Nmap is a port scanner included in many distributions of Linux and other UNIX-like systems. It can be used to scan machines on a network in a variety of different ways.
Command Line Options
-A                 Enables OS detection and version detection, script scanning and traceroute
-P0                Treat all hosts as online (skip host discovery)
-sS                TCP SYN scan
-sT                TCP connect scan
-sA                TCP ACK scan
-sW                TCP window scan
-sM                TCP Maimon scan
-sN                TCP null scan
-sF                TCP FIN scan
-sX                TCP Xmas scan
-p <port ranges>   Only scan specified ports
Nmap is run from the command line, so you run it just like any other command line program. For the most part,
nmap will run without needing root access, but for certain scans you will have to be root, because
nmap sometimes needs to create raw packets.
Things To Try
Scan scanme.nmap.org with the different flags listed above from
netsec-playground.cs.northwestern.edu. You can use sudo from netsec-playground. Look through the output and see how the scan results differ. A typical
nmap command line looks like this:
$ sudo nmap -A -sS -P0 -p 1-65535 scanme.nmap.org
Nmap allows you to easily scan an entire subnet. Before running this command, discuss with your partner which IP addresses it will scan. Be careful when scanning subnets, though. If you specify something like 22.214.171.124/1 by accident, you'll actually be scanning half of the internet.
$ sudo nmap -A -sS -P0 126.96.36.199/31
You can run the following scan without root privilege. Why?
$ nmap -sT -p 1-65535 scanme.nmap.org
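The two points above (check which addresses a subnet target covers before scanning, and why -sT needs no root) as an added Python example; this is not part of the handout. The connect scan below does what -sT does: a normal three-way handshake through the socket API, with no raw packets. The allowlist, host limit and local listener are constructed for the demonstration.

```python
import ipaddress
import socket

# Constructed scope for the demo (assumed values, not the lab's real scope):
# only loopback and the single lab VM address from the handout are allowed.
ALLOWED_SCOPE = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("10.13.143.128/32")]
MAX_HOSTS = 256  # refuse anything larger, so a typo like /1 never runs


def check_scope(target: str):
    """Return the host addresses a CIDR target expands to, or raise ValueError
    when it is too large or falls outside the agreed scope."""
    net = ipaddress.ip_network(target, strict=False)
    if net.num_addresses > MAX_HOSTS:
        raise ValueError(f"{target} covers {net.num_addresses} addresses")
    if not any(net.subnet_of(allowed) for allowed in ALLOWED_SCOPE):
        raise ValueError(f"{target} is outside the agreed scope")
    # hosts() excludes network/broadcast addresses; a /32 is just the one host
    return [str(h) for h in net.hosts()] or [str(net.network_address)]


def connect_scan(host: str, ports, timeout: float = 0.5):
    """TCP connect scan (nmap -sT): the kernel performs the full handshake via
    connect(), so an unprivileged user can do it. Returns the open ports."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                open_ports.append(port)
    return open_ports


def start_listener():
    """Constructed target: a listening socket on loopback. Returns (socket, port).
    The kernel completes handshakes into the backlog, so no accept() is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Pick a loopback port that is currently closed (bind, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    for host in check_scope("127.0.0.1/32"):
        print(host, "open:", connect_scan(host, [open_port, closed_port]))
```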
Read the man page:
$ man nmap
Try scanning the vulnerable VM used for the Nessus lab at 10.13.143.128 with nmap. There is a service located in the port range 1400-1600; use ncat and nmap to exploit it (maybe with the help of some searching online). Note that you will have to scan from hamsa, since the VM is firewalled, and therefore you cannot use scans that require root access.
Copyright 2008 the following:
Sam McIngvale email@example.com
Jim Spadaro firstname.lastname@example.org
Whitney Young email@example.com
All rights reserved. Permission to reproduce this document in whole or in part must be obtained from the authors.