Nmap | What is scanning? Do Network, Port & Service Scanning!
Scanning is an active technique of information gathering, unlike footprinting, which is entirely passive. Scanning is performed right after footprinting; it is a post-reconnaissance, pre-attack step.
Scanning can be broadly divided into the following categories:
- Network Scanning
- Port Scanning
- Vulnerability Scanning
The main objectives of these scans are:
- Detecting live machines and devices on the network (Network Scanning)
- Detecting open ports and services on live machines and devices (Port Scanning)
- Finding security flaws which can be exploited later (Vulnerability Scanning)
In network scanning, we scan the whole network, or a certain range of IPs on it, to find live machines.
Many tools and techniques are available for this. Some tools only send ping requests, while others are highly customizable and let us send different kinds of packets/requests as needed.
In port scanning, we already know the IP addresses of the live machines. Now we scan these machines further to find open ports and the services running on them.
Many port-scanning tools are available, and most of them perform service scanning at the same time.
When we are done with network and port scanning, it’s time for vulnerability scanning.
In vulnerability scanning, we use automated or semi-automated tools to scan online systems and web applications for security flaws. We then concentrate on the critical flaws that can be exploited.
We'll learn vulnerability scanning in later tutorials; a few tutorials are dedicated only to vulnerability scanning and exploitation.
Setting-Up a Local Area Network (LAN)
Before you plan to scan any network, let me tell you – it's illegal. Scanning any network without prior permission from the network administrator and owner is a crime. Never scan a network that you don't own or have no prior permission for.
Most probably you already have a LAN at your house. If not, you can easily create one using any router or your smartphone. To create a LAN at home:
- Switch on the router and connect a few devices like a mobile, tablet, PC or laptop to it.
- Or switch on the hotspot on your mobile phone and connect a few devices to it.
Just for your information, I have these two inexpensive routers and using the same throughout this hacking course.
- Asus (3 in 1 – Router, Repeater and Bridge).
- D-Link 2750U (an ADSL router)
Nmap Commands for Network Scanning
So, with Kali already running, open the terminal and fire up the following nmap (network mapper) command:
nmap -sP 192.168.1.1/24
The above nmap command sends ICMP ping packets to all the IPs on the network. These ping packets are received by all the live machines in the IP address range 192.168.1.1 to 192.168.1.255.
The ping scan identifies live machines on the network by the replies it receives from them.
Please note that a ping scan is by nature very loud and less effective nowadays. Secure machines don't reply to ping requests. Moreover, it raises security flags in the IDS/IPS (intrusion detection/prevention system) running on the network; they catch you and ban your IP address and network access.
Therefore, we need to do it another way.
nmap -sS 192.168.1.1/24
The above command does a SYN scan. It provides better and more accurate results.
This command tries to initiate a connection with all the machines on the network using synchronization (SYN) requests. The live machines answer the SYN request with acknowledgement (SYN/ACK) packets. These SYN/ACK packets include basic information about the respective machine and also prove that it is live and running.
Nmap Commands to Elevate Scanning!
- You can use the -v option to show detailed (verbose) output. Example: nmap -v -sS 192.168.1.1/24
- You can use the -f option to fragment the packets, which sometimes helps in bypassing a firewall.
- When not in a hurry, use -T3 or -T2 for detailed and accurate scanning. E.g. nmap -T3 192.168.1.1/24
- You can also define the IP range in nmap commands as 192.168.1.*, 192.168.1.1-255 or 192.168.1.1/24. All are the same!
- Use the --exclude option to leave some IPs out of your scan. Example: nmap 192.168.1.1/24 --exclude 192.168.1.15
- For more options just type nmap in the terminal, or read the network mapper manual page with the command: man nmap
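The network scanning step above ends with Nmap output on the terminal, but in practice you want the list of live hosts as data you can feed into the port scanning step. The following script is an added example, not code from the tutorial: it wraps the host discovery scan in a function and parses Nmap's grepable output format (-oG) to print the IPs reported as Up. It assumes nmap is installed when discover_hosts is called; the sample scan output at the bottom is constructed by hand so that the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the original tutorial): run Nmap host discovery
# and turn its grepable output (-oG) into a plain list of live IPs.
# Assumes nmap is installed when discover_hosts is called; the sample
# output further down is constructed by hand so the parsing runs offline.

TAB=$(printf '\t')

# Host discovery only (no port scan). -sn is the current name for the
# older -sP switch used in the tutorial. $1 = target range, $2 = output file.
discover_hosts() {
    nmap -sn -oG "$2" "$1"
}

# Read grepable output on stdin and print one IP per line for every host
# whose Status field is "Up". Grepable lines are tab-separated fields:
#   Host: <ip> (<hostname>)<TAB>Status: Up
live_hosts() {
    awk -F "$TAB" '
        /^Host:/ && $2 ~ /^Status: Up/ {
            split($1, h, " ")   # h[1]="Host:", h[2]=<ip>, h[3]="(<hostname>)"
            print h[2]
        }'
}

# Number of live hosts, for a quick sanity check against Nmap's summary line.
live_count() {
    live_hosts | wc -l | tr -d ' '
}

# Constructed sample of what "nmap -sn -v -oG - 192.168.1.0/24" prints
# (three hosts; the Down line only appears because of -v).
sample_discovery() {
    printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
    printf 'Host: %s (%s)\tStatus: %s\n' 192.168.1.1  router.lan Up
    printf 'Host: %s (%s)\tStatus: %s\n' 192.168.1.15 ''         Up
    printf 'Host: %s (%s)\tStatus: %s\n' 192.168.1.23 ''         Down
    printf '%s\n' '# Nmap done -- 256 IP addresses (2 hosts up) scanned'
}

# Offline demonstration on the constructed sample:
sample_discovery | live_hosts
# On your own LAN, write the scan to a file first and parse that:
#   discover_hosts 192.168.1.0/24 hosts.gnmap && live_hosts < hosts.gnmap
```

One point worth knowing when you read the results: on a directly attached Ethernet or Wi-Fi segment Nmap discovers hosts with ARP requests rather than ICMP echo, so a machine that blocks ping is still listed as Up when it is on your own LAN; the "secure machines don't reply" caveat above applies mainly to hosts reached through a router.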
Nmap | How To Do Port Scanning and Service Scanning?
Now we are at the point where we have the IP addresses of the live machines, so we can target each IP individually and scan it further for open ports and the services it is running.
We'll obviously use Nmap (Network Mapper) for port scanning as well as service scanning.
NMAP Commands for Port Scanning
As usual, open the terminal and try the following nmap commands (don't forget to replace the IPs below with live IPs from your own network, obtained via network scanning):
- Scan a Single Host: nmap 192.168.1.101
- Scan multiple IP addresses: nmap 192.168.1.1 192.168.1.2 192.168.1.3 (be careful, there's a space between each IP)
- Scan while excluding a host (the excluded host is skipped during the scan): nmap 192.168.1.1/24 --exclude 192.168.1.100 (be careful, it's hyphen-hyphen-exclude)
- Fast scan of a network range: nmap -F 192.168.1.1/24 (be careful, it's a capital F)
- See the packets sent and received by Nmap: nmap --packet-trace 192.168.1.10
- Scan a particular port: nmap -p 22 192.168.1.10
- Scan multiple ports: nmap -p 80,22,21 192.168.1.1 (be careful, no spaces after the commas, otherwise nmap treats "22," as a target)
- Scan all ports of an IP address: nmap -p "*" 192.168.1.100
NMAP Commands for Service Scanning
Here are a few Nmap switches and commands that can be used to perform service scanning. They can be combined with the port scanning commands above:
- nmap -sV 192.168.1.1
- nmap -sU -sV 192.168.1.1
- nmap -T4 -F -sV 192.168.1.1
- nmap -O 192.168.1.1
- nmap -O --osscan-guess 192.168.1.1
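The port and service scanning commands above print what Nmap found, but the useful question on your own network is which of those open ports you did not expect. The following script is an added example, not code from the tutorial: it runs version detection (-sV) with grepable output, parses the Ports field into "ip port proto service version" lines, and compares the open ports against a list of services you expect on that host. It assumes nmap is installed when scan_services is called; the sample output and the expected-port list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): run Nmap version detection
# on one host, parse the grepable (-oG) Ports field, and flag open ports that
# are not on an expected-services list. Assumes nmap is installed when
# scan_services is called; the sample output below is constructed by hand.

TAB=$(printf '\t')

# Version detection (-sV) against one host, grepable output to a file.
# $1 = target IP, $2 = output file.
scan_services() {
    nmap -sV -oG "$2" "$1"
}

# Print "ip port proto service version" for every open port found in
# grepable output on stdin. Each entry in the Ports field has the layout
#   port/state/proto/owner/service/rpcinfo/version/
# and Nmap replaces any "/" inside a field with "|", so splitting on "/" is safe.
open_ports() {
    awk -F "$TAB" '
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open") print ip, f[1], f[3], f[5], f[7]
                }
            }
        }'
}

# Given an expected port list such as "22 80", print the open ports that are
# not on it; these are the findings an administrator wants to look at first.
unexpected_ports() {
    expected=" $1 "
    open_ports | while read -r ip port proto service version; do
        case "$expected" in
            *" $port "*) ;;                                  # expected, stay quiet
            *) echo "$ip $port/$proto $service $version" ;;
        esac
    done
}

# Constructed sample of "nmap -sV -oG - 192.168.1.10": sshd and Apache are
# expected on this host, a Squid proxy on 8080 is not.
sample_services() {
    printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
    printf 'Host: %s ()\tStatus: Up\n' 192.168.1.10
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (996)\n' 192.168.1.10 \
        '22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy//Squid http proxy 4.13/'
}

# Offline demonstration on the constructed sample:
sample_services | open_ports
echo "--- open ports not on the expected list (22 80):"
sample_services | unexpected_ports "22 80"
# Against a real host, write the scan to a file first:
#   scan_services 192.168.1.10 svc.gnmap && unexpected_ports "22 80" < svc.gnmap
```

The version string is what -sV adds over a plain port scan; keeping it in the output is what lets you later check the reported software versions against vendor advisories, which is where the vulnerability scanning step picks up.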