11 Different Types of Nmap Scanning
1. The basic Nmap scan against a host or IP:
a. nmap 184.108.40.206
Now, if you want to scan a hostname, simply replace the IP for the host, as you see below:
b. nmap cloudflare.com
These kinds of basic scans are perfect for your first steps when starting with Nmap.
2. Scan multiple IP addresses:
Let’s try to scan multiple IP addresses. For this you need to use this syntax:
a. nmap 220.127.116.11 18.104.22.168
You can also scan consecutive IP addresses by listing the last octets, separated by commas (no "-p", which would be read as a port specification):
b. nmap 22.214.171.124,2,3,4
This will scan 126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11.
3. Scan the most common ports:
Using the "--top-ports" parameter along with a number lets you scan the top X most common ports on that host, as we can see:
nmap --top-ports 20 192.168.1.106
4. Scan hosts and IP addresses reading from a text file:
Nmap can also read the hosts and IPs to scan from a file.
Let’s suppose you create a list.txt file that contains these lines inside:
The "-iL" parameter lets you read from that file and scan all those hosts for you:
a. nmap -iL list.txt
5. Save your Nmap scan results to a file:
In the following example we are not reading from a file but saving our results to a text file ("normal" output format):
a. nmap -oN output.txt securitytrails.com
Nmap has the ability to export files into XML format as well, see the next example:
b. nmap -oX output.xml securitytrails.com
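As an added example, not part of the original article: the XML produced by "-oX" is the format to use when you want to process results in a script. The Python below parses a constructed, trimmed `nmaprun` document (not real scan output) and flags open ports that are not in an assumed per-host baseline, a simple check for services that should not be exposed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the structure written by `nmap -oX`, trimmed to the
# elements this parser reads; not a real scan result.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.1.106" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return a list of (address, protocol, port, service) for every open port on every host that is up."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports matter for the exposure check
            svc = port.find("service")
            service = svc.get("name") if svc is not None else ""
            results.append((addr, port.get("protocol"), int(port.get("portid")), service))
    return results


def unexpected_ports(open_ports, allowlist):
    """Flag open ports missing from the assumed baseline {address: {(protocol, port), ...}}."""
    return [e for e in open_ports if (e[1], e[2]) not in allowlist.get(e[0], set())]


if __name__ == "__main__":
    baseline = {"192.168.1.106": {("tcp", 22), ("tcp", 80)}}  # assumed allowlist
    for addr, proto, port, svc in unexpected_ports(parse_open_ports(SAMPLE_XML), baseline):
        print(f"unexpected open port on {addr}: {port}/{proto} ({svc})")
```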
6. Scan + OS and service detection with fast execution:
Using the "-A" parameter enables OS and service detection; here we combine it with "-T4" for faster execution. See the example below:
a. nmap -A -T4 cloudflare.com
7. Scan using TCP and UDP Protocols:
One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services. Let’s see some examples.
Standard TCP scanning output:
a. nmap -sT 192.168.1.1
UDP scanning results using the "-sU" parameter:
b. nmap -sU localhost
8. Vulnerability detection using different types of Nmap scan:
One of Nmap's greatest features, which not all network and systems administrators know about, is the "Nmap Scripting Engine" (NSE). This scripting engine lets users run a pre-defined set of scripts, or write their own in the Lua programming language.
Using NSE is crucial for automating system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters:
a. nmap -Pn --script vuln 192.168.1.105
9. Launching DOS with Nmap:
Nmap's features never seem to end: thanks to the NSE, it can even launch DoS attacks during our network tests.
In the previous example, we found the host was vulnerable to the Slowloris attack, and now we'll try to exploit that vulnerability by launching a DoS attack in a forever loop:
10. Launching brute force attacks:
NSE is really fascinating: it contains scripts for everything you can imagine. See the next three examples of brute force attacks (BFA) against WordPress, MS-SQL, and an FTP server:
a. WordPress brute force attack:
i. nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105
b. Brute force attack against MS-SQL:
c. FTP brute force attack:
i. nmap --script ftp-brute -p 21 192.168.1.105
11. Detecting malware infection in remote hosts:
Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services such as Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP. It also has a module to check for common malware signs on remote servers, and it integrates Google's Safe Browsing and VirusTotal databases as well.
a. A common malware scan can be performed by using:
i. nmap -sV --script=http-malware-host 192.168.1.105
b. Or using Google’s Malware check:
i. nmap -p80 --script http-google-malware infectedsite.com
c. Output example:
i. 80/tcp open http
|_http-google-malware.nse: The host is known for distributing malware.
Nmap is one of the most complete and accurate port scanners used by infosec professionals today. With it, you can perform simple port scan tasks or use its powerful scripting engine to launch DoS attacks, detect malware, or run brute force tests on remote and local servers.