Perintah-perintah Di Nmap

A. PENGERTIAN PENGERTIAN DARI DARI NMAP NMAP nMap nMap (Netwo (Networki rking ng Map) Map) adalah adalah softwa software/ re/too tools ls yang yang masih masih popule populerr diguna digunakan kan dikalangan hacker. nMap digunakan untuk menscan port dan memetakan jaringan komp komput uter er.. nMap nMap akan akan meng menget etah ahui ui cela celah h yang ang ada ada dala dalam m sebu sebuah ah jari jaring ngan an administrato administratorr yang memiliki tingkat keamanan keamanan rendah sehingga berpotensi berpotensi untuk  dilakukan penyusupan.

Secara teori, celah dalam port jaringan memiliki kondisi berikut ini Open – Closed Filtered – Unfiltered Open/Filtered Open/Filtered - Closed/Unfiltered Closed/Unfiltered

!acking menggunakan nMap akan menampilkan port"port yang dianggap #pen dan $iltered. $iltered. %ort"port %ort"port dalam komputer komputer jaringan yang berjumlah berjumlah kurang lebih &'. kadang tidak semuanya dalam kondisi losed, maka dengan menggunakan nMap kita akan mengetahui port mana yang terkondisi *nclosed. Sedangkan port yang terfilter  ($iltered) dikarenakan firewall dalam jaringan masih aktif. +ika tidak maka paket yang keluar masuk dapat juga kita lihat,

erdapat erdapat tiga macam tipe serangan yang digunakan dalam hacking nMap, yaitu -. SN ini adal adalah ah tipe tipe seran seranga gan n yang yang pali paling ng muda mudah h dan dan bany banyak  ak  SN SCAN SCAN, ini digunakan. Syn Scan akan menampilkan hasil serangan lebih cepat, namun kelemahanya hasil yang ditampilkan tidak spesifik (umum). . FIN SCAN, Metode serangan ini lebih akaurat dibanding SN S0N. $in Scan Scan akan akan menamp menampilk ilkan an jenis" jenis" jenis jenis paket paket yang yang terfil terfilter ter dan kelema kelemahan han firew firewall all.. 1eng 1engan an megg meggun unak akan an meto metode de seran seranga gan n ini, ini, peny penyera erang ng dapa dapatt mengetahui kelemahan sistem yang akan diserang sebelum melakukan serang lebih lanjut. SCAN, %ort 2. AC! SCAN %ort yang yang terfil terfilter ter atau tidak akan akan ditamp ditampilk ilkan an disini disini.. ipe ipe

serangan ini adalah yang paling spesifik dan menampilkan hasil yang sangat akurat akurat.. 3agi 3agi anda anda yang yang terbiasa terbiasa menggu menggunak nakan an nMap, nMap, maka maka tipe tipe seranga serangan n ketiga ini yang sering digunakan meskipun sedikit rumit.

Sudah memahami tipe"tipe serangan dalam nMap4 okey serakang prakteknya. Saya menggunakan 5inu6 (*buntu) untuk penyerangan target. Misalnya target adalah """.t#r$et.%o& , berikut contoh penyerangan menggunakan ketiga jenis serangan yang telah saya jelaskan di atas tadi.

SN SCAN'

7nmap 7nmap "sS"8 "sS"8 www.t www.targ arget. et.com com (www. (www.tar target get.co .com m dapat dapat juga juga digant digantii dengan dengan 9% :omputer target)

FIN SCAN'

7nmap "s$"8 www.target.com www.target.com

AC! SCAN'

7nmap "s0 "8 www.target.com 3iasa 3iasany nyaa deng dengan an meng menggu guna naka kan n meto metode de 0: S0N S0N,, port" port" port port yang yang tert tertut utup up (losed) akan tereliminasi/tidak ditampilkan. 9ni akan memudahkan kita mengetahui celah mana yang terbuka dan serangan.

(. De)i#n / U)*nt* U)*nt* +in*,' Inst#ll n&#p Soft"#re For S%#nnin$ Net"or  . Inst#l st#ll# l#ti tion on

o install nmap for 1ebian and *buntu 5inu6 based ser;er systems s ystems type the following apt"get command $ sudo apt-get install nmap 

Sample outputs: Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed:   nmap  upgraded! " newly installed!  to remo#e and $ not upgraded. Need to get "!%&' kB of archi#es. (fter this operation! %!)"' kB of additional disk space will be used. *et:" http:++mirrors.ser#ice.networklayer.com+ubuntu+ precise+main precise+main nmap amd%& ,.$"-"."ubuntu" "!%&' kB/ 0etched "!%&' kB in s 1"%.& 2B+s3 4electing pre#iously unselected package nmap.

1Reading database ... ,%5'& files and directories currently installed.3 6npacking nmap 1from ...+nmap7,.$"-"."ubuntu"7amd%&.deb3 ... 8rocessing triggers for man-db ... 4etting up nmap 1,.$"-"."ubuntu"3 ...

