Nmap:Penggunaan: Difference between revisions

Revision as of 16:51, 8 November 2021

Let’s get to know a few useful command-line based best Nmap scans that can be performed.

1. Basic Nmap Scan against IP or host

Template:Terminal

Now, if you want to scan a hostname, simply replace the IP for the host, as you see below:

Template:Terminal

This kind of scans, such as the Nmap scan host are perfect for your first steps when starting with Nmap.

2. Nmap Ping Scan

Template:Terminal

The most famous type of scan is the Nmap ping scan (so-called because it’s often used to perform Nmap ping sweeps), and it’s the easiest way to detect hosts on any network.

The drawback of this ICMP-only type of scan is that remote hosts often block IP-based ping packets, so if you’re unable to get solid results, we recommend switching to ARP-based requests for your scan.

3. Scan specific ports or scan entire port ranges on a local or remote server

Template:Terminal

In this example, we scanned all 65535 ports for our localhost computer.

Nmap is able to scan all possible ports, but you can also scan specific ports, which will report faster results. See below:

Template:Terminal

4. Scan multiple IP addresses

Let’s try to scan multiple IP addresses. For this you need to use this syntax:

Template:Terminal

You can also scan consecutive IP addresses:

Template:Terminal

This will scan 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4.

5. Scan IP ranges

You can also use Nmap to scan entire CIDR IP ranges, for example:

Template:Terminal

This will scan 14 consecutive IP ranges, from 8.8.8.1 to 8.8.8.14.

An alternative is to simply use this kind of range:

Template:Terminal

You can even use wildcards to scan the entire C class IP range, for example:

Template:Terminal

This will scan 256 IP addresses from 8.8.8.1 to 8.8.8.256.

If you ever need to exclude certain IPs from the IP range scan, you can use the “–exclude” option, as you see below:

Template:Terminal

6. Scan the most popular ports

Using “–top-ports” parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:

Template:Terminal

Replace “20” with the desired number. Output example:

Template:Example
[root@securitytrails:~]nmap --top-ports 20 localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2018-10-01 10:02 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE    SERVICE
21/tcp   closed   ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
25/tcp   closed   smtp
53/tcp   closed   domain
80/tcp   filtered http
110/tcp  closed   pop3
111/tcp  closed   rpcbind
135/tcp  closed   msrpc
139/tcp  closed   netbios-ssn
143/tcp  closed   imap
443/tcp  filtered https
445/tcp  closed   microsoft-ds
993/tcp  closed   imaps
995/tcp  closed   pop3s
1723/tcp closed   pptp
3306/tcp closed   mysql
3389/tcp closed   ms-wbt-server
5900/tcp closed   vnc
8080/tcp closed   http-proxy

7. Scan hosts and IP addresses reading from a text file

In this case, Nmap is also useful to read files that contain hosts and IPs inside.

Let’s suppose you create a list.txt file that contains these lines inside:

Template:Example
192.168.1.106
cloudflare.com
microsoft.com
securitytrails.com

The “-iL” parameter lets you read from that file, and scan all those hosts for you:

Template:Terminal

8. Save your Nmap scan results to a file

On the other hand, in the following example we will not be reading from a file, but exporting/saving our results into a text file:

Template:Terminal

Nmap has the ability to export files into XML format as well, see the next example:

Template:Terminal

9. Disabling DNS name resolution

If you need to speed up your scans a little bit, you can always choose to disable reverse DNS resolution for all your scans. Just add the “-n” parameter.

Template:Example
[root@securitytrails:~]nmap -p 80 -n 8.8.8.8
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
Nmap scan report for 8.8.8.8
Host is up (0.014s latency).
PORT   STATE    SERVICE
80/tcp filtered http

See the difference with a normal DNS-resolution enabled scan:

Template:Example
[root@securitytrails:~]nmap -p 80 8.8.8.8
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.014s latency).
PORT   STATE    SERVICE
80/tcp filtered http

10. Scan + OS and service detection with fast execution

Using the “-A” parameter enables you to perform OS and service detection, and at the same time we are combining this with “-T4” for faster execution. See the example below:

Template:Terminal

11. Detect service/daemon versions

This can be done by using -sV parameters

Template:Terminal

As you can see here:

Template:Example
[root@securitytrails:~]nmap -sV localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:28 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000020s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
631/tcp open ipp CUPS 2.2
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds

12. Scan using TCP or UDP protocols

One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services. Let’s see some examples.

Standard TCP scanning output:

Template:Example
[root@securitytrails:~]nmap -sT 192.168.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:33 -03
Nmap scan report for 192.168.1.1
Host is up (0.58s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
20005/tcp open btx
49152/tcp open unknown
49153/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

UDP scanning results using “-sU” parameter:

Template:Example
[root@securitytrails:~]nmap -sU localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000021s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
111/udp open rpcbind
5353/udp open|filtered zeroconf

13. CVE detection using Nmap

One of Nmap’s greatest features that not all the network and systems administrators know about is something called “Nmap Scripting Engine” (known as NSE). This scripting engine allows users to use a pre-defined set of scripts, or write their own using Lua programming language.

