scan types, begin with -s, such as nmap -s* target_host
ping options, begin with -P, such as nmap -P* target_host
I have used wireshark and nmap to see underlying actions options -P*.
When I run both command
nmap -p9527 target_host
and
nmap -sP target_host
I found that the only distinction is that -sP cannot be used with port scan option, such as -p9525.
I wanna to clarify, whether both of two option -s* and -P* are used to detect the liveness of target host.
By the way, my environment is on kali which is running on virtual host. I used tcpdump to catch packets and wireshark to analyze.And I run commands as root user.
There are many phases to an Nmap scan, and the two that these options refer to are host discovery and port or protocol scan.
The -P* family of options are all different ways to do host discovery. The default scan (if none of these is chosen) performs host discovery using the best method available. The -Pn option tells Nmap to skip this phase altogether. It used to be documented as -PN, but we changed it to conform with the other "turn this feature off" options. Before that, it was -P0, but there was confusion between that and -PO.
The -s* family of options are all different types of port and protocol scans. The default scan is a TCP port scan with either -sS or -sT, depending on privilege level. The -sn option tells Nmap to skip this phase altogether. It used to be documented as -sP (for "Ping scan"), but that caused the kind of confusion that you and others have reported.
Usually aping scan of some sort is done first, and then the hosts that have been found to be up are scanned for open ports.
You can turn the ping scan off (-Pn). There are also many types of ping scans, including TCP on an optionally specified port. Which varieties of scan are availabledepends on whether you have root privileges. IF you are not root, then ICMP echo ping is not available.
nmap -p9527 target_host with no other options will first ping the target, and then scan TCP port 9527.
A ping scan with sP (i.e. ping only) is only for testing which hosts are up. The port scan is omitted. So yeah, it's incompatible with specifying which ports should be scanned.
Related
I'm trying to understand the basics of nmap and its functionality. I am using wireshark to check the network flow. I have a question regarding the following option.
What is the difference between the following commands. Is it recommended to use the -P0 option or not?
nmap -p113 scanme.nmap.org
nmap -p113 -P0 scanme.nmap.org
I have been trying to find what the -P0 option does but i can't find it in any nmap options cheat sheet.
From the nmap manual we learn:
In previous versions of Nmap, -Pn was -P0. and -PN..
Therefore, -P0 is now -Pn.
Now what is -Pn?
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. [...]
I used nmap to look up my Raspis on my local lan and I made a mistake defining the IP-Range. Instead of
nmap -sn 192.168.2.0/24
I typed
nmap -sn 192.168.2./24
Nmap returned external IP-addresses:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-14 10:09 CEST
Nmap scan report for dns1.hadcs.de (62.138.238.1)
Host is up (0.023s latency).
Nmap scan report for cmdb.hadcs.de (62.138.238.10)
Host is up (0.032s latency).
Nmap scan report for monitoring.hadcs.de (62.138.238.15)
Host is up (0.026s latency).
Nmap scan report for confluence.hadcs.de (62.138.238.16)
...
I want to understand what's happening here. In combination with nse-options this behavior may result in serious legal problems (at least in Germany).
Probably neither of those is what you wanted, which is 192.168.2.0/24.
When you enter 192.168.2./24, the final . makes the address be interpreted as a hostname to be looked up via DNS. Your ISP (or someone) is intercepting NXDOMAIN (name not found) responses and injecting its own answers. So instead of Failed to resolve "192.168.2." which is expected, you get an answer that is something like 62.138.238.16. Nmap then applies the CIDR bitmask to expand that into the network of 256 adjacent addresses.
Using 192.168.2/24, the base address is expanded via inet_aton according to some unusual rules detailed in the man page for that function. Specifically, it is expanded to 192.168.0.2, so you end up scanning the equivalent of 192.168.0.0/24, which is also not what you wanted to scan.
The solution is to always use all 4 octets of an IPv4 address to avoid odd interpretations.
