Nmap Tool

Nmap (Network Mapper) is an open-source tool used primarily for network discovery and security auditing. It discovers hosts and services on a network and identifies open ports, the services listening on them, and their versions. Below is a guide to Nmap's usage, its key features, and some common commands with examples.

Key Features of Nmap
Host discovery: Identifies active devices on a network.
Port scanning: Determines which ports are open on a target host.
Service version detection: Identifies services running on open ports and their versions.
Operating system detection: Attempts to determine the operating system of a target.
Scripting engine: Executes prewritten scripts to find vulnerabilities or gather information about services.
Basic Command Syntax

nmap [options] [target]

[options]: Various flags and parameters to customize the scan.
[target]: The IP address, hostname, or IP range to scan.
Common Nmap Commands and Examples
Basic Host Discovery
To check which hosts are up in a network:


nmap -sn 192.168.1.0/24
-sn: This option disables port scanning and only checks whether the hosts are alive.
192.168.1.0/24: A subnet range to scan.
Port Scanning (Basic)
To scan the most common 1,000 TCP ports on a host:


nmap 192.168.1.10
By default, Nmap scans the most common ports.
Scanning Specific Ports
To scan specific ports, use the -p option:


nmap -p 80,443 192.168.1.10
-p: Specify port(s), in this case, 80 (HTTP) and 443 (HTTPS).
Service Version Detection
To detect versions of services running on open ports:


nmap -sV 192.168.1.10
-sV: Enables version detection for services running on open ports.
Operating System Detection
To attempt to determine the operating system of the target:


nmap -O 192.168.1.10
-O: OS detection.
Aggressive Scan
To run an aggressive scan, which combines several options (host discovery, port scanning, service version detection, OS detection, etc.):


nmap -A 192.168.1.10
-A: Performs an "aggressive" scan, which includes OS detection, version detection, script scanning, and traceroute.
Scan a Range of IP Addresses
To scan a range of IP addresses:

nmap 192.168.1.1-100
Scans IPs from 192.168.1.1 to 192.168.1.100.
Scan a Subnet
To scan a whole subnet (e.g., all devices in 192.168.1.0/24):


nmap 192.168.1.0/24
Scans the entire subnet 192.168.1.0 with a netmask of /24.
Scan Multiple Targets
To scan multiple hosts or ranges of hosts:


nmap 192.168.1.1 192.168.1.10 192.168.2.0/24
You can specify multiple IP addresses or subnets.
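The range, subnet, and multiple-target sections above all rely on Nmap's target notation. Before a scan runs, an engineer usually wants to know exactly which addresses that notation expands to and whether every one of them lies inside the authorized assessment scope. The following Python is an added example, not Nmap's own code or anything from this page: it expands the target forms used above (single IP, CIDR, per-octet ranges such as 192.168.1.1-100, and comma lists inside an octet) and checks the result against a constructed scope list. Hostnames are deliberately rejected so the check stays offline; AUTHORIZED_SCOPE is an assumed value for illustration.

```python
import ipaddress
from typing import Dict, Iterator, List, Set, Tuple

# Constructed authorized scope for this example (assumption, not from the page):
# the assessment may touch only these two networks.
AUTHORIZED_SCOPE = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
]


def _expand_octet(spec: str) -> List[int]:
    """Expand one octet field of an Nmap-style target: '10', '1-100' or '1,3,5-7'."""
    values: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # Nmap treats a bare '-' as 0-255
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every IPv4 address covered by one Nmap target specification.

    Handles the forms used on this page: a single IP (192.168.1.10), CIDR
    (192.168.1.0/24, which covers all 256 addresses just as Nmap scans them)
    and per-octet ranges (192.168.1.1-100). Hostnames are rejected rather
    than resolved so the scope check never touches the network.
    """
    if "/" in spec:
        # strict=False accepts host bits set, e.g. 192.168.1.5/24, like Nmap does
        yield from ipaddress.ip_network(spec, strict=False)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target (hostname or malformed IP): {spec!r}")
    for a in _expand_octet(octets[0]):
        for b in _expand_octet(octets[1]):
            for c in _expand_octet(octets[2]):
                for d in _expand_octet(octets[3]):
                    yield ipaddress.IPv4Address(f"{a}.{b}.{c}.{d}")


def check_scope(specs: List[str], scope=AUTHORIZED_SCOPE) -> Tuple[int, List[str]]:
    """Return (number of in-scope addresses, list of out-of-scope addresses).

    An empty second element means the whole target list is authorized.
    """
    in_scope = 0
    out_of_scope: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if any(addr in net for net in scope):
                in_scope += 1
            else:
                out_of_scope.append(str(addr))
    return in_scope, out_of_scope


if __name__ == "__main__":
    # The multiple-target command from the page: 258 addresses, all authorized.
    print(check_scope(["192.168.1.1", "192.168.1.10", "192.168.2.0/24"]))
    # A target list that strays outside the constructed scope.
    print(check_scope(["192.168.1.250-255", "10.0.0.1"]))
```

The count returned for a /24 is 256 because Nmap, like this expander, includes the network and broadcast addresses in the target list; if a scope document lists hosts rather than networks, build AUTHORIZED_SCOPE from /32 entries instead.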
Scan UDP Ports
By default, Nmap scans only TCP ports. To scan UDP ports, use -sU:


nmap -sU -p 53,67,123 192.168.1.10
-sU: Conducts a UDP scan.
-p: Specifies the ports to scan, in this case, ports 53 (DNS), 67 (DHCP), and 123 (NTP).
Timing and Performance Options
Nmap allows you to control the speed and stealthiness of your scans using timing options:


nmap -T4 192.168.1.10
-T4: A timing template for faster scans. It can range from -T0 (paranoid) to -T5 (insane).
Using Nmap Scripting Engine (NSE)
Nmap has an integrated scripting engine for advanced scans. For example, you can check for vulnerabilities or gather detailed information with prebuilt scripts:


nmap --script vuln 192.168.1.10
--script vuln: Uses vulnerability scanning scripts. This command runs various vulnerability tests against the target host.
Stealth Scan (SYN Scan)
A SYN scan (-sS) is a stealth scan that sends SYN packets to ports to check if they are open:


nmap -sS 192.168.1.10
-sS: Conducts a SYN scan (half-open scan), which never completes the TCP handshake and is therefore less likely to be logged by the target application or noticed by firewalls and intrusion detection systems. It needs raw-socket privileges, so it must be run as root (or with equivalent capabilities); when Nmap is run as root it is the default TCP scan type, and unprivileged users get a full-connect scan (-sT) instead.
Scan for Firewalls and Filtered Ports
To detect filtered ports (i.e., ports blocked by firewalls or other network filters):


nmap -sA 192.168.1.10
-sA: Conducts an "ACK" scan, which can help determine whether ports are filtered. Note that an ACK scan never reports a port as open or closed: a port that answers with a RST is reported as unfiltered, and a port that gives no response (or an ICMP unreachable error) is reported as filtered, so it is used to map firewall rules rather than to find listening services.
Save Output to a File
You can save the results of a scan to a file:


nmap -oN scan_results.txt 192.168.1.10
-oN: Output to a normal (human-readable) text file.
Scan Specific IP Range
To scan a range of IPs:


nmap 192.168.1.1-50
Scans from IP 192.168.1.1 to 192.168.1.50.
Some Useful Nmap Options:
-p [ports]: Specifies which ports to scan.
-T0 to -T5: Adjusts timing templates for speed (0 is slow, 5 is fast).
-sS: SYN scan (stealth scan).
-sU: UDP scan.
-O: OS detection.
-A: Aggressive scan (includes OS, version, scripts, and traceroute).
-v: Verbose mode for more detailed output.
-oN [file]: Output results to a file in normal format.
-oX [file]: Output results to a file in XML format.
-oG [file]: Output results to a file in grepable format.
Full Scan Example
A full scan using aggressive options, including service version detection, OS detection, and scripts, while saving output to a file:


nmap -A -T4 -oN full_scan.txt 192.168.1.10
This command will:
Run an aggressive scan (-A).
Use fast timing (-T4).
Save the output to a text file (-oN full_scan.txt).
Target the IP 192.168.1.10.
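Saving output to a file, as in the -oN, -oX and -oG options and the full scan example above, is most useful when the result is then processed rather than read once: a defender compares each scan against the set of ports a host is supposed to expose and flags anything new. The Python below is an added example, not part of the page or of Nmap: it parses the XML produced by -oX (assuming the full scan above was run with -oX full_scan.xml in addition to -oN) using the standard library and compares the open ports per host against a constructed baseline. The SAMPLE_XML, the host, the services and the BASELINE are all constructed values for illustration, trimmed to the elements the parser reads.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

PortKey = Tuple[str, int]   # (protocol, port number), e.g. ("tcp", 22)

# Constructed sample of Nmap -oX output for the host used on this page
# (assumed content; a real file carries many more elements and attributes).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -T4 -oX full_scan.xml 192.168.1.10" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="8.0.33"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline (assumption): the ports each host is supposed to expose.
BASELINE: Dict[str, Set[PortKey]] = {
    "192.168.1.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}


def parse_open_ports(xml_text: str) -> Dict[str, Dict[PortKey, str]]:
    """Map each host that is up to its open ports and a 'name product version' label."""
    root = ET.fromstring(xml_text)   # Nmap output is local, trusted XML
    result: Dict[str, Dict[PortKey, str]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                   # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports: Dict[PortKey, str] = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue               # closed/filtered ports are not exposure
            key = (port.get("protocol"), int(port.get("portid")))
            svc = port.find("service")
            label = ""
            if svc is not None:
                fields = (svc.get("name"), svc.get("product"), svc.get("version"))
                label = " ".join(v for v in fields if v)
            open_ports[key] = label
        result[addr_el.get("addr")] = open_ports
    return result


def compare_to_baseline(scan: Dict[str, Dict[PortKey, str]],
                        baseline: Dict[str, Set[PortKey]]) -> Dict[str, Dict[str, List[str]]]:
    """Return {host: {"unexpected": [...], "missing": [...]}} for hosts that deviate.

    'unexpected' are open ports absent from the baseline (new exposure);
    'missing' are baseline ports not seen open (service down, or host unreachable).
    """
    findings: Dict[str, Dict[str, List[str]]] = {}
    for host in set(scan) | set(baseline):
        observed = scan.get(host, {})
        expected = baseline.get(host, set())
        unexpected = sorted(k for k in observed if k not in expected)
        missing = sorted(k for k in expected if k not in observed)
        if unexpected or missing:
            findings[host] = {
                "unexpected": [f"{p}/{proto} {observed[(proto, p)]}".strip()
                               for proto, p in unexpected],
                "missing": [f"{p}/{proto}" for proto, p in missing],
            }
    return findings


if __name__ == "__main__":
    for host, f in compare_to_baseline(parse_open_ports(SAMPLE_XML), BASELINE).items():
        print(host, f)
```

A host that is in the baseline but absent from the scan shows every baseline port as missing, which is the right signal when a host has gone down; when a host appears in the scan but not in the baseline, everything it exposes is reported as unexpected, so unknown devices on the subnet surface immediately.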
Conclusion

Nmap is a powerful tool for network administrators and security professionals. It's flexible and customizable, making it suitable for a wide variety of use cases, from simple host discovery to detailed vulnerability assessments. By combining various options and understanding the behavior of Nmap commands, you can tailor your scans to meet specific security needs.