How to perform a scan with nmap and some useful nmap tips for probing a computer.

Posted: October 27, 2014. At: 11:42 PM. This was 3 years ago. Post ID: 7868

To run a TCP SYN (half-open) scan against a single host, use this command. With -sS, nmap sends a SYN to each of its 1000 most common TCP ports and classifies each port from the reply: a SYN/ACK means open, a RST means closed, and no answer (or an ICMP unreachable) means filtered. Because it builds raw packets, -sS needs root, so prefix it with sudo if you are not already root; -v prints progress and each open port as it is found.

nmap -sS -v 192.168.1.10

If you want to scan a range of IP addresses, this is the command to use.

nmap -sS -v 192.168.1.10-100

This sends SYN packets to every address from 192.168.1.10 through 192.168.1.100 (the last octet is given as a range; 192.168.1.0/24 or 192.168.1.* would cover the whole subnet). This is a useful trick when you are scanning an IP range looking for a particular machine. Use the command below if the output scrolls off your terminal screen.

nmap -sS -v 192.168.1.10-100 | less
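When the goal of a range scan is to find the machine that has a particular port open, paging through verbose output is the slow way. Nmap's grepable output (-oG) puts one host per line, which a few lines of awk can filter. The script below is an added example and not from the original post: it parses a hand-constructed -oG sample (the addresses and results are made up for illustration) and prints the hosts on which a given port is open. Against a live range you would feed it `sudo nmap -sS -p 80,443 -oG - 192.168.1.10-100` instead of the sample.

```shell
#!/bin/sh
# Added example (not part of the original post): filter nmap grepable (-oG)
# output down to the hosts that have a chosen port in state "open".
#
# Real usage:  sudo nmap -sS -p 80,443 -oG - 192.168.1.10-100 | hosts_with_open_port 80
#
# SAMPLE_GNMAP is constructed by hand in the -oG format so the parser can be run
# offline; the addresses and states are illustrative, not a real scan.
# Each port entry has the form  port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP='# Nmap 6.25 scan initiated Mon Oct 27 12:14:00 2014 as: nmap -sS -p 80,443 -oG - 192.168.1.10-12
Host: 192.168.1.10 ()	Status: Up
Host: 192.168.1.10 ()	Ports: 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.168.1.11 ()	Status: Up
Host: 192.168.1.11 ()	Ports: 80/filtered/tcp//http///, 443/filtered/tcp//https///
Host: 192.168.1.12 ()	Status: Up
Host: 192.168.1.12 ()	Ports: 80/open/tcp//http///, 443/closed/tcp//https///
# Nmap done at Mon Oct 27 12:16:25 2014 -- 3 IP addresses (3 hosts up) scanned in 145.02 seconds'

# hosts_with_open_port PORT
#   Reads -oG output on stdin and prints the IP of every host whose PORT is
#   exactly "open" (so "filtered", "closed" and UDP's "open|filtered" are all
#   excluded). One IP per line, in scan order.
hosts_with_open_port() {
  awk -v port="$1" '
    # Only "Host:" lines that carry a "Ports:" field describe scanned ports;
    # the "Status: Up" lines and the "#" comment lines are skipped.
    /^Host: / && /Ports: / {
      host = $2                              # "Host: <ip> (<name>)" -> $2 is the IP
      n = split($0, tok, /[ ,\t]+/)          # split on blanks, tabs and commas
      for (i = 1; i <= n; i++) {
        # A port token has at least port/state/proto; match ours if it is open.
        if (split(tok[i], f, "/") >= 3 && f[1] == port && f[2] == "open") {
          print host
          break
        }
      }
    }'
}

# Demonstration on the constructed sample.
echo "hosts with 80/tcp open:"
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open_port 80
echo "hosts with 443/tcp open:"
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open_port 443
```

The tokeniser deliberately splits on whitespace as well as the tabs nmap emits, so a copy-pasted or space-mangled -oG file still parses; matching the state string exactly avoids counting a firewall's "filtered" result as a hit, which is the mistake that sends you to the wrong box.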

Here is an example scan against hell.com. It shows that port 80 is open on this server. The "Increasing send delay" lines mean the target, or a device in front of it, was dropping probes, so nmap slowed itself down; the 150 filtered ports are the ones that never answered at all, which is why the scan took over four minutes.

ec2-user@ip-172-31-30-35 ~ $ sudo nmap -sS -v hell.com
 
Starting Nmap 6.25 ( http://nmap.org ) at 2014-10-27 11:44 UTC
Initiating Ping Scan at 11:44
Scanning hell.com (23.23.140.162) [4 ports]
Completed Ping Scan at 11:44, 1.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:44
Completed Parallel DNS resolution of 1 host. at 11:44, 0.00s elapsed
Initiating SYN Stealth Scan at 11:44
Scanning hell.com (23.23.140.162) [1000 ports]
Discovered open port 80/tcp on 23.23.140.162
Increasing send delay for 23.23.140.162 from 0 to 5 due to 136 out of 451 dropped probes since last increase.
Increasing send delay for 23.23.140.162 from 5 to 10 due to 11 out of 35 dropped probes since last increase.
SYN Stealth Scan Timing: About 51.50% done; ETC: 11:45 (0:00:30 remaining)
Increasing send delay for 23.23.140.162 from 10 to 20 due to max_successful_tryno increase to 4
Increasing send delay for 23.23.140.162 from 20 to 40 due to max_successful_tryno increase to 5
SYN Stealth Scan Timing: About 61.34% done; ETC: 11:46 (0:00:39 remaining)
Increasing send delay for 23.23.140.162 from 40 to 80 due to 15 out of 49 dropped probes since last increase.
Increasing send delay for 23.23.140.162 from 80 to 160 due to max_successful_tryno increase to 6
SYN Stealth Scan Timing: About 66.15% done; ETC: 11:47 (0:00:52 remaining)
SYN Stealth Scan Timing: About 79.17% done; ETC: 11:47 (0:00:41 remaining)
Completed SYN Stealth Scan at 11:48, 250.81s elapsed (1000 total ports)
Nmap scan report for hell.com (23.23.140.162)
Host is up (0.27s latency).
Other addresses for hell.com (not scanned): 23.21.106.33
rDNS record for 23.23.140.162: ec2-23-23-140-162.compute-1.amazonaws.com
Not shown: 849 closed ports, 150 filtered ports
PORT   STATE SERVICE
80/tcp open  http
 
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 252.38 seconds
           Raw packets sent: 2378 (104.608KB) | Rcvd: 1173 (46.924KB)

Below is an example of a range scan against three consecutive IP addresses. -P0 (spelled -Pn in newer releases) skips host discovery and treats every address as up, and -T4 selects the faster "aggressive" timing template.

ec2-user@ip-172-31-30-35 ~ $ sudo nmap -P0 -T4 23.23.140.94-96
 
Starting Nmap 6.25 ( http://nmap.org ) at 2014-10-27 12:14 UTC
Nmap scan report for ec2-23-23-140-94.compute-1.amazonaws.com (23.23.140.94)
Host is up (0.26s latency).
Not shown: 847 closed ports, 151 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
 
Nmap scan report for ec2-23-23-140-95.compute-1.amazonaws.com (23.23.140.95)
Host is up.
All 1000 scanned ports on ec2-23-23-140-95.compute-1.amazonaws.com (23.23.140.95) are filtered
 
Nmap scan report for ec2-23-23-140-96.compute-1.amazonaws.com (23.23.140.96)
Host is up (0.26s latency).
Not shown: 848 closed ports, 151 filtered ports
PORT   STATE SERVICE
80/tcp open  http
 
Nmap done: 3 IP addresses (3 hosts up) scanned in 145.02 seconds

I scanned three possible IP addresses and found servers running on two of them (80 and 443 on .94, 80 on .96). Note that all three are reported as up only because -P0 skips the ping stage and assumes every address is live; on .95 every port came back filtered, which usually means a firewall silently dropping the probes rather than a listening host. That is a pretty good effort.

Sending ICMP echo requests to a server using the hping command on Gentoo. The -1 switch puts hping in ICMP mode, which is a quick way to confirm a host is reachable and measure its round-trip time before launching a port scan.

ip-172-31-30-35 ec2-user # hping -1 hackthissite.com
HPING hackthissite.com (eth0 184.168.221.104): icmp mode set, 28 headers + 0 data bytes
len=28 ip=184.168.221.104 ttl=50 id=3987 icmp_seq=0 rtt=155.0 ms
len=28 ip=184.168.221.104 ttl=50 id=3988 icmp_seq=1 rtt=160.0 ms
len=28 ip=184.168.221.104 ttl=50 id=3989 icmp_seq=2 rtt=160.0 ms
len=28 ip=184.168.221.104 ttl=50 id=3990 icmp_seq=3 rtt=160.0 ms
len=28 ip=184.168.221.104 ttl=50 id=3991 icmp_seq=4 rtt=160.0 ms
^C
--- hackthissite.com hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 155.0/159.0/160.0 ms

There is more information about the hping command here: http://0daysecurity.com/articles/hping3_examples.html.
