One of Nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. After performing dozens of tests, Nmap compares the results to its database and prints out the OS details if there is a match. Turn on OS Detection. Nmap uses packet sniffing to detect responses to its probes for host discovery, port scanning, and OS discovery. Any time a valid response (i.e. One that is likely to have come from the target) is received and has a MAC address in it, the address is recorded. Nmap includes useful functionality of listing MAC Address Vendor name during scans, but my version listed many as 'Unknown'. The source of this information is a file called 'nmap-mac-prefixes', as discussed in Chapter 14 of the NMAP book. Nmap can discover the MAC address of a remote target only if. The target is on the same link as the machine nmap runs on, or; the target leaks this information through SNMP, NetBIOS etc. Another possibility comes with IPv6 if the target uses EUI-64 identifiers, then the MAC address can be deduced from the IP address. The manufacturer then assigns a unique value for the last 3 bytes, which ensures that every MAC address is globaly unique. In the following picture we can see the structure of a MAC address: MAC addresses are usually written in the form of 12 hexadecimal digits. For example, this is a valid MAC address: D8-D3-85-EA-1B-EE.
About the App
Install the App
Done! You can now use
nmap .
Similar Software for Mac
Nmap (network mapper), the god of port scanners used for network discovery and the basis for most security enumeration during the initial stages of a penetration test. The tool was written and maintained by Fyodor AKA Gordon Lyon.
Nmap displays exposed services on a target machine along with other useful information such as the verion and OS detection.
Nmap has made twelve movie appearances, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.
Nmap in a nutshell
Nmap Examples
Basic Nmap scanning examples, often used at the first stage of enumeration.
Agressive scan timings are faster, but could yeild inaccurate results!
T5 uses very aggressive scan timings and could lead to missed ports, T4 is a better compromise if you need fast results.
Nmap scan from file
Nmap output formats
Nmap Netbios Examples
--script-args=unsafe=1 has the potential to crash servers / services
Becareful when running this command.
Nmap Nikto Scan
Nmap CheatsheetTarget Specification
Nmap allows hostnames, IP addresses, subnets.
Example blah.highon.coffee, nmap.org/24, 192.168.0.1; 10.0.0-255.1-254
Host Discovery
Scan Techniques
Port Specification and Scan Order
Service Version Detection
Script Scan
OS Detection
![]() Timing and Performance
Options which take TIME are in seconds, or append 'ms' (milliseconds),'s' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
Firewalls IDS Evasion and Spoofing
Nmap Output Options
Misc Nmap Options
Nmap Enumeration Examples
The following are real world examples of Nmap enumeration.
Enumerating Netbios
The following example enumerates Netbios on the target networks, the same process can be applied to other services by modifying ports / NSE scripts.
Detect all exposed Netbios servers on the subnet.
Nmap find exposed Netbios servers Malware scan for mac.
root:~#nmap -sV -v -p 139,445 10.0.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT Nmap scan report for nas.decepticons 10.0.1.12 Host is up (0.014s latency). PORT STATE SERVICE VERSION Macos Nmap139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON) Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds </p>
Nmap find Netbios name.
Nmap find exposed Netbios servers
root:~#nmap -sU --script nbstat.nse -p 137 10.0.1.12
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT Nmap scan report for nas.decepticons 10.0.1.12 Host is up (0.014s latency). PORT STATE SERVICE VERSION 137/udp open netbios-ns Host script results: ![]() Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds </p>
Check if Netbios servers are vulnerable to MS08-067
Nmap check MS08-067
root:~#nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 44510.0.0.1
Nmap scan report for ie6winxp.decepticons (10.0.1.1) Host is up (0.00026s latency). PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-check-vulns: | MS08-067: VULNERABLE | Conficker: Likely CLEAN | regsvc DoS: NOT VULNERABLE Nmap For Mac Os Download| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive) Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds </p>
The information gathered during the enumeration indicates the target is vulnerable to MS08-067, exploitation will confirm if it’s vulnerable to MS08-067.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |