Nmap is probably the most used port scanner in the world. It can be used to identify live hosts, scan TCP and UDP open ports, detect firewalls, get versions of services running in remote hosts, and even, with the use of scripts, find and exploit vulnerabilities.
In this recipe, we will use Nmap to identify all the services running on our target application's server and their versions. We will do this in several calls to Nmap for learning purposes, but it can be done using a single command.
nmap -sn 192.168.56.102
nmap 192.168.56.102
nmap -sV -O 192.168.56.102
Nmap is a port scanner, this means that it sends packets to a number of TCP or UDP ports on the indicated IP address and checks if there is a response. If there is, it means the port is open; hence, a service is running on that port.
In the first command, with the -sn
parameter, we instructed Nmap to only check if the server was responding to the ICMP requests (or pings). Our server responded, so it is alive.
The second command is the simplest way to call Nmap; it only specifies the target IP address. What this does is ping the server; if it responds then Nmap sends probes to a list of 1,000 TCP ports to see which one responds and then reports the results with the ones that responded.
The third command adds the following two tasks to the second one:
-sV
asks for the banner—header or self identification—of each open port found, which is what it uses as the version-O
tells Nmap to try to guess the operating system running on the target using the information collected from open ports and versionsOther useful parameters when using Nmap are:
-sT
: By default, when it is run as a root user, Nmap uses a type of scan known as the SYN scan. Using this parameter we force the scanner to perform a full connect scan. It is slower and will leave a record in the server's logs but it is less likely to be detected by an intrusion detection system.-Pn
: If we already know that the host is alive or is not responding to pings, we can use this parameter to tell Nmap to skip the ping test and scan all the specified targets, assuming they are up.-v
: This is the verbose mode. Nmap will show more information about what it is doing and the responses it gets. This parameter can be used multiple times in the same command: the more it's used, the more verbose it gets (that is, -vv
or -v -v -v -v).-p N1,N2,…,Nn
: We might want to use this parameter if we want to test specific ports or some non-standard ports, where N1 to Nn are the port numbers that we want Nmap to scan. For example, to scan ports 21, 80 to 90, and 137, the parameters will be: -p 21,80-90,137
.--script=script_name
: Nmap includes a lot of useful scripts for vulnerability checking, scanning or identification, login test, command execution, user enumeration, and so on. Use this parameter to tell Nmap to run scripts over the target's open ports. You may want to check the use of some Nmap scripts at: https://nmap.org/nsedoc/scripts/.3.14.131.47