nmap utilization - Ptsoares/SEC_335_Techjournal GitHub Wiki

Overview

nmap is a scanning tool that's especially helpful for ethical hackers and pen testers during their active scanning phase. The tool works well with bash scripts, has many switches that can be used to adjust the type of scans and output, and there's a good amount of documentation available on the internet. As a quick reference guide, this page will have relevant examples from this course's labs and assignments, as well as a few links to external sources.

Helpful command examples

This first command is an example of using nmap to scan a specific host and port:

sudo nmap 10.0.17.X -p 3389

This command runs an ARP ping scan (nmap's default host discovery when scanning a local subnet as root) and reports whether the host is up and, if so, the state of the port and the service nmap associates with it. This example targets the Windows 10 VM on the port that RDP listens on (3389). The same command can also be run against multiple ports or a range of ports, using comma separation or a dash respectively; later examples demonstrate this.

Adding the -sV flag enables service version detection, so the output includes a VERSION column describing what nmap could identify about the listening software. With this flag the command looks like the one below:

sudo nmap -sV 10.0.17.X -p 3389

The -sV flag can be replaced with the -A (aggressive) flag to gather even more information from the host: OS detection, script scanning, and traceroute in addition to version detection.
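As an added example that is not part of this journal page, the shell functions below parse the normal-format output that the -sV command above produces, pulling out whether the host was up, the list of open ports, and the VERSION text for a given port. The scan output embedded in the script is constructed for illustration (it is not a real capture), and the function names are my own, not nmap's.

```shell
#!/bin/sh
# Added example: read nmap "normal" output (what `nmap -sV HOST -p ...` prints) from stdin
# and pull out the host state, the open ports, and the VERSION column for one port.
# The sample below is CONSTRUCTED for illustration; 10.0.17.X is the page's placeholder host.

NMAP_SAMPLE='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 10.0.17.X
Host is up (0.00042s latency).

PORT     STATE  SERVICE       VERSION
135/tcp  open   msrpc         Microsoft Windows RPC
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds?
3389/tcp open   ms-wbt-server Microsoft Terminal Services
8080/tcp closed http-proxy
MAC Address: 00:11:22:33:44:55 (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap done: 1 IP address (1 host up) scanned in 6.52 seconds'

# host_state: prints "up" if the report contains a "Host is up" line, otherwise "down".
host_state() {
    if grep -q '^Host is up'; then
        echo up
    else
        echo down
    fi
}

# open_ports: prints the open port numbers from the port table as a comma-separated
# list (e.g. 135,139,445,3389). Closed/filtered rows are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
             split($1, p, "/")
             out = (length(out) ? out "," : "") p[1]
         }
         END { print out }'
}

# service_version PORT: prints the VERSION column for PORT, "unknown" when nmap printed
# no version for it (the row ends at the SERVICE column), or "not scanned" if PORT is
# absent from the table.
service_version() {
    awk -v port="$1" '$1 == (port "/tcp") || $1 == (port "/udp") {
             found = 1
             v = ""
             for (i = 4; i <= NF; i++) v = (length(v) ? v " " : "") $i
             print (length(v) ? v : "unknown")
         }
         END { if (!found) print "not scanned" }'
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$NMAP_SAMPLE" | host_state
printf '%s\n' "$NMAP_SAMPLE" | open_ports
printf '%s\n' "$NMAP_SAMPLE" | service_version 3389
```

For anything beyond a quick check, nmap's own -oG (grepable) and -oX (XML) output options are more stable to parse than the normal output; the point here is to show what the PORT, STATE, SERVICE and VERSION columns contain.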

As mentioned earlier, ports can be specified in several ways in nmap:

-p 1-1600

The section of the nmap command above restricts the scan to that port range (ports 1 through 1600 inclusive).

-p 135,139,445,3389

The section of the nmap command above scans only the listed ports.
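The following shell functions are an added example rather than anything from the course labs: they validate a -p port specification in the two forms shown above (a dash range and a comma-separated list, which nmap also lets you mix in one spec), count how many ports it covers, and assemble the scan command as a string without running it. The function names are hypothetical, and 10.0.17.X is the placeholder host used on this page.

```shell
#!/bin/sh
# Added example: check an nmap -p port specification before using it and build the
# command line. Covers the forms on this page (single port, comma list, dash range, and
# mixes of them); it does not handle nmap's "-" (all ports) or T:/U: protocol prefixes.

# valid_port N: true if N is a whole number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_port_spec SPEC: accepts "3389", "135,139,445,3389", "1-1600" or a mix;
# rejects empty items (e.g. "22,,80"), non-numeric items, out-of-range ports and
# reversed ranges such as "1600-1".
validate_port_spec() {
    [ -n "$1" ] || return 1
    rest="$1,"                       # trailing comma makes the loop uniform
    while [ -n "$rest" ]; do
        item="${rest%%,*}"; rest="${rest#*,}"
        case "$item" in
            *-*)
                lo="${item%%-*}"; hi="${item#*-}"
                valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || return 1 ;;
            *)
                valid_port "$item" || return 1 ;;
        esac
    done
    return 0
}

# port_count SPEC: prints how many ports SPEC covers (1-1600 -> 1600; 135,139,445,3389 -> 4),
# a quick sanity check on the scope of a scan. Overlapping items are counted twice.
port_count() {
    validate_port_spec "$1" || return 1
    n=0; rest="$1,"
    while [ -n "$rest" ]; do
        item="${rest%%,*}"; rest="${rest#*,}"
        case "$item" in
            *-*) lo="${item%%-*}"; hi="${item#*-}"; n=$((n + hi - lo + 1)) ;;
            *)   n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# build_nmap_cmd HOST SPEC [FLAGS...]: prints the command in the page's layout,
# e.g. "sudo nmap -sV 10.0.17.X -p 3389", after validating SPEC. Nothing is executed.
build_nmap_cmd() {
    host="$1"; spec="$2"; shift 2
    validate_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    if [ $# -gt 0 ]; then
        printf 'sudo nmap %s %s -p %s\n' "$*" "$host" "$spec"
    else
        printf 'sudo nmap %s -p %s\n' "$host" "$spec"
    fi
}

# Stand-alone usage:
build_nmap_cmd 10.0.17.X 3389 -sV
build_nmap_cmd 10.0.17.X 135,139,445,3389
port_count 1-1600
```

Validating the spec up front is mostly about catching typos before a long scan starts; nmap itself rejects a malformed -p argument, but it will happily scan a far larger range than intended if a digit slips.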

Useful in-context examples and additional flags for nmap

TCP & UDP Assignment

DNS Enumeration