Nmap is a network probe and security scanner. System administrators and individuals can use it to scan large networks and find out which hosts are up and which services they offer. Nmap supports many scanning techniques: UDP, TCP connect(), TCP SYN (half open), FTP proxy (bounce attack), reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep and Null scan. Nmap also offers a number of advanced features: remote operating system identification via TCP/IP protocol stack fingerprinting, stealth scanning, dynamic delay and retransmission calculation, parallel scanning, detection of hosts that are down, decoy scanning, detection of port filtering, direct RPC scanning (without going through the portmapper), fragmentation scanning, and flexible target and port specification.

Running nmap usually produces a list of the scanned host's ports. For each port nmap gives the well-known service name (if any), the port number, the state, and the protocol. The state of each port is one of open, filtered, or unfiltered:

1. Open means the target host will accept a connection on that port with the accept() system call.
2. Filtered means a firewall, packet filter or other network security software is masking the port and preventing nmap from determining whether it is open.
3. Unfiltered means the port is closed and no firewall or packet filter is interfering with nmap's attempt to determine this.

Most scanned ports are normally in the unfiltered state, so nmap only displays the unfiltered state when most of the scanned ports are in the filtered state.
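The port list described above is easier to work with when parsed into records. The following is an added example, not code from nmap or from this page; it parses the classic "Port State Service" table of nmap's normal output and summarizes the port states. The sample output embedded in it is constructed to match that layout and is not real scan data.

```python
"""Parse the port table of nmap's normal (-oN style) output into records.

Added example; not nmap's own code. SAMPLE_OUTPUT is a constructed sample
that imitates the 'Port  State  Service' table nmap prints per host.
"""
import re
from collections import Counter

# Constructed sample of nmap normal output for one host (not real scan data).
SAMPLE_OUTPUT = """\
Interesting ports on target.example.com (192.0.2.10):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     filtered    smtp
53/udp     open        domain
80/tcp     open        http
113/tcp    unfiltered  auth
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
"""

# One port line: "<port>/<proto>  <state>  [<service>]"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|filtered|unfiltered|closed)\s*(\S*)")
# Host header: "Interesting ports on <hostname> (<ip>):" (hostname may be empty)
HOST_LINE = re.compile(r"^Interesting ports on (\S*)\s*\(([\d.]+)\)")


def parse_nmap_normal(text):
    """Return a list of dicts with host, ip, port, proto, state, service."""
    records = []
    host, ip = None, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host, ip = (m.group(1) or None), m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m and ip is not None:
            records.append({
                "host": host, "ip": ip,
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4) or None,
            })
    return records


def state_summary(records):
    """Count how many ports are in each state (open/filtered/unfiltered/closed)."""
    return dict(Counter(r["state"] for r in records))


def open_ports(records, proto="tcp"):
    """Sorted list of open port numbers for the given protocol."""
    return sorted(r["port"] for r in records
                  if r["state"] == "open" and r["proto"] == proto)


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r['ip']:15} {r['port']:>5}/{r['proto']} {r['state']:10} {r['service']}")
    print(state_summary(recs))
```

Feeding a real -oN log into parse_nmap_normal() gives the same records; a host whose scan shows mostly filtered ports is the case where, as noted above, nmap also prints the unfiltered ones.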
Scan type options

-sT TCP connect() scan: this is the most basic form of TCP scanning. connect() is the system call the operating system provides to open a connection. If the target port has a program listening, connect() succeeds; otherwise the port is unreachable. The biggest advantage of this technique is that it needs no root privileges: any UNIX user is free to use this system call. The drawback is that it is easily detected, because a large number of connection requests and error messages are recorded in the target host's logs.
-sS TCP SYN scan: this technique is often called half-open scanning because it does not open a full TCP connection. You send a TCP SYN packet and wait for the response. A SYN|ACK reply means the target port is listening; an RST reply means nothing is listening on that port. If a SYN|ACK is received, the source host immediately sends an RST to tear down the half-open connection (the operating system kernel does this for us). The biggest benefit of this technique is that very few systems log it. However, you need root privileges to build custom SYN packets.
-sF -sX -sN Stealth FIN, Xmas Tree, or Null scan modes: even a SYN scan is not always stealthy enough. Some firewalls and packet filters watch for SYN packets sent to restricted ports, and programs such as Synlogger and Courtney can detect those scans. These advanced scan modes can escape that interference.
-sP Ping scan: sometimes you only want to know which hosts on a network are up. Nmap can do this by sending an ICMP echo request to every IP address in the network you specify; hosts that are up respond. Unfortunately, some sites, microsoft.com for example, block ICMP echo request packets. By default nmap therefore also sends a TCP ACK packet to port 80; if it gets an RST back, the host is up. A third technique nmap uses is to send a SYN packet and wait for an RST or SYN/ACK. For non-root users nmap uses the connect() method. Note that nmap performs ping scanning in any case, and only scans a host further if it is up; use this option if you only want to know whether the target hosts are up and do not want any other scan.

-sU UDP scan: use this method if you want to know which UDP (User Datagram Protocol, RFC 768) services are available on a host.

-sA ACK scan: this advanced scan method is usually used to map a firewall's rule set. In particular, it helps determine whether a firewall is stateful or a simple packet filter that just blocks incoming SYN packets. The scan sends an ACK packet (with random acknowledgement/sequence numbers) to each specified port. If an RST comes back, the port is classified as unfiltered. If nothing comes back, or an ICMP unreachable message is returned, the port is classified as filtered. Note that nmap usually does not output unfiltered ports, so often no ports at all are shown in the output. Obviously this scan method cannot find ports in the open state.
-sW Window scan: this advanced scan is very similar to the ACK scan, except that it can sometimes detect open ports, because of an anomaly in how some operating systems report the TCP window size. These systems include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks. A full list is available in the nmap-hackers mailing list archive.
-sR RPC scan: this method is used in combination with nmap's other port scan methods. It takes all ports found in the open state and sends them SunRPC program NULL commands to determine whether they are RPC ports and, if so, which program and version number they serve. This lets you obtain that information even when the target's portmapper is behind a firewall. Decoy scanning is not currently used together with RPC scans.
-b FTP bounce attack: the FTP protocol (RFC 959) has an interesting feature: it supports proxy FTP connections. That is, I can connect from evil.com to the FTP server target.com and ask that FTP server to send files anywhere on the Internet! The argument to the -b option is the FTP server you want to use as a proxy. The syntax is: -b username:password@server:port.
General options: none of these is required, but they are useful.

-P0 Do not ping hosts before scanning. Some networks sit behind firewalls that do not allow ICMP echo requests; use this option to scan such networks. Microsoft.com is an example, so when you scan that site you should always use the -P0 or -PT80 option.
-PT Use TCP ping to determine which hosts are up. Instead of sending an ICMP echo request and waiting for a reply, nmap sends a TCP ACK packet to the target network (or single host) and waits for a response. Hosts that are up reply with an RST. This option is only useful when ping packets are blocked on the target network/host.

-PS For root users, this option lets nmap use SYN packets instead of ACK packets to probe the target hosts. Hosts that are up reply with an RST (or a SYN/ACK).
-PI Use a real ping (ICMP echo request) to find which target hosts are up. Besides finding hosts that are up, nmap will also look for subnet-directed broadcast addresses on your network. These are externally reachable IP addresses that get translated into an IP broadcast packet on an internal subnet. They should be removed, because they can be used for denial-of-service attacks (smurf, for example).
-PB This is the default ping option. It uses both the ACK (-PT) and ICMP (-PI) sweeps in parallel, so if the firewall filters one of the two packet types, the other can still get through.
-O Activate remote host identification via TCP/IP fingerprinting. In other words, nmap uses a number of techniques to detect characteristics of the target host's network protocol stack. From this information it builds a fingerprint of the remote host and compares it against its database of known operating system fingerprints, which tells you the target host's operating system.
-I Turn on nmap's reverse-ident scanning.

-f Make nmap send its SYN, FIN, Xmas and Null scan probes as fragmented IP packets. Fragmenting the packets makes it harder for packet filters and intrusion detection systems to see what you are doing. Use this option with care, though! Although packet filters and firewalls generally do not stop fragmented packets, many networks disable handling of fragmented packets for performance reasons. Note that this option does not work on all platforms; it works well on Linux, FreeBSD, OpenBSD and other UNIX systems.
-v Verbose mode. This option is highly recommended; it gives more details about what is going on during the scan. Use it twice for even more output. Use the -d option to get still more detailed output.
-h Quick reference (help) screen.
-oN Write the scan results in human-readable form to the file logfilename.
--resume A network scan may be interrupted by Control-C, a network outage, and so on. This option resumes a scan that was aborted. logfilename is the log file of the cancelled scan, which must be in either human-readable or machine-parsable form. No new options may be given for the resumed scan; only the same options as the interrupted scan are used. Nmap then starts a new scan from the last host successfully scanned according to the log file.
-iL Read the targets to scan from the file inputfilename. The file holds a list of hosts or networks separated by spaces, tabs, or newlines. If you give a hyphen (-) in place of the file name, nmap reads the host names from standard input (stdin). See the section on target specification for more details.
-iR Have nmap pick the hosts to scan at random.
-p
-F Fast scan mode: only scan the ports listed in the nmap-services file. This is obviously much faster than scanning all 65535 ports.

-D Scan the target network/host using decoys. If nmap scans the target with this method, then from the point of view of the target host/network the scan appears to come from the other hosts as well (decoy1, and so on). Thus, even if the target's IDS (intrusion detection system) notices the scan, it cannot tell which host really initiated it and which ones are innocent. This scanning method defeats techniques such as route tracing and response dropping, and hides your IP address well. Each decoy host name is separated by a comma, and you can use ME to represent your own host, mixed in among the decoys. If you put ME in the sixth position or later, some port-scan detectors will not show your IP address at all. If you do not use ME, nmap puts your IP address at a random position among the decoys. Note: the hosts you use as decoys should be up, or you will simply flood the target with SYN packets. Obviously, if only one host on the network is up, the target will easily determine which host is really scanning. You may also want to use IP addresses for the decoys rather than their host names, so that you do not show up in the decoy networks' name server logs.

-S
-e Tell nmap which interface to send and receive packets on. Nmap normally detects this interface automatically, and will tell you if it cannot.
-g Set the source port of the scan. Some naive firewalls and packet filters let packets with a source port of DNS (53) or FTP-DATA (20) through so that those connections can be established. Obviously, if an attacker changes the source port to 20 or 53, such a firewall is defeated. With UDP scans, try port 53 first; with TCP scans, try port 20 first. Note that this is only a request, which nmap honours only when it can: if a scan cannot be performed from that source port, nmap changes the source port automatically even though you used -g.

-r Tell nmap not to randomize the order in which ports are scanned.
-M Set how many sockets are used in parallel when performing a TCP connect() scan. Use this option to slow the scan down and avoid crashing remote targets.
Timing options: use the following options to control nmap's scan timing.

-T Set nmap's timing policy. Paranoid: scans very slowly in order to avoid detection by IDS; nmap serializes all scans and sends one packet at least every 5 minutes. Sneaky: similar, but waits only 15 seconds between packets. Polite: meant to avoid adding network load or crashing hosts; scans serially, with 0.4 seconds between each probe. Normal: nmap's default behaviour, which runs as fast as possible without overloading the network or missing hosts/ports. Aggressive: sets a 5 minute timeout per host so that no host takes longer than 5 minutes to scan, and waits no more than 1.5 seconds for each probe response.
--host_timeout Set the maximum time to spend scanning a single host, in milliseconds. By default there is no limit.
--max_rtt_timeout Set the maximum time to wait for each probe response, in milliseconds; after this limit the probe is retransmitted or times out. The default is about 9000 milliseconds.

--min_rtt_timeout When the target host responds very quickly, nmap shortens the timeout for each probe. This speeds up the scan, but may lose responses that take longer to arrive. With this option nmap waits at least the time you specify, in milliseconds, for every probe.
--initial_rtt_timeout Set the timeout for the initial probe. This is usually only useful when scanning firewalled hosts with the -P0 option. The default is 6000 milliseconds.
--max_parallelism Set the maximum number of scans run in parallel.
--max_parallelism 1 means only one port is scanned at a time. This option also applies to other parallel operations such as ping sweeps and RPC scans.
--scan_delay Set the minimum time nmap must wait between two probes. This option is mainly used to reduce network load.
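To see how --initial_rtt_timeout, --min_rtt_timeout and --max_rtt_timeout interact, here is an added example written for this page; it is a simplified, hypothetical model and not nmap's own retransmission code. It starts at the initial timeout, adapts to observed round-trip times with a TCP-style smoothed estimate (my choice, not taken from nmap), backs off after each missed response, and clamps the result between the minimum and maximum timeouts. The default values are the ones given in the option descriptions above; the min_rtt_timeout default of 0 is an assumption, since the page gives none.

```python
"""Simplified model of nmap's per-probe timeout options (added illustration).

Hypothetical estimator written for this page, not nmap's own code. It shows
how initial_rtt_timeout, min_rtt_timeout and max_rtt_timeout bound the
timeout used for each probe as the observed round-trip time changes.
"""


class ProbeTimeout:
    # Defaults in milliseconds: 6000 and 9000 are the values stated in the
    # option descriptions; min_rtt_timeout=0 is an assumption (page gives none).
    def __init__(self, initial_rtt_timeout=6000, max_rtt_timeout=9000,
                 min_rtt_timeout=0):
        self.initial = initial_rtt_timeout
        self.max_rtt = max_rtt_timeout
        self.min_rtt = min_rtt_timeout
        self.srtt = None      # smoothed round-trip time estimate
        self.rttvar = None    # smoothed RTT variation
        self.timeouts = 0     # consecutive probes that got no answer

    def current_timeout(self):
        """Timeout (ms) to use for the next probe, after clamping."""
        if self.srtt is None:
            raw = self.initial                      # no RTT seen yet
        else:
            raw = self.srtt + 4 * self.rttvar       # TCP-style RTO (assumption)
        raw *= 2 ** self.timeouts                   # back off after misses (assumption)
        return max(self.min_rtt, min(self.max_rtt, raw))

    def observe_rtt(self, rtt_ms):
        """Update the estimate from a probe that received a response."""
        if self.srtt is None:
            self.srtt, self.rttvar = rtt_ms, rtt_ms / 2
        else:
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt_ms)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt_ms
        self.timeouts = 0

    def observe_timeout(self):
        """A probe got no answer within current_timeout(); it will be retransmitted."""
        self.timeouts += 1


def simulate(events, **options):
    """Return the timeout in effect before each event.

    events: a list where a number is an observed RTT in ms and None means the
    probe got no response before its timeout expired.
    """
    timer = ProbeTimeout(**options)
    used = []
    for ev in events:
        used.append(timer.current_timeout())
        if ev is None:
            timer.observe_timeout()
        else:
            timer.observe_rtt(ev)
    return used


if __name__ == "__main__":
    # Constructed sequence: one fast reply, two lost probes, one more reply.
    print(simulate([20, None, None, 20]))
    print(simulate([20, None, None, 20], min_rtt_timeout=500))
```

The second run shows the effect the text warns about: with a fast host the timeout collapses to tens of milliseconds, and --min_rtt_timeout is what keeps a later, slower response from being counted as lost.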
Examples

nmap -v target.example.com Scans all TCP ports of the host target.example.com. -v turns on verbose mode.
nmap -sS -O target.example.com/24 Launches a SYN scan against all 255 IP addresses on the network that target.example.com belongs to, and at the same time detects the operating system fingerprint of each host. Requires root privileges.
nmap -sX -p 22,53,110,143,4564 128.210.*.1-127 Sends an Xmas tree scan to the first half of each of the 255 possible 8-bit subnets in the class B address space 128.210, to determine whether those systems have sshd, DNS, pop3d, imapd, or port 4564 open. Note that Xmas tree scanning does not work against Micro$oft systems because their protocol stack is defective.
nmap -v --randomize_hosts -p 80 *.*.2.3-5 Instead of scanning a specific IP range, it is sometimes useful to sample the Internet. Here nmap looks for web servers on every IP address on the Internet that ends in .2.3, .2.4 or .2.5.
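The target specifications in the examples above (target.example.com/24, 128.210.*.1-127, *.*.2.3-5) are worth expanding before a scan, if only to see how many addresses they cover. The following is an added example written for this page, not nmap's own target parser; it supports the forms the examples use (plain addresses, per-octet wildcards, per-octet ranges, comma lists inside an octet, and host/bits CIDR notation) and leaves host names unexpanded because resolving them needs DNS. Treating host/bits as "the network containing host" is my reading of the /24 example.

```python
"""Expand nmap-style IPv4 target specs (added example, not nmap's own code).

Supported forms: 192.0.2.10, 192.0.2.3-5, 128.210.*.1-127, 10.0.1,5.1-2,
192.0.2.10/30 and name/24. Host names are yielded as-is (no DNS here).
"""
import ipaddress
import re

_OCTET_FIELD = re.compile(r"[\d,*-]+")


def _is_octet_pattern(spec):
    """True if spec is four dot-separated fields made of digits, ',', '*' or '-'."""
    fields = spec.split(".")
    return len(fields) == 4 and all(_OCTET_FIELD.fullmatch(f) for f in fields)


def _octet_values(field):
    """Sorted list of the 0..255 values one octet field expands to."""
    values = set()
    for piece in field.split(","):
        if piece == "*":
            values.update(range(256))
        elif "-" in piece:
            lo, hi = (int(x) for x in piece.split("-", 1))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range {piece!r}")
            values.update(range(lo, hi + 1))
        else:
            v = int(piece)
            if not 0 <= v <= 255:
                raise ValueError(f"bad octet {piece!r}")
            values.add(v)
    return sorted(values)


def expand_target(spec):
    """Yield the addresses (as strings) that one target spec covers."""
    if "/" in spec:
        base, bits = spec.split("/", 1)
        if _is_octet_pattern(base) and "*" not in base and "-" not in base and "," not in base:
            # host/bits means the network containing host; strict=False allows host bits set
            for addr in ipaddress.ip_network(f"{base}/{bits}", strict=False):
                yield str(addr)
        else:
            yield spec          # name/bits: needs DNS first, left unexpanded
        return
    if not _is_octet_pattern(spec):
        yield spec              # host name, left unexpanded
        return
    a, b, c, d = (_octet_values(f) for f in spec.split("."))
    for w in a:
        for x in b:
            for y in c:
                for z in d:
                    yield f"{w}.{x}.{y}.{z}"


def count_targets(spec):
    """Number of addresses a spec covers, computed without enumerating them."""
    if "/" in spec:
        bits = int(spec.split("/", 1)[1])
        if not 0 <= bits <= 32:
            raise ValueError(f"bad prefix length in {spec!r}")
        return 2 ** (32 - bits)
    if _is_octet_pattern(spec):
        n = 1
        for f in spec.split("."):
            n *= len(_octet_values(f))
        return n
    return 1


if __name__ == "__main__":
    for s in ("target.example.com/24", "128.210.*.1-127", "*.*.2.3-5"):
        print(f"{s:25} -> {count_targets(s)} addresses")
```

count_targets() is the useful check before a large scan: the *.*.2.3-5 example above covers 196608 addresses, which is why the page suggests it only as an Internet sample rather than a range to scan in full.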
host -l company.com | cut -d ' ' -f 4 | ./nmap -v -iL - Lists all hosts in the company.com domain and passes them to nmap for scanning. Note: this command line is for GNU/Linux; on other platforms you may need different commands or options.