Saturday, January 9, 2016

Nmap Command For Network Admins

http://kalitut.blogspot.ca/2015/12/nmap-command-for-network-admins.html

Some of the most used Nmap commands on Linux.
Every network admin knows about Nmap; every one of them uses it or has used it.
It is one of the best tools of its kind. It was originally a Linux-only utility,
but it has since been ported to:

Windows, Solaris, BSD variants, HP-UX, OS X, IRIX, AmigaOS

When a piece of software gets ported to all those operating systems, that is a mark of how important it is.
Whatever you are trying to do as a network admin or a penetration tester, you will need to work with Nmap one day.
What is Nmap ?
Nmap ("Network Mapper") is an open source tool for network exploration and security auditing.
It was designed to rapidly scan large networks, yet it works fine against single hosts.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
With Nmap you can find out:
Which computers are up on a local network.
Which IP addresses are in use on a local network.
What operating system your target machine is running.
What ports are open on the machine you just scanned.
Whether a system shows signs of compromise, e.g. an unexpected listening port or a known backdoor service (Nmap is not an antivirus; it only sees what a host exposes on the network).
Unauthorized servers or network services on your network.
Computers that do not meet the organization's minimum level of security, so they can be fixed or taken off the network.

While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
The software provides a number of features for probing computer networks; we will try to learn some of them together.
Nmap was originally written by Gordon Lyon and first released in September 1997. It is written in C, C++, Python and Lua.

So now, after covering what we need to know about Nmap, we can start with the command list.

1) Nmap Scan a single host or an IP address (IPv4)
### Scan a single ip address ###
nmap 192.168.1.1
 
## Scan a host name ###
nmap example.com
 
## Scan a host name with more info###
nmap -v example.com
The output lists the open ports found (by default the 1000 most common TCP ports). A MAC address is only shown when the target is on the same local network segment, because Nmap learns it from ARP.


2) Scan multiple IP addresses or a subnet (IPv4)
nmap 192.168.1.1 192.168.1.2 192.168.1.3

## Same three hosts, using a comma-separated list in the last octet
nmap 192.168.1.1,2,3

## You can scan a range of IP addresses too:
nmap 192.168.1.1-20

## You can scan a range of IP addresses using a wildcard:
nmap 192.168.1.*

## Finally, you can scan an entire subnet:
nmap 192.168.1.0/24

3) Read list of hosts/networks from a file (IPv4)
The -iL option allows you to read the list of target systems from a text file.
This is useful to scan a large number of hosts/networks.
Create a text file as follows (any target format accepted on the command line works, one entry per line).
Your text file should look like this ( test.txt )
facebook.com
Yahoo.com
192.168.1.0/24
192.168.1.1/24
10.15.23.7
localhost
Note that 192.168.1.1/24 is the same network as 192.168.1.0/24: Nmap scans the whole /24 either way.
Let's say the text file is in /tmp. Here is your command:

nmap -iL /tmp/test.txt
4) Excluding hosts/networks (IPv4)
When scanning a large number of hosts/networks you can exclude hosts from a scan (handy for production boxes or devices known to fall over when scanned):

nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
Or read the exclude list from a file called /tmp/exclude.txt

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt
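Before a large scan it is worth expanding the target list yourself and checking exactly which addresses will be probed after the exclusions. The script below is an added example, not part of the original post and not Nmap code: it expands the IPv4 target forms used above (single address, CIDR, last-octet list, octet range, wildcard) and subtracts an exclude list, the way -iL with --exclude/--excludefile does. The sample lists are constructed; hostnames are left unresolved on purpose, and stripping "#" comments is this example's own convention.

```python
# Added example (not from the original post): expand Nmap-style IPv4 target
# specs and apply an exclude list, the way -iL/--exclude/--excludefile do,
# so a scan list can be reviewed before a single packet is sent.
import ipaddress
import re

_OCTET_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")
_OCTET_CHARS = re.compile(r"^[\d,*-]+$")


def _expand_octet(spec):
    """One octet spec ('5', '1-20', '1,2,3', '*') -> set of ints 0-255."""
    if spec == "*":
        return set(range(256))
    values = set()
    for part in spec.split(","):
        m = _OCTET_RE.match(part)
        if not m:
            raise ValueError("bad octet spec: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet out of range: %r" % part)
        values.update(range(lo, hi + 1))
    return values


def expand_target(spec):
    """
    Expand one target spec into a set of IPv4Address objects:
    '10.0.0.1', '10.0.0.0/24', '192.168.1.1-20', '192.168.1.1,2,3', '192.168.1.*'.
    Anything else (a hostname, an IPv6 address) is returned unexpanded as a
    one-element set of str, so the caller can decide whether to resolve it.
    """
    spec = spec.strip()
    if "/" in spec and ":" not in spec:
        # CIDR: nmap scans every address of the network, .0 and .255 included,
        # and 192.168.1.1/24 means the same 256 addresses as 192.168.1.0/24.
        return set(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) != 4 or not all(_OCTET_CHARS.match(o) for o in octets):
        return {spec}
    a, b, c, d = (_expand_octet(o) for o in octets)
    # Beware: wildcards in several octets multiply (10.*.*.* is 16M hosts).
    return {ipaddress.IPv4Address("%d.%d.%d.%d" % (w, x, y, z))
            for w in a for x in b for y in c for z in d}


def _read_list(lines):
    """Expand every non-blank line; '#' comments are stripped (this example's convention)."""
    out = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            out |= expand_target(line)
    return out


def build_scan_list(targets, excludes=()):
    """Targets minus excludes, both given as lists of lines (like -iL / --excludefile)."""
    return _read_list(targets) - _read_list(excludes)


def as_strings(addrs):
    """Printable form: IPs in numeric order first, then unresolved names."""
    ips = sorted(a for a in addrs if isinstance(a, ipaddress.IPv4Address))
    names = sorted(a for a in addrs if isinstance(a, str))
    return [str(ip) for ip in ips] + names


# Constructed sample lists, modelled on the test.txt / exclude.txt idea above.
TARGETS = ["192.168.1.1-5", "192.168.1.0/30  # small lab block", "10.15.23.7", "localhost"]
EXCLUDES = ["192.168.1.5,3  # the NAS and the printer stay out of scope"]

if __name__ == "__main__":
    for entry in as_strings(build_scan_list(TARGETS, EXCLUDES)):
        print(entry)
```

Running it prints the six entries that survive the exclusion; feed the same lists to nmap -iL/--excludefile and the "Nmap done: N IP addresses" line should match the count you reviewed.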
5) Turn on OS detection, version detection, script scanning and traceroute (IPv4)
A scan may show that a machine is listening on port 80, but without knowing its OS and web server version any attempted compromise is a "shot in the dark".
Nmap solves this with OS and version detection. The -A option enables OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and traceroute in one go; it is noisy and slow, but very informative. The following commands:

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt
6) Check if a host/network is protected by a firewall
The ACK scan (-sA) never tells you whether a port is open. It tells filtered (no reply, or an ICMP unreachable error) from unfiltered (a RST comes back), which reveals which ports a packet filter lets through; a stateful firewall usually shows every port as filtered:

nmap -sA 192.168.1.254
nmap -sA example.com
7) Scan a host when protected by the firewall
If the host drops the discovery probes, Nmap assumes it is down and skips it. -Pn skips host discovery and port-scans every target as if it were up (the older spelling -PN still works):

nmap -Pn 192.168.1.1
nmap -Pn example.com
8) Scan an IPv6 host/address
The -6 option enables IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here
nmap -6 example.com
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4
9) Scan a network and find out which servers and devices are up and running
This is known as host discovery or ping scan. -sn ("no port scan") is the current option name; -sP is the older spelling and is still accepted. On the local Ethernet segment discovery is done with ARP requests, which is why MAC addresses and vendors show up:

nmap -sn 192.168.1.0/24
Sample outputs:
Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 seconds
10) Display the reason a port is in a particular state (e.g. syn-ack for open, reset for closed, no-response for filtered):

nmap --reason 192.168.1.1
nmap --reason example.com
11) Only show open (or possibly open) ports:

nmap --open 192.168.1.1
nmap --open example.com
12) Show all packets sent and received

nmap --packet-trace 192.168.1.1
nmap --packet-trace example.com
13) Show host interfaces and routes
This is useful for debugging (similar to the output of the ip, route or netstat commands, but produced by Nmap) and for checking which interface Nmap will scan from:

nmap --iflist
Sample output: (screenshot of the interface and route tables, not reproduced here)


14) Scan specific ports

nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1
 
## Scan TCP port 80
nmap -p T:80 192.168.1.1
 
## Scan UDP port 53 (needs -sU; without a UDP scan type the U: ports are not probed)
nmap -sU -p U:53 192.168.1.1
 
## Scan two ports ##
nmap -p 80,443 192.168.1.1
 
## Scan port ranges ##
nmap -p 80-200 192.168.1.1
 
## Combine all options: a T: or U: prefix applies to every port after it until the next prefix ##
## (the U: ports are only probed when -sU is also given, as in the last line) ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.example.com
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
 
## Scan all ports with * wildcard (-p- is the usual spelling for 1-65535) ##
nmap -p "*" 192.168.1.1
 
## Scan top ports i.e. scan the $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1
Sample output: (screenshot of nmap --top-ports, not reproduced here)
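The T:/U: prefix rule above trips people up, so here is an added example (not part of the original post, and not Nmap's own parser) that expands a -p specification into the (protocol, port) pairs it actually selects, given which protocols the chosen scan types cover. The `probe_count` helper and the `protocols` argument are this example's own names; the behaviour modelled (prefix persists until the next prefix, bare ports apply to every scanned protocol, -p- means 1-65535, U: ports without -sU are skipped with a warning) is Nmap's.

```python
# Added example (not from the original post): expand an nmap -p port
# specification into the (protocol, port) pairs it selects.
def parse_port_spec(spec, protocols=("tcp",)):
    """
    Expand an nmap -p spec such as 'U:53,111,137,T:21-25,80,139,8080'.

    `protocols` is what the chosen scan types cover: ("tcp",) for a plain
    SYN/connect scan, ("tcp", "udp") for -sS -sU. A port with no prefix
    applies to every protocol in `protocols`; a T: or U: prefix switches the
    protocol for that port and all ports after it. '-' alone means 1-65535;
    an open-ended range such as '1000-' runs to 65535.

    Returns (selected, ignored): sorted lists of (proto, port). `ignored`
    holds ports whose protocol is not being scanned (e.g. U: ports without
    -sU), which nmap itself warns about and skips.
    """
    current = None   # None: no prefix seen yet, so "all scanned protocols"
    selected, ignored = set(), set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item[:2].upper() in ("T:", "U:"):
            current = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:].strip()
            if not item:          # a bare "T:" just switches protocol
                continue
        if item == "-":
            lo, hi = 1, 65535
        elif "-" in item:
            a, b = item.split("-", 1)
            lo = int(a) if a else 1
            hi = int(b) if b else 65535
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port out of range: %r" % item)
        for proto in ([current] if current else protocols):
            bucket = selected if proto in protocols else ignored
            bucket.update((proto, p) for p in range(lo, hi + 1))
    return sorted(selected), sorted(ignored)


def probe_count(spec, protocols=("tcp",)):
    """Ports per protocol a spec will cost: a sanity check before a slow UDP scan."""
    selected, _ = parse_port_spec(spec, protocols)
    counts = {}
    for proto, _port in selected:
        counts[proto] = counts.get(proto, 0) + 1
    return counts


if __name__ == "__main__":
    spec = "U:53,111,137,T:21-25,80,139,8080"
    print("with -sU -sT:", probe_count(spec, ("tcp", "udp")))
    print("with -sT only:", probe_count(spec), "ignored:", parse_port_spec(spec)[1])
```

With the page's combined spec and -sU -sT you get 8 TCP and 3 UDP ports; with a TCP-only scan the three UDP ports land in the ignored list, which is exactly the case the warning in the comments above is about.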


15) Scan all your devices/computers for open ports, fast
-T5 ("insane") is the most aggressive timing template. It is fine on a quiet LAN, but it can miss ports or overload slow devices, so prefer -T4 for results you care about:

nmap -T5 192.168.1.0/24
16) Detect the remote operating system
You can fingerprint a remote host's OS with the -O option (it works best when the host has at least one open and one closed TCP port); --osscan-guess makes Nmap print its closest guess even when no fingerprint matches exactly:

nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1
Sample output: (screenshot of OS detection results, not reproduced here)

17) Detect remote services (server / daemon) version numbers:
-sV sends protocol-specific probes to each open port and reports the product and version it recognizes, which is what you need to match a service against known vulnerabilities:

nmap -sV 192.168.1.1

18) Scan a host using TCP ACK (PA) and TCP SYN (PS) ping
If a firewall is blocking standard ICMP pings, try the following host discovery methods. The port list is attached directly to the option with no space; with a space, "80,21,443" would be parsed as a target name:

nmap -PS 192.168.1.1
nmap -PS80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA80,21,200-512 192.168.1.1
19) Scan a host using IP protocol ping
-PO sends IP packets with the given protocol numbers (by default ICMP, IGMP and IP-in-IP) and treats any reply, including an ICMP protocol unreachable error, as proof that the host is up:

nmap -PO 192.168.1.1
20) Scan a host using UDP ping
This gets through firewalls and filters that only screen TCP. By default the probe goes to port 40125, chosen because it is usually closed, so an ICMP port unreachable comes back and reveals the host. Again, the port list is attached with no space:

nmap -PU 192.168.1.1
nmap -PU2000,2001 192.168.1.1
21) Find out the most commonly used TCP ports using TCP SYN Scan

### SYN ("half-open") scan: the default when running as root; never completes the handshake ###
nmap -sS 192.168.1.1
 
### TCP connect scan: completes the full handshake, so the service logs the connection (no stealth); the default when not running as root ###
nmap -sT 192.168.1.1
 
### TCP ACK scan: maps firewall rules (filtered vs unfiltered); it does not find open ports ###
nmap -sA 192.168.1.1
 
### TCP Window scan: like the ACK scan, but on some systems the TCP window size of the RST tells open from closed ###
nmap -sW 192.168.1.1
 
### TCP Maimon scan: FIN/ACK probe; some BSD-derived stacks drop it for open ports instead of replying with RST ###
nmap -sM 192.168.1.1
22) Scan a host for UDP services (UDP scan)
Most popular services on the Internet run over TCP. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find them. UDP scanning is slow, and a port that never answers is reported as open|filtered (as in the sample output below); adding -sV makes Nmap send real protocol payloads and often settles the question:

nmap -sU nas03
nmap -sU 192.168.1.1

Starting Nmap 7.01 ( https://nmap.org ) at 2015-12-15 12:27 EST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
 
Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

23) Scan for IP protocol
This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:

nmap -sO 192.168.1.1
24) Scan a firewall for security weakness
The following scan types exploit a subtle loophole in the TCP RFC: a closed port must answer an unexpected packet with a RST, while an open port must stay silent, so they can slip past some non-stateful packet filters that only watch for SYN. Note that Windows and many network devices do not follow the RFC here and report every port as closed:
## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254
 
## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254
 
## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254

25) Scan a firewall with fragmented packets:

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. -f gives 8-byte fragments; -ff gives 16-byte ones.
nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
nmap -ff fw2.nixcraft.net.in
## Set your own fragment size with the --mtu option (must be a multiple of 8) ##
nmap --mtu 32 192.168.1.1
26) Cloak a scan with decoys
With the -D option it appears to the remote host that the hosts you specify as decoys are scanning the target network too. Their IDS might report 5-10 port scans from unique IP addresses, but it will not know which IP was really scanning and which were innocent decoys. You can write your own address in the list or use the keyword ME to mark your position. The decoys should be hosts that are actually up, and bear in mind that upstream routers may drop packets with spoofed source addresses, in which case only your real scan gets through:
nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
## (the target must not be one of the decoys, so scan 192.168.1.254 here, not 192.168.1.5)
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.254
27) Spoof your MAC address (only meaningful when the target is on your own Ethernet segment):
### Spoof your MAC address ##
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
 
### Add other options ###
nmap -v -sT -Pn --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
 
### Use a random MAC address ###
### The number 0 means nmap chooses a completely random MAC address; a vendor name such as Cisco picks a random MAC with that vendor's prefix ###
nmap -v -sT -Pn --spoof-mac 0 192.168.1.1
28) How to save output to a text file
The syntax is:
nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
-oN writes the normal human-readable output. For anything you intend to parse or compare later, use -oX (XML) or -oG (grepable) instead, or -oA basename to write all three formats at once.
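The reason to save XML rather than redirected text is that you can diff scans: keep a baseline of what is supposed to be listening and compare every new scan against it, which is the "unauthorized servers or network services" check from the introduction. The script below is an added example, not part of the original post and not an Nmap tool; it reads two `nmap -oX` documents and reports new hosts, newly open ports and ports that disappeared. The two XML documents are constructed for this example (the element and attribute names, host/status/address/ports/port/state/service, are the ones Nmap writes); with real files you would pass the contents of baseline.xml and current.xml instead.

```python
# Added example (not from the original post): compare a saved baseline scan
# with a fresh one, both written with `nmap -oX`, and report what changed.
import xml.etree.ElementTree as ET

# Constructed sample: the "known good" state of the lab network.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX baseline.xml 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.1" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
 </ports></host>
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.12" addrtype="ipv4"/>
 <address addr="00:11:32:11:15:FC" addrtype="mac" vendor="Synology Incorporated"/>
 <hostnames><hostname name="nas03" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
  <port protocol="tcp" portid="2049"><state state="open" reason="syn-ack"/><service name="nfs"/></port>
 </ports></host>
</nmaprun>
"""

# Constructed sample: a later scan. The NAS grew a VNC port, an unknown host
# appeared with tcp/4444 open, port 80 on the gateway is now filtered, and
# one host is down (a down host carries no ports and must be skipped).
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX current.xml 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.1" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/><service name="http"/></port>
 </ports></host>
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.12" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
  <port protocol="tcp" portid="2049"><state state="open" reason="syn-ack"/><service name="nfs"/></port>
  <port protocol="tcp" portid="5900"><state state="open" reason="syn-ack"/><service name="vnc"/></port>
 </ports></host>
<host><status state="up" reason="arp-response"/>
 <address addr="192.168.1.77" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="4444"><state state="open" reason="syn-ack"/></port>
 </ports></host>
<host><status state="down" reason="no-response"/>
 <address addr="192.168.1.99" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ipv4: {(proto, port): service_name}} for every host that is up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        services = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue   # closed, filtered and open|filtered are not confirmed listeners
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            services[(port.get("protocol"), int(port.get("portid")))] = name
        inventory[addr.get("addr")] = services
    return inventory


def diff_inventory(baseline, current):
    """Return (new_hosts, new_services, gone_services); services are (ip, proto, port, name)."""
    new_hosts = sorted(set(current) - set(baseline))
    new_services = sorted(
        (ip, proto, port, name)
        for ip, services in current.items()
        for (proto, port), name in services.items()
        if (proto, port) not in baseline.get(ip, {}))
    gone_services = sorted(
        (ip, proto, port, name)
        for ip, services in baseline.items()
        for (proto, port), name in services.items()
        if (proto, port) not in current.get(ip, {}))
    return new_hosts, new_services, gone_services


if __name__ == "__main__":
    new_hosts, new_services, gone_services = diff_inventory(
        parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML))
    for ip in new_hosts:
        print("NEW HOST    %s" % ip)
    for ip, proto, port, name in new_services:
        print("NEW SERVICE %s %s/%d (%s)" % (ip, proto, port, name))
    for ip, proto, port, name in gone_services:
        print("GONE        %s %s/%d (%s)" % (ip, proto, port, name))
```

Only ports in state "open" count as services, so a port that merely went from open to filtered shows up as gone rather than as a false "new" entry; run the comparison from cron against an -oA output and you have a cheap change detector for the network.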

Those are the most important commands for Nmap.
These days many people want things simple and easy, just a click and it scans; for that we have Zenmap.
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
You can download it from https://nmap.org

Hope you found what you want here. Leave a comment and let me know what you need; I will do my best to help,
and keep in mind that learning the command line is very important: sometimes you just have to deal with it without a GUI scanner.
