Exp-06
Services Enumeration using Nmap
Aim: To learn all the given commands for the Enumeration in NMAP
Learning Objective: To understand how each command works, use it
appropriately, and learn where each one fits when enumerating network
services as part of security work.
Learning Outcome: Understood the usage of each and every command in
NMAP for the Enumeration.
Commands:
Here are some common operations that can be performed with nmap. We will
run them all with sudo privileges to avoid returning partial results for some
queries. Some commands may take a long while to complete:
Scan for the host operating system:
1. sudo nmap -O scanme.nmap.org
Skip the host discovery portion and assume the host is online. This is useful if
you get a reply that says "Note: Host seems down" in your other tests. Add this to
the other options:
2. sudo nmap -PN scanme.nmap.org
Scan without performing a reverse DNS lookup on the IP address specified. This
should speed up your results in most cases:
3. sudo nmap -n scanme.nmap.org
Scan using a full TCP connect scan (complete three-way handshake) instead of the default SYN scan:
5. sudo nmap -sT scanme.nmap.org
To scan UDP ports:
6. sudo nmap -sU scanme.nmap.org
Scan for every TCP and UDP open port:
7. sudo nmap -n -PN -sT -sU -p- scanme.nmap.org
A TCP "SYN" scan exploits the way that TCP establishes a connection.
To start a TCP connection, the requesting end sends a "synchronize request"
(SYN) packet to the server. The server then sends a "synchronize acknowledgment"
(SYN/ACK) packet back. The original sender then sends an "acknowledgment" (ACK)
packet back to the server, and a connection is established.
A "SYN" scan, however, drops the connection when the first packet is returned
from the server. This is called a "half-open" scan and used to be promoted as a
way to surreptitiously scan for ports, since the application associated with that
port would not receive the traffic, because the connection is never completed.
This is no longer considered stealthy with the adoption of more advanced
firewalls and the flagging of incomplete SYN requests in many configurations.
8. sudo nmap -sS scanme.nmap.org
A stealthier approach is sending TCP packets with invalid flag combinations. If the
host conforms to the TCP specification, it sends a reset (RST) packet back only
when the port is closed, and nothing when it is open. This works on non-Windows
based servers.
You can use the "-sF" (FIN), "-sX" (Xmas), or "-sN" (NULL) flags. They all will
produce the response we are looking for:
9. sudo nmap -PN -p 80 -sN scanme.nmap.org
To see what version of a service is running on the host, you can try this
command. It tries to determine the service and version by testing different
responses from the server:
10. sudo nmap -PN -p 80 -sV scanme.nmap.org
Finally, you can use nmap to scan multiple machines.
To specify a range of IP addresses with "-" or a CIDR suffix such as "/24" and
scan a number of hosts at once, use a command like the following (no spaces
around the "/"):
11. sudo nmap -PN xxx.xxx.xxx.xxx/yy
Or scan a network range for available services with a command like this:
12. sudo nmap -sP xxx.xxx.xxx.xxx/yy
There are many other command combinations that you can use, but this should
get you started on exploring your networking vulnerabilities.
13. nmap -sn 10.11.1.0/24
Ping sweep the network (host discovery only, no port scan).
14. nmap -p- -sV 10.11.1.0/24
Full TCP port scan (all 65535 ports) with service version detection.
15. nmap -v -A -T4 10.11.1.0/24
Aggressive scan (-A enables OS detection, version detection, default script
scanning and traceroute) with verbose output and faster timing.
17. nmap -A -oA my-scan 10.11.1.0/24
Creates files in the three major output formats at once (my-scan.nmap,
my-scan.gnmap, my-scan.xml).
FLAG    DESCRIPTION
-oN     Normal Nmap format
-oG     Grepable format
-oX     XML format
-oS     s|<rIpt kIddi3 format
-oA     Output in all three major formats at once