The first approach of every hacker is information gathering because without proper information you can not exploit your target. So what kind of data about your target is valuable for you. The answer is very simple if you could know what OS, Network, Service, etc is your target using then it’s easy to exploit.
We will discuss how can we get so much infomation about our target using NMAP.
Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Nmap is used to determine what hosts are available on the network, what services those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
You can download Nmap from it’s website for windows otherwise in Linux or parrot it is pre-installed. So Lets began
NMAP scan Types
I. TCP Connects
Syntax : nmap -sT <Target-IP> [-P<ports>]
- TCP connect scan completes the 3-Way handshake
- This is noisy because the services can log the sender IP address and might trigger intrusion Detection systems.
II. TCP SYN (stealth/half-open)
Syntax : nmap -sS <Target-IP> [-P<ports>]
- This Scan type is also known as half-open scanning because it never actually open a full TCP connection.
- Only Two steps of 3 way handshake happen
III. Null Scan
Syntax : nmap -sN <Target-IP> [-P<ports>]
- For non-windows server protected by a firewall this can be a way to get through.
- Another very stealthy scan that sets all the TCP header flag to off or null. In null scan no flag is set.
IV. UDP Scan
Syntax : nmap -sU <Target-IP> [-P<ports>]
- UDP scanning utilizes UDP and ICMP packets to discover the status of a port.
V. FIN Scan
Syntax : nmap -sF <Target-IP> [-P<ports>]
- Non-windows servers protected by a firewall, this can be a way to get through.
- Stealthy sneak through stateless firewalls and packets filters, by turning on different TCP flags like FIN. In FIN scan fin flag is set.
VI. XMAS Scan
Syntax : nmap -sX <Target-IP> [-P<ports>]
- Sets all the TCP headers flag to FIN, URG,PHS
- For Non-window server protected by firewall this can be a way to get through.
VII. ACK Scan
Syntax : nmap -sA <Target-IP> [-P<ports>]
- Sets all the TCP header flag to ACK
- The ACK scan isn’t meant to discover the open/closed status of ports.
VIII. IDLE or ZOMBIE Scan
Syntax : nmap -sI <Zombie-IP> [-P<ports>] <Target-IP>
- In this scan, we need a “Zombie” in order to perform an idle scan.
- It is only used for malicious attacks in order to hide your identity and scan hosts.
- Typically harder to perform these days as firewalls detects and blocks.
IX. Scanning an IP
Syntax : nmap <Target-IP>
- You can scan a target by simply typing the target IP and nmap will start scanning for default 1000 ports.
- You can add -v to see verbose output.
Scanning a Range of IPs :
Syntax : nmap <IP address – range> (example: nmap 192.168.43.1-215)
X. Host Subnet Scan
At first calculate IP address (ipcalc <IP address>)
Syntax : nmap <Host network> -v
- Example: nmap 192.168.43.0/24 -v
- To Scan fast simply add -F at the end.
There are so many Script of Nmap but these are the important Script which is used on the regular basis. if you have to know about all the script than you can checkout Nmap files all the scripts are available there.
I hope This blog will help you in your day to day task of scanning and gathering information about your target. if you have any suggestions leave a comment.