Exercise Lab Manual: Network scanning using Nmap
Nmap (Network Mapper) is a free and open-source network scanner. It discovers hosts and the
services running on them in a computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery,
service detection and operating system detection. These features are extensible with scripts
that provide more advanced service detection. In this exercise you will learn how to use Nmap
for various scanning activities and how to use Nmap scripts for important tasks.
1. Basic Nmap Scan against IP or host
nmap 192.168.45.130
To scan a hostname instead, simply replace the IP address with the hostname. For example:
nmap cdac.in
2. Scan specific ports or scan entire port ranges on a local or remote server.
nmap -p 1-65535 localhost
In this example we scanned all 65535 ports of the local host computer; Nmap is able to scan
every possible port.
3. Scan specific ports instead of all of them
nmap -p 80,443 192.168.45.130
Scanning only the ports you need returns results faster.
4. Scan multiple IP addresses
nmap 192.168.45.130,138
This scans both 192.168.45.130 and 192.168.45.138 (the comma lists values for the last octet);
a dash instead of a comma (192.168.45.130-138) scans the consecutive range.
5. Scan IP ranges
Use Nmap to scan an entire CIDR range, for example:
nmap 192.168.45.0/24
Use a wildcard to scan an entire class C range, for example:
nmap 192.168.45.*
If you need to exclude certain IPs from a range scan, use the --exclude option:
nmap 192.168.45.* --exclude 192.168.45.138
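To see exactly which addresses and ports a command line covers before running it, here is a small Python helper added to this manual (it is not part of Nmap or the original exercise). It expands the comma, dash, wildcard and CIDR target forms and the -p port forms used above, and drops anything given with --exclude; hostnames are not resolved.

```python
"""Expand Nmap-style target and port specifications.

Added example (not part of the lab manual or of Nmap itself): it mirrors the
target syntax used in the commands above so you can check which addresses
and ports a scan would touch. Supported target forms: single IP, octet lists
and ranges (192.168.45.130,138 / 192.168.45.130-138), wildcard octets
(192.168.45.*) and CIDR blocks. Hostnames are not resolved.
"""
from __future__ import annotations

import ipaddress
import itertools


def _expand_octet(spec: str) -> list[int]:
    """Expand one octet spec such as '130,138', '1-5' or '*' to a list of ints."""
    if spec == "*":
        return list(range(256))
    values = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"octet out of range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_targets(spec: str) -> list[str]:
    """Return the IPv4 addresses covered by one Nmap target spec."""
    if "/" in spec:
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_expand_octet(o) for o in octets))]


def resolve_scan_targets(specs: list[str], exclude: list[str] | None = None) -> list[str]:
    """Expand all specs, then drop anything covered by the --exclude specs."""
    excluded: set[str] = set()
    for ex in exclude or []:
        excluded.update(expand_targets(ex))
    seen: set[str] = set()
    result = []
    for spec in specs:
        for ip in expand_targets(spec):
            if ip not in excluded and ip not in seen:
                seen.add(ip)
                result.append(ip)
    return result


def expand_ports(spec: str) -> list[int]:
    """Expand an Nmap -p spec such as '80,443' or '1-65535' (T:/U: prefixes not handled)."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range: {part!r}")
        ports.extend(range(lo, hi + 1))
    return ports


if __name__ == "__main__":
    # Mirrors the wildcard command above with one host excluded.
    hosts = resolve_scan_targets(["192.168.45.*"], exclude=["192.168.45.138"])
    print(len(hosts), "hosts; .138 excluded:", "192.168.45.138" not in hosts)
    print(expand_ports("80,443"), len(expand_ports("1-65535")))
```

Note that the wildcard and CIDR forms include the network and broadcast addresses, which is also what Nmap does unless you exclude them.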
6. Scan the most popular ports
nmap --top-ports 20 192.168.45.130
Using the --top-ports parameter with a number lets you scan the top N most common ports for
that host. Nmap maintains a database of the ports that are usually open on Internet machines,
known as the top ports.
nmap --top-ports 20 localhost
7. Scan hosts and IP addresses reading from a text file
Suppose the user creates a file list.txt containing one host or IP address per line. Then:
nmap -iL list.txt
The -iL parameter lets the user read targets from that file and scan all the hosts listed in it.
8. Save your Nmap scan results to a file
To export (save) the results to a text file:
nmap -oN output.txt google.com
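Saved results are most useful when you compare them over time. The following Python script is an added example (not part of the manual or of Nmap): it parses the normal (-oN) output format and reports which hosts and open ports appeared or disappeared between a baseline scan and a later one. The two reports embedded below are constructed samples; in practice you would read them from the files written by nmap -oN.

```python
"""Parse Nmap normal (-oN) output and compare two scans.

Added example, not code from the lab manual or the Nmap project. The two
reports below are constructed samples in -oN format; in practice read them
from the files produced by 'nmap -oN output.txt ...'. Diffing a baseline
against a later scan is a cheap way to spot ports that were not open before.
"""
from __future__ import annotations

import re

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")

BASELINE_SCAN = """\
# Nmap scan initiated (constructed sample, baseline)
Nmap scan report for 192.168.45.130
Host is up (0.00042s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
443/tcp  filtered https
Nmap scan report for web01.lab.local (192.168.45.131)
Host is up (0.0011s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
# Nmap done (constructed sample)
"""

LATER_SCAN = """\
# Nmap scan initiated (constructed sample, later scan)
Nmap scan report for 192.168.45.130
Host is up (0.00039s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
Nmap scan report for web01.lab.local (192.168.45.131)
Host is up (0.0012s latency).
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
Nmap scan report for 192.168.45.140
Host is up (0.0020s latency).
PORT   STATE SERVICE
21/tcp open  ftp
# Nmap done (constructed sample)
"""


def parse_normal_output(text: str) -> dict[str, dict[str, str]]:
    """Map each host (IP if shown, else the name) to {'port/proto': state}."""
    report: dict[str, dict[str, str]] = {}
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2) or m.group(1)
            report[host] = {}
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            report[host][m.group(1)] = m.group(2)
    return report


def open_ports(report: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Reduce a parsed report to {host: open ports sorted by port number}."""
    return {h: sorted((p for p, s in ports.items() if s == "open"),
                      key=lambda p: int(p.split("/")[0]))
            for h, ports in report.items()}


def diff_scans(baseline_text: str, later_text: str) -> dict:
    """Return hosts and open ports that appeared or disappeared between scans."""
    before = open_ports(parse_normal_output(baseline_text))
    after = open_ports(parse_normal_output(later_text))
    result = {"new_hosts": sorted(set(after) - set(before)),
              "missing_hosts": sorted(set(before) - set(after)),
              "newly_open": {}, "no_longer_open": {}}
    for host in sorted(set(before) & set(after)):
        opened = sorted(set(after[host]) - set(before[host]))
        closed = sorted(set(before[host]) - set(after[host]))
        if opened:
            result["newly_open"][host] = opened
        if closed:
            result["no_longer_open"][host] = closed
    return result


if __name__ == "__main__":
    for key, value in diff_scans(BASELINE_SCAN, LATER_SCAN).items():
        print(f"{key}: {value}")
```

Only ports in state open are compared; a port that changes from filtered to open, as 443/tcp does above, is reported as newly open, which is usually the change worth investigating.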
9. Scan + OS and service detection with fast execution
Using the -A parameter enables OS and service detection; combining it with -T4 makes execution
faster. See the example below:
nmap -A -T4 scanme.nmap.org
Nmap can also control the speed of scanning with timing templates, from very slow (-T0) to
extremely aggressive (-T5).
10. Detect service/daemon versions
This can be done with the -sV parameter:
nmap -sV 192.168.45.130
11. Scan using TCP or UDP protocols
Standard TCP scanning output:
nmap -sT 192.168.45.2
UDP scanning using the -sU parameter:
nmap -sU 192.168.45.2
12. Finding multiple live hosts in the network
Start a ping scan for live hosts using the following command; Nmap will return a list of all
detected hosts.
nmap -sn 192.168.45.0/24
13. Performing idle scanning using Nmap (zombie scanning)
Open port scenario
Closed port scenario
Filtered port scenario
14. Finding a system with an incremental IP ID
15. Performing idle scanning using Nmap (zombie scanning)
Idle scan is the ultimate stealth scan: the attacker never has to send packets to the target
from his real IP address in order to get scan results back. One upshot of idle scan is that
intrusion detection systems will generally send alerts claiming that the zombie machine has
launched a scan against them, so it can be used to frame some other party for a scan. A unique
advantage of idle scan is that it can be used to defeat certain packet-filtering firewalls and
routers: IP source address filtering is a common (though weak) security mechanism for limiting
which machines may connect to a sensitive host or network. Simply specify the zombie hostname
to the -sI option and Nmap does the rest.
16. Bypassing firewall using fragmentation
Nmap lets the user set a specific MTU (Maximum Transmission Unit) for the packets it sends,
which is similar to the packet fragmentation technique. During the scan, Nmap will create
packets whose size is based on the number given. In this example we gave the number 24, so
Nmap will create 24-byte packets, which can confuse the firewall.
Keep in mind that the MTU number must be a multiple of 8 (8, 16, 24, 32, etc.).
17. Stealthy scan to avoid firewall detection
Nmap has an option that simplifies the process of performing TCP stealth scans: use the -sS
option to perform a TCP stealth scan with Nmap.
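A stealth scan avoids application logs because the handshake is never completed, but every probe still crosses the network and is visible to a firewall or flow collector. The following Python detector is an added example (not part of the manual or of Nmap) that shows what such a scan looks like from the defender's side: it reads constructed connection-log lines in an assumed format and flags a source that sends bare SYNs to many distinct host/port pairs within a short window.

```python
"""Flag SYN-scan behaviour in constructed connection logs.

Added example, not code from the lab manual or Nmap. A SYN scan never
completes the TCP handshake, so the scanned services log nothing, but every
SYN still shows up in firewall or flow logs. The lines below are constructed
samples in an assumed space-separated format:
    <epoch seconds> <src ip> <dst ip> <dst port> <tcp flags>
The detector counts distinct (dst, port) pairs that received a bare SYN from
one source inside a sliding time window and alerts past a threshold.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample: one host probing twenty ports on 192.168.45.130 within
# two seconds, mixed with ordinary traffic from another client.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i * 0.1:.1f} 192.168.45.50 192.168.45.130 {port} S"
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139,
                               143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080])]
    + ["1700000000.3 192.168.45.77 192.168.45.130 443 S",
       "1700000000.4 192.168.45.77 192.168.45.130 443 A",
       "1700000005.0 192.168.45.77 192.168.45.131 80 S",
       "1700000005.1 192.168.45.77 192.168.45.131 80 PA"]
)


def parse_flow_log(text: str) -> list[tuple[float, str, str, int, str]]:
    """Parse the assumed format into (ts, src, dst, dport, flags) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        rows.append((float(ts), src, dst, int(dport), flags))
    return rows


def detect_syn_scans(text: str, window: float = 5.0, threshold: int = 10) -> list[dict]:
    """Return one alert per source whose bare SYNs reached at least `threshold`
    distinct (dst, port) pairs within any `window`-second span."""
    by_src: dict[str, list[tuple[float, str, int]]] = defaultdict(list)
    for ts, src, dst, dport, flags in parse_flow_log(text):
        if flags == "S":  # bare SYN: the handshake was never completed
            by_src[src].append((ts, dst, dport))
    alerts = []
    for src, events in sorted(by_src.items()):
        events.sort()
        best, best_start, start = 0, 0.0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) > best:
                best, best_start = len(targets), events[start][0]
        if best >= threshold:
            alerts.append({"src": src, "first_seen": best_start,
                           "distinct_targets": best})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_scans(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs: a slow scan (-T0 or -T1) spreads its probes out to slip under a short window, so a longer window with a lower threshold is the usual counter-measure.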
18. Using Nmap Script engine
One of Nmap's greatest features is the Nmap Scripting Engine (known as NSE). Using NSE we can
do sophisticated version detection, vulnerability detection, backdoor detection and more.
CVE detection using Nmap
➢ Using NSE is crucial in order to automate system and vulnerability scans. For example, if the
user wants to run a full vulnerability test against a target, the following parameters can be
used, where vuln is a script with known vulnerability databases included:
nmap --script vuln 192.168.45.130
Downloading vulnerability script
The following commands install the vulscan script along with the databases it includes:
• git clone https://github.com/scipag/vulscan scipag_vulscan
• ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
• Run:
• nmap -sV -Pn -T5 --script vulscan <target ip>
19. DNS Enumeration
The following command tries to discover hosts' services using the DNS Service Discovery
protocol. It sends a multicast DNS-SD query and collects all the responses.
nmap --script=broadcast-dns-service-discovery scanme.nmap.org
➢ The following command tries to enumerate DNS hostnames by brute-force guessing of common
subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS
SRV records.
nmap -T4 -p 53 --script dns-brute scanme.nmap.org
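Because dns-brute guesses names that mostly do not exist, the authoritative server answers NXDOMAIN for nearly all of them, which is what a defender can look for. The Python script below is an added example (not part of the manual or of the dns-brute script): it reads constructed resolver-log lines in an assumed format and flags a client whose queries into one zone are mostly NXDOMAIN for distinct names, counting SRV guesses separately to mirror the dns-brute.srv behaviour.

```python
"""Spot subdomain brute-forcing in constructed DNS server logs.

Added example, not code from the lab manual or an Nmap script. A dns-brute
run asks for many guessed names under one zone and most guesses do not
exist, so the tell-tale sign is one client producing a burst of NXDOMAIN
answers for distinct names in the same zone. The lines below are constructed
samples in an assumed space-separated format:
    <client ip> <query name> <query type> <rcode>
"""
from __future__ import annotations

from collections import defaultdict

SAMPLE_DNS_LOG = """\
192.168.45.50 www.example.test A NOERROR
192.168.45.50 mail.example.test A NOERROR
192.168.45.50 ftp.example.test A NXDOMAIN
192.168.45.50 dev.example.test A NXDOMAIN
192.168.45.50 test.example.test A NXDOMAIN
192.168.45.50 vpn.example.test A NXDOMAIN
192.168.45.50 admin.example.test A NXDOMAIN
192.168.45.50 _ldap._tcp.example.test SRV NXDOMAIN
192.168.45.50 _sip._tcp.example.test SRV NXDOMAIN
192.168.45.77 www.example.test A NOERROR
192.168.45.77 www.example.test A NOERROR
192.168.45.77 typo.example.test A NXDOMAIN
"""


def zone_of(qname: str, labels: int = 2) -> str:
    """Take the last `labels` labels of a name as its zone (example.test)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def detect_dns_brute(text: str, min_nxdomain: int = 5, min_ratio: float = 0.5) -> list[dict]:
    """Return alerts for (client, zone) pairs with at least `min_nxdomain`
    distinct NXDOMAIN names making up at least `min_ratio` of their queries."""
    stats = defaultdict(lambda: {"total": 0, "nx_names": set(), "srv_guesses": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype, rcode = line.split()
        entry = stats[(client, zone_of(qname))]
        entry["total"] += 1
        if rcode == "NXDOMAIN":
            entry["nx_names"].add(qname.lower())
            if qtype == "SRV":
                entry["srv_guesses"] += 1  # mirrors the dns-brute.srv option
    alerts = []
    for (client, zone), e in sorted(stats.items()):
        nx = len(e["nx_names"])
        if nx >= min_nxdomain and nx / e["total"] >= min_ratio:
            alerts.append({"client": client, "zone": zone, "nxdomain_names": nx,
                           "total_queries": e["total"], "srv_guesses": e["srv_guesses"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_brute(SAMPLE_DNS_LOG):
        print(alert)
```

The ratio test keeps a client that merely mistypes one hostname (192.168.45.77 above) out of the alerts; only the client with a high proportion of distinct non-existent names is reported.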