
A Guide To Port Scanning Using Nmap

In TCP and UDP, a port is one end of a logical connection: the number that tells the host which service a packet is for. Port scanning is the process of finding out which ports on a system are open, closed or filtered, mainly in order to learn what services and software are running behind them.
Nmap is the most commonly used port scanner. In this article, I explain how to use nmap for port scanning.

Numbering of Ports


Ports are identified by numbers ranging from 0 to 65535, split into three ranges:
-> 0 – 1023 are the well-known (system) ports, used by standard services such as SSH (22), SMTP (25) and HTTP (80); on Unix-like systems binding them requires root.
-> 1024 – 49151 are registered ports, assigned by IANA to particular applications.
-> 49152 – 65535 are dynamic (private) ports, not registered, used for ephemeral client connections and private services.

Installing nmap

On a Linux system, nmap can be installed in a few steps.
For example, on Ubuntu it can be installed using :
# sudo apt-get install nmap

Nmap Test Server

Nmap reveals a lot of information about a host, and attackers use it for malicious purposes all the time. So port scanning with nmap should never be tried against machines you do not own without written approval from their owner. Scanme.nmap.org is a test machine maintained by the nmap developers for learning purposes; anyone who wants to practise port scanning with nmap can use it.

Port Scanning using nmap

In this article, I explain some of the most commonly used nmap commands and their outputs.

1. To check list of common ports

You can see the list of well-known port-to-service assignments known to your system using the following command (nmap keeps its own, larger table in nmap-services) :
# less /etc/services
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
qotd 17/tcp quote
.......

2. Nmap with no arguments

To list the open ports on a host and the service normally found on each of them (with no arguments nmap scans the 1000 most common TCP ports and looks the service name up by port number; it does not verify what is actually listening) :
# sudo nmap scanme.nmap.org
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
31337/tcp open Elite

3. Print software version in a host

To identify the software and version behind each open port, use -sV; nmap then sends protocol-specific probes to the port instead of trusting the port number. Where a probe gets no usable answer the service is marked with a ? or as tcpwrapped :
# sudo nmap -sV scanme.nmap.org
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
25/tcp open smtp?
80/tcp open http Apache httpd 2.4.7
31337/tcp open tcpwrapped

4. Scan for host Operating System

Nmap can also fingerprint the operating system of a remote host. OS detection (-O) needs raw packet privileges, hence sudo, and the guesses are less reliable across many hops or through a firewall, as the output below shows.
# sudo nmap -O scanme.nmap.org
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
31337/tcp open Elite
Device type: general purpose|WAP|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (86%)
Aggressive OS guesses: Linux 2.6.18 (86%), DD-WRT v23 (Linux 2.4.34) (85%), OpenWrt Kamikaze 8.09 (Linux 2.6.25.20) (85%), Linux 2.6.15 (Ubuntu) (85%), Linux 2.6.15 - 2.6.26 (85%), Linux 2.6.23 (85%), Linux 2.6.27.21-grsec (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 21 hops

5. Scan a number of hosts at once

Nmap can scan more than one host at a time.
For example, the following command scans the hosts with IP addresses 192.168.1.1 to 192.168.1.255 :
# sudo nmap 192.168.1.1-255
By default nmap first pings each address and only port-scans the ones that answer. You can use the -Pn option to skip this host discovery and port-scan every address as if it were up (-PN is the older spelling of the same option); this is slower but finds hosts that drop ping probes.
The following command scans hosts ranging from 10.0.0.1 to 10.0.255.254 :
# sudo nmap -Pn 10.0.0-255.1-254
Alternatively, CIDR notation can be used :
# sudo nmap -Pn 192.122.0.0/16
This scans all 65536 addresses from 192.122.0.0 to 192.122.255.255 (a /16 leaves 16 host bits, and 2^16 = 65536).

6. Do reverse DNS resolution

By default nmap only does reverse DNS lookups on addresses that are found to be up. You can use the -R option to tell nmap to do reverse DNS resolution on every address in the range 192.123.0.0 to 192.123.0.255, whether or not it responds :
# sudo nmap -Pn -R 192.123.0.0-255

7. Do not do reverse DNS resolution

Alternatively, you can use the -n option to tell nmap never to do reverse DNS resolution on the addresses it scans in the range 192.123.0.0 to 192.123.0.255. This makes large scans noticeably faster and avoids sending a DNS query for every target :
# sudo nmap -Pn -n 192.123.0.0-255

8. Exclude hosts from scanning

The following command excludes the host with IP address 192.123.0.10 while scanning the ports of the hosts ranging from 192.123.0.0 to 192.123.0.255 :
# sudo nmap -Pn -n 192.123.0.0-255 --exclude 192.123.0.10
To exclude more than one host, separate the addresses with a comma and no spaces; with a space after the comma the shell passes the second address as a separate argument and nmap scans it instead of excluding it :
# sudo nmap -Pn -n 192.123.0.0-255 --exclude 192.123.0.10,192.123.0.11
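To make the target-specification rules in sections 5 and 8 concrete, here is an added example (my own code, not part of nmap) that expands the three forms used above, a single address, per-octet ranges such as 10.0.0-255.1-254 and CIDR such as 192.122.0.0/16, and applies a comma-separated exclude list. The function names are mine; it counts addresses the way nmap does, so a /16 comes out as 65536 and 10.0.0-255.1-254 as 256 × 254 = 65024.

```python
"""Expand nmap-style IPv4 target specs and apply --exclude.

Added example, not nmap code. Handles the forms used in this article:
  192.123.0.10            a single address
  192.168.1.1-255         a range in any octet (several octets may have ranges)
  192.122.0.0/16          CIDR, expanded including the .0 and .255 addresses
"""
import ipaddress
from typing import Iterator, List, Set


def _octet_values(field: str) -> range:
    """'5' -> 5..5, '1-254' -> 1..254, '-' or '' -> 0..255 (nmap allows open ends)."""
    if field in ("", "-"):
        return range(0, 256)
    if "-" in field:
        lo_s, hi_s = field.split("-", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 255
    else:
        lo = hi = int(field)
    if not (0 <= lo <= hi <= 255):
        raise ValueError(f"bad octet range: {field!r}")
    return range(lo, hi + 1)


def expand_targets(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every IPv4 address matched by one nmap-style target spec."""
    if "/" in spec:
        # strict=False: nmap accepts host bits set, e.g. 192.122.0.5/16
        net = ipaddress.ip_network(spec, strict=False)
        yield from net  # iterating a network yields all 2^(32-prefix) addresses
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    a, b, c, d = (_octet_values(o) for o in octets)
    for w in a:
        for x in b:
            for y in c:
                for z in d:
                    yield ipaddress.IPv4Address(f"{w}.{x}.{y}.{z}")


def parse_exclude(arg: str) -> Set[ipaddress.IPv4Address]:
    """--exclude is a comma-separated list of target specs with no spaces.
    (With a space after the comma the shell would split the argument and
    nmap would treat the second address as a target to scan.)"""
    excluded: Set[ipaddress.IPv4Address] = set()
    for item in arg.split(","):
        excluded.update(expand_targets(item))
    return excluded


def resolve_scan_list(specs: List[str], exclude: str = "") -> List[ipaddress.IPv4Address]:
    """Ordered, de-duplicated list of addresses nmap would actually scan."""
    excluded = parse_exclude(exclude) if exclude else set()
    seen: Set[ipaddress.IPv4Address] = set()
    out: List[ipaddress.IPv4Address] = []
    for spec in specs:
        for addr in expand_targets(spec):
            if addr in seen or addr in excluded:
                continue
            seen.add(addr)
            out.append(addr)
    return out


def count_targets(spec: str) -> int:
    """How many addresses a spec expands to (useful before launching a big scan)."""
    return sum(1 for _ in expand_targets(spec))


if __name__ == "__main__":
    for s in ("192.168.1.1-255", "10.0.0-255.1-254", "192.122.0.0/16"):
        print(f"{s:22s} -> {count_targets(s)} addresses")
    targets = resolve_scan_list(["192.123.0.0-255"], exclude="192.123.0.10,192.123.0.11")
    print(f"192.123.0.0-255 minus two excludes -> {len(targets)} addresses")
```

Running `count_targets` on a spec before scanning is a cheap sanity check against typos such as a /8 where a /24 was intended.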

9. Fast scan

You can use the -F option with nmap to do a fast scan. This scans the 100 most common ports instead of the default 1000, so it finishes much sooner at the cost of missing services on less usual ports :
# sudo nmap -F scanme.nmap.org

10. Select random targets

The -iR option tells nmap to pick its targets at random from the whole Internet rather than from a range you give it. The number is how many random hosts to scan; 0 means keep choosing targets until you stop nmap. For example, the following command port-scans 10 random Internet hosts (exactly the kind of scan that needs authorization and is rarely appropriate) :
# sudo nmap -Pn -iR 10
If what you want is to scan a range you control in random order, so that the targets are not hit sequentially, use --randomize-hosts instead :
# sudo nmap -Pn --randomize-hosts 192.123.0.0-255

11. Scan a specific port

You can scan a specific port on a host using the -p option with nmap. For example, the following command scans port 8000 on the host :
# sudo nmap -p 8000 scanme.nmap.org
PORT STATE SERVICE
8000/tcp filtered http-alt

12. Scan for port ranges

You can also scan more than one port at a time by giving -p a range of port numbers (or a comma-separated list, e.g. -p 22,80,443; -p- means all 65535 ports).
For example, the following command scans ports 1 to 10 on the target host :
# sudo nmap -p 1-10 scanme.nmap.org

13. TCP connect scan

This is the TCP scan type nmap uses by default when it is run without raw packet privileges (as root the default is the SYN scan below). It scans the target by completing a full TCP connection to each port with the connect() system call, which is slower, and more likely to be logged by the service, than a SYN scan :
# sudo nmap -sT scanme.nmap.org

14. UDP scan

The following command can be used to scan the UDP ports of a target host. UDP scans are slow, because a port that drops the probe cannot be told apart from an open service that simply does not reply, so such ports are reported as open|filtered; only an ICMP port unreachable proves a port closed :
# sudo nmap -sU scanme.nmap.org

15. TCP SYN scan

SYN scan is the most popular scan option and the default when nmap runs as root. It can scan thousands of ports per second quickly and relatively unobtrusively, since it never completes a connection that the service would see.
This technique is called half-open scanning. Instead of opening a full TCP connection, nmap sends a SYN packet and watches the reply: a SYN/ACK means the port is open (nmap then tears the connection down with a RST rather than completing the handshake), a RST means it is closed, and no reply or an ICMP unreachable error means it is filtered.
# sudo nmap -sS scanme.nmap.org

16. TCP ACK scan

This scan never determines whether a port is open. It is used to map firewall rulesets: it sends a bare ACK, and since a host answers an unsolicited ACK with a RST whether the port is open or closed, a RST means the port is unfiltered (reachable) and no answer means it is filtered. That tells you which ports a firewall blocks and whether the firewall is stateful, which is useful when planning further scans.
# sudo nmap -sA scanme.nmap.org

17. TCP Window scan

This scan is exactly like the ACK scan, the only difference being that it also examines the TCP window field of the RST packets that come back. On some systems the RST from an open port carries a positive window and the RST from a closed port a zero window, so nmap can tell the two apart; on systems that do not behave this way every port shows as closed, so treat its results with care.
# sudo nmap -sW scanme.nmap.org

18. TCP Null, FIN and Xmas scan

These three scan types are exactly the same in behaviour; the only difference is which TCP flags they set in the probe packets. They rely on RFC 793, under which a closed port answers a packet with no SYN, RST or ACK with a RST while an open port ignores it. So a RST means closed, and silence means open|filtered, because nmap cannot tell an open port from a firewall dropping the probe. Systems that do not follow the RFC here, Windows and many Cisco devices among them, send a RST from every port, so all ports show as closed.
Null Scan – It does not set any bits, i.e. the TCP flag header is null.
# sudo nmap -sN scanme.nmap.org
FIN Scan – It sets just the TCP FIN bit.
# sudo nmap -sF scanme.nmap.org
Xmas Scan – It sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.
# sudo nmap -sX scanme.nmap.org
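The scan types in sections 13 to 18 differ only in what they send and how they read the reply. The following added example (my own model, not nmap code) plays both sides: a constructed target host that answers probes the way RFC 793 describes, with switches for the two deviations discussed above, and the inference rules nmap applies for each scan type. Running the same ports through each scan shows why an ACK scan never says "open", why Null/FIN/Xmas report open|filtered, and what a non-RFC stack does to them. Scan names, class names and the sample ports are all mine; ICMP unreachable replies are left out for brevity.

```python
"""Model of how nmap infers port state from a target's reply, per scan type.

Added example, not nmap code. Target is a constructed host: some ports open,
some silently dropped by a firewall, everything else closed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What each nmap scan type puts on the wire (keys mirror the -s<X> letters).
PROBE_FLAGS = {
    "sS": SYN,             # SYN (half-open) scan
    "sT": SYN,             # connect() scan starts the same way, then finishes the handshake
    "sA": ACK,             # ACK scan
    "sW": ACK,             # Window scan: same probe, also inspects the RST's window
    "sN": 0,               # Null scan
    "sF": FIN,             # FIN scan
    "sX": FIN | PSH | URG,  # Xmas scan
}


@dataclass
class Reply:
    flags: Optional[int]   # None = nothing came back
    window: int = 0        # TCP window of a RST (only the Window scan looks at it)


@dataclass
class Target:
    open_ports: Set[int]
    filtered_ports: Set[int] = field(default_factory=set)
    rfc793_compliant: bool = True   # False: RST everything (Windows, many Cisco devices)
    rst_window_on_open: int = 0     # >0 on stacks whose RST from an open port has a window

    def respond(self, port: int, flags: int) -> Reply:
        if port in self.filtered_ports:
            return Reply(None)                       # firewall drops the probe silently
        is_open = port in self.open_ports
        if flags == SYN:
            return Reply(SYN | ACK) if is_open else Reply(RST | ACK)
        if flags & ACK:
            # Unsolicited ACK: RFC 793 says RST back whether open or closed.
            return Reply(RST, window=self.rst_window_on_open if is_open else 0)
        # No SYN/RST/ACK (Null, FIN, Xmas): closed -> RST, open -> silence per RFC 793.
        if is_open and self.rfc793_compliant:
            return Reply(None)
        return Reply(RST)


def infer_state(scan_type: str, reply: Reply) -> str:
    """Map a reply to nmap's state vocabulary for the given scan type."""
    if scan_type in ("sS", "sT"):
        if reply.flags is None:
            return "filtered"
        return "open" if (reply.flags & SYN and reply.flags & ACK) else "closed"
    if scan_type == "sA":
        return "filtered" if reply.flags is None else "unfiltered"
    if scan_type == "sW":
        if reply.flags is None:
            return "filtered"
        return "open" if reply.window > 0 else "closed"
    if scan_type in ("sN", "sF", "sX"):
        return "open|filtered" if reply.flags is None else "closed"
    raise ValueError(f"unknown scan type {scan_type!r}")


def scan_ports(target: Target, scan_type: str, ports: Iterable[int]) -> Dict[int, str]:
    """Probe each port with the scan type's flags and record the inferred state."""
    probe = PROBE_FLAGS[scan_type]
    return {p: infer_state(scan_type, target.respond(p, probe)) for p in ports}


if __name__ == "__main__":
    host = Target(open_ports={22, 80}, filtered_ports={25})
    for st in ("sS", "sA", "sN"):
        print(f"-{st}:", scan_ports(host, st, [22, 25, 80, 443]))
    windows_like = Target(open_ports={22}, rfc793_compliant=False)
    print("-sF against a non-RFC stack:", scan_ports(windows_like, "sF", [22, 443]))
```

Note how the firewalled port 25 and the open ports 22 and 80 all come back as open|filtered under the Null scan: the scan gains stealth at the price of that ambiguity, which is why a SYN or connect scan is usually run afterwards to settle it.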

19. Print host interfaces and routes

This option does not scan anything; it is mainly used for debugging routing problems. It prints the interface list and the system routes as nmap sees them, which is also the quickest way to check which interface and source address nmap will scan from :
# sudo nmap --iflist

20. Save output to a file

You can save nmap's scan output to a file with the -o options: -oN for normal output, -oX for XML, -oG for grepable output.
The -oA option stores the results in all three formats at once, using the given name as the base filename :
# sudo nmap -Pn -n 192.123.1.1-255 -oA scan-output
# ls scan-output.*
scan-output.gnmap
scan-output.nmap
scan-output.xml
The .nmap file is what you saw on the terminal, the .gnmap file has one line per host for grep and awk, and the .xml file is the one to feed to other tools and scripts.
