
A. WHAT NMAP IS

Nmap (Network Mapper) is a software tool that is still popular among hackers. Nmap is used to scan ports and to map computer networks. Nmap reveals the gaps in a network whose administrator has set a low level of security, so that the network is open to intrusion.

In theory, a network port can be in one of the following states: Open, Closed, Filtered, Unfiltered, Open/Filtered, or Closed/Unfiltered.

Hacking with Nmap shows the ports that are considered Open and Filtered. Of the roughly 65,000 ports on a networked computer, not all are always Closed, so with Nmap we can find out which ports are not closed. A port is Filtered when a firewall on the network is still active; if it is not, we can also see the packets going in and out.

There are three kinds of attack used in hacking with Nmap:

1. SYN SCAN: this is the easiest and most widely used type. A SYN scan returns its results faster, but its weakness is that the results shown are not specific (general).
2. FIN SCAN: this method is more accurate than the SYN SCAN. A FIN scan shows which kinds of packets are filtered and where the firewall is weak. Using this method, an attacker can learn the weaknesses of the target system before attacking further.
3. ACK SCAN: whether or not a port is filtered is shown here. This type is the most specific and gives very accurate results. Those who are used to Nmap use this third type most often, even though it is a little complicated.

Understood the attack types in Nmap? OK, now the practice. I use Linux (Ubuntu) to attack the target. Suppose the target is www.target.com; here are examples using the three scan types explained above.

SYN SCAN:
# nmap -sS -T4 www.target.com (www.target.com can also be replaced with the IP address of the target computer)
FIN SCAN:
# nmap -sF -T4 www.target.com
ACK SCAN:
# nmap -sA -T4 www.target.com

Usually with the ACK SCAN method, closed ports are eliminated and not shown. This makes it easier to see which gaps are open to attack.
B. Debian / Ubuntu Linux: Install nmap Software For Scanning Network

1. Installation
To install nmap for Debian and Ubu ntu Linux based server systems type the following apt-get command:
$ sudo apt-get install nmap
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  nmap
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 1,643 kB of archives.
After this operation, 6,913 kB of additional disk space will be used.
Get:1 http://mirrors.service.networklayer.com/ubuntu/ precise/main nmap amd64 5.21-1.1ubuntu1 [1,643 kB]
Fetched 1,643 kB in 0s (16.4 MB/s)
Selecting previously unselected package nmap.
(Reading database ... 56834 files and directories currently installed.)
Unpacking nmap (from .../nmap_5.21-1.1ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up nmap (5.21-1.1ubuntu1) ...
C. Commands in Nmap (network mapper)
Below are some examples of those commands.
1. Scan a single host or an IP address
nmap 192.168.1.1
nmap www.facebook.com
nmap -v www.facebook.com
2. Scan multiple IP addresses or a subnet
nmap 192.168.1.1 192.168.1.2 192.168.1.3
nmap 192.168.1.1,2,3
nmap 192.168.1.0/24
nmap 192.168.1.*
3. Excluding hosts/networks
nmap 192.168.1.0/24 --exclude 192.168.1.9
4. Turn on OS and version detection scanning
nmap -A 192.168.1.254
nmap -v -A 192.168.1.254
5. Find out if a host/network is protected by a firewall
nmap -sA 192.168.1.254
6. Scan a host when protected by a firewall
nmap -PN 192.168.1.254
7. Scan a network and find out which servers or devices are up
nmap -sP 192.168.1.0/24
8. Display the reason a port is in a particular state
nmap --reason 192.168.1.1
9. Scan specific ports
nmap -p [port] hostName
a. ## Scan port 80
nmap -p 80 192.168.1.1
b. ## Scan TCP port 80
nmap -p T:80 192.168.1.1
c. ## Scan UDP port 53
nmap -p U:53 192.168.1.1
d. ## Scan two ports ##
nmap -p 80,443 192.168.1.1
e. ## Scan port ranges ##
nmap -p 80-200 192.168.1.1
f. ## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 www.facebook.com
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
g. ## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1
h. ## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1
10. The fastest way to scan all your devices/computers for open ports ever
nmap -T5 192.168.1.0/24
11. How do I detect the remote operating system?
You can identify a remote host's apps and OS using the -O option:
nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1
12. How do I detect remote services (server / daemon) version numbers?
nmap -sV 192.168.1.1
13. Scan a host using TCP ACK (PA) and TCP SYN (PS) ping
If a firewall is blocking standard ICMP pings, try the following host discovery methods:
nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1
14. Scan a host using IP protocol ping
nmap -PO 192.168.1.1
15. Scan a host using UDP ping
This scan bypasses firewalls and filters that only screen TCP:
nmap -PU 192.168.1.1
nmap -PU 2000.2001 192.168.1.1
16. Find out the most commonly used TCP ports using TCP SYN Scan
a. ### Stealthy scan ###
nmap -sS 192.168.1.1
b. ### Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
### OS Fingerprinting ###
nmap -sT 192.168.1.1
c. ### Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1
d. ### Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1
e. ### Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1
17. Scan a host for UDP services (UDP scan)
Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:
nmap -sU nas03
nmap -sU 192.168.1.1
18. Scan for IP protocol
This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:
nmap -sO 192.168.1.1
19. Scan a firewall for security weakness
The following scan types exploit a subtle loophole in TCP and are good for testing security against common attacks:
a. ## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254
b. ## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254
c. ## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254
See how to block Xmas packets, syn-floods and other common attacks with iptables.
20. Scan a firewall for packet fragments
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.
nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
nmap -f 15 fw2.nixcraft.net.in
## Set your own offset size with the --mtu option ##
nmap --mtu 32 192.168.1.1
21. Cloak a scan with decoys
The -D option makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys:
nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5
22. Scan a firewall for MAC address spoofing
### Spoof your MAC address ###
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
### Use a random MAC address ###
### The number 0 means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0 192.168.1.1
23. How do I save output to a text file?
The syntax is:
nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
24. To find the nmap version, enter:
# nmap -V
Or
# nmap --version
Sample outputs:
Nmap version 5.21 ( http://nmap.org )
25. To scan an IP address, enter:
# nmap 192.168.1.2
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-18 14:41 IST
Interesting ports on 192.168.1.2:
Not shown: 997 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
26. To scan a range of IP addresses, enter:
# nmap 192.168.1.2-10
27. To scan an entire subnet:
# nmap 192.168.1.0/24
More examples:
a. ## Ping only scan ##
nmap -sP 192.168.1.2
b. ## Scan and do traceroute ##
nmap --traceroute IP-ADDRESS
nmap --traceroute DOMAIN-NAME-HERE
c. ## TCP SYN Scan ##
nmap -sS 192.168.1.2
d. ## UDP Scan ##
nmap -sU 192.168.1.2
e. ## IP protocol scan ##
nmap -sO 192.168.1.2
f. ## Scan port 80, 25, 443 ##
nmap -p 80 192.168.1.2
nmap -p http 192.168.1.2
nmap -p 25 192.168.1.2
nmap -p smtp 192.168.1.2
nmap -p 443 192.168.1.2
nmap -p 80,25,443 192.168.1.2
g. ## Scan port ranges ##
nmap -p 512-1024 192.168.1.2
h. ## Scan for OS i.e. Operating System Detection ##
nmap -O 192.168.1.2
nmap -O --osscan-guess 192.168.1.2
i. ## Scan for application server version ##
nmap -sV 192.168.1.2
28. Scan a single host or an IP address (IPv4)
a. ### Scan a single ip address ###
nmap 192.168.1.1

b. ### Scan a host name ###
nmap server1.cyberciti.biz

c. ### Scan a host name with more info ###
nmap -v server1.cyberciti.biz

29. Scan multiple IP addresses or a subnet (IPv4)
nmap 192.168.1.1 192.168.1.2 192.168.1.3
## works with same subnet i.e. 192.168.1.0/24
nmap 192.168.1.1,2,3
You can scan a range of IP addresses too:
nmap 192.168.1.1-20
You can scan a range of IP addresses using a wildcard:
nmap 192.168.1.*
Finally, you scan an entire subnet:
nmap 192.168.1.0/24
30. Read list of hosts/networks from a file (IPv4)
The -iL option allows you to read the list of target systems using a text file. This is useful to scan a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt
Sample outputs:
server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost
The syntax is:
nmap -iL /tmp/test.txt
31. Excluding hosts/networks (IPv4)
When scanning a large number of hosts/networks you can exclude hosts from a scan:
nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
## exclude list from a file called /tmp/exclude.txt
nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt
32. Turn on OS and version detection scanning script (IPv4)
nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt
33. Find out if a host/network is protected by a firewall
nmap -sA 192.168.1.254
nmap -sA server1.cyberciti.biz
34. Scan a host when protected by the firewall
nmap -PN 192.168.1.1
nmap -PN server1.cyberciti.biz
35. Scan an IPv6 host/address
The -6 option enables IPv6 scanning. The syntax is:
nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4
36. Scan a network and find out which servers and devices are up and running
This is known as host discovery or ping scan:
nmap -sP 192.168.1.0/24
Sample outputs:
Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second
37. How do I perform a fast scan?
nmap -F 192.168.1.1
38. Display the reason a port is in a particular state
nmap --reason 192.168.1.1
nmap --reason server1.cyberciti.biz
39. Only show open (or possibly open) ports
nmap --open 192.168.1.1
nmap --open server1.cyberciti.biz
40. Show all packets sent and received
nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.cyberciti.biz
41. Show host interfaces and routes
This is useful for debugging (ip command or route command or netstat command like output using nmap):
nmap --iflist
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 20:01 IST
************************INTERFACES************************
DEV    (SHORT)  IP/MASK           TYPE        UP MAC
lo     (lo)     127.0.0.1/8       loopback    up
eth0   (eth0)   192.168.1.5/24    ethernet    up B8:AC:6F:65:31:E5
vmnet1 (vmnet1) 192.168.121.1/24  ethernet    up 00:50:56:C0:00:01
vmnet8 (vmnet8) 192.168.179.1/24  ethernet    up 00:50:56:C0:00:08
ppp0   (ppp0)   10.1.19.69/32     point2point up

**************************ROUTES**************************
DST/MASK          DEV    GATEWAY
10.0.31.178/32    ppp0
209.133.67.35/32  eth0   192.168.1.2
192.168.1.0/0     eth0
192.168.121.0/0   vmnet1
192.168.179.0/0   vmnet8
169.254.0.0/0     eth0
10.0.0.0/0        ppp0
0.0.0.0/0         eth0   192.168.1.2


42. How do I scan specific ports?
nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1

## Scan TCP port 80
nmap -p T:80 192.168.1.1

## Scan UDP port 53
nmap -p U:53 192.168.1.1

## Scan two ports ##
nmap -p 80,443 192.168.1.1

## Scan port ranges ##
nmap -p 80-200 192.168.1.1

## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1

## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

43. The fastest way to scan all your devices/computers for open ports ever
nmap -T5 192.168.1.0/24
44. How do I detect the remote operating system?
You can identify a remote host's apps and OS using the -O option:

nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
           Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)
See also: Fingerprinting a web-server and a dns server command line tools for more information.
45. How do I detect remote services (server / daemon) version numbers?
nmap -sV 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
80/tcp open  http?
1 service unrecognized despite returning data.
46. Scan a host using TCP ACK (PA) and TCP SYN (PS) ping
If a firewall is blocking standard ICMP pings, try the following host discovery methods:
nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1
47. Scan a host using IP protocol ping
nmap -PO 192.168.1.1
48. Scan a host using UDP ping
This scan bypasses firewalls and filters that only screen TCP:
nmap -PU 192.168.1.1
nmap -PU 2000.2001 192.168.1.1
49. Find out the most commonly used TCP ports using TCP SYN Scan

### Stealthy scan ###
nmap -sS 192.168.1.1

### Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
### OS Fingerprinting ###
nmap -sT 192.168.1.1

### Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1

### Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1

### Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1

50. Scan a host for UDP services (UDP scan)
Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:
nmap -sU nas03
nmap -sU 192.168.1.1
Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)

Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

51. Scan for IP protocol
This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:
nmap -sO 192.168.1.1
52. Scan a firewall for security weakness
The following scan types exploit a subtle loophole in TCP and are good for testing security against common attacks:

## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254

## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254

## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254

See how to block Xmas packets, syn-floods and other common attacks with iptables.
53. Scan a firewall for packet fragments
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.
nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
nmap -f 15 fw2.nixcraft.net.in
## Set your own offset size with the --mtu option ##
nmap --mtu 32 192.168.1.1
54. Cloak a scan with decoys
The -D option makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys:
nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5
55. Scan a firewall for MAC address spoofing

### Spoof your MAC address ###
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Use a random MAC address ###
### The number 0 means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0 192.168.1.1

56. How do I save output to a text file?
The syntax is:
nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
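Once scan results are saved with -oN, the text can be checked automatically instead of read by eye. The following is an added example, not code from this page or from the Nmap project: a small Python parser for the normal-output format shown in the samples above (both the Nmap 5 "Interesting ports on" and the Nmap 6 "Nmap scan report for" headers) that lists each host's ports and flags any open or open|filtered port that is not on a per-host allow-list, so a routine scan of your own network surfaces unexpected services. The sample output, the allow-list and the MAC addresses in it are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class PortEntry(NamedTuple):
    port: int
    proto: str     # "tcp" or "udp"
    state: str     # "open", "closed", "filtered", "open|filtered", ...
    service: str   # service name Nmap guessed from its port table


# Constructed sample of what `nmap -oN output.txt` saves: two host blocks in
# the two header styles this tutorial shows. Addresses are the tutorial's own
# private lab ranges; the MAC addresses are made up.
SAMPLE_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:00:00:00:00:01 (Unknown)
Nmap scan report for nas03 (192.168.1.12)
Host is up (0.0091s latency).
Not shown: 995 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:00:00:00:00:02 (Synology Incorporated)
Nmap done: 256 IP addresses (2 hosts up) scanned in 120.00 seconds
"""

# "Nmap scan report for HOST" (Nmap 6) or "Interesting ports on HOST:" (Nmap 5),
# where HOST is "ip" or "name (ip)".
HOST_RE = re.compile(
    r"^(?:Nmap scan report for|Interesting ports on) "
    r"(?P<name>[^\s(:]+)(?: \((?P<ip>[\d.]+)\))?:?\s*$"
)
# Port table rows: "22/tcp open  ssh", "111/udp open|filtered rpcbind".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)"
)


def parse_nmap_normal(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [PortEntry, ...]} from Nmap normal (-oN / screen) output.

    The host key is the IP when Nmap printed "name (ip)", otherwise the bare
    name or IP. Port rows are attached to the most recent host header."""
    inventory: Dict[str, List[PortEntry]] = {}
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group("ip") or host.group("name")
            inventory.setdefault(current, [])
            continue
        row = PORT_RE.match(line)
        if row and current is not None:
            inventory[current].append(PortEntry(
                int(row.group("port")), row.group("proto"),
                row.group("state"), row.group("service")))
    return inventory


Allowlist = Dict[str, Set[Tuple[str, int]]]   # host -> {(proto, port), ...}


def unexpected_ports(inventory: Dict[str, List[PortEntry]],
                     allowlist: Allowlist) -> Dict[str, List[PortEntry]]:
    """Ports that may be listening but are not approved for that host.

    "open" counts, and so does "open|filtered": for UDP Nmap cannot tell a
    silent open port from a filtered one, so such ports need a manual check
    rather than being assumed closed. A host absent from the allow-list has
    every such port reported, which is how an unknown device shows up."""
    findings: Dict[str, List[PortEntry]] = {}
    for host, entries in inventory.items():
        allowed = allowlist.get(host, set())
        flagged = [e for e in entries
                   if e.state in ("open", "open|filtered")
                   and (e.proto, e.port) not in allowed]
        if flagged:
            findings[host] = flagged
    return findings


if __name__ == "__main__":
    # Hypothetical allow-list: the router may serve SSH only, the NAS only
    # rpcbind and NFS. Everything else in SAMPLE_OUTPUT gets flagged.
    approved: Allowlist = {
        "192.168.1.1": {("tcp", 22)},
        "192.168.1.12": {("udp", 111), ("udp", 2049)},
    }
    report = unexpected_ports(parse_nmap_normal(SAMPLE_OUTPUT), approved)
    for host, ports in report.items():
        for e in ports:
            print(f"{host}: {e.port}/{e.proto} {e.state} ({e.service}) not in allow-list")
```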
57. Not a fan of command line tools?
Try Zenmap, the official network mapper front end:
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.
You can install Zenmap using the following apt-get command:
$ sudo apt-get install zenmap
Sample outputs:
[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  zenmap
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 616 kB of archives.
After this operation, 1,827 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main zenmap amd64 5.00-3 [616 kB]
Fetched 616 kB in 3s (199 kB/s)
Selecting previously deselected package zenmap.
(Reading database ... 28115 files and directories currently installed.)
Unpacking zenmap (from .../zenmap_5.00-3_amd64.deb) ...
Processing triggers for desktop-file-utils ...
Processing triggers for gnome-menus ...
Processing triggers for man-db ...
Setting up zenmap (5.00-3) ...
Processing triggers for python-central ...
Type the following command to start Zenmap:
$ sudo zenmap
D. Using NMAP as an IP and Port Scanner on Ubuntu
Installing nmap on Ubuntu is very easy; it just downloads from the internet:
yasser@yasser-laptop:~$ sudo apt-get install nmap
[sudo] password for yasser:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.32-21 linux-headers-2.6.32-21-generic
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  liblua5.1-0
The following NEW packages will be installed:
  liblua5.1-0 nmap
0 upgraded, 2 newly installed, 0 to remove and 29 not upgraded.
Need to get 1,671kB of archives.
After this operation, 6,541kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://id.archive.ubuntu.com/ubuntu/ lucid/main liblua5.1-0 5.1.4-5 [82.2kB]
Get:2 http://id.archive.ubuntu.com/ubuntu/ lucid/main nmap 5.00-3 [1,589kB]
Fetched 1,671kB in 5s (330kB/s)
Selecting previously deselected package liblua5.1-0.
(Reading database ... 149317 files and directories currently installed.)
Unpacking liblua5.1-0 (from .../liblua5.1-0_5.1.4-5_i386.deb) ...
Selecting previously deselected package nmap.
Unpacking nmap (from .../archives/nmap_5.00-3_i386.deb) ...
Processing triggers for man-db ...
Setting up liblua5.1-0 (5.1.4-5) ...
Setting up nmap (5.00-3) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
To run nmap against the IP address range 10.10.28.0 - 10.10.28.254, just run the command:
yasser@yasser-laptop:~$ nmap -sP 10.10.28.0/24
and the result:
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-30 17:23 WIT
Host 10.10.28.1 is up (0.0025s latency).
Host 10.10.28.3 is up (0.0032s latency).
Host 10.10.28.7 is up (0.0098s latency).
Host 10.10.28.9 is up (0.0022s latency).
Host 10.10.28.21 is up (0.0032s latency).
Host 10.10.28.22 is up (0.0030s latency).
Host 10.10.28.41 is up (0.0012s latency).
Host 10.10.28.42 is up (0.0011s latency).
Host 10.10.28.43 is up (0.0010s latency).
Host 10.10.28.44 is up (0.0010s latency).
Host 10.10.28.45 is up (0.0013s latency).
Host 10.10.28.46 is up (0.0012s latency).
Host 10.10.28.47 is up (0.0016s latency).
Host 10.10.28.48 is up (0.0015s latency).
Host 10.10.28.49 is up (0.0015s latency).
Host 10.10.28.50 is up (0.0015s latency).
Host 10.10.28.51 is up (0.0012s latency).
Host 10.10.28.100 is up (0.0012s latency).
Host 10.10.28.105 is up (0.0041s latency).
Host 10.10.28.131 is up (0.0041s latency).
Nmap done: 256 IP addresses (20 hosts up) scanned in 2.36 seconds
Port Scanning with range 100-150
yasser@yasser-laptop:~$ nmap 10.10.28.22 -p100-150
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-30 17:33 WIT
Interesting ports on 10.10.28.22:
Not shown: 49 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
For Scan Operating System:
yasser@yasser-laptop:~$ sudo nmap 10.10.28.22 -O
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-30 17:35 WIT
Interesting ports on 10.10.28.22:
Not shown: 988 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-term-serv
5101/tcp  open  admdog
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49160/tcp open  unknown
MAC Address: 00:04:4B:16:59:89 (Nvidia)
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS details: Microsoft Windows Vista SP0 or SP1, Server 2008, or Windows 7 Ultimate (build 7000)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.39 seconds
nmap Faster Execution
If you want a faster scan, use the -T4 option on the nmap command.
yasser@yasser-laptop:~$ sudo nmap -A -T4 10.10.28.3
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-30 17:38 WIT
Interesting ports on 10.10.28.3:
Not shown: 998 closed ports
PORT      STATE SERVICE          VERSION
5009/tcp  open  airport-admin    Apple AirPort admin
10000/tcp open  snet-sensor-mgmt?
MAC Address: 00:1F:F3:42:BD:05 (Apple)
Device type: general purpose
Running: NetBSD 4.X
OS details: NetBSD 4.99.4
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.68 seconds
Top 30 Nmap Command Examples For Sys/Network Admins
Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, the nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users.
The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so as to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.
(Figure: nmap in action)
More about nmap
From the man page:
Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
It was originally written by Gordon Lyon and it can answer the following questions easily:
1. What computers did you find running on the local network?
2. What IP addresses did you find running on the local network?
3. What is the operating system of your target machine?
4. Find out what ports are open on the machine that you just scanned?
5. Find out if the system is infected with malware or virus.
6. Search for unauthorized servers or network service on your network.
7. Find and remove computers which don't meet the organization's minimum level of security.
Sample setup (LAB)
Port scanning may be illegal in some jurisdictions. So set up a lab as follows:
                     +---------+
+---------+          | Network |          +--------+
| server1 |----------+ switch  +----------|server2 |
+---------+          |  (sw0)  |          +--------+
                     +----+----+
                          |
                          |
                +---------+----------+
                |  wks01 Linux/OSX   |
                +--------------------+
Where,
wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.
server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.
All three systems are connected via switch.
Tutorial Nmap
Published about a year ago by Candra Adi Putra
Nmap is a tool used to check the open ports of a server or computer. When a network port is open there is always a service behind it, which may be a web server, FTP, or another service. Nmap itself is a very sophisticated and complex hacking tool. Nmap is available on both Linux and Windows. If you use Ubuntu you can install it with:
sudo apt-get install nmap
If you are a Windows user, download the installer from nmap.org.
In this tutorial I will only teach the practical way to use nmap for 3 things:
1. Detecting live computers on the network
2. Detecting open ports
3. Detecting the target computer's OS
Detecting live computers on the network
Command: nmap -sP [rangeip]
C:\Documents and Settings\candra>nmap -sP 192.168.55.50-60
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-29 10:26 SE Asia
Nmap scan report for 192.168.55.55
Host is up (0.00s latency).
MAC Address: F0:DE:F1:66:11:2C (Wistron InfoComm (Kunshan)Co)
Nmap scan report for 192.168.55.56
Host is up (0.078s latency).
MAC Address: 90:00:4E:80:0F:A8 (Hon Hai Precision Ind. Co.)
Nmap scan report for 192.168.55.57
Host is up (0.063s latency).
MAC Address: BC:47:60:7C:DA:5E (Samsung Electronics Co.)
Nmap done: 11 IP addresses (3 hosts up) scanned in 1.28 seconds
From the analysis it appears that in the IP range 192.168.55.50 - 192.168.55.60 there are 3 live computers. As a bonus you can also see the MAC address and, with it, the brand of the network card.
Detecting open ports
If what we are scanning is a server we are building ourselves, we can quickly check with nmap whether a service is running or not. A real example: you install an SSH server but remote logins keep failing; it may simply be that the SSH service has not been started yet.
Command: nmap -sS [IPtarget]
C:\Documents and Settings\candra>nmap -sS 192.168.55.55
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-29 10:32 SE As
Nmap scan report for 192.168.55.55
Host is up (0.0032s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5800/tcp open  vnc-http
5900/tcp open  vnc
MAC Address: 90:00:4E:80:0F:A8 (Hon Hai Precision Ind. Co.)
From the scan results there are 5 open ports. Judging by their services, these ports turn out to provide file sharing and VNC remote desktop. It looks like the computer is running Windows? But are you sure it is Windows? Let's use technique 3.
Detecting the target operating system
Command: nmap -O [iptarget]
C:\Documents and Settings\candra>nmap -O 192.168.55.55
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-29 10:28 SE Asia Standard Time
Nmap scan report for 192.168.55.55
Host is up (0.053s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5800/tcp open  vnc-http
5900/tcp open  vnc
MAC Address: 90:00:4E:80:0F:A8 (Hon Hai Precision Ind. Co.)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
Network Distance: 1 hop
Nmap cannot give definite information about the OS; it can only guess the operating system in use. Look at the scan results above: IP 192.168.55.55 most likely runs Windows 7 or Windows Server 2008.
The important thing when using nmap is to use it on your own network, not someone else's. Nmap itself has many more parameters and very sophisticated features; what I have written here is no more than 10% of what nmap can really do.
Yup, that's all for now; I hope this tutorial is useful.