Hello everyone, I'm going to show you some nmap commands here. I'm not going to go into installation or the concepts too much, okay. I'm going to talk more about the commands and explain a little of the syntax.
It's more like a summary of commands to help you out in everyday life, right. But nmap, in short, is an open source tool used for network exploration; in general, it is a network scanner, right, among many other things. It is very useful for security audit purposes, for us to carry out validations.
Well, it's a really essential tool for anyone who works with networks, right? Let's go, first tip, the first command I wanted to show you. How do we discover the hosts connected within a network, right?
So, let's go: nmap -sn, and then the host, the IP or the network that we want to discover. In this case I'm going to use localhost as an example, just so we can run it. Look, it responded quickly because it was just one host, right; sometimes it takes a little longer.
It took less than a second here. One host up. Great. What does this "-sn" do? I'm just telling nmap that I don't want it to scan ports, only active hosts. It does this as a kind of ping, right: it sends ICMP Echo Request packets and records the ICMP Echo Replies, so it does this analysis and indicates which hosts are responding on the network, right.
Now the second tip would be port scanning. First, I'll show you how we scan ports in a general, simpler way. nmap -p indicates the port, 80; it can also be 443 here, I can put a series of ports, and then the host or network where I want to check, right.
I'm going to put localhost here again. See that it scans the ports I specified. It already answered me, look. Both closed.
But the tip I want to pass on, in this case, is for us to scan all the ports, as I do to check which ports are active or not. It's a little different, the syntax changes a little, see. The trick is here: remove the ports and add another dash after the "-p".
I can put a network here instead of a host, or any domain. Come on, here it tends to take a little longer, but as I only entered one host, it ended up being a quick query, 3 seconds. But it has already carried out a series of checks and has given me back the status of all of them, everything it managed to get.
This one is really cool because it will check all 65,536 ports, right? So knowing this information, what's the next tip that we could check? How to discover ports, but in the most discreet way, which would be the famous stealth scan, right. What is this method, the discreet scan, for?
It serves exactly to avoid detection by systems, or to avoid flooding the network with packets. I'll show the syntax here: nmap -sS (capital S) and the domain of the host I want to check. Let me put a test domain.
Execute. Maybe it'll take a little longer. What is it actually going to do here? It will send a series of packets and will analyze them.
It will send a bunch of packets with the TCP SYN flag set and will wait for the SYN-ACK returned by the other side, so it doesn't do the complete three-way handshake. In this sense, it avoids flooding the network and is less likely to be detected than a complete TCP scan, right. And it also gave me back the information I wanted, wonderful, right?
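To make the half-open behaviour concrete from the defender's side, here is an added example (not code from the video or from the nmap project) that replays a constructed packet capture and does two things the explanation above describes: it reads each probe the way a SYN scan reads replies (SYN-ACK means open, RST means closed, silence means filtered), and it flags any client that probed several ports on a host without ever completing the three-way handshake. The IP addresses, ports and flag strings are constructed sample data; the tcpdump-style flag letters and the threshold of five ports are assumptions of the example.

```python
from collections import defaultdict

# Constructed capture: one TCP packet per tuple,
# (src_ip, dst_ip, src_port, dst_port, flags) with tcpdump-style flags
# "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST.
SAMPLE_CAPTURE = [
    # 10.0.0.5 probes six ports on 10.0.0.20 the way a SYN scan does:
    # SYN out, then SYN-ACK (open), RST (closed) or silence (filtered),
    # and it never sends the final ACK.
    ("10.0.0.5", "10.0.0.20", 40001, 22, "S"),
    ("10.0.0.20", "10.0.0.5", 22, 40001, "SA"),
    ("10.0.0.5", "10.0.0.20", 40001, 22, "R"),     # scanner tears down, no ACK
    ("10.0.0.5", "10.0.0.20", 40002, 80, "S"),
    ("10.0.0.20", "10.0.0.5", 80, 40002, "SA"),
    ("10.0.0.5", "10.0.0.20", 40002, 80, "R"),
    ("10.0.0.5", "10.0.0.20", 40003, 443, "S"),
    ("10.0.0.20", "10.0.0.5", 443, 40003, "R"),
    ("10.0.0.5", "10.0.0.20", 40004, 3306, "S"),
    ("10.0.0.20", "10.0.0.5", 3306, 40004, "R"),
    ("10.0.0.5", "10.0.0.20", 40005, 21, "S"),
    ("10.0.0.20", "10.0.0.5", 21, 40005, "R"),
    ("10.0.0.5", "10.0.0.20", 40006, 8080, "S"),   # no reply at all
    # 10.0.0.7 is an ordinary client: full three-way handshake to 443.
    ("10.0.0.7", "10.0.0.20", 50001, 443, "S"),
    ("10.0.0.20", "10.0.0.7", 443, 50001, "SA"),
    ("10.0.0.7", "10.0.0.20", 50001, 443, "A"),
]


def track_handshakes(packets):
    """Reduce packets to a per-(client, server, port) handshake state.

    States: "syn" (no answer yet), "synack" (server answered, client never
    ACKed), "rst" (server refused), "established" (client ACKed the SYN-ACK).
    """
    state = {}
    for src, dst, sport, dport, flags in packets:
        if flags == "S":
            state[(src, dst, dport)] = "syn"
            continue
        # Server->client packets are keyed on the SYN that started them:
        # the client is dst and the probed port is the server's source port.
        reply_key = (dst, src, sport)
        if flags == "SA" and state.get(reply_key) == "syn":
            state[reply_key] = "synack"
        elif flags == "R" and state.get(reply_key) == "syn":
            state[reply_key] = "rst"
        elif flags == "A" and state.get((src, dst, dport)) == "synack":
            state[(src, dst, dport)] = "established"
        # A client RST after SYN-ACK leaves the state at "synack": half-open.
    return state


# How a SYN scan reads each handshake state as a port state.
STATE_TO_PORT = {"synack": "open", "rst": "closed", "syn": "filtered"}


def syn_scan_report(packets, min_ports=5):
    """Return {(client, server): {"open": [...], "closed": [...], "filtered": [...]}}
    for every client that probed at least `min_ports` ports on one server
    without completing the handshake (threshold is an assumed value)."""
    per_pair = defaultdict(lambda: {"open": [], "closed": [], "filtered": []})
    for (client, server, port), st in track_handshakes(packets).items():
        if st in STATE_TO_PORT:          # "established" is normal traffic
            per_pair[(client, server)][STATE_TO_PORT[st]].append(port)
    report = {}
    for pair, ports in per_pair.items():
        probed = sum(len(v) for v in ports.values())
        if probed >= min_ports:
            report[pair] = {k: sorted(v) for k, v in ports.items()}
    return report


if __name__ == "__main__":
    for (client, server), ports in syn_scan_report(SAMPLE_CAPTURE).items():
        print(f"{client} half-open scanned {server}: {ports}")
```

The important detail is the last branch of track_handshakes: a scanner that receives a SYN-ACK and answers with RST instead of ACK leaves the entry in the "synack" state, which is exactly the half-open pattern a host-based or network IDS keys on, while the ordinary client that finishes the handshake never enters the report.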
Let's move on to another tip, the fourth tip, which would be how we detect the operating system that is running there. Simple too: nmap -O (capital O) scanme.nmap.org. This is a test domain; let's see if it returns something and if it ends up executing quickly. It took about 16 seconds here but it gave me a lot more information, look, it brought a lot of information about the operating system that is running there.
I'm not going to go into details here, doing an analysis with you, but as it's a test domain you can use it at home, right. Let's go: knowing the operating system, what we can see in the fifth tip now would be how to check the versions of the services. To check the versions of the services it's very simple too: we can put nmap -sV scanme.nmap.org. Remember that this domain I'm using is a test one, and here we change it; it could be your IP, or a network, a /24, a /16. All of this will make it take longer, right, if you want to do a very comprehensive query. Let's send it here then.
Notice that it also tried to execute some OpenSSL functions, so it can bring more information too, right; in this case I don't have it, so that won't work, but that's okay. There are other functions it performs as well, other checks. What it does in this command here is similar to the other one.
It will send a series of packets and analyze the responses, right? Based on these responses it can determine the versions of the services, just as it did to detect the operating system, right. I can combine these commands; this depends a lot on the time I have to do this check and the information I want, so for learning now I like to separate the commands, I do them one at a time, right.
Let's wait and see if it completes this query; it tends to take a while. Note that it completed the scan, it checked more information about that domain and brought more detailed information about the versions of the systems that are running on that side. This is very useful for different types of analysis, right; I'm not going to go into the analysis too much here, okay, I'm going to focus more on the syntax.
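When you run -sV across a /24 or /16 the useful result is not the screen output but a list of which host exposes which service at which version, so here is an added example (not from the video or the nmap project) that parses nmap's grepable output (-oG) into that list. The input is a constructed sample using the 192.0.2.0/24 documentation range and invented version strings; the field layout assumed for each port entry is port/state/protocol/owner/service/rpcinfo/version/, entries separated by ", ", which is how I understand the -oG format, and the function names are my own.

```python
import re

# Constructed sample of `nmap -sV -oG -` output (documentation IPs,
# invented service banners). Tabs separate the fields on a Host: line.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 192.0.2.0/30
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.5.5-10.6.12-MariaDB/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 10:00:12 2024 -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# "Host: <ip> (<hostname or empty>)<TAB><rest of fields>"
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_port_entry(entry):
    """Split one -oG port entry; the version is the last field and may
    itself contain slashes, so split at most six times."""
    fields = entry.strip().split("/", 6)
    if len(fields) != 7:
        raise ValueError(f"unexpected port entry: {entry!r}")
    port, state, proto, _owner, service, _rpc, version = fields
    return {
        "port": int(port),
        "state": state,
        "proto": proto,
        "service": service,
        "version": version.rstrip("/"),   # empty when -sV learned nothing
    }


def parse_grepable(text):
    """Return one dict per host, merging its Status and Ports lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # comment lines and anything else
        ip, name, rest = m.groups()
        host = hosts.setdefault(
            ip, {"ip": ip, "hostname": name, "status": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                host["ports"].extend(
                    parse_port_entry(e) for e in value.split(", "))
            # "Ignored State" and other fields are not needed here
    return list(hosts.values())


def open_services(hosts):
    """Flatten to (ip, port, service, version) for open ports only,
    sorted so the list diffs cleanly between two scans."""
    rows = [
        (h["ip"], p["port"], p["service"], p["version"])
        for h in hosts
        for p in h["ports"]
        if p["state"] == "open"
    ]
    return sorted(rows)


if __name__ == "__main__":
    for ip, port, service, version in open_services(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{ip}:{port}\t{service}\t{version or '(no version)'}")
```

Run a scan with -oG into a file, feed the file to parse_grepable, and keep the open_services output under version control: the next scan's diff is the list of services that appeared, disappeared or changed version, which is what an audit actually wants from -sV.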
These are the main commands that I would like to share with you, right? There is a whole series, we can combine them, but now to finish I will show some others that are used in rarer, more specific situations, such as, for example, a random scan of hosts. IPv6 works a little differently from IPv4, and sometimes the type of scan that I'm going to show you now can be a little more useful in that type of network. But what happens? I can show it here with an example. Let me clear the screen.
nmap -v -iR, and I'm going to put a random number here, 100; I can put a much bigger number but I'm going to put 100. What is it going to do? It will check 100 hosts at random.
Then -Pn. With "-Pn" I'm telling it that I don't want to ping. So this way it won't try to check if the host is active; it will take these 100 and run the host scan on them, okay, and what will I get?
So I'm going to look for port 80, for example; if port 80 is open, it's already vulnerable, right? Let's go. Here I'm not going to put a host or network, because what is it going to do?
It will randomly check 100 hosts, 100 IPs. In IPv6 networks, for example, we have the concept of neighborhood islands, so sometimes it can end up being useful to see the random range of where you are. Now, in an IPv4 network it will randomly pick 100 hosts and perform a check on them.
I'm going to give it a minute here to see if it completes the execution. It completed the execution here; notice that it took a very acceptable amount of time and it did a scan of IPs it picked at random, right. And here, for some it found only that the host is up and the port is filtered, but for some, searching a little further up, it found the port open.
It does a random check. You see that it goes quite far sometimes, right, so this here is very specific, okay, a little more advanced. And from there, if we want to go a little further, to finish, I will show here a comprehensive scan, a very comprehensive one, which performs a much more complete detection.
It will do operating system detection, service detection, even script detection, and route tracing. That would be nmap -A here. I can put the host I want; I'll put the test domain and send it.
Here it has also tried to execute that function and initialize OpenSSL, but it was unable to because I really don't have it. But that's not important here for this test. This check is much more comprehensive; it tends to take more than a minute, maybe two, depending a lot on your system, right.
It finished running and it didn't take very long, possibly because I only put in one host, just over a minute here, and it brought me a series of information, including a route trace, look, it brought operating system information. In fact, it did the set of all the other checks and a little more, some SSH information, right. So it's much more detailed information, much more comprehensive, right, but in short, that's it.
These are the main commands that I wanted to share with you. And here too, if you want, you can do one more. Let me show you that you can combine this syntax and from there develop the best query or best scan for you, right.
nmap -f, and the domain, for example. What is this "-f" for? It can be used to fragment. What for?
For us to get past a firewall, an IPS system for example, IPS/IDS, right; in this case it will use TCP fragmentation to try to pass through the firewall filters, but this is a slightly more advanced tip that may or may not work. It will run here. Let's go.
Notice that it itself tells me here that I'm running packet fragmentation and that it may or may not work, so let's go; this one should take a little longer. Here we won't be able to see what it's doing, because we would need to go a little further, put a filter here, a network sniffer, a tcpdump, so we can evaluate what's happening, right? And in this case we are just showing the syntax.
I'm even going to interrupt this execution, which was more to leave a final tip, but in principle this is what I wanted to show you. There's a lot of material to advance in your study, right, and I hope I helped. Note that you need to have permission to do this type of scanning on a network, right. So always be aware that when you do this you can be detected; nowadays it is very easy to detect a type of scan like this on the network, unless you do it in a slightly more advanced way, and this can be considered a malicious activity.
So always keep this in mind, use it for your work. I hope I helped, guys, a big hug.