NMAP in Linux Examples


NMAP in Linux Examples (Tested on RHEL)

For a long time nmap has been used as a network monitoring and scanning tool by system admins; geeks, hackers and members of security departments also use this tool for penetration testing.

 

Nmap OS fingerprinting works by sending up to 16 TCP, UDP, and ICMP probes to known open and closed ports of the target machine and then listening for the responses.

The NMAP utility is used to scan ports on a machine, either local or remote (you only need the IP address or hostname of the machine to scan).

It can be installed on Windows and Sun Solaris machines too.

It can be used to scan large networks as well as small networks, so you can say it can be used to scan any kind of network.

Example1 : To scan a particular system for open ports

#nmap hostname

 

[root@satish ~]# nmap satish.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:36 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
605/tcp open  unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.107 seconds

 

This scans the particular host you want to know about.

 

Example2 : How do you scan a single port on a machine?

#nmap -p 22 hostname

Here hostname is satish.com

So let's scan a single port, i.e. port 22, on host satish.com:

 

[root@satish ~]# nmap -p 22 satish.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:19 IST
Interesting ports on satish.com (192.168.1.1):
PORT   STATE SERVICE
22/tcp open  ssh
 
Nmap finished: 1 IP address (1 host up) scanned in 0.016 seconds

This checks whether port 22 is open on the host or not.

Here -p specifies the port number, and 22 is the port number of the SSH server.

 

Example3 : What if I want to scan only the most common ports (a fast scan)?

#nmap -F hostname

 

[root@satish ~]# nmap -F satish.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:18 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1236 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
 
Nmap finished: 1 IP address (1 host up) scanned in 0.084 seconds

-F is for a fast scan: it scans fewer ports than the default scan, and it does no other scanning such as operating system or uptime detection.

It is much faster.

 

Example4 : How do you scan only TCP ports (i.e. we do not need to scan UDP ports here, and we do this to optimise monitoring)?

#nmap -sT hostname

 

[root@satish ~]# nmap -sT satish.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:22 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
605/tcp open  unknown
 
Nmap finished: 1 IP address (1 host up) scanned in 0.078 seconds

 

Here s stands for the scan type, and T selects a TCP connect scan, so only TCP ports are scanned.

 

Example5 : How to scan only UDP ports (i.e. here we want to scan only UDP ports, not TCP)

#nmap -sU hostname

 

[root@satish ~]# nmap -sU satish.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:23 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1482 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
602/udp  open|filtered unknown
631/udp  open|filtered unknown
1023/udp open|filtered unknown
 
Nmap finished: 1 IP address (1 host up) scanned in 1.371 seconds

 

Here the letter U selects a UDP scan. The state open|filtered means nmap got no response to its probe, so it cannot tell whether the port is open or blocked by a firewall; such ports need a closer look rather than being written off as closed.
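The scan output shown in Example1 and Example5 can be turned into a simple baseline check for an administrator. This is an added example, not code from the original article: a POSIX shell script (awk assumed available) that reads nmap's normal output, lists every port reported as open or open|filtered, and flags those missing from an assumed list of expected ports. The sample output is constructed from this page's scans.

```shell
#!/bin/sh
# Constructed sample input: the "nmap satish.com" output shown on this page, plus
# one UDP line in the "open|filtered" state as printed by nmap -sU.
SAMPLE_SCAN='Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:36 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
605/tcp open  unknown
123/udp open|filtered ntp

Nmap finished: 1 IP address (1 host up) scanned in 0.107 seconds'

# Assumed baseline for this example: the ports that are supposed to be reachable.
EXPECTED_PORTS="22/tcp 80/tcp"

# open_ports SCAN_OUTPUT: print "port/proto" for each line whose STATE begins
# with "open" (so "open|filtered" UDP results are included and must be reviewed).
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ { print $1 }'
}

# unexpected_ports SCAN_OUTPUT BASELINE: open ports that are not in the baseline,
# i.e. the ones an administrator should investigate or firewall off.
unexpected_ports() {
    for p in $(open_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;                 # expected, ignore
            *) printf '%s\n' "$p" ;;     # not in baseline, report it
        esac
    done
}

# Stand-alone run on the sample; with a live scan of your own host use:
#   unexpected_ports "$(nmap "$host")" "$EXPECTED_PORTS"
unexpected_ports "$SAMPLE_SCAN" "$EXPECTED_PORTS"
```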

 

Example6 : Scanning ports and finding the version of the different services running on that machine

#nmap -sV hostname

 

[root@satish ~]# nmap -sV satish.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:25 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.2.3 ((Red Hat))
111/tcp open  rpcbind  2 (rpc #100000)
605/tcp open  status   1 (rpc #100024)
 
Nmap finished: 1 IP address (1 host up) scanned in 11.164 seconds

 

V enables version detection: nmap reports the version of each network service running on that host.

 

Example7 : How to check which protocol is supported by the remote system?

 

#nmap -sO hostname

 

[root@satish ~]# nmap -sO satish.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:28 IST
Interesting protocols on satish.com (192.168.1.1):
Not shown: 250 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp                    
2        open|filtered igmp                    
6        open          tcp                     
17       open          udp                     
41       open|filtered ipv6                    
255      open|filtered unknown                 
 
Nmap finished: 1 IP address (1 host up) scanned in 1.228 seconds

Here -sO is an IP protocol scan: nmap lists which IP protocols (ICMP, TCP, UDP and so on) the remote system responds to.

Example8 : How to scan a system for operating system and uptime details? Explained with an example.

 

# nmap -O hostname

 

[root@satish ~]# nmap -O satish.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:29 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
605/tcp open  unknown
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=1/23%Tm=50FFECC5%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=2748CB%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=2748F7%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=2748FC%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
 
 
Uptime 0.052 days (since Wed Jan 23 18:14:59 2013)
 
Nmap finished: 1 IP address (1 host up) scanned in 9.672 seconds

 

Note:

-O here enables operating system detection along with the default port scan.

  • T2 sends a TCP null (no flags set) packet with the IP DF bit set and a window field of 128 to an open port.

  • T3 sends a TCP packet with the SYN, FIN, URG, and PSH flags set and a window field of 256 to an open port. The IP DF bit is not set.

  • T4 sends a TCP ACK packet with IP DF and a window field of 1024 to an open port.

  • T5 sends a TCP SYN packet without IP DF and a window field of 31337 to a closed port.

  • T6 sends a TCP ACK packet with IP DF and a window field of 32768 to a closed port.

  • T7 sends a TCP packet with the FIN, PSH, and URG flags set and a window field of 65535 to a closed port. The IP DF bit is not set.
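To read the TCP/IP fingerprint lines that -O printed above, here is an added example (not from the original article): a POSIX shell script with awk that pulls individual fields such as W, DF or Flags out of a probe's result line and lists the probes the target did not answer. The fingerprint text is copied from this page's output.

```shell
#!/bin/sh
# Constructed sample input: the "TCP/IP fingerprint" block nmap -O printed on this page.
FINGERPRINT='T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)'

# fp_field TEST KEY: print the value of KEY (e.g. W, DF, Flags) recorded for probe TEST.
# Each line has the form NAME(key=value%key=value%...), so split on "(" and ")" first,
# then on "%" and "=".
fp_field() {
    printf '%s\n' "$FINGERPRINT" | awk -v t="$1" -v k="$2" -F'[()]' '
        $1 == t {
            n = split($2, kv, "%")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == k) print p[2]
            }
        }'
}

# silent_probes: names of the probes the target did not answer at all (Resp=N);
# in this sample that is T2, the null-flag packet to an open port described in the note above.
silent_probes() {
    printf '%s\n' "$FINGERPRINT" | awk -F'[()]' '$2 == "Resp=N" { print $1 }'
}

# Stand-alone run: show how the closed-port probes T5-T7 were answered.
for t in T5 T6 T7; do
    echo "$t: Flags=$(fp_field "$t" Flags) DF=$(fp_field "$t" DF) W=$(fp_field "$t" W)"
done
echo "no response: $(silent_probes)"
```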

 

Example9 : How do you scan a whole network?

#nmap networkID/subnetmask

As mentioned above, following the form of that command you can try it this way (here /24 is the CIDR prefix length, equivalent to a 255.255.255.0 subnet mask):

#nmap 192.168.1.0/24

 

[root@satish ~]# nmap 192.168.1.0/24
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-01-23 19:31 IST
Interesting ports on satish.com (192.168.1.1):
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
605/tcp open  unknown
 
Nmap finished: 256 IP addresses (1 host up) scanned in 5.654 seconds

 


Comments

As always ... awesome explanation ...!! gr8 job..
