Question

real example of using nmap in real life

Answer 1

Scanning of ports of remote system for cheking the vulnerability:

Answer 2

nmap -v scanme.nmap.org

This option scans all reserved TCP ports on the machine scanme.nmap.org . The -v option enables verbose mode.

nmap -sS -O scanme.nmap.org/24

Launches a stealth SYN scan against each machine that is up out of the 256 IPs on the class C sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

nmap -v -iR 100000 -Pn -p 80

Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -Pn since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

Answer 3

The following scenarios are common examples that are found in many organizations. These are written from the perspective of a network or security manager who provides uptime and availability of an organization's systems. It's also assumed that the security team will have nmap scanning systems that run with privileged access.

With every nmap scan, there are some options that are always recommended. The verbose option should always be specified at its highest level (-vv), and the universal output format (-oA) should also be used. Since the differently formatted nmap output files occasionally contain different pieces of information, saving the nmap information into all formats can provide important information after the scan. It's also assumed that the security team will have nmap scanning system that run with privileged access.

The --excludefile option should also be used with every nmap scan. The exclude file should be updated with the most important IP addresses in the organization, or the IP addresses that should never be scanned under any circumstances. Nmap scans that operate without incident on some systems may have far-reaching effects on others! For example, an older telephone system or a legacy router may not be able to provide the resources required by nmap, and these systems may crash or become unavailable if the nmap scan is too aggressive. Exclude options always take priority over any includes, so identifying these IP addresses in an exclude file will ensure that they are never scanned by nmap.