yum install nmap        # centos/redhat
apt-get install nmap    # debian/ubuntu

# get a quick overview of the LAN (this is pretty fast, about 2 seconds even on wifi)
# -sP is the old name of -sn: host discovery only, no port scan
nmap -sP -PA21,22,25,3389 192.168.0.*

# find all network printers, output printer vendor, MAC and IP
nmap -p 9100,515,631 192.168.0.* --open

# this is the detailed scan (every TCP port, host discovery probes, OS/service detection, all output formats)
nmap -sS -p- -PE -PP -PS80,443 -PA3389 -PU40125 -A -T4 -oA networkscan-result-nmap-%D 192.168.0.0-255

# it takes a lot of time... so please be patient and come back later (3 cups of coffee kind of later X-D)
# also: the resulting XML is not well viewable inside a browser, you need to convert it:
xsltproc networkscan-result-nmap-030118.xml -o networkscan-result-nmap-030118.html
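As an added example (not code from the original post): instead of only converting the .xml file that -oA writes into HTML, a defender usually wants it as an inventory. The parser below reads nmap's XML format, keeps the hosts that answered a probe, collects their open ports and flags likely printers using the same ports as the printer scan above. The sample XML inside is constructed; addresses and vendors are made up.

```python
# Added example, not from the original post: turn the .xml written by "nmap -oA" into
# an inventory of live hosts, open ports and likely network printers (9100/515/631).
import xml.etree.ElementTree as ET

PRINTER_PORTS = {9100, 515, 631}

# Constructed sample in nmap's XML output format; addresses and vendors are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/>
  <address addr="192.168.0.1" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac" vendor="AVM"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
   <port protocol="tcp" portid="23"><state state="closed"/></port>
  </ports></host>
 <host><status state="up"/>
  <address addr="192.168.0.23" addrtype="ipv4"/>
  <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac" vendor="Hewlett Packard"/>
  <ports>
   <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
   <port protocol="tcp" portid="631"><state state="open"/><service name="ipp"/></port>
  </ports></host>
 <host><status state="down"/><address addr="192.168.0.99" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Map each host nmap saw as up to its MAC, vendor and set of open (proto, port, service)."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts that never answered a discovery probe are not inventoried
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        mac = host.find("address[@addrtype='mac']")  # only present for LAN scans run as root
        vendor = mac.get("vendor") if mac is not None else None
        open_ports = set()
        for port in host.findall("ports/port"):
            if port.find("state").get("state") == "open":  # skip closed/filtered ports
                svc = port.find("service")
                open_ports.add((port.get("protocol"), int(port.get("portid")),
                                svc.get("name") if svc is not None else None))
        hosts[ip] = {"mac": mac.get("addr") if mac is not None else None,
                     "vendor": vendor, "open": open_ports}
    return hosts

def likely_printers(hosts):
    """IPs with any of the classic printing ports open, sorted for stable output."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p in PRINTER_PORTS for _, p, _ in h["open"]))
```

Running parse_nmap_xml on the real networkscan-result-nmap-%D.xml file gives the same structure, so the printer list and the open-port sets can be diffed between scans to spot new devices or newly exposed services.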
Root or non-root?
Short answer: use nmap as root, or some systems might be able to hide from your scan.
Long answer: "Nmap adapts its techniques to use the best available methods using the current privilege level, unless you explicitly request something different. The things that Nmap needs root (or sudo) privilege for on Linux are:
- Sniffing network traffic with libpcap
- Sending raw network traffic
You can use the -d option to see what Nmap is doing in the background, but the short answer is that with root privilege on an Ethernet LAN (like you are using, based on the IP addresses you listed), Nmap will send raw ARP packets and sniff for results. Responding to ARP requests is a prerequisite to IP communication on such a network, so it's nearly impossible to block or hide from this type of scan. If you do not have root privilege, Nmap falls back to trying to connect to 2 TCP ports (80 and 443), considering the host "up" if the connection succeeds or is reset. A system with a drop-all firewall and no services on 80 or 443 will not show up with this scan. You can read more about Nmap's host discovery techniques in the host discovery section of the man page." (src)
Example results (screenshot caption): nmap detailed scan of a FritzBox 7170.
The option summary below is quoted from the Nmap book chapter linked at the end of this post.
-sS Enables the efficient TCP port scanning technique known as SYN scan. Felix would have added a U at the end if he also wanted to do a UDP scan, but he is saving that for later. SYN scan is the default scan type, but stating it explicitly does not hurt.
-p- Requests that Nmap scan every port from 1-65535. This is more comprehensive than the default, which is to scan only the 1,000 ports which we've found to be most commonly accessible in large-scale Internet testing. This option format is simply a shortcut for -p1-65535. Felix could have specified -p0-65535 if he wanted to scan the rather illegitimate port zero as well. The -p option has a very flexible syntax, even allowing the specification of a differing set of UDP and TCP ports.
-PE -PP -PS80,443 -PA3389 -PU40125 These are all host discovery techniques (ping types) used in combination to determine which targets on a network are really available and avoid wasting a lot of time scanning IP addresses that are not in use. This particular incantation sends ICMP echo request and timestamp request packets; TCP SYN packets to ports 80 and 443; TCP ACK packets to port 3389; and a UDP packet to port 40,125. If Nmap receives a response from a target host to any of these probes, it considers the host to be up and available for scanning. This is the most effective six-probe combination that we've found in large-scale empirical testing for host discovery against targets over the Internet. It is more extensive than the Nmap default, which is -PE -PS443 -PA80 -PP. In a pen-testing situation, you often want to scan every host even if they do not seem to be up. After all, they could just be heavily filtered in such a way that the probes you selected are ignored but some other obscure port may be available. To scan every IP whether it shows an available host or not, specify the -Pn option instead of all of the above. Felix starts such a scan in the background, though it may take many hours to complete.
-A This shortcut option turns on Advanced and Aggressive features such as OS and service detection. At the time of this writing it is equivalent to -sV -sC -O --traceroute (version detection, Nmap Scripting Engine with the default set of scripts, remote OS detection, and traceroute). More features may be added to -A later.
-T4 Adjusts timing to the aggressive level (#4 of 5). This is the same as specifying -T aggressive, but is easier to type and spell. In general, the -T4 option is recommended if the connection between you and the target networks is reasonably fast and reliable.
-oA avatartcpscan-%D Outputs results in every format (normal, XML, grepable) to files named avatartcpscan-<date>.<extension> where the extensions are .nmap, .xml, and .gnmap respectively. The <date> gives the month, day, and year in a format like 073010. All of the output formats include the start date and time, but Felix likes to note the date explicitly in the filename. Normal output and errors are still sent to stdout as well.
22.214.171.124/24 126.96.36.199/22 These are the Avatar Online netblocks discussed above. They are given in CIDR notation, but Nmap allows them to be specified in many other formats. For example, 188.8.131.52/24 could instead be specified as 184.108.40.206-255. Since such a comprehensive scan against more than a thousand IP addresses could take a while, Felix simply starts it executing and resumes work on his Yagi antenna. A couple of hours later he notices that it has finished and takes a peek at the results. Example 1.2 shows one of the machines discovered.
Source: https://nmap.org/book/nmap-overview-and-demos.html