I'm trying to follow along in the nmap book and the author uses a couple of switches -sSU and -sSV, but never explains them. They are in these two search strings:
nmap -F -A -sSU ultra
nmap -PN -sSV -T4 -F www.amazon.com
Does -sSU and -sSV stand for another scan type? I couldn't find these switches in their documentation. I'm guess -sSV has something to do with version detection, but on the -sSU scan, it returned both TCP and UDP ports so I know that one's not just UDP. Any help would be appreciated, thanks.
Nmap's -s* options are all "scan types," which basically means features that can be turned on. Any that are not mutually exclusive can be combined. So when you specify -sSV you are combining -sS (TCP SYN scan) with -sV (service and application version detection). You can even combine more than two: -sSUV will do TCP and UDP port scans and follow them up with version probing.
EDITED TO ADD: "Mutually exclusive" scan types are those that scan the same transport protocol. So all TCP scan types (-sS, -sT, and the odd -sAMWFXNI types) have to be scanned separately. Also, IP Protocol scan (-sO) isn't allowed with any other scan types. Some of the odder features like FTP bounce (-b) are also probably not able to combine with the others.
I am building a web app that uses some nmap flags, such as -O, which require a root user to run. Since I'm running this through a Java application, I don't want to run everything as root to accomplish this. Is it possible to change the nmap privs to all be non-root? Alternatively, what other options are there?
Nmap requires root privileges for some operations because the underlying OS requires them for the kinds of behavior Nmap uses: raw sockets and network sniffing, primarily. It's not something you can just change.
One option would be to only use the features of Nmap that do not require root. These features include:
Reverse name resolution
TCP host discovery (e.g. not ICMP ping or ARP)
TCP Connect scan (-sT)
Service version scan (-sV)
Most NSE scripts (e.g. not the broadcast or sniffer scripts)
The features that require root are:
ICMP and UDP host discovery
TCP SYN, FIN, NULL, XMAS, and other scan modes
UDP scan
OS fingerprinting
Traceroute
A few NSE scripts
It's important to note that Nmap doesn't have protections to prevent a root user from executing arbitrary code. This means that it is very unsafe to use it as a setuid program or to allow a non-admin user to run it with sudo.
A little research has been done into running Nmap with Linux file capabilities. You can see how to do this on the Running nmap as an unprivileged user page on SecWiki.org.
I need to scan the open ports of my server.
I tried nmap by: nmap ***.dyndns.info from within my local network.
It gave me:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-09 16:05 JST
Nmap scan report for ***.dyndns.info (***.***.***.39)
Host is up (0.00097s latency).
rDNS record for ***.***.***.39: ************.ne.jp
Not shown: 994 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
Then I tried the open ports tool provided by dyndns.com by specifying a specific port like:
global ip address 23
global ip address 53
global ip address 80
For each of those tests, it gave me "timed out" as a result, which is contradictory with the nmap results.
I know that depending on the way that nmap performs the tests, it may turn out that the result is "open".
So, I think the best way to test the ports of a given server is from outside, like the dyndns open ports tool.
But I'd like to test all ports at once, as opposed to one by one.
Is there any reliable tool for that, especially that I can use in command line?
I am on ubuntu 10.10.
Try Gibson Research Corporation ShieldsUP. It will test your firewall.
Note that whether or not a port is 'open' is also a function of the requesting source host and port; it is pretty easy to configure a firewall system to open a port for a specific set of source IP and port ranges. So there's no sure-fire way to tell if a port is open or not from the outside; netstat -an or similar tools will more reliably tell you which ports are open. (Except in the case of a rootkit, but any respectable rootkit would probably limit access to the open ports to a handful of netblocks as well, just to keep their property theirs.)
It'd be a piece of cake to buy a VPS slice from your favorite hosting provider for $10 for a month and portscan your own machine; nmap's default -T3 scanning option already parallelizes the scan, which is useful, but if your network connection is decent, -T4 may go more quickly.