C. Perint#-perint# di N&#p 0net"or &#pper1 1i bawah ini adalah beberapa contoh dari perintah"perintah tersebut. . S%#n # sin$le 2osts or #n IP #ddress nmap -<.-&=.-.nmap www.facebook.com nmap "; www.facebook.com 3. S%#n &*ltiple IP #ddress or s*)net nmap -<.-&=.-.- -<.-&=.-. -<.-&=.-.2 nmap -<.-&=.-,,2 nmap -<.-&=.-./8 nmap -<.-&=.-.> 4. E,%l*din$ osts/net"ors nmap -<.-&=.-./8 ""e6clude -<.-&=.-.< 5. T*rn on OS #nd 6ersion dete%tion s%#nnin$ nmap "0 -<.-&=.-.'8 nmap "; "0 -<.-&=.-.'8 7. Find o*t if # osts/net"ors is prote%ted )8 fire"#ll nmap "s0 -<.-&=.-.'8 9. S%#n # ost "en prote%ted )8 fire"#ll nmap "%N -<.-&=.-.'8 :. S%#n # net"or #nd nmap "s% -<.-&=.-./8

find

;. Displ#8 te re#son nmap ""reason -<.-&=.-.-

#

<. S%#n # spe%ifi% ports map "p ?port@ hostName #. == S%#n port ;> nmap "p = -<.-&=.-.). == S%#n TCP port ;> nmap "p = -<.-&=.-.%. == S%#n UDP port 74 nmap "p *'2 -<.-&=.-.d. == S%#n t"o ports ==

o*t

"i%

port

is

ser6er

in

or

de6i%es

p#rti%*l#r

is

*p

st#te

nmap "p =,882 -<.-&=.-.e. == S%#n port r#n$es == nmap "p =" -<.-&=.-.f. == Co&)ine #ll options == nmap "p *'2,---,-2A,-"',=,-2<,== -<.-&=.-.nmap "p *'2,---,-2A,-"',=,-2<,== www.facebook.com nmap "; "s* "s "p *'2,---,-2A,-"',=,-2<,== -<.-&=.-.'8 $. == S%#n #ll ports "it ? "ild%#rd == nmap "p B>B -<.-&=.-.. == S%#n top ports i.e. s%#n @n*&)er &ost %o&&on ports == nmap ""top"ports ' -<.-&=.-.nmap ""top"ports - -<.-&=.-.>. Te f#stest "#8 to s%#n #ll 8o*r de6i%es/%o&p*ters for open ports e6er nmap "' -<.-&=.-./8 . 2o" do I dete%t re&ote oper#tin$ s8ste& ou can identify a remote host apps and #S using the "# option nmap "# -<.-&=.-.nmap "# ""osscan"guess -<.-&=.-.nmap "; "# ""osscan"guess -<.-&=.-.3. 2o" do I dete%t re&ote ser6i%es 0ser6er / d#e&on1 6ersion n*&)ers nmap "sC -<.-&=.-.4. S%#n # ost *sin$ TCP AC! 0PA1 #nd TCP S8n 0PS1 pin$ 9f firewall is blocking standard 9M% pings, try the following host disco;ery methods nmap "%S -<.-&=.-.nmap "%S =,-,882 -<.-&=.-.nmap "%0 -<.-&=.-.nmap "%0 =,-,"'- -<.-&=.-.5. S%#n # ost *sin$ IP proto%ol pin$ nmap "%# -<.-&=.-.7. S%#n # ost *sin$ UDP pin$ his scan bypasses firewalls and filters that only screen % nmap "%* -<.-&=.-.nmap "%* .- -<.-&=.-.9. Find o*t te &ost %o&&onl8 *sed TCP ports *sin$ TCP SN S%#n #. === Ste#lt8 s%#n === nmap "sS -<.-&=.-.). === Find o*t te &ost %o&&onl8 *sed TCP ports *sin$ TCP %onne%t s%#n 0"#rnin$' no ste#lt s%#n1

=== OS Fin$erprintin$ === nmap "s -<.-&=.-.%. === Find o*t te &ost %o&&onl8 *sed TCP ports *sin$ TCP AC! s%#n nmap "s0 -<.-&=.-.d. === Find o*t te &ost %o&&onl8 *sed TCP ports *sin$ TCP Bindo" s%#n nmap "sD -<.-&=.-.e. === Find o*t te &ost %o&&onl8 *sed TCP ports *sin$ TCP M#i&on s%#n nmap "sM -<.-&=.-.:. S%#n # ost for UDP ser6i%es 0UDP s%#n1 Most popular ser;ices on the 9nternet run o;er the % protocol. 1NS, SNM%, and 1!% are three of the most common *1% ser;ices. *se the following synta6 to find out *1% ser;ices nmap "s* nas2 nmap "s* -<.-&=.-.;. S%#n for IP proto%ol his type of scan allows you to determine which 9% protocols (%, 9M%, 9EM%, etc.) are supported by target machines nmap "s# -<.-&=.-.<. S%#n # fire"#ll for se%*rit8 "e#ness he following scan types e6ploit a subtle loophole in the % and good for testing security of common attacks

a. 77 % Null Scan to fool a firewall to generate a response 77 77 1oes not set any bits (% flag header is ) 77 nmap "sN -<.-&=.-.'8  b. 77 % $in scan to check firewall 77 77 Sets just the % $9N bit 77 nmap "s$ -<.-&=.-.'8 c. 77 % Fmas scan to check firewall 77 77 Sets the $9N, %S!, and *GE flags, lighting the packet up like a hristmas tree 77 nmap "sF -<.-&=.-.'8

See how to block Fmas packkets, syn"floods and other conman attacks with iptables. 3>. S%#n # fire"#ll for p#%ets fr#$&ents he "f option causes the reHuested scan (including ping scans) to use tiny fragmented 9% packets. he idea is to split up the % header o;er 

se;eral packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. nmap "f -<.-&=.-.nmap "f fw.ni6craft.net.in nmap "f -' fw.ni6craft.net.in 77 Set your own offset siIe with the ""mtu option 77 nmap ""mtu 2 -<.-&=.-.3. Clo# # s%#n "it de%o8s he "1 option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. hus their 91S might report '"- port scans from uniHue 9% addresses, but they wonJt know which 9% was scanning them and which were innocent decoys

nmap "n "1decoy"ip-,decoy"ip,your"own"ip,decoy"ip2,decoy"ip8 remote"host"ip nmap "n "1-<.-&=.-.',-.'.-.,-A.-..8,2.8..- -<.-&=.-.' 33. S%#n # fire"#ll for MAC #ddress spoofin$ 777 Spoof your M0 address 77 nmap ""spoof"mac M0"011GKSS"!KGK -<.-&=.-.-

