In this blog, I will walk through the different types of Nmap scanning techniques and how to use each one, with examples. This is a detailed article on Nmap scanning and how to defend against it.
Nmap ping scan:
Nmap ping scan is used to check whether the target host is up or down.
nmap -sn ipAddressOfTarget
Quick Scan Through Nmap
nmap -T4 -F IpAddressOfTarget
This will scan in a second
Quick scan plus:
nmap -sV -T4 -O -F --version-light ipAddressOfTarget
Quick Traceroute
nmap -sn --traceroute ipAddressOfTarget
Regular Scan:
nmap ipAddressOfTarget
This scan will check for the first 1000 ports by default
Intense Scan:
nmap -T4 -A -v 192.168.56.101
This is the most detailed scan
Intense scan no ping
nmap -T4 -A -v -Pn IpAddressOfTarget
This is an intense scan but without ping
Intense scan plus UDP scan
nmap -sS -sU -T4 -A -v IpAddressOfTarget
This is an intense scan and will scan UDP also
Intense Scan, all TCP ports
nmap -p 1-65535 -T4 -A -v ipAddressOfTarget
This is an intense scan that covers all 65535 TCP ports
Slow Comprehensive scan:
nmap -sS -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" IpAddressOfTarget
List Scan
-sL
This tells Nmap to list all the hosts that would be scanned.
Nmap performs reverse DNS resolution on the hosts,
which validates what you are planning to scan.
For Example:
nmap -sL NeworkThatYouWantToScan
or
nmap -sL DomainName
If you want to scan a specific subnet:
nmap -sL DomainName.com/27
This scan performs reverse DNS resolution on every address in the given subnet and validates the list of hosts we intend to scan; it does not check whether any host is online or offline.
Ping Scan (-sn)
This scan is used for host discovery
Ping scan is used to find a list of available hosts
This scan sends ICMP and TCP packets by default to check whether the host is up or down
Nmap performs host discovery by default, but specifying -sn (ping scan) tells Nmap to run only the host discovery (target enumeration) and reverse DNS resolution phases before moving on to the output phase.
The ping scan is useful for finding the available hosts on the network
By default, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. If you want to probe other ports, the -PS option can be used.
The main goal here is not to determine port states but to get some response from the host that verifies whether it is alive.
For Example:
nmap -sn NetworkIp/Subnet --dns-servers DnsServerIP
nmap -sn 192.168.0.0/27 --dns-servers 192.168.0.5
Nmap will perform target enumeration and host discovery with the default probe options, do reverse DNS resolution through the given server, and then print the results on screen.
Selective Scan:
Selective scan means that you should scan a specific range of IPs for which you are permitted to Scan.
Be selective while scanning: make sure you are only scanning your own network, not a network you are not authorized to scan.
You should exclude any devices for which you are not authorized to scan.
Check for devices with certain ports open.
Scanning Specific Hosts and Subnets
Subnets can be provided in CIDR notation
A range of IP is entered using a hyphen
Host names can be provided directly, meaning you can use hostnames instead of IPs where they are available.
Nmap also has an exclude option: with the
--exclude switch
you can specify devices, or a range of devices, to leave out of the scan.
For example:
To list-scan a range of IP addresses while excluding a certain host, such as a domain controller:
nmap -sL ipRange --exclude ActiveDirectoryHostName
or
nmap -sL 192.168.0.2-10 --exclude courseshub.org
Sending a List of Hosts and Networks to Nmap:
You can also provide a list of host and network IP addresses to Nmap
using the -iL option followed by a filename (filename.txt) for Nmap to scan.
For example
nmap -sL -iL KnownIpAddress.txt
This runs a list scan over the IP addresses read from the file KnownIpAddress.txt.
This method is useful when the list of IP addresses is already known.
The -iL option reads the hostnames or addresses stored in the file (KnownIpAddress.txt in our case) and -sL runs a list scan on them.
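The selective scan and --exclude / -iL sections above boil down to one check: every address you hand to Nmap should sit inside the range you are authorized to scan and outside any exclusion list. The following added example (my own code, not from this blog or from the Nmap project) expands Nmap-style target specs (single IP, CIDR, and the last-octet hyphen range such as 192.168.0.2-10), drops anything out of scope or excluded, and returns the approved list for an -iL file. The authorized scope and exclusions are assumed inputs you maintain yourself.

```python
import ipaddress


def expand_target(spec):
    """Expand one Nmap-style target spec into IPv4Address objects.

    Handles a single IP, CIDR (192.168.0.0/27, all 32 addresses like
    nmap -sL) and Nmap's last-octet hyphen range (192.168.0.2-10).
    A hostname is returned unchanged since no DNS is done offline.
    """
    if "/" in spec:
        return list(ipaddress.ip_network(spec, strict=False))
    if "-" in spec:
        base, last = spec.rsplit("-", 1)
        prefix, first = base.rsplit(".", 1)
        return [ipaddress.ip_address(f"{prefix}.{i}")
                for i in range(int(first), int(last) + 1)]
    try:
        return [ipaddress.ip_address(spec)]
    except ValueError:
        return [spec]  # hostname, left as-is


def select_targets(requested, authorized_scope, excluded):
    """Keep requested targets that fall inside the authorized scope and
    are not excluded. Returns (kept, rejected) as de-duplicated strings.
    Hostnames are rejected because they cannot be scope-checked offline."""
    scope = [ipaddress.ip_network(n, strict=False) for n in authorized_scope]
    excl = {str(t) for spec in excluded for t in expand_target(spec)}
    kept, rejected = [], []
    for spec in requested:
        for t in expand_target(spec):
            s = str(t)
            if isinstance(t, str) or s in excl or not any(t in n for n in scope):
                rejected.append(s)
            elif s not in kept:
                kept.append(s)
    return kept, rejected


if __name__ == "__main__":
    # Constructed sample: an in-scope range, a small in-scope CIDR and one
    # out-of-scope address; the exclusion mirrors the blog's --exclude usage.
    ok, bad = select_targets(["192.168.0.2-10", "192.168.0.0/30", "10.0.0.5"],
                             ["192.168.0.0/27"], ["192.168.0.5"])
    print("\n".join(ok))          # write this to a file and pass it with -iL
    print("rejected:", bad)
```

Redirect the printed list into a file and scan it with nmap -sL -iL that file, so the list scan only ever sees approved addresses.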
-iR
This option is used for a random scan.
The -iR option tells Nmap to generate a random list of IP addresses for scanning.
This option has no practical use in internal security testing, because the random
list of IP addresses will not contain the IPs of our internal network.
It was designed for research purposes, to generate a list of random IPs on the public network in order to discover vulnerabilities.
Defense Against the Host discovery:
Defending against the ping Scan:
As we have learned, Nmap uses a ping scan to detect hosts that are online.
To defend against a ping scan, you should block ICMP traffic; for that purpose, configure a host or network firewall to block ICMP traffic.
Nmap also sends TCP packets to ports 80 and 443; to prevent this, you should also configure a host or network firewall to drop TCP packets for ports 80 and 443.
If these services are not needed on your host, then you can block them in your firewall.
Ports 80 and 443 are usually blocked on hosts that are not configured as web servers, and blocking them will not allow anyone to run a ping scan against your host. The best strategy is to block these ports on devices that are not acting as web servers and leave them open on devices that are.
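Blocking the probes is one half of the defense; the other half is noticing when the four default -sn probes described earlier (ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp) hit several of your hosts from one source. The following added example (my own code, not from this blog) runs that detection over a few constructed firewall log lines; the field layout (SRC=, DST=, PROTO=, TYPE=, DPT= plus bare SYN/ACK flag words) is assumed to resemble Linux iptables LOG output and is not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed iptables-LOG-like layout): one source sends
# the full default -sn probe set to two hosts; a second source sends benign noise.
SAMPLE_LOG = """\
kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.0.10 PROTO=ICMP TYPE=8 CODE=0
kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.0.10 PROTO=TCP SPT=40125 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.0.10 PROTO=TCP SPT=40125 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.0.10 PROTO=ICMP TYPE=13 CODE=0
kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.0.11 PROTO=ICMP TYPE=8 CODE=0
kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.0.11 PROTO=TCP SPT=40125 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.0.11 PROTO=TCP SPT=40125 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.0.11 PROTO=ICMP TYPE=13 CODE=0
kernel: DROP IN=eth0 SRC=10.0.0.7 DST=192.168.0.10 PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S+)")
PROBE_SET = {"icmp_echo", "tcp_syn_443", "tcp_ack_80", "icmp_timestamp"}


def parse(line):
    """Return (key=value fields, set of bare TCP flag words) for one line."""
    return dict(FIELD.findall(line)), set(re.findall(r"\b(SYN|ACK|RST|FIN)\b", line))


def probe_kind(fields, flags):
    """Map a packet to one of the four default -sn probes, or None."""
    proto = fields.get("PROTO")
    if proto == "ICMP":
        return {"8": "icmp_echo", "13": "icmp_timestamp"}.get(fields.get("TYPE"))
    if proto == "TCP":
        if fields.get("DPT") == "443" and flags == {"SYN"}:
            return "tcp_syn_443"
        if fields.get("DPT") == "80" and flags == {"ACK"}:
            return "tcp_ack_80"
    return None


def find_ping_sweeps(log_text, min_hosts=2):
    """Return {src: [dst, ...]} for sources that sent the complete default
    probe set to at least min_hosts distinct destinations."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> dst -> probe kinds
    for line in log_text.splitlines():
        fields, flags = parse(line)
        kind = probe_kind(fields, flags)
        if kind and "SRC" in fields and "DST" in fields:
            seen[fields["SRC"]][fields["DST"]].add(kind)
    alerts = {}
    for src, dsts in seen.items():
        swept = sorted(d for d, kinds in dsts.items() if kinds == PROBE_SET)
        if len(swept) >= min_hosts:
            alerts[src] = swept
    return alerts
```

Feed real dropped-packet logs into find_ping_sweeps on a schedule; a single SYN to 443 from a browser never matches, but the full four-probe pattern across several hosts is the fingerprint of a default Nmap ping scan.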