Joined: 06 May 2007
Posts: 10

Posted: Sun May 06, 2007 8:15 pm

This is my BASIC guide to using nmap version 1.0;


Description: Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available.

Inject Exec Root's BASIC Nmap Guide

Let's get started, shall we?

NMAP, We Love It, They Hate It!

Let's go over some basic usage.

I assume you installed it to allow working directory so boot up your command prompt and let's get scanning!

Go to command prompt
ping <target ip>

or you can type
nmap <target ip> -sP

To scan someone by standard methods type:
nmap <target ip>

You will be notified that it is being SYN* stealth scanned
Hit the space bar during the scan to be informed of the overall completion of the scan

(* syn is a type of packet that is sent to determine whether a pc is online and accepting connections or not, much like ping. When you send a SYN packet, the server you ping responds with an ack packet. You can read more by google searching network packets and protocols.)

When the scan is complete it will then list the PORT number and the SERVICE that it is associated with. If the port is OPEN that means it is listening and receiving incoming connections, if the port is closed that means you have no dice when it comes to hax0ring that port. And if it is filtered it only allows certain protocols to access it and is probably firewalled by a router.

First I will introduce the -p command. -p is invaluable when it comes to finding the ONE port you want to attack, connect to, etc.

When typing the line, make sure you put -p after the IP you wish to input:

now type:


Port 139 is the NETBIOS port for file and printer sharing on networks (network basic input output system) (futile to attack if target pc is behind a router... unless you are connected and assigned an ip from that router.)

You should have a similar box:

C:\Documents and Settings\Inject Exec Root>nmap 69.150.191.x -p 139

Interesting ports on adsl-69-150-191-x (69.150.191.x):

139/tcp filtered netbios-ssn

Nmap finished: 1 IP address (1 host up) scanned in 1.156 seconds

Notice it says filtered. In this case that means it is only for network access and the user is most likely behind a router, switch, or hub.

Scanning Port Ranges

Let's say you don't know who you want to hack, or you're looking at your entire network for vulnerable ports that need to be closed and you want to do it quickly and efficiently.

Scanning a network range:

I didn't get much out of my scan but that is how you scan a range.
This also applies to WAN connections too.


Let's say your buddy is online and you want to audit him and see if he is vulnerable. You know he is online... and you have his IP.. you nmap him... and it returns an error:

Note: Host seems down. If it is really up, but blocking our ping probes,

Nmap finished: 1 IP address (0 hosts up) scanned in 0.578 seconds

That doesn't make any sense you may ask. Well chances are your buddy's firewall blocked your port scan. Most firewalls consider it an attack.

So.. to get by this, type:

nmap <target ip> -P0

This will treat the host as online but makes the scan MUCH SLOWER but stealth is a good thing.. and for some strange reason, it usually works xD

Operating System Detection
nmap <target ip> -O

This will scan the fingerprints of the operating system of the target computer and give you statistics on what operating system the program thinks it is. It's usually very accurate.

Entire Command List

Usage: nmap [Scan Type(s)] [Options] {target specification}

  Can pass hostnames, IP addresses, networks, etc.
  Ex:,,; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -P0: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idlescan
  -sO: IP protocol scan
  -b <ftp relay host>: FTP bounce scan
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast - Scan only the ports listed in the nmap-services file)
  -r: Scan ports consecutively - don't randomize
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
  -O: Enable OS detection (try 2nd generation w/fallback to 1st)
  -O2: Only use the new OS detection system (no fallback)
  -O1: Only use the old (1st generation) OS detection system
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
  Options which take <time> are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T[0-5]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <time>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP checksum
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.

Is port scanning legal?
There is much controversy whether portscanning is legal or not. It is a detectable thing and it can be considered an attack. Many people do not pursue charges for portscanning if their firewall picks up on it... but, the legality is still controversial.
In all honesty, I do not believe it is illegal to port scan someone. Although without consent... I'm sure the law will find a way to bitch you out for it.

Again, this is a very basic guide. I hope you learned something from it. =) If not, please note that it is a basic guide. And basics are essential to everyone.
Enjoy =)

~Inject Exec Root
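
Added example (not part of the original post): for the "looking at your entire network for vulnerable ports that need to be closed" use case, this Python sketch parses normal-format output in the layout shown above and reports open ports that are missing from a per-host allowlist. The sample output, the addresses and the `ALLOWED` policy are constructed for illustration.

```python
import re

# Constructed sample in the post's normal-output layout (RFC 5737 addresses).
SAMPLE = """\
Interesting ports on 192.0.2.10:
PORT     STATE    SERVICE
22/tcp   open     ssh
139/tcp  filtered netbios-ssn
445/tcp  open     microsoft-ds

Interesting ports on fileserver.example (192.0.2.20):
PORT     STATE    SERVICE
80/tcp   open     http
139/tcp  closed   netbios-ssn

Nmap finished: 2 IP addresses (2 hosts up) scanned in 3.210 seconds
"""

# Hypothetical policy: ports each host is supposed to expose.
ALLOWED = {"192.0.2.10": {22}, "192.0.2.20": {80, 443}}

HOST_RE = re.compile(r"^Interesting ports on (?:\S+ \()?([0-9.]+)\)?:")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_scan(text):
    """Return {ip: [(port, proto, state, service), ...]} from normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts

def unexpected_open(hosts, allowed):
    """List (ip, port, service) for open ports not in the host's allowlist."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        for port, _proto, state, service in ports:
            if state == "open" and port not in allowed.get(ip, set()):
                findings.append((ip, port, service))
    return findings

if __name__ == "__main__":
    for ip, port, service in unexpected_open(parse_scan(SAMPLE), ALLOWED):
        print(f"{ip}: close or justify {port} ({service})")
```

For recurring audits, the `-oX` or `-oG` output formats in the command list above are more stable to parse than the human-readable layout.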


Joined: 26 Mar 2007
Posts: 21

Location: UK

Posted: Mon May 21, 2007 5:07 pm

nice tutorial, thanks