777 0dd other options 777 nmap "; "s "%N ""spoof"mac M0"011GKSS"!KGK -<.-&=.-.777 *se a random M0 address 777 777 he number , means nmap chooses a completely random M0 address 777 nmap "; "s "%N ""spoof"mac  -<.-&=.-.34. 2o" do I s#6e o*tp*t to # te,t file he synta6 is nmap -<.-&=.-.- L output.t6t nmap "oN /path/to/filename -<.-&=.-.nmap "oN output.t6t -<.-&=.-.35. To find te n&#p 6ersion enter' 7 nmap C At#* 7 nmap ;ersion S#&ple o*tp*ts'  Nmap ;ersion '.- ( http//nmap.org ) 37. To s%#n #n IP #ddress enter' 7 nmap -<.-&=.-. S#&ple o*tp*ts' 4tarting Nmap ,. 1 http:++nmap.org 3 at $"$-""-"5 "&:&" 94T 9nteresting ports on ")$."%5.".$: Not shown: )) closed ports 8;RT

4T(TE 4ER<9=E

$'+tcp open

telnet

,'+tcp open

domain

5+tcp open

http

2(= (ddress: &:&&:":&:,:0B 16nknown3

Nmap done: " 98 address 1" host up3 scanned in ".$5 seconds

39. To s%#n # r#n$e of IP #ddresses enter' > nmap ")$."%5.".$-"

3:. To s%#n #n entire s*)net' > nmap ")$."%5.".+$&

 More examples:

#. == Pin$ onl8 s%#n == nmap -s8 ")$."%5.".$

). == S%#n #nd do tr#%ero*te == nmap --traceroute 98-(DDRE44 nmap --traceroute D;2(9N-N(2E-?ERE

%. == TCP SN S%#n == nmap -s4 ")$."%5.".$

d. == UDP S%#n == nmap -s6 ")$."%5.".$

e. == IP proto%ol s%#n == nmap -s; ")$."%5.".$

f. == S%#n port ;> 37 554 == nmap -p 5 ")$."%5.".$ nmap -p http ")$."%5.".$ nmap -p $, ")$."%5.".$ nmap -p smtp ")$."%5.".$ nmap -p &&' ")$."%5.".$ nmap -p 5!$&!&&' ")$."%5.".$

$. == S%#n port r#n$es == nmap -p ,"$-"$& ")$."%5.".$

. == S%#n for OS i.e. Oper#tin$ S8ste& Dete%tion == nmap -; ")$."%5.".$ nmap -; --osscan-guess ")$."%5.".$

i.

== S%#n for #ppli%#tion ser6er 6ersion == nmap -s< ")$."%5.".$

3;. S%#n # sin$le ost or #n IP #ddress 0IP651 #. === S%#n # sin$le ip #ddress === nmap ")$."%5."."

). == S%#n # ost n#&e === nmap  ser#er".cyberciti.bi@

%. == S%#n # ost n#&e "it &ore info=== nmap -# ser#er".cyberciti.bi@

Sample outputs

3<. S%#n &*ltiple IP #ddress or s*)net 0IP651

nmap ")$."%5."." ")$."%5.".$ ")$."%5.".' ## works with same subnet i.e. 192.168.1.0/24

nmap ")$."%5."."!$!' o* %#n s%#n # r#n$e of IP #ddress too'

nmap ")$."%5."."-$ o* %#n s%#n # r#n$e of IP #ddress *sin$ # "ild%#rd'

nmap ")$."%5.".A $inally, you scan an entire subnet

nmap ")$."%5.".+$&

4>. Re#d list of osts/net"ors fro& # file 0IP651

he "i5 option allows you to read the list of target systems using a te6t file. his is useful to scan a large number of hosts/networks. reate a te6t file as follows

cat  +tmp+test.tCt Sample outputs

ser#er".cyberciti.bi@ ")$."%5.".+$& ")$."%5."."+$& ".".$.' localhost he synta6 is

nmap -i +tmp+test.tCt 4. E,%l*din$ osts/net"ors 0IP651

Dhen scanning a large number of hosts/networks you can e6clude hosts from a scan

nmap ")$."%5.".+$& --eCclude ")$."%5."., nmap ")$."%5.".+$& --eCclude ")$."%5.".,!")$."%5.".$,& #G e6clude list from a file called /tmp/e6clude.t6t

nmap -i +tmp+scanlist.tCt --eCcludefile +tmp+eCclude.tCt 43. T*rn on OS #nd 6ersion dete%tion s%#nnin$ s%ript 0IP651

nmap -( ")$."%5.".$,& nmap -# -( ")$."%5."." nmap -( -i +tmp+scanlist.tCt 44. Find o*t if # ost/net"or is prote%ted )8 # fire"#ll

nmap -s( ")$."%5.".$,& nmap -s( ser#er".cyberciti.bi@ 45. S%#n # ost "en prote%ted )8 te fire"#ll

nmap -8N ")$."%5."." nmap -8N ser#er".cyberciti.bi@ 47. S%#n #n IP69 ost/#ddress

he -6  option enable 9%;& scanning. he synta6 is

nmap nmap nmap nmap

-% -% -% -#

98#%-(ddress-?ere ser#er".cyberciti.bi@ $%:fd:"$:,"::& ( -% $%:fd:"$:,"::&

49. S%#n # net"or #nd find o*t "i% ser6ers #nd de6i%es #re *p #nd r*nnin$

his is known as host disco;ery or ping scan

nmap -s8 ")$."%5.".+$& Sample outputs ?ost ")$."%5."." is up 1.',s latency3. 2(= (ddress: B=:(E:=,:=':"%:)' 16nknown3 ?ost ")$."%5.".$ is up 1.'5s latency3. 2(= (ddress: &:&&:":&:,:0B 16nknown3 ?ost ")$."%5."., is up. ?ost nas' 1")$."%5."."$3 is up 1.)"s latency3. 2(= (ddress: :"":'$:"":",:0= 14ynology 9ncorporated3 Nmap done: $,% 98 addresses 1& hosts up3 scanned in $.5 second

