
Short and simple introduction.
In this video you are going to learn how to install Kali Linux on VirtualBox.
Here are the download and instruction/documentation links used in this video, or useful in relation to it (you can also download this list as .txt and .pdf files):
Oracle VirtualBox download for Windows, Linux and Mac:
https://www.virtualbox.org/wiki/Downloads
Oracle VirtualBox User Manual:
https://download.virtualbox.org/virtualbox/6.1.6/UserManual.pdf
VirtualBox Extension Pack (if you need USB 2.0 and 3.0 support):
https://download.virtualbox.org/virtualbox/6.1.6/Oracle_VM_VirtualBox_Extension_Pack-6.1.6.vbox-extpack
Download KALI LINUX virtual images:
https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/#1572305786534-030ce714-cc3b
Official instructions for Kali Linux VBOX installation:
https://www.kali.org/docs/virtualization/install-virtualbox-kali-host/
Official documentation for installation of Kali Linux (Single boot and dual boot, on Mac and PC, encrypted disk install and dual boot with Linux):
https://www.kali.org/docs/installation/
Tutorial for installation of Nmap on Mac OS X.
Official Nmap installation instructions and documentation:
https://nmap.org/book/inst-macosx.html
Download Nmap for MacOS (scroll down to Mac OS X Binaries):
https://nmap.org/download.html
Install Nmap on Microsoft Windows operating systems (Windows 7, 8/8.1 and 10).
We strongly recommend downloading and installing Nmap using the latest stable release self-installer, which automatically installs all needed dependencies for Nmap on Windows.
Official instructions/documentation for Nmap installation on Windows:
https://nmap.org/book/inst-windows.html
Download nmap installation for Windows (Scroll down to Microsoft Windows Binaries):
https://nmap.org/download.html
Nmap Windows installer direct download link:
https://nmap.org/dist/nmap-7.80-setup.exe
(These links are also available as External Resources and Downloadable Materials for this lecture)
Lecture on How to install Nmap on Linux:
We recommend using Kali Linux installed natively or in a virtual machine on your computer/laptop. Kali Linux runs with root privileges and comes with Nmap preinstalled. Since Nmap is very simple and easy to use within the Kali Linux environment, we decided to use Kali in our lectures.
In order to check Nmap installation status and functionality, open the terminal and type in:
nmap
or just to check the version of Nmap use:
nmap --version
and if your Linux system does not have Nmap installed use:
sudo apt-get install nmap
(sudo stands for "superuser do" in Linux and runs a command with superuser privileges; you will probably be prompted for the password you set during Linux OS installation. See https://help.ubuntu.com/community/RootSudo for more information.)
If you wish to install nmap on Linux from the GitHub mirror, navigate to:
https://github.com/nmap/nmap
and to download the nmap source code, run in your terminal (no sudo is needed to clone into your own directory):
git clone https://github.com/nmap/nmap.git
and when cloning is finished navigate to nmap directory using:
cd nmap
and then:
./configure
and:
make
and finally (with superuser privileges, because this step writes into system directories):
sudo make install
to test Nmap run one of these or both of them:
nmap
nmap --version
to test Nmap scanning functionality, run a basic scan:
nmap scanme.nmap.org
(more about this in later video lectures)
Learn how to do port scans and how to list open ports.
To see if a host is alive, open your terminal and use the ping command:
ping <address/hostname>
and real examples would look like this:
ping scanme.nmap.org
ping google.com
ping 192.168.1.1
ping 192.168.1.0
http://scanme.nmap.org/ is a service provided by the Nmap project and insecure.org to help people learn about nmap and test their nmap installations.
Respect the Nmap team: a few scans a day is OK, but don't hammer the server too hard.
to do an nmap scan against scanme.nmap.org use:
nmap scanme.nmap.org
or if you want to add verbosity (you can use -v, -vv or -vvv, three levels of verbosity that increase the amount of output and information during the scan):
nmap scanme.nmap.org -v
to change the DNS server that the scan resolves names through use (to learn more about what DNS is and how it works visit: https://www.cloudflare.com/learning/dns/what-is-dns/):
nmap --dns-servers 1.1.1.1 scanme.nmap.org
to use multiple DNS servers, separate the addresses with commas and no spaces (a space would make the next address a scan target instead):
nmap --dns-servers 1.1.1.1,4.4.4.4 scanme.nmap.org
to skip using DNS resolution during scans use -n:
nmap -n scanme.nmap.org
to force nmap to do DNS resolution use -R:
nmap -R scanme.nmap.org
To specify a port range when conducting Nmap scans use -p followed by two numbers with a dash (-) character between them; this scan covers all ports from 1 to 30:
nmap -p1-30 scanme.nmap.org
to scan a single specific port, do it like this; the command below scans only port 4444:
nmap -p4444 scanme.nmap.org
to scan two specific ports (both 4444 and 81) use:
nmap -p4444,81 scanme.nmap.org
to conduct a scan against a single port (443) using the 1.1.1.1 DNS server (Cloudflare) use:
nmap --dns-servers 1.1.1.1 -p443 scanme.nmap.org
Learn how to detect service versions on remote hosts
to do service version detection use (adding verbosity (-v) is optional):
nmap -sV -v scanme.nmap.org
to increase the intensity of version detection use levels from 1 to 9:
nmap -sV --version-intensity 9 scanme.nmap.org
to use aggressive scanning use -A; this nmap flag combines three modes, -O (operating system detection), -sV (service version detection) and -sC (script scanning):
nmap -A scanme.nmap.org
or spell the options out:
nmap -sC -sV -O scanme.nmap.org
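As an added example (not part of the course material), here is how a practitioner turns -sV results into a machine-readable inventory of exposed services, the step that usually follows a version scan in an assessment. Nmap can write its results as XML with the -oX option (a real nmap option that the course does not cover); the XML below is a constructed sample in that format with made-up product and version values, embedded so the script runs offline without nmap. The distinction it surfaces is the service element's method attribute: "probed" means -sV actually matched a banner, while "table" means the name is only the nmap-services guess for that port number.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (the shape produced by -oX); the host,
# products and versions are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - scanme.nmap.org">
  <host>
    <status state="up"/>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.7" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one record per scanned port: address, port, proto, state, service, product, version."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "address": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="probed": -sV matched a real banner; method="table": only the
                # nmap-services guess for that port number, so treat it as unconfirmed
                "probed": svc is not None and svc.get("method") == "probed",
            })
    return records


def open_services(xml_text):
    """Inventory view: open ports whose service was confirmed by a version probe."""
    return [r for r in parse_services(xml_text) if r["state"] == "open" and r["probed"]]


def unconfirmed(xml_text):
    """Ports whose service name is only a port-number guess and still needs a closer look."""
    return [r for r in parse_services(xml_text) if not r["probed"]]


if __name__ == "__main__":
    for rec in open_services(SAMPLE_XML):
        print(f"{rec['address']}:{rec['port']}/{rec['proto']} {rec['service']} "
              f"{rec['product']} {rec['version']}")
    for rec in unconfirmed(SAMPLE_XML):
        print(f"unconfirmed: {rec['port']}/{rec['proto']} ({rec['state']}, guessed {rec['service']})")
```

Feeding real scan output through this (nmap -sV -oX scan.xml target, then parse_services(open("scan.xml").read())) gives a list you can diff against the previous scan, which is how exposed-service drift is normally tracked.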
Learn how to find live hosts in local area networks.
To run nmap on Microsoft Windows, inside the nmap installation directory hold Left Shift on your keyboard, right-click and choose "Open command window here". To run nmap from that terminal run:
nmap.exe
To check for live hosts in the local network through the Windows cmd/terminal (I am using the default gateway of my own network in the example):
nmap.exe -sP 192.168.7.1/24
To display the IP addresses (IPv4 and IPv6), subnet masks and default gateway for all adapters run ipconfig (ifconfig is the equivalent command on Linux):
ipconfig
or on Linux:
ifconfig
Switch to your Linux OS (preferably Kali Linux) for the following, because Windows does not support sending raw IP packets.
To discover hosts you can also use a non-nmap application:
netdiscover
To send IP level packets instead of raw ethernet packets while discovering hosts use:
nmap -sP --send-ip 192.168.7.1/25
To use an NSE script for host discovery and get more detailed output about hosts:
nmap -sP --script discovery 192.168.7.1/24
Learn how to scan port ranges in nmap.
To run a port scan against only port 80 run:
nmap -p80 google.com -v
To run a port scan against only port 443 run:
nmap -p443 google.com -v
To run a port scan against only port 4444 run:
nmap -p4444 google.com -v
To scan for port 80 on all addresses of your local network run:
nmap -p80 192.168.7.1/24 -v
To scan port 80 on localhost run:
nmap -p80 localhost -v
or
nmap -p80 127.0.0.1
To scan multiple ports on one host run:
nmap -p80,443,2000,4444 google.com
nmap -p80,443,2000,4444 scanme.nmap.org
To scan a range of ports from 1 to 100 (or any given range) run:
nmap -p1-100 google.com
To scan all ports (1-65535) run:
nmap -p- scanme.nmap.org
To scan for a specific service, http for example, run:
nmap -p http localhost
or
nmap -p http 127.0.0.1
To scan for all http-related service names run:
nmap -p http* localhost
or
nmap -p http* 127.0.0.1
To scan for https service run:
nmap -p https localhost
To scan for all https-related service names run:
nmap -p https* localhost
Another notation for port ranges uses square brackets:
nmap -p[1-65535] scanme.nmap.org
To scan the full port range against your local network:
nmap -p[1-65535] 192.168.7.1/24
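The -p argument accepts numbers, ranges, comma lists, service names with wildcards and a bracketed range, and it helps to see exactly which ports each form expands to before launching a long scan. The following is an added example, not code from the course or from the Nmap project: it expands a port specification against a small constructed subset of the nmap-services table (the real file has thousands of entries). It also implements the one rule the course does not explain: per the Nmap reference guide, a range in square brackets such as [1-65535] selects only the ports in that range that are listed in nmap-services, not every port number. The T:/U: protocol prefixes are not handled.

```python
import fnmatch

# Constructed subset of nmap-services as (port, protocol, name); the real table
# is far larger, but a small embedded copy lets this run offline.
SERVICES = [
    (21, "tcp", "ftp"), (22, "tcp", "ssh"), (53, "udp", "domain"),
    (80, "tcp", "http"), (443, "tcp", "https"), (591, "tcp", "http-alt"),
    (1337, "tcp", "menandmice-dns"), (3128, "tcp", "squid-http"),
    (8000, "tcp", "http-alt"), (8080, "tcp", "http-proxy"),
    (8443, "tcp", "https-alt"),
]


def parse_range(text):
    """'1-30' -> (1, 30); '-' -> (1, 65535); '-1024' -> (1, 1024); '80' -> (80, 80)."""
    if "-" not in text:
        port = int(text)
        return port, port
    low, high = text.split("-", 1)
    low = int(low) if low else 1          # nmap's '-p-' starts at 1; '-p0-' includes port 0
    high = int(high) if high else 65535
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return low, high


def expand_port_spec(spec, services=SERVICES):
    """Expand an nmap -p argument into the sorted list of ports it selects."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("[") and item.endswith("]"):
            # bracketed range: only ports in that range that nmap-services knows about
            low, high = parse_range(item[1:-1])
            ports.update(p for p, _, _ in services if low <= p <= high)
        elif item[0].isdigit() or item[0] == "-":
            low, high = parse_range(item)
            ports.update(range(low, high + 1))
        else:
            # a service name, optionally with shell-style wildcards (http*, https?)
            matched = {p for p, _, name in services if fnmatch.fnmatchcase(name, item)}
            if not matched:
                raise ValueError(f"no service in nmap-services matches {item!r}")
            ports.update(matched)
    return sorted(ports)


if __name__ == "__main__":
    for spec in ("1-30", "4444,81", "http", "http*", "[1-1000]", "-"):
        result = expand_port_spec(spec)
        print(f"-p{spec}: {len(result)} port(s), first {result[:6]}")
```

Running it against the course's own examples shows why -p http* and -p [1-65535] differ from a plain range: the former picks every http-prefixed name (https, http-alt, http-proxy and so on), the latter touches only known service ports.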
Learn how to use specific network interfaces when conducting nmap scans:
To determine the network interface (on Linux) use:
ip link show
or
ifconfig
To do the same on Windows, navigate to the nmap/zenmap installation directory, hold Left Shift, right-click inside the folder, click "Open command window here" and run:
ipconfig
Inside a Linux environment, to scan using a specific interface run:
nmap -e eth0 scanme.nmap.org
To check whether our network interface can properly communicate with a host on the network run:
nmap -sP -e eth0 192.168.7.1
to begin with NSE scripts run this example:
nmap -sV --script http-title scanme.nmap.org
to include multiple NSE scripts in one scan:
nmap -sV --script http-title,http-headers scanme.nmap.org
to run all the scripts in the NSE vuln category run:
nmap --script vuln scanme.nmap.org
to run all the scripts from multiple NSE categories run:
nmap -sV --script="version,discovery" scanme.nmap.org
to run all the scripts from exploit category run:
nmap -sV --script exploit scanme.nmap.org
to exclude a specific NSE category (in this case the exploit category) run:
nmap -sV --script "not exploit" scanme.nmap.org
to exclude specific NSE scripts from a selection (in this example we exclude http-slowloris and http-brute from the http-* scripts) run:
nmap -sV --script "(http-*) and not (http-slowloris or http-brute)" scanme.nmap.org
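Before running a --script expression against anything, it is worth knowing exactly which scripts it selects, since a category like intrusive or dos can be pulled in by a broad wildcard. The block below is an added example, not code from the course or from the Nmap project: it evaluates the same expression grammar nmap uses for --script (categories, script names, shell-style wildcards, comma as "or", and/or/not with parentheses) against a constructed catalogue of a few real script names with their categories, so it runs offline. Like nmap, it rejects a term that matches nothing, which is also what catches a typo such as a stray quote character glued to a category name.

```python
import fnmatch
import re

# Constructed catalogue: a handful of real NSE script names and their categories,
# embedded here instead of reading nmap's script.db so the example runs offline.
SCRIPTS = {
    "banner":             {"discovery", "safe"},
    "dns-brute":          {"discovery", "intrusive"},
    "http-brute":         {"brute", "intrusive"},
    "http-headers":       {"discovery", "safe"},
    "http-methods":       {"default", "discovery", "safe"},
    "http-server-header": {"version"},
    "http-shellshock":    {"exploit", "vuln", "intrusive"},
    "http-slowloris":     {"dos", "intrusive"},
    "http-title":         {"default", "discovery", "safe"},
    "ssl-heartbleed":     {"vuln", "safe"},
}

# Tokens: parentheses, the comma (nmap treats it as "or"), the keywords
# and/or/not, and anything else (a category, a script name or a wildcard).
TOKEN = re.compile(r"\s*(\(|\)|,|and\b|or\b|not\b|[^\s(),]+)")


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:              # only trailing whitespace is left
            break
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def match_term(term, scripts):
    """A bare term selects every script in that category or whose name matches the pattern."""
    if term == "all":
        return set(scripts)
    hits = {name for name, cats in scripts.items()
            if term in cats or fnmatch.fnmatchcase(name, term)}
    if not hits:                   # nmap refuses to run in this case as well
        raise ValueError(f"{term!r} did not match a category or script name")
    return hits


class _Parser:
    """Recursive descent over the token list; precedence is or (and comma) < and < not."""

    def __init__(self, tokens, scripts):
        self.toks, self.i, self.scripts = tokens, 0, scripts

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self.peek() in ("or", ","):
            self.take()
            result = result | self.parse_and()
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek() == "and":
            self.take()
            result = result & self.parse_not()
        return result

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return set(self.scripts) - self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok is None or tok in (")", ",", "and", "or", "not"):
            raise ValueError(f"unexpected token {tok!r}")
        return match_term(tok, self.scripts)


def select_scripts(expr, scripts=SCRIPTS):
    """Sorted list of script names that an nmap --script expression selects from the catalogue."""
    parser = _Parser(tokenize(expr), scripts)
    selected = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return sorted(selected)


if __name__ == "__main__":
    for expr in ("vuln", "not exploit", "version,discovery",
                 "(http-*) and not (http-slowloris or http-brute)"):
        print(f"{expr!r:55} -> {select_scripts(expr)}")
```

Against the real catalogue you can get the same answer from nmap itself with nmap --script-help "<expression>", which lists the selected scripts without scanning anything.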
Learn how to brute force DNS records.
To bruteforce DNS records run:
nmap --script dns-brute scanme.nmap.org
Learn how to conduct OS scanning through nmap.
To run a simple OS scan run:
nmap -O scanme.nmap.org -v
Adjust the number of OS detection attempts by setting --max-os-tries to a value between 1 and 50, for example:
nmap -O --max-os-tries=1 scanme.nmap.org
Learn how to scan UDP services using nmap.
To scan all UDP ports run:
nmap -sU -p- scanme.nmap.org
To quickly check the most common UDP ports, use the fast scan (-F):
nmap -sU -F scanme.nmap.org
To run a UDP scan with a specific port range (1-400 in this example):
nmap -p1-400 -sU scanme.nmap.org
Learn how to identify protocols behind hosts using nmap.
To determine which IP protocols (by protocol number) a host supports run:
nmap -sO scanme.nmap.org
to do the same against a host on your local network run:
nmap -sO 192.168.7.2
Learn to discover firewalls using nmap.
To determine the firewall state and the state of ports (closed/open/filtered/unfiltered) run:
nmap -sA 192.168.7.105
To determine the same for a specific port run:
nmap -p80 -sA 192.168.7.105
or to do the same against a range of ports:
nmap -p1-100 -sA 192.168.7.105 -v
to discover the state of all ports:
nmap -p- -sA 192.168.7.105 -v
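The port states in the UDP and ACK sections mean different things depending on the probe that produced them, and reading a firewall map correctly depends on that mapping. The block below is an added example, not code from the course or from nmap: it encodes the response-to-state rules from the Nmap reference guide for -sS, -sA and -sU and applies them to a constructed set of observations. Two points it makes explicit: an ACK scan never reports open or closed, only unfiltered (a RST came back, so nothing dropped the probe) or filtered; and a UDP port that stays silent is reported as open|filtered, because silence is what both an open service and a dropping firewall look like.

```python
# ICMP destination-unreachable (type 3) codes that nmap treats as "filtered":
# net/host/protocol/port unreachable, network/host admin-prohibited and
# communication admin-prohibited.
ICMP_UNREACHABLE_CODES = {0, 1, 2, 3, 9, 10, 13}


def classify(scan, response, icmp_code=None):
    """Map one probe response to the port state nmap reports for that scan type.

    scan:      'syn' (-sS), 'ack' (-sA) or 'udp' (-sU)
    response:  'syn-ack', 'rst', 'udp' (a UDP reply), 'icmp', or None (no reply after retries)
    icmp_code: code of the ICMP type 3 message when response == 'icmp'
    """
    icmp_filtered = response == "icmp" and icmp_code in ICMP_UNREACHABLE_CODES
    if scan == "syn":
        if response == "syn-ack":
            return "open"
        if response == "rst":
            return "closed"
        if response is None or icmp_filtered:
            return "filtered"
    elif scan == "ack":
        # ACK probes carry no connection state, so the only question is whether the
        # packet reached the host: a RST proves it did, silence or an ICMP error
        # means something in between dropped it.
        if response == "rst":
            return "unfiltered"
        if response is None or icmp_filtered:
            return "filtered"
    elif scan == "udp":
        if response == "udp":
            return "open"
        if response == "icmp" and icmp_code == 3:   # port unreachable
            return "closed"
        if icmp_filtered:
            return "filtered"
        if response is None:
            return "open|filtered"    # an open service that ignored the probe, or a firewall drop
    raise ValueError(f"unexpected response {response!r} (code {icmp_code}) for {scan} scan")


# Constructed observations: (port, response, icmp_code) for an ACK scan and a UDP
# scan of a host behind a firewall. Values are made up for this example.
OBSERVED = {
    "ack": [(22, "rst", None), (80, None, None), (443, "icmp", 13)],
    "udp": [(53, "udp", None), (161, None, None), (1337, "icmp", 3)],
}


def summarize(scan, observations):
    """Port -> state, the same table nmap prints at the end of a scan."""
    return {port: classify(scan, response, code) for port, response, code in observations}


if __name__ == "__main__":
    for scan, obs in OBSERVED.items():
        print(scan, summarize(scan, obs))
```

Reading the ACK result together with a SYN scan of the same ports is what separates "closed on the host" from "dropped by a firewall in front of it": a port that is filtered in -sS but unfiltered in -sA is reachable yet has nothing listening.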
Learn how to identify services with vulnerabilities:
Run inside your terminal:
cd /usr/share/nmap/scripts/
then clone the github repository:
git clone https://github.com/scipag/vulscan
then download the vulners script into the same directory:
wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
to check that the script is working:
nmap --script vulners -sV scanme.nmap.org
Learn how to use zombie hosts to spoof origins of port scans.
To find addresses with incremental IP ID sequences run:
nmap --script ipidseq 192.168.7.0/24
to use an address with an incremental IP ID sequence (if you found one using the method above) to spoof the origin of the port scan:
nmap -Pn -sI 192.168.7.1 192.168.7.102
another option for zombie host discovery is using an OS scan:
nmap -sV -v -O scanme.nmap.org
to check the IP ID sequence of an IP address:
nmap -p80 --script ipidseq 45.33.32.156
Learn how and when to use TCP SYN ping scans.
To do a TCP SYN ping scan (which more easily discovers hosts behind firewalls) run:
nmap -sP -PS 192.168.7.1/24
to do a regular ping scan:
nmap -sP scanme.nmap.org
to send SYN ping probes to multiple ports:
nmap -sP -PS80,21,53 192.168.7.2
or to a range of ports:
nmap -sP -PS1-1000 192.168.7.2
Learn how to conduct TCP ACK scans through nmap.
To conduct a TCP ACK ping scan, type in your terminal:
nmap -sP -PA scanme.nmap.org
to skip the ping scan when conducting a TCP ACK scan do:
nmap -Pn -sP -PA scanme.nmap.org
to select specific ports when conducting TCP ACK scans:
nmap -sP -PA21,22,81,88,4444 scanme.nmap.org
to use port range when conducting TCP ACK scans:
nmap -sP -PA21-150 scanme.nmap.org
Learn how to conduct UDP ping scans.
To conduct a UDP ping scan run:
nmap -sP -PU scanme.nmap.org
To select ports when conducting UDP ping scans run:
nmap -sP -PU1337,53 scanme.nmap.org
To select a range of ports when conducting UDP ping scans:
nmap -sP -PU1-1000 scanme.nmap.org
Learn about conducting ICMP ping scans through nmap.
To conduct ICMP ping scan run:
nmap -sP -PE scanme.nmap.org
To use ICMP address mask requests as the ping probe (-PM; -PP sends ICMP timestamp requests instead) run:
nmap -sP -PM 192.168.7.1 -v
Learn IP protocol ping scanning through nmap.
To conduct a basic IP protocol ping scan run:
nmap -sP -PO scanme.nmap.org
To get a better picture of what is happening in the background during this scan:
nmap -sP -PO --packet-trace scanme.nmap.org
To run an IP protocol ping scan with a specific protocol run:
nmap -sP -PO<protocol number> scanme.nmap.org
for example (1 is ICMP, 2 is IGMP, 6 is TCP and 17 is UDP):
nmap -sP -PO1 scanme.nmap.org
Generate random data to be sent instead of empty packets:
nmap -sP -PO --data-length 100 scanme.nmap.org
Learn nmap ARP ping scans.
Scan all 256 addresses on your local network using an ARP ping scan (this example was used on my own network, so your notation may differ):
nmap -sP -PR 192.168.7.1/24
To see what is happening in the background:
nmap -sP -PR --packet-trace 192.168.7.1/24
Force nmap not to perform an ARP ping scan (send IP packets instead):
nmap -sP -PR --packet-trace --send-ip 192.168.7.1/24
To spoof your MAC address (enter the desired mac address):
nmap -sP -PR --spoof-mac <mac-address> 192.168.7.1/24
Learn broadcast ping scanning:
To conduct broadcast ping scan run:
nmap --script broadcast-ping 192.168.7.1/24
Increase number of ICMP echo requests:
nmap --script broadcast-ping --script-args broadcast-ping.num_probes=5 192.168.7.0/24 -v
Increase timeout for scanning larger networks (there was a mistake in the video):
nmap --script broadcast-ping --script-args broadcast-ping.timeout=10000 192.168.7.0/24 -v
To specify interface:
nmap --script broadcast-ping --script-args broadcast-ping.interface=eth0 192.168.7.1/24
To add discovered hosts as new targets automatically:
nmap --script broadcast-ping --script-args newtargets 192.168.7.1/24
To cap the number of new targets added:
nmap --script broadcast-ping --script-args max-newtargets=1 192.168.7.1/24
Learn how to hide traffic with random data.
To begin, run inside your terminal:
nmap -sS -PS --data-length 300 192.168.7.1
To force nmap not to send any payload run:
nmap --data-length 0 scanme.nmap.org
Learn how to gather information using forced DNS resolution.
To begin, run in your terminal:
nmap -sS -PS -f -R scanme.nmap.org 45.33.32.1/24
Learn how to exclude hosts from scanning.
run inside one terminal:
netdiscover
in a second terminal run (after you have decided which addresses to exclude):
nmap -sV -O --exclude 192.168.7.102,192.168.7.105 192.168.7.1-200 -v
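A target list like 192.168.7.1-200 with an --exclude list is easy to get subtly wrong (an excluded host written with a typo is silently still scanned), so it pays to expand the specification and check it first. The following is an added example, not code from the course or from nmap: it expands the target notations used on this page, CIDR (192.168.7.1/24), per-octet ranges (192.168.7.1-200) and a per-octet wildcard (192.168.7.*), and removes the excluded addresses, going slightly beyond the page by also accepting comma lists inside an octet. Hostnames are not handled, since resolving them would need DNS.

```python
import ipaddress
import re


def _octet_values(octet):
    """One dotted-quad position: '7', '1-200', '*' or a comma list of those."""
    if octet == "*":
        return list(range(256))
    values = []
    for part in octet.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if m is None:
            raise ValueError(f"bad octet {octet!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet out of range in {part!r}")
        values.extend(range(low, high + 1))
    return values


def expand_target(spec):
    """Expand one nmap target spec into the list of dotted IPv4 addresses it covers."""
    if "/" in spec:
        # nmap ignores the host bits in CIDR form: 192.168.7.1/24 is the whole /24,
        # network and broadcast addresses included (hence "all 256 addresses").
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec {spec!r} (hostnames are not handled)")
    a, b, c, d = (_octet_values(o) for o in octets)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def targets(specs, exclude=()):
    """Ordered, de-duplicated target list minus the excluded hosts, as --exclude does."""
    excluded = {addr for spec in exclude for addr in expand_target(spec)}
    seen, result = set(), []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


if __name__ == "__main__":
    # The course's own example: a 1-200 range with two hosts excluded
    scan_list = targets(["192.168.7.1-200"], exclude=["192.168.7.102", "192.168.7.105"])
    print(len(scan_list), "targets, first", scan_list[:3], "last", scan_list[-1])
```

Nmap itself can show the same expansion without sending a packet: nmap -sL with the same target and --exclude arguments prints the list it would scan, which is the quickest way to confirm that a production host is really excluded.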
Learn how to gather info using broadcast scripts:
run the basic broadcast scripts:
nmap --script broadcast
to sniff the network for a given amount of time (in seconds):
nmap --script broadcast --script-args targets-sniffer.timeout=30
to add new targets:
nmap --script broadcast-ping --script-args newtargets 192.168.7.1/24
To list HTTP methods use:
nmap -p80,443 --script http-methods scanme.nmap.org
to re-test each method listed in the OPTIONS response individually use:
nmap -p80,443 --script http-methods --script-args http-methods.retest scanme.nmap.org
to modify the number of pipeline requests use:
nmap -p80,443 --script http-methods --script-args http-methods.retest scanme.nmap.org
In this lecture we are going to cover the following:
Python download and installation
Pip download and installation (Python package manager)
python nmap library download
perform a basic scan
In this lecture we're going to take a look at the functions NmapScanTechniques provides us with.
As the title of this course suggests, this course takes a no-nonsense approach to learning a very important part (if not the most important part) of penetration testing and practical security assessments. From the moment you enroll in this course you will see that there are no long presentations and no unneeded "fillers".
You will learn network mapping and enumeration by directly engaging with Nmap command line and scanning concepts.
This course will be updated continually, and we will seriously consider your feedback, the latest trends in cyber security, vulnerabilities, precise enumeration and the problems users face with nmap.
We will also manage further content updates and additions based on the user feedback, suggestions and problems mentioned above, if there are any.