Nmap is a free and open-source network scanner that provides information about the hosts and services on a computer network. It can show which machines are live on the network, their operating systems, their open ports and even the services that could be running on those ports.
To install the tool, run the following command on Kali Linux. If you are using Windows, you can download Zenmap (the Nmap GUI) instead.
sudo apt install nmap
We will try to scan for live hosts on the local area network 192.168.43.0 (192.168.43.1-250), using a TCP scan with service/version detection (-sV) and no DNS resolution (-n). You can use a UDP scan with -sU instead.
nmap -n -sV 192.168.43.1-250
Looking at the results, you can see the hosts that were found (red arrow). For each host, the port numbers that were found are listed (green arrow), and for each port there is a banner grab that shows the service running on that port (blue arrow).
We can also scan a specific IP address. In this case I enable OS detection, version detection, script scanning and traceroute (-A) with verbose output (-v), reporting the open TCP ports on a target IP address (192.168.43.1). You can also use a domain name such as google.com instead of an IP address. I wanted to save the output to a file, so I used "-oN results.txt".
nmap -oN results.txt -v -A -sV 192.168.43.141
The results are long, so I have highlighted a few sections below, starting with the open ports.
Services enumerated
OS scan, script and traceroute results
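Once a scan is saved to a file, the next step is usually to process it rather than read it by eye. The page saves normal output with -oN; for parsing, Nmap's XML output (-oX) is the machine-readable choice, and its layout (nmaprun, host, status, address, ports, port, state, service) is what this added example assumes. The code below is not from the page or the Nmap project; the XML document is constructed to mirror that layout, and the cleartext-service watch list is an assumption for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's -oX output (not a real scan result).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX results.xml -sV 192.168.43.1-250" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.43.141" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.4p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.43.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain" product="dnsmasq" version="2.86"/></port>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.43.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: [open port dicts sorted by port]} for every host reported as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port information worth keeping
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV found nothing
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts[addr] = sorted(open_ports, key=lambda p: p["port"])
    return hosts


# Assumed watch list: services that carry credentials or data in cleartext and
# therefore deserve a follow-up check when they show up in an inventory scan.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}


def flag_cleartext(hosts):
    """Map each host to the open ports whose detected service is on the watch list."""
    return {
        addr: [p["port"] for p in ports if p["service"] in CLEARTEXT_SERVICES]
        for addr, ports in hosts.items()
    }


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for addr, ports in inventory.items():
        for p in ports:
            print(f"{addr}:{p['port']}/{p['proto']} {p['service']} {p['product'] or ''} {p['version'] or ''}".rstrip())
    print("cleartext services:", flag_cleartext(inventory))
```

Re-run the scan from the page with -oX results.xml instead of -oN and pass the file contents to parse_nmap_xml to get the same inventory from a real result; the watch list is the part to adapt to your own environment.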
nmap -sT -v 192.168.43.141
This is a TCP connect scan: for each port it sends a SYN, receives the SYN/ACK, and replies with an ACK, completing the three-way handshake in the same way as a normal client connection. Because a full connection is established on every scanned port, this is normally easily detected by an intrusion detection system and often appears in the target service's own logs.
nmap -sX -v 192.168.43.141
The Xmas scan does not complete a connection with the host because it sends FIN, PSH, URG and ACK packets. As a result, it is less likely to trigger an intrusion detection system, and it is regarded as a stealth scan.
nmap -n -sS 192.168.43.141
The "-sS" option selects the TCP SYN scan, also called the "stealth" or half-open scan. It sends a SYN packet to each target port to determine whether the port is open, without completing the TCP handshake (a SYN/ACK reply means the port is open, an RST means it is closed). Because no full TCP connection is established, it is stealthier than a connect scan and less likely to be detected by intrusion detection systems (IDS) or firewalls.
nmap -n -sS -f 192.168.43.141
Fragmentation scanning (-f) splits the probe packets into small IP fragments, which makes it harder for packet filters and intrusion detection systems to reassemble and inspect what is being sent. This is even more covert than using the SYN scan alone.
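The four scan types above differ in what the target actually sees on the wire: a completed handshake, a SYN followed by a RST, an unsolicited FIN/PSH/URG probe, or probes arriving as IP fragments. The added example below, written for this page and not taken from it or from Nmap, shows the detection side of that: it classifies per-flow packet records by those patterns and raises an alert when one source touches many ports. The packet records are constructed (client, server, server port, direction, TCP flags, IP more-fragments bit), and the port threshold is an assumed value.

```python
from collections import defaultdict

# Constructed sample packet records (not a real capture). Each record is
# (client, server, server_port, direction, tcp_flags, more_fragments) where
# direction is "c2s" (client -> server) or "s2c" (server -> client).
SAMPLE_PACKETS = [
    # -sT style: SYN, SYN/ACK, ACK completes the three-way handshake
    ("10.0.0.5", "10.0.0.10", 22, "c2s", {"SYN"}, False),
    ("10.0.0.5", "10.0.0.10", 22, "s2c", {"SYN", "ACK"}, False),
    ("10.0.0.5", "10.0.0.10", 22, "c2s", {"ACK"}, False),
    ("10.0.0.5", "10.0.0.10", 80, "c2s", {"SYN"}, False),
    ("10.0.0.5", "10.0.0.10", 80, "s2c", {"SYN", "ACK"}, False),
    ("10.0.0.5", "10.0.0.10", 80, "c2s", {"ACK"}, False),
    ("10.0.0.5", "10.0.0.10", 443, "c2s", {"SYN"}, False),
    ("10.0.0.5", "10.0.0.10", 443, "s2c", {"RST", "ACK"}, False),   # closed port
    # -sS style: SYN, SYN/ACK, then RST from the scanner; handshake never completes
    ("10.0.0.7", "10.0.0.10", 22, "c2s", {"SYN"}, False),
    ("10.0.0.7", "10.0.0.10", 22, "s2c", {"SYN", "ACK"}, False),
    ("10.0.0.7", "10.0.0.10", 22, "c2s", {"RST"}, False),
    ("10.0.0.7", "10.0.0.10", 80, "c2s", {"SYN"}, True),            # fragmented probe (-f)
    ("10.0.0.7", "10.0.0.10", 80, "s2c", {"SYN", "ACK"}, False),
    ("10.0.0.7", "10.0.0.10", 80, "c2s", {"RST"}, False),
    ("10.0.0.7", "10.0.0.10", 8080, "c2s", {"SYN"}, True),          # no reply seen
    # -sX style: FIN/PSH/URG probe; open ports stay silent, closed ports answer RST
    ("10.0.0.9", "10.0.0.10", 22, "c2s", {"FIN", "PSH", "URG"}, False),
    ("10.0.0.9", "10.0.0.10", 23, "c2s", {"FIN", "PSH", "URG"}, False),
    ("10.0.0.9", "10.0.0.10", 23, "s2c", {"RST", "ACK"}, False),
    ("10.0.0.9", "10.0.0.10", 25, "c2s", {"FIN", "PSH", "URG"}, False),
    # Ordinary client: one connection to one port
    ("10.0.0.20", "10.0.0.10", 443, "c2s", {"SYN"}, False),
    ("10.0.0.20", "10.0.0.10", 443, "s2c", {"SYN", "ACK"}, False),
    ("10.0.0.20", "10.0.0.10", 443, "c2s", {"ACK"}, False),
]

XMAS_FLAGS = {"FIN", "PSH", "URG"}


def classify_flow(packets):
    """Label one (client, server, port) flow by how the client probed it.

    packets: list of (direction, frozenset_of_flags, more_fragments).
    Returns (kind, fragmented) where kind is one of
    connect, syn, xmas, incomplete, other, none.
    """
    c2s = [flags for (direction, flags, _) in packets if direction == "c2s"]
    s2c = [flags for (direction, flags, _) in packets if direction == "s2c"]
    fragmented = any(mf for (_, _, mf) in packets)
    if not c2s:
        return "none", fragmented
    if c2s[0] == XMAS_FLAGS:
        return "xmas", fragmented
    if c2s[0] == {"SYN"}:
        if {"SYN", "ACK"} in s2c and {"ACK"} in c2s:
            return "connect", fragmented     # full handshake completed (-sT)
        if {"RST"} in c2s:
            return "syn", fragmented         # scanner tore down after SYN/ACK (-sS)
        return "incomplete", fragmented      # closed port or no reply: ambiguous
    return "other", fragmented


def summarize(packets, port_threshold=3):
    """Group records into flows, classify each, and alert on sources touching many ports."""
    flows = defaultdict(list)
    for client, server, port, direction, flags, mf in packets:
        flows[(client, server, port)].append((direction, frozenset(flags), mf))
    report = {}
    for (client, server, port), flow in flows.items():
        kind, fragmented = classify_flow(flow)
        entry = report.setdefault(
            client, {"ports": set(), "kinds": defaultdict(int), "fragmented": 0, "alert": False}
        )
        entry["ports"].add((server, port))
        entry["kinds"][kind] += 1
        entry["fragmented"] += int(fragmented)
    for entry in report.values():
        entry["kinds"] = dict(entry["kinds"])
        # Assumed threshold: one source probing this many distinct ports is treated as a scan.
        entry["alert"] = len(entry["ports"]) >= port_threshold
    return report


if __name__ == "__main__":
    for client, entry in summarize(SAMPLE_PACKETS).items():
        print(client, "ports:", len(entry["ports"]), entry["kinds"],
              "fragmented:", entry["fragmented"], "ALERT" if entry["alert"] else "")
```

The "incomplete" label is deliberate: a SYN to a closed port looks the same from a connect scan and a SYN scan, so the classifier only commits to connect or syn when it has seen the client's ACK or RST. Fragmented probes are counted separately because a sensor that does not reassemble fragments will not even see the flags, which is exactly why -f is described as more covert.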