4:. 2o" do I perfor& # f#st s%#n

nmap -0 ")$."%5."." 4;. Displ#8 te re#son # port is in # p#rti%*l#r st#te

nmap --reason ")$."%5."." nmap --reason ser#er".cyberciti.bi@ 4<. Onl8 so" open 0or possi)l8 open1 ports

nmap --open ")$."%5."." nmap --open ser#er".cyberciti.bi@ 5>. So" #ll p#%ets sent #nd re%ei6ed

nmap --packet-trace ")$."%5."." nmap --packet-trace ser#er".cyberciti.bi@ 5. So" ost interf#%es #nd ro*tes

his is useful for debugging (ip command or route command or netstat command like output using nmap) nmap --iflist

Sample outputs 4tarting Nmap ,. 1 http:++nmap.org 3 at $"$-""-$ $:" 94T AAAAAAAAAAAAAAAAAAAAAAAA9NTER0(=E4AAAAAAAAAAAAAAAAAAAAAAAA DE< 14?;RT3 98+2(4 TF8E 68 2(= lo 1lo3 "$..."+5 loopback up eth 1eth3 ")$."%5.".,+$& ethernet up B5:(=:%0:%,:'":E, #mnet" 1#mnet"3 ")$."%5."$"."+$& ethernet up :,:,%:=::" #mnet5 1#mnet53 ")$."%5.")."+$& ethernet up :,:,%:=::5 ppp 1ppp3 ".".").%)+'$ point$point up

AAAAAAAAAAAAAAAAAAAAAAAAAAR;6TE4AAAAAAAAAAAAAAAAAAAAAAAAAA D4T+2(4 DE< *(TEW(F "..'"."5+'$ ppp $)."''.%.',+'$ eth ")$."%5.".$ ")$."%5.".+ eth ")$."%5."$".+ #mnet" ")$."%5.").+ #mnet5 "%).$,&..+ eth "...+ ppp ...+ eth ")$."%5.".$

53. 2o" do I s%#n spe%ifi% ports map -p [port] hostName ## Scan port 80 nmap  -p 5 ")$."%5."." ## Scan TCP port 80 nmap  -p T:5 ")$."%5."." ## Scan UDP port 53 nmap  -p 6:,' ")$."%5."." ## Scan two ports ## nmap  -p 5!&&' ")$."%5."." ## Scan port ranges ## nmap  -p 5-$ ")$."%5."." ## Combine all options ## nmap -p 6:,'!"""!"'!T:$"-$,!5!"')!55 ")$."%5."." nmap -p 6:,'!"""!"'!T:$"-$,!5!"')!55 ser#er".cyberciti.bi@ nmap -# -s6 -sT -p 6:,'!"""!"'!T:$"-$,!5!"')!55 ")$."%5.".$,& ## Scan all ports with * wildcard ## nmap  -p GAG ")$."%5."." ## Scan top ports i.e. scan n!mber   most common ports ## nmap  --top-ports , ")$."%5."." nmap  --top-ports " ")$."%5."."

Sample outputs 4tarting Nmap ,. 1 http:++nmap.org 3 at $"$-""-$ ":$' 94T 9nteresting ports on ")$."%5.".": 8;RT 4T(TE 4ER<9=E $"+tcp closed ftp $$+tcp open ssh $'+tcp closed telnet $,+tcp closed smtp 5+tcp open http ""+tcp closed pop' "')+tcp closed netbios-ssn &&'+tcp closed https &&,+tcp closed microsoft-ds ''5)+tcp closed ms-term-ser# 2(= (ddress: B=:(E:=,:=':"%:)' 16nknown3 Nmap done: " 98 address 1" host up3 scanned in .," seconds

54. Te f#stest "#8 to s%#n #ll 8o*r de6i%es/%o&p*ters for open ports e6er

nmap -T, ")$."%5.".+$& 55. 2o" do I dete%t re&ote oper#tin$ s8ste&

ou can identify a remote host apps and #S using the "# option nmap -; ")$."%5."." nmap -; --osscan-guess ")$."%5."." nmap -# -; --osscan-guess ")$."%5."."

