A Quick Introduction to the Nmap tool
Ever been curious about the Nmap tool on Kali? Ever wanted to scan for ports and check if you’re vulnerable? Want to know which ports you’ve got open or closed? A quick and purely educational tutorial!

Glossary section:
Nmap: Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan.
Requirements:
Since this is a quick and superficial tutorial covering some of Nmap's basic features, all you'll need here is Nmap itself.
Kali Linux comes with Nmap pre-installed, but you can use whatever OS you require. If you use anything other than Kali, you’ll need to download it.
Download Link: https://nmap.org/download.html
The Intro:
First, we need to grab our IP address, so that we can use it in the network and nmap commands that follow.
To do so, write ip addr in the terminal.

So, 192.168.1.112 is our IP address, and 192.168.1.0/24 is our network.
Note: Everything here is for educational purposes, use at your own risk.
First feature: Discovering IP addresses in a network.
For our first feature, let’s discover every IP address in a network.
To do so, write sudo nmap -sP 192.168.1.0/24. Let me break this down for you: 192.168.1 is my network, and /24 is the number of mask bits, so the network address for this command ends up as 192.168.1.0/24. Change it according to your own IP address and mask bits; it'll be 192.168.XX.XX/XX.

This means that my network has 256 available IP addresses, but only 4 hosts are up on it. That checks out: my Kali VM has a different MAC address from my physical PC, so the four hosts are my phone, my physical Windows PC, my Kali VM and the hotspot's local IP.
Second feature: Discovering open ports in a specific machine.
To find out which ports are open on a specific machine, all you need to do is write sudo nmap -sT IPMachine.
So, for example, if I want to find out which ports are open on my Kali virtual machine, all I need to do is write sudo nmap -sT 192.168.1.112.

As Kali is a pentesting and forensics Linux distribution, it's pretty normal for all of its ports to be secured by default.
The following image shows an example of a machine with some open ports, namely the domain (DNS) and http/https ports.

Third feature — Looking for a specific port and finding out if it's open or closed.
This feature is really just a more specific lookup than the previous one.
For this one, just write sudo nmap -p PORTNUMBER TARGETIP. So, for example, if I want to check the http port of my .112 machine, I'd write sudo nmap -p 80 192.168.1.112.

So, as you can see, TCP port 80 (http) is closed on my 192.168.1.112 machine, which is my Kali.
Fourth feature — Finding out the OS of a specific machine.
From either an offensive or a defensive angle, it can be really useful to find out the OS of a specific machine, its version, and whether it's vulnerable (that's homework for later).
For this, let's find out the OS of my Windows machine (.107) by writing sudo nmap -O 192.168.1.107.

As you can see, too many fingerprints match for Nmap to identify its OS accurately. The same happens with my Kali virtual machine.
Fifth feature — Making an inventory of every machine in a network.
Now, let's say we want to make a quick inventory of every machine in a network, together with their ports and OS.
To do so, just run sudo nmap -sS -O -T3 -oA invent NETWORK/BITS; in my case, sudo nmap -sS -O -T3 -oA invent 192.168.1.0/24. The -oA invent part saves the results in all three of Nmap's output formats, as invent.nmap, invent.gnmap and invent.xml.

Of course, you can omit specific information by removing the corresponding parameter; for example, if you don't need the OS detection again, just drop -O.
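Once -oA invent has written invent.gnmap, the inventory can be pulled out of that file programmatically instead of reading the scan by eye. The following Python is an added example, not part of the original tutorial or of Nmap itself: it parses a constructed sample of grepable output (the hosts mirror this tutorial's network, but every line is made up) into a per-host table of status, open ports with service names, and OS guess.

```python
# Constructed sample of invent.gnmap; the addresses mirror the tutorial's network,
# but every line below is made up for this example, not real scan output.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Sat Jan  1 12:00:00 2022 as: nmap -sS -O -T3 -oA invent 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\tOS: Linux 3.2 - 4.9\tSeq Index: 258\tIP ID Seq: All zeros
Host: 192.168.1.107 ()\tStatus: Up
Host: 192.168.1.107 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 192.168.1.112 ()\tStatus: Up
Host: 192.168.1.112 ()\tPorts: 80/closed/tcp//http///\tIgnored State: closed (999)
# Nmap done at Sat Jan  1 12:01:00 2022 -- 256 IP addresses (3 hosts up) scanned in 60.12 seconds
"""


def parse_gnmap(text):
    """Return {ip: {"status": ..., "open": [(port, proto, service)], "os": ...}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' header and footer lines carry no host data
        fields = line.split("\t")  # gnmap separates its fields with tabs
        ip = fields[0].split()[1]  # "Host: 192.168.1.1 ()" -> "192.168.1.1"
        entry = hosts.setdefault(ip, {"status": None, "open": [], "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                # each port is written as port/state/protocol/owner/service/rpcinfo/version/
                for spec in value.split(", "):
                    parts = spec.split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        entry["open"].append((int(parts[0]), parts[2], parts[4]))
            elif key == "OS":
                entry["os"] = value
    return hosts


def inventory_rows(hosts):
    """One line per host, sorted by address: ip, status, open ports, OS guess."""
    rows = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        h = hosts[ip]
        ports = ", ".join(f"{p}/{proto} ({svc})" for p, proto, svc in h["open"]) or "no open ports"
        rows.append(f"{ip:<15} {h['status'] or '?':<4} {ports:<45} {h['os'] or 'OS unknown'}")
    return rows
```

To use it on a real scan, read invent.gnmap into a string and pass it to parse_gnmap; a host with closed-only ports, like the .112 machine above, still appears in the table with "no open ports".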
Sixth feature — Spoofing the MAC address of a machine in the network.
So let's say you want to hide the real physical address of a machine, known as its MAC address, by spoofing it.
Well, Nmap offers an option for that too, and it has several usages: we can randomise the spoofed MAC by passing 0, or we can choose a specific MAC address.
Either way, write sudo nmap -sn -PR --spoof-mac 0 TARGET; in my case, sudo nmap -sn -PR --spoof-mac 0 192.168.1.112.

Now, when we scan the network, our real MAC address won't show up.
Seventh feature — Scanning all the interfaces, routes and packets in a network.
If you need to find out all the interfaces in a network, as well as the routes and packets used, there's a simple command for that.
To do so, just run sudo nmap --iflist.

Ninth feature — Using IPv6 in commands.
You can also use IPv6 addresses in any nmap command, but you need to say so with -6 followed by the IPv6 address.
So, for example, if I want to scan my localhost address over IPv6, I'd do sudo nmap -6 ::1/128; you can of course insert any IPv6 address on your network or the target network instead.

Of course, Nmap has so many features that it's impossible to list them all in a short and quick guide. Either way, there is plenty of reference documentation online, as well as the built-in nmap -h command.