Activity 2.1 & 2.2 Host Discovery - Paiet/SEC-335 GitHub Wiki
9/12/2021 - 9/22/2021
Network Mapper, commonly called Nmap, is a network and host discovery tool. It is one of the most widely used tools for activities such as:
- Discovering hosts, services, and ports
- Operating system fingerprinting
- Enumeration
- Discovering vulnerabilities on the local and remote host
- Finding the IP address of a remote system
Using Nmap, you can scan for targets in the following ways:

- Scan a single IP: `nmap 192.168.0.1`
- Scan a host by name: `nmap host1.sec335.com`
- Scan an entire subnet: `nmap sec335.com/24`, `nmap 192.168.0.0/24`, `nmap 192.168.0.*`
- Scan a range of IP addresses: `nmap 192.168.0.1-10`
- Scan a range plus a system outside the range: `nmap 192.168.0.1, 1.10`
- SYN scan (`-sS`) vs. full connect scan (`-sT`)
  - Look at the man page for nmap
  - Capture both `-sS` and `-sT` scans in Wireshark to see the differences
- Port selection (`-p`)
  - Simple port selections
    - Single port
    - Port range (`1-1024`, `-1024`, `50000-`)
    - All ports (`-p-`)
    - Specific ports (e.g. `21,23,80,443`, etc.)
  - TCP and/or UDP port scanning
    - `-sU` scans UDP ports; then you specify the port numbers like normal
    - You can scan both TCP and UDP ports at the same time: `nmap -sU -sS -p U:53,64,T:21,23,80 10.0.0.165`
- Service identification (`-sV`)
  - `--version-intensity`: scale of 0 - 9
  - `--version-light` == `--version-intensity 2`
- OS fingerprinting (`-O`)
- Disabling ping (`-Pn`)
  - Skips host discovery
  - Will attempt to scan the host without pinging it first to determine whether it is up
- `--send-ip` and `--disable-arp-ping`
  - Used in local network environments
- Target input file (`-iL`)
- Timing (`-T`)
  - 6 timing options
    - 0: Paranoid
    - 1: Sneaky
    - 2: Polite
    - 3: Normal
    - 4: Aggressive
    - 5: Insane
- Output parameters
  - `-oA` (Dump ALL formats)
  - `-oN` (Dump to .nmap file)
  - `-oG` (Dump to grepable file)
  - `-oX` (Dump to XML file)
    - Use `xsltproc` to render the XML as an HTML document: `xsltproc nmap_output.xml -o nmap_output.html`
  - Use
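As an added example (not part of the original wiki page), a small Python parser for the `-oG` grepable format listed above, run over a constructed sample scan and compared against a per-host baseline of expected open ports; the sample output, host names and baseline are all made up for illustration.

```python
import re

# Constructed sample of `nmap -oG` output (not a real scan); fields are tab-separated.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated Sun Sep 12 10:00:00 2021 as: nmap -sS -sU -sV -p U:53,T:21,22,80 -oG scan.gnmap 10.0.0.0/24
Host: 10.0.0.1 (gw.sec335.com)\tStatus: Up
Host: 10.0.0.1 (gw.sec335.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 53/open|filtered/udp//domain///\tIgnored State: closed (2)
Host: 10.0.0.165 ()\tStatus: Up
Host: 10.0.0.165 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.41/\tIgnored State: filtered (2)
"""

# Constructed baseline: the (protocol, port) pairs each host is expected to expose.
BASELINE = {"10.0.0.1": {("tcp", 22)}, "10.0.0.165": {("tcp", 80)}}
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_port_entry(entry: str) -> dict:
    """One entry is port/state/protocol/owner/service/rpc_info/version/ (seven fields)."""
    parts = entry.strip().rstrip("/").split("/")
    parts += [""] * (7 - len(parts))          # pad when trailing fields such as version are empty
    port, state, proto, _owner, service, _rpc, *version = parts
    return {"port": int(port), "proto": proto, "state": state,
            "service": service, "version": "/".join(version)}

def parse_gnmap(text: str) -> dict:
    """Map each IP to its hostname, status and parsed port list."""
    hosts: dict = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                                 # '#' comment lines carry no host data
            continue
        ip, name = m.groups()
        rec = hosts.setdefault(ip, {"hostname": name, "status": None, "ports": []})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":                  # entries are separated by ", " before the next port number
                rec["ports"].extend(parse_port_entry(e) for e in re.split(r",\s+(?=\d+/)", value))
    return hosts

def unexpected_open_ports(hosts: dict, allowed: dict) -> list:
    """Open ports missing from the baseline; 'open|filtered' UDP results are not counted as open."""
    return [(ip, p["proto"], p["port"], p["service"])
            for ip, rec in hosts.items() for p in rec["ports"]
            if p["state"] == "open" and (p["proto"], p["port"]) not in allowed.get(ip, set())]

if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print("not in baseline:", unexpected_open_ports(hosts, BASELINE))
```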