Friday , January 20 2017
Home / Basic / Dasar-dasar penggunaan NMAP

Dasar-dasar penggunaan NMAP

Definisi

Nmap (Network Mapper) adalah sebuah program open source yang berguna untuk mengesksplorasi jaringan.Nmap didesain untuk dapat melakukan scan jaringan yang besar, juga dapat digunakan untuk melakukan scan host tunggal.Nmap menggunakan paket IP untuk menentukan host- host yang aktif dalam suatu jaringan,port-port yang terbuka, sistem operasi yang dipunyai, tipe firewall yang dipakai, dll.

Kemampuan Nmap

  • Mengumpulkan informasi setiap host atau komputer yang hidup (life) pada jaringan lokal
  • Mengumpulkan informasi setiap ipaddress pada jaringan lokal
  • Mengumpulkan informasi setiap sistem operasi pada host maupun seluruh host pada target jaringan
  • Menemukan setiap port yang terbuka dari host target
  • Menemukan adanya infeksi dari virus maupun malware
  • Mengumpulkan informasi mengenai layanan-layanan (service) pada host target dan server pada jaringan target.

Instalasi

Instalasi dari repo

Beberapa distro sudah menyediakan nmap pada repo masing-masing. Beberapa sistem operasi yang telah menyediakan nmap pada repository adalah

Debian / Ubuntu

[text]apt-get install nmap[/text]

Fedora

[text]yum install nmap[/text]

Instalasi dari source code

[butuh konten]

Penggunaan

[text][email protected]:~# nmap
Nmap 6.01 ( http://[[nmap]].org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, [[IP address]]es, networks, etc.
Ex: scanme.[[nmap]].org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
–exclude <host1[,host2][,host3],…>: Exclude hosts/networks
–excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan – simply list targets to scan
-sn: Ping Scan – disable port scan
-Pn: Treat all hosts as online — skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes] –dns-servers <serv1[,serv2],…>: Specify custom DNS servers
–system-dns: Use OS’s DNS resolver
–traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
–scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <[[FTP]] relay host>: [[FTP]] bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode – Scan fewer ports than the default scan
-r: Scan ports consecutively – don’t randomize
–top-ports <number>: Scan <number> most common ports
–port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
–version-intensity <level>: Set from 0 (light) to 9 (try all probes)
–version-light: Limit to most likely probes (intensity 2)
–version-all: Try every single probe (intensity 9)
–version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to –script=default
–script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
–script-args=<n1=v1,[n2=v2,…]>: provide arguments to scripts
–script-args-file=filename: provide NSE script args in a file
–script-trace: Show all data sent and received
–script-updatedb: Update the script database.
–script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma separted list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
–osscan-limit: Limit OS detection to promising targets
–osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append ‘ms’ (milliseconds),
‘s’ (seconds), ‘m’ (minutes), or ‘h’ (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
–min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
–min-parallelism/max-parallelism <numprobes>: Probe parallelization
–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
–max-retries <tries>: Caps number of port scan probe retransmissions.
–host-timeout <time>: Give up on target after this long
–scan-delay/–max-scan-delay <time>: Adjust delay between probes
–min-rate <number>: Send packets no slower than <number> per second
–max-rate <number>: Send packets no faster than <number> per second
[[FIREWALL]]/IDS EVASION AND SPOOFING:
-f; –mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],…>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/–source-port <portnum>: Use given port number
–data-length <num>: Append random data to sent packets
–ip-options <options>: Send packets with specified ip options
–ttl <val>: Set IP time-to-live field
–spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
–badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
–reason: Display the reason a port is in a particular state
–open: Only show open (or possibly open) ports
–packet-trace: Show all packets sent and received
–iflist: Print host interfaces and routes (for debugging)
–log-errors: Log errors/warnings to the normal-format output file
–append-output: Append to rather than clobber specified output files
–resume <filename>: Resume an aborted scan
–stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
–webxml: Reference stylesheet from [[Nmap]].Org for more portable XML
–no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
–datadir <dirname>: Specify custom [[Nmap]] data file location
–send-eth/–send-ip: Send using raw ethernet frames or IP packets
–privileged: Assume that the user is fully privileged
–unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
[[nmap]] -v -A scanme.[[nmap]].org
[[nmap]] -v -sn 192.168.0.0/16 10.0.0.0/8
[[nmap]] -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://[[nmap]].org/book/man.html) FOR MORE OPTIONS AND EXAMPLES[/text]

