nmap scanning | Learn Nmap

August 14, 2022

In this post I will walk through the different Nmap scanning techniques one by one, with an example command for each. It is a detailed article on Nmap scanning and on how to defend against it.

Nmap ping scan:

Nmap ping scan is used to check whether the target host is up or down.

nmap -sn ipAddressOfTarget

Quick Scan Through Nmap

nmap -T4 -F IpAddressOfTarget

This is a fast scan: -F limits it to the 100 most common ports and -T4 selects aggressive timing, so it finishes in about a second.

Quick scan plus:

nmap -sV -T4 -O -F --version-light ipAddressOfTarget

This is the quick scan plus service version detection (-sV, kept light with --version-light) and OS detection (-O).

Quick Traceroute

nmap -sn --traceroute ipAddressOfTarget

Regular Scan:

nmap ipAddressOfTarget

This scan checks Nmap's default set of 1000 TCP ports.

Intense Scan:

nmap -T4 -A -v 192.168.56.101

This is the most detailed scan: -A enables OS detection, version detection, default scripts and traceroute, and -v increases verbosity.

Intense scan no ping

nmap -T4 -A -v -Pn IpAddressOfTarget

This is the intense scan with host discovery skipped (-Pn), so the target is scanned even if it does not answer the ping probes.

Intense scan plus UDP scan

nmap -sS -sU -T4 -A -v IpAddressOfTarget

This is an intense scan that also scans UDP ports (-sU).

Intense Scan, all TCP ports

nmap -p 1-65535 -T4 -A -v ipAddressOfTarget

This is an intense scan that covers all 65535 TCP ports.

Slow Comprehensive scan:

nmap -sS -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" IpAddressOfTarget

This combines the intense scan with several host-discovery probe types (ICMP echo and timestamp, TCP SYN and ACK, UDP and SCTP INIT), a source port of 53, and the default plus safe discovery NSE scripts.

List Scan

-sL

This tells Nmap to list the hosts that would be scanned, without scanning them.

Nmap performs reverse DNS resolution on those hosts, which lets you validate what you are planning to scan.

For Example:

nmap -sL NetworkThatYouWantToScan

or

nmap -sL DomainName

If you want to list a specific subnet:

nmap -sL DomainName.com/27

This scan performs reverse resolution only; it does not check whether the hosts are online or offline, it just resolves and validates the list of hosts in the given subnet that we want to scan.

Ping Scan (-sn)

This scan is used for host discovery.
A ping scan is used to find the list of available hosts.
By default it sends ICMP and TCP packets to check whether each host is up or down.

Nmap performs host discovery by default anyway, but specifying -sn (ping scan) tells it to stop after the target enumeration, host discovery and reverse DNS resolution phases and go straight to output, skipping the port scan.

The ping scan is useful for finding the available hosts on the network

By default, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. If you want to probe other ports, the -PS option can be used.

The goal here is not the port state but any response from the host, which is enough to show that the host is alive.

For Example:

nmap -sn NetworkIp/Subnet --dns-servers DnsServerIP
nmap -sn 192.168.0.0/27 --dns-servers 192.168.0.5

Nmap will perform target enumeration and host discovery with the default probes, do reverse DNS resolution through the given server, and then print the results on screen.

Selective Scan:

Selective scanning means scanning only the specific range of IPs that you are permitted to scan.

Be selective while scanning: make sure you are only scanning your own network, not another network that you are not authorized to scan.

You should exclude any devices for which you are not authorized to scan.

Check for devices with certain ports open.

Scanning Specific Hosts and Subnets

Subnets can be provided in CIDR notation.
A range of IPs is entered using a hyphen.
Host names can be provided directly, so you can use hostnames instead of IPs where available.
Nmap also has an exclude option that lets you leave specific devices out of the scan:

--exclude switch

With --exclude you can specify devices, or a range of devices, to exclude from the scan.

For example:

To list-scan a range of IP addresses while excluding a certain host, such as a domain controller:

nmap -sL ipRange --exclude ActiveDirectoryHostName

or

nmap -sL 192.168.0.2-10 --exclude courseshub.org

Sending a List of Hosts and Networks to Nmap:

You can also provide Nmap with a list of host and network IP addresses from a file.

Use the -iL option followed by the filename (for example filename.txt) to have Nmap read its targets from that file.

For example

nmap -sL -iL KnownIpAddress.txt

This lists the IP addresses read from the file KnownIpAddress.txt.

This method is useful when the list of IP addresses is already known: Nmap reads the hostnames and addresses stored in KnownIpAddress.txt and -sL runs a list scan over them.
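As an added example (not from the original post) of the selective-scan advice above, the script below expands the nmap target syntax used in the --exclude and -iL sections (CIDR blocks, last-octet ranges, single addresses) from a constructed KnownIpAddress.txt, checks every address against an assumed authorized scope, and builds the --exclude value for anything outside it. AUTHORIZED, EXCLUDED and the file contents are made-up values.

```python
import ipaddress

# Constructed stand-in for a target file such as KnownIpAddress.txt,
# one nmap-style target per line.
TARGET_FILE = """\
192.168.0.2-10
192.168.0.64/27
10.0.5.7
# stale entry from an old engagement
172.16.9.0/30
"""

# Hypothetical authorized scope and explicit exclusions (values assumed).
AUTHORIZED = ["192.168.0.0/24", "10.0.5.0/24"]
EXCLUDED = ["192.168.0.5"]   # e.g. the domain controller you would pass to --exclude

def expand_target(spec):
    """Expand one nmap IPv4 target spec (CIDR, a.b.c.x-y last-octet range, or
    single address) into the addresses nmap would actually probe."""
    spec = spec.strip()
    if "/" in spec:
        # like nmap, include the network and broadcast addresses of a CIDR block
        return list(ipaddress.ip_network(spec, strict=False))
    if "-" in spec:
        base, last = spec.rsplit(".", 1)
        lo, hi = (int(x) for x in last.split("-"))
        return [ipaddress.ip_address(f"{base}.{i}") for i in range(lo, hi + 1)]
    return [ipaddress.ip_address(spec)]

def check_scope(target_text, authorized, excluded):
    """Split a target file into (in_scope, out_of_scope) address lists."""
    auth_nets = [ipaddress.ip_network(n) for n in authorized]
    excl = {ipaddress.ip_address(a) for a in excluded}
    in_scope, out_of_scope = [], []
    for line in target_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and '#' comments are skipped here
        for addr in expand_target(line):
            if addr in excl:
                continue
            (in_scope if any(addr in n for n in auth_nets) else out_of_scope).append(addr)
    return in_scope, out_of_scope

def exclude_arg(addresses):
    """Build the comma-separated value for nmap's --exclude from a list of addresses."""
    return ",".join(str(a) for a in addresses)
```

Run check_scope on the real target file before the scan and pass exclude_arg(out_of_scope) to --exclude, or better, drop those lines from the file altogether.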

-iR

This option is used for random scanning.

The -iR option tells Nmap to generate a random list of IP addresses to scan.

It has no practical use in internal security testing, because a random list of IP addresses is unlikely to contain any IPs from our internal network.

This option was designed for research purposes: generating a list of random IPs on the public Internet in order to discover vulnerabilities.

Defense Against the Host discovery:

Defending against the ping Scan:

As we have seen, Nmap uses a ping scan to detect hosts that are online.
To defend against a ping scan, block ICMP traffic by configuring a host or network firewall to drop it.

Nmap also sends TCP packets to ports 80 and 443; to prevent this, configure the host or network firewall to drop TCP packets to those ports as well.

If these services are not needed on your host, block them in your firewall.

Ports 80 and 443 are usually blocked on hosts that are not configured as web servers, and blocking them prevents a ping scan from reaching those hosts. The best strategy is to block these ports on devices that are not acting as web servers and leave them open only on devices that are. Keep in mind that this only raises the bar: on the local subnet Nmap discovers hosts with ARP requests, and the -Pn scan shown earlier skips host discovery entirely, so the firewall rules should be paired with logging and alerting on the probes they drop.
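To go with the firewall advice above, here is an added example (not from the original post) of detecting the default ping-scan probe set described earlier, namely the ICMP echo request, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp request, in iptables LOG output: it flags any source that sends three or more of those four probe types to one host within five seconds. The log lines are constructed, and the log prefix PROBE, the window and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 5    # nmap -sn sends its probes to a host almost simultaneously
MIN_PROBE_KINDS = 3   # distinct default-probe types seen before we alert
# Constructed iptables LOG lines (assumed --log-prefix "PROBE"), not captured traffic.
LOG_LINES = """\
Aug 14 10:00:01 gw kernel: PROBE IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.10 LEN=28 TTL=44 PROTO=ICMP TYPE=8 CODE=0 ID=21 SEQ=0
Aug 14 10:00:01 gw kernel: PROBE IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.10 LEN=44 TTL=44 PROTO=TCP SPT=41000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:00:01 gw kernel: PROBE IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.10 LEN=40 TTL=44 PROTO=TCP SPT=41001 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Aug 14 10:00:02 gw kernel: PROBE IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.10 LEN=40 TTL=44 PROTO=ICMP TYPE=13 CODE=0 ID=21 SEQ=0
Aug 14 10:00:30 gw kernel: PROBE IN=eth0 OUT= SRC=192.168.0.77 DST=192.168.0.10 LEN=52 TTL=64 PROTO=TCP SPT=50222 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Return (timestamp, src, dst, probe_kind) for a default nmap -sn probe, else None."""
    head, sep, body = line.partition(" kernel: ")
    if not sep or "IN=" not in body:
        return None
    ts = datetime.strptime(head[:15], "%b %d %H:%M:%S")  # syslog "Mon DD HH:MM:SS"
    fields, flags = {}, set()
    for tok in body[body.index("IN="):].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)  # bare tokens are TCP flags (SYN, ACK, ...) or DF
    proto, dpt, kind = fields.get("PROTO"), fields.get("DPT"), None
    if proto == "ICMP":
        kind = {"8": "icmp-echo", "13": "icmp-timestamp"}.get(fields.get("TYPE"))
    elif proto == "TCP" and dpt == "443" and flags & {"SYN", "ACK"} == {"SYN"}:
        kind = "tcp-syn-443"
    elif proto == "TCP" and dpt == "80" and flags & {"SYN", "ACK"} == {"ACK"}:
        kind = "tcp-ack-80"
    return (ts, fields["SRC"], fields["DST"], kind) if kind else None

def find_ping_scans(log_text):
    """Map (src, dst) -> sorted probe kinds for sources sending MIN_PROBE_KINDS+ types within WINDOW_SECONDS."""
    events = defaultdict(list)
    for ts, src, dst, kind in filter(None, map(parse_line, log_text.splitlines())):
        events[(src, dst)].append((ts, kind))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            kinds = {k for t, k in evs[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
            if len(kinds) >= MIN_PROBE_KINDS:
                hits[key] = sorted(kinds)
                break
    return hits
```

The single SYN from 192.168.0.77 stays below the threshold, so only the 192.168.0.50 burst is reported.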