Sample outputs 4tarting Nmap ,. 1 http:++nmap.org 3 at $"$-""-$ ":$) 94T N4E: oaded  scripts for scanning. 9nitiating (R8 8ing 4can at ":$) 4canning ")$."%5."." " port/ =ompleted (R8 8ing 4can at ":$)! ."s elapsed 1" total hosts3 9nitiating 8arallel DN4 resolution of " host. at ":$) =ompleted 8arallel DN4 resolution of " host. at ":$)! .$$s elapsed 9nitiating 4FN 4tealth 4can at ":$) 4canning ")$."%5."." " ports/ Disco#ered open port 5+tcp on ")$."%5."." Disco#ered open port $$+tcp on ")$."%5."." =ompleted 4FN 4tealth 4can at ":$)! ."%s elapsed 1" total ports3 9nitiating ;4 detection 1try >"3 against ")$."%5."." Retrying ;4 detection 1try >$3 against ")$."%5."." Retrying ;4 detection 1try >'3 against ")$."%5."." Retrying ;4 detection 1try >&3 against ")$."%5."." Retrying ;4 detection 1try >,3 against ")$."%5."." ?ost ")$."%5."." is up 1.&)s latency3. 9nteresting ports on ")$."%5.".": Not shown: ))5 closed ports 8;RT 4T(TE 4ER<9=E $$+tcp open ssh 5+tcp open http 2(= (ddress: B=:(E:=,:=':"%:)' 16nknown3 De#ice type: W(8Hgeneral purposeHrouterHprinterHbroadband router Running 1I64T *6E449N*3 : inksys inuC $.&.J 1),K3! inuC $.&.JH $.%.J 1)&K3! 2ikroTik Router;4 '.J 1)$K3! eCmark embedded 1)K3! Enterasys embedded 15)K3! D-ink inuC $.&.J 15)K3! Netgear inuC $.&.J 15)K3 (ggressi#e ;4 guesses: ;penWrt White Russian .) 1inuC $.&.'3 1),K3! ;penWrt .) - .) 1inuC $.&.' - $.&.'&3 1)&K3! ;penWrt amika@e .) 1inuC $.%.$$3 1)&K3! inuC $.&.$" - $.&.'" 1likely embedded3 1)$K3! inuC $.%.", - $.%.$' 1embedded3 1)$K3! inuC $.%.", - $.%.$& 1)$K3! 2ikroTik Router;4 '.beta, 1)$K3! 2ikroTik Router;4 '." 1)$K3! inuC $.%.$& 1)"K3! inuC $.%.$$ 1)K3 No eCact ;4 matches for host 19f you know what ;4 is running on it! see http:++nmap.org+submit+ 3. T=8+98 fingerprint: ;4:4=(N1
;4:3;841;"L2$'4T""NW$K;$L2$'4T""NW$K;'L2$'NNT""NW$K;&L2$'4 T""NW$K;, ;4:L2$'4T""NW$K;%L2$'4T""3W9N1W"L&,E5KW$L&,E5KW'L&,E5KW&L&,E5K W,L&,E5KW ;4:%L&,E53E=N1RLFKD0LFKTL&KWL&%K;L2$'NN4NW$K==LNKML3T"1RLF KD0LFKTL&K4 ;4:L;K(L4OK0L(4KRDLKML3T$1RLN3T'1RLN3T&1RLFKD0LFKTL&KWLK4L(K(L K0LRK;LKR ;4:DLKML3T,1RLFKD0LFKTL&KWLK4LK(L4OK0L(RK;LKRDLKML3T%1RLF KD0LFKTL&KWL ;4:K4L(K(LK0LRK;LKRDLKML3T1RLN36"1RLFKD0LN KTL&K98L"%&K6NLKR98L*KR9D ;4:L*KR98=L*KR6=L*KR6DL*39E1RLFKD09LNKTL&K=DL43 6ptime guess: "$.)) days 1since Wed No# "& ":&&:& $"$3 Network Distance: " hop T=8 4ePuence 8rediction: DifficultyL$ 1*ood luckQ3 98 9D 4ePuence *eneration: (ll @eros Read data files from: +usr+share+nmap ;4 detection performed. 8lease report any incorrect results at http:++nmap.org+submit+ . Nmap done: " 98 address 1" host up3 scanned in "$.'5 seconds Raw packets sent: ""$% 1,'.5'$B3 H Rc#d: "%% 1&%."B3

See also $ingerprinting a web"ser;er and a dns ser;er command line tools for more information. 57. 2o" do I dete%t re&ote ser6i%es 0ser6er / d#e&on1 6ersion n*&)ers

nmap -s< ")$."%5."." Sample outputs

4tarting Nmap ,. 1 http:++nmap.org 3 at $"$-""-$ ":'& 94T 9nteresting ports on ")$."%5.".": Not shown: ))5 closed ports 8;RT 4T(TE 4ER<9=E
9f firewall is blocking standard 9M% pings, try the following host disco;ery methods

nmap nmap nmap nmap

-84 -84 -8( -8(

")$."%5."." 5!$"!&&' ")$."%5."." ")$."%5."." 5!$"!$-,"$ ")$."%5."."

5:. S%#n # ost *sin$ IP proto%ol pin$

nmap -8; ")$."%5."."

5;. S%#n # ost *sin$ UDP pin$

his scan bypasses firewalls and filters that only screen %

nmap -86 ")$."%5."." nmap -86 $.$" ")$."%5."." 5<. Find o*t te &ost %o&&onl8 *sed TCP ports *sin$ TCP SN S%#n ### Stealth" scan ### nmap  -s4 ")$."%5."." ### ind o!t the most commonl" !sed TCP ports !sing scan (  warning$ no stealth scan ) ### %S ingerprinting ### nmap  -sT ")$."%5."."

TCP connect

### ind o!t the most commonl" !sed TCP ports !sing TCP &C' scan nmap  -s( ")$."%5."." ### ind o!t the most commonl" !sed TCP ports !sing TCP (indow scan nmap  -sW ")$."%5."." ### ind o!t the most commonl" !sed TCP ports !sing TCP )aimon scan nmap  -s2 ")$."%5."."