Single Host

Dengan penggunaan domain maupun ip address

Dengan ip address

#Perintah standart scanning ke single ip address

[text]nmap [ip-address][/text]

#Contoh

[text][email protected]:~# nmap 192.168.2.1[/text]

Output :

[text][email protected]:~# nmap 192.168.2.1

Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 00:47 WIT
Nmap scan report for 192.168.2.1
Host is up (0.029s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
49152/tcp open unknown
MAC Address: 84:A8:E4:AF:60:B1 (Huawei Device Co.)

Nmap done: 1 IP address (1 host up) scanned in 4.03 seconds[/text]

Dengan Domain

Perintah standart scanning dengan domain

[text]root@[[zee]]-eichel:~# nmap indonesianbacktrack.or.id

Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 00:59 WIT
Warning: 141.101.118.197 giving up on port because retransmission cap hit (10).
[[Nmap]] scan report for indonesian[[backtrack]].or.id (141.101.118.197)
Host is up (0.094s latency).
Other addresses for indonesian[[backtrack]].or.id (not scanned): 141.101.118.196
PORT STATE SERVICE
1/tcp open tcpmux
20/tcp open ftp-data
[..snif..] 53/tcp open domain
70/tcp filtered gopher

Nmap done: 1 IP address (1 host up) scanned in 437.33 seconds[/text]

Perintah standart dengan tambahan informasi lainnya

[text]nmap -v indonesianbacktrack.or.id[/text]

Multi ip address dan subnet

Untuk melakukan scanning lebih dari satu ip address atau mungkin bertujuan untuk melakukan scanning ke satu subnet. Salah satu contoh jika kita hendak melakukan scanning terhadap 2 ip address 192.168.2.1 dan 192.168.2.2. Jika kita hendak melihat informasi host yang sedang dalam keadaan up pada satu subnet

[text][email protected]:~# nmap -n -sn 192.168.2.1/24
Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 16:43 WIT
Nmap scan report for 192.168.2.1
Host is up (0.028s latency).
MAC Address: 84:A8:E4:AF:60:B1 (Huawei Device Co.)
Nmap scan report for 192.168.2.2
Host is up (0.00016s latency).
MAC Address: 9C:B7:0D:3E:1A:A1 (Liteon Technology)
Nmap scan report for 192.168.2.11
Host is up (0.00072s latency).
MAC Address: 08:00:27:CF:C7:37 (Cadmus Computer Systems)
Nmap scan report for 192.168.2.20
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 10.12 seconds[/text]

Jika berdasarkan ip address

[text][email protected]:~# nmap 192.168.2.1 192.168.2.2

Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 01:53 WIT
[[Nmap]] scan report for 192.168.2.1
Host is up (0.0035s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
49152/tcp open unknown
MAC Address: 84:A8:E4:AF:60:B1 (Huawei Device Co.)

[Nmap] scan report for 192.168.2.2
Host is up (0.00035s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
MAC Address: 9C:B7:0D:3E:1A:A1 (Liteon Technology)

[Nmap] done: 2 [[IP address]]es (2 hosts up) scanned in 8.14 seconds[/text]

Perintah untuk melakukan scann ke seluruh jaringan berdasarkan subnet

[text][email protected]:~# nmap 192.168.2.*
[email protected]:~# nmap 192.168.2.0/24

Dengan menggunakan patokan dari file tertentu

[butuh konten] Save output ke file

Anda dapat menyimpan hasil pada file-file tertentu

[text][email protected]:~# nmap 192.168.2.1 > output.txt
[email protected]:~# cat output.txt[/text]

Menampilkan paket diterima dan dikirim

Anda dapat menampilkan paket-paket yang dikirim dan diterima nmap pada proses scann

