Please enable JavaScript.

Coggle requires JavaScript to display documents.

nmap - Coggle Diagram

- - - - These ports fall within the range 1,024 to 49,151 and have been registered with the IANA in the same way the well known ports have. Most of these are not as commonly used as the well-known ports. The key difference is that unprivileged users can bind to these ports and thus run the services on their registered port. Users cannot do so on most platforms for well-known ports, since they reside in the reserved port range
    - - The IANA reserves the port numbers from 49152 through 65535 for dynamic uses such as those discussed in the ephemeral ports section. Proprietary services that are only used within a company may also use these ports.
- - - - CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will scan the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.
        
        Input From List (-iL)
        
        Passing a huge list of hosts is often awkward on the command line, yet it is a common need. For example, your DHCP server might export a list of 10,000 current leases that you wish to scan. Or maybe you want to scan all IP addresses except for those ones to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the filename if you want Nmap to read hosts from standard input rather than an actual file.
        ex nmap -iL -/filename
        
        Choose Targets at Random (-iR <numtargets>)
        
        For Internet-wide surveys and other research, you may want to choose targets at random. This is done with the -iR option, which takes as an argument the number of IPs to generate. Nmap automatically skips certain undesirable IPs, such as those in private, multicast, or unallocated address ranges. The argument 0 can be specified for a never-ending scan. Keep in mind that some network administrators bristle at unauthorized scans of their networks. Carefully read the section called “Legal Issues” before using -iR.
        If you find yourself really bored one rainy afternoon, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers for browsing.
        
        Excluding Targets (--exclude, --excludefile <filename>)
        
        It is common to have machines which you don't want to scan under any circumstances. Machines can be so critical that you won't take any risk of an adverse reaction. You might be blamed for a coincidental outage even if the Nmap scan had nothing to do with it. Or perhaps you have legacy hardware that is known to crash when scanned, but you haven't been able to fix or replace it yet. Or maybe certain IP ranges represent subsidiary companies, customers, or partners that you aren't authorized to scan. Consultants often don't want their own machine included in a scan of their client's networks. Whatever the reason, you can exclude hosts or entire networks with the --exclude option. Simply pass the option a comma-separated list of excluded targets and netblocks using the normal Nmap syntax. Alternatively, you can create a file of excluded hosts/networks and pass that to Nmap with the --excludefile option. The --exclude option doesn't mix with IP ranges that use commas (192.168.0.10,20,30) because --exclude itself uses commas. Use --excludefile in these cases.
        
        example : nmap -sp --exculde dns.xyz.com,snmp.xyz.com,dmz.xyz.com 192.6.7.0/24 (ip that will be scanned)
        
        Practical Examples
        
        These three commands all do the same thing, assuming that scanme.nmap.org resolves to 64.13.134.52. They scan that one IP and then exit.
        
        nmap scanme.nmap.org, nmap scanme.nmap.org/32 , nmap 64.13.134.52
        
        These four commands all ask Nmap to scan the 256 IP addresses from 64.13.134.0 through 64.13.134.255. In other words, they ask to scan the class C sized address space surrounding scanme.nmap.org.
        
        nmap 64.13.134.52/24 , nmap 64.13.134.0-255 ,
        nmap 64.13.134.- ,nmap scanme.nmap.org/24
        
        Tells Nmap to scan the class C around 64.13.134.52, but to skip scanme.nmap.org and insecure.org if they are found within that address range.
        
        nmap -sp 64.13.134.52/24 --exclude scanme.nmap.org, insecure.org
        
        Tells Nmap to scan the whole private 10 range except that it must skip anything starting with 10.6 as well as ultra-sensitive-host.company.com.
        
