When I was very new to Hacking, I check a post nmap commands for beginners.
At that time I was confused by nmap. I was totally unable to understand what nmap is? How to use it? What is the use of it?. It is a handy tool in cybersecurity. It is an open source tool.
I’m sure if you are beginner you will too.
So what is nmap
It is networking scanning tool. It is used to gather information about any network. If you want to find service (http, FTP, ssh, etc.) running on a computer, the Operating system of any device, etc then you can use nmap.
How can it help in hacking?
It helps a lot. It shows service version, running service. Sometimes service is not up to then we can exploit that system and much more.
For example, you can find how can computer needs to take down web server using DDoS attack 😀
What is the port number?
For identity, every computer has the different IP address. Like so every separate service has the different port number. It helps us in security etc.
Right now you are connected to my blog using port number 443 (https runs on port number 443). If any site run has http protocol, then it will run on port number 80.
While scanning in nmap, you will see different port number running services.
There are total 65535.
Hope it will help if you if you are still unable to understand this then let me know by comments I will be happy to help you:).
Nmap practical guide
In Kali Linux, parrot sec it is pre-installed. But you can install it in windows too.
Nmap has both GUI (graphical user interface) and CLI (command line interface) user interface.
For GUI run zenmap. But I like command line interface. It does not matter which UI are you using both do the same work.
Open terminal and type nmap it will show you help menu
Let’s assume your target is opentechinfo.com. I will scan my site during this tutorial because I have full permission to do that.
nmap -vv opentechinfo.com
Let me explain this
-vv mean verbose output. It shows what is going on while scanning. Just run nmap opentechinfo.com and then with -vv you will know what the use of it is.
Here are results
Here 126.96.36.199 is my website IP address. I told you about ports. It finds four ports open with running service. REASON is the way how it finds running service. Ignore it at that time. If you want to know then let me know by comment section.
Ok, You can specify the port number too. Here is example
nmap -vv -p 1-5000 opentechinfo.com
Here are results
It finds ten open ports with different service cool. Off course more ports less speed.
Ok, Now we will try to find operating System. Just pass -O before opentechinfo.com.
Note: nmap is part of Linux commands so it is case sensitive -o is the wrong syntax. Use -O (capital O)
Here are results
No OS matcher for the host. Actually, nmap use some scripts sometimes it works sometimes not. But here is another way to Find operating system. There is two primary OS used for the web server.
- Redhat (Linux distribution)
- IIS ( Microsoft Windows)
Using nmap, you can scan a full network or a range of Ip address. It is beneficial. Suppose I want to find the connected device to my network.
First of all, I will find Default gateway (router IP address) Because all other Ip address will be same just different subnet (Ip address is like xxxx.xxxx.xxx.xxx. last digits knows as subnet)
How to find Router Ip address.
Just type route.
So I will scan 192.168.43.1/255. Here is command
nmap -vv 192.168.43.1-255
It will examine the whole network. 255 mean last address (why 255 last it is part of Ip address). Here are results
At that time only two devices were connected to my network. You can pass -sn argument for saving time. Basically -sn scan one port per host. It saves our time.
It also finds Mac address using mac address we can find hardware manufacturer. Just type first three characters in Google. In my case, these are CB:0B: CB. From Google, I found this. That’s true I’m using Xiaomi device (using internet by mobile hotspot). Nmap does not always find mac address.
It is not a good way to scan network here is another way to find total device connected to your network with Ip address.
nmap -sn 192.168.43.1/24 | grep “Nmap scan report for”
Here is the screenshot of above command.
I choose 192.168.43.1 because my router or default gateway start from 192.168.43.1 but your gateway will be something different you can find using route command.
Let’s do something serious
I told you that nmap helps us to find how many bots required to take down web server down using DDoS attack here are commands
To find is can target take down using dos attack.
nmap -vv -script dos opentechinfo.com
It will take sometime As you can see only 6.68% is complete and I need too much time.
But 14% it reacher directly to 99%
After 2 hours it is still not complete. I’m going to close the terminal. Actually, it depends upon website security.
You can find vulnerability using Nmap too
Run this command
nmap -vv –script vuln opentechinfo.com
Here are results
Saving results to a file
Here is what I found using nmap
Just pass -oN then filename, it will save the result to File. o Means output N meaning normal file. You can keep results in XML file just pass -x argument.
Here is example
nmap opentechinfo.com -oN opentechinfo.txt
No need to pass .xml it is my mistake Here is how the file looks.
Pro Tip: Run this command nmap -script dos opentechinfo.com -oN saveresult.txt; shutdown
This command will scan target and then save to File then turn off the computer. I run this command then go to sleep :).
Introduction to Zenmap
As I told you above zenmap is GUI version of nmap. To launch this type zenmap in terminal
You can install zenmap in window or mac os too. Zenmap is very straightforward as you can see in the screenshot.
Here target input field where you type your target Ip address or website.
Profile is related to scan. You will find enough profiles. By default, it is Intense scan. Here are some other profiles like Regular scan, quick scan, etc. For now, I will leave it as an Intense scan.
Command is basically nmap command you can modify it, or it will be changed when you change profile.
zenmap have some advantages it shows better output. You can find total Hosts in Hosts tab from service services running by the particular host.
Host details also show results in an excellent way. Here is the screenshot.
If you scan the whole network, you find all hosts under the Hosts tab.
If you have any suggestion, problem let me know by comments. I will be happy to help you.