Nmap:Penggunaan

===1. Basic Nmap Scan against IP or host===
<syntaxhighlight lang="shell">
nmap 1.1.1.1
</syntaxhighlight>
Now, if you want to scan a hostname, simply replace the IP with the hostname, as you see below:
<syntaxhighlight lang="shell">
nmap cloudflare.com
</syntaxhighlight>
Scans like these, such as the Nmap scan of a single host, are perfect first steps when starting with Nmap.


===2. Nmap Ping Scan===
<syntaxhighlight lang="shell">
nmap -sn 192.168.5.0/24
</syntaxhighlight>
The most famous type of scan is the Nmap ping scan (so called because it’s often used to perform Nmap ping sweeps), and it’s the easiest way to detect hosts on any network. <code>-sn</code> means host discovery only, with no port scan; older Nmap versions and tutorials spell the same option <code>-sP</code>, and the option is case-sensitive.

The drawback of this ICMP-only type of scan is that remote hosts often block IP-based ping packets, so if you’re unable to get solid results, we recommend switching to ARP-based requests for your scan.


===3. Scan specific ports or scan entire port ranges on a local or remote server===
<syntaxhighlight lang="shell">
nmap -p 1-65535 localhost
</syntaxhighlight>
In this example, we scanned all 65535 ports on our localhost computer.

Nmap is able to scan all possible ports, but you can also scan specific ports, which returns results faster. See below:
<syntaxhighlight lang="shell">
nmap -p 80,443 8.8.8.8
</syntaxhighlight>


===4. Scan multiple IP addresses===
Let’s try to scan multiple IP addresses. For this you need to use this syntax:
<syntaxhighlight lang="shell">
nmap 1.1.1.1 8.8.8.8
</syntaxhighlight>
You can also scan consecutive IP addresses:
<syntaxhighlight lang="shell">
nmap 1.1.1.1,2,3,4
</syntaxhighlight>
This will scan 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4.


===5. Scan IP ranges===
You can also use Nmap to scan entire CIDR IP ranges, for example:
<syntaxhighlight lang="shell">
nmap 8.8.8.0/28
</syntaxhighlight>
This will scan 14 consecutive IP addresses, from 8.8.8.1 to 8.8.8.14. (Keep in mind that the /28 block itself also contains 8.8.8.0 and 8.8.8.15, and Nmap includes both of them when you give it the CIDR form.)

An alternative is to simply use this kind of range:
<syntaxhighlight lang="shell">
nmap 8.8.8.1-14
</syntaxhighlight>
You can even use wildcards to scan an entire class C range, for example:
<syntaxhighlight lang="shell">
nmap 8.8.8.*
</syntaxhighlight>
This will scan all 256 IP addresses from 8.8.8.0 to 8.8.8.255.

If you ever need to exclude certain IPs from the IP range scan, you can use the <code>--exclude</code> option, as you see below:
<syntaxhighlight lang="shell">
nmap 8.8.8.* --exclude 8.8.8.1
</syntaxhighlight>
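Sections 4 and 5 all rely on Nmap's target-specification grammar, and it is worth previewing exactly which hosts a spec covers before a scan touches them. The following Python script is an added example (not part of the original page and not Nmap's own code) that expands the same forms shown above: a plain address or hostname, a comma list within an octet, an octet range, a <code>*</code> wildcard, CIDR notation and an <code>--exclude</code> list; the function and variable names are the author's own choices.

```python
import ipaddress
from itertools import product


def _octet_values(field: str) -> list[int]:
    """Expand one dotted-quad field: '5', '*', '1-14', '-' (0-255) or '1,2,3'."""
    values: list[int] = []
    for part in field.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.extend(range(int(lo or 0), int(hi or 255) + 1))
        else:
            values.append(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet value out of range in {field!r}")
    return values


def expand_target(spec: str) -> list[str]:
    """Expand one Nmap-style target spec into the addresses it covers.

    Hostnames pass through unchanged (Nmap resolves them itself). A CIDR block
    expands to every address, network and broadcast included, just as Nmap
    does: 8.8.8.0/28 is 16 addresses, 8.8.8.0 through 8.8.8.15.
    """
    if "/" in spec:
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    if not all(ch.isdigit() or ch in ".,-*" for ch in spec):
        return [spec]  # hostname such as cloudflare.com
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dotted fields in {spec!r}")
    return [".".join(map(str, combo)) for combo in product(*map(_octet_values, fields))]


def expand_targets(specs, exclude=()) -> list[str]:
    """Expand several specs, honouring --exclude and dropping duplicates."""
    excluded = {ip for e in exclude for ip in expand_target(e)}
    seen: set[str] = set()
    result: list[str] = []
    for spec in specs:
        for ip in expand_target(spec):
            if ip not in excluded and ip not in seen:
                seen.add(ip)
                result.append(ip)
    return result


if __name__ == "__main__":
    # Preview the scope of `nmap 8.8.8.* --exclude 8.8.8.1` from section 5.
    hosts = expand_targets(["8.8.8.*"], exclude=["8.8.8.1"])
    print(len(hosts), "targets, first:", hosts[0], "last:", hosts[-1])
```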


===6. Scan the most popular ports===
Using the <code>--top-ports</code> parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:
<syntaxhighlight lang="shell">
nmap --top-ports 20 192.168.1.106
</syntaxhighlight>
Replace “20” with the desired number. Output example:
<syntaxhighlight lang="shell">
kangtain@kangtain-comp:~$ nmap --top-ports 20 192.168.100.91
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-19 21:51 WIB
Nmap scan report for srv20.domain.com (192.168.100.91)
Host is up (0.089s latency).

PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
110/tcp  filtered pop3
111/tcp  filtered rpcbind
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  filtered imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
993/tcp  filtered imaps
995/tcp  filtered pop3s
1723/tcp filtered pptp
3306/tcp filtered mysql
3389/tcp filtered ms-wbt-server
5900/tcp filtered vnc
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds
</syntaxhighlight>


===7. Scan hosts and IP addresses reading from a text file===
Nmap can also read the hosts and IPs to scan from a file.

Let’s suppose you create a list.txt file that contains these lines:
<syntaxhighlight lang="shell">
192.168.1.106
cloudflare.com
microsoft.com
securitytrails.com
</syntaxhighlight>
The <code>-iL</code> parameter lets you read from that file and scan all those hosts for you:
<syntaxhighlight lang="shell">
nmap -iL list.txt
</syntaxhighlight>


===8. Save your Nmap scan results to a file===
On the other hand, in the following example we will not be reading from a file, but exporting/saving our results into a text file:
<syntaxhighlight lang="shell">
nmap -oN output.txt securitytrails.com
</syntaxhighlight>
Nmap can also export results in XML format, which is the format to use when other tools need to process the scan; see the next example:
<syntaxhighlight lang="shell">
nmap -oX output.xml securitytrails.com
</syntaxhighlight>
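The point of <code>-oX</code> is that the result can be processed automatically, for example to compare what a host actually exposes against what it is supposed to expose. The following Python script is an added example (not part of the original page and not Nmap's own code): it parses the XML that <code>-oX</code> writes, keeps only ports in the <code>open</code> state, and reports any open port missing from a per-host allowlist. The embedded XML is a constructed sample in Nmap's output layout, modelled on the section 6 host, with port 3306 made open on purpose so the check has something to flag; the <code>product</code>/<code>version</code> attributes are what <code>-sV</code> (section 11) fills in.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout Nmap writes with -oX, trimmed to the
# elements used below (not real scan output).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.100.91" version="7.80">
<host>
  <status state="up" reason="syn-ack"/>
  <address addr="192.168.100.91" addrtype="ipv4"/>
  <hostnames><hostname name="srv20.domain.com" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="21"><state state="filtered" reason="no-response"/><service name="ftp"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx" version="1.18.0"/></port>
    <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
  </ports>
</host>
</nmaprun>
"""


def parse_open_ports(xml_text: str) -> dict[str, list[dict]]:
    """Map each up host's IPv4 address to its open ports (filtered/closed are skipped)."""
    report: dict[str, list[dict]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        entries = []
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue  # only open ports count as exposure
            entries.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        report[addr.get("addr")] = entries
    return report


def unexpected_ports(report, allowlist):
    """Return (ip, port, proto, service) for open ports absent from the per-host allowlist."""
    findings = []
    for ip, entries in report.items():
        allowed = allowlist.get(ip, set())  # set of (port, proto) tuples
        findings += [(ip, e["port"], e["proto"], e["service"]) for e in entries
                     if (e["port"], e["proto"]) not in allowed]
    return findings
```

Replace <code>SAMPLE_XML</code> with the contents of your own <code>output.xml</code> to run it against a real scan.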


===9. Disabling DNS name resolution===
If you need to speed up your scans a little bit, you can always choose to disable reverse DNS resolution for all your scans. Just add the <code>-n</code> parameter.
<syntaxhighlight lang="shell">
[root@securitytrails:~]nmap -p 80 -n 8.8.8.8
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
Nmap scan report for 8.8.8.8
Host is up (0.014s latency).
PORT   STATE    SERVICE
80/tcp filtered http
</syntaxhighlight>
See the difference with a normal scan that has DNS resolution enabled:
<syntaxhighlight lang="shell">
[root@securitytrails:~]nmap -p 80 8.8.8.8
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.014s latency).
PORT   STATE    SERVICE
80/tcp filtered http
</syntaxhighlight>


===10. Scan + OS and service detection with fast execution===
Using the <code>-A</code> parameter enables you to perform OS and service detection, and at the same time we combine it with <code>-T4</code> for faster execution. See the example below:
<syntaxhighlight lang="shell">
nmap -A -T4 cloudflare.com
</syntaxhighlight>


===11. Detect service/daemon versions===
This can be done by using the <code>-sV</code> parameter:
<syntaxhighlight lang="shell">
nmap -sV localhost
</syntaxhighlight>
As you can see here:
<syntaxhighlight lang="shell">
[root@securitytrails:~]nmap -sV localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:28 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000020s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT    STATE SERVICE         VERSION
111/tcp open  rpcbind         2-4 (RPC #100000)
631/tcp open  ipp             CUPS 2.2
902/tcp open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
</syntaxhighlight>


===12. Scan using TCP or UDP protocols===