Nmap Ping Sweep Examples
Defining Ports to Scan with Nmap
Nmap NULL Scan
Nmap FIN Scan
Nmap Xmas Scan
Nmap ARP Scan
Updating Nmap NSE database
Get devices OS, workgroup, domain, device name over SMB protocol
Finding Zombie for Idle Scan
Executing an Idle scan
Scanning ranges for vulnerabilities
Scanning for smb-vuln-ms08-067 vulnerability
Brute force against SSH with Nmap NSE
Related articles
Brief introduction to this article
This article is a summary of subjects related to Nmap which were explained in previous articles (you can access them in the Related Articles section). In it, examples of what was previously taught are applied, when possible, to real scenarios. The examples range from host discovery to vulnerability auditing, network problem diagnostics and more. This tutorial avoids basic descriptions of Nmap and deep explanations of flags, which can be found in the articles linked at the end; here you'll find examples from basic scans to complex vulnerability scans against vulnerable virtual machines and real scenarios.
Nmap Ping Sweep Examples
Nmap ping sweep examples were explained in depth in the tutorial Nmap ping sweep. In short, as summarized by Wikipedia, "In computing, a ping sweep is a method that can establish a range of IP addresses which map to live hosts."; it is simply a method to discover online devices within a network or range.
The options -sP and -sn (equivalents) instruct Nmap to skip the port scan after discovery. In the following example the wildcard (*) is applied, instructing Nmap to discover all hosts of a class C network (described in the chapter Brief Introduction to Subnets).
This flag or option instructs Nmap to skip the initial ping and assume the host is alive. The following scan skips the ping to discover hosts within the range 192.168.0.2 to 192.168.0.240; note that a hyphen was used in the last octet to define the range.
nmap -PA 192.168.*.*
Defining Ports to Scan with Nmap
Defining ports with the -p flag:
Defining a port to scan with Nmap is pretty easy, just add the flag -p and the port, or ports separated by commas.
In the following example the port range is defined with a hyphen to scan LinuxHint's ports 22 to 80:
The next example shows Nmap scanning two different port ranges separated by commas:
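The target and port notations used in the ping sweep and -p examples above (the wildcard in 192.168.*.*, the hyphen range in 192.168.0.2-240, and comma-separated port ranges) can be expanded locally to review a scan's scope before running it. This is an added example written for this page, not code from the article or from the Nmap project; the helper names are its own.

```python
"""Expand Nmap-style target and port specifications.

Added example (not from the original article or the Nmap project): it
implements the wildcard and hyphen target notations used above and the
-p port syntax (22-80, comma-separated lists and ranges), so the scope
of a scan can be reviewed before it is run.
"""
import itertools
from typing import List

def _expand_octet(spec: str) -> List[int]:
    """One octet of a target spec: '7', '*', '2-240' or '1,3,5-7'."""
    values: List[int] = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)      # Nmap also allows '-', '10-' and '-20'
            values.extend(range(int(lo or 0), int(hi or 255) + 1))
        else:
            values.append(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range: {spec}")
    return sorted(set(values))

def expand_targets(spec: str) -> List[str]:
    """Expand an Nmap IPv4 target spec into individual addresses."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {spec}")
    ranges = [_expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*ranges)]

def expand_ports(spec: str) -> List[int]:
    """Expand an Nmap -p spec ('22-80', '22,80', '1-100,443') into ports."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)      # '-p-' means every port, 1-65535
            ports.update(range(int(lo or 1), int(hi or 65535) + 1))
        else:
            ports.add(int(part))
    if any(p < 0 or p > 65535 for p in ports):
        raise ValueError(f"port out of range: {spec}")
    return sorted(ports)

def scan_footprint(target_spec: str, port_spec: str) -> int:
    """Number of host/port pairs a scan would probe: hosts x ports."""
    return len(expand_targets(target_spec)) * len(expand_ports(port_spec))
```

A 192.168.*.* sweep touches 65,536 addresses, which is worth knowing before pointing it at a production network.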
Nmap ARP Scan
The main features of Nmap's ARP scan now belong to Nping, a tool that is part of the Nmap suite. The following examples include two using Nmap and one using Nping.
Conversely, the following example forces a discovery-only (no port scan), non-ARP scan on a local network:
The final example shows an ARP scan executed through Nping, part of the Nmap suite, which inherited Nmap's flags to customize ARP scans.
As you can see, Nping identifies every IP with its corresponding MAC address.
Nmap FIN Scan
The next example is an aggressive FIN scan against a port range:
This is an example of an insane FIN scan against a single device:
To end the FIN scan examples, let's do a less aggressive scan against a Metasploit virtual device:
Nmap NULL Scan example
The following example shows a NULL scan against linuxhint.com port 80. Remember that in many scenarios Nmap NULL, Xmas and FIN scans can't distinguish between open and filtered ports.
Now let’s try an insane scan against a router:
Usually NULL, Xmas and FIN scans can't distinguish an open port from a filtered one. The next example adds the -sV option to help make that distinction, but adding it results in a less stealthy scan:
Nmap Xmas Scan example
An example of an aggressive Xmas scan:
Now a less aggressive Xmas scan against ports 80 and 22:
The next example is similar to the above, but includes level 2 verbosity:
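The reason the NULL, FIN and Xmas scans above report open|filtered is RFC 793 behaviour: a closed port answers a RST, an open port silently drops a segment that carries none of SYN, ACK or RST, and a firewall dropping the probe is silent too. The following added example (written for this page, not code from the article) models that reply logic and shows how a defender can flag these probes in captured traffic, since no legitimate client sends such flag combinations; the packet records are constructed.

```python
"""Classify stealth-scan probes (NULL, FIN, Xmas) from captured TCP flags.

Added example, not from the original article: constructed packet records
show why these scans cannot tell an open port from a filtered one and how
a defender spots them (a normal client never sends these flag sets).
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBES = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "Xmas"}

def probe_type(flags: int) -> Optional[str]:
    """Name the stealth probe a flag byte represents, or None if benign."""
    return PROBES.get(flags)

def rfc793_reply(flags: int, port_state: str) -> str:
    """Reply of an RFC 793 stack; port_state is 'open', 'closed' or
    'filtered' (a firewall silently dropping the probe)."""
    if port_state == "filtered" or flags & RST:
        return "none"
    if port_state == "closed":
        return "RST"
    # LISTEN state: ACK gets RST, SYN gets SYN-ACK, anything else is dropped
    if flags & ACK:
        return "RST"
    return "SYN-ACK" if flags & SYN else "none"

def nmap_verdict(reply: str) -> str:
    """How Nmap labels a port after a NULL/FIN/Xmas probe."""
    return "closed" if reply == "RST" else "open|filtered"

# Constructed packet records: (src, dst, dport, flags)
PACKETS: List[Tuple[str, str, int, int]] = [
    ("10.0.0.9", "10.0.0.20", 80, 0),                 # NULL probe
    ("10.0.0.9", "10.0.0.20", 22, FIN),               # FIN probe
    ("10.0.0.9", "10.0.0.20", 443, FIN | PSH | URG),  # Xmas probe
    ("10.0.0.7", "10.0.0.20", 80, SYN),               # normal handshake
    ("10.0.0.7", "10.0.0.20", 80, ACK | PSH),         # normal data
]

def suspicious_sources(packets, min_ports: int = 2) -> Dict[str, Set[int]]:
    """Sources that sent stealth probes to at least min_ports distinct ports."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for src, _dst, dport, flags in packets:
        if probe_type(flags):
            seen[src].add(dport)
    return {s: p for s, p in seen.items() if len(p) >= min_ports}
```

Note that Windows and some other stacks answer RST regardless of port state, which is why these scans only work against RFC-compliant targets.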
Update scripts database
Before using the Nmap NSE update the database by running:
Get devices OS, workgroup, domain, device name over SMB protocol
The following example uses the NSE script --script smb-os-discovery (https://nmap.org/nsedoc/scripts/smb-os-discovery.html) against the whole last two octets of the network 172.31.X.X:
Two Windows XP computers were found, great candidates for an Idle scan, which will be explained later in this tutorial.
Finding Zombie for Idle Scan
The following example shows how to search for a zombie candidate to execute an Idle scan, by scanning the last octet of the 10.100.100.X network with the NSE script ipidseq (https://nmap.org/nsedoc/scripts/ipidseq.html).
Another way to find potential zombie candidates for Idle scans:
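What ipidseq reports is the class of a host's IP ID sequence: a single global, incrementing counter (as on the Windows XP machines found above) is what makes a host usable as a zombie, while zeroed, per-destination or random IDs do not. The following added example, written for this page and not taken from the article or from ipidseq.nse, is a simplified re-implementation of that classification for auditing your own hosts from a few captured IP ID samples; the thresholds are this example's assumptions, not the script's exact constants.

```python
"""Classify an IPv4 ID sample sequence in the style of Nmap's ipidseq.

Added example, not taken from the article or from ipidseq.nse: a
simplified classification for auditing your own hosts. Thresholds are
assumptions of this example, not the script's exact constants.
"""
from typing import List

def ipid_diffs(ids: List[int]) -> List[int]:
    """Forward differences modulo 2^16 (the IP ID field wraps at 65535)."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def ipid_class(ids: List[int]) -> str:
    """Name the sequence class of the sampled IP IDs."""
    if len(ids) < 2:
        return "Unknown"
    if all(i == 0 for i in ids):
        return "All zeros"                   # e.g. DF set, ID unused
    diffs = ipid_diffs(ids)
    if all(d == 0 for d in diffs):
        return "Constant"
    # A little-endian counter shows up as multiples of 256 on the wire
    if all(d % 256 == 0 and d < 25600 for d in diffs):
        return "Broken little-endian incremental"
    if all(d < 10 for d in diffs):
        return "Incremental"
    if any(d > 20000 for d in diffs):
        return "Randomized"
    return "Busy server or unknown class"

def usable_as_zombie(ids: List[int]) -> bool:
    """True when the host has the predictable global counter an Idle scan needs."""
    return ipid_class(ids) in ("Incremental", "Broken little-endian incremental")

# Constructed samples (capture order), one list per audited host
SAMPLES = {
    "xp-host":    [3101, 3102, 3103, 3104, 3105, 3106],    # global counter
    "le-host":    [512, 768, 1024, 1280, 1536, 1792],       # 256-step counter
    "linux-host": [0, 0, 0, 0, 0, 0],                       # zeroed IDs
    "bsd-host":   [24563, 61209, 3, 48811, 17728, 40006],   # random IDs
    "busy-host":  [100, 540, 1200, 1650, 2300, 2900],       # counter under load
}

def audit(samples=SAMPLES) -> List[str]:
    """Hosts whose IP ID generation should be fixed (or which should be retired)."""
    return sorted(h for h, ids in samples.items() if usable_as_zombie(ids))
```

The remediation is on the zombie side: hosts that report Incremental have an IP ID scheme that modern operating systems replaced with per-destination or randomized IDs.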
Executing an Idle scan
Running an Idle scan using a candidate found in the previous step:
Another Idle scan using the same candidate against a gateway:
An Idle scan against the FTP of a router using a Windows 98 virtualized device:
Scanning ranges for vulnerabilities
Scanning for smb-vuln-ms08-067 vulnerability
The following scan uses the NSE script smb-vuln-ms08-067 (https://nmap.org/nsedoc/scripts/smb-vuln-ms08-067.html) to search for a remote code execution vulnerability on the two last octets of the network:
Brute force against SSH with Nmap NSE
As the title says, by using the ssh-brute.nse NSE script you can brute-force vulnerable SSH services by running:
I hope you found the examples above interesting; below is a list of articles explaining each example in depth. Keep following LinuxHint for more tips and updates on Linux and networking.
Related articles:
NMAP basics Tutorial
nmap network scanning
Nmap Stealth Scan
Nping and Nmap arp scan
Nmap: scan IP ranges
nmap ping sweep
Using nmap scripts: Nmap banner grab
Traceroute with Nmap
Nmap Idle Scan tutorial
How to scan for services and vulnerabilities with Nmap