Nmap is a popular port scanning tool. It can also be used to discover hosts, identify the operating system and the services running on the ports, and do many other things.
A simple scan is as follows:
nmap (target address)
This will show us the ports, their state (open/closed) and the services running on them.
- Open ports: an application on the target host is accepting TCP connections on that port.
- Closed ports: no application on the target host is listening on that port.
- Filtered ports: nmap cannot determine whether the port is open or closed. This is usually because a firewall rule on the target host blocks the probe packets.
-sS : This is a SYN scan. The attacker sends a SYN and the remote host responds with a SYN+ACK. A half-open connection is made, which is then broken because of the timeout.
-sT : This is a Connect scan. The attacker sends a SYN, the remote host responds with a SYN+ACK, and the attacker then sends the ACK, completing a three-way handshake. Finally the connection is broken.
-sA : This is an ACK scan. This type of scan cannot determine whether a port is open or closed, but it is useful for determining whether there is a firewall at the other end: it will show us whether the port is filtered or unfiltered.
-sV : This is a service scan. It lists the services running on the target.
These scans are used as follows:
nmap (-sS/-sT/-sA/-sV) (target address)
These are some of the main techniques.
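The handshake patterns described above are also what a defender sees on the wire. The following is an added example (not part of the original post) that replays a constructed per-port packet trace and infers, from the target's replies, what state the scanner learned for each port and which scan type the pattern resembles. The trace format and the port numbers are invented for the example.

```python
# Added example: infer port state and scan type from a constructed packet trace.
# Flags follow the page's description: S = SYN, SA = SYN+ACK, A = ACK, R = RST
# (a closed port answers a SYN with RST; no answer at all means filtered).
from collections import defaultdict

# Constructed trace: (direction, port, flags). "in" = scanner -> target, "out" = target -> scanner.
SAMPLE_TRACE = [
    ("in", 22, "S"), ("out", 22, "SA"), ("in", 22, "R"),                  # half-open: SYN scan
    ("in", 80, "S"), ("out", 80, "SA"), ("in", 80, "A"), ("in", 80, "R"), # full handshake: connect scan
    ("in", 443, "S"), ("out", 443, "R"),                                   # closed port
    ("in", 3389, "S"),                                                     # no reply: filtered
    ("in", 25, "A"), ("out", 25, "R"),                                     # ACK probe answered: unfiltered
    ("in", 8080, "A"),                                                     # ACK probe dropped: filtered
]

def port_state(packets):
    """What the scanner concludes about one port, judged from the target's replies."""
    probes = [f for d, f in packets if d == "in"]
    replies = [f for d, f in packets if d == "out"]
    if probes and probes[0] == "A":            # ACK scan only distinguishes filtered/unfiltered
        return "unfiltered" if "R" in replies else "filtered"
    if "SA" in replies:
        return "open"
    if "R" in replies:
        return "closed"
    return "filtered"

def scan_type(packets):
    """Guess the technique from how far the scanner took the handshake."""
    probes = [f for d, f in packets if d == "in"]
    replies = [f for d, f in packets if d == "out"]
    if probes and probes[0] == "A":
        return "ACK scan (-sA)"
    if "SA" not in replies:
        return "SYN probe, no handshake reached"
    return "Connect scan (-sT)" if "A" in probes else "SYN scan (-sS, half-open)"

def analyze(trace):
    """Group the trace by port and return {port: (state, scan_type)}."""
    by_port = defaultdict(list)
    for direction, port, flags in trace:
        by_port[port].append((direction, flags))
    return {p: (port_state(pk), scan_type(pk)) for p, pk in by_port.items()}

if __name__ == "__main__":
    for port, (state, kind) in sorted(analyze(SAMPLE_TRACE).items()):
        print(f"{port:>5}/tcp  {state:<10}  {kind}")
```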
In this method of scanning, we won't leave any fingerprints on the target machine. We use a zombie host to send the packets. A zombie host is usually a machine that has already been compromised and is used to stand in for the attacker.
The command is as follows in nmap:
nmap -Pn -sI (zombie address) (target address)
-Pn is used here so that we don't ping the target.
-sI selects an idle scan. An idle scan sends spoofed packets to the target (the same idea as stealth scanning).
Here the zombie communicates with the target, not the actual attacker. When the zombie sends packets, the target replies to the zombie. The attacker only observes, and in this way leaves no traces.
Operating system detection:
nmap -O (target address)
We can exploit the OS according to the vulnerabilities that exist in it.