        10.0.0.0/8 --exclude 10.6.0.0/16,ultra-sensitive-host.company.com
        
        Scans the IPv6 host at address 2001:800:40:2a03::3.
        
        nmap -6 2001:800:40:2a03::3
        
        egrep '^lease' /var/lib/dhcp/dhcpd.leases | awk '{print $2}' | nmap -iL -
        Obtain the list of assigned DHCP IP addresses and feed them directly to Nmap for scanning. Note that a hyphen is passed to -iL to read from standard input.
  - - - usable network id bits : 16-2 = 14
    - - usable network id : 24-3 =21
    - - usable network id bits : 8-1 =7
        
        number od possible network id = 2 power 7 minus 2 = 126
        
        number of possible hosts number 2 poer 24 minus 2
- - - - DNS Tricks
        
        The primary purpose of DNS is to resolve domain names into IP addresses, so it is a logical place to start. In Example 3.1, I use the Linux host command to query some common DNS record types.
        
        host -t ns target.com
        
        target.com name server ns4.target.com.
        
        target.com name server ns3.target.com.
        
        target.com name server ns1-auth.sprintlink.net.
        
        target.com name server ns2-auth.sprintlink.net.
        
        target.com name server ns3-auth.sprintlink.net.
        
        host -t a target.com
        
        target.com has address 161.225.130.163
        
        target.com has address 161.225.136.0
        
        Next I resolve the IP addresses for the hostnames above (using host again) and I try a few common subdomain names such as www.target.com and ftp.target.com. Starting with names like ns3.target.com and smtp01.target.com, I try changing the digits to find new machines. All of this leaves me with the following target.com names and addresses:
        
        ns3.target.com 161.225.130.130
        
        ns4.target.com 161.225.136.136
        
        ns5.target.com 161.225.130.150
        
        target.com 161.225.136.0, 161.225.130.163
        
        smtp01.target.com 161.225.140.120
        
        smtp02.target.com 198.70.53.234, 198.70.53.235
        
        extdns02.target.com 172.17.14.69
        
        www.target.com 207.171.166.49
        
        While a substantial hostname list can be generated in this manner, the mother lode of hostnames comes from a zone transfer. Most DNS servers now reject zone transfer requests, but it is worth a try because many still allow it. Be sure to try every DNS server you have found through domain NS records and port scanning corporate IP ranges. So far we have found seven Target nameservers: ns3.target.com, ns4.target.com, ns5.target.com, ns1-auth.sprintlink.net, ns2-auth.sprintlink.net, ns3-auth.sprintlink.net, and extdns02.target.com. Unfortunately, all of those servers either refused the transfer or did not support the TCP DNS connections required for a zone transfer. Example 3.2 shows a failed target.com zone transfer attempt using the common dig (domain information groper) tool[9], followed by a successful one against an unrelated organization (cpsr.org).
        
        dig ns2.eppi.com -t AXFR cpsr.org
        
        ; <<>> DiG 9.5.0b1 <<>> ns2.eppi.com -t AXFR cpsr.org
        
        cpsr.org 10800 IN SOA ns1.findpage.com. root.cpsr.org.
        
        cpsr.org. 10800 IN NS ns.stimpy.net.
        
        cpsr.org. 10800 IN NS ns1.findpage.com.
        
        cpsr.org. 10800 IN NS ns2.eppi.com.
        
        cpsr.org. 10800 IN A 208.96.55.202
        
        cpsr.org. 10800 IN MX 0 smtp.electricembers.n
        
        A common mistake when gathering forward DNS results like these is assuming that all systems found under a domain name must be part of that organization's network and safe to scan. In fact, nothing prevents an organization from adding records pointing anywhere on the Internet. This is commonly done to outsource services to third parties while keeping the source domain name for branding. For example, www.target.com resolves to 207.171.166.49. Is this part of Target's network, or is it managed by a third party we might not want to scan? Three quick and easy tests are DNS reverse-resolution, traceroute, and whois against the relevant IP address registry. The first two steps can be done by Nmap, while the Linux whois command works well for the third. These tests against target.com are shown in Example 3.3 and Example 3.4.
        
        nmap -Pn -T4 --traceroute www.target.com
        
        -pn to scan ports and no host dicovery
        
        Example 3.4. Using whois to find owner of www.target.com IP address
        
        Web databases can also be used to find hostnames under a given domain. For example, Netcraft has a web site DNS search feature at http://searchdns.netcraft.com/?host. Typing .target.com in to the form brings 36 results, as shown in Figure 3.2. Their handy table shows the netblock owner too, which catches cases such as Amazon running www.target.com. We already knew about some of the discovered hosts, but we would have been unlikely to guess names such as sendasmoochie.target.com.
        
