What is Nmap?
Nmap (Network Mapper) is an open-source utility for network discovery and security
auditing, developed by Gordon Lyon. Network administrators use it to detect the
devices currently running on a network and the ports on which those devices accept
connections.
Many system and network administrators also use it for managing network
inventory, scheduling service upgrades, and monitoring host and service uptime.
Nmap Definition
At the top level, Nmap is a tool with which a network administrator can detect or
diagnose the services running on an Internet-connected system and identify
potential security flaws in their network. It is also used to automate repetitive
tasks, such as monitoring a service.
Working of Nmap
Nmap is convenient during penetration testing of networked systems. It provides
network details and also helps to determine the security flaws present in the
system. Nmap is platform-independent and runs on popular operating systems such
as Linux, Windows and Mac.
Nmap is a useful tool for network scanning and auditing purposes.
o It can search for hosts connected to the network.
o It can search for open ports on the target host.
o It detects the services running on the host, together with the host's operating system.
o It also detects flaws or potential vulnerabilities in networked systems.
Nmap is effortless to work with. Its graphical user interface, Zenmap, performs
many tasks such as saving and comparing scan results, storing results in a
database, and visualizing the network topology graphically.
Advantages of Nmap
Nmap has a lot of advantages that make it different from other network scanning
tools. Nmap is open-source and free to use.
Some other advantages are listed below.
o It is used for auditing network systems, as it can detect new servers.
o It can search for subdomains and Domain Name System (DNS) records.
o With the help of the Nmap Scripting Engine (NSE), it can interact with the
target host.
o It determines the nature of the services on a host, for example whether the
host is running a mail service or a web server.
Essential skills
Nmap offers various techniques for scanning networks, such as TCP connect
scanning, FTP bounce scanning and TCP reverse ident scanning. One should start with
Nmap to learn all of these techniques.
Why should we use Nmap?
As a network administrator, you need to check target hosts, determine free and
occupied ports, and perform security vulnerability scans. Nmap offers all of these
utilities, whether you need to monitor a single host or many hosts.
Nmap is used for regular network audits, but it can also perform repetitive
tasks such as managing network inventory, scheduling service upgrades, and
monitoring service uptime and downtime.
It also reports the state of each port as open, filtered, unfiltered or closed.
The output can be extended with the operating system type, MAC address, device
type and reverse DNS names.
Types of Nmap scan
Different types of scans can be done using Nmap.
TCP Scan
It completes a three-way handshake between you and a chosen target system.
The TCP scan is very noisy and can be detected with almost no effort, because
services can log the sender's IP address and trigger an intrusion detection
system.
UDP Scan
The UDP scan is used to check whether a UDP port on the target machine is open and
listening for incoming requests. Unlike TCP, UDP has no mechanism for replying
with a positive acknowledgement, so there is a chance of false-positive scan
results. UDP scans are used to reveal Trojan horses that run on a UDP port, or to
reveal hidden RPC services. These scans are slow because machines throttle their
responses to such traffic as a precaution.
SYN Scan
It is another form of TCP scan. Nmap crafts a SYN packet, the first packet sent to
establish a TCP connection.
ACK Scan
ACK scans are used to determine whether a particular port is filtered. This proves
extremely helpful when checking for firewalls and their current rules.
FIN Scan
The FIN scan is like the SYN scan, but it sends a TCP FIN packet instead. A closed
port replies with an RST (reset) packet, while an open port sends nothing, so
false positives and false negatives can appear in the scan. However, it may stay
under the radar of some IDS programs and many countermeasures.
Null Scan
The null scan is very stealthy and, as the name suggests, it sets all the TCP flag
bits in the header to zero. This is not a valid packet, and targets will not know
how to deal with it.
Xmas Scan
Computers running Windows will not respond to Xmas scans due to the way they
implement their TCP stack. The scan takes its name from the set of flags lit up
in the packet that is sent: Xmas scans set the PSH, URG and FIN flags in the TCP
header.
RPC Scan
RPC scans are used to search for machines that respond to Remote Procedure Call
(RPC) services. RPC allows commands to be run remotely on a particular machine
over a particular set of connections. The RPC service can run on various ports, so
regular scans find it challenging to detect whether RPC services are running.
Idle Scan
The idle scan is the most stealthy scan, as packets are bounced off an external
host. Control over that host is not required, but it must fulfil a specific set of
conditions.
Nmap Functions
Most of Nmap's standard functions are executed using a single command.
Nmap provides the following functions:
1. Ping Scanning
A ping scan lists every active IP on your network. We can perform a ping scan
with the command below:
nmap -sn <target>
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to the given ports.
2. Port Scanning
Port scanning is one of the most popular forms of reconnaissance ahead of a hack,
helping attackers determine which ports are most susceptible.
There are many ways to execute port scanning with Nmap:
-sS: TCP SYN scan
-sT: TCP connect scan
-sU: UDP scan
-sY: SCTP INIT scan
-sN: TCP NULL scan
3. Host scanning
Host scanning provides a detailed description of a particular host or IP address. As
mentioned above, you can scan a host using the following command:
nmap -sP <target IP range>    (-sP is the older spelling of -sn)
4. OS Scanning
OS scanning is one of Nmap's most powerful features. With this type of scan, Nmap
sends TCP and UDP packets to a port and analyzes the response. It compares the
response to a database of operating system fingerprints and returns information on
the host's OS. To run the OS scan, use the command given below:
nmap -O <target IP>
5. Scan the Most Popular Ports
If you are running Nmap on a home server, this command is useful. It scans the
'popular' ports of a host. Use the command below to scan the most popular ports:
nmap --top-ports 20 192.168.1.106
Replace "20" with the number of ports you want to scan. The output briefly details
the status of the most common ports and lets you see whether you have any
unnecessarily open ports.
6. Output to a file
If you want to save the results of an Nmap scan to a file, add an output option to
the command:
-oN output.txt
This writes the results to a normal text file. For XML output, use:
-oX output.xml
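As an added example (not from the original page or the Nmap project), the following POSIX shell script shows how a defender might audit a report saved with -oN, combining the popular-ports and output-to-file sections above, to spot unnecessarily open ports. The scan report is a constructed sample, and the allowlist of expected ports is an assumption.

```shell
#!/bin/sh
# Constructed sample of Nmap's normal (-oN) output; not a real scan result.
sample_scan() {
    cat <<'EOF'
# Nmap scan initiated as: nmap -oN output.txt 192.168.1.106 (constructed sample)
Nmap scan report for 192.168.1.106
Host is up (0.0010s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
135/tcp  filtered      msrpc
443/tcp  open          https
8080/tcp open|filtered http-proxy
# Nmap done: 1 IP address (1 host up) scanned
EOF
}

# Read -oN output on stdin and print "port/proto service" for every port whose
# STATE is exactly "open". Ambiguous states such as open|filtered, and the
# header and summary lines, are skipped because their second field differs.
open_ports() {
    awk '$2 == "open" { print $1, $3 }'
}

# Read -oN output on stdin and print only the open ports that are NOT in the
# space-separated allowlist given as $1 (e.g. "22/tcp 443/tcp"). Anything
# printed is a candidate for an unnecessarily open port worth investigating.
unexpected_open() {
    awk -v allow=" $1 " '$2 == "open" && index(allow, " " $1 " ") == 0 { print $1, $3 }'
}

# Usage: list all open ports, then flag the ones this (assumed) home server
# is not expected to expose.
sample_scan | open_ports
sample_scan | unexpected_open "22/tcp 443/tcp"
```

In practice, replace sample_scan with `cat output.txt` after running a scan with -oN, and keep the allowlist under version control so each audit diffs against a known baseline.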
7. Disable DNS Name Resolution
Finally, you can speed up an Nmap scan by using the -n parameter to disable
reverse DNS resolution. This is useful when performing a wide network scan.
For example, add -n to turn off DNS resolution for the ping scans described above.