πŸ‘οΈNmap

https://www.kali.org/tools/nmap/ https://nmap.org/

Introduction to Nmap

Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It was created by Gordon Lyon. It supports a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

Basic command

nmap -p- -sC -sV -O -A -T4 -oA nmapOutputfile 10.10.X.X

    β€’ -p- -> Scans all the ports from 0 to 65535 available on the IP
    β€’ -sC -> Runs default scripts
    β€’ -sV -> version enumeration or service version
    β€’ -O  -> OS enumeration
    β€’ -A  -> Enumerate all the stuff as much as it can
    β€’ -T4 -> fast as time 4 (default is 3)
    β€’ -oA -> store the output on 3 types of format(nmap, gnmap, xml)

Cheatsheet for nmap

This cheat sheet was prepared by https://www.stationx.net/nmap-cheat-sheet/. You can also check out the cheatsheet. I've attached the file belowπŸ‘‡πŸ»

https://www.stationx.net/nmap-cheat-sheet/

Switches in nmap which you might need to know

SwitchDescription

-sA

ACK scan

-sF

FIN scan

-sI

IDLE scan

-sL

DNS scan (list scan)

-sN

NULL scan

-sO

Protocol scan (tests which IP protocols respond)

-sP

Ping scan

-sR

RPC scan

-sS

SYN scan

-sT

TCP connect scan

-sW

Window scan

-sX

XMAS scan

-A

OS detection, version detection, script scanning and traceroute

-PI

ICMP ping

-Po

No ping

-PS

SYN ping

-PT

TCP ping

-oA

output the results in 3 types of format(nmap, gnmap, xml)

-oN

Normal output

-oX

XML output

-T0 through -T2

Serial scans. T0 is slowest

-T3 through -T5

Parallel scans. T3 is slowest

--min-rate

Minimum packet sent for second

Port specific NSE scripts

Using NSE we can perform specific enumeration or exploitation on a host.

ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*

We can also use nmap to discover hosts in a given IP subnet.

Note: In the upcoming section, you will learn what the nmap is and its uses are. Please refer to the below section.

nmap -sn 10.10.1.1-254 -vv -oA nmapHostsOutput
    β€’ -sn -> Disable Port scanning
    β€’ -vv -> verbose mode
    β€’ -0A -> output the results in 3 types of format(nmap, gnmap, xml)

Bypassing Firewall

SwitchExampleDescription

-f

nmap -f 10.10.10.10

-g

nmap -g 80 10.10.10.10

Port Manipulation

-mtu

nmap -mtu 8 10.10.10.10

Crunching down Packets to 8 Byte

-D RND

nmap -D RND:10 10.10.10.10

Perform Decoy Scan and Generates Random non-reserved IP

β€”data 0xdeadbeef

nmap 10.10.10.10 --data 0xdeadbeef

Send the binary data 0's and 1's

--data-string "Ph34r my l33t skills"

nmap 10.10.10.10 --data-string "Ph34r my l33t skills"

Send strings as payload

--data-length 5

nmap --data-length 5 10.10.10.10

--randomize-hosts

nmap --randomize-hosts 10.10.10.10

send request to a IP from Random non-reserved IP

--badsum

nmap --badsum 10.10.10.10

Sends Bad or Bongus TCP/USP Checksum

To bypass firewall or monitoring system is suggests to use -T0 or -T1 flags.

-T# - nmap Timing templates - optimize and speed up scanning (higher is faster)

  • -T0 - paranoid (possible IDS evasion, slow)

  • -T1 - sneaky (possible IDS evasion, slow)

  • -T2 - polite (less bandwidth and target machine resources, slow)

  • -T3 - normal (default scan)

  • -T4 - aggressive (reasonably fast, modern and reliable network)

  • -T5 - insane (extraordinarily fast network)

  • the lower the number the slower the scan

Zenmap

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

Official Zenmap link
  • I strongly recomend you to go with Zenmap for the exam point of view.

  • When you started your exam, the first objective you have to do is that start Zenmap (GUI Version of Nmap) scan on your windows machine.

  • The reason is that in Parrot OS you may find it hard to parse all the IPs because the green colour with the terminal might overwhelm you. Instead, the Zenmap GUI would be useful to find out the services, OS running on that IP with a cute User Interface.

  • Trust me!πŸ’ͺ🏻 this would be the great life-changer of your exam.

  • I know as a penetration tester working on the terminal is cool 😎 but in the heat of the moment, the browser-based VM would make you tense.

Other Resources

https://media.x-ra.de/doc/NmapCheatSheetv1.1.pdf

https://www.youtube.com/watch?v=PS677owUk-c

Last updated