Some Nmap examples I thought I would post.

Scanning past Watchguard Firewalls: nmap -sS -iL targetlist.txt -P0 -sV -T4

Verbose Scan: nmap -v

This option scans all reserved TCP ports on the target machine. The -v option enables verbose mode.

nmap -sS -O /24

Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

nmap -v -iR 100000 -PN -p 80

Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

Instead of limiting ourselves to scanning just one target., let’s broaden our horizon’s to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our “community”. At the command line type the following (substituting a valid address of your choice of course):

nmap -sT -O 206.212.15.0-50

What this does is instruct nmap to scan every host between the IP addresses of 206.212.15.0 and 206.212.15.50. If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:

To create a human readable output file issue the -oN command into your nmap string so that it would look similar to this:

nmap -sT -O -oN sample.txt 206.212.15.0-50

Rather have a machine parsable file? Enter the -oM to pipe the output into a machine parsable file:

nmap -sT -O -oM sample.txt 206.212.15.0-50

*Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.

-I This is a handy little call that activates nmap’s TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let’s take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:

-iR Use this command to instruct nmap to scan random hosts for you.

-p Port range option allows you to pick what port or ports you wish nmap to scan against.

-v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.

-h Displays a quick reference of nmap’s calls

Now that we have looked at nmap’s three basic usage types and some of it’s other options, let’s mix and match them.

nmap -v -v -sS -O 209.212.53.50-100

This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses 209.212.53.50 and 209.212.53.100. This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let’s log our results into a human readable file for future reference:

nmap -v -v -sS -O -oN sample.txt 209.212.53.50-100

Now let’s make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of 209.212.53.50 and 209.212.53.100. Once again we will log the output (I’m a log junkie) for future reference into a human readable file called ftphttpscan.txt:

nmap -sS -p 23,80 -oN ftphttpscan.txt 209.212.53.50-100

Remember the -iR option mentioned previously? Let’s use it to take a random sampling of Internet web servers using the verbatim example from nmap’s man page:

nmap -sS -iR -p 80

Last but certainly not least, while gleaning information, don’t forget to nmap yourself. Just type at the command line: nmap 127.0.0.1 This is especially useful and recommended if you’re a newcomer to Linux and connected to the Internet via DSL or cable modem.

Detect promiscuous network devices or sniffers on a network

Old versions       nmap –script=promiscuous 10.0.1.0/24

New Versions     nmap -sV –script=sniffer-detect 10.0.1.0/24