By Gopalsamy Rajendran

This document summarizes Nmap, a network scanning tool. It discusses what Nmap is used for including host discovery, port scanning, and OS detection. It also describes various scanning techniques like SYN scans, UDP scans, and version detection. Finally, it covers timing and output options in Nmap like scan speed, output formats, and XML output.


INTRODUCTION TO NMAP
By Gopalsamy Rajendran
$ uname -a

Security Analyst @ Securight Technologies Pvt Ltd
OWASP Cuddalore Chapter Leader
Volunteer @ Kerala Cyberdome
YouTuber | Blogger | Technical Speaker
Certified EC-Council Security Analyst
Proud Civil Engineer ( Since 2018 )
$ cat Context.txt

What is Nmap?
Target Specification
Host Discovery
Scanning Techniques
Version Detection
Timing and scan speed
Output
NSE ( Nmap Scripting Engine )
What is Nmap?

Network Mapper
Network discovery tool
Identifies live hosts in the network
Open ports, service version detection and OS detection
Vulnerability discovery
Target Specification:
-iL Include a list of IPs from a file
--exclude Exclude hosts or ranges from the scan
--excludefile Exclude a list of IPs from a file

Host Discovery:
-sL List the IPs that would be scanned
-sP Ping Scan

Another efficient way to discover hosts is arp-scan


Port Specification:
-p Scan a particular port
-p 22-200 Scan a port range
-p- Scan all ports
-F Fast scan of the 100 most common ports
--top-ports <n> Scan the n most common ports
-p-65535 Scan from port 1 to port 65535
Commands:
nmap -A -p 22 <target>
nmap -A -p 22-445 <target>
nmap -A -p- <target>
nmap -F <target>
nmap --top-ports 100 <target>
nmap -p-65535 <target>
Various Scanning Techniques:

TCP SYN Scan (-sS)
TCP Connect Scan (-sT)
UDP Scan (-sU)
Ping Scan (-sP)
Service Version Detection (-sV)
Idle Scan (-sI)
Xmas, Null, Fin ( -sX, -sN, -sF )
Flags explanation:

SYN - Synchronize
ACK - Acknowledge
RST - Reset
FIN - Final
NULL - No flags set
TCP Connect Scan (-sT)
Full open scan
Establishes a connection to the target
Uses the three-way handshake ( syn, ack, rst )
High chance of getting logged
Finds only TCP ports, not UDP
Command: nmap -sT <target>

[Diagram: packet exchange for an open port vs. a closed port]

TCP SYN Scan (-sS)
Half-open scanning
Sends SYN packets to the target
Won't create a session
Less possibility of getting logged
Fast and reliable
Command: nmap -sS <target>

[Diagram: packet exchange for an open port vs. a closed port]

UDP Scan (-sU)
Slow scanning
Finds only UDP ports
Don't forget to run a UDP scan on the given target

Command: nmap -sU <target>

[Diagram: UDP probe when the port is reachable, open, and closed]

Xmas Scan (-sX)
Sends a packet with the FIN, URG and PSH flags set
No reply - open
Reply with RST - closed

Command: nmap -sX <target>

[Diagram: packet exchange for an open port vs. a closed port]

Null Scan (-sN)
No flags are set
No reply - open
Reply - closed

Command: nmap -sN <target>

[Diagram: packet exchange for an open port vs. a closed port]

Fin Scan (-sF)
Only the FIN flag is set
No reply - open
Reply - closed
Command: nmap -sF <target>

[Diagram: packet exchange for an open port vs. a closed port]

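The scan types above each send a distinctive probe, which is what makes them visible to anyone reviewing firewall or IDS logs. The following is an added example (Python 3, standard library only), not code from the original slide deck: it classifies TCP probes by their flag combination and flags a source that sent the same probe type to many ports. The log format is constructed for illustration, one line per packet as "<src_ip> <dst_ip>:<dst_port> <flags>", with tcpdump-style flag letters or the word "none" for a packet with no flags set.

```python
"""Classify TCP scan probes in packet-level logs by their flag combinations.

Added example (Python 3, standard library only); it is not part of the
original slide deck. The log format is constructed for illustration:
one line per packet, "<src_ip> <dst_ip>:<dst_port> <flags>", where
<flags> uses tcpdump-style letters (S=SYN, F=FIN, P=PSH, U=URG, R=RST,
.=ACK) or the word "none" for a packet with no flags set.
"""
from collections import defaultdict

# Probe signatures for the scan types on the slides. A lone SYN is sent by
# both -sS and -sT, so a single packet cannot tell them apart.
PROBE_SIGNATURES = {
    "S": "SYN probe (-sS / -sT)",
    "F": "FIN scan (-sF)",
    "FPU": "Xmas scan (-sX)",
    "none": "NULL scan (-sN)",
}


def classify_probe(flags):
    """Return the scan type for a flag string, or None if it is not a probe."""
    if flags == "none":
        return PROBE_SIGNATURES["none"]
    # Sort the letters so "UPF" and "FPU" are treated the same.
    return PROBE_SIGNATURES.get("".join(sorted(flags)))


def parse_line(line):
    """Split one constructed log line into (src_ip, dst_ip, dst_port, flags)."""
    src, dst, flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src, dst_ip, int(dst_port), flags


def find_port_sweeps(lines, min_ports=5):
    """Return {src_ip: {scan_type: port_count}} for sources that sent one
    probe type to at least `min_ports` distinct destination ports."""
    ports_seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        src, _dst_ip, port, flags = parse_line(line)
        scan_type = classify_probe(flags)
        if scan_type is not None:
            ports_seen[src][scan_type].add(port)
    sweeps = {}
    for src, by_type in ports_seen.items():
        hits = {t: len(p) for t, p in by_type.items() if len(p) >= min_ports}
        if hits:
            sweeps[src] = hits
    return sweeps


# Constructed sample: 10.0.0.5 runs an Xmas scan against six ports,
# 10.0.0.6 sends three NULL probes, 10.0.0.7 is a normal client whose SYN
# is answered by the server with SYN/ACK ("S.").
SAMPLE_LOG = [
    "10.0.0.5 10.0.0.10:21 FPU",
    "10.0.0.5 10.0.0.10:22 FPU",
    "10.0.0.5 10.0.0.10:23 UPF",
    "10.0.0.5 10.0.0.10:25 FPU",
    "10.0.0.5 10.0.0.10:80 FPU",
    "10.0.0.5 10.0.0.10:443 FPU",
    "10.0.0.6 10.0.0.10:22 none",
    "10.0.0.6 10.0.0.10:80 none",
    "10.0.0.6 10.0.0.10:443 none",
    "10.0.0.7 10.0.0.10:443 S",
    "10.0.0.10 10.0.0.7:51512 S.",
]

if __name__ == "__main__":
    for src, hits in find_port_sweeps(SAMPLE_LOG).items():
        for scan_type, count in hits.items():
            print(f"{src}: {scan_type} against {count} ports")
```

With the default threshold only the Xmas sweep from 10.0.0.5 is reported; lowering `min_ports` to 3 also surfaces the NULL probes from 10.0.0.6, while the single SYN from 10.0.0.7 and the server's SYN/ACK reply are never counted as scan activity.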
Service Version Scan (-sV)
Used to find service versions
Gives details about the services

Command: nmap -sV <target>

Idle Scan (-sI)

Uses another system (the zombie host) to scan the target

Command: nmap -sI <zombie> <target>


Timing Scan (-T)
T0 - Paranoid
T1 - Sneaky
T2 - Polite
T3 - Normal
T4 - Aggressive
T5 - Insane
Command: nmap -sV -A -T3 <target>
Output options (-oN, -oX, -oA)
-oN - Normal output
-oX - XML output
-oA - All formats at once
--open - Shows only open ports
ndiff - Shows the difference between two XML result files

Commands:
nmap -A -oN result.txt <target>
nmap -A -oX result.xml <target>
nmap -A -oA result <target>
nmap -A <target> --open
ndiff result.xml result2.xml
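XML output is the format to keep when scan results feed other tooling, and comparing two runs is how a defender notices a newly exposed service. The following is an added example (Python 3, standard library only), not code from the original slide deck or from the Nmap project: it parses the XML that -oX writes and reports which open ports appeared or disappeared between two runs, in the spirit of ndiff. The two XML documents are constructed, trimmed-down samples in the shape Nmap writes (<nmaprun> / <host> / <address> / <ports> / <port> with a <state> and an optional <service> child).

```python
"""Parse Nmap XML output (-oX) and report open-port changes between two runs.

Added example (Python 3, standard library only); not part of the original
slide deck. The two XML documents below are constructed, trimmed-down
samples in the shape Nmap writes: <nmaprun> / <host> / <address> /
<ports> / <port> with a <state> and optional <service> child.
"""
import xml.etree.ElementTree as ET

# Constructed first scan: ssh and http open, https closed.
SCAN_1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX result.xml 10.0.0.10">
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed second scan: http has been closed, RDP has appeared.
SCAN_2 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX result2.xml 10.0.0.10">
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {host_ip: {(protocol, port): service_name}} for open ports only."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr.get("addr")] = ports
    return hosts


def diff_scans(old_xml, new_xml):
    """List (change, ip, protocol, port, service) tuples:
    '+' for a port that is newly open, '-' for one that is no longer open."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    changes = []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        for key in sorted(set(after) - set(before)):
            changes.append(("+", ip, key[0], key[1], after[key]))
        for key in sorted(set(before) - set(after)):
            changes.append(("-", ip, key[0], key[1], before[key]))
    return changes


if __name__ == "__main__":
    for change, ip, proto, port, service in diff_scans(SCAN_1, SCAN_2):
        print(f"{change} {ip} {port}/{proto} {service}")
```

Run against real files, `open_ports(open("result.xml").read())` gives the per-host inventory and `diff_scans` the delta; a "+" line for a port nobody requested is the kind of change that should open a ticket.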
Doubts ??
@hackison @hackison.official
@infosectamil @infosectamil