Using Nmap scripts is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters:

Template:Terminal

Output example:

Template:Example
[root@securitytrails:~]nmap -Pn --script vuln 192.168.1.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.105
Host is up (0.00032s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
1900/tcp open upnp
20005/tcp open btx
49152/tcp open unknown
49153/tcp open unknown

As you can see, in this vulnerability test we were able to detect one CVE (Slowloris DOS attack).

14. Launching DOS with Nmap

Nmap features never seem to end, and thanks to the NSE, that even allows us to launch DOS attacks against our network testings.

In our previous example (#12) we found the host was vulnerable to Slowloris attack, and now we’ll try to exploit that vulnerability by launching a DOS attack in a forever loop:

Template:Terminal

15. Launching brute force attacks

NSE is really fascinating – it contains scripts for everything you can imagine. See the next three examples of BFA against WordPress, MSSQL, and FTP server:

WordPress brute force attack:

Template:Terminal

Brute force attack against MS-SQL:

Template:Terminal

FTP brute force attack:

Template:Terminal

16. Detecting malware infections on remote hosts

Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services like on Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP. It also has a module to check for popular malware signs inside remote servers and integrates Google’s Safe Browsing and VirusTotal databases as well.

A common malware scan can be performed by using:

Template:Terminal

Or using Google’s Malware check:

Template:Terminal

Template:Example
80/tcp open  http
|_http-google-malware.nse: Host is known for distributing malware.

Nmap is one of the most complete and accurate port scanners used by infosec professionals today. With it, you can perform simple port scan tasks or use its powerful scripting engine to launch DOS attacks, detect malware or brute force testings on remote and local servers.

Today we covered the top fifteen Nmap commands to scan remote hosts, but there’s a lot more to discover if you’re starting to use Nmap in your OSINT strategy.

Note:

The articles, tutorial and demo provided on Hackers Terminal is for informational and educational purpose only, and for those who’re willing and curious to know and learn about Ethical Hacking, Security and Penetration Testing. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking.

