Scanning For Hosts
First and foremost, nmap is used as a scanner for hosts on a network.
1: Network Addresses
The first step to scanning the network is getting an idea of what range of IPs you're going to be looking for. Open up a terminal, and use ifconfig to find your own address on the network (your IPv4 address).
ifconfig
Upon running ifconfig, you'll get back a lot of information about your network devices. You're going to need to look for the device you use to connect to the network, and then look for its "inet addr". The "inet addr" value is the IPv4 version of your IP, while the "inet6 addr" is the IPv6 version of your IP. As an example, this is my output:
wlan0 Link encap:Ethernet HWaddr 00:19:d2:87:60:ac
inet addr:10.0.1.15 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::219:d2ff:fe87:60ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10623 errors:0 dropped:0 overruns:0 frame:0
TX packets:10143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11126583 (11.1 MB) TX bytes:1873950 (1.8 MB)
You can see the device name (wlan0) and the inet addr (10.0.1.15), which I highlighted.
2: Using Nmap
Now that you have your network address, you can begin scanning for other hosts.
1. Take the IP address you found in step 1, and set the last octet of the IP to 1. So, for my example IP, I would change "10.0.1.15" to "10.0.1.1"
2. Open up another shell. Now we're actually going to use nmap to get an idea of what our network is like. In this example, I'm scanning the entire subnet for hosts, so I will use "10.0.1.1/24" as my target. The "/24" tells nmap that the first 24 bits of the address (10.0.1) are the network prefix, which leaves the remaining 8 bits for host addresses, so every address from 10.0.1.0 through 10.0.1.255 gets scanned. For this command, I'm going to include the -O option for OS fingerprinting.
nmap -sS -O 10.0.1.1/24
If you did everything right (and ran this using root privileges) then you should be given results for all the hosts detected on the network. These results include open ports, MAC addresses, device type, and OS.
3. But what if you want to search the network for computers with a certain port open? Well, that can be done easily with nmap. Just use the same target as the previous command, and replace -O and -sS with the -p option. The syntax is -p [port], where [port] is the port that you are searching for. In this example, we'll search for port 22, which is used for SSH (Secure SHell).
nmap -p 22 10.0.1.1/24
And then you get back a nice list of the hosts and whether or not they have port 22 open. There's a lot more nmap can do. Just check the man pages (man nmap) to see more options.
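As an added example (not part of the original post), this Python script shows how to turn that "nice list" into something a defender can act on: it derives the /24 target from the ifconfig "inet addr" and "Mask" values above, then parses nmap's grepable output (what you get from adding "-oG -" to the port 22 command) to pull out exactly which hosts have port 22 open, closed, or filtered. The scan output below is a constructed sample, not a real scan.

```python
import ipaddress
import re

# Constructed sample of what "nmap -p 22 -oG - 10.0.1.1/24" prints in grepable
# format. Each responding host gets a "Host:" line; these are not real results.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -p 22 -oG - 10.0.1.1/24
Host: 10.0.1.1 ()\tStatus: Up
Host: 10.0.1.1 ()\tPorts: 22/open/tcp//ssh///
Host: 10.0.1.15 ()\tStatus: Up
Host: 10.0.1.15 ()\tPorts: 22/closed/tcp//ssh///
Host: 10.0.1.42 (printer.lan)\tStatus: Up
Host: 10.0.1.42 (printer.lan)\tPorts: 22/filtered/tcp//ssh///
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

def subnet_target(inet_addr, mask):
    """Turn ifconfig's 'inet addr' and 'Mask' into the CIDR target nmap expects."""
    net = ipaddress.IPv4Network(f"{inet_addr}/{mask}", strict=False)
    return str(net)  # "10.0.1.15" with "255.255.255.0" -> "10.0.1.0/24"

# Grepable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

def hosts_with_port(grepable, port, state="open"):
    """Return the sorted IPs whose scan reported `port` (TCP) in `state`."""
    hits = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # skip nmap's "# ..." banner lines
        ip = line.split()[1]
        parts = line.split("\tPorts: ", 1)
        if len(parts) < 2:
            continue  # "Status: Up" lines carry no port information
        for num, st, proto, _service in PORT_RE.findall(parts[1]):
            if int(num) == port and proto == "tcp" and st == state:
                hits.add(ip)
    return sorted(hits, key=ipaddress.IPv4Address)

if __name__ == "__main__":
    print("target:", subnet_target("10.0.1.15", "255.255.255.0"))
    for st in ("open", "closed", "filtered"):
        print(f"port 22 {st}:", hosts_with_port(SAMPLE_GREPABLE, 22, st))
```

A host that shows up as "open" here but is not on your list of known SSH servers is the kind of finding this inventory is meant to surface.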
shit... makes me wanna install Linux
A Windows version was released in 2000. It's here if interested: http://nmap.org/dist/nmap-5.51-setup.exe
That's pretty sick. I could see this coming in handy.
Very nice! I believe it will be useful =)
I'm planning on getting into networking as a job later in life.
Damn, informative and cool. I'm going to try this out right now!
Thanks for the positive feedback! I plan on doing more of these types of tutorials on other powerful command line programs, so check back often!
Do more of these, yeah.
nmap is one hell of a tool!