If you want to get some real information out of nmap, you’ll need root permissions on the linux box or be in the sudoers file.<\/p>\n

To scan just one host that you know or believe to be windows, you can add several arguments to your nmap scan to find out what’s going on. My favorite general scan is the Stealth Version scan with a few arguments, here it is:<\/p>\n

timg@plethora:~$ sudo nmap -sV -vv -PN ip.address<\/p>\n

That will use nmap’s stealth version scan instead of the basic ping sweep (-sT or just nmap ip.address) the -vv tells nmap to be very verbose with its output and the -PN switch turns off pinging of the host. You get some more information with that scan, here is a sample from my network:<\/p>\n

Interesting ports on test04.primarydc.local (192.168.0.79):
\nNot shown: 995 closed ports
\nPORT STATE SERVICE VERSION
\n135/tcp open msrpc Microsoft Windows RPC
\n139/tcp open netbios-ssn
\n445/tcp open microsoft-ds Microsoft Windows XP
\n1151/tcp open msrpc Microsoft Windows RPC
\n42510/tcp open msrpc Microsoft Windows RPC
\nMAC Address: 00:24:E8:00:B9:DE (Unknown)
\nService Info: OS: Windows<\/p>\n

I truncated the data, but that’s a pretty typical result for a Windows XP machine. Using various combinations of these command line switches will help you find out more information about your target.<\/p>\n

The above scan is helpful in identifying machines that keep connecting to you or your servers, finding out what services they’re running and on what port could tell you if they’re a zombie or just a bored high school kid.<\/p>\n<\/div>\n

There is far too much information about nmap to put in one how-to, so this should familiarize you with the scanner if you’ve never used it or haven’t used it much. You can always just type nmap into the command line for a list of arguments and switches to use. Nmap has such advanced features as source IP spoofing, FTP bounce and recently added scripting. You can send packets through firewalls and all sorts of crazy stuff if you just learn a few basic concepts.<\/p>\n

I apologize for calling you a little girl for using the GUI version, because using it for a while (The windows version comes with profiles to pick from) will get you familiar with the various arguments. Scan for a while with zenmap, then give it a try through the terminal, it’s a blast.<\/p>","step":[{"@type":"HowToStep","name":"Install the binaries for your OS","text":"\nVisit http://nmap.org/download.html and download your binary of choice, in this How-To we will be using the linux binary, personally, I'm a fan of Ubuntu and Debian for their package system. Use this command to install:\n\nsudo apt-get install nmap \n\nWe won't be using the front end in this document, if you're lost without a GUI, you can use this command\n\nsudo apt-get install zenmap \n\nThis should take care of installation."},{"@type":"HowToStep","name":"Simple Scan","text":"\n\n\nTo get your hands dirty, let's try a simple scan of your local IP range. To initiate the most basic, user-level scan type nmap, then the IP range you'd like to scan. Like this:\n\ntimg@plethora:~$ nmap 192.168.0.1-254\n\nAfter running the command, nmap will start a ping sweep on all hosts on 192.168.0.1 through 192.168.0.254, this can be done without root access. You will see several results scroll across your screen that look kind of like this:\n\nInteresting ports on 192.168.0.119:\nNot shown: 995 closed ports\nPORT STATE SERVICE\n22/tcp open ssh\n80/tcp open http\n5900/tcp open vnc\n5901/tcp open vnc-1\n6000/tcp open X11\n\nThe command you used is just asking what ports are open on the target hosts. If you want detailed information like what OS, the services and their versions running on each port or even if the host is infected or infectable with Conficker, you'll need to learn some of nmap's command line switches. Some of these options are offered as easy radio buttons in the graphical front end for nmap (Xenmap/Zenmap), but that won't make you l33t.\n","image":"https://us1.discourse-cdn.com/spiceworks/original/4X/7/c/5/7c5e0e1aa059a4abee4a5ac39d3c3f1473db8010.jpeg"},{"@type":"HowToStep","name":"Getting More Info","text":"\nIf you want to get some real information out of nmap, you'll need root permissions on the linux box or be in the sudoers file. \n\nTo scan just one host that you know or believe to be windows, you can add several arguments to your nmap scan to find out what's going on. My favorite general scan is the Stealth Version scan with a few arguments, here it is:\n\ntimg@plethora:~$ sudo nmap -sV -vv -PN ip.address\n\nThat will use nmap's stealth version scan instead of the basic ping sweep (-sT or just nmap ip.address) the -vv tells nmap to be very verbose with its output and the -PN switch turns off pinging of the host. You get some more information with that scan, here is a sample from my network:\n\nInteresting ports on test04.primarydc.local (192.168.0.79):\nNot shown: 995 closed ports\nPORT STATE SERVICE VERSION\n135/tcp open msrpc Microsoft Windows RPC\n139/tcp open netbios-ssn\n445/tcp open microsoft-ds Microsoft Windows XP \n1151/tcp open msrpc Microsoft Windows RPC\n42510/tcp open msrpc Microsoft Windows RPC\nMAC Address: 00:24:E8:00:B9:DE (Unknown)\nService Info: OS: Windows\n\nI truncated the data, but that's a pretty typical result for a Windows XP machine. Using various combinations of these command line switches will help you find out more information about your target. \n\nThe above scan is helpful in identifying machines that keep connecting to you or your servers, finding out what services they're running and on what port could tell you if they're a zombie or just a bored high school kid.\n"}]}