[text][email protected]:~# nmap –packet-trace 192.168.2.1

Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 16:10 WIT
SENT (0.0923s) ARP who-has 192.168.2.1 tell 192.168.2.20
RCVD (0.0949s) ARP reply 192.168.2.1 is-at 84:A8:E4:AF:60:B1
NSOCK (0.0950s) UDP connection requested to 192.168.2.1:53 (IOD #1) EID 8
NSOCK (0.0960s) Read request from IOD #1 [192.168.2.1:53] (timeout: -1ms) EID 18
NSOCK (0.0960s) Write request for 42 bytes to IOD #1 EID 27 [192.168.2.1:53]: ………….1.2.168.192.in-addr.arpa…..
NSOCK (0.0960s) Callback: CONNECT SUCCESS for EID 8 [192.168.2.1:53] NSOCK (0.0960s) Callback: WRITE SUCCESS for EID 27 [192.168.2.1:53] NSOCK (0.5660s) Callback: READ SUCCESS for EID 18 [192.168.2.1:53] (119 bytes)
NSOCK (0.5670s) Read request from IOD #1 [192.168.2.1:53] (timeout: -1ms) EID 34
NSOCK (0.5670s) nsi_delete() (IOD #1)
NSOCK (0.5670s) msevent_cancel() on event #34 (type READ)
SENT (0.5686s) TCP 192.168.2.20:39594 > 192.168.2.1:256 S ttl=38 id=54844 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5693s) TCP 192.168.2.20:39594 > 192.168.2.1:1720 S ttl=50 id=10691 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5699s) TCP 192.168.2.20:39594 > 192.168.2.1:443 S ttl=50 id=2410 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5704s) TCP 192.168.2.20:39594 > 192.168.2.1:80 S ttl=38 id=46326 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5710s) TCP 192.168.2.20:39594 > 192.168.2.1:5900 S ttl=37 id=60552 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5719s) TCP 192.168.2.20:39594 > 192.168.2.1:445 S ttl=52 id=42181 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5724s) TCP 192.168.2.20:39594 > 192.168.2.1:587 S ttl=59 id=56548 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5731s) TCP 192.168.2.20:39594 > 192.168.2.1:53 S ttl=56 id=36706 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5738s) TCP 192.168.2.20:39594 > 192.168.2.1:21 S ttl=50 id=5214 iplen=44 seq=1439923272 win=1024 <mss 1460>
SENT (0.5740s) TCP 192.168.2.20:39594 > 192.168.2.1:23 S ttl=42 id=49474 iplen=44 seq=1439923272 win=1024 <mss 1460>

#sniff–[/text]

Menampilkan semua interface dan rute

Untuk menampilkan interface dan rute yang tersedia didalam os , anda dapat menggunakan perintah iflist

[text][email protected]:~# nmap –iflist

Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 16:00 WIT
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo (lo) 127.0.0.1/8 loopback up 16436
lo (lo) ::1/128 loopback up 16436
eth1 (eth1) 192.168.2.20/24 ethernet up 1500 08:00:27:9D:19:E3
eth1 (eth1) fe80::a00:27ff:fe9d:19e3/64 ethernet up 1500 08:00:27:9D:19:E3

**************************ROUTES**************************
DST/MASK DEV GATEWAY
192.168.2.0/24 eth1
0.0.0.0/0 eth1 192.168.2.1

Excluding hosts/networks[/text]

Anda dapat tidak menyertakan host dengan domain dan ip address tertentu saat melakukan scanning terhadap sebuah jaringan. Hal ini sangatlah bermanfaat pada saat anda melakukan scanning pada tingkat jaringan yang besar.

[text]nmap 192.168.2.0/24 –exclude 192.168.2.3
nmap 192.168.2.0/24 –exclude 192.168.2.5,192.168.2.254[/text]

Contoh di atas berarti anda tidak melakukan scanning pada ip 192.168.2.3, 192.168.2.5, 192.168.2.254 pada sebuah subnet 192.168.2.0/24

Mendeteksi sistem operasi dan layanan (services) target

[text]root@[[zee]]-eichel:~# nmap -A 192.168.2.11

Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-25 16:23 WIT
Nmap scan report for 192.168.2.11
Host is up (0.00088s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
MAC Address: 08:00:27:CF:C7:37 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: TARGET-6B5E8C15, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:cf:c7:37 (Cadmus Computer Systems)
|_smbv2-enabled: Server doesn’t support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Computer name: target-6b5e8c15
| NetBIOS computer name: TARGET-6B5E8C15
| Workgroup: MSHOME
|_ System time: 2013-04-25 16:23:12 UTC+7

TRACEROUTE
HOP RTT ADDRESS
1 0.88 ms 192.168.2.11

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.02 seconds[/text]

Dari hasil di atas anda dapat mengetahui beberapa service yang berjalan serta Operating system yang digunakan target. OS: Windows XP (Windows 2000 LAN Manager)

Penggunaan -v (service scan) juga akan menampilkan hasil yang akurat ..

