Zenmap is the official Nmap Security Scanner GUI that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
Nmap is a very powerful utility that can be used to:
- Detect live hosts on the network (host discovery)
- Detect open ports on a host (port discovery or enumeration)
- Detect the software and version behind each open port (service discovery)
- Detect the operating system, hardware address, and software version
- Detect vulnerabilities and security holes (Nmap scripts)
It is available as both a command line interface and a graphical user interface. Once the exe or ZIP file is downloaded from http://nmap.org/download.html, the installer offers the option to install Nmap with the GUI (Zenmap) or as the command line interface only.
Simply deselect the GUI if you want the command line interface, which is recommended as you then write the commands yourself.
If you are a beginner, the GUI is a great place to start, as it writes the desired commands for you: you simply select what you wish it to do.
Once the command line version is downloaded and installed, open a Cmd window and navigate to the Nmap folder as shown below. This is where all the commands will then be run.
- nmap --help
Lists all the possible options, grouped under the following headings:
- TARGET SPECIFICATION
- HOST DISCOVERY
- SCAN TECHNIQUES
- PORT SPECIFICATION AND SCAN ORDER
- SERVICE/VERSION DETECTION
- SCRIPT SCAN
- OS DETECTION
- TIMING AND PERFORMANCE
- FIREWALL/IDS EVASION AND SPOOFING
Export to File
--help is just an example; the same redirection can be used for any scan.
- nmap --help > C:\nmap.txt
Scan a single target, given as a hostname/URL or an IP address.
- nmap Target
Results will outline the following:
Scan a number of specific ports
- nmap -p80,21,23 Target
Enable OS detection (here against two targets)
- nmap -O Target1 Target2
Enable OS and version detection, script scanning, and traceroute; -T4 for faster execution
- nmap -A -T4 Target
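The commands above print Nmap's normal text output, which is easy to read but awkward to process in bulk. As an added example (not part of the original page or of the Nmap project), the parser below pulls the per-host port table out of that output; the scan output it works on is a constructed sample with made-up hosts and versions.

```python
import re
from collections import namedtuple

# Constructed sample of Nmap normal output (the shape "nmap -A -T4 Target" prints).
# Hostnames, addresses and version strings are made up for illustration.
SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for testhost.example (192.0.2.10)
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE VERSION
21/tcp  open     ftp     vsftpd 3.0.3
23/tcp  filtered telnet
80/tcp  open     http    Apache httpd 2.4.41 ((Ubuntu))
OS details: Linux 5.4 - 5.10
Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Nmap done: 2 IP addresses (2 hosts up) scanned in 3.21 seconds
"""

Port = namedtuple("Port", "host port proto state service version")

# "Nmap scan report for name (ip)" or just "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# "80/tcp  open  http  Apache httpd 2.4.41" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_output(text):
    """Return one Port record per port line, tagged with the host it belongs to."""
    records, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # Prefer the IP in parentheses; fall back to the bare name/address.
            host = m.group(2) or m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, service, version = m.groups()
            records.append(Port(host, int(port), proto, state, service, version.strip()))
    return records

def open_ports(records):
    """Map host -> sorted (port, service) pairs for ports Nmap reported as open."""
    result = {}
    for r in records:
        if r.state == "open":
            result.setdefault(r.host, []).append((r.port, r.service))
    return {h: sorted(p) for h, p in result.items()}

if __name__ == "__main__":
    for host, ports in open_ports(parse_nmap_output(SAMPLE_OUTPUT)).items():
        print(host, ports)
```

Feed it a file saved with the redirection shown under "Export to File" to get the same per-host summary for a real scan.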
Find out whether a host/network is protected by a firewall
- nmap -sA Target
Scan a host that is protected by a firewall (skips host discovery; newer Nmap versions spell this option -Pn)
- nmap -PN Target
Scan a range of IP addresses using a wildcard or CIDR notation
- nmap 192.168.1.*
- nmap 192.168.1.0/24
Exclude hosts from a scan
- nmap 192.168.1.0/24 --exclude 192.168.1.5
- nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
Some Examples of Scans
-sS (TCP SYN scan)
Also called half-open scanning, because this technique lets Nmap get information from the remote host without completing the TCP handshake: Nmap sends SYN packets to the destination but never completes a session. As a result, the target's applications typically do not log the interaction, because no session was established; this is the main advantage of the TCP SYN scan.
- nmap -sS Target
-sT (TCP connect scan)
This is the default TCP scan type when a SYN scan is not an option, for example when the user does not have raw packet privileges.
Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
- nmap -sT Target
-sU (UDP scans)
Sends a UDP packet to every targeted port; a service that answers with a UDP packet proves the port is open. Common UDP ports include 53 (DNS) and 161 (SNMP). Ways to speed up UDP scans include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
- nmap -sU Target
-sY (SCTP INIT scan)
SCTP is an alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP and adding new features such as multi-homing and multi-streaming.
- nmap -sY Target
-sA (TCP ACK scan)
Used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
- nmap -sA Target
-sO (IP protocol scan)
Allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
- nmap -sO Target
Zenmap GUI Interface
Zenmap allows interactive creation of Nmap command lines through a point-and-click approach.
Running a scan is as simple as typing the target in the "Target" field, selecting the "Intense scan" profile, and clicking the "Scan" button.
Once the Target and the Profile are selected, the Command text area shows the Nmap command that is about to be run. This command can also be copied out and used in the Nmap command line interface.
Intense scan
nmap -T4 -A -v testSite.com
Slow comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" testSite.com
The Profile Editor
It is possible to use the profile editor as an Nmap command editor. Select "New Profile or Command" from the "Profile" menu or use the Ctrl+P keyboard shortcut. The profile editor will appear, displaying whatever command was shown in the main window.
Within the Scripting tab it is possible to scroll the list on the left to see all the scripts that are installed in script.db; scripts can be selected or deselected individually by clicking the check box next to the script name.
To save the profile, first go to the "Profile" tab and give the profile a name. Then click "Save Changes" to save the new profile.
The newly created profile is then saved and can be selected as a scan option in future.
Nmap is a must-have tool for network security experts. It supports many advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. It can scan huge networks containing hundreds of thousands of machines and, most importantly, it is available in both the traditional command line and graphical (GUI) versions.