Gathering Information with NMAP
Nmap (Network Mapper) is a free software utility that lets you explore, manage and audit the security of computer networks.
It can detect online hosts, their open ports, services and applications running on them, their operating system, what firewalls / filters run on a network and what type they are.
Usage
Scan a single host
~# nmap -hostname or ip-
This will ping the host checking if it’s alive, it’ll also check the 1000 most common ports sorting them by open, close or filtered state
Scan a range of hosts in CIDR format
Ex: ~# nmap 192.168.1.1/24
This will ping a range of host checking if they are alive, it’ll also check the 1000 most common ports sorting them by open, close or filtered state. This particular example will scan the 254 hosts that could be alive inside this network.
Scan ports
~# nmap -p 20, 80 -hostname or ip-
This will ping the host checking if it’s alive, it’ll also check the current state of both port 20 and 80
~# nmap -p 20-80 -hostname or ip-
Here we check the state of every port between 20 and 80
Please be verbose
~# nmap -vv -hostname or ip-
passing one or two v’s as parameters will output more information on realtime to the scan file. This comes handy when you are pure anxiety.
I can't afford to be agressive
~# nmap -sS -hostname or ip-
This scan wil start the syn-ack tpc connection sequence but it wont finish them, giving you information about the ports but leaving the destination host in the shadows
I can afford to be agressive
~# nmap -A -hostname or ip-
This option will get as much information as it can from the host, but it wont be a stealthy scan.
Service detection
~# nmap -sV -hostname or ip-
Nmap contains a database of about 2,200 well-known services and associated ports. Examples of these services are HTTP (port 80), SMTP (port 25), DNS (port 53), and SSH (port 22):
OS detection
~# nmap -O -hostname or ip-
The -O option activates OS fingerprinting, the information you get from this scan is likely a guess and not a fact.
Output scan to file
~# nmap -oA -filename- -hostname or ip-
This will ping the host checking if it’s alive, it will also output the contents of the scan to a file with the chosen name in three formats. You can choose one of the three by using its defined parameter, oX XML, oN human readable and oG a grepable log.