Nmap Scanning
Nmap, best known as the hacker's best friend, whether ethical or criminal, is one of the best-known network scanners available today. Nearly every hacker uses Nmap as a network scanning tool, and most pen-testing toolkits bundle Nmap as their basic port scanner. Nmap can scan networks, ports and services, and can also fingerprint the operating system. This tutorial is written so that anyone should be able to grasp all the commands and switches it covers in a single reading. Think that's impossible? Give it a try.
First we divide the switches into four groups,
1.Scan Types
2.Ping (host discovery) Scans
3.Timing
4.Output Type
Scan Type: All scan-type switches start with "-s" (without quotes); note that the 's' is lowercase and stands for scan (it is often misread as "synchronous", which it is not). The capital letter that follows picks the scan. A basic scan command is written as follows,
nmap -s[scan type] ip_address
----------------------------------------------
-sT TCP connect scan (completes the full three-way handshake, so it needs no raw-socket privilege but shows up in application logs)
-sS TCP SYN scan, also called the "half-open" or "stealth" scan (sends a SYN, reads the SYN/ACK or RST, and never completes the handshake; the default when run as root. It stays out of application logs, but any IDS watching the wire still sees the SYN)
-sF FIN scan (sends a packet with only the FIN flag set; a closed port answers RST, an open port stays silent)
-sX XMAS tree scan (FIN, PSH and URG set, "lit up like a Christmas tree"; not all flags)
-sU UDP scan
-sN NULL scan (no flags set at all)
-sP Ping scan (host discovery only, no port scan; newer versions spell this -sn)
-sO IP protocol scan (which IP protocols the host answers, not ports)
-sA ACK scan (maps firewall rules; it reports filtered/unfiltered, never open)
-sW Window scan (a TCP window-size variant of the ACK scan; "Window", not "Windows")
-sR RPC scan (legacy; newer versions do this as part of -sV version detection)
-sL List scan (lists the targets and their reverse-DNS names without sending a single probe)
-sI Idle scan (bounces probes off an idle "zombie" host, so the target sees the zombie's spoofed source address rather than yours)
How to remember all scan types: After reading the switch list above you will have noticed that every scan is written as "-s" followed by the capitalised first letter of its own name, except the protocol scan, which uses O (P is taken by the ping scan). So practically you don't need to remember anything beyond which scan you want to perform, then append its capital letter to "-s". Isn't that easy? Now suppose you want to list aaa.bbb.ccc.ddd and its DNS entry without scanning. Note what you want,
-List scan, that means L
so this will be your command,
nmap aaa.bbb.ccc.ddd -sL
If you want to scan UDP ports instead, type,
nmap aaa.bbb.ccc.ddd -sU
Note: Only one TCP scan type is allowed per run, but the UDP scan (and in newer versions the SCTP scan, -sY) can be combined with it.
nmap -sS -sU aaa.bbb.ccc.ddd is legal (TCP SYN plus UDP); nmap -sS -sT aaa.bbb.ccc.ddd is not.
Ping Scan: All host-discovery (ping) switches start with "-P"; note that the P is capital and stands for ping. The basic form is,
nmap -P[ping type] ip_address
-------------------------------------
-Pn No ping: skip host discovery and scan every target as if it were up (old versions spell this -P0, with a zero)
-PS TCP SYN ping (old versions: -PT)
-PA TCP ACK ping
-PU UDP ping
-PO IP protocol ping
-PE ICMP echo ping (old versions: -PI)
-PP ICMP timestamp ping
-PM ICMP netmask ping
-PB Legacy "both" ping: TCP ACK plus ICMP echo, the default in old versions
The TCP, UDP and protocol pings accept a list after the letter, for example -PS22,80,443 sends SYN probes to those three ports; without a list nmap uses its built-in defaults.
Now note that the letter after P is the capitalised first letter of the probe's own name (Syn, Ack, Udp, Echo, Mask), with the same exception as before: protocol becomes O, because P is taken by the timestamp ping (think "PP = Ping with a timestamP"). Remember -Pn when a firewall drops your pings: without it nmap will report the host as down and never scan it. With it, every address in a large range is scanned whether it exists or not, which is slow.
Timing: Timing templates are chosen with a capital T, either by name or by number (0 to 5).
-T0 Paranoid 300 seconds (5 minutes) between probes
-T1 Sneaky 15 seconds between probes
-T2 Polite 0.4 seconds between probes
-T3 Normal The default; runs probes in parallel
-T4 Aggressive Assumes a fast, reliable network; waits at most 1.25 seconds for a response
-T5 Insane Waits at most 0.3 seconds for a response
Note that the first three numbers are delays between probes, while the last two are response timeouts; -T4 and -T5 are faster because they give up sooner, and on a slow link they will miss open ports. The slow templates are for dodging rate-based IDS alerts, not for speed: at -T0 the default 1000 ports take 1000 x 300 seconds, roughly three and a half days, per host.
To remember the timing templates, first arrange the numbers in descending order,
300 15 0.4 - 1.25 0.3
My friend is Paranoid who Sneaks around networks,
300 15
He appears Polite Normally but is Aggressive to the level of Insanity.
0.4 - 1.25 0.3
I think that will do. The timing switch can go anywhere on the command line; this tutorial puts it last,
nmap aaa.bbb.ccc.ddd -sS -T polite
which is the same as nmap aaa.bbb.ccc.ddd -sS -T2.
Output Type: These switches only format the output as you want; each takes a filename argument and always starts with "-o",
-oN <file> Normal output (what you see on screen)
-oX <file> XML output (machine-readable, for tools and scripts)
-oG <file> Grepable output (one line per host, easy to process with grep and awk)
-oA <basename> All three at once, written as basename.nmap, basename.xml and basename.gnmap
Writing to a file does not switch off the screen output, so you lose nothing by always saving a copy.
I don't think I need to explain how to remember these.
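Grepable output is the format you will actually post-process, and its "Ports:" field is easy to get wrong (a UDP port in state open|filtered is not open). The script below is an added example, not part of the original tutorial and not part of Nmap itself; the -oG file it reads is constructed by hand in write_sample, so nothing here runs a real scan and the 192.0.2.x addresses are documentation addresses. It assumes the standard -oG layout of tab-separated fields, with each port written as port/state/protocol/owner/service/rpcinfo/version/.

```shell
#!/bin/sh
# Added example: parse nmap grepable (-oG) output with POSIX sh and awk.
# The sample file is constructed here, it is not real scan output.

# Write a constructed -oG file to the path given in $1.
write_sample() {
  {
    printf '# Nmap scan initiated (constructed sample, not a real scan)\n'
    printf 'Host: 192.0.2.10 (example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.10 (example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 53/open|filtered/udp//domain///\tIgnored State: closed (999)\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
  } > "$1"
}

# Print "host port/proto service" for every port whose state is exactly
# "open". States such as open|filtered (no reply seen, typical for UDP)
# are deliberately left out: they are unknowns, not findings.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host)   # drop the "Host: " label
      sub(/ .*/, "", host)       # drop the " (hostname)" part
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          ports = $i
          sub(/^Ports: /, "", ports)
          n = split(ports, p, ", ")
          for (j = 1; j <= n; j++) {
            # fields: port/state/proto/owner/service/rpcinfo/version/
            split(p[j], f, "/")
            if (f[2] == "open") print host, f[1] "/" f[3], f[5]
          }
        }
      }
    }' "$1"
}

# Count hosts reported as up (one "Status: Up" line per host).
hosts_up() {
  grep -c 'Status: Up' "$1"
}

# Stand-alone demo: write the sample, list its open ports, clean up.
sample="${TMPDIR:-/tmp}/nmap_sample_$$.gnmap"
write_sample "$sample"
open_ports "$sample"
echo "hosts up: $(hosts_up "$sample")"
rm -f "$sample"
```

Run it on a real file with open_ports scan.gnmap after a nmap -oG scan.gnmap ... run. If you also want the version column, print f[7] as well; it is empty unless -sV was used.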
Other Important Switches:
--traceroute Traces the path to each target, like any other traceroute program (it runs after the port scan so it can reuse a port already found open)
-R Always resolve DNS, even for hosts that are down (the opposite, -n, never resolves, which is faster and quieter)
-v Scan in verbose mode (-vv for more)
-O OS detection (needs raw-socket privileges, so run it as root; it works best alongside a SYN scan against a host with at least one open and one closed port)
-----------------------------------------------------
So here's an example of building a scan:
1.Create a stealth (SYN) scan with normal output saved to a file and 15 seconds between probes. Resolve DNS and use verbose mode.
Ans:
-Scan type prefix "-s"
-SYN scan "-sS"
-Use verbose "-sS -v"
-Resolve DNS "-sS -v -R"
-Normal output to scan.txt "-sS -v -R -oN scan.txt"
-15 seconds between probes "-sS -v -R -oN scan.txt -T sneaky" (or -T1)
So the answer is,
nmap -sS -v -R -oN scan.txt -T sneaky aaa.bbb.ccc.ddd
The order of the switches does not matter to nmap, but the filename must come directly after -oN, and the target must not be swallowed as that filename.
Following are for you to try yourself,
2.Create an IP protocol ping (-PO) scan with insane timing (0.3-second response timeout).
3.Create a UDP scan with XML output, in verbose mode.
------------------------------------------------------------------------------------
I hope we covered most of the switches in the easiest possible way. Feel free to comment if the article wasn't as easy as I intended, or if it was worth praise. Please feel free to share a link to this article on your blog or Facebook page if it was useful to you. Thank you for visiting; your comments are most welcome.