Ports to scan Range : You can specify a range of ports to be scanned. Valid ports
are between 1 and 65535.
Ports to scan List : You can specify a comma separated list of ports to be scanned.
Detect service version : In this case Nmap will try to detect the version of the service that is running on each open port. This is done using multiple techniques like banner grabbing, reading server headers and sending specific requests.
Detect operating system : If enabled, Nmap will try to determine the type and version of the operating system that runs on the target host. The result is not always 100% accurate, depending on the way the target responds to probe requests.
Don't ping host : If enabled, Nmap will not try to see if the host is up before scanning it (pinging first is the default behaviour). This option is useful when the target host does not respond to ICMP requests but is actually up and has open ports.
Fundamentally, an idle scan consists of three steps that are repeated for each port:
1. Probe the zombie's IP ID and record it.
2. Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target's reaction may or may not cause the zombie's IP ID to be incremented.
3. Probe the zombie's IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
After this process, the zombie's IP ID should have increased by either one or two. An increase of one indicates that the zombie hasn't sent out any packets, except for its reply to the attacker's probe.
This lack of sent packets means that the port is not open (the target must have sent the zombie either a RST packet, which was ignored, or nothing at all). An increase of two indicates that the zombie sent out a packet between the two probes.
This extra packet usually means that the port is open (the target presumably sent the zombie a SYN/ACK packet in response to the forged SYN, which induced a RST packet from the zombie). Increases larger than two usually signify a bad zombie host.
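The three steps above, as an added simulation that is not part of the lab manual or of Nmap itself: it models the zombie's IP ID counter and the target's reply with no packets sent, and also shows why a host with randomised IP IDs (modelled here by the assumed id_sequence parameter) cannot serve as a zombie. All class and function names are illustrative.

```python
# Added example, not part of the lab manual or of Nmap itself: a packet-free
# simulation of the IP ID side channel an idle scan relies on. All names are
# illustrative. Zombie model: one global IP ID counter, +1 per packet sent.
class Zombie:
    def __init__(self, start_id=1000, id_sequence=None):
        # id_sequence, if given, stands in for a stack that randomises IP IDs
        self.ip_id = start_id
        self.id_sequence = id_sequence

    def send(self):
        """Emit one packet and return the IP ID it carries."""
        if self.id_sequence is not None:
            self.ip_id = next(self.id_sequence)
        else:
            self.ip_id = (self.ip_id + 1) % 65536
        return self.ip_id

    def receive(self, segment):
        # An unsolicited SYN/ACK makes the zombie answer with one RST packet;
        # a RST, or no packet at all, is silently ignored.
        if segment == "SYN/ACK":
            self.send()

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def handle_spoofed_syn(self, port):
        # The SYN carries the zombie's address, so the reply goes to the zombie
        return "SYN/ACK" if port in self.open_ports else "RST"

def idle_scan_port(zombie, target, port):
    """Classify one target port purely from the zombie's IP ID delta."""
    before = zombie.send()                            # step 1: probe reply
    zombie.receive(target.handle_spoofed_syn(port))   # step 2: forged SYN
    after = zombie.send()                             # step 3: probe reply
    delta = (after - before) % 65536
    if delta == 1:
        return "closed|filtered"   # zombie only answered our probes
    if delta == 2:
        return "open"              # zombie also sent a RST in between
    return "unreliable zombie"     # randomised or busy IP ID counter

if __name__ == "__main__":
    zombie, target = Zombie(), Target(open_ports=[80])
    print(idle_scan_port(zombie, target, 80))   # open
    print(idle_scan_port(zombie, target, 22))   # closed|filtered
    noisy = Zombie(id_sequence=iter([100, 5000, 100, 9000]))
    print(idle_scan_port(noisy, target, 80))    # unreliable zombie
```

The third call is the defender's takeaway: once the zombie's IP IDs stop being a simple counter, the delta carries no information about the target port.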
To launch a stealth scan of the entire class 'B' networks 166.66.0.0 and 166.67.0.0 for the popularly exploitable imapd daemon :
nmap -Up 143 166.66.0.0/16 166.67.0.0/16
To do a standard tcp scan on the reserved ports of host <target> :
nmap target
To check the class 'C' network on which warez.com sits for popular services (via fragmented SYN scan) :
nmap -fsp 21,22,23,25,80,110 warez.com/24
To scan the same network for all the services in your /etc/services via (very fast)
TCP scan :
nmap -F warez.com/24
To scan secret.pathetic.net using the ftp bounce attack off of ftp.pathetic.net :
nmap -Db ftp.pathetic.net secret.pathetic.net
To find hosts that are up in the adjacent class C's 193.14.12, .13, .14, .15, ... , .30 :
nmap -P '193.14.[12-30].*'
If you don't want to have to quote it to avoid shell interpretation, this does the same thing :
nmap -P 193.14.12-30.0
Output :
Sign :- ____________________
Nmap has a multitude of options, and when you first start playing with this excellent tool it can be a bit daunting.
Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back.
Malicious clients can sometimes exploit vulnerabilities in the server code to gain access to sensitive data or execute malicious code on the machine remotely. That is why testing all ports is necessary in order to achieve a thorough security verification.
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. Port scanning is done differently for TCP ports and for UDP ports, which is why different tools are used for each.
In the figure below, the attacker first sends a SYN probe packet to the port he wishes to test. Upon receiving a packet from the port with the SYN and ACK flags set, he knows that the port is open. The attacker completes the three-way handshake by sending an ACK packet back.
If, however, the target port is closed, the attacker receives an RST/ACK packet directly back, as shown in the figure below.
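The SYN/ACK versus RST/ACK responses just described are also what a defender can look for in connection logs. The following is an added example, not from the lab manual: a toy detector run over constructed log lines, flagging a source that draws RST/ACK from many ports. The log format (timestamp, source, destination, server-side port, TCP flags) is an assumption made for the example.

```python
# Added example, not from the lab manual: a toy detector for the SYN-probe pattern
# described above, run over constructed log lines. Assumed format, one segment per
# line: "<ts> <src_ip> <dst_ip> <service_port> <flags>", service_port being the
# server-side port in both directions (as a flow log keys it), never the ephemeral one.
from collections import defaultdict

SAMPLE_LOG = """\
1 10.0.0.5 10.0.0.9 22 S
1 10.0.0.9 10.0.0.5 22 SA
1 10.0.0.5 10.0.0.9 22 A
2 10.0.0.7 10.0.0.9 21 S
2 10.0.0.9 10.0.0.7 21 RA
2 10.0.0.7 10.0.0.9 22 S
2 10.0.0.9 10.0.0.7 22 SA
2 10.0.0.7 10.0.0.9 22 R
2 10.0.0.7 10.0.0.9 23 S
2 10.0.0.9 10.0.0.7 23 RA
2 10.0.0.7 10.0.0.9 25 S
2 10.0.0.9 10.0.0.7 25 RA
"""

def parse_line(line):
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags

def classify_probes(log_text):
    """Per probing source: {(target, port): 'open' | 'closed' | 'no-reply'}."""
    state = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, flags = parse_line(line)
        if flags == "S":                          # bare SYN: a new probe
            state[src].setdefault((dst, port), "no-reply")
        elif (src, port) in state.get(dst, {}):   # reply from probed host
            if flags == "SA":                     # SYN/ACK: port open
                state[dst][(src, port)] = "open"
            elif flags == "RA":                   # RST/ACK: port closed
                state[dst][(src, port)] = "closed"
    return state

def find_scanners(log_text, min_closed=3):
    """Sources that drew RST/ACK from at least min_closed ports: scans do, clients rarely."""
    flagged = {}
    for src, probes in classify_probes(log_text).items():
        closed = sorted(p for (_, p), s in probes.items() if s == "closed")
        if len(closed) >= min_closed:
            flagged[src] = closed
    return flagged
```

In the constructed log, 10.0.0.5 completes one normal handshake while 10.0.0.7 probes four ports and gets RST/ACK from three, so only 10.0.0.7 is flagged.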
Ports to scan Common : This option tells Nmap to scan only the top 100 most common TCP ports (nmap -F).