Security Stuff!!

Nmap 1

Nmap (Network Mapper) is a security scanner for port scanning, OS fingerprinting, banner grabbing and more, run against a network range or a specific machine. Nmap was written by Fyodor.
Here we use it to scan our own system, to see which banners would be shown to an attacker and which open ports serve no purpose on the system, so that those ports can be closed or the services listening on them shut down.

Nmap options

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan

sS

TCP SYN is the default scan. It is fast and can scan a large range of ports in seconds. Nmap scans TCP ports by making a half-open connection: a normal TCP connection is set up with a three-way handshake (1. pc1 sends a SYN packet, 2. pc2 replies with a SYN/ACK packet, 3. pc1 sends an ACK packet). In a half-open connection the final ACK packet is never sent, which makes the scan safer and stealthier.

sT

TCP connect() also scans TCP ports, but it completes the full three-way handshake and so establishes a real connection between client and server. It is not stealthy.

sU

Used to scan UDP ports.

sY

SCTP (Stream Control Transmission Protocol) combines most characteristics of the TCP and UDP protocols. The SCTP INIT scan is the equivalent of TCP SYN scanning (it makes a half-open connection).
For more information

usage

The basic form is nmap -<technique> <ip address or host name>, for example nmap -sS localhost. Running nmap -sS localhost gives:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-26 02:25 EEST  
Interesting ports on example (127.0.0.1):  
Not shown: 997 closed ports  
PORT     STATE SERVICE  
111/tcp  open  rpcbind  
631/tcp  open  ipp  

Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds

This means just two ports are open (111 and 631), running the services rpcbind and ipp. Running nmap -sU localhost gives:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-26 02:43 EEST  
Interesting ports on example (127.0.0.1):  
Not shown: 997 closed ports  
PORT     STATE         SERVICE  
111/udp  open|filtered rpcbind  
631/udp  open|filtered ipp  
5353/udp open|filtered zeroconf  

Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds

Now three UDP ports are reported as open|filtered: Nmap received no reply, so it cannot tell whether each port is open or filtered by a firewall.
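To turn the two listings above into an inventory you can act on, here is an added example (not code from the original post) that parses Nmap's normal output and separates ports that are confirmed open from the open|filtered ones; the sample text is the post's own output, embedded as constructed strings.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two scan results quoted in the post, TCP SYN then UDP.
TCP_OUTPUT = """Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-26 02:25 EEST
Interesting ports on example (127.0.0.1):
Not shown: 997 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp

Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
"""
UDP_OUTPUT = """Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-26 02:43 EEST
Interesting ports on example (127.0.0.1):
Not shown: 997 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds
"""
HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([^)]+)\):")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")

@dataclass
class PortRecord:
    port: int
    proto: str
    state: str      # "open", "closed", "filtered", "open|filtered", ...
    service: str

def parse_nmap_output(text):
    """Parse Nmap 'normal' output into host info plus a list of PortRecord."""
    scan = {"host": None, "ip": None, "not_shown": {}, "ports": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            scan["host"], scan["ip"] = m.group(1), m.group(2)
        elif m := NOT_SHOWN_RE.match(line):
            scan["not_shown"][m.group(2)] = int(m.group(1))
        elif m := PORT_RE.match(line):
            scan["ports"].append(PortRecord(int(m.group(1)), *m.group(2, 3, 4)))
    return scan

def confirmed_open(scan):
    """Ports that answered: the ones to justify or close on your own host."""
    return [(p.port, p.proto, p.service) for p in scan["ports"] if p.state == "open"]

def undetermined(scan):
    """open|filtered: no reply, so Nmap cannot tell open from firewall-dropped."""
    return [(p.port, p.proto) for p in scan["ports"] if "|" in p.state]
```

The same parser works on the output of nmap -O or nmap -sV, since the PORT/STATE/SERVICE table keeps its shape there.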

OS detection

To detect the operating system, use nmap -O <ip_address or host_name>.

Service and Version Detection

To detect service names and the versions of the daemons listening on those ports, use nmap -sV <ip_address or host_name>.
Both OS detection and service/version detection can be run at once with nmap -A <ip_address or host_name>.