How to use Nmap like a Hacker

If you’ve spent five minutes looking at anything related to hacking networks, you’ve undoubtedly run across the tool Nmap. And if you’ve just copied whatever example you saw it used in, you are missing out on one of the most powerful hacking tools out there. Let’s start from the beginning: Nmap was developed by Gordon Lyon, also known as Fyodor, in 1997. It was created for fun and in the hope that people would find it useful. And Fyodor, if you’re reading this, it really is. This tool comes by default on Kali machines, but if you are using an OS that doesn’t already have it installed, I’ll go over installation right now.

Installing Nmap

Linux RPM Source and Binaries

The following commands install Nmap and its companion tools on an RPM-based Linux distribution. If these don’t work for you, check out the more detailed guide on the Nmap site here

rpm -vhU https://nmap.org/dist/nmap-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/zenmap-7.80-1.noarch.rpm
rpm -vhU https://nmap.org/dist/ncat-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/nping-0.7.80-1.x86_64.rpm

Mac OS X Binaries

You can get a stable release installer for Mac OS here

Scanning for targets

Before you can start looking at open ports and the services that reside on them, you have to see which hosts are up to begin with.

Scan a single IP: root@kali:~# nmap 127.0.0.1
Scan via domain name: root@kali:~# nmap www.target.com
Scan a range of IPs: root@kali:~# nmap 127.0.0.1-24
Scan a full subnet: root@kali:~# nmap 127.0.0.1/24
Scan hosts listed in a text file: root@kali:~# nmap -iL iplist.txt
Exclude a host from the scan: root@kali:~# nmap 127.0.0.1/24 --exclude 127.0.0.1
Exclude a list of hosts from the scan: root@kali:~# nmap 127.0.0.1/24 --excludefile ips.txt

OS and Service Detection

Now that we can see which hosts are up, let’s look at what Nmap can do to help determine the operating system and the services running on those hosts.

Detect OS and services: root@kali:~# nmap -A 127.0.0.1
Standard service detection: root@kali:~# nmap -sV 192.0.0.1
Aggressive detection: root@kali:~# nmap -sV --version-intensity 5 127.0.0.1
Banner grabbing: root@kali:~# nmap -sV --version-intensity 0 127.0.0.1

Scanning for ports

While Nmap has added a dizzying amount of functionality over the years, port scanning is the core of what it does. Nmap recognizes six port states: open, closed, filtered, unfiltered, open|filtered, and closed|filtered.

Scan a single port (port 80): root@kali:~# nmap -p 80 127.0.0.1
Scan a range of ports: root@kali:~# nmap -p 22-80 127.0.0.1
Scan the 100 most common ports: root@kali:~# nmap -F 127.0.0.1
Scan all ports: root@kali:~# nmap -p"*" 127.0.0.1
Show open ports only: root@kali:~# nmap --open 127.0.0.1

Port Scanning Techniques

With Nmap you can choose the type of scan you want to run. Depending on the kind of scanning you do most often, you will probably use one of the following on almost every scan. Even so, it never hurts to know what other scanning techniques are out there.

TCP SYN scan (default): root@kali:~# nmap -sS 127.0.0.1
TCP connect scan: root@kali:~# nmap -sT 127.0.0.1
UDP scan: root@kali:~# nmap -sU 127.0.0.1
SCTP INIT scan: root@kali:~# nmap -sY 127.0.0.1
TCP ACK scan: root@kali:~# nmap -sA 127.0.0.1
TCP Window scan: root@kali:~# nmap -sW 127.0.0.1

Output Formats

Let’s finish with how you can store what Nmap gives you from these scans. Yes, you could always redirect standard output to a file, but before you do that, check out what Nmap can do right out of the box.

Normal output to a file: root@kali:~# nmap -oN file.txt 127.0.0.1
Output to XML: root@kali:~# nmap -oX file.xml 127.0.0.1
Output to a grep-friendly file: root@kali:~# nmap -oG file.txt 127.0.0.1
Output in all formats at once: root@kali:~# nmap -oA file 127.0.0.1
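The grepable (-oG) format above is the one you reach for when you want to post-process results. As an added example that is not part of the original post, here is a small Python parser for it, run over a constructed sample of -oG output (the hosts, ports and version strings are made up), plus a check that flags open ports not on a per-host allowlist, which is how a defender turns a scan into an exposure baseline:

```python
from collections import defaultdict

# Constructed sample of Nmap's grepable (-oG) output; not real scan data.
# Fields on a line are tab-separated; each Ports entry is
# port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds
"""


def parse_gnmap(text):
    """Return {host: [{port, state, proto, service, version}, ...]} from -oG output."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts: " not in line:
            continue  # skip comment lines and Status-only lines
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            hosts[host].append({"port": int(port), "state": state, "proto": proto,
                                "service": service, "version": version})
    return dict(hosts)


def unexpected_open_ports(parsed, allowed):
    """List (host, port, service) for open ports missing from the per-host allowlist."""
    findings = []
    for host, ports in parsed.items():
        for p in ports:
            if p["state"] == "open" and p["port"] not in allowed.get(host, set()):
                findings.append((host, p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for finding in unexpected_open_ports(scan, {"192.0.2.10": {22, 80}}):
        print("unexpected open port:", finding)
```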

Conclusion

Nmap has far more to it than just what is listed here. Full books have been written on the subject, including one from the creator himself, Nmap Network Scanning. These will take your Nmap skills beyond simply running the command examples found on Stack Overflow.