Terkait

Nmap

Source

securitytrails.com

@@ Line 4: / Line 4: @@
 ===1. Basic Nmap Scan against IP or host===
-  nmap 1.1.1.1
+  {{Terminal|nmap 1.1.1.1}}
 Now, if you want to scan a hostname, simply replace the IP for the host, as you see below:
-  nmap cloudflare.com
+  {{Terminal|nmap cloudflare.com}}
 This kind of scans, such as the Nmap scan host are perfect for your first steps when starting with Nmap.
 ===2. Nmap Ping Scan===
-  nmap -sp 192.168.5.0/24
+  {{Terminal|nmap -sp 192.168.5.0/24}}
 The most famous type of scan is the Nmap ping scan (so-called because it’s often used to perform Nmap ping sweeps), and it’s the easiest way to detect hosts on any network.
@@ Line 19: / Line 19: @@
 ===3. Scan specific ports or scan entire port ranges on a local or remote server===
-  nmap -p 1-65535 localhost
+  {{Terminal|nmap -p 1-65535 localhost}}
 In this example, we scanned all 65535 ports for our localhost computer.
 Nmap is able to scan all possible ports, but you can also scan specific ports, which will report faster results. See below:
-  nmap -p 80,443 8.8.8.8
+  {{Terminal|nmap -p 80,443 8.8.8.8}}
 ===4. Scan multiple IP addresses===
 Let’s try to scan multiple IP addresses. For this you need to use this syntax:
-  nmap 1.1.1.1 8.8.8.8
+  {{Terminal|nmap 1.1.1.1 8.8.8.8}}
 You can also scan consecutive IP addresses:
-  nmap 1.1.1.1,2,3,4
+  {{Terminal|nmap 1.1.1.1,2,3,4}}
 This will scan 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4.
@@ Line 37: / Line 37: @@
 ===5. Scan IP ranges===
 You can also use Nmap to scan entire CIDR IP ranges, for example:
-  nmap 8.8.8.0/28
+  {{Terminal|nmap 8.8.8.0/28}}
 This will scan 14 consecutive IP ranges, from 8.8.8.1 to 8.8.8.14.
 An alternative is to simply use this kind of range:
-  nmap 8.8.8.1-14
+  {{Terminal|nmap 8.8.8.1-14}}
 You can even use wildcards to scan the entire C class IP range, for example:
-  nmap 8.8.8.*
+  {{Terminal|nmap 8.8.8.*}}
 This will scan 256 IP addresses from 8.8.8.1 to 8.8.8.256.
 If you ever need to exclude certain IPs from the IP range scan, you can use the “–exclude” option, as you see below:
-  nmap -p 8.8.8.* --exclude 8.8.8.1
+  {{Terminal|nmap -p 8.8.8.* --exclude 8.8.8.1}}
 ===6. Scan the most popular ports===
 Using “<code>–top-ports</code>” parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:
-  nmap --top-ports 20 192.168.1.106
+  {{Terminal|nmap --top-ports 20 192.168.1.106}}
 Replace “20” with the desired number. Output example:
+ {{Example|Output Terminal}}
   [root@securitytrails:~]nmap --top-ports 20 localhost
   Starting Nmap 6.40 ( http://nmap.org ) at 2018-10-01 10:02 EDT
@@ Line 89: / Line 90: @@
 Let’s suppose you create a list.txt file that contains these lines inside:
+ {{Example|File .txt}}
 .168.1.106
   cloudflare.com
@@ Line 95: / Line 98: @@
 The “-<code>iL</code>” parameter lets you read from that file, and scan all those hosts for you:
-  nmap -iL list.txt
+  {{Terminal|nmap -iL list.txt}}
 ===8. Save your Nmap scan results to a file===
 On the other hand, in the following example we will not be reading from a file, but exporting/saving our results into a text file:
-  nmap -oN output.txt securitytrails.com
+  {{Terminal|nmap -oN output.txt securitytrails.com}}
 Nmap has the ability to export files into XML format as well, see the next example:
-  nmap -oX output.xml securitytrails.com
+  {{Terminal|nmap -oX output.xml securitytrails.com}}
 ===9. Disabling DNS name resolution===
 If you need to speed up your scans a little bit, you can always choose to disable reverse DNS resolution for all your scans. Just add the “-n” parameter.
+ {{Example|Output Terminal}}
   [root@securitytrails:~]nmap -p 80 -n 8.8.8.8
   Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
@@ Line 116: / Line 120: @@
 See the difference with a normal DNS-resolution enabled scan:
+ {{Example|Output Terminal}}
   [root@securitytrails:~]nmap -p 80 8.8.8.8
   Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
@@ Line 125: / Line 130: @@
 ===10. Scan + OS and service detection with fast execution===
 Using the “<code>-A</code>” parameter enables you to perform OS and service detection, and at the same time we are combining this with “<code>-T4</code>” for faster execution. See the example below:
-  nmap -A -T4 cloudflare.com
+  {{Terminal|nmap -A -T4 cloudflare.com}}
 ===11. Detect service/daemon versions===
 This can be done by using <code>-sV</code> parameters
-  nmap -sV localhost
+  {{Terminal|nmap -sV localhost}}
 As you can see here:
+ {{Example|Output Terminal}}
   [root@securitytrails:~]nmap -sV localhost
   Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:28 -03
@@ Line 150: / Line 157: @@
 Standard TCP scanning output:
+ {{Example|Output Terminal}}
   [root@securitytrails:~]nmap -sT 192.168.1.1
   Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:33 -03
@@ Line 164: / Line 173: @@
 UDP scanning results using “<code>-sU</code>” parameter:
+ {{Example|Output Terminal}}
   [root@securitytrails:~]nmap -sU localhost
   Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03
@@ Line 179: / Line 190: @@
 Using Nmap scripts is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters:
-  nmap -Pn --script vuln 192.168.1.105
+  {{Terminal|nmap -Pn --script vuln 192.168.1.105}}
 Output example:
+ {{Example|Output Terminal}}
   [root@securitytrails:~]nmap -Pn --script vuln 192.168.1.105
   Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03
@@ Line 224: / Line 237: @@
 In our previous example (#12) we found the host was vulnerable to Slowloris attack, and now we’ll try to exploit that vulnerability by launching a DOS attack in a forever loop:
-  nmap 192.168.1.105 -max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
+  {{Terminal|<nowiki>nmap 192.168.1.105 -max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true</nowiki>}}
 ===15. Launching brute force attacks===
@@ Line 230: / Line 243: @@
 WordPress brute force attack:
-  nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105
+  {{Terminal|<nowiki>nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105</nowiki>}}
 Brute force attack against MS-SQL:
-  nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105
+  {{Terminal|<nowiki>nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105</nowiki>}}
 FTP brute force attack:
-  nmap --script ftp-brute -p 21 192.168.1.105
+  {{Terminal|nmap --script ftp-brute -p 21 192.168.1.105}}
 ===16. Detecting malware infections on remote hosts===
@@ Line 242: / Line 255: @@
 A common malware scan can be performed by using:
-  nmap -sV --script=http-malware-host 192.168.1.105
+  {{Terminal|<nowiki>nmap -sV --script=http-malware-host 192.168.1.105</nowiki>}}
 Or using Google’s Malware check:
-  nmap -p80 --script http-google-malware infectedsite.com
+  {{Terminal|nmap -p80 --script http-google-malware infectedsite.com}}
-Output example:
+ {{Example|Output Terminal}}
 /tcp open  http
   |_http-google-malware.nse: Host is known for distributing malware.
@@ Line 255: / Line 268: @@
 Today we covered the top fifteen Nmap commands to scan remote hosts, but there’s a lot more to discover if you’re starting to use Nmap in your OSINT strategy.
-<blockquote>
+{{Note|The articles, tutorial and demo provided on Hackers Terminal is for informational and educational purpose only, and for those who’re willing and curious to know and learn about Ethical Hacking, Security and Penetration Testing. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking.}}
-The articles, tutorial and demo provided on Hackers Terminal is for informational and educational purpose only, and for those who’re willing and curious to know and learn about Ethical Hacking, Security and Penetration Testing. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking.
-</blockquote>
 ==Terkait==