

Website: https://nmap.org/book/man-host-discovery.html

You may have noticed that the website link above has changed; look this one up. *wink*

Welcome back to another educating experience, demystifying nmap. In this issue, we will be looking at using files with nmap. Last issue, I mentioned in passing that you can output your scan results to a file using the redirection operator. However, the ‘correct’ way to do it is the -o switch. As in many other Linux programs, -o means “output”; -oN writes nmap's normal, human-readable output to the named file. This should be as easy to remember as -p is for port. Example:

nmap -oN classC.txt 192.168.1.0/24

Now you can open the .txt file that was written with your favourite GUI editor and run regular-expression searches on it. Speaking of regex, nmap actually has a grep-able output format. Instead of the “N” switch in our example, use the “G” switch (-oG). The file is written to your current directory, so do a pwd first. Let’s examine the differences (see the images below).

Try grep "open" router.txt on your machine (provided you saved your file as router.txt). Though if I am honest, I prefer the non-grep layout regardless of the situation; for you it may be different. Try both and see which you like.

You may not want a .txt-file, so XML format is offered as a choice too. Here we follow the -o with a capital “X”. Example:

nmap -oX myscan.xml 192.168.1.0/24

Other than output files, nmap can also take input files. It may be more of a convenience than a major feature, but it is there and I can teach you about it. An example use case is when you have a bunch of subnets to scan and you want to check certain ranges, say 1-10 and 249-254 in each subnet (usually where people put servers and routers); you list one target specification per line in the file. This one is also easy to remember; a good mnemonic is “importing a list”. Example:

nmap -iL myscan.txt

It will do the scan as if you typed it all in by hand.

Okay, back to the start: I may be old fashioned, or lazy, or both, but I just find it quicker and easier to use the redirection operator. Example:

nmap -p 22 192.168.1.1 > scan1.txt

In the Windows environment there is Angry IP Scanner, and they have a Linux version too, but it is horrible in comparison to the Windows version. Nmap can be used for this too. Basically, Angry IP Scanner scans for live hosts on the network. We achieve the same functionality in nmap with -sP. This is called a ping sweep, and should also be easy to remember. This action fires off ICMP packets onto the network. I asked you to read up on the three-way handshake to make you familiar with the SYN, SYN-ACK and ACK flags. You see, nmap also fires off TCP packets with the ACK flag set. So now we have two ways of confirming there is a live host at a certain IP address: if the host is set not to reply to ICMP requests, it will still respond to the packet with the ACK flag set. The results here can then be saved to a text file again. The output of a ping sweep is different from that of the previous scans I have told you about: you simply get a “host is up” message for each IP address that is alive.
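The input-list and grep-able output steps above, as an added POSIX shell example (not the article's or nmap's own code): it writes the -iL target list for the “1-10 and 249-254 in each subnet” case, then pulls the “host is up” lines and the open ports out of -oG output instead of eyeballing grep "open". The function names are my own, and the scan output it parses is a constructed sample, not a real scan.

```shell
# Added example (not the article's or nmap's own code). Target list for the
# "1-10 and 249-254 in each subnet" case, then parsing of -oG grepable output.
# The scan output below is a constructed sample, not a real scan.

# Write one nmap target line per /24 prefix: hosts 1-10 and 249-254.
# $1 = output file, remaining arguments = prefixes such as 192.168.1
make_target_list() {
    out=$1; shift
    : > "$out"
    for net in "$@"; do
        printf '%s.1-10,249-254\n' "$net" >> "$out"
    done
}
# Then run: nmap -sn -iL targets.txt -oG sweep.gnmap   (-sn is today's name for -sP)

# Constructed -oG sample: ping-sweep status lines plus one port-scan line per host.
# A real file starts with a "# Nmap ... scan initiated" comment line.
write_sample_grepable() {
    {
        printf '# Nmap scan initiated (constructed sample)\n'
        printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n'
        printf 'Host: 192.168.1.250 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.250 ()\tPorts: 22/filtered/tcp//ssh///\n'
        printf '# Nmap done -- 16 IP addresses (2 hosts up) scanned\n'
    } > "$1"
}

# Print the IP of every host reported up: one "Host: <ip> ()  Status: Up" line each.
live_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$1"
}

# Print "<ip> <port>/<proto>" for every open port. Fields are tab separated and
# each entry of the Ports: list looks like 22/open/tcp//ssh///
open_ports() {
    awk 'BEGIN { FS = "\t" }
    /^Host: / && /Ports: / {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, p, /, */)
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3]
            }
        }
    }' "$1"
}
```

Run live_hosts on the file a ping sweep wrote with -oG, and open_ports on the file from a port scan; both read the same grepable format.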

This is rather easy, no? The catch comes when we talk about scanning from outside the network, as pentesters do, and you have a firewall in your way. Now you need to start getting creative and shape your queries. In the next issue, we will cover customising your requests. We will ramp up the difficulty a little more, but not so much that you cannot follow along.

Let us build up a cheat sheet (below right) over the next few issues; that way, you can keep it until you don’t need it anymore. Hope you enjoyed this second demystifying nmap article and see you next issue.

As always, comments, compliments, complaints, all to: misc@fullcirclemagazine.org

issue163/c_c.1606584372.txt.gz · Last modified: 2020/11/28 18:26 by auntiee