Nmap is a free and open source tool for network discovery and security auditing. It was written by Fyodor and allows users to identify hosts on a network, determine services and operating systems running on them, and discover vulnerabilities. The document outlines the basic anatomy of a scan, describing the DNS lookup, ping, reverse DNS lookup, and scan steps. It also covers different scan types like TCP SYN, connect, ping, and UDP scans as well as useful options for excluding or including targets, specifying port numbers, and adjusting ping behavior. Later modules discuss operating system and version detection, stealth scanning techniques, timing options, and randomizing scans.

1. NmapThe Network Scanner http://null.co.in/ http://nullcon.net/

2. Module 1: Getting Started http://null.co.in/ http://nullcon.net/

4. Written By Fyodor

5. http://insecure.org

6. Free!

7. Open source, Constant developmenthttp://null.co.in/ http://nullcon.net/

9. TCP – Transmission Control Protocol

10. UDP – User datagram protocol

11. ICMP – Internet control message protocolhttp://null.co.in/ http://nullcon.net/

13. (Unless you u an IP address)

14. Step 2 :Nmap “Pings” the remote device

15. (This is not an ICMP echo Request)

16. Step 3: Reverse DNS lookup

17. Step 4: Do the scan!

18. Step 5: Analyze the scan resultshttp://null.co.in/ http://nullcon.net/

19. Module 2: Basic Scans http://null.co.in/ http://nullcon.net/

21. TCP connect() scan (-sT)

22. Ping scan (-sP)

23. UDP scan (-sU)http://null.co.in/ http://nullcon.net/

25. Excluding from command line or a file

26. Using a file to list your targets

27. Port Number options

28. Limit your scans

29. Focus your effortshttp://null.co.in/ http://nullcon.net/

31. Command line only

32. Must specify each time

33. --excludefile <exclude_filename>

34. One option excludes many hosts

35. Keep your list handy!http://null.co.in/ http://nullcon.net/

37. Address can be separated by tabs,spaces, or lineshttp://null.co.in/ http://nullcon.net/

39. -p<port range>

40. -p 23,34,43,123-144http://null.co.in/ http://nullcon.net/

42. Default pings

43. ARP ping

44. ICMP and TCP ACK ping

45. TCP SYN ping

46. UDP ping

47. Don’t ping before scanninghttp://null.co.in/ http://nullcon.net/

49. An Nmap ping does not(necessarily) refers to an ICMP echo request

50. We can disbale this ping requirement with -P0(zero) http://null.co.in/ http://nullcon.net/

52. For the remote ip subnet nmap uses

53. ICMP echo request &

54. A TCP ACK on port 80http://null.co.in/ http://nullcon.net/

56. Systems with Firewalls & Filter

57. One port open ,one port closed.

58. Version detection(-sV)http://null.co.in/ http://nullcon.net/

60. Often called “stealth” scans

61. One frame transmitted, one frame received

62. Thesestealth scans never appears in application logs.

63. Microsoft Windows doesn’t responds to these stealth scans.http://null.co.in/ http://nullcon.net/

65. Filtered or unfiltered(not open!)http://null.co.in/ http://nullcon.net/

67. -T1/sneaky

68. -T2/Polite

69. -T3/Normal

70. -T4/Aggressive

71. -T5/Insanehttp://null.co.in/ http://nullcon.net/

73. Rearrange the Nmap hosts in an Nmap scan

74. Makes it difficult to see a pattern

75. Completely random target addresses

76. (-iR <num _host>)

77. Useful for finding specific services

78. Nmap –sS –PS80 –iR 0 –p 80http://null.co.in/ http://nullcon.net/

79. Thank you http://null.co.in/ http://nullcon.net/