Introduction
- Nmap is a free and open source utility for network exploration and security auditing.
- Zenmap is a multi-platform graphical frontend and results viewer for Nmap.
- Ncat is a general-purpose network sending and receiving utility, a reimplementation of Netcat.
- Ndiff is an Nmap scan comparison utility.
- Nping is a tool for packet generation and sending.
A MAC address is 6 bytes long: the first 3 bytes identify the manufacturer (the OUI), and the manufacturer then assigns a unique value for the last 3 bytes, which ensures that every MAC address is globally unique. The structure of a MAC address is shown in the following picture:
[Figure: structure of a MAC address]
MAC addresses are usually written in the form of 12 hexadecimal digits. For example, this is a valid MAC address: D8-D3-85-EA-1B-EE. Nmap is a very useful tool. It is used mainly by penetration testers, but from an operations perspective it is used by system administrators too. Nmap has a lot of different features; its MAC-related feature can be used to get the MAC addresses of the hosts in the same network segment.
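As an added example (not code from the original page or from the Nmap project), a small Python helper that parses the usual written forms of a MAC address, splits out the vendor OUI from the vendor-assigned bytes, and decodes the group and locally-administered flag bits; a locally-administered address seen on a segment is a hint that the MAC was set by software rather than burned in by a vendor.

```python
import re

# Accepts the usual textual notations: D8-D3-85-EA-1B-EE, d8:d3:85:ea:1b:ee,
# d8d3.85ea.1bee (Cisco dotted) and bare d8d385ea1bee.
_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_mac(text):
    """Return the six address bytes, or raise ValueError if text is not a MAC address."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError("not a 12-hex-digit MAC address: %r" % text)
    return bytes.fromhex(digits)


def describe_mac(text):
    """Split a MAC into its vendor (OUI) and vendor-assigned halves and decode the flag bits."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "canonical": ":".join("%02x" % b for b in mac),
        "oui": mac[:3].hex().upper(),   # first 3 bytes: organisationally unique identifier
        "nic": mac[3:].hex().upper(),   # last 3 bytes: value assigned by that vendor
        # bit 0 of the first byte: 0 = unicast, 1 = group (multicast/broadcast)
        "multicast": bool(first & 0x01),
        # bit 1 of the first byte: 0 = globally unique, 1 = locally administered
        # (a locally administered address was set by software, not by a vendor)
        "locally_administered": bool(first & 0x02),
    }


def same_vendor(a, b):
    """True when two MACs share an OUI, i.e. were assigned by the same manufacturer."""
    return parse_mac(a)[:3] == parse_mac(b)[:3]
```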
This package contains Nmap, Zenmap, Ncat, Ndiff, and Nping. It is intended to work on Intel Macs running Mac OS X 10.8 or later.
Installation of all packages is optional. Unselect Zenmap to get just the command-line tool. Unselect Nmap if you prefer to use a copy of Nmap that is already installed. Zenmap will not work without Nmap.
The nmap, ncat, ndiff, and nping command-line binaries will be installed in /usr/local/bin, and additional support files will be installed in /usr/local/share. The Zenmap application bundle will be installed in /Applications/Zenmap.app. For a full description of Nmap's installation on Mac OS, visit the page: https://nmap.org/book/inst-macosx.html
Requirements
In order to compile, build and run Nmap on Mac OS, you will require the following:
- Jhbuild for bundling and dependencies (see the BUNDLING file)
- Xcode for Mac OS 10.8 or later (https://developer.apple.com/xcode)
- Xcode Command-line Tools for Mac OS 10.8 or later (https://developer.apple.com/downloads, then download the latest version compatible with your OS version)
Installation
Ideally, you should be able to just type:

from the nmap/ directory (the root folder). For far more in-depth compilation, installation, and removal notes, read the Nmap Install Guide at https://nmap.org/book/install.html.
Files in this directory
- openssl.modules: This is a Jhbuild moduleset that can be used to build dependencies (openssl, libsvn and libapr) as required for building Nmap, Ncat, Nping and nmap-update. Use it like this:
- Makefile: The Mac OS X Makefile used to build everything specific to this OS.
- BUNDLING.md: A manual on how to setup and use Jhbuild on Mac OS X.
Zenmap
Files in zenmap/install_scripts/macosx/:
All of the files have to do with packaging on Mac OS X. They are useful only for those wanting to build binary distributions of Zenmap for Mac OS X.
- Info.plist: A properties list file template that is filled out by make-bundle.sh.
- make-bundle.sh: This script builds a .app bundle. It must be run from the root of the Zenmap source tree. The finished bundle is put in dist/Zenmap.app.
- zenmap.icns: The icon file for the bundle. It was created using the Icon Composer utility ($ open -a 'Icon Composer').
- zenmap_auth.c: This is a simple wrapper program that attempts to run launcher.sh with privileges.
- launcher.sh: A launcher script that configures the environment for Zenmap, Python, and GTK before launching the main Zenmap script file.
- zenmap.bundle: An XML configuration file for gtk-mac-bundler which specifies files and metadata for the application bundle (https://wiki.gnome.org/Projects/GTK%2B/OSX/Building).
Authorization Wrapper:
The bundling process is as follows:
- First, the bundler (make-bundle.sh) looks at the bundle XML (zenmap.bundle) and copies everything over.
- The launcher script (launcher.sh) gets renamed to the app name (Zenmap).
- The authorization wrapper is compiled to Zenmap so that it is the entry point of the app.
- The last part is filling in the Info.plist template file based on the current information in zenmap.ZenmapCore.Version.
After the bundling process is done and the app is installed, the execution path is as follows:
Zenmap (zenmap_auth) -> zenmap.bin (launcher.sh) -> python zenmap.py
Repositories and Troubleshooting
Nmap uses a read-only repository on GitHub for issue tracking and pull requests. You can contribute at the following address: https://github.com/nmap/nmap.
The read-write repository is managed with Subversion: all actual commits are made to the Subversion repository at https://svn.nmap.org.
In order to be always up to date, you can consult the Changelog here: https://nmap.org/changelog.html.
The CONTRIBUTING file
General information about contributing to Nmap can be found in the CONTRIBUTING file. It contains information specifically about Nmap's use of Github and how contributors can use Github services to participate in Nmap development.
- Nmap Examples
- Nmap Cheatsheet
- Nmap Enumeration Examples
Nmap (network mapper) is the god of port scanners, used for network discovery and the basis for most security enumeration during the initial stages of a penetration test. The tool was written and is maintained by Fyodor, AKA Gordon Lyon.
Nmap displays exposed services on a target machine along with other useful information such as the version and OS detection.
Nmap has made twelve movie appearances, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.
Nmap in a nutshell
- Host discovery
- Port discovery / enumeration
- Service discovery
- Operating system version detection
- Hardware (MAC) address detection
- Service version detection
- Vulnerability / exploit detection, using Nmap scripts (NSE)
Nmap Examples
Basic Nmap scanning examples, often used at the first stage of enumeration.
Command | Description |
---|---|
nmap -sP 10.0.0.0/24 | Ping scans the network, listing machines that respond to ping. |
nmap -p 1-65535 -sV -sS -T4 target | Full TCP port scan with service version detection - usually my first scan, I find T4 more accurate than T5 and still 'pretty quick'. |
nmap -v -sS -A -T4 target | Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services. |
nmap -v -sS -A -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services. |
nmap -v -sV -O -sS -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection. |
nmap -v -p 1-65535 -sV -O -sS -T4 target | Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan. |
nmap -v -p 1-65535 -sV -O -sS -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan. |
Aggressive scan timings are faster, but could yield inaccurate results!
T5 uses very aggressive scan timings and could lead to missed ports, T4 is a better compromise if you need fast results.
Nmap scan from file
Command | Description |
---|---|
nmap -iL ip-addresses.txt | Scans a list of IP addresses, you can add options before / after. |
Nmap output formats
Command | Description |
---|---|
nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24 | Writes 'grepable' output to a file, in this example for Netbios servers. E.g. the output file could be grepped for 'Open'. |
nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | Exports nmap XML output (to stdout) with a reference to Nmap's web stylesheet, so it renders as an HTML report in a browser. |
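Because -oG writes one tab-separated line per host, with each port as port/state/protocol/owner/service/rpc-info/version/, it is easy to post-process without grep guesswork. This added Python example (not from the original page or the Nmap project) parses a constructed -oG file and lists the hosts with 139 or 445 open, the same question the Netbios scans below answer by hand.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format, modelled on the NetBIOS scan
# in this page; the hosts and versions are made up for the example.
SAMPLE_GNMAP = """\
# Nmap 6.47 scan initiated Thu Dec 11 21:26:00 2014 as: nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24
Host: 10.0.1.12 (nas.decepticons)\tStatus: Up
Host: 10.0.1.12 (nas.decepticons)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: MEGATRON)/, 445/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: MEGATRON)/
Host: 10.0.1.20 ()\tStatus: Up
Host: 10.0.1.20 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
# Nmap done at Thu Dec 11 21:26:28 2014 -- 256 IP addresses (2 hosts up) scanned in 28.74 seconds
"""

# "Host: <ip> (<name>)" followed by tab-separated fields such as "Status:" and "Ports:"
_HOST = re.compile(r"^Host: (\S+) \((.*?)\)\t(.*)$")


def parse_gnmap(text):
    """Return (ip, hostname, port, proto, state, service, version) for every port entry."""
    rows = []
    for line in text.splitlines():
        m = _HOST.match(line)
        if not m:
            continue                      # "# Nmap ..." comment lines
        ip, name, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # each entry is port/state/protocol/owner/service/rpc-info/version/
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                rows.append((ip, name, int(port), proto, state, service, version))
    return rows


def open_ports(text, wanted=(139, 445)):
    """Hosts with at least one wanted port open: {ip: [(port, version), ...]}."""
    found = {}
    for ip, _name, port, _proto, state, _svc, version in parse_gnmap(text):
        if state == "open" and port in wanted:
            found.setdefault(ip, []).append((port, version))
    return found
```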
Nmap Netbios Examples
Command | Description |
---|---|
nmap -sV -v -p 139,445 10.0.0.1/24 | Find all Netbios servers on subnet |
nmap -sU --script nbstat.nse -p 137 target | Nmap display Netbios name |
nmap --script-args=unsafe=1 --script | Nmap check if Netbios servers are vulnerable to MS08-067 |
--script-args=unsafe=1 has the potential to crash servers / services. Be careful when running this command.
Nmap Nikto Scan
Command | Description |
---|---|
nmap -p80 10.0.1.0/24 -oG - \| nikto.pl -h - | Scans for http servers on port 80 and pipes the output into Nikto for scanning. |
nmap -p80,443 10.0.1.0/24 -oG - \| nikto.pl -h - | Scans for http/https servers on ports 80 and 443 and pipes the output into Nikto for scanning. |
Nmap Cheatsheet
Target Specification
Nmap accepts hostnames, IP addresses and subnets as targets.
Examples: blah.highon.coffee, nmap.org/24, 192.168.0.1, 10.0.0-255.1-254
Command | Description |
---|---|
-iL | inputfilename: Input from list of hosts/networks |
-iR | num hosts: Choose random targets |
--exclude | host1[,host2][,host3],... : Exclude hosts/networks |
--excludefile | exclude_file: Exclude list from file |
Host Discovery
Command | Description |
---|---|
-sL | List Scan - simply list targets to scan |
-sn | Ping Scan - disable port scan |
-Pn | Treat all hosts as online -- skip host discovery |
-PS/PA/PU/PY[portlist] | TCP SYN/ACK, UDP or SCTP discovery to given ports |
-PE/PP/PM | ICMP echo, timestamp, and netmask request discovery probes |
-PO[protocol list] | IP Protocol Ping |
-n/-R | Never do DNS resolution/Always resolve [default: sometimes] |
Scan Techniques
Command | Description |
---|---|
-sS/-sT/-sA/-sW/-sM | TCP SYN / Connect() / ACK / Window / Maimon scans |
-sU | UDP Scan |
-sN/-sF/-sX | TCP Null, FIN, and Xmas scans |
--scanflags | Customize TCP scan flags |
-sI zombie host[:probeport] | Idle scan |
-sY/-sZ | SCTP INIT / COOKIE-ECHO scans |
-sO | IP protocol scan |
-b 'FTP relay host' | FTP bounce scan |
Port Specification and Scan Order
Command | Description |
---|---|
-p | Specify ports, e.g. -p80,443 or -p1-65535 |
-p U:PORT | Scan UDP ports with Nmap, e.g. -p U:53 |
-F | Fast mode, scans fewer ports than the default scan |
-r | Scan ports consecutively - don't randomize |
--top-ports 'number' | Scan 'number' most common ports |
--port-ratio 'ratio' | Scan ports more common than 'ratio' |
Service Version Detection
Command | Description |
---|---|
-sV | Probe open ports to determine service/version info |
--version-intensity 'level' | Set from 0 (light) to 9 (try all probes) |
--version-light | Limit to most likely probes (intensity 2) |
--version-all | Try every single probe (intensity 9) |
--version-trace | Show detailed version scan activity (for debugging) |
Script Scan
Command | Description |
---|---|
-sC | equivalent to --script=default |
--script='Lua scripts' | 'Lua scripts' is a comma separated list of directories, script-files or script-categories |
--script-args=n1=v1,[n2=v2,...] | provide arguments to scripts |
--script-args-file=filename | provide NSE script args in a file |
--script-trace | Show all data sent and received |
--script-updatedb | Update script database |
--script-help='Lua scripts' | Show help about scripts |
OS Detection
Command | Description |
---|---|
-O | Enable OS Detection |
--osscan-limit | Limit OS detection to promising targets |
--osscan-guess | Guess OS more aggressively |
Timing and Performance
Options which take TIME are in seconds, or append 'ms' (milliseconds),'s' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
Command | Description |
---|---|
-T 0-5 | Set timing template - higher is faster (less accurate) |
--min-hostgroup SIZE | Parallel host scan group sizes |
--min-parallelism NUMPROBES | Probe parallelization |
--min-rtt-timeout TIME | Specifies probe round trip time |
--max-retries TRIES | Caps number of port scan probe retransmissions |
--host-timeout TIME | Give up on target after this long |
--scan-delay TIME | Adjust delay between probes |
--min-rate NUMBER | Send packets no slower than NUMBER per second |
--max-rate NUMBER | Send packets no faster than NUMBER per second |
Firewall / IDS Evasion and Spoofing
Command | Description |
---|---|
-f; --mtu VALUE | Fragment packets (optionally w/given MTU) |
-D decoy1,decoy2[,ME],... | Cloak a scan with decoys |
-S IP-ADDRESS | Spoof source address |
-e IFACE | Use specified interface |
-g PORTNUM | Use given port number |
--proxies url1,[url2],... | Relay connections through HTTP / SOCKS4 proxies |
--data-length NUM | Append random data to sent packets |
--ip-options OPTIONS | Send packets with specified ip options |
--ttl VALUE | Set IP time to live field |
--spoof-mac ADDR/PREFIX/VENDOR | Spoof NMAP MAC address |
--badsum | Send packets with a bogus TCP/UDP/SCTP checksum |
Nmap Output Options
Command | Description |
---|---|
-oN | Output Normal |
-oX | Output to XML |
-oS | Script Kiddie / 1337 speak. sigh |
-oG | Output greppable - easy to grep nmap output |
-oA BASENAME | Output in the three major formats at once |
-v | Increase verbosity level use -vv or more for greater effect |
-d | Increase debugging level use -dd or more for greater effect |
--reason | Display the reason a port is in a particular state |
--open | Only show open or possibly open ports |
--packet-trace | Show all packets sent / received |
--iflist | Print host interfaces and routes for debugging |
--log-errors | Log errors/warnings to the normal-format output file |
--append-output | Append to rather than clobber specified output files |
--resume FILENAME | Resume an aborted scan |
--stylesheet PATH/URL | XSL stylesheet to transform XML output to HTML |
--webxml | Reference stylesheet from Nmap.Org for more portable XML |
--no-stylesheet | Prevent associating of XSL stylesheet w/XML output |
Misc Nmap Options
Command | Description |
---|---|
-6 | Enable IPv6 scanning |
-A | Enable OS detection, version detection, script scanning, and traceroute |
--datadir DIRNAME | Specify custom Nmap data file location |
--send-eth/--send-ip | Send using raw ethernet frames or IP packets |
--privileged | Assume that the user is fully privileged |
--unprivileged | Assume the user lacks raw socket privileges |
-V | Show nmap version number |
-h | Show nmap help screen |
Nmap Enumeration Examples
The following are real world examples of Nmap enumeration.
Enumerating Netbios
The following example enumerates Netbios on the target networks, the same process can be applied to other services by modifying ports / NSE scripts.
Detect all exposed Netbios servers on the subnet.
Nmap find exposed Netbios servers:
```
root:~# nmap -sV -v -p 139,445 10.0.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
```
Find the Netbios name of a host.
Nmap find Netbios name:
```
root:~# nmap -sU --script nbstat.nse -p 137 10.0.1.12
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT    STATE SERVICE VERSION
137/udp open  netbios-ns
Host script results:
|_nbstat: NetBIOS name: STARSCREAM, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds
```
Check if Netbios servers are vulnerable to MS08-067
Nmap check MS08-067:
```
root:~# nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.0.1
Nmap scan report for ie6winxp.decepticons (10.0.1.1)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: NOT VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds
```
The information gathered during enumeration indicates that the target is vulnerable to MS08-067; exploitation will confirm whether it actually is.
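Added example, not part of the original write-up: a Python parser for the "Host script results" block of Nmap's normal output that turns smb-check-vulns lines into per-host results and flags only hosts with a check marked VULNERABLE, so that "NOT VULNERABLE" is never miscounted the way a naive grep for VULNERABLE would. The sample output is constructed and modelled on the scan above.

```python
import re

# Constructed -oN style output modelled on the smb-check-vulns scan above; made up for this example.
SAMPLE_OUTPUT = """\
Nmap scan report for ie6winxp.decepticons (10.0.1.1)
Host is up (0.012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

Nmap scan report for nas.decepticons (10.0.1.12)
Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN
"""

_REPORT = re.compile(r"^Nmap scan report for (.+)$")
_SCRIPT = re.compile(r"^\|_?\s+([^:]+):\s*$")     # "| smb-check-vulns:"  (script name, no value)
_CHECK = re.compile(r"^\|_?\s+([^:]+): (.+)$")    # "|   MS08-067: VULNERABLE"  (check: status)


def parse_script_results(text):
    """{host: {script: {check: status}}} from the 'Host script results' blocks."""
    results, host, script = {}, None, None
    for line in text.splitlines():
        m = _REPORT.match(line)
        if m:
            host, script = m.group(1), None   # a new host report starts
            results[host] = {}
        elif host and _SCRIPT.match(line):
            script = _SCRIPT.match(line).group(1).strip()
            results[host][script] = {}
        elif host and script and _CHECK.match(line):
            check, status = _CHECK.match(line).groups()
            results[host][script][check.strip()] = status.strip()
    return results


def vulnerable_hosts(text, script="smb-check-vulns"):
    """Hosts with at least one check reported VULNERABLE ('NOT VULNERABLE' does not count)."""
    hits = {}
    for host, scripts in parse_script_results(text).items():
        bad = [c for c, s in scripts.get(script, {}).items() if s.startswith("VULNERABLE")]
        if bad:
            hits[host] = bad
    return hits
```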