How to use Nmap complete guide
Nmap ("Network Mapper") is a free and open-source utility for arranging revelation and security evaluating. Numerous frameworks and system heads likewise think that it's helpful for errands, for example, arrange stock, overseeing administration redesign timetables, and observing host or administration uptime.
Nmap utilizes crude IP packets in novel manners to figure out what hosts are accessible on the system, what administrations (application name and form) those hosts are offering, what working frameworks (and OS versions) they are running, what sort of bundle channels/firewalls are being used, and many different attributes. It was intended to quickly examine huge systems, however, it works fine against single hosts. Nmap runs on all significant PC working frameworks
first, we need to install Nmap in our system Nmap works fine with lots of platforms
Nmap utilizes crude IP packets in novel manners to figure out what hosts are accessible on the system, what administrations (application name and form) those hosts are offering, what working frameworks (and OS versions) they are running, what sort of bundle channels/firewalls are being used, and many different attributes. It was intended to quickly examine huge systems, however, it works fine against single hosts. Nmap runs on all significant PC working frameworks
first, we need to install Nmap in our system Nmap works fine with lots of platforms
ex- all Linux flavors such as fedora, parrot, Kali Linux, etc. also in android using Termux.
the choice is always your..
I have given a tutorial to install Nmap in Termux check it out here..
the choice is always your..
I have given a tutorial to install Nmap in Termux check it out here..
how to install nmap in termux
or you can simply use the command
in Termux type command.
apt install nmappkg get nmap
nmapnow you can use nmap using commands like.
nmap -v -A 192.168.0.0
some advance commands for Nmap
- spoof or decoy scan
Nmap allows us to use decoy IP addresses in order that it's like many IP addresses are scanning the target.
When we are scanning machines that aren't ours, we frequently want to cover our IP (our identity). Obviously, every packet must contain our source address alternatively the response from the target system won't know where to return to.
nmap -sS 192.168.0.0 -D 10.0.0.1,10.0.0.2,10.0.0.4
When we are scanning machines that aren't ours, we frequently want to cover our IP (our identity). Obviously, every packet must contain our source address alternatively the response from the target system won't know where to return to.
nmap -sS 192.168.0.0 -D 10.0.0.1,10.0.0.2,10.0.0.4
- Output to a File
many times we need output of scans for later references and use with other tools. to save lots of output in NMAP simply use -oN switch.
add -oN command and after that name of the file you want to output in. Here, I have used a file named "nmapscan.txt"
nmap -sS 192.168.89.191 -oN nmapscan
now cat this output to see what's in it using the command
cat nmapscan
add -oN command and after that name of the file you want to output in. Here, I have used a file named "nmapscan.txt"
• OS detection, service detection in ports
-A is all in one command we can use to detect OS, Services, script scanning and traceroute with ports status..
there are many vulnerabilities and exploits you can find for system services and use it in exploitation.
nmap -A (target IP)
 |
| Nmap os and other services detection |
•Port Scanning Techniques:
port scanning is a fully automated process using tools such as NMAP and Nessus which are very efficient to use. there are lots of scanning techniques over there but I will share some important of them.
NMAP ping sweeps
NMAP ping sweeps scan sends ICMP requests to all IP addresses in a given range and sends ICMP reply to host if the host is alive and responds to ping requests.
 |
| Nmap ping sweep |
ARP scan (Address Resolution Protocol) :
In this method, a progression of ARP communication is sent, and the incentive for the objective IP address field is increased in each communicate parcel to find dynamic gadgets on the neighborhood organize section. This sweep encourages us to outline the whole system.
nmap --arp-type ARP (target IP)
 |
| Nmap ARP scan |
TCP connect scan:
TCP connect scan is the basic scanning technique that uses the connect system call of an OS to open a connection to all port that is available.
this image shows how it works..
to find TCP ports in Nmap use command..
 |
| working of TCP protocol |
nmap -sT (IP address)
 |
| TCP ports scan in Nmap |
Half-open scan:
while TCP connection it does not connect with the server so it's stealthy scan
like TCP scan we send syn packet first.
then the server sends syn/ack packet to us..
but in the last instead of ack we send the server a reset packet in Half-open scan that's why its called stealth scan. the server didn't connect instead it resets and makes it undetectable..
nmap -sS (target Ip)
TCP XMAS Scan
It is used to identify listening ports on the targeted system. The scan manipulates the PSH, URG, and FIN flags of the TCP header. it sends reset response when ports are close and do not respond when a port is open
use this Nmap command..
nmap -sX (target Ip)
TCP FIN Scan
This port scan can stay undetected through most of Scan detection programs, and other Scan IDS and Firewalls. It sends FIN bundles to the focused on the framework and readies a report for the reaction it got
In FIN flag while closed ports send a reset response and
TCP packets sent to the target open ports don't respond.
In FIN flag while closed ports send a reset response and
TCP packets sent to the target open ports don't respond.
nmap -sF (target Ip)
TCP ACK Scan:
sometimes active websites also do not send ICMP ping in answer.
by using TCP ACK Scan attacker can see the port status by an acknowledgment received
use command in Nmap
by using TCP ACK Scan attacker can see the port status by an acknowledgment received
use command in Nmap
nmap -sA (target Ip)
Null Scan:
Works by sending TCP packets with no flags set to the target. Open ports do not respond while closed ports respond with a RESET packet
nmap -sN (target Ip)
NSE SCRIPTS
just to know how to use NSE-Scripts here is an example of NetBIOS Enumeration
Here in image Nmap nbtstat NSE script is used to enumerate NetBIOS..
 |
| Nmap NetBIOS script |
Conclusion
Nmap is a very useful tool in scanning and enumeration it gives us a whole lot of information about the victim.. which is further helpful in exploitation and other hacking techniques.
Happy Hacking.. 😊
