NMAP in Linux Examples (Tested on RHEL)
For a long time nmap has been used as a network monitoring and scanning tool by system admins, and geeks, hackers and members of security departments have used it for penetration testing.
Nmap OS fingerprinting works by sending up to 16 TCP, UDP, and ICMP probes to known open and closed ports of the target machine and then listening for the responses.
The NMAP utility is used to scan ports on a machine, either local or remote
(you just require the IP address/hostname to scan).
It can be installed on Windows and Sun Solaris machines too.
It can be used to scan large networks as well as small networks, so you can say it can be used to scan any kind of network.
To scan a particular system for open ports:
#nmap hostname
[root@satish ~]# nmap satish.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:36 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
605/tcp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 0.107 seconds
This will help you scan the particular host you want to know about.
Example 2: How will you go about scanning a single port on a machine?
#nmap -p 22 hostname
Here hostname is satish.com.
So let's start by scanning a single port, i.e. port 22, on host satish.com:
[root@satish ~]# nmap -p 22 satish.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:19 IST
Interesting ports on satish.com (192.168.1.1):
PORT STATE SERVICE
22/tcp open ssh
Nmap finished: 1 IP address (1 host up) scanned in 0.016 seconds
This will check whether port 22 is open on the host or not.
Here -p indicates the port number, and 22 is the port number of the SSH server.
Example 3: What if I only want a fast scan of the ports?
#nmap -F hostname
[root@satish ~]# nmap -F satish.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:18 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1236 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
Nmap finished: 1 IP address (1 host up) scanned in 0.084 seconds
-F is for fast scan; it does not do any of the other scanning such as IP address, hostname, operating system, uptime, etc. As the output shows, it also covers fewer ports than the default scan (1236 not shown here against 1676 above).
It is very fast.
Example 4: Give an example of what you will do for scanning only TCP ports (i.e. we don't need to scan UDP ports here, and we do this to optimise monitoring).
#nmap -sT hostname
[root@satish ~]# nmap -sT satish.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:22 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
605/tcp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 0.078 seconds
Here -s selects the scan type and T says that all the scanned ports are TCP ports (a TCP connect scan).
Example 5: How to scan only UDP ports (i.e. here we want to scan only UDP ports, not TCP).
#nmap -sU hostname
[root@satish ~]# nmap -sU satish.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:23 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1482 closed ports
PORT STATE SERVICE
111/udp open|filtered rpcbind
123/udp open|filtered ntp
602/udp open|filtered unknown
631/udp open|filtered unknown
1023/udp open|filtered unknown
Nmap finished: 1 IP address (1 host up) scanned in 1.371 seconds
Here the letter U indicates UDP ports. Note the open|filtered state: a UDP port that never answers cannot be told apart from one that a firewall silently drops, so nmap reports both possibilities.
Example 6: Scanning for ports and getting the version of the different services running on that machine.
#nmap -sV hostname
[root@satish ~]# nmap -sV satish.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:25 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((Red Hat))
111/tcp open rpcbind 2 (rpc #100000)
605/tcp open status 1 (rpc #100024)
Nmap finished: 1 IP address (1 host up) scanned in 11.164 seconds
V indicates version detection: nmap reports the version of each network service running on that host.
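Added example, not from the original post: a Python parser for the normal-output format printed by the scans in Examples 1 to 6, handling the VERSION column of -sV and the open|filtered state of -sU, plus a check that flags open ports missing from an expected allowlist. The sample text is constructed from the output shown on this page, and the allowlist (only SSH and HTTP expected) is an assumption for the demonstration.

```python
import re

# Constructed sample: nmap 4.11 normal output for the -sV scan shown above.
SAMPLE_SV = """\
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((Red Hat))
111/tcp open rpcbind 2 (rpc #100000)
605/tcp open status 1 (rpc #100024)
Nmap finished: 1 IP address (1 host up) scanned in 11.164 seconds
"""

# Constructed sample in the -sU format, where nmap cannot tell open from filtered.
SAMPLE_SU = """\
111/udp open|filtered rpcbind
123/udp open|filtered ntp
"""

# port/proto, state (longer alternatives first so open|filtered is not cut at "open"),
# service name, and an optional VERSION column that may contain spaces.
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(\S+)(?:\s+(.+))?$"
)

def parse_ports(text):
    """Turn nmap's per-port lines into dicts; header, 'Not shown' and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        entries.append({"port": int(port), "proto": proto, "state": state,
                        "service": service, "version": version})
    return entries

def unexpected_open(text, allowed):
    """Ports that may be open (open or open|filtered) but are not in the allowed set of (port, proto)."""
    return [e for e in parse_ports(text)
            if "open" in e["state"] and (e["port"], e["proto"]) not in allowed]

if __name__ == "__main__":
    # Assumed baseline for this host: only SSH and HTTP should be reachable.
    for e in unexpected_open(SAMPLE_SV, {(22, "tcp"), (80, "tcp")}):
        print("unexpected:", e["port"], e["proto"], e["service"], e["version"])
```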
Example 7: How to check which protocols are supported by the remote system?
#nmap -sO hostname
[root@satish ~]# nmap -sO satish.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:28 IST
Interesting protocols on satish.com (192.168.1.1):
Not shown: 250 closed protocols
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 open udp
41 open|filtered ipv6
255 open|filtered unknown
Nmap finished: 1 IP address (1 host up) scanned in 1.228 seconds
Example 8: How to scan a system for operating system and uptime details? Explain with an example.
#nmap -O hostname
[root@satish ~]# nmap -O satish.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:29 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
605/tcp open unknown
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=1/23%Tm=50FFECC5%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=2748CB%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=2748F7%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=2748FC%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Uptime 0.052 days (since Wed Jan 23 18:14:59 2013)
Nmap finished: 1 IP address (1 host up) scanned in 9.672 seconds
Note:
-O enables the operating system scan along with the default port scan.
T2 sends a TCP null (no flags set) packet with the IP DF bit set and a window field of 128 to an open port.
T3 sends a TCP packet with the SYN, FIN, URG, and PSH flags set and a window field of 256 to an open port. The IP DF bit is not set.
T4 sends a TCP ACK packet with IP DF and a window field of 1024 to an open port.
T5 sends a TCP SYN packet without IP DF and a window field of 31337 to a closed port.
T6 sends a TCP ACK packet with IP DF and a window field of 32768 to a closed port.
T7 sends a TCP packet with the FIN, PSH, and URG flags set and a window field of 65535 to a closed port. The IP DF bit is not set.
In the fingerprint above, T2(Resp=N) means the host did not answer the null-flag probe, while the other probes drew a reply.
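As an added example (not part of the original post), a small Python parser for the fingerprint lines printed above: it splits each test into its key=value attributes so you can see which probes the host answered and what window it advertised. The sample lines are copied from the scan output on this page.

```python
import re

# Constructed sample: the TCP/IP fingerprint lines nmap 4.11 printed for the -O scan above.
FINGERPRINT = """\
TSeq(Class=RI%gcd=1%SI=2748CB%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""

# Each line is NAME(key=value%key=value...); a key may carry an empty value (Ops=).
TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")

def parse_fingerprint(text):
    """Map each test name to a list of attribute dicts (TSeq can repeat, so lists are kept)."""
    tests = {}
    for line in text.splitlines():
        m = TEST_LINE.match(line.strip())
        if not m:
            continue
        name, body = m.groups()
        attrs = {}
        for item in body.split("%"):
            key, _, value = item.partition("=")
            attrs[key] = value
        tests.setdefault(name, []).append(attrs)
    return tests

def is_tcp_probe(name):
    """T1..T7 are the TCP probes; TSeq and PU are not."""
    return name[0] == "T" and name[1:].isdigit()

def probes_answered(tests):
    """Names of the TCP probes for which the host replied (Resp=Y)."""
    return sorted(n for n, e in tests.items() if is_tcp_probe(n) and e[0].get("Resp") == "Y")

def window_sizes(tests):
    """Advertised TCP window (the W field is hex) for each probe that was answered."""
    return {n: int(e[0]["W"], 16) for n, e in tests.items() if is_tcp_probe(n) and "W" in e[0]}
```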
Example 9: How will you start scanning a network?
#nmap networkID/subnetmask
Following the command form above, you can try it this way:
#nmap 192.168.1.0/24
[root@satish ~]# nmap 192.168.1.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:31 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
605/tcp open unknown
Nmap finished: 256 IP addresses (1 host up) scanned in 5.654 seconds
Comments
As always ... awesome explanation ...!! gr8 job..