Nmap (Network Mapper) is one of the most widely used reconnaissance tools in modern penetration testing. This open-source application has come a long way since its inception and has become a standard part of network security work. Nmap is used to gather critical information about a single host, a network or a range of networks: which hosts are up, which ports are open, what services and versions listen on them and, often, which operating system is running. Its long list of options lets security researchers map a network and, through the Nmap Scripting Engine (NSE), check hosts for specific weaknesses. Malicious users also rely heavily on Nmap to find an entry point into networks they are not authorized to access. Moreover, its large library of pre-built NSE scripts makes Nmap more powerful than ever.
➥Scan Range of IP Addresses:
Scanning several hosts in one run is just as easy. List the IP addresses or hostnames one after another, separated by spaces. Nmap also expands CIDR blocks such as 192.168.1.0/24 and per-octet ranges such as 192.168.1.1-20 (commas and dashes can be mixed, as in 10.0.1-2.5,7) into the individual addresses, so a whole subnet can be given as a single target.
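Nmap's target syntax, as an added example that is not part of the original page: a small Python helper that expands the same target specifications Nmap accepts (space-separated hosts, CIDR blocks and per-octet ranges with dashes and commas) into the list of addresses that would actually be probed. It is useful for checking the scope of an engagement before anything is sent. The target strings in the usage block are constructed, bare hostnames are passed through unresolved, and a hostname/prefix form (which Nmap resolves first) is not handled and raises.

```python
import ipaddress
import itertools
import re
from typing import Iterable, Iterator, List

# One octet of an Nmap target: "5", "1-20", "5,7" or "1-3,9" (combinations allowed).
_OCTET = re.compile(r"\d{1,3}(?:-\d{1,3})?(?:,\d{1,3}(?:-\d{1,3})?)*")


def _expand_octet(spec: str) -> List[int]:
    """'1-3,7' -> [1, 2, 3, 7]. Rejects values outside 0-255 and reversed ranges."""
    values: List[int] = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        lo, hi = int(low), (int(high) if high else int(low))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r} in {spec!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every address a single Nmap target specification covers."""
    spec = spec.strip()
    if "/" in spec:
        # CIDR: Nmap probes every address in the block, network and broadcast
        # addresses included, and 192.168.1.7/24 means the same block as 192.168.1.0/24.
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) == 4 and all(_OCTET.fullmatch(o) for o in octets):
        # Octet ranges: each octet expands independently and all combinations
        # are produced, first octet varying slowest.
        for combo in itertools.product(*(_expand_octet(o) for o in octets)):
            yield ".".join(str(n) for n in combo)
        return
    # Anything else is treated as a hostname and left for DNS to resolve.
    yield spec


def expand_targets(specs: Iterable[str]) -> List[str]:
    """Expand a whole command line's worth of targets, in the order given."""
    return [addr for spec in specs for addr in expand_target(spec)]


if __name__ == "__main__":
    # Constructed targets, the kind of list you would hand to nmap on one command line.
    for spec in ["192.168.1.1-3", "10.0.0.0/30", "10.0.1-2.5,7", "scanme.nmap.org"]:
        print(f"{spec:>16} -> {expand_targets([spec])}")
```

Run the expansion over the exact target list from your scan command before launching it; a typo such as 10.0.0.0/8 where 10.0.0.0/24 was meant turns into 16 million addresses here rather than in a running scan.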
➥Additional Port Scanning Methods:
Nmap can discover and inspect both TCP and UDP ports. UDP scanning uses the -sU option. It is much slower than a TCP SYN scan because an open UDP port usually does not answer an empty probe, so Nmap has to wait for a timeout and reports such ports as open|filtered, while a closed UDP port answers with an ICMP port unreachable; adding -sV makes Nmap send real protocol payloads to common UDP services and settles more of the ambiguous ports. Ports can also be picked by service name, with wildcards, for example -p "ftp,http*", or all 65535 of them with -p-.
To scan TCP and UDP ports in the same run, combine -sU with a TCP scan type such as -sS, and when you supply an explicit port list prefix the ranges with U: and T: so Nmap knows which protocol each applies to.
To enumerate a MySQL service with the mysql-* NSE scripts (several of them, such as mysql-databases, mysql-dump-hashes, mysql-query and mysql-users, only work with valid credentials supplied through script arguments, and mysql-vuln-cve2012-2122 actively tests for an authentication-bypass bug rather than just reading banners):
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 192.168.1.1
Nmap can also tell you why it put a port in a given state. Pass the --reason option and it prints the packet (or lack of one) behind each verdict: a SYN/ACK for an open port, a RST for a closed one, no response or an ICMP error for a filtered one. The same information is recorded in the XML output (-oX) as the reason and reason_ttl attributes of each port's state element, which makes it easy to post-process.
The -O flag enables OS detection for a host or range of hosts. It needs raw packet privileges (root or equivalent) and works best when Nmap finds at least one open and one closed TCP port on the target, since the fingerprint is built from how the host answers probes to both.
These commands may fail to identify some operating systems, especially on hosts behind firewalls, where Nmap cannot find the open and closed ports its fingerprinting relies on. The --osscan-guess option makes Nmap report its closest matches even when no fingerprint matches exactly; treat those by their accuracy percentage rather than as fact. The opposite trade-off is --osscan-limit, which skips hosts that do not meet the open-and-closed-port condition and saves time on large scans.
It’s very common for testers to run into firewalls or intrusion detection systems that drop or reject Nmap’s probes. Nmap can still tell you something about the filtering rules: an ACK scan (-sA) never opens a connection but classifies a port as unfiltered when a RST comes back and as filtered when nothing or an ICMP error does, which maps which ports the firewall lets through, and --reason shows what answered. Filtered ports that return an ICMP administratively prohibited message, or replies whose TTL differs from the one the host itself uses, point at a firewall or router in the path rather than at the target.
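Reading the reasons, the firewall clues and the OS match back out of a scan, as an added example that is not the page's own code: the XML report (-oX) records for every port its state together with the reason that --reason prints and the TTL of the packet that produced it, and lists the OS matches with their accuracy. The Python below parses a constructed sample of such a report (not real scan data; the host, ports and fingerprint lines are invented), explains each reason, separates ports where nothing came back at all from ports the host answered for, uses the reply TTL to spot verdicts that came from a middlebox rather than the target, and picks the best OS match. It covers the UDP, --reason, OS detection and firewall points above.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `nmap -sS -sU --reason -O -oX scan.xml 192.168.1.10`
# writes, trimmed to the elements used below. Not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU --reason -O -oX scan.xml 192.168.1.10">
<host>
<status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="1993"><extrareasons reason="resets" count="1993"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset" reason_ttl="64"/><service name="telnet"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="admin-prohibited" reason_ttl="255"/><service name="smtp"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="microsoft-ds"/></port>
<port protocol="udp" portid="53"><state state="open" reason="udp-response" reason_ttl="64"/><service name="domain"/></port>
<port protocol="udp" portid="123"><state state="closed" reason="port-unreach" reason_ttl="64"/><service name="ntp"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="snmp"/></port>
</ports>
<os>
<osmatch name="Linux 4.15 - 5.6" accuracy="95" line="60000"/>
<osmatch name="Linux 5.0 - 5.4" accuracy="91" line="60100"/>
</os>
</host>
</nmaprun>
"""

# What each reason string Nmap records means on the wire.
REASON_MEANING = {
    "syn-ack": "SYN/ACK came back: something accepted the connection request",
    "reset": "RST came back: the host is reachable but nothing listens here",
    "udp-response": "the UDP service answered the probe",
    "port-unreach": "ICMP port unreachable: no UDP listener on this port",
    "admin-prohibited": "ICMP administratively prohibited: a filtering device rejected the probe",
    "no-response": "nothing came back: a firewall dropped the probe, or a UDP service stayed silent",
    "conn-refused": "connect() was refused (connect scan, no raw sockets)",
}


def parse_ports(xml_text: str) -> List[Dict]:
    """One record per individually listed port, including Nmap's reason and the reply TTL."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "ttl": int(state.get("reason_ttl", "0")),  # 0 means no packet was received
                "service": service.get("name", "") if service is not None else "",
            })
    return records


def explain(record: Dict) -> str:
    return REASON_MEANING.get(record["reason"], "unrecognised reason " + repr(record["reason"]))


def silently_dropped(records: List[Dict]) -> List[Tuple[str, int]]:
    """Ports where no packet came back: a drop rule, or for UDP a service that ignores empty probes."""
    return sorted((r["proto"], r["port"]) for r in records if r["reason"] == "no-response")


def replies_from_elsewhere(records: List[Dict]) -> List[Tuple[str, int]]:
    """Ports whose reply TTL differs from the TTL the host itself uses.

    A RST or ICMP error with a different TTL was generated by another device
    (router ACL, firewall), so its verdict says nothing about the target host.
    """
    ttls = Counter(r["ttl"] for r in records if r["ttl"])
    if not ttls:
        return []
    host_ttl = ttls.most_common(1)[0][0]
    return sorted((r["proto"], r["port"]) for r in records if r["ttl"] and r["ttl"] != host_ttl)


def best_os_match(xml_text: str) -> Optional[Tuple[str, int]]:
    """Highest-accuracy osmatch, or None when -O produced nothing usable."""
    matches = [(m.get("name"), int(m.get("accuracy"))) for m in ET.fromstring(xml_text).iter("osmatch")]
    return max(matches, key=lambda m: m[1]) if matches else None


if __name__ == "__main__":
    records = parse_ports(SAMPLE_XML)
    for rec in records:
        print(f"{rec['port']}/{rec['proto']:<3} {rec['state']:<14} {explain(rec)}")
    print("dropped silently:", silently_dropped(records))
    print("answered by a middlebox:", replies_from_elsewhere(records))
    print("OS:", best_os_match(SAMPLE_XML))
```

The TTL check is the part worth keeping: in the sample, port 25/tcp is reported filtered because a device with TTL 255 sent an ICMP error, while every packet from the host arrives with TTL 64, so that verdict describes a firewall rule, not the SMTP service.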
This is the most reliable way to discover hosts on the local network segment. An ARP ping (-PR) asks each address to answer at layer 2, and a host on the same LAN has to answer ARP in order to communicate at all, so a firewall that drops ICMP or TCP pings cannot hide it. Nmap uses ARP ping automatically for targets on a local Ethernet network; it cannot work across routers, because ARP does not cross a layer-3 boundary.
➥ Default Safe Scripts:
The http-enum.nse script sends over 2000 requests for paths used by common files, directories and web applications. Use it to find out whether known applications or administrative interfaces exist on a remote web server. It is an intrusive script that generates a lot of requests, so expect it to show up in the target’s logs.
The http-title script retrieves the title of the page each web server serves at its root, which is a quick way to infer what a server hosts before looking at it by hand.
Nmap also accepts category expressions. The expression "discovery and brute" selects every NSE script that belongs to both the discovery and the brute categories: it is an intersection, not a list, so a script runs only if it carries both tags. To run all discovery scripts plus all brute-force scripts, use "discovery or brute" (or the comma form "discovery,brute"). Discovery scripts gather more information about the target’s services; brute scripts attempt password guessing and are noisy and potentially disruptive.
Nmap accepts the wildcard character “*” for selecting every script whose name matches a pattern; ssh* selects all scripts whose name starts with ssh. Quote the pattern (--script "ssh*") so the shell does not expand it against files in the current directory, and remember that such a pattern also picks up intrusive scripts such as ssh-brute.
Heartbleed (CVE-2014-0160) is a well-known OpenSSL vulnerability that lets an attacker read memory from an affected TLS server, and it remains a favourite check for attackers. The ssl-heartbleed NSE script tests whether a host is affected. It runs against ports Nmap recognises as TLS services, so pair it with -sV or an explicit port list.
Digging up information about an IP address is one of the first things an attacker does when sizing up a target: whois records, ASN ownership, geolocation and so on. NSE scripts such as whois-ip, asn-query and the ip-geolocation-* scripts fetch this from third-party services rather than from the target itself, so it is passive reconnaissance as far as the target is concerned, although the external services see your queries.
Check TLS version: the ssl-enum-ciphers script lists each SSL/TLS protocol version a service accepts and the cipher suites it negotiates under each, grades every suite from A to F and flags known weaknesses such as 3DES (SWEET32) or export-grade ciphers. Anything still offering SSLv3, TLS 1.0 or TLS 1.1 deserves a finding.
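Reading the NSE results for the web, Heartbleed and TLS checks above back out of a report, as an added example that is not the page's own code: in the XML output each port carries one script element per NSE script, with the human-readable text in its output attribute and, for scripts that return structured data, nested table and elem children. The vulns library that ssl-heartbleed uses writes a per-CVE table with a state element (NOT VULNERABLE entries appear only with --script-args vulns.showall=1), and ssl-enum-ciphers writes one table per protocol version with its ciphers, grades and warnings. The Python below parses a constructed sample report (not real scan data; the host, ports and products are invented) and pulls out page titles, services in a VULNERABLE state, and TLS services still offering deprecated protocol versions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, List, Tuple

# Constructed sample of the XML that
#   nmap -sV -p 80,443,8443 --script http-title,ssl-heartbleed,ssl-enum-ciphers \
#        --script-args vulns.showall=1 -oX web.xml 192.168.1.20
# would write, trimmed to the elements used below. Not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host>
<address addr="192.168.1.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" product="nginx"/>
<script id="http-title" output="Welcome to nginx!"><elem key="title">Welcome to nginx!</elem></script>
</port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="https" tunnel="ssl"/>
<script id="ssl-heartbleed" output="VULNERABLE">
<table key="CVE-2014-0160">
<elem key="title">The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.</elem>
<elem key="state">VULNERABLE</elem>
<elem key="risk_factor">High</elem>
</table>
</script>
<script id="ssl-enum-ciphers" output="...">
<table key="TLSv1.0">
<table key="ciphers">
<table><elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">C</elem></table>
</table>
<table key="compressors"><elem>NULL</elem></table>
<elem key="cipher preference">server</elem>
<table key="warnings"><elem>64-bit block cipher 3DES vulnerable to SWEET32 attack</elem></table>
</table>
<table key="TLSv1.2">
<table key="ciphers">
<table><elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
</table>
<table key="compressors"><elem>NULL</elem></table>
<elem key="cipher preference">server</elem>
</table>
<elem key="least strength">C</elem>
</script>
</port>
<port protocol="tcp" portid="8443"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="https-alt" tunnel="ssl"/>
<script id="ssl-heartbleed" output="NOT VULNERABLE">
<table key="CVE-2014-0160"><elem key="state">NOT VULNERABLE</elem></table>
</script>
</port>
</ports>
</host>
</nmaprun>
"""

# Protocol versions that should not be offered any more.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def _port_scripts(xml_text: str) -> Iterator[Tuple[str, int, ET.Element]]:
    """Yield (host, port, <script>) for every NSE result attached to a port."""
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                yield addr, int(port.get("portid")), script


def http_titles(xml_text: str) -> List[Tuple[str, int, str]]:
    """(host, port, title) from http-title; prefers the structured elem over the text output."""
    return [
        (addr, port, (script.findtext("elem[@key='title']") or script.get("output", "")).strip())
        for addr, port, script in _port_scripts(xml_text)
        if script.get("id") == "http-title"
    ]


def vulnerable_services(xml_text: str) -> List[Tuple[str, int, str, str]]:
    """(host, port, script, id) for every vulns-library table in a VULNERABLE state.

    The vulns library reports VULNERABLE, LIKELY VULNERABLE, VULNERABLE (Exploitable)
    and similar; NOT VULNERABLE must be excluded explicitly.
    """
    found = []
    for addr, port, script in _port_scripts(xml_text):
        for table in script.findall("table"):
            state = (table.findtext("elem[@key='state']") or "").strip()
            if "VULNERABLE" in state and not state.startswith("NOT"):
                found.append((addr, port, script.get("id"), table.get("key")))
    return found


def tls_summary(xml_text: str) -> Dict[Tuple[str, int], Dict]:
    """Per TLS service: protocols offered, which are deprecated, worst cipher grade, warnings."""
    summary = {}
    for addr, port, script in _port_scripts(xml_text):
        if script.get("id") != "ssl-enum-ciphers":
            continue
        protocol_tables = script.findall("table")
        protocols = [t.get("key") for t in protocol_tables]
        warnings = [w.text for t in protocol_tables for w in t.findall("table[@key='warnings']/elem")]
        summary[(addr, port)] = {
            "protocols": protocols,
            "deprecated": [p for p in protocols if p in DEPRECATED_PROTOCOLS],
            "least_strength": script.findtext("elem[@key='least strength']"),
            "warnings": warnings,
        }
    return summary
```

Matching on the state element rather than on the free-text output attribute is deliberate: the text changes between script versions, whereas the vulns library's table layout is what every vuln-category script shares, so the same function covers any other CVE check you add to the --script list.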
➥ Expressions for Getting Help (and Finding Scripts):
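The selection expressions used by --script and --script-help, as an added example that is not the page's own code: Nmap keeps a script.db index that lists every script with its categories, and --script accepts an expression over script names and categories built from and, or, not, parentheses, commas (an alias for or) and * wildcards; --script-help takes the same expression and prints the matching scripts' documentation. The Python below parses a constructed excerpt in script.db's format (the category tags are illustrative, not a copy of a real index) and evaluates such expressions against it, so you can see what a category expression or a wildcard will actually run before pointing it at a target. It covers the category and wildcard points above.

```python
import re
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed excerpt in the format of nmap's script.db (categories are illustrative).
SCRIPT_DB = """\
Entry { filename = "broadcast-ping.nse", categories = { "broadcast", "discovery", "safe", } }
Entry { filename = "dns-brute.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "mysql-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh2-enum-algos.nse", categories = { "discovery", "safe", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "safe", "vuln", } }
Entry { filename = "whois-ip.nse", categories = { "discovery", "external", "safe", } }
"""

_ENTRY = re.compile(r'filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}')
_TOKEN = re.compile(r"\s*(\(|\)|,|[^\s(),]+)")


def parse_script_db(text: str) -> Dict[str, List[str]]:
    """Map script name (without .nse) to its category list."""
    db = {}
    for match in _ENTRY.finditer(text):
        name = match.group(1)
        name = name[:-4] if name.endswith(".nse") else name
        db[name] = re.findall(r'"([^"]+)"', match.group(2))
    return db


class ScriptSelector:
    """Recursive-descent evaluator for --script expressions.

    Grammar: expr   := term (("or" | ",") term)*
             term   := factor ("and" factor)*
             factor := "not" factor | "(" expr ")" | NAME
    NAME is matched, with * and ? wildcards, against the script name and each of
    its categories; "all" matches everything. Both operands of and/or are always
    evaluated so the token stream is consumed whatever the left-hand result is.
    """

    def __init__(self, expression: str):
        self.tokens = _TOKEN.findall(expression.lower())
        self.pos = 0

    def matches(self, name: str, categories: List[str]) -> bool:
        self.pos = 0
        result = self._expr(name.lower(), categories)
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        token = self._peek()
        self.pos += 1
        return token

    def _expr(self, name, categories):
        value = self._term(name, categories)
        while self._peek() in ("or", ","):
            self._next()
            value = self._term(name, categories) or value
        return value

    def _term(self, name, categories):
        value = self._factor(name, categories)
        while self._peek() == "and":
            self._next()
            value = self._factor(name, categories) and value
        return value

    def _factor(self, name, categories):
        token = self._next()
        if token is None or token in (")", "and", "or", ","):
            raise ValueError("malformed --script expression")
        if token == "not":
            return not self._factor(name, categories)
        if token == "(":
            value = self._expr(name, categories)
            if self._next() != ")":
                raise ValueError("missing ')' in --script expression")
            return value
        if token == "all":
            return True
        return fnmatchcase(name, token) or any(fnmatchcase(c, token) for c in categories)


def select_scripts(expression: str, db: Dict[str, List[str]]) -> List[str]:
    """Names of the scripts a given --script expression would run, sorted."""
    selector = ScriptSelector(expression)
    return sorted(name for name, cats in db.items() if selector.matches(name, cats))


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    for expr in ["discovery and brute", "discovery or brute", "ssh*", "ssh* and not intrusive"]:
        print(f"{expr:>26} -> {select_scripts(expr, db)}")
```

Against the sample index "discovery and brute" selects nothing, because no script carries both tags, while "discovery or brute" selects nine scripts; the same difference applies to a real script.db, which is why checking the expression first is worthwhile.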