I need to specify specific IP range for Nmap scan, for example:
192.168.1.140 - 192.168.3.255
If I do it like:
192.168.1-3.140-255
IP addresses like 192.168.2.7,192.168.3.7 won't be scanned (only 140-255 in 4th actet).
You will probably need to specify this as two different ranges. Nmap will accept as many target specifications as you like on the command line. Here's one way to do it:
nmap 192.168.1.140-255 192.168.2-3.0-255
Can't we just do this instead
nmap 192.168.1.0/24 192.168.2.0/24
Try this command:
nmap 192.168.1.140-192.168.3.255
Related
I'm trying to understand the basics of nmap and its functionality. I am using wireshark to check the network flow. I have a question regarding the following option.
What is the difference between the following commands. Is it recommended to use the -P0 option or not?
nmap -p113 scanme.nmap.org
nmap -p113 -P0 scanme.nmap.org
I have been trying to find what the -P0 option does but i can't find it in any nmap options cheat sheet.
From the nmap manual we learn:
In previous versions of Nmap, -Pn was -P0. and -PN..
Therefore, -P0 is now -Pn.
Now what is -Pn?
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. [...]
I have just started learning about the use of nmap and while doing so, I am unable to find much information on a particular command.
This is the command I am using: nmap -sP 192.168.100.0/24 to scan for the list of connected devices on the network.
While the ip address used is the subnet ip, I am having trouble understanding what /24 does.
Can someone kindly share any insights to me?
/24 specifies the netmask to use -- 24 bits in this case, so a mask of 255.255.255.0. So it will scan all addresses from 192.168.100.0 to 192.168.100.255
/24 is the prefix length used to indicate the number of network bits of an IP address.
Refer this article from Cisco: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
Also, before starting with nmap, you must have basic knowledge about computer networks to understand different types of scan.
I used nmap to look up my Raspis on my local lan and I made a mistake defining the IP-Range. Instead of
nmap -sn 192.168.2.0/24
I typed
nmap -sn 192.168.2./24
Nmap returned external IP-addresses:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-14 10:09 CEST
Nmap scan report for dns1.hadcs.de (62.138.238.1)
Host is up (0.023s latency).
Nmap scan report for cmdb.hadcs.de (62.138.238.10)
Host is up (0.032s latency).
Nmap scan report for monitoring.hadcs.de (62.138.238.15)
Host is up (0.026s latency).
Nmap scan report for confluence.hadcs.de (62.138.238.16)
...
I want to understand what's happening here. In combination with nse-options this behavior may result in serious legal problems (at least in Germany).
Probably neither of those is what you wanted, which is 192.168.2.0/24.
When you enter 192.168.2./24, the final . makes the address be interpreted as a hostname to be looked up via DNS. Your ISP (or someone) is intercepting NXDOMAIN (name not found) responses and injecting its own answers. So instead of Failed to resolve "192.168.2." which is expected, you get an answer that is something like 62.138.238.16. Nmap then applies the CIDR bitmask to expand that into the network of 256 adjacent addresses.
Using 192.168.2/24, the base address is expanded via inet_aton according to some unusual rules detailed in the man page for that function. Specifically, it is expanded to 192.168.0.2, so you end up scanning the equivalent of 192.168.0.0/24, which is also not what you wanted to scan.
The solution is to always use all 4 octets of an IPv4 address to avoid odd interpretations.
Executing following command "sudo nmap -sP 123.00.0.00" depending on the network might return:
Nmap scan report for 123.00.0.00
Host is up (0.28s latency).
MAC Address: 84:38:35:XX:XX:XX (Apple)
or (let's assume it's the same IP but different network)
Nmap scan report for Tomas-Mac-Book (123.00.0.00)
Host is up (0.28s latency).
MAC Address: 84:38:35:XX:XX:XX (Apple)
I'm guessing this depends on the network settings. Is there a way to get the device name in cases where only IP is returned with the above command?
With the -sP option, NMAP makes a DNS request to resolve the names of the IPS's:
. By default, Nmap still does reverse-DNS resolution on the hosts to
learn their names
From NMAP Host discovery options
So, if the network DNS is able to resolve the names of the hosts, NMAP returns the network names of each IP.
To avoid this DNS resolution, if you add a 'n', it is disabled so -snP, would never try to make a DNS resolution.
scan types, begin with -s, such as nmap -s* target_host
ping options, begin with -P, such as nmap -P* target_host
I have used wireshark and nmap to see underlying actions options -P*.
When I run both command
nmap -p9527 target_host
and
nmap -sP target_host
I found that the only distinction is that -sP cannot be used with port scan option, such as -p9525.
I wanna to clarify, whether both of two option -s* and -P* are used to detect the liveness of target host.
By the way, my environment is on kali which is running on virtual host. I used tcpdump to catch packets and wireshark to analyze.And I run commands as root user.
There are many phases to an Nmap scan, and the two that these options refer to are host discovery and port or protocol scan.
The -P* family of options are all different ways to do host discovery. The default scan (if none of these is chosen) performs host discovery using the best method available. The -Pn option tells Nmap to skip this phase altogether. It used to be documented as -PN, but we changed it to conform with the other "turn this feature off" options. Before that, it was -P0, but there was confusion between that and -PO.
The -s* family of options are all different types of port and protocol scans. The default scan is a TCP port scan with either -sS or -sT, depending on privilege level. The -sn option tells Nmap to skip this phase altogether. It used to be documented as -sP (for "Ping scan"), but that caused the kind of confusion that you and others have reported.
Usually aping scan of some sort is done first, and then the hosts that have been found to be up are scanned for open ports.
You can turn the ping scan off (-Pn). There are also many types of ping scans, including TCP on an optionally specified port. Which varieties of scan are availabledepends on whether you have root privileges. IF you are not root, then ICMP echo ping is not available.
nmap -p9527 target_host with no other options will first ping the target, and then scan TCP port 9527.
A ping scan with sP (i.e. ping only) is only for testing which hosts are up. The port scan is omitted. So yeah, it's incompatible with specifying which ports should be scanned.