
Thread: Nmap Tutorial

  1. #1
    Senior Member
    Join Date
    Oct 2001

    Nmap Tutorial

    I am aware that this kind of thing isn't exactly what we want all the script kiddies and so on to learn, but there are people on AntiOnline who will find this information useful from a security point of view, not from a hacking point of view. The abundance of total idiots on AntiOnline is not my problem, and I am merely providing information for those who can be responsible enough to know when to use it and when not to...
    I take no responsibility for anything anyone does having read this. It's your own dumb fault. If you are reading this for illegal intentions, do not proceed beyond this point.

    That said, I can post the tutorial now.

    Using NMAP

    This tutorial goes through some examples of using nmap, and gives you a
    rundown of the options available, and whether you need root privileges to
    use them.

    Nmap is perhaps the greatest port scanner of all time, and thus a very
    useful tool. If someone were to launch an attack against your network,
    running nmap would more than likely give them vital information. The
    purpose of this tutorial is not to teach people how to run nmap against
    others networks with the goal of breaking into them, it is to teach you
    how you can test the security of your own network, firewall etc. with the
    aim of improving your overall security.

    Basic Scanning
    nmap's standard TCP scan is the TCP connect() scan. This scan is usually
    easy to detect by firewalls and IDS systems; however, it is the best an
    unprivileged user can do: nmap requires root to perform the more
    sophisticated (and less easily detectable) scans.

    nmap -sT

    is the standard command for a TCP Connect scan. This scan type connects
    to each port between 1 and 1024, plus those listed in nmap-services which
    are of interest (e.g. ports known to be used by trojans or other vulnerable

    UDP Scanning
    As well as TCP scans, nmap offers a UDP scan option, -sU:

    nmap -sU

    This option scans for ports open on the UDP protocol.

    SYN Scans
    The TCP SYN scan requires root privileges for raw socket support. The TCP
    SYN scan doesn't establish a full connection to a host, so it is more
    difficult to detect. Most modern Intrusion Detection Systems do check for
    excess SYNs floating around though, and if every port is scanned in order
    it doesn't take much to piece together that a portscan is going on, most
    IDS' can do that.

    nmap -sS

    is the typical TCP SYN scan command.

    Other Scans
    These scans are all similar to the SYN scan, in that they require root
    privileges to use, but are not so easy to detect (IDSs look for
    SYN scans but not necessarily these ones).
    -sF - FIN Scan (Sends FIN packets instead of SYN)
    -sX - Xmas Tree Scan (I don't know the specifics of this one)
    -sN - Null Scan (Pretty obvious I think)
    These scans will *not* work against an MS Windows box due to the way Microsoft
    chose to ignore the rest of the world as usual and do things their own way.
    This can be useful, however, because you can vaguely determine OS type based
    on running a SYN and a NULL. If the SYN shows up open ports, but NULL doesn't,
    you're probably looking at a Windows box. (Of course, this usage is more or
    less obsolete now with the -O OS Fingerprinting option of nmap)

    Ping Options
    nmap will ping the host to check that it is alive before scanning. Some hosts
    block ICMP Echo Requests (pings), however, so the scan will fail but the host
    will still be up. There is an option to not ping the target, but scan anyway.
    Of course, this runs the risk of scanning a box that isn't there, but it's a
    risk you have to take:

    nmap offers different options for timing its scans. The 'normal' option is
    fine for most purposes, but to avoid detection, slower timing can be used, or
    to get a scan completed quickly, faster timing can be used. The timing option
    has the following format:
    -T <timeoption>
    where <timeoption> can be any of the following:
    0 (Paranoid)
    1 (Sneaky)
    2 (Polite)
    3 (Normal)
    4 (Aggressive)
    5 (Insane)
    You can use either the number or the phrase, e.g.:
    nmap -sS -P0 -T 2
    nmap -sS -P0 -T Polite
    both of those commands do the same thing.

    OS Fingerprinting
    nmap has TCP/IP fingerprinting support, which can help determine remote OS
    type, and other useful information such as uptime.
    This option is simple:

    You can set a series of decoy hosts, to reduce chances of being detected. The
    option for these is the -D parameter, followed by a string of decoys separated
    by commas.

    Port Range
    nmap's default behaviour is to scan ports 1-1024 (the so called 'reserved'
    ports), plus those known to be 'interesting' (trojan ports, for example). You
    can change this behaviour as follows:
    -p <portrange>
    nmap -sS -P0 -p 1-1024 <--- Scan 1-1024 only
    nmap -sS -P0 -p 1-65535 <--- Scan all 65535 ports
    nmap -sS -P0 -p 25 <--- Scan port 25 only
    nmap -sS -P0 -p 25,80,110-1024 <--- Scan port 25, port 80, and ports 110-1024

    Further Reading
    nmap man pages
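Two points from the tutorial above, the -p port syntax and the remark that most IDSs spot a SYN scan that walks every port while slow timing (-T Paranoid) is meant to avoid that, shown from the defender's side in a small Python example. This is added here and is not code from the original post; the window, threshold, IP addresses and traffic below are constructed values, not real captures.

```python
"""Added example, not from the original post: a parser for nmap's -p port
spec (Port Range section) and a minimal threshold detector of the kind the
SYN Scans section says most IDSs run.  Tuning values and IPs are assumed."""
from collections import defaultdict

WINDOW = 60.0        # seconds of history kept per source (assumed tuning)
PORT_THRESHOLD = 20  # distinct destination ports per window that flag a scan

def expand_ports(spec):
    """Expand '25,80,110-1024' into a sorted port list; rejects ports outside
    1-65535 and reversed ranges such as '1024-1'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range: %r" % part)
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def detect_scans(records, window=WINDOW, threshold=PORT_THRESHOLD):
    """records: (timestamp, src_ip, dst_port) tuples in any order.
    Returns {src_ip: timestamp at which that source was first flagged}."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(records):
        by_src[src].append((ts, port))
    flagged = {}
    for src, events in by_src.items():
        recent = []  # sliding window of (ts, port) for this source
        for ts, port in events:
            recent.append((ts, port))
            while ts - recent[0][0] > window:  # expire probes older than window
                recent.pop(0)
            if len({p for _, p in recent}) > threshold:
                flagged[src] = ts
                break
    return flagged

def synthetic_scan(src, spec, interval, start=0.0):
    """Constructed probe records: one connection per port, interval seconds apart."""
    return [(start + i * interval, src, p) for i, p in enumerate(expand_ports(spec))]

# Constructed traffic: a fast scan, a -T Paranoid style scan (nmap waits five
# minutes between probes) and a host that only ever talks to ports 80 and 443.
FAST = synthetic_scan("10.0.0.5", "1-1024", 0.01)    # tripped within a second
SLOW = synthetic_scan("10.0.0.9", "1-1024", 300.0)   # never exceeds the threshold
NORMAL = [(float(t), "10.0.0.7", 80) for t in range(0, 1000, 10)] + [(5.0, "10.0.0.7", 443)]
```

`detect_scans(FAST + SLOW + NORMAL)` flags only 10.0.0.5; widening the window to cover the five-minute gaps (for example `window=7000.0`) catches the slow scan as well, which is the trade-off between timing options and detection the post describes.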

  2. #2
    Junior Member
    Join Date
    Aug 2019
    Thanks for the great tutorial. Recently I have written a long article on Nmap, and I hope that will be helpful for newbies.
    Here is the link to the post