        1 more item...
        
        http://searchdns.netcraft.com/?host
        
        Web databases can also be used to find hostnames under a given domain. For example, Netcraft has a web site DNS search feature at
        
        Whois Queries Against IP Registries
        
        After a set of initial “seed” IPs are discovered, they must be researched to ensure they belong to the company you expect and to determine what netblocks they are part of. A small company might have a tiny allocation of 1–16 IP addresses, while larger corporations often have thousands. This information is kept in regional databases, such as ARIN (American Registry for Internet Numbers) for North America and RIPE for Europe and the Middle East. Modern whois tools take an IP address and automatically query the appropriate registry.
        
        Small and mid-sized companies normally don't have IP space allocated by the likes of ARIN. Instead, they are delegated netblocks from their ISPs. Sometimes you get this ISP information from IP queries. This generally leaves you with a big netblock and you don't know which portion of it is allocated to your target. Fortunately, many ISPs now subdelegate customer ranges using Shared Whois (SWIP) or Referral Whois (RWhois). If the ISP has done this, you learn the customer's exact netblock size.
        
        whois -h whois.arin.net target.com shows all the ARIN contacts with email addresses at target.com. The query whois -h whois.arin.net "n target" shows all the netblock handles starting with target. It is not case sensitive. Similarly, whois -h whois.arin.net "o target" shows all of the organizational names starting with target. You can look up the address, phone number, and contact email associated with each entry to determine whether they are part of the company you wish to scan. Often they are 3rd parties who happen to have a similar name.
        
        Internet Routing Information
        
        The core routing protocol of the Internet is the Border Gateway Protocol (BGP). When scanning mid-sized and large organizations, BGP routing tables can help you find their IP subnets all over the world. For example, suppose you want to scan IP addresses belonging to Microsoft Corporation. A DNS lookup for microsoft.com provides the IP address 207.46.196.115. A whois query as discussed in the previous section shows that the whole 207.46.0.0/16 block belongs to Microsoft at their appropriate “One Microsoft Way” address in Redmond. That provides 65,536 IP addresses to scan, but BGP tables expose many more.
        
        Entities such as Microsoft are assigned autonomous system (AS) numbers for routing purposes. A handy tool for determining the AS number advertised for a given IP address is available at http://asn.cymru.com/. Typing 207.46.0.0 into this form provides Microsoft's AS number 8075. Next, I want to find all of the IP prefixes which route to this AS. A handy tool for doing so is available at http://www.robtex.com/as/. Typing in AS8075 and hitting Go on that page leads to a summary screen showing 42 prefixes found. Those prefixes represent 339,456 IP addresses and can be enumerated by clicking the BGP tab.
        
        internet routing info an how to get bvenefiuets from bgp routing table
        
        if you're into a big org or mid size org you can collevct all ip subnet of it around the world
        
        you already got it's ip so you will enter this ip in this site to get as number http://asn.cymru.com/
        
        after getting as number you will write As0878 for example the number you get annd it will retreive all subnets that you can scan http://www.robtex.com/as/
- - - - While the defaults generally work well, Nmap offers four options for controlling DNS resolution. They can substantially affect scanning speed and the amount of information gathered.
        
        -n Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option reduces scanning times.
        
        -R (DNS resolution for all targets)
        Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.
        
        -Pn scan ports and skip reverse dns resolution
        
        --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
        
        By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (Unix) or the Registry (Win32). Alternatively, you may use this option to specify alternate servers. This option is not honored if you are using --system-dns or an IPv6 scan. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space. This option can also improve stealth, as your requests can be bounced off just about any recursive DNS server on the Internet.
        
        This option also comes in handy when scanning private networks. Sometimes only a few name servers provide proper rDNS information, and you may not even know where they are. You can scan the network for port 53 (perhaps with version detection), then try Nmap list scans (-sL) specifying each name server one at a time with --dns-servers until you find one which works.
- - - - his is even simpler than the open case. The first step is always the same—Nmap sends the SYN probe to Scanme. But instead of receiving a SYN/ACK back, a RST is returned. That settles it—the port is closed. No more communication regarding this port is necessary.
        
        Nmap will also consider a port filtered if it receives certain ICMP error messages back. Table 5.2 shows how Nmap assigns port states based on responses to a SYN probe.
        Table 5.2. How Nmap interprets responses to a SYN probe
        
        TCP SYN/ACK response open
        
        TCP RST response closed
        
        No response received (even after retransmissions) filtered
        
        ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) filtered