[text][email protected]:~# nmap -v -A 192.168.2.11

Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-25 16:28 WIT
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:28
Scanning 192.168.2.11 [1 port] Completed ARP Ping Scan at 16:28, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:28
Completed Parallel DNS resolution of 1 host. at 16:28, 0.65s elapsed
Initiating SYN Stealth Scan at 16:28
Scanning 192.168.2.11 [1000 ports] Discovered open port 445/tcp on 192.168.2.11
Discovered open port 139/tcp on 192.168.2.11
Discovered open port 135/tcp on 192.168.2.11
Discovered open port 3389/tcp on 192.168.2.11
Completed SYN Stealth Scan at 16:28, 1.31s elapsed (1000 total ports)
Initiating Service scan at 16:28
Scanning 4 services on 192.168.2.11
Completed Service scan at 16:28, 6.02s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.2.11
NSE: Script scanning 192.168.2.11.
Initiating NSE at 16:28
Completed NSE at 16:28, 0.23s elapsed
Nmap scan report for 192.168.2.11
Host is up (0.00092s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
MAC Address: 08:00:27:CF:C7:37 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat:
| NetBIOS name: TARGET-6B5E8C15, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:cf:c7:37 (Cadmus Computer Systems)
| Names
| TARGET-6B5E8C15<00> Flags: <unique><active>
| MSHOME<00> Flags: <group><active>
| TARGET-6B5E8C15<20> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
|_ x01x02__MSBROWSE__x02<01> Flags: <group><active>
|_smbv2-enabled: Server doesn’t support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Computer name: target-6b5e8c15
| NetBIOS computer name: TARGET-6B5E8C15
| Workgroup: MSHOME
|_ System time: 2013-04-25 16:28:36 UTC+7

TRACEROUTE
HOP RTT ADDRESS
1 0.92 ms 192.168.2.11

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[[Nmap]] done: 1 [[IP address]] (1 host up) scanned in 10.98 seconds
Raw packets sent: 1069 (47.734KB) | Rcvd: 1017 (41.238KB)[/text]

remote operating system

[text][email protected]:~# nmap -O 192.168.2.11

Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-25 16:32 WIT
Nmap scan report for 192.168.2.11
Host is up (0.00079s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
MAC Address: 08:00:27:CF:C7:37 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.65 seconds[/text]

Beberapa kombinasi yang dapat digunakan

[text]nmap -O –osscan-guess 192.168.1.1
nmap -v -O –osscan-guess 192.168.1.1[/text]

Mendeteksi layanan dan device yang sedang up

Untuk mendeteksi layanan (services) dan device yang sedang up pada satu jaringan/subnet tertentu

[text]root@[[zee]]-eichel:~# [[nmap]] -sP 192.168.2.1/24

Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 16:41 WIT
[[Nmap]] scan report for 192.168.2.1
Host is up (0.0032s latency).
MAC Address: 84:A8:E4:AF:60:B1 (Huawei Device Co.)
[[Nmap]] scan report for 192.168.2.2
Host is up (0.00021s latency).
MAC Address: 9C:B7:0D:3E:1A:A1 (Liteon Technology)
[[Nmap]] scan report for 192.168.2.11
Host is up (0.00091s latency).
MAC Address: 08:00:27:CF:C7:37 (Cadmus Computer Systems)
[[Nmap]] scan report for 192.168.2.20
Host is up.
[[Nmap]] done: 256 [[IP address]]es (4 hosts up) scanned in 11.00 seconds[/text]

Mendeteksi versi dari layanan (service)

Untuk mendeteksi beberapa versi layanan (service) pada target , anda dapat menggunakan opsi -sV

