
Live hosts detection using Nmap

Finding out which hosts are alive on a network is the first step of every penetration test, and Nmap, which ships with Kali Linux, is the standard tool for it. This page walks through the Nmap target and scan options used for that job.

Nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

Scan a Single Target

root#nmap 192.168.43.221

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-14 00:32 IST

Nmap scan report for portal177.standmirror.me (192.168.43.221)

Host is up (0.54s latency).

Not shown: 988 closed ports

PORT     STATE    SERVICE

17/tcp   filtered qotd

19/tcp   filtered chargen

22/tcp   open     ssh

25/tcp   filtered smtp

80/tcp   open     http

135/tcp  filtered msrpc

139/tcp  filtered netbios-ssn

2525/tcp open     ms-v-worlds

6666/tcp filtered irc

6667/tcp filtered irc

6668/tcp filtered irc

6669/tcp filtered irc

Nmap done: 1 IP address (1 host up) scanned in 16.81 seconds

 

Scan Multiple Targets

Nmap can be used to scan multiple hosts at the same time. The easiest way to do this is to string together the target IP addresses or host names on the command line (separated by a space).

root#nmap 192.168.1.10 192.168.10.100 192.168.43.221

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-14 00:37 IST

Nmap scan report for portal177.standmirror.me (192.168.1.10)

Host is up (0.38s latency).

Not shown: 988 closed ports

PORT     STATE    SERVICE

17/tcp   filtered qotd

19/tcp   filtered chargen

22/tcp   open     ssh

25/tcp   filtered smtp

80/tcp   open     http

135/tcp  filtered msrpc

139/tcp  filtered netbios-ssn

2525/tcp open     ms-v-worlds

6666/tcp filtered irc

6667/tcp filtered irc

6668/tcp filtered irc

6669/tcp filtered irc

 

Nmap scan report for lyles.prismpbx.com (192.168.10.100)

Host is up (0.39s latency).

Not shown: 990 closed ports

PORT     STATE    SERVICE

22/tcp   filtered ssh

23/tcp   filtered telnet

25/tcp   filtered smtp

80/tcp   open     http

111/tcp  filtered rpcbind

443/tcp  open     https

3306/tcp filtered mysql

3389/tcp filtered ms-wbt-server

4445/tcp open     upnotifyp

9099/tcp open     unknown

 

Nmap scan report for 192-227-239-172-host.colocrossing.com (192.168.43.221)

Host is up (0.30s latency).

Not shown: 981 filtered ports

PORT      STATE  SERVICE

20/tcp    closed ftp-data

21/tcp    closed ftp

22/tcp    closed ssh

53/tcp    closed domain

80/tcp    open   http

110/tcp   open   pop3

143/tcp   open   imap

443/tcp   open   https

587/tcp   open   submission

993/tcp   open   imaps

995/tcp   open   pop3s

2222/tcp  closed EtherNetIP-1

3306/tcp  open   mysql

10000/tcp open   snet-sensor-mgmt

10001/tcp closed scp-config

10002/tcp closed documentum

10003/tcp closed documentum_s

10004/tcp closed emcrmirccd

20000/tcp open   dnp

Nmap done: 3 IP addresses (3 hosts up) scanned in 73.51 seconds

 

Scan a Range of IP Addresses

Nmap accepts a range of addresses directly in the target specification (a range may be given in any octet). This scans 192.168.10.1 through 192.168.10.100:

root#nmap 192.168.10.1-100

 

Scan an Entire Subnet

Nmap can be used to scan an entire subnet using CIDR notation. /24 covers all 256 addresses from 192.168.10.0 to 192.168.10.255, including the network and broadcast addresses, whatever host part is written before the slash.

root#nmap 192.168.10.1/24
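When a range or subnet is the target, the useful product of the scan is a list of live hosts (Nmap's host-discovery-only mode is -sn) and, from a follow-up scan, the open ports on each of them. Nmap's greppable output (-oG) is the easiest format to post-process for that. The script below is an added example and is not code from the original post; the two scan results it parses are constructed samples in -oG format, and the hostnames in them are made up.

```sh
#!/bin/sh
# Added example, not code from the original post: turn Nmap's greppable output
# (-oG) into a clean list of live hosts and of open ports, the two things a
# subnet sweep is run for. Against a real network the pipelines would be:
#   nmap -sn -oG - 192.168.10.0/24 | live_hosts > live.txt     # host discovery only
#   nmap -iL live.txt -oG - | open_ports                       # port-scan the survivors
# The two results below are constructed samples in -oG format (fields are
# tab-separated, hence the \t in printf); the hostnames are made up.

SAMPLE_SWEEP=$(printf 'Host: 192.168.10.1 (gw.lab)\tStatus: Up\nHost: 192.168.10.2 ()\tStatus: Up\nHost: 192.168.10.3 ()\tStatus: Down\nHost: 192.168.10.5 (dev05.lab)\tStatus: Up\n# Nmap done -- 8 IP addresses (3 hosts up) scanned in 2.10 seconds\n')

SAMPLE_SCAN=$(printf 'Host: 192.168.43.221 ()\tStatus: Up\nHost: 192.168.43.221 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 2525/open/tcp//ms-v-worlds///\tIgnored State: closed (996)\n')

# live_hosts: read -oG text on stdin, print one IP per line for every host
# Nmap marked "Status: Up". Comment lines ("# Nmap ...") never start with "Host:".
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# live_host_count: number of live hosts, for comparing with Nmap's own
# "(N hosts up)" summary line.
live_host_count() {
    live_hosts | wc -l | tr -d ' '
}

# open_ports: read -oG text on stdin, print "ip port/proto service" for each
# port in state "open". Each entry in the Ports: field is
# port/state/proto/owner/service/rpc-info/version, entries separated by ", ".
# Filtered and closed entries are dropped, so the output is what to feed -sV.
open_ports() {
    awk -F'\t' '/^Host:/ && /Ports:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            sub(/^Ports: /, "", $i)
            n = split($i, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
            }
        }
    }'
}

# Run on the constructed samples.
printf '%s\n' "$SAMPLE_SWEEP" | live_hosts
printf '%s\n' "$SAMPLE_SCAN" | open_ports
```

Splitting discovery from port scanning this way keeps the second, slower scan to hosts that actually answered, and the open-port list is what a later -sV or -O run should be pointed at.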

Perform an Aggressive Scan

The -A parameter instructs Nmap to perform an aggressive scan: it turns on OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) in one go. It is the noisiest option on this page and easily spotted by an IDS, so use it on targets you are allowed to hit hard.

root#nmap -A 192.168.43.221

Don’t Ping

By default Nmap port-scans only the hosts that answer its host-discovery probes (for a root user: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request). A host behind a firewall that drops all of those is reported as down and never scanned. -Pn skips discovery and treats every target as up, so the port scan runs anyway; the cost is that every address in a range gets scanned, empty ones included, so avoid it on large subnets unless you have to.

root#nmap -Pn 192.168.43.221

-PN, seen in older write-ups, is the previous spelling of the same option and is still accepted.

Traceroute

The --traceroute option traces the network path to the target. Nmap runs it after the port scan and, unlike the traceroute command, chooses the probe from the scan results (here TCP to port 80, as the "using port 80/tcp" line in the output shows) so the probes pass the same filters the scan did.

root#nmap --traceroute www.demotest.com

 

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-14 00:42 IST

Nmap scan report for 192-168-43-221-host.colocrossing.com (192.168.43.221)

Host is up (0.23s latency).

Not shown: 981 filtered ports

PORT      STATE  SERVICE

20/tcp    closed ftp-data

21/tcp    closed ftp

22/tcp    closed ssh

53/tcp    closed domain

80/tcp    open   http

110/tcp   open   pop3

143/tcp   open   imap

443/tcp   open   https

587/tcp   open   submission

993/tcp   open   imaps

995/tcp   open   pop3s

2222/tcp  closed EtherNetIP-1

3306/tcp  open   mysql

10000/tcp open   snet-sensor-mgmt

10001/tcp closed scp-config

10002/tcp closed documentum

10003/tcp closed documentum_s

10004/tcp closed emcrmirccd

20000/tcp open   dnp

 

TRACEROUTE (using port 80/tcp)

HOP RTT      ADDRESS

1   2.45 ms  192.168.43.1

2   …

3   58.28 ms 10.72.46.2

4   81.14 ms 172.26.55.138

5   58.60 ms 172.26.55.94

6   58.15 ms 192-168-43-221-host.demotest.com (192.168.43.221)

Nmap done: 1 IP address (1 host up) scanned in 21.17 seconds

 


Perform a Fast Scan

The -F (fast) option instructs Nmap to scan only the 100 most commonly used ports from nmap-services instead of the default 1,000.

root#nmap -F 192.168.43.221

 

Scan All Ports

The -p "*" option is a wildcard that scans all 65,535 TCP ports on the specified target instead of the default top 1,000. The quotes keep the shell from expanding * into file names; -p- is the shorter and more common way to write the same thing.

root#nmap -p "*" 192.168.43.221

 

Scan Top Ports

The --top-ports option scans the specified number of top-ranked ports, ranked by how often they were found open in the nmap-services frequency data. A default scan is the same as --top-ports 1000.

root#nmap --top-ports 10 192.168.43.221

Operating System Detection

The -O parameter enables Nmap’s operating system detection, which fingerprints the target’s TCP/IP stack. It needs raw-packet privileges (root) and gives reliable results only when Nmap finds at least one open and one closed TCP port on the target.

root#nmap -O 192.168.43.221

Service Version Detection

The -sV parameter enables Nmap’s service version detection. Without it the SERVICE column in the outputs above is only a lookup of the port number in nmap-services; with it Nmap talks to each open port to identify the actual application and version.

root#nmap -sV 192.168.43.221

Troubleshooting Version Scans

The --version-trace option can be enabled to display verbose version scan activity.

root#nmap -sV --version-trace 192.168.43.221

Idle Zombie Scan

The -sI option performs an idle (zombie) scan. Nmap sends SYN packets to the target with the zombie host’s address as the source and infers which ports are open from changes in the zombie’s IP ID counter, so the target only ever sees traffic from the zombie. The zombie must be genuinely idle and must use a globally incremental IP ID sequence (the ipidseq NSE script checks a candidate). Add -Pn, otherwise Nmap’s host-discovery probes go out from your real address and defeat the purpose.

Usage syntax: nmap -Pn -sI [zombie host[:probe port]] [target]

root#nmap -Pn -sI 192.168.43.10 192.168.43.221

Display Host Networking Configuration

The --iflist option displays the network interfaces and routes configured on the local system.

root#nmap --iflist
