
Nmap Network Probing Cheatsheet

  
  
  

Nmap is a powerful utility for scanning your network and discovering all kinds of information about who is on it and what they're doing. You can discover used and unused IP addresses, hostnames, services, and operating systems, and their versions – information that can help you monitor who is on your network, and lead you to unsafe or unauthorized servers.



Nmap is included in all Linux distros, and the project also offers binaries for Mac OS X and Windows.


Nmap is a great tool for finding out who is on your network, and listing used and unused IP addresses. This command finds all live hosts in the specified network range and their hostnames:



$ nmap -sn 192.168.1.0/24


The -n option disables DNS lookups, so this version is a little faster when you don't need to see hostnames:



$ nmap -sn -n 192.168.1.0/24


Nmap's -sL option lists all addresses in a specified target range. It doesn't send any packets to network hosts, so it won't tell you whether hosts are up or down, but it does perform reverse DNS lookups, which makes it a useful tool for testing the correctness of your DNS configuration. Use it to see whether your reverse DNS configuration is correct and complete, and whether you have entries for non-existent hosts. Nmap prints the hostname followed by the address in parentheses only when a lookup succeeds, so the grep '(' incantation weeds out the addresses with no reverse DNS record and displays only the addresses that have one:



$ nmap -sL 192.168.1.0/24 | grep '('


This handy one-liner finds all unused IP addresses in an address range and stores them in a plain text file:



$ nmap -v -sn 192.168.1.0/24 | grep down | awk '{print $5}' > filename.txt


A good way to understand what these compound commands do is to run them one part at a time, like this:



$ nmap -v -sn 192.168.1.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2011-12-11 20:00 PST
Initiating Ping Scan at 20:00
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 20:00, 10.37s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 20:00
Completed Parallel DNS resolution of 256 hosts. at 20:00, 0.01s elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for server1.green.net (192.168.1.2)
Host is up (0.010s latency).
Nmap scan report for 192.168.1.3 [host down]
[...]

$ nmap -v -sn 192.168.1.0/24 | grep down
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for 192.168.1.3 [host down]
[...]

$ nmap -v -sn 192.168.1.0/24 | grep down | awk '{print $5}'
192.168.1.0
192.168.1.1
192.168.1.3
[...]



You can make a list of the IP addresses of hosts that are up, so you can track who is on your network, keep an eye out for visitors who shouldn't be there, and check for duplicate addresses:



$ nmap -sn 192.168.1.0/24 | grep -o '192.168.1.*' | sed 's/[ )]*$//'
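Here is an added example (not part of the original article) that folds the grep, awk and sed pipelines above into one awk program, so it copes with both forms of the report line (a bare address, or a hostname followed by the address in parentheses) and can list the hosts that are up as well as the ones that are down. The scan output it parses is a constructed sample, not a real scan.

```shell
# Constructed sample of 'nmap -v -sn' normal output (not a real scan).
# Down hosts are marked on the report line itself; an up host gets a
# following "Host is up" line, with a hostname in front of its address
# when reverse DNS resolved one.
SAMPLE_SN='Starting Nmap 5.21 ( http://nmap.org ) at 2011-12-11 20:00 PST
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for server1.green.net (192.168.1.2)
Host is up (0.010s latency).
Nmap scan report for 192.168.1.3 [host down]
Nmap scan report for 192.168.1.4
Host is up (0.0021s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 10.38s'

# Read normal verbose output on stdin and print one IP per line for the
# hosts whose status is $1 ("up" or "down"). Field 5 of a report line is
# either the bare address or a hostname; in the latter case field 6 holds
# the address in parentheses.
hosts_by_status() {
    awk -v want="$1" '
        /^Nmap scan report for / {
            ip = $5
            if ($6 ~ /^\(/) { ip = $6; gsub(/[()]/, "", ip) }
            status = ($0 ~ /\[host down\]/) ? "down" : "up"
            if (status == want) print ip
        }'
}

# Wrappers that run the parser over the constructed sample.
up_hosts()   { printf '%s\n' "$SAMPLE_SN" | hosts_by_status up; }
down_hosts() { printf '%s\n' "$SAMPLE_SN" | hosts_by_status down; }
```

Against a live network the same function replaces the one-liner: nmap -v -sn 192.168.1.0/24 | hosts_by_status down > filename.txt.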


Port and Operating System Detection



Nmap can probe your network hosts to learn all sorts of interesting things, such as what operating systems they are running, what services, and the service versions. Version information is especially valuable because you don't want to be caught running outdated, insecure software. This deceptively short command digs deeply into what your servers are exposing to the network:



$ nmap -A 192.168.1.0/24
Nmap scan report for server1.green.net (192.168.1.3)
Host is up (0.0082s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.1p1 Debian 7ubuntu4 (protocol 2.0)
| ssh-hostkey: 1024 06:fd:72:16:0d:fc:c2:f5:ea:b7:5b:ea:5d:93:3e:45 (DSA)
|_1024 56:73:4a:1f:4b:ac:d1:53:2d:a2:65:0e:a5:10:b9:38 (RSA)
53/tcp open domain dnsmasq 2.23
443/tcp open ssl/http lighttpd 1.4.11
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html).
5060/tcp closed sip
8000/tcp closed http-alt
Service Info: OS: Linux


The -A switch tells Nmap to perform a comprehensive scan with OS detection, version detection, script scanning, and traceroute. The result of the command as run here shows an old server running a lot of old software, possibly dangerously old. The HTTPS server even still supports SSLv2, which is a big no-no, as SSLv2 has been obsolete and recognized as insecure since its release in 1995, and was replaced by SSLv3 in 1996. Nmap fetches the SSH host key fingerprints, which are handy for verifying the authenticity of a host's public key. It even shows that an HTTP server is running, but the home page has no title and may even be the default page that displays on a new installation. You can quickly check this by pointing your web browser to the IP address or hostname.



You can capture Nmap's output to files in three formats at once with the -oA option:



$ nmap -A -oA filename 192.168.1.0/24


Replace filename with whatever you want the filename to be. This gives you three output files: filename.gnmap, filename.nmap, and filename.xml. gnmap is designed to be easily grep-able, nmap is the same as your screen output, and of course xml is XML, to look nice on web pages. There is even a tongue-in-cheek script kiddie format option:



$ nmap -sn -oS skriptkiddee 192.168.1.0/24


This results in something like this in skriptkiddee.nmap:



Start1Ng Nmap 5.21 ( http://nmap.0rg ) aT 2011-12-12 11:48 PsT
NmaP scan r3pOrT fOR sErvEr1.gr33n.n3t (192.168.1.3)
h0st !z uP (0.0041s LatencY)
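An added example, not from the original article, that puts the grep-able format to work: it parses a constructed .gnmap sample (modelled on the -A output above plus one made-up host, 192.168.1.7, with made-up version strings) into the open ports of each host, then reports any listener that a constructed baseline of expected services does not account for, which is the "unauthorized servers" check the introduction mentions.

```shell
T="$(printf '\t')"   # gnmap fields are tab-separated

# Constructed .gnmap sample (not a real scan). Each port entry reads
# port/state/proto/owner/service/rpc/version/ and a "/" inside a service
# name is written as "|" (ssl|http).
SAMPLE_GNMAP="# Nmap 5.21 scan initiated Sun Dec 11 20:30:00 2011 as: nmap -A -oA filename 192.168.1.0/24
Host: 192.168.1.2 (server1.green.net)${T}Status: Up
Host: 192.168.1.2 (server1.green.net)${T}Ports: 22/open/tcp//ssh//OpenSSH 4.1p1 Debian 7ubuntu4 (protocol 2.0)/, 53/open/tcp//domain//dnsmasq 2.23/, 443/open/tcp//ssl|http//lighttpd 1.4.11/, 5060/closed/tcp//sip///${T}Ignored State: filtered (995)
Host: 192.168.1.7 ()${T}Status: Up
Host: 192.168.1.7 ()${T}Ports: 8000/open/tcp//http-alt//nginx 1.0.0/${T}Ignored State: closed (999)
# Nmap done at Sun Dec 11 20:31:00 2011 -- 256 IP addresses (2 hosts up) scanned in 60.00s"

# Listeners that are supposed to exist, one "ip port/proto" per line (constructed).
BASELINE='192.168.1.2 22/tcp
192.168.1.2 53/tcp
192.168.1.2 443/tcp'

# Read gnmap on stdin; print "ip port/proto service version" per open port.
open_ports() {
    awk -F'\t' '
        /^Host: / && $2 ~ /^Ports: / {
            split($1, h, " ")                  # h[2] is the IP address
            sub(/^Ports: /, "", $2)
            n = split($2, e, /, /)             # one entry per port
            for (i = 1; i <= n; i++) {
                split(e[i], f, "/")            # port state proto owner service rpc version
                if (f[2] == "open") print h[2], f[1] "/" f[3], f[5], f[7]
            }
        }'
}

# Read gnmap on stdin; print the open ports the baseline does not list.
unexpected_listeners() {
    open_ports | while read -r ip port rest; do
        printf '%s\n' "$BASELINE" | grep -qxF "$ip $port" || echo "$ip $port $rest"
    done
}

# Wrappers that run both checks over the constructed sample.
sample_open_ports() { printf '%s\n' "$SAMPLE_GNMAP" | open_ports; }
sample_unexpected() { printf '%s\n' "$SAMPLE_GNMAP" | unexpected_listeners; }
```

With a real file from -oA, the check is unexpected_listeners < filename.gnmap, run after each inventory scan.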


You might want to limit a scan to check whether specific ports are open. This example probes HTTP ports 80, 443, and 8080:



$ nmap -p T:80,443,8080 192.168.1.0/24


The T: prefix marks TCP ports; use the U: prefix for UDP ports (which also needs a UDP scan, -sU, to be requested).



You can also probe only for services and version information:



$ nmap -sV 192.168.1.0/24


Add -v or -vv to any nmap command to increase the verbosity of the output. If you are filtering the output through a command like awk or sed, you'll probably have to adjust it to allow for the different verbosity levels.



Target Specifications



The Nmap documentation calls the IP addresses or hostnames you are probing the target specification. You can slice and dice your targets in a lot of useful ways. In our examples the target specification has been a single private subnet in CIDR notation. You can query a single IP address or hostname, or multiple hostnames, with a space-, tab-, or newline-delimited list. I like space-delimited lists on the command line:



$ nmap -A server1 server2 server3


Or create a plain-text list of hostnames or IP addresses separated by newlines, and then call this list with the -iL option:



$ nmap -A -iL hostname-list


Use the --excludefile option instead of -iL for listing hostnames or addresses you don't want to scan.



You can specify a list of non-consecutive IP addresses in this form: 192.168.1.41,77,103. An address range looks like 192.168.1.15-101.



All of the above only gives you a hint at all Nmap can do. You can learn more about this powerful network scanner at Nmap.org.




This work is licensed under a Creative Commons Attribution 3.0 Unported License
Creative Commons License.



Comments

Thank you, nice tutorial!!
but when I try some commands to get only output ip address 1 per line it doesn't work

I use this command
nmap -sS -p 80 -v -oG - -oN IP.txt -PS80 192.168.1.0/24 | grep down | awk '{print $5}'


#--- Output start----#
# Nmap 6.25 scan initiated Wed Dec 12 15:05:13 2012 as: nmap -sS -p 80 -v -oG - -oN sample.txt -oX c:\docume~1\owner\locals~1\temp\zenmap-snbigl.xml -PS80 --open nmap 192.168.1.0/24 | grep down | awk {print $5}
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Invalid character in host specification: |. Note in particular that square brackets [] are no longer allowed. They were redundant and can simply be removed.
Failed to resolve given hostname/IP: grep. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Failed to resolve given hostname/IP: down. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Invalid character in host specification: |. Note in particular that square brackets [] are no longer allowed. They were redundant and can simply be removed.
Failed to resolve given hostname/IP: awk. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Failed to resolve given hostname/IP: {print $5}. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Nmap scan report for 82 (192.168.1.1)
Host is up (2.2s latency).
PORT STATE SERVICE
80/tcp open http

Nmap scan report for 82 (192.168.1.2)
Host is up (0.26s latency).
PORT STATE SERVICE
80/tcp open http

[...]

#--- Output End----#


I only want an output like this:
192.168.1.0
192.168.1.1
192.168.1.3

I am using (Zenmap) Nmap 6.25, thanks in advance
Posted @ Wednesday, December 12, 2012 9:19 AM by eth
exceleeeeeeeeeeeeenlt
Posted @ Monday, October 13, 2014 6:05 AM by ali