To download NMAP, go to http://www.insecure.org/nmap/nmap_download.html and scroll down to the Windows section. Select the .zip file of the current version. Once the file has been downloaded, extract all the files to a directory on your hard disk. The default directory is long and cumbersome to type from a command prompt. Shorten it to
After the files have been extracted, open a command prompt. Click Start > Run. In the Run dialog, type cmd and click OK.
The command prompt will open. Change the directory to where you installed NMAP, in our case C:\nmap, by typing
nmap -A -P0 -p 1-65535 -oN <filename> <ip address>
This command is probably the most common. An explanation of the command switches follows.
Note: NMAP is case sensitive; P is very different from p.
-A — This command combines two other NMAP commands: -O for OS fingerprinting and -sV for version scanning. NMAP will "guess" the version of the software running on an open port.
-P0 — NMAP will not ping the machine before scanning it. This command is useful if you block ICMP pings on your network. Without this command, if the remote machine does not respond to pings, NMAP will report that the machine is down and will not scan.
-p 1-65535 — Designates which ports to scan. In most cases, scan all 65,535 ports that are available (1-65535). Other examples include:
- Range: 1-65535 (nmap -A -p 1-65535)
- Single port: 80 (nmap -A -p 80)
- List of ports: 135,137-139,445 (nmap -A -p 135,137-139,445)
-oN <filename> — Sends the scan output from NMAP to a file you specify. Depending on the number of machines, the operating system(s) those machines are running and what services are running on those machines, sending the scan output to a text file is highly recommended. For example, when scanning a Novell server, ports 55000-59000 will report being filtered. If the output is not sent to a text file, the useful information will scroll off the screen and will not be retrievable.
<ip address> — A single IP address or range of IP addresses to be scanned. Some examples include:
- Single IP address: nmap -A -p 1-65535 10.1.1.1
- Range of IP addresses: nmap -A -p 1-65535 10.1.1.1-254
- List of IP addresses: nmap -A -p 1-65535 10.1.1.2,4,8,16,32,64,128
There are a number of other ways to include IP addresses and ranges. Please review the NMAP documentation for a more complete explanation.
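The -oN file is only useful if you can get the open and filtered ports back out of it after the scan has scrolled by. The script below is an added example, not part of the original MOREnet document and not an NMAP tool: it parses the normal (-oN) output format into a per-host list of ports, lists the open ports with their -sV version strings, and collapses runs of filtered ports into ranges so a block such as the Novell 55000-59000 case shows up as one line instead of thousands. The sample output embedded in SAMPLE_NORMAL_OUTPUT is constructed for the example; the host header regex accepts both the older "Interesting ports on X:" line and the newer "Nmap scan report for X" line.

```python
import re
from collections import namedtuple

PortEntry = namedtuple("PortEntry", "port proto state service version")

# Constructed sample of an -oN (normal output) file; not a real scan result.
SAMPLE_NORMAL_OUTPUT = """\
# Nmap scan initiated as: nmap -A -P0 -p 1-65535 -oN scan.txt 10.1.1.1
Interesting ports on 10.1.1.1:
Not shown: 65529 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp    open     http    Apache httpd 2.2.3
55000/tcp filtered unknown
55001/tcp filtered unknown
55002/tcp filtered unknown
59000/tcp filtered unknown
Nmap finished: 1 IP address (1 host up) scanned in 120.5 seconds
"""

# Host header in either the old or the new normal-output style.
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on)\s+(.+?):?\s*$")
# One port line: "<port>/<proto> <state> <service> [<version string>]".
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)"
    r"\s+(\S+)(?:\s+(.*\S))?\s*$"
)


def parse_normal_output(text):
    """Return {host: [PortEntry, ...]} from the text of an -oN file."""
    results = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            results[current].append(PortEntry(int(port), proto, state, service, version or ""))
    return results


def collapse_ranges(ports):
    """Collapse ints into consecutive (start, end) runs: [1, 2, 3, 7] -> [(1, 3), (7, 7)]."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def summarize(results):
    """Per host: sorted open ports with service/version, plus filtered ports as ranges."""
    summary = {}
    for host, entries in results.items():
        open_ports = sorted((e.port, e.service, e.version) for e in entries if e.state == "open")
        filtered = [e.port for e in entries if e.state == "filtered"]
        summary[host] = {"open": open_ports, "filtered_ranges": collapse_ranges(filtered)}
    return summary


def report_file(path):
    """Summarize a real -oN file saved by 'nmap ... -oN <filename>'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(parse_normal_output(fh.read()))


if __name__ == "__main__":
    for host, info in summarize(parse_normal_output(SAMPLE_NORMAL_OUTPUT)).items():
        print(host)
        for port, service, version in info["open"]:
            print(f"  open     {port:>5}/tcp  {service:<8} {version}")
        for lo, hi in info["filtered_ranges"]:
            print(f"  filtered {lo}-{hi}" if lo != hi else f"  filtered {lo}")
```

Run it as-is to see the summary of the constructed sample, or call report_file("scan.txt") on the file named in your own -oN option. Because the parser keys everything on the host header line, a file produced by a range scan (10.1.1.1-254) yields one entry per host that was up.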
Another useful flag that is not shown in the examples above is the -vv (very verbose) flag. Using this flag will result in lots of information that may or may not be useful. With this flag, the command becomes:
nmap -vv -A -P0 -p 1-65535 -oN <filename> <ip address>
Although NMAP has many other flags, MOREnet Security uses these most often. You can get a complete list of NMAP's flags at http://www.insecure.org/nmap/data/nmap_manpage.html.