One might be curious to understand how network intruders get to know which ports are open on a computer? Or maybe how they detect which services are being run by the system without any prior permission of the network admin. Well, anybody can do this stuff and even more than this using an easy-to-use utility called Nmap.
Nmap is short for "Network MAPper," Nmap is a port scanner used by network security experts, network researchers, and network admins. It is often used for security scanning, simply to determine which services the system is running, to take the records of the operating system and various applications running on a system, the version of firewall a system is utilizing, or to have a quick inspection of the local network. In brief, a very useful tool to deal with.
Basic Usage
The fundamental syntax of Nmap command is as follows :
nmap [Scan Type] [Options] [Target]
To begin with, let's consider that we want to know which operating system is running on our computer system. To do this, use the following command;
nmap [Scan Type] [Options] [Target]
To begin with, let's consider that we want to know which operating system is running on our computer system. To do this, use the following command;
Of course, you will need root privileges to run this command along with some patience.
The most basic and default scan among all is the one that doesn't use any parameters but the target is your local IP address.
The most basic and default scan among all is the one that doesn't use any parameters but the target is your local IP address.
Prior to scanning any target port, Nmap will try to transmit an ICMP request to check whether the remote system is active. This will save time at the time of scanning a number of hosts as Nmap doesn't waste time in making attempts to explore the hosts that are offline.
Don’t ping -PN
If we use this option, Nmap simply won’t send any ICMP echo requests to the target/s.
This type of scan is helpful when we want to perform a quick survey of the target network to observe the hosts that are active, without any need to scan the target hosts for open ports.
ARP Ping scan
This –PR option will start to execute an ARP (Address Resolution Protocol) ping scan on the specified target host.-PR option is applied by default at the time of scanning the local network. This sort of search is much quicker than other ping processes. As LAN hosts can not block ARP requests, this method is more appropriate to be used.
NOTE: ARP Ping scan will work only on those targets which are in your subnet range.
Port Scanning Choices
Fast scan
The –F option will execute a scan for only 100 ports that are used most frequently.
Typically, Nmap will scan the 1000 most frequently used ports. This option decreases that to 100 which improves the port scanning speed drastically.
Scan only specific ports
The -p option will inform Nmap to scan the specific port(s).
To check if the HTTP port is open:
To check if the HTTP port is open:
You may also scan several ports by separating the port numbers with a comma (,). You can also mention a port range to be scanned with the use of a hyphen (-).
The above command will scan ports 22, 23, 443, and ports ranging from 50 to 100 and will show only OPEN ports among them.
Scan Ports by name
We can also use -p option to scan well-known ports by their names.
The above command will scan telnet (23) and FTP (21) ports and show their status.
All Ports Scan
The -p option along with a “*” is used to scan all the TCP/IP ports (which are 65,535 in number) on the target host.Select TCP or UDP protocol
Finally, using option -p we may also select some ports to scan depending upon which protocol they use- either TCP or UDP.Service version detection
The -sV option is used to determine the version of different services running on a host.
This finishes an overview of a most commonly used Linux command by network experts - NMAP and its parameters that are frequently used.