Original address: http://drops.wooyun.org/tips/2002
0x00 Nmap Introduction
Nmap (Network Mapper) is a security scanner written by Gordon Lyon for discovering hosts and services on a computer network. To build a map of the network, Nmap sends specially crafted packets to the target host and analyses the responses it gets back. It is a powerful tool for enumerating and testing networks.
Nmap Features:
Host discovery: identifies hosts on the network, for example those that respond to TCP or ICMP requests or have particular ports open.
Port scanning: enumerates the ports that are open on the target host.
Version detection: probes the target host's network services to determine the application name and version number.
OS detection: determines the target host's operating system and the hardware characteristics of network devices.
Scriptable probing: custom probe scripts can be written with the Nmap Scripting Engine (NSE) and the Lua programming language.
Nmap can also report target details such as the reverse DNS name, device type, and MAC address.
(For details on reverse DNS lookups, see http://www.debouncer.com/reverse-dns-check)
0x01 Nmap Typical uses:
0x02 Nmap Installation
The latest version of Nmap can be downloaded from http://nmap.org/download.html
To install Nmap, follow the installation wizard, clicking Next until it finishes.
Open a command prompt (cmd) and type nmap; if Nmap's help text appears, the installation succeeded.
0x03 nmap Command operation
Note: Please build a simulated network environment with your own devices (virtual machines, mobile phones and the like) and test only where you have moral and legal permission. Otherwise, you know.
1. Nmap simple scan
By default, Nmap sends an ARP ping packet and then probes which ports in the 1-10000 range are open on the target host.
Command syntax:
nmap <target ip address>
Explanation: <target ip address> is the IP address of the destination host.
2. Nmap simple scan with detailed (verbose) output of the results
Command syntax:
nmap -vv <target ip address>
Explanation: the -vv parameter makes Nmap print detailed output of the results.
3. Nmap custom scan
By default, Nmap scans ports in the range 1-10000 on the target. The -p parameter sets the port range to scan.
Command syntax:
nmap -p<range> <target ip>
Explanation: <range> is the port range to scan; port numbers cannot exceed 65535. <target ip> is the destination IP address.
Example: scan ports 1-50 of the target host:
nmap -p1-50 <target ip>
Example: scan ports 1-100 of the target host:
nmap -p1-100 <target ip>
Example: scan ports 50-500 of the target host:
nmap -p50-500 <target ip>
4. Nmap scan of specified ports
Sometimes you do not want to probe every port, only particular ones such as 80, 443, 1000 and 65534. These can also be configured with the -p parameter.
Command syntax:
nmap -p<port1,port2,port3,...> <target ip>
Example:
nmap -p80,443,22,21,8080,25,53 10.1.1.254
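As an added example (not part of the original tutorial), the following Python helper validates an nmap-style -p port list before it is put on the command line: it enforces the 1-65535 limit mentioned above, merges overlapping or adjacent ranges, and rebuilds a compact specification. The function names and the argv-building convention are this example's own assumptions, not Nmap's.

```python
# Added example: validate an nmap-style "-p" port specification before use.
# Not part of the original tutorial; function names are this example's own.
# Accepts single ports and ranges ("80,443,1-1000"), rejects anything outside
# 1-65535 (the limit the tutorial mentions), merges overlapping or adjacent
# ranges and renders a compact specification again.
from __future__ import annotations

MAX_PORT = 65535


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Return sorted, merged (low, high) ranges for an nmap -p style spec.

    Raises ValueError for malformed items or ports outside 1..MAX_PORT.
    """
    ranges: list[tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty port item in spec: {spec!r}")
        low_s, sep, high_s = item.partition("-")
        try:
            low = int(low_s)
            high = int(high_s) if sep else low
        except ValueError:
            raise ValueError(f"malformed port item: {item!r}") from None
        if not (1 <= low <= high <= MAX_PORT):
            raise ValueError(f"port item {item!r} outside 1-{MAX_PORT}")
        ranges.append((low, high))
    ranges.sort()
    merged: list[tuple[int, int]] = []
    for low, high in ranges:
        if merged and low <= merged[-1][1] + 1:
            # overlaps or touches the previous range: extend it
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def render_port_spec(ranges: list[tuple[int, int]]) -> str:
    """Turn merged ranges back into nmap syntax, e.g. '22-23,80,8080'."""
    return ",".join(f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def port_count(ranges: list[tuple[int, int]]) -> int:
    """Number of distinct ports a spec covers (useful to estimate scan size)."""
    return sum(hi - lo + 1 for lo, hi in ranges)


def is_valid_port_spec(spec: str) -> bool:
    """True if the spec parses and stays within 1-65535."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


def build_nmap_argv(target: str, spec: str, extra: tuple[str, ...] = ()) -> list[str]:
    """Build an argv list such as ['nmap', '-p80,443', '10.1.1.254'].

    Returning a list (not a shell string) avoids quoting problems if this is
    later handed to subprocess.run().
    """
    normalized = render_port_spec(parse_port_spec(spec))
    return ["nmap", f"-p{normalized}", *extra, target]


if __name__ == "__main__":
    print(build_nmap_argv("10.1.1.254", "80,443,22,21,8080,25,53"))
```

Building the command as an argv list rather than a single string is deliberate: a port list or target that comes from user input never reaches a shell, so there is nothing to quote or escape.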
5. Nmap ping scan
Nmap can scan using a ping method similar to the ping command on Windows/Linux systems.
Command syntax:
nmap -sP <target ip>
Explanation: -sP sets the scan mode to ping scan.
6. Nmap route tracing
Route tracing helps network administrators understand the flow of traffic across the network and is a handy assistant tool for network managers. It makes it easy to see which network nodes lie between our computer and the target site, and the time spent at each node (Baidu Encyclopedia).
Command syntax:
nmap --traceroute <target ip>
Example:
nmap --traceroute 8.8.8.8 (Google DNS server IP)
7. Nmap can also scan the IP addresses in a network segment
Command syntax:
nmap -sP <network address>/<CIDR>
Explanation: the CIDR suffix sets the subnet mask (/24, /16, /8, and so on).
Example and effect: two scans of the 10.1.1.0/24 segment (shown as screenshots in the original).
The two scans above enumerate the hosts on the 10.1.1.0/24 network segment, among them:
Windows: 10.1.1.103
Android: 10.1.1.101
8. Nmap operating system detection
Nmap detects the operating system a host is running from the characteristics of the target's open ports. This is an important step in information gathering, because it helps you find vulnerable services on a specific operating system.
Command syntax:
nmap -O <target ip>
Example:
nmap -O 10.1.1.101 (scanning an Android phone)
By default, Nmap cannot scan the machine it is running on; to scan your own computer, run the scan from a virtual machine.
Example:
nmap -O 10.1.1.103 (Windows 7 SP2 Home Premium)
9. Nmap all-in-one switch (-A)
The -A option combines a ping scan of ports 1-10000, operating system detection, script scanning, route tracing and service probing in a single run.
Command syntax:
nmap -A <target ip>
10. Nmap combined command scan
Combining parameters achieves much the same as -A, but can be tailored to exactly the special requirements we have.
Command syntax:
nmap -vv -p1-1000 -O <target ip>
Example:
nmap -vv -p1-1000 -O 10.1.1.105
Example: scan ports 80, 8080, 22 and 23 of the target host, trace the route to it, and detect its operating system:
nmap -p80,8080,22,23 --traceroute -O 10.1.1.254
Nmap provides these parameters; combine them flexibly according to your own needs.
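The following is an added example, not code from the original tutorial or from the Nmap project. It parses Nmap's grepable output format (-oG, which the tutorial itself does not cover) from a constructed sample modelled on the ping sweep of 10.1.1.0/24 and the combined port/OS scan above, and compares the live hosts against a constructed asset list so that a defender can spot a host that should not be on the segment. The sample output, the inventory, and all function and class names are this example's own assumptions.

```python
# Added example: parse Nmap grepable output (-oG) and flag hosts missing from
# an asset inventory. Not code from the original tutorial or from Nmap; the
# sample output, inventory and function names are this example's own.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of "nmap -oG -" output (NOT a real scan): a ping sweep
# of the tutorial's 10.1.1.0/24 segment, then a port/OS scan of one host.
# Layout follows nmap's grepable format: tab-separated "Key: value" fields
# after "Host: <ip> (<hostname>)"; each Ports entry is
# port/state/protocol/owner/service/rpcinfo/version.
SAMPLE_OG = """\
# Nmap scan initiated (constructed) as: nmap -sP -oG - 10.1.1.0/24
Host: 10.1.1.1 ()\tStatus: Up
Host: 10.1.1.101 (android-4f2a)\tStatus: Up
Host: 10.1.1.103 ()\tStatus: Up
Host: 10.1.1.177 ()\tStatus: Up
# Nmap scan initiated (constructed) as: nmap -p80,8080,22,23 -O -oG - 10.1.1.254
Host: 10.1.1.254 ()\tStatus: Up
Host: 10.1.1.254 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (0)\tOS: Linux 3.X
# Nmap done (constructed)
"""

# Constructed (hypothetical) asset inventory for the lab segment.
KNOWN_ASSETS = {
    "10.1.1.1": "gateway",
    "10.1.1.101": "Android phone",
    "10.1.1.103": "Windows 7 workstation",
    "10.1.1.254": "lab router",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


@dataclass
class HostRecord:
    ip: str
    hostname: str = ""
    up: bool = False
    open_ports: dict[int, str] = field(default_factory=dict)  # port -> proto/service
    os_guess: str = ""


def parse_grepable(text: str) -> dict[str, HostRecord]:
    """Merge every 'Host:' line of -oG output into one record per IP."""
    hosts: dict[str, HostRecord] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines ("# Nmap ...") and blanks
            continue
        ip, hostname = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, HostRecord(ip=ip))
        if hostname:
            rec.hostname = hostname
        for fld in line.split("\t")[1:]:
            key, _, value = fld.partition(": ")
            if key == "Status":
                rec.up = value.strip() == "Up"
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 5:
                        continue  # malformed entry: skip rather than crash
                    port, state, proto, _owner, service = parts[:5]
                    if state == "open":
                        rec.open_ports[int(port)] = f"{proto}/{service}"
            elif key == "OS":
                rec.os_guess = value.strip()
    return hosts


def unknown_hosts(hosts: dict[str, HostRecord], inventory: dict[str, str]) -> list[str]:
    """Live hosts that are not in the inventory: candidates for investigation."""
    return sorted(ip for ip, rec in hosts.items() if rec.up and ip not in inventory)


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_OG)
    for ip, rec in sorted(found.items()):
        print(ip, rec.hostname or "-", "up" if rec.up else "down",
              rec.open_ports, rec.os_guess or "-")
    print("not in inventory:", unknown_hosts(found, KNOWN_ASSETS))
```

To use it on a real scan of your own lab, add -oG - (or -oG file) to any of the commands in this tutorial and feed the text to parse_grepable(); the records for one IP are merged, so the sweep and the detailed scan can be parsed from a single concatenated file. Hosts reported by unknown_hosts() are the ones worth checking against your own records first.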
My own knowledge is limited; if there are mistakes, corrections are welcome.
NMAP Basic Tutorial