7>. S%#n # ost for UDP ser6i%es 0UDP s%#n1

Most popular ser;ices on the 9nternet run o;er the % protocol. 1NS, SNM%, and 1!% are three of the most common *1% ser;ices. *se the following synta6 to find out *1% ser;ices

nmap -s6 nas' nmap -s6 ")$."%5."." Sample outputs 4tarting Nmap ,. 1 http:++nmap.org 3 at $"$-""-$ :,$ 94T 4tats: :,:$) elapsed 0 hosts completed +, !p- , !ndergoing UDP  Scan

6D8 4can Timing: (bout '$.&)K done  /TC$ 0,$0 +0$,,$12 remaining9nteresting ports on nas' 1")$."%5."."$3: Not shown: )), closed ports 8;RT 4T(TE 4ER<9=E """+udp openHfiltered rpcbind "$'+udp openHfiltered ntp "%"+udp openHfiltered snmp $&)+udp openHfiltered nfs ,','+udp openHfiltered @eroconf 2(= (ddress: :"":'$:"":",:0= 14ynology 9ncorporated3 Nmap done: " 98 address 1" host up3 scanned in ")).,, seconds

7. Scan

for IP protocol

his type of scan allows you to determine which 9% protocols (%, 9M%, 9EM%, etc.) are supported by target machines

nmap -s; ")$."%5."." 73. S%#n # fire"#ll for se%*rit8 "e#ness

he following scan types e6ploit a subtle loophole in the % and good for testing security of common attacks ## TCP !ll Scan to 4ool a 4irewall to generate a response ## ## Does not set an" bits (  TCP 4lag header is 0) ## nmap -sN ")$."%5.".$,& ## TCP in scan to chec 4irewall ## ## Sets 6!st the TCP 7 bit ## nmap -s0 ")$."%5.".$,& ## TCP mas scan to chec 4irewall ## ## Sets the 7 PS9 and U:; 4lags lighting the pacet !p lie a Christmas tree ## nmap -sJ ")$."%5.".$,&

See how to block Fmas packkets, syn"floods and other conman attacks with iptables. 74. S%#n # fire"#ll for p#%ets fr#$&ents

he "f option causes the reHuested scan (including ping scans) to use tiny fragmented 9% packets. he idea is to split up the % header o;er se;eral packets to make it harder for packet filters, intrusion detection systems, and other  annoyances to detect what you are doing.

nmap -f ")$."%5."." nmap -f fw$.niCcraft.net.in nmap -f ", fw$.niCcraft.net.in >> 4et your own offset si@e with the --mtu option >> nmap --mtu '$ ")$."%5."." 75. Clo# # s%#n "it de%o8s

he -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. hus their 91S might report '"- port scans from uniHue 9% addresses, but they wonJt know which 9% was scanning them and which were innocent decoys

nmap -n -Ddecoy-ip"!decoy-ip$!your-own-ip!decoyip'!decoy-ip& remote-host-ip

nmap -n ")$."%5.".,

-D")$."%5.".,!".,.".$!"$.".$.&!'.&.$."

77. S%#n # fire"#ll for MAC #ddress spoofin$ ### Spoo4 "o!r )&C address ## nmap  --spoof-mac 2(=-(DDRE44-?ERE ")$."%5."." ### &dd other options ### nmap  -# -sT -8N --spoof-mac 2(=-(DDRE44-?ERE ")$."%5."."

### Use ### The address nmap  -#

a random )&C address ### n!mber 0 means nmap    chooses a completel" random )&C ###

-sT -8N --spoof-mac  ")$."%5."."

79. 2o" do I s#6e o*tp*t to # te,t file

he synta6 is

nmap ")$."%5."."  output.tCt nmap -oN +path+to+filename ")$."%5."." nmap -oN output.tCt ")$."%5."." 7:. Not # f#n of %o&&#nd line tools

ry Ienmap the official network mapper front end enmap is the official Nmap Security Scanner E*9. 9t is a multi"platform (5inu6, Dindows, Mac #S F, 3S1, etc.) free and open source application which aims to make Nmap easy for beginners to use while pro;iding ad;anced features for  e6perienced Nmap users. $reHuently used scans can be sa;ed as profiles to make them easy to run repeatedly. 0 command creator allows interacti;e creation of   Nmap command lines. Scan results can be sa;ed and ;iewed later. Sa;ed scan results can be compared with one another to see how they differ. he results of  recent scans are stored in a searchable database. ou can install Ienmap using the following apt"get command

S sudo apt-get install @enmap Sample outputs sudo/ password for #i#ek: Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed:   @enmap  upgraded! " newly installed!  to remo#e and "" not upgraded.

Need to get %"% kB of archi#es. (fter this operation! "!5$ kB of additional disk space will be used. *et:" http:++debian.osuosl.org+debian+ sPuee@e+main @enmap amd%& ,.-' %"% kB/ 0etched %"% kB in 's 1")) kB+s3 4electing pre#iously deselected package @enmap. 1Reading database ... $5"", files and directories currently installed.3 6npacking @enmap 1from ...+@enmap7,.-'7amd%&.deb3 ... 8rocessing triggers for desktop-file-utils ... 8rocessing triggers for gnome-menus ... 8rocessing triggers for man-db ... 4etting up @enmap 1,.-'3 ... 8rocessing triggers for python-central ...

ype the following command to start Ienmap S sudo @enmap

Sample outputs

D. Men$$*n##n NMAP IP d#n Port S%#nner Di U)*nt* ara untuk install nmap di *buntu sangatlah mudah, cuma melakukan download dari internet  yasseryasser-laptop:US sudo apt-get install nmap sudo/ password for yasser: Reading package listsV Done Building dependency tree Reading state informationV Done The following packages were automatically installed and are no longer rePuired: linuC-headers-$.%.'$-$" linuC-headers-$.%.'$-$"-generic 6se apt-get autoremo#eX to remo#e them. The following eCtra packages will be installed: liblua,."- The following NEW packages will be installed: liblua,."- nmap  upgraded! $ newly installed!  to remo#e and $) not upgraded. Need to get "!%"kB of archi#es. (fter this operation! %!,&"kB of additional disk space will be used. Do you want to continue F+n/ y *et:" http:++id.archi#e.ubuntu.com+ubuntu+ lucid+main liblua,."- ,.".&-, 5$.$kB/ *et:$ http:++id.archi#e.ubuntu.com+ubuntu+ lucid+main nmap ,.-' "!,5)kB/ 0etched "!%"kB in ,s 1''kB+s3 4electing pre#iously deselected package liblua,."-. 1Reading database V "&)'" files and directories currently installed.3 6npacking liblua,."- 1from V+liblua,."-7,.".&-,7i'5%.deb3 V 4electing pre#iously deselected package nmap. 6npacking nmap 1from V+archi#es+nmap7,.-'7i'5%.deb3 V 8rocessing triggers for man-db V 4etting up liblua,."- 1,.".&-,3 V 4etting up nmap 1,.-'3 V 8rocessing triggers for libc-bin V ldconfig deferred processing now taking place

