Every now and then, as system administrators we need to scan ports, whether the target machine is owned by us or not. To achieve this, nmap is the well-known and reliable tool that is available for almost every platform. But to use nmap, we need to understand a little of its background.
There are several methods to scan ports. One of them is the “TCP” scanning method. With this method, nmap will try to establish a TCP connection with each of the ports to be scanned on the target. If we don’t specify any ports, nmap will scan only its default list of commonly used ports, which speeds up the process a lot! Below, you’ll find an example of a TCP scan of every port on the target machine.
$ nmap -sT -p- -PN 10.20.30.40
When we break down the arguments, things will get clearer.
-sT : The -s indicates which method to use to scan, so the following T says it’s a TCP scan.
-p- : With this we tell nmap to scan every port on the target. Normally, nmap has a predefined list of 1000 ports that are widely used. To scan only the default 1000 ports, just don’t use this flag. Alternately you can tell it which specific range of ports to scan. For example, to scan the ports 21, 23 and 25, we specify it as -p21,23,25, or to scan every port between 21 and 25, -p21-25. If we want to scan everything between 21 and 25 plus port 80, it goes like this: -p21-25,80
-PN : This option tells nmap to skip host discovery, which means it will assume that every target we specify is online. Use this only if you’re sure that the host is online; when we specify a lot of targets, and a lot of ports on those targets, host discovery comes in as a handy time saver.
Target specification in a clever way is very important if you’re willing to scan multiple targets. Below, we’ll talk about how detailed we can specify targets on nmap.
The simplest way to tell nmap to scan 2 separate targets (here alongside an address range) is to list them one after the other:
$ nmap -sT -p21-25,80,8080 10.20.30.40-60 192.168.16.4 192.168.16.5
The above will do the same thing as the notation below:
$ nmap -sT -p21-25,80,8080 10.20.30.40-60 192.168.16.4,5
Nmap can also understand various notations at the same time when specifying target addresses. For example, we can specify a network with its CIDR notation and use partial definitions on different subnet blocks. Take a look at this example:
$ nmap -sT -p- -PN 192.168.1.0/16 10.20.30,31.40
Note that you cannot use the comma notation and the CIDR notation at the same time. So target specification such as 192.168.1,2.0/16 is NOT allowed.
You can also specify IPv6 targets using the -6 option. Below we’re scanning the website my-ip6.com:
$ nmap -sT -p21-25,80 -6 2a00:7300:1::4
Also note that with the IPv6 scanning, nmap does NOT support CIDR notation.
Needless to say, we can also specify the target with its domain name.
$ nmap -sT -p- -PN plugged.in
Nmap can also get the targets from a text file if you can’t specify them in a sequential order. Just type your targets’ IP addresses line by line in a file and run it like this:
$ nmap -sT -p- -PN -iL my_targets_text_file
When you specify a range of addresses, it sometimes is crucial to NOT SCAN some members of that network. For this, nmap allows you to exclude addresses. This time we specify multiple “excluded targets” comma separated, and as usual, it supports all the syntax supported for target specification (hostnames, CIDR, netblocks, octet ranges, etc.).
$ nmap -sT -p- -PN 192.168.1.0/16 --exclude 192.168.16.30,192.168.1.10-15
Here’s a problem with this nmap syntax: since the excluded targets are separated with commas, we can’t use commas to define subnets within the exclusion. For example, we can specify targets such as 192.168.1,2.1, but this is not allowed within the exclusion since nmap uses the comma as the delimiter between excluded targets.
The good thing is, just like specifying your targets in a text file, you can also specify your exclusion list in one!
$ nmap -sT -p- -PN 192.168.1.0/16 --excludefile my_exclusion_text_file
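To see exactly which addresses a target specification expands to before a scan is run, here is a small parser for the syntax covered above (octet lists and ranges, CIDR, --exclude and --excludefile). It is an added example written for this post, not nmap’s own code; the function names are my own, hostnames are passed through unresolved so it runs offline, and the comma-in-exclusion limitation described above is reproduced by splitting --exclude on commas before parsing.

```python
import ipaddress
import itertools
import re

def _octet_values(part):
    """One octet field: '4', '40-60', '-' (0-255) or '30,31' -> list of ints."""
    values = []
    for piece in part.split(","):
        lo, sep, hi = piece.partition("-")
        lo = int(lo) if lo else 0                     # '-5' means 0-5
        hi = int(hi) if hi else (255 if sep else lo)  # '10-' means 10-255
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {piece!r}")
        values.extend(range(lo, hi + 1))
    return values

def expand_spec(spec):
    """Expand one nmap target token into an ordered list of address strings."""
    if "/" in spec:
        if "," in spec or "-" in spec:      # nmap rejects 192.168.1,2.0/16
            raise ValueError(f"octet lists cannot be combined with CIDR: {spec!r}")
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    if not re.fullmatch(r"[0-9,.\-]+", spec):
        return [spec]                       # hostname: nmap resolves it at scan time
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*map(_octet_values, octets))]

def plan_targets(targets, exclude=None, exclude_file=None):
    """Addresses nmap would scan after --exclude / --excludefile are applied.

    --exclude is split on commas before each piece is parsed, which is why
    192.168.1,2.1 is a valid target but raises ValueError as an exclusion.
    """
    excluded = set()
    for spec in (exclude.split(",") if exclude else []):
        excluded.update(expand_spec(spec))
    for line in (exclude_file or []):      # one spec per line, commas allowed
        if line.strip():
            excluded.update(expand_spec(line.strip()))
    seen, result = set(), []
    for spec in targets:
        for addr in expand_spec(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result
```

With real nmap, the equivalent dry run is the list scan (-sL), which prints the expanded targets without sending any probes.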
And last but not least, nmap has an option to scan random addresses. This is built specifically for research (and fun!), yet you should always use this option at your own risk, since some networks might treat your scanning of their systems as a possible break-in attempt. It is also a good idea to use exclusion lists with this option.
$ nmap -sT -p80 -PN -iR 5
The number 5 above means that nmap will scan 5 addresses, so it will generate 5 random IP addresses. To generate an infinite number of addresses, use the -iR option with the value 0.
Let’s end this post with a quote from the nmap man page:
“If you find yourself really bored one rainy afternoon, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers for browsing.”