
Nmap is a port scanning and host identification tool I use all the time.

It is multi-platform and open source, supporting Windows, Mac, Linux, FreeBSD, and more. You can download Nmap here.

Why would we need Nmap?
Nmap is a great tool to use when needing to find what hosts are on a given network or IP, and what ports and services are running on those hosts. Nmap has many built-in features and scripts to aid in the detection and identification of services running within a host, and with proper tweaking, you can discover a lot of information not intended to be public.

Let me go over some basic features provided in Nmap. For this quick guide, I will be going over the Command Line version of Nmap. There is a GUI version for Windows which also allows you to specify command line options so it should be the same.

The Output
When scanning for open ports, you may be confused by the output. Refer to the screenshot above. When specifying Nmap to do the default port scan, you will get the following items in the report:

1. The IP Address of the target scanned
2. Whether or not the host is up and what is the latency of the host.
3. The amount of closed ports. (Ports not shown)
4. A list of ports, their state, and their service
5. The Mac Address of the host.

With the list of ports shown in the report, you will see the port number, the protocol, the state, and the service. The PORT column specifies number and protocol (TCP or UDP) of the port scanned. The STATE column specifies the status of the port (open, closed, filtered, unfiltered, open|filtered, or closed|filtered) (read here for more information on STATE), and the SERVICE column specifies what service typically runs on that port. (You can do a version scan for more details on this; see below.)

We will be using 192.168.154.0 as our TARGET NETWORK and 192.168.1.129 as our TARGET BOX.

Scanning for live hosts on a network (Ping scan)
Occasionally you may want to scan an entire network to see what hosts are up. You can use Nmap's ping scan feature for host discovery. Do this by specifying the -sP option and then your target network. With Nmap, you can specify a range of IP addresses using the hyphen. In this case, we will scan all the IP addresses from 192.168.154.1 - 192.168.154.254 by using: 192.168.154.1-254

nmap -sP 192.168.154.1-254

Scanning basic ports (Port Scan)
Once you find all the live hosts on a network, you can port scan specific devices. The basic scan will scan the top 1000 TCP ports on the target. To do a basic port scan, you can just use Nmap's default options. Specify just the target or targets.

nmap 192.168.154.129
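
The default report described under "The Output", parsed into structured fields and checked against an approved-port list, as an added example that is not part of the original guide. The sample report, its MAC address, and the ALLOWED policy set are constructed for illustration.

```python
import re

# Constructed sample of a default Nmap report (not captured from a real scan).
SAMPLE = """\
Nmap scan report for 192.168.154.129
Host is up (0.00045s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
139/tcp  filtered      netbios-ssn
3306/tcp open          mysql
MAC Address: 00:0C:29:AA:BB:CC (VMware)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Hypothetical policy: services this host is approved to expose.
ALLOWED = {(22, "tcp"), (80, "tcp")}

def parse_report(text):
    """Parse one host's default (normal-format) Nmap report into a dict."""
    host = {"ip": None, "up": False, "latency_s": None,
            "not_shown": None, "mac": None, "ports": []}
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (?:.*\()?([\d.]+)\)?$", line):
            host["ip"] = m.group(1)
        elif m := re.match(r"Host is up(?: \(([\d.]+)s latency\))?", line):
            host["up"] = True
            host["latency_s"] = float(m.group(1)) if m.group(1) else None
        elif m := re.match(r"Not shown: (\d+)", line):
            host["not_shown"] = int(m.group(1))
        elif m := re.match(r"MAC Address: ([0-9A-Fa-f:]{17})", line):
            host["mac"] = m.group(1)
        elif m := PORT_RE.match(line):
            host["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                  "state": m.group(3), "service": m.group(4)})
    return host

def unexpected_open(host, allowed=ALLOWED):
    """Ports that may be reachable (open or open|filtered) but not approved."""
    return [p for p in host["ports"]
            if p["state"] in ("open", "open|filtered")
            and (p["port"], p["proto"]) not in allowed]

if __name__ == "__main__":
    report = parse_report(SAMPLE)
    print(report["ip"], report["mac"], report["not_shown"])
    for p in unexpected_open(report):
        print("unexpected:", p["port"], p["proto"], p["service"])
```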

Scanning Versions for specific hosts (Version Scan)
After finding all the open ports on a system, you can run a version scan for those ports. You may want to run a version scan to figure out exactly what services are running behind those ports and what the versions of those services are. Do this by specifying the -sV option.

nmap -sV 192.168.154.129

Operating System Scanning
You can use Nmap to scan and attempt to identify the Operating System of the target host. You can use the -O command to do so.

nmap -O 192.168.154.129

Scanning open UDP Ports (UDP Scan)
Some services may also be listening for UDP connections. You can specify Nmap to do a UDP scan by using the -sU command. Note that you do need elevated privileges for this and it can potentially take a long time.

nmap -sU 192.168.154.129

Some notes:
You can use the -T[0-5] option to specify the timing of nmap. (Higher is faster) The default speed is -T3. If we specify -T0, nmap will be much more patient and scan slower than specifying -T5. With -T5, nmap will be a lot more aggressive in timing and will sacrifice accuracy for speed. Slower speeds can be used for IDS evasion while faster speeds can possibly crash a network and are much louder/more detectable.

Remember you can specify more than one command at a time. In this case, we will specify the version scanning (-sV) command, the Operating System Scan command (-O) and a speed of 5 (-T5). (I do not recommend -T5)

nmap -sV -O -T5 192.168.154.129