to run nmap to scan ip address with range 10.10.28.0 – 10.10.28.254, ou !ust run command " yasseryasser-laptop:US nmap -s8 ".".$5.+$& and the result : 4tarting Nmap ,. 1 http:++nmap.org 3 at $"-5-' ":$' W9T ?ost ".".$5." is up 1.$,s latency3. ?ost ".".$5.' is up 1.'$s latency3.

?ost ".".$5. is up 1.)5s latency3. ?ost ".".$5.) is up 1.$$s latency3. ?ost ".".$5.$" is up 1.'$s latency3. ?ost ".".$5.$$ is up 1.'s latency3. ?ost ".".$5.&" is up 1."$s latency3. ?ost ".".$5.&$ is up 1.""s latency3. ?ost ".".$5.&' is up 1."s latency3. ?ost ".".$5.&& is up 1."s latency3. ?ost ".".$5.&, is up 1."'s latency3. ?ost ".".$5.&% is up 1."$s latency3. ?ost ".".$5.& is up 1."%s latency3. ?ost ".".$5.&5 is up 1.",s latency3. ?ost ".".$5.&) is up 1.",s latency3. ?ost ".".$5., is up 1.",s latency3. ?ost ".".$5.," is up 1."$s latency3. ?ost ".".$5." is up 1."$s latency3. ?ost ".".$5.", is up 1.&"s latency3. ?ost ".".$5."'" is up 1.&"s latency3. Nmap done: $,% 98 addresses 1$ hosts up3 scanned in $.'% seconds

Port Scanning ith range !00"!50 yasseryasser-laptop:US nmap ".".$5.$$ -p"-", 4tarting Nmap ,. 1 http:++nmap.org 3 at $"-5-' ":'' W9T 9nteresting ports on ".".$5.$$: Not shown: &) closed ports 8;RT 4T(TE 4ER<9=E "',+tcp open msrpc "')+tcp open netbios-ssn Nmap done: " 98 address 1" host up3 scanned in "."% seconds

#or Scan $perating S%stem : yasseryasser-laptop:US sudo nmap ".".$5.$$ -; 4tarting Nmap ,. 1 http:++nmap.org 3 at $"-5-' ":', W9T 9nteresting ports on ".".$5.$$: Not shown: )55 closed ports 8;RT 4T(TE 4ER<9=E "',+tcp open msrpc "')+tcp open netbios-ssn &&,+tcp open microsoft-ds ''5)+tcp open ms-term-ser# ,""+tcp open admdog &)",$+tcp open unknown &)",'+tcp open unknown &)",&+tcp open unknown &)",,+tcp open unknown &)",%+tcp open unknown &)",+tcp open unknown &)"%+tcp open unknown 2(= (ddress: :&:&B:"%:,):5) 1N#idia3 De#ice type: general purpose Running: 2icrosoft Windows
nmap &aster 'xection

# %o ant to ma*e #aster scan+ se ",- option on nmap command. yasseryasser-laptop:US sudo nmap -( -T& ".".$5.' 4tarting Nmap ,. 1 http:++nmap.org 3 at $"-5-' ":'5 W9T 9nteresting ports on ".".$5.': Not shown: ))5 closed ports 8;RT 4T(TE 4ER<9=E
Top 4> N&#p Co&&#nd E,#&ples For S8s/Net"or Ad&ins

 Nmap is short for Network Mapper. 9t is an open source security tool for network e6ploration, security scanning and auditing. !owe;er, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users. he purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible ;ulnerable points in the hosts. ou will also learn how to use Nmap for offensi;e and defensi;e purposes.

nmap in action

More about nmap $rom the man page  Nmap (BNetwork MapperB) is an open source tool for network e6ploration and security auditing. 9t was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw 9% packets in no;el ways to determine what hosts are a;ailable on the network, what ser;ices (application name and ;ersion) those hosts are offering, what operating systems (and #S ;ersions) they are running, what type of packet filters/firewalls are in use, and doIens of other characteristics. Dhile Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network in;entory, managing ser;ice upgrade schedules, and monitoring host or ser;ice uptime. 9t was originally written by Eordon 5yon and it can answer the following Huestions easily

1. What computers did you fnd running on the local network? 2. What IP addresses did you fnd running on the local network? 3. What is the operating system o your target machine? 4. ind out what ports are open on the machine that you !ust scanned? ". ind out i the system is inected with malware or #irus. $. %earch or unauthori&ed ser#ers or network ser#ice on your network. '. ind and remo#e computers which don(t meet the organi&ation(s minimum le#el o security.

