Nmap is a security scanner software developed by computer networks expert Gordon Lyon (Fyodor) using C/C++ and Python languages. It can map the scanned network, observe the status of services running on machines in the network, their operating systems, and the status of ports.

With Nmap, various information about any computer connected to the network can be obtained, such as the operating system, types of physical devices running, uptime, which services the software uses, software version information, and whether the computer has a firewall.

It is completely free licensed software (GPL). It has also been used in the movie Matrix.

Areas of Use:

• Testing settings when preparing any network.
• Network mapping, maintenance, and management.
• Identifying unknown new servers and performing security audits.

Working Principle

If the name of the machine to be scanned is entered, nmap primarily performs a dns lookup operation, this is not actually an nmap function, it queries the ip address of the machine to scan the network traffic is visible, so it would be better to find the ip by different methods before scanning with the name.

It first pings the target machine. If we want to cancel the ping process, the -P0 option should be used.

By default, it performs an open port scan by establishing a full connect TCP connection. Full connect connection is a method called three-way handshake on TCP. A SYN packet is sent to the checked port, if the port is open, the server responds with a SYN/ACK packet. Then an ACK packet is sent by nmap and the connection is established.

nmap 192.168.1.1

We can change the port detection method. With the "-sT" parameter, we can cancel the last sent ACK packet and scan without establishing a complete TCP connection. This method is called half connect port scanning because the TCP connection is half opened, it may not appear in the target system's logs.

nmap -sT 192.168.1.1 = Half Connect Scan

nmap -sS 192.168.1.1 = Full Connect Scan

In addition to port scanning with Nmap, information about the operating system of the target system can also be obtained. The "-O" parameter can test the target computer's operating system using operating system-specific TCP/IP stack structures and various distinctive features.

nmap -O 192.168.1.1

Additionally, a fake IP can be shown to trick the target system with the "-S" parameter.

nmap 192.168.1.1 -S 192.168.1.20

Here, while scanning the computer with the IP address 192.168.1.1, the connection shown in the system logs indicates that the connection is coming from 192.168.1.20 even if you are connecting from 192.168.1.2 or anywhere else.

If there is a firewall on the target system, the scanning method with nmap may not work. In this case, sending packets by fragmentation may work. The "-f" parameter is used.

nmap -sT 192.168.1.1 -f

To learn the versions of services running on the target system, we use the "-sV" parameter.

nmap -sV 192.168.1.1

#############################

nmap -sS -sV -O 192.168.1.1

This command performs full connect scanning on the target system, and provides information about the versions of running services and the operating system.