NMAP COMPLETE TUTORIAL

NMAP TUTORIAL

Four Types of switches 

1.Synchronous Scans

2.Ping Scans

3.Time Scans

4.Output Type

Synchronous Scan:
All synchronous scans start with “-s”(without quotes), note that the ‘s’ denoting synchronous is not capital. Now a basic synchronous scan command is written as follows,

nmap -s[synchronous scan type] ip_address

---------------------------------------------------------

-sT Synchronous TCP scan

-sS Synchronous Stealth scan(This type of scan most of the time goes undetected by remote system)

-sF Synchronous FIN Scan(Sends FIN packets with RST flag)

-sX XMAS tree scan(A packet is known as XMAS when its all flag are set)

-sU UDP scan

-sN NULL Scan

-sP Ping Scan

-sO Protocol Scan

-sA ACK Scan

-sW Windows Scan

-sR Remote Procedure Call

-sL List DNS

-sI IDLE scan(A scan done with spoofed IP Address)

How to remember all synchronous scans: After reading above switch list you must have noted all types of scans appears to start with first letter capital of its own spelling placed next to “-s” except protocol scan which uses O. So practically you don’t need to remember anything other than which type of scan you want to perform then post fix “-s” with its capital letter. Isn’t that easy, now consider you want to scan aaa.bbb.ccc.ddd for its open ports and DNS entries. Note what you want,

-List DNS that means L

so this will be your command,

nmap aaa.bbb.ccc.ddd -sL

If you want to scan UDP protocol then type,

nmap aaa.bbb.ccc.ddd -sO UDP

Note: No two Synchronous Scans can be combined together.

nmap -sS -sU aaa.bbb.ccc.ddd is illegal.

Ping Scan: All Ping scans start with “-P”, note that P is capital and denotes ping. Now basic ping scan command is written as,

nmap -P[ping scan type] ip_address

-------------------------------------

-Pn No Ping

-PT TCP Ping

-PA ACK Ping

-PU UDP Ping

-PO Protocol Scan

-PS Synchronous Ping

-PI ICMP Ping Echo

-PB UDP ICMP timestamp

-PM ICMP Net Mask or Masked Scan

Now note the next option appearing after P is first letter capital of word’s own spelling except protocol ping and timestamp ping. As shown earlier everytime p from protocol will be replaced by O in scan type. To remember timestamp switch remember last letter p in timestamp appears like B.

Time Scans: Time switches are denoted by capital T.

-T Paranoid 300 seconds between scans

-T Sneaky 15 seconds between scans

-T Polite 4 seconds between scans

-T Normal Runs parallel scans

-T Aggressive 1.25 sec/probe

-T Insane 0.3 sec/probe

To remember time scans first we arrange times in descending order.

300 15 4 - 1.25 0.3

My friend is Paranoid who Sneaks around networks,

300 15

He appears Polite Normally but is Aggressive to the level of Insanity.

4 - 1.25 0.3

I think that will do. All time switches are appended at last of nmap command

nmap aaa.bbb.ccc -sS -T Polite

Output Type: It just formats output as you want. Always starts with “-o”

-oN Normal Output

-oX XML Output

-oG Grapple Output

-oA All Output

I don’t think now to explain how to remember them.

Other Important Switches:

--traceroute works similar as any other trace route program

-R Resolve DNS along with port scan

-v Scan in verbose mode
-O OS Scan

-----------------------------------------------------

So here’s an example to create scan:

1.Create a Stealth Synchronous scan with normal output with 15 seconds between each scan. Resolve DNS and use verbose mode?

Ans:

-Scan Type Synchronous means “-s”

-Subtype stealth “-sS”

-Use verbose “-sS -v”

-Resolve DNS “-sS -v -R”

-Normal Output “-sS -v -R -oN”

-15 seconds between scans “-sS -v -R -oN -T Sneaky”

So the answer is,

nmap aaa.bbb.ccc -sS -v -R -oN -T Sneaky

Following are for you try yourself,

2.Create a Ping protocol scan with 0.3 seconds scan difference between ports.

3.Create a Synchronous UDP scan with xml output use verbose mode.