Nmap is the de facto open source tool for network scanning. Developed by Gordon Fyodor way back in 1997, Nmap remains one of the most popular tools used by a professional in the cybersecurity or computer networks industry. It is also the tool of choice in the reconnaissance and footprinting step of penetration testing and hacking, in general. (It was also the tool of choice for Trinity in The Matrix Reloaded!)
Knowing how important hand-holding is for a beginner in the cybersecurity industry, I felt the need to have a simple tutorial for Nmap. Considering the immense size of its features, I've broken down the tutorial into multiple parts. I have described Nmap and its features in the way that I learned it and in the same sequence.
In the entire tutorial, I've used Nmap on Ubuntu 16.04:
nikhilh@ubuntu:~$ uname -a
Linux ubuntu 4.15.0-32-generic #35~16.04.1-Ubuntu SMP Fri Aug 10 21:54:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
If you need a tutorial on Zenmap (the official Nmap GUI), let me know and I'll build a tutorial for it!
Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general is a cyber crime and may even lead to jail. Please take permission before scanning random networks.
Setup
Installing Nmap on Ubuntu from source
Step 1: Get the latest source package
nikhilh@ubuntu:~$ curl -o nmap-7.70.tgz https://nmap.org/dist/nmap-7.70.tgz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12.3M  100 12.3M    0     0  5011k      0  0:00:02  0:00:02 --:--:-- 5012k
It is important to download over HTTPS and not HTTP. Even though an nmap-7.70.tgz will still appear in your directory listing, when downloaded over HTTP it will likely contain only an error response rather than the source archive.
Step 2: Extract the source package
nikhilh@ubuntu:~$ tar -xf nmap-7.70.tgz
Step 3: Configuration
This step ensures that system dependent values are set and makefiles are created.
nikhilh@ubuntu:~$ cd nmap-7.70/
nikhilh@ubuntu:~/nmap-7.70$ ./configure
checking whether NLS is requested... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
...
...
Configured with: ndiff zenmap nping openssl zlib libssh2 lua ncat
Configured without: localdirs nmap-update
Type make (or gmake on some *BSD machines) to compile.
Step 4: Compilation
This compiles the source package and readies it for installation. The nmap binary is usable from the build directory at this point.
nikhilh@ubuntu:~/nmap-7.70$ make
g++ -MM -I./liblinear -I./liblua -I./libdnet-stripped/include -I./libssh2/include -I./libpcre -I./libpcap -I./nbase -I./nsock/include -DHAVE_CONFIG_H -DNMAP_NAME=\"Nmap\" -DNMAP_URL=\"https://nmap.org\" -DNMAP_PLATFORM=\"x86_64-unknown-linux-gnu\" -DNMAPDATADIR=\"/usr/local/share/nmap\" -D_FORTIFY_SOURCE=2 charpool.cc
...
...
gcc -o ncat -g -O2 -Wall -L../libpcap ncat_main.o ncat_connect.o ncat_core.o ncat_posix.o ncat_listen.o ncat_proxy.o ncat_ssl.o base64.o http.o util.o sys_wrap.o http_digest.o ncat_lua.o ../nsock/src/libnsock.a ../nbase/libnbase.a -lssl -lcrypto -lpcap ./../liblua/liblua.a -lm -ldl
make[1]: Leaving directory '/home/nikhilh/nmap-7.70/ncat'
Step 5: Installation
This installs the binaries, libraries and data files compiled in step 4 (root is needed to write to /usr/local).
nikhilh@ubuntu:~/nmap-7.70$ sudo make install
Compiling libnetutil
cd libnetutil && make
make[1]: Entering directory '/home/nikhilh/nmap-7.70/libnetutil'
...
...NPING SUCCESSFULLY INSTALLED
make[1]: Leaving directory '/home/nikhilh/nmap-7.70/nping'
NMAP SUCCESSFULLY INSTALLED
PATH = $PATH:/home/nikhilh/nmap-7.70
Installing nmap on Ubuntu from apt-get
nikhilh@ubuntu:~$ sudo apt-get update
Hit:1 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
...
...
Fetched 1,853 kB in 1s (1,258 kB/s)
Reading package lists... Done
nikhilh@ubuntu:~$ sudo apt-get install nmap
Unpacking nmap (7.01-2ubuntu2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up nmap (7.01-2ubuntu2) ...
As you can see, apt-get installed nmap 7.01, whereas from source I installed nmap 7.70. If the distribution's packaged version (7.01 at the time of writing) lags too far behind the most recent release (7.70), install nmap from the source package instead. In this tutorial series, I'm using nmap 7.70.
Checking nmap version
nikhilh@ubuntu:~$ nmap -V
Nmap version 7.70 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.3 openssl-1.0.2g nmap-libssh2-1.8.0 libz-1.2.8 nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
Debugging using nmap
Display all nmap options
nikhilh@ubuntu:~$ nmap -h
Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
...
....
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Verbose output
nikhilh@ubuntu:~$ nmap -v scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:12 PDT
Initiating Ping Scan at 06:12
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 06:12, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:12
Completed Parallel DNS resolution of 1 host. at 06:12, 0.01s elapsed
Initiating Connect Scan at 06:12
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed Connect Scan at 06:12, 22.11s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.093s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
31337/tcp open Elite
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 22.32 seconds
From the verbose output we can see that, in addition to the port scan itself, nmap does two things:
- Resolving the hostname through DNS.
- Pinging the host (ICMP echo) before scanning.
  - This ensures that nmap scans only those hosts that respond to its pings (in other words, hosts that are alive).
  - If the host does not respond, nmap assumes it is down and does not scan it.
  - ICMP is often blocked by a firewall or disabled altogether. In those cases, scan using the "No Ping" option -Pn.
Additional verbose output
nikhilh@ubuntu:~$ nmap -vv scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:22 PDT
Initiating Ping Scan at 06:22
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 06:22, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:22
Completed Parallel DNS resolution of 1 host. at 06:22, 0.01s elapsed
Initiating Connect Scan at 06:22
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed Connect Scan at 06:22, 10.09s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.10s latency).
Scanned at 2018-08-18 06:22:23 PDT for 11s
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
9929/tcp open nping-echo syn-ack
31337/tcp open Elite syn-ack
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 10.29 seconds
When using the "Additional Verbose" option, nmap also displays the reasoning behind the port states, besides the usual verbose information. In this case, port 22 is declared an "open" port because it replied with a SYN-ACK packet to nmap's SYN packet.
Debugging
nikhilh@ubuntu:~$ nmap -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:26 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 06:26
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 06:26, 0.10s elapsed (1 total hosts)
Overall sending rates: 20.16 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 06:26
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 06:26, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 06:26
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 06:26, 24.04s elapsed (1000 total ports)
Overall sending rates: 83.53 packets / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.098s latency).
Scanned at 2018-08-18 06:26:04 PDT for 25s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
31337/tcp open Elite syn-ack
Final times for host: srtt: 98331 rttvar: 25056 to: 198555
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds
Points to note:
- ALL the parameters specified under timing report can be modified using nmap options.
- -d can be used when -v or -vv does not provide enough information to debug an issue. Example: name resolution is not working and you want to know which DNS server is being used to resolve the hostname; the debug output shows it on the mass_rdns line.
- Debug levels can be provided, such as -d1 or -d7. Levels range from 1 to 9, with 9 giving the most information.
Reason for port state
As seen in the additional verbose output section, Nmap can show the reason behind each port state. The --reason option is useful when you want just that reason and not the clutter of the verbose information.
nikhilh@ubuntu:~$ nmap --reason scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:35 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.11s latency).
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
9929/tcp open nping-echo syn-ack
Nmap done: 1 IP address (1 host up) scanned in 28.77 seconds
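The normal output shown in the verbose and --reason sections has a fixed shape, so it can be parsed to inventory a host or to diff two scans. The following Python is an added example, not code from this post or from the Nmap project; it parses a constructed report modelled on the --reason output above, including the "Not shown"/"Reason" pair, and tallies ports per reason.

```python
import re
from collections import Counter

# Constructed sample modelled on the --reason output shown in this post.
SAMPLE_REPORT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:35 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.11s latency).
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
9929/tcp  open  nping-echo syn-ack
Nmap done: 1 IP address (1 host up) scanned in 28.77 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
UP_RE = re.compile(r"^Host is up(?:, received (\S+))? \(([\d.]+)s latency\)\.$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports?$")
REASON_RE = re.compile(r"^Reason: (\d+) (\S+)$")
# PORT/PROTO  STATE  SERVICE  [REASON ...]; the reason column only exists with -vv/--reason.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")


def parse_report(text):
    """Turn one host's Nmap normal-output report into a dict."""
    report = {"host": None, "ip": None, "up_reason": None, "latency": None,
              "not_shown": None, "ports": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            report["host"], report["ip"] = m.group(1), m.group(2)
        elif m := UP_RE.match(line):
            report["up_reason"] = m.group(1)        # None unless --reason/-vv
            report["latency"] = float(m.group(2))
        elif m := NOT_SHOWN_RE.match(line):
            report["not_shown"] = {"count": int(m.group(1)),
                                   "state": m.group(2), "reason": None}
        elif m := REASON_RE.match(line):
            # "Reason: 997 no-responses" explains the "Not shown" line before it.
            if report["not_shown"] is not None:
                report["not_shown"]["reason"] = m.group(2)
        elif m := PORT_RE.match(line):
            report["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4),
                                    "reason": m.group(5)})
    return report


def reason_summary(report):
    """Count ports per reason, including those collapsed into 'Not shown'."""
    counts = Counter(p["reason"] or "unknown" for p in report["ports"])
    ns = report["not_shown"]
    if ns and ns["reason"]:
        counts[ns["reason"]] += ns["count"]
    return dict(counts)


def total_ports(report):
    """Ports listed plus ports collapsed into 'Not shown' (1000 for a default scan)."""
    ns = report["not_shown"]
    return len(report["ports"]) + (ns["count"] if ns else 0)


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(r["host"], r["ip"], r["up_reason"], total_ports(r), reason_summary(r))
```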
Trace packets
nikhilh@ubuntu:~$ nmap --packet-trace scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 10:56 PDT
CONN (0.1522s) TCP localhost > 45.33.32.156:80 => Operation now in progress
CONN (0.1524s) TCP localhost > 45.33.32.156:443 => Operation now in progress
...
...
CONN (2.0804s) TCP localhost > 45.33.32.156:135 => Operation now in progress
CONN (2.0805s) TCP localhost > 45.33.32.156:22 => Operation now in progress
...
...
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 33.72 seconds
By default, nmap scans the top 1000 ports it expects to be open (in other words, the 1000 most commonly used ports), so the --packet-trace output is huge; pipe it through more (or less) or redirect it to a file.
Scanning specific ports helps to cut down the output.
nikhilh@ubuntu:~$ nmap -p80 --packet-trace scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:45 PDT
CONN (0.0510s) TCP localhost > 45.33.32.156:80 => Operation now in progress
CONN (0.0516s) TCP localhost > 45.33.32.156:443 => Operation now in progress
CONN (0.1329s) TCP localhost > 45.33.32.156:80 => Connected
NSOCK INFO [0.1340s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.1340s] nsock_connect_udp(): UDP connection requested to 127.0.1.1:53 (IOD #1) EID 8
NSOCK INFO [0.1340s] nsock_read(): Read request from IOD #1 [127.0.1.1:53] (timeout: -1ms) EID 18
NSOCK INFO [0.1340s] nsock_write(): Write request for 43 bytes to IOD #1 EID 27 [127.0.1.1:53]
NSOCK INFO [0.1340s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.1.1:53]
NSOCK INFO [0.1340s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [127.0.1.1:53]
NSOCK INFO [0.1390s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [127.0.1.1:53] (72 bytes): .............156.32.33.45.in-addr.arpa..................scanme.nmap.org.
NSOCK INFO [0.1390s] nsock_read(): Read request from IOD #1 [127.0.1.1:53] (timeout: -1ms) EID 34
NSOCK INFO [0.1390s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [0.1390s] nevent_delete(): nevent_delete on event #34 (type READ)
CONN (0.1388s) TCP localhost > 45.33.32.156:80 => Operation now in progress
CONN (0.2192s) TCP localhost > 45.33.32.156:80 => Connected
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Display host networking
This displays the networking interfaces and routes present on your local system.
nikhilh@ubuntu:~$ nmap --iflist
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:54 PDT
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
ens33 (ens33) 192.168.182.136/24 ethernet up 1500 00:0C:29:1F:AA:9A
ens33 (ens33) fe80::d4b2:e8c0:389a:9330/64 ethernet up 1500 00:0C:29:1F:AA:9A
lo (lo) 127.0.0.1/8 loopback up 65536
lo (lo) ::1/128 loopback up 65536
**************************ROUTES**************************
DST/MASK DEV METRIC GATEWAY
192.168.182.0/24 ens33 100
169.254.0.0/16 ens33 1000
0.0.0.0/0 ens33 100 192.168.182.2
::1/128 lo 0
fe80::d4b2:e8c0:389a:9330/128 ens33 0
fe80::/64 ens33 256
ff00::/8 ens33 256
I'm working in a VMware environment where the ethernet interface eth* was renamed to ens* at boot time.
nikhilh@ubuntu:~$ dmesg | grep ens33
[ 5.362864] e1000 0000:02:01.0 ens33: renamed from eth0
[ 12.909788] IPv6: ADDRCONF(NETDEV_UP): ens33: link is not ready
[ 12.924958] e1000: ens33 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 12.929544] IPv6: ADDRCONF(NETDEV_UP): ens33: link is not ready
[ 12.929908] IPv6: ADDRCONF(NETDEV_CHANGE): ens33: link becomes ready
It is, however, possible to rename the interface, but that is not necessary at this point.
Specify a networking interface
nikhilh@ubuntu:~$ nmap -e ens33 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:59 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds
This scans the target machine by sending/receiving the packets on the specified interface (in this case, ens33) only.
That's it for part 1! I understand there was a lot of information in this post and some of the options may not have made sense to you right now, but we'll get there. If there are any questions, comment below and I'll get back to you as soon as I can!
In the next part, we'll scan networks (legally) and make sense of the output.
