What is Nmap?
Network Mapper, better known as Nmap, is a tool for network discovery and security auditing. It is renowned for straightforward, easy-to-remember flags that offer effective scanning options. Network administrators typically use Nmap to:
- Find open ports and services
- Identify services and their versions
- Identify the operating system of a target computer
- Obtain precise packet routes to the destination machine
- Monitor hosts
The official Nmap website describes it as follows:
Nmap is a free and open-source tool for network discovery and security auditing. Many systems and network administrators also find it helpful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses cutting-edge methods built on raw IP packets to identify which hosts are present on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what types of packet filters/firewalls are in use, and numerous other characteristics. It was designed to quickly scan large networks, but it works well against single hosts too.
Let's continue with this nmap tutorial by talking about the various scan types.
Nmap Scan Types
Nmap can be used to perform a variety of scans. These are the various scans:
TCP SCAN
A TCP scan completes the full three-way handshake between your machine and the chosen target system. It is usually very noisy and can be detected with little to no effort: because a connection is actually established, the target's services can log the sender's IP address, and the traffic may set off intrusion detection systems.
UDP SCAN
UDP scans check for open UDP ports on the target machine that are waiting for incoming requests. Unlike TCP, UDP has no mechanism for replying with a positive acknowledgment, so there is always a chance of false positives in the scan results. UDP scans are used to find Trojan horses that might be listening on UDP ports, or to find unnoticed RPC services. Because hosts generally rate-limit their responses to this kind of traffic as a precaution, this type of scan is typically quite slow.
SYN SCAN
This is another type of TCP scan. The difference from a typical TCP scan is that Nmap sends only a SYN packet, the first packet used to establish a TCP connection. It is crucial to keep in mind that no connection is ever completed in this scenario; instead, Nmap analyses the responses to these specially crafted packets to produce the scan results.
ACK SCAN
ACK scans are used to determine whether a specific port is filtered or not. This proves incredibly useful when probing for firewalls and their current rule sets. Simple packet filtering will permit packets that look like established connections (packets with the ACK bit set), whereas a sophisticated stateful firewall might not.
FIN SCAN
A stealthy scan similar to the SYN scan, except that it sends a TCP FIN packet instead. Most computers, but not all, respond to this input by sending a RST (reset) packet, so the FIN scan can produce false positives and negatives while slipping past some IDS programmes and other countermeasures.
NULL SCAN
Null scans are very covert scans that do exactly what their name implies: they send a packet with all of the TCP flag fields in the header set to null. This is normally not a valid packet, and some targets will not know how to handle it. Such targets typically run a Windows operating system, and scanning them with NULL packets may produce unreliable results. On the other hand, this can be an efficient workaround when a system is not running Windows.
XMAS SCAN
These are also stealthy, just like null scans. The TCP stack of Windows-based computers does not respond to Xmas scans, so they yield unreliable results there. The scan gets its name from the set of flags that are enabled in the packet sent out for scanning: an XMAS scan manipulates the PSH, URG, and FIN flags found in the TCP header.
RPC SCAN
RPC scans find machines that respond to Remote Procedure Call (RPC) services. RPC enables commands to be executed remotely on a specific machine over a specific set of connections. RPC services can operate on a variety of different ports, so it can be challenging to determine from a simple scan whether or not RPC services are active. In general, it is a good idea to perform an RPC scan occasionally to determine where these services are currently active.
IDLE SCAN
Because its packets are bounced off an external host, the IDLE scan is the stealthiest of all the scans covered in this nmap tutorial. That host must meet a set of requirements, but control over it is typically not required. Given that it is only useful for malicious attacks, it is one of the more contentious Nmap options.
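As an added defender-side illustration of the flag patterns behind the TCP scan types above (this is not code from the article or from the Nmap project; the Nmap option names -sS, -sT, -sA, -sF, -sN and -sX are the real ones, and the firewall log lines are constructed): a small classifier that names the scan type a probe resembles, reads off the port state the article describes for each kind of reply, and counts stealth probes per source in a log.

```python
# Added example (not article or Nmap project code): recognise the TCP scan
# types described above from probe flag bits. Sample log is constructed.
from collections import Counter
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # RFC 793
# First packet each scan type sends. A connect scan (-sT) completes the
# handshake, so its first packet looks exactly like a SYN scan (-sS).
PROBE_TYPES = {
    SYN: "SYN/connect scan (-sS or -sT)",
    ACK: "ACK scan (-sA)",
    FIN: "FIN scan (-sF)",
    0: "NULL scan (-sN)",
    FIN | PSH | URG: "Xmas scan (-sX)",
}
def classify_probe(flags):
    """Scan type whose probe has exactly these flags, or None if not a probe."""
    return PROBE_TYPES.get(flags & 0x3F)  # mask off the ECN bits CWR/ECE

def port_state(probe_flags, reply_flags):
    """Port state implied by a reply (None = silence) to a given probe.
    FIN/NULL/Xmas read 'closed' from RST and 'open|filtered' from silence on
    RFC 793 stacks; Windows answers everything with RST, hence 'unreliable'.
    """
    probe = probe_flags & 0x3F
    if probe == SYN:  # SYN/ACK = open, RST = closed, silence = filtered
        if reply_flags is None:
            return "filtered"
        return "open" if (reply_flags & (SYN | ACK)) == (SYN | ACK) else "closed"
    if probe == ACK:  # only distinguishes filtered from unfiltered
        return "filtered" if reply_flags is None else "unfiltered"
    if probe in PROBE_TYPES:
        return "open|filtered" if reply_flags is None else "closed"
    raise ValueError("not an Nmap probe flag pattern")

# Constructed firewall-style log: an Xmas sweep from .5 plus ordinary traffic.
SAMPLE_LOG = """\
SRC=10.0.0.5 DST=10.0.0.9 DPT=22 FLAGS=0x29
SRC=10.0.0.5 DST=10.0.0.9 DPT=80 FLAGS=0x29
SRC=10.0.0.5 DST=10.0.0.9 DPT=443 FLAGS=0x29
SRC=10.0.0.7 DST=10.0.0.9 DPT=443 FLAGS=0x02
SRC=10.0.0.7 DST=10.0.0.9 DPT=443 FLAGS=0x18
"""
def probe_sources(log_text):
    """Count (source IP, scan type) pairs; many hits per pair mark a sweep."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        kind = classify_probe(int(fields["FLAGS"], 16))
        if kind:
            counts[(fields["SRC"], kind)] += 1
    return counts
```

Feeding real firewall logs in requires only adapting the key=value parsing in probe_sources to the log format in use.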