# Nmap

Nmap is a tool to scan a [[Network]]. It has a ton of options and many different ways to scan a network. Initially it was simply a [[Port]] scanner, which was later extended with an extensive set of features, for example: different scanning techniques, service, [[OS]] and version detection, [[Firewall]] and [[IDS]] evasion and much more. All of this can also be automated with [[nmap scripts]]. The [[syntax]] of Nmap might seem weird at first, but it's actually quite easy to understand. This is the basic structure that you will refer to all the time:

```
nmap [Scan Type...] [Options] {target specification}
```

## Host Discovery

This is one of the first steps done by nmap: when provided with a range of [[IP Address|IP addresses]] it will try to discover which of these [[IP Hosts]] in the [[IP]] [[Network]] are actually up, and it will continue scanning only the ones that respond to the [[Ping]] messages. This can be a problem if, for example, the [[Firewall]] is blocking all the pings sent by nmap. Here are a few options that might be useful:

#### -Pn

```
This will basically just skip host discovery and immediately begin port scanning. All IPs are assumed to be 'up'. This way you can scan IPs even if the Firewall blocks all Pings (or ICMP messages in general).
```

#### -sL

```
The list scan will simply display all the IPs in the provided IP range without sending them any packets. However, it will still perform reverse-DNS resolution to find out the names of the hosts. This is a very non-intrusive scan.
```

#### -sn

```
This will just do the host discovery without the port scanning. This is an easy way to see which hosts are up on the network.
```

## Port Scanning States

There are a few port scanning techniques that Nmap uses, which are explained later. All of them work differently, and some of them can find [[Port|ports]] that others can't. It's therefore possible that some scans will have different results than others.
Here are the port states that nmap recognizes:

| State            | Description                                                   |
| ---------------- | ------------------------------------------------------------- |
| open             | A port that accepts TCP, UDP or SCTP connections.             |
| closed           | A port that responds but has no application listening on it.  |
| filtered         | Packets to the port are being filtered by a firewall.         |
| unfiltered       | Accessible, but unsure if open or not. See ACK scan.          |
| open\|filtered   | The port gave no response. See scans that classify like that. |
| closed\|filtered | Unable to determine if closed or not. See IP ID idle scan.    |

- [[Nmap#Scanning Techniques|Scanning Techniques]]
- [[Nmap#IP ID Idle Scan|IP ID Idle Scan]]
- [[Nmap#ACK Scan|ACK Scan]]

## Scanning Techniques
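Before going through the individual techniques, here is an added example (written for this note, not Nmap's own code) of how Nmap derives the states in the table above from the reply to a single probe, following Nmap's documented rules for the SYN, ACK, UDP and NULL/FIN/Xmas scans. It goes slightly beyond the table by covering scan types explained later; the idle scan's closed|filtered state is left out, and the `scan_type` and `response` encodings are assumptions of this example.

```python
# Added example, not from this note: how Nmap turns the reply to one probe
# into the port states listed in the table. The rules follow Nmap's documented
# behaviour for SYN, ACK, UDP and NULL/FIN/Xmas scans; the idle scan's
# closed|filtered state depends on IP ID arithmetic and is not modelled.

# ICMP type 3 (destination unreachable) codes that Nmap reads as filtering.
ICMP_FILTERING_CODES = {1, 2, 3, 9, 10, 13}


def classify_port(scan_type, response):
    """Return the Nmap state for one probed port (assumed encoding).

    scan_type: "syn", "ack", "udp" or "null" (NULL/FIN/Xmas behave alike).
    response : None when nothing came back, otherwise a tuple:
               ("tcp", flags)        flags string such as "SA" or "RA"
               ("udp",)              any UDP payload returned
               ("icmp", 3, code)     ICMP destination unreachable
    """
    if response is None:
        # Probes that always draw a reply from a live port treat silence as
        # filtering; UDP and NULL/FIN/Xmas probes cannot tell silence from open.
        return "open|filtered" if scan_type in ("udp", "null") else "filtered"

    proto = response[0]
    if proto == "icmp":
        _, icmp_type, code = response
        if icmp_type != 3 or code not in ICMP_FILTERING_CODES:
            raise ValueError("ICMP message Nmap would not attribute to this probe")
        # Port unreachable (code 3) to a UDP probe is proof the port is closed;
        # every other unreachable code means a filter answered, not the host.
        return "closed" if scan_type == "udp" and code == 3 else "filtered"

    if proto == "udp":
        if scan_type != "udp":
            raise ValueError("UDP payload only makes sense for a UDP scan")
        return "open"

    flags = response[1]  # TCP reply
    if scan_type == "syn":
        # SYN/ACK means something listens; RST means nothing does.
        if flags == "SA":
            return "open"
        if "R" in flags:
            return "closed"
    elif scan_type == "ack" and "R" in flags:
        # ACK probes only test reachability: any RST is "unfiltered".
        return "unfiltered"
    elif scan_type == "null" and "R" in flags:
        return "closed"
    raise ValueError(f"unexpected TCP flags {flags!r} for {scan_type} scan")
```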