerability on a target web server, you could use the following command:
nmap --script=vuln target.host.com
Example of what the output of nmap --script=vuln target.host.com might look like:
Nmap scan report for target.host.com (10.0.0.1)
Host is up (0.0039s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Host script results:
|_clock-skew: mean: -1h50m05s, deviation: 2h42m13s, median: -31m05s
|_nbstat: NetBIOS name: TARGET, NetBIOS user: , NetBIOS MAC: 00:11:22:33:44:55 (unknown)
|_smb2-security-mode: SMB2 only
|_smb2-time: Protocol negotiation failed (SMB2)
| vulners:
| cpe:/a:nginx:nginx:1.15.12: CVE-2019-9511 HTTP/2 Request Smuggling Attack
| cpe:/a:nginx:nginx:1.15.12: CVE-2019-9513 HTTP/2 Request Smuggling Attack
| cpe:/a:nginx:nginx:1.15.12: CVE-2019-9516 HTTP/2 Request Smuggling Attack
| cpe:/a:nginx:nginx:1.15.12: CVE-2019-9517 HTTP/2 Request Smuggling Attack
|_ cpe:/a:nginx:nginx:1.15.12: CVE-2019-9518 HTTP/2 Request Smuggling Attack
Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds
In this example, the vuln Nmap script is used to search for known vulnerabilities in the target’s services. The output shows that the target has three open ports (22/TCP, 80/TCP, and 443/TCP), and the results of several host scripts, including the vulners script. The vulners script has identified that the target is running Nginx version 1.15.12, which is vulnerable to several HTTP/2 request smuggling attacks (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516, CVE-2019-9517, and CVE-2019-9518).
This information can be used by security professionals to identify and remediate vulnerabilities in their systems. In this case, the vulnerability in Nginx can be addressed by upgrading to a version that is not vulnerable to these attacks.
Save Output to File: This saves the output of the Nmap scan to a file.
nmap -oN <file name> <target host>
Example:
nmap -oN scan.txt 192.168.1.1
The -oN option in Nmap sets the output format to normal format, which is a human-readable text format that includes information about the scan results. The output is saved to a file specified by the user, with the filename following the -oN option. For example, the command nmap -oN output.txt target.com will run a scan on target.com and save the output to output.txt in normal format.
If the command nmap -oN output.txt 192.168.0.1 is run in a terminal with the current working directory /home/user/, the output file output.txt will be created in that directory, as /home/user/output.txt.
A real example of using -oN:
nmap -oN scanresult.txt kybersec.me
This command runs a basic Nmap scan on the kybersec.me host and saves the output to a file called scanresult.txt in normal format.
Using the -oN option allows you to save the output of your Nmap scans to a file, which can be useful for documentation or further analysis. The normal format is designed to be human-readable and provides a good balance of detail and conciseness. However, if you need to parse Nmap output with a script or another tool, you may want to consider using a different output format such as XML or JSON.
Nmap supports several output formats besides the normal format written by -oN (which is the default). The other output options include:
-oX filename.xml: saves the output in XML format
-oG filename.gnmap: saves the output in grepable format
-oA basename: saves the output in all formats (normal, XML, and grepable) with the given basename
These options provide more flexibility for how you can use and analyze Nmap output.
For example, XML output can be easily parsed by scripts or other tools, while grepable output can be searched and filtered using standard Unix utilities such as grep and awk.
Here are some examples of how to use these options:
nmap -oX output.xml target.com – save the output in XML format
nmap -oG output.gnmap target.com – save the output in grepable format
nmap -oA scan_results target.com – save the output in all formats with basename “scan_results”
Using these options, you can customize the way that Nmap output is saved and use the format that is best suited to your needs.
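As an added example (not code from the original article), the following Python script parses Nmap’s -oX output and flags any open port that is missing from an approved-services baseline, which is the kind of “port that shouldn’t be open” check the XML format makes easy to script. The XML is a constructed sample modelled on the -sV output shown above, not a real capture, and the BASELINE allow-list is an assumption.

```python
"""Parse Nmap XML output (-oX) and compare it with an approved-services baseline.
Added example for this article; the XML below is a constructed sample modelled on
the -sV output above, and the BASELINE allow-list is an assumption."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 192.168.1.100` might write.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.100">
  <host>
    <status state="up"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <hostnames><hostname name="target.host.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1 Debian 10+deb10u2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.38"/></port>
      <port protocol="tcp" portid="111"><state state="open"/>
        <service name="rpcbind" version="2-4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="Apache httpd" version="2.4.38"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.38"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/>
        <service name="smtp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed baseline: the only (protocol, port) pairs this host is approved to expose.
BASELINE = {"192.168.1.100": {("tcp", 22), ("tcp", 80), ("tcp", 443)}}


def parse_nmap_xml(xml_text):
    """Return {addr: [(proto, port, service, version), ...]} for open ports on hosts that are up."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposed services
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # Join product and version the way the normal-format VERSION column shows them.
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            version = " ".join(p for p in parts if p)
            open_ports.append((port.get("protocol"), int(port.get("portid")), name, version))
        hosts[addr] = open_ports
    return hosts


def unexpected_ports(scan, baseline):
    """Return open ports absent from the baseline as (addr, proto, port, service, version)."""
    findings = []
    for addr, ports in scan.items():
        allowed = baseline.get(addr, set())
        for proto, portid, name, version in ports:
            if (proto, portid) not in allowed:
                findings.append((addr, proto, portid, name, version))
    return findings


if __name__ == "__main__":
    for finding in unexpected_ports(parse_nmap_xml(SAMPLE_XML), BASELINE):
        print("UNEXPECTED: %s %s/%d %s %s" % finding)
```

Against the sample, rpcbind on 111/tcp and the second Apache instance on 8080/tcp are reported as unexpected; the closed SMTP port is ignored.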
TCP SYN Scan: This is a fast scan that uses TCP SYN packets to identify open ports on the target host.
nmap -sS <target>
The -sS option tells Nmap to use SYN scan, which is the default TCP scanning method in Nmap. SYN scanning involves sending a SYN packet to the target’s designated port and then waiting for an answer. If the port is open and listening, the target responds with a SYN-ACK packet; if the port is closed, it returns a RST packet. Nmap uses these responses to find out which ports are open and which are closed on the target host.
Example of what the output of nmap -sS <target> might look like:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-06 13:35 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.023s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8000/tcp filtered http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
In this example, the -sS option is used to perform a TCP SYN scan on the target example.com. The output displays the open ports along with their corresponding service name and state, as well as a port that is filtered.
UDP Scan: This scans for open UDP ports on the target host.
nmap -sU <target>
The -sU option is used to specify that Nmap should perform a UDP scan instead of a TCP scan. UDP scans are useful for discovering services that use UDP protocols, such as DNS, DHCP, and SNMP.
When the -sU option is used, Nmap sends UDP packets to various ports on the target system and waits for a response. The ports that are scanned by default are 53 (DNS), 67 and 68 (DHCP), 69 (TFTP), 123 (NTP), 161 (SNMP), and 389 (LDAP).
UDP scanning can be more challenging than TCP scanning since UDP is connectionless and does not provide a mechanism for verifying that a packet has been received. This means that some UDP services may not respond to probes, and false positives may occur.
Example of what the output of nmap -sU <target> might look like:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-06 15:47 EST
Nmap scan report for
Host is up (0.022s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
161/udp open|filtered snmp
123/udp open|filtered ntp
514/udp open|filtered syslog
12345/udp open|filtered netbus
Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds
In this example, Nmap has scanned the target and found several open UDP ports as well as the services that are using those ports. Due to the stateless nature of the protocol, UDP scanning can be more difficult than TCP scanning, so results might not be as accurate or comprehensive as with TCP scanning.
Security experts might find potential vulnerabilities in the target system by looking at which ports are open and what services are using them.
For instance, the target system may be exposed to known exploits if Nmap detects that it is running an outdated version of a specific service, such as a web server. Similarly to this, Nmap’s discovery of a port that shouldn’t be open could point to a flaw or incorrect configuration.
A number of variables, such as the program being used on the port, its version, and the configuration of the system, affect how vulnerable an open port is. However, some ports are historically more vulnerable than others due to the type of services they typically run.
As a bonus here are some examples of ports that have been historically vulnerable:
Port 21 (FTP): FTP servers are often vulnerable to brute-force attacks, in which an attacker repeatedly guesses usernames and passwords until they gain access. Additionally, FTP servers can be used to upload malicious files to a target system.
Port 22 (SSH): SSH servers are often targeted by brute-force attacks and can be vulnerable to remote code execution attacks if they are not properly configured.
Port 23 (Telnet): Telnet servers transmit data in plain text, which makes them vulnerable to interception and tampering. Additionally, Telnet servers are often targeted by brute-force attacks.
Port 25 (SMTP): SMTP servers are often targeted by spam and phishing campaigns. Additionally, poorly configured SMTP servers can be used to relay spam or other malicious messages.
Port 80 (HTTP): HTTP servers are often targeted by web application attacks, such as SQL injection and cross-site scripting (XSS) attacks.
It’s important to note that any open port can potentially be vulnerable, so it’s important to properly secure all open ports on a system.