[text]root@[[zee]]-eichel:~# [[nmap]] -sV 192.168.2.2

Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-25 16:35 WIT
Nmap scan report for 192.168.2.2
Host is up (0.00031s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
MAC Address: 9C:B7:0D:3E:1A:A1 (Liteon Technology)

Service detection performed. Please report any incorrect results at http://[[nmap]].org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.86 seconds[/text] [text][email protected]]]-eichel:~# nmap -sV 192.168.2.11

Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-25 16:38 WIT
Nmap scan report for 192.168.2.11
Host is up (0.00041s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
MAC Address: 08:00:27:CF:C7:37 (Cadmus Computer Systems)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.60 seconds[/text]

Mendeteksi firewall

Mendeteksi adanya penggunaan firewall pada service berjalan, anda dapat menggunakan opsi -sA.

[text][email protected]:~# nmap -sA 192.168.2.11

Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 16:49 WIT
[[Nmap]] scan report for 192.168.2.11
Host is up (0.00055s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
139/tcp unfiltered netbios-ssn
445/tcp unfiltered microsoft-ds
2869/tcp unfiltered icslap
3389/tcp unfiltered ms-wbt-server
MAC Address: 08:00:27:CF:C7:37 (Cadmus Computer Systems)

[[Nmap]] done: 1 [[IP address]] (1 host up) scanned in 4.62 seconds[/text]

Hasil di atas memberitahu kita bahwa beberapa service tanpa dalam keadaan status unfiltered.

Contoh kasus adanya penggunaan Firewall terhadap sebuah server

[text][email protected]:~# nmap -sA site.org

Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 16:52 WIT
[[Nmap]] scan report for site.org (110.144.306.64)
Host is up (0.077s latency).
rDNS record for 110.144.306.64: colo-site-tes.co.id
All 1000 scanned ports on site.org (110.144.306.64) are filtered

[[Nmap]] done: 1 [[IP address]] (1 host up) scanned in 83.71 seconds[/text]

Scanning firewall

Untuk mendeteksi kelemahan firewall pada sistem target

TCP Null Scan untuk menipu firewall untuk memberikan respon ,dalam kondisi TCP flag header adalah nol (null)

[text]nmap -sN 192.168.2.1[/text]

TCP Fin scan untuk mengecek firewall ,hanya TCP FIN bit

[text]nmap -sF 192.168.2.1[/text]

Penggunaan TCP Xmas

setting FIN, PSH, dan URG

[text]nmap -sX 192.168.2.1[/text]

Firewall untuk packets fragments

opsi ini akan membuat nmap mengirimkan paket data dengan menggunakan tiny fragmented IP packets. Dengan menggunakan opsi ini , anda dapat melewati berbagai filtered, IDS/IPS

[text][email protected]:~# nmap -f site.org

Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-25 17:26 WIT
Nmap scan report for site.org (110.144.306.64)
Host is up (0.053s latency).
rDNS record for 110.144.306.64: colo-site-tes.co.id
PORT STATE SERVICE
1/tcp open tcpmux
3/tcp open compressnet
4/tcp open unknown
6/tcp open unknown
7/tcp open echo
9/tcp open discard
13/tcp open daytime
# — sniff[/text]

Melakukan scanning disaat target menggunakan firewall

[email protected]:~# nmap -PN site.org

[text]Starting [[Nmap]] 6.01 ( http://[[nmap]].org ) at 2013-04-25 16:58 WIT
[[Nmap]] scan report for site.org (110.144.306.64)
Host is up (0.076s latency).
rDNS record for 110.144.306.64: colo-site-tes.co.id
PORT STATE SERVICE
1/tcp open tcpmux
3/tcp open compressnet
4/tcp open unknown
6/tcp open unknown
7/tcp open echo
9/tcp filtered discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
20/tcp open [[ftp]]-data
21/tcp open [[ftp]] 22/tcp open ssh
23/tcp open telnet
24/tcp open priv-mail
25/tcp open smtp
26/tcp open rs[[ftp]] 30/tcp open unknown
32/tcp open unknown
33/tcp open dsp
37/tcp open time
42/tcp open nameserver
43/tcp open whois
49/tcp open tacacs
53/tcp open domain
70/tcp open gopher
79/tcp open finger
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
[/text]