Sample setup (LAB) %ort scanning may be illegal in some jurisdictions. So setup a lab as follows  

O---------O O---------O H Network H O--------O H ser#er" H-----------O swtich O---------Hser#er$ H O---------O H 1sw3 H O--------O O----O----O H H O---------O----------O H wks" inuC+;4J H O--------------------O

 

   

Dhere, •

•

•

•

wks)1 is your computer either running *inu+,-%  or /ni+ like operating system. It is used or scanning your local network. 0he nmap command must e installed on this computer. ser#er1 can e powered y *inu+ , /ni+ , %Windows operating systems.  0his is an unpatched ser#er. eel ree to install a ew ser#ices such as a weser#er fle ser#er and so on. ser#er2 can e powered y *inu+ , /ni+ , %Windows operating systems.  0his is a ully patched ser#er with frewall. 5gain eel ree to install ew ser#ices such as a weser#er fle ser#er and so on. 5ll three systems are connected #ia switch.

T*tori#l N&#p %ublished about a year ago by andra 0di %utra  Nmap adalah tool yang digunakan untuk mengecek port yang terbuka dari sebuah ser;er atau komputer. :etika sebuah port jaringan terbuka maka pasti ada layanan dibelakangnya, bisa  berupa webser;er, $% dan layanan lainnya. Nmap sendiri adalah tool hacking yang sangat canggih dan komplek. Nmap tersedia baik di 5inu6 maupun windows. +ika anda pengguna ubuntu anda bisa menginstallnya dengan cara sudo apt-get install nmap

Sedangkan jika anda pemakai windows silahkan download installernya di nmap.org 1i tutorial ini saya hanya akan mengajarkan cara praktis memakai nmap untuk melakukan 2 hal yaitu -. Mendeteksi komputer yang hidup dalam jaringan . Mendeteksi port yang terbuka 2. Mendeteksi #S komputer target Mendetesi o&p*ter 8#n$ id*p d#l#& #rin$#n %erintah nmap -48 rangeip/ =:YDocuments and 4ettingsYcandranmap

-s8 ")$."%5.,,.,-%

4tarting Nmap %." 1 http:++nmap.org 3 at $"$-"-$) ":$% 4E (sia Nmap scan report for ")$."%5.,,.,, ?ost is up 1.s latency3. 2(= (ddress: 0:DE:0":%%:"":$= 1Wistron 9nfo=omm 1unshan3=o3 Nmap scan report for ")$."%5.,,.,% ?ost is up 1.5s latency3. 2(= (ddress: )::&E:5:0:(5 1?on ?ai 8recision 9nd. =o.3 Nmap scan report for ")$."%5.,,., ?ost is up 1.%'s latency3. 2(= (ddress: B=:&:%:=:D(:,E 14amsung Electronics =o.3 Nmap done: & 98 addresses 1' hosts up3 scanned in ".$5 seconds

1ari hasil analisa tampak bahwa dari range ip -<.-&=.''.'  -<.-&=.''.& ada 2 komputer  yan hidup. Nilai plusnya anda juga bisa melihat mac 0ddres sekaligus merek kartu  jaringannya. Mendetesi Port 8#n$ ter)*# +ika yang kita scan adalah ser;er yang sedang kita bangun, kita bisa dengan cepat mengecek

apakah sebuah ser;ice berjalan atau tidak dengan nmap. ontoh realnya ketika anda menginstall SS! ser;er namun ketika di remote selalu gagal, bisa saja karena memang ser;ice SS! belum di jalankan. %erintah  nmap -s4 98target/ =:YDocuments and 4ettingsYcandranmap -s4 ")$."%5.,,.,, 4tarting Nmap %." 1 http:++nmap.org 3 at $"$-"-$) ":'$ 4E (s Nmap scan report for ")$."%5.,,.,, ?ost is up 1.'$s latency3. Not shown: )5) closed ports 8;RT 4T(TE 4ER<9=E "',+tcp open msrpc "')+tcp open netbios-ssn &&,+tcp open microsoft-ds ,5+tcp open #nc-http ,)+tcp open #nc 2(= (ddress: )::&E:5:0:(5 1?on ?ai 8recision 9nd. =o.3

1ari hasil scanning, tampak bahwa ada ' port yang terbuka. 1ari layananya port port ini ternyata menyediakan file sharing dan remote desktop CN. sepertinya :omputernya menggunakan windows4 api anda yakin itu windows4 Mari kita gunakan teknik ke 2. Mendetesi Siste& oper#si t#r$et  perintah nmap -; iptarget/ =:YDocuments and 4ettingsYcandranmap -; ")$."%5.,,.,, 4tarting Nmap %." 1 http:++nmap.org 3 at $"$-"-$) ":$5 4E (sia 4tandard T Nmap scan report for ")$."%5.,,.,, ?ost is up 1.,'s latency3. Not shown: )5) closed ports 8;RT 4T(TE 4ER<9=E "',+tcp open msrpc "')+tcp open netbios-ssn &&,+tcp open microsoft-ds ,5+tcp open #nc-http ,)+tcp open #nc 2(= (ddress: )::&E:5:0:(5 1?on ?ai 8recision 9nd. =o.3 De#ice type: general purpose Running: 2icrosoft Windows H$5 ;4 =8E: cpe:+o:microsoft:windows7 cpe:+o:microsoft:windows7ser#er7$5::sp" ;4 details: 2icrosoft Windows  or Windows 4er#er $5 48" Network Distance: " hop

 Nmap tidak bisa memberikan info pasti tentang #S, namun hanya terbatas menebak sistem operasi yang dipakai. %erhatikan hasil scan diatas, ip -<.-&=.''.'' kemungkinan besar menggunakan Dindows A atau Dindows ser;er =.

!al yang penting saat menggunakan nmap, gunakan pada jaringan anda sendiri, bukan  jaringan orang lain. Nmap sendiri mempunyai banyak parameter dan fitur lain yang sangat canggih, apa yang saya tulis disini tidak lebih dari -O kemampuan nmap yang sebenarnya. up, sekian dulu semoga tutorial ini bermanfaat.