Scan Specific Hosts in Nmap


Introduction

In this lab, you will learn how to scan specific hosts using Nmap, a powerful network scanning tool. The lab covers scanning a single host by IP address and hostname.

You will start by scanning the IP address 192.168.1.10, then scan the hostname scanme.nmap.org. Furthermore, you will learn to resolve IP addresses using the -R flag, increase verbosity with the -v flag, and save scan results to a file named specific.txt. Finally, you will review the saved results in the Xfce terminal.



Scan single host with nmap 192.168.1.10

In this step, we will perform a basic scan of a single host using Nmap. Nmap is a powerful network scanning tool used to discover hosts and services on a computer network by sending packets and analyzing the responses. This is a fundamental skill for network administrators and security professionals.

First, let's understand the basic syntax of an Nmap command:

nmap [options] target

Where:

  • nmap is the command to invoke the Nmap tool.
  • [options] are various flags that modify the scan's behavior (e.g., specifying the type of scan, verbosity level, etc.).
  • target is the IP address or hostname of the machine you want to scan.

In this step, our target is the IP address 192.168.1.10. We will perform a simple scan to identify open ports and services running on this host.

Open your Xfce terminal. Ensure you are in the ~/project directory.

Now, execute the following command:

nmap 192.168.1.10

This command will initiate a scan of the target IP address 192.168.1.10. Nmap will attempt to determine which ports are open on the target machine.

You should see output similar to the following (the exact output will depend on the target machine's configuration):

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.10
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds

This output shows that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open on the target machine. Nmap also indicates that 997 ports are closed and not shown in the output.

Scan hostname with nmap scanme.nmap.org

In the previous step, we scanned a single host using its IP address. In this step, we will scan a host using its hostname. This is useful when you don't know the IP address of a target, but you know its domain name. Nmap will automatically resolve the hostname to its corresponding IP address before performing the scan.

scanme.nmap.org is a dedicated host provided by the Nmap project for testing and educational purposes. It is safe and legal to scan this host.

Open your Xfce terminal. Ensure you are in the ~/project directory.

Now, execute the following command:

nmap scanme.nmap.org

This command will initiate a scan of the target hostname scanme.nmap.org. Nmap will first resolve the hostname to an IP address and then perform the scan.

You should see output similar to the following:

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.072s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::a02f:d731
Not shown: 994 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds

This output shows the Nmap scan report for scanme.nmap.org. It displays the resolved IP address (45.33.32.156), the open ports (22 and 80), and the filtered ports (25, 135, 139, and 445). A filtered port is one for which Nmap could not determine whether it is open or closed, because a firewall or other network filter is blocking its probes.

Resolve IP with nmap -R 192.168.1.10

In this step, we will use the -R option with Nmap to perform a reverse DNS resolution on the IP address 192.168.1.10. Reverse DNS resolution attempts to find the hostname associated with a given IP address. This can be useful for identifying the purpose or owner of a particular IP address.

Open your Xfce terminal. Ensure you are in the ~/project directory.

Now, execute the following command:

nmap -R 192.168.1.10

The -R option tells Nmap to always perform a reverse DNS resolution for the target IP address. By default Nmap only resolves hosts that respond to its probes; -R forces a lookup for every target, even one that appears to be down.

You should see output similar to the following (the exact output will depend on whether a reverse DNS record exists for the IP address and the network configuration):

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.10
Host is up (0.00020s latency).
rDNS record for 192.168.1.10: myhost.localdomain
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds

In this example, Nmap was able to resolve the IP address 192.168.1.10 to the hostname myhost.localdomain. If no reverse DNS record is found, Nmap will typically only show the IP address without a hostname.

Note: The -R option can increase the scan time, as Nmap needs to perform a DNS query for each IP address.

Add verbosity with nmap -v scanme.nmap.org

In this step, we will add verbosity to our Nmap scan using the -v option. Verbosity increases the amount of information Nmap displays during the scan, providing more details about the scan process and results. This can be helpful for troubleshooting or understanding how Nmap is working.

Open your Xfce terminal. Ensure you are in the ~/project directory.

Now, execute the following command:

nmap -v scanme.nmap.org

The -v option tells Nmap to increase the verbosity level. You can use -vv for even more verbosity.

You should see output similar to the following (the exact output will depend on the target machine's configuration and network conditions):

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Initiating Ping Scan at 10:15
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 10:15, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.01s elapsed
Initiating SYN Stealth Scan at 10:15
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Completed SYN Stealth Scan at 10:15, 4.69s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.072s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::a02f:d731
Not shown: 994 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 4.79 seconds

Notice the additional information displayed, such as the start and end times of different scan phases, the ports being scanned, and any discovered open ports as they are found. This verbose output can be very helpful for understanding the progress and results of your Nmap scan.

Save scan results with nmap -oN specific.txt scanme.nmap.org

In this step, we will learn how to save Nmap scan results to a file using the -oN option. This is useful for documenting your findings, analyzing results later, or sharing them with others. The -oN option saves the results in a "normal" human-readable format.

Open your Xfce terminal. Ensure you are in the ~/project directory.

Now, execute the following command:

nmap -oN specific.txt scanme.nmap.org

The -oN specific.txt option tells Nmap to save the scan results in normal format to a file named specific.txt. The file will be created in your current directory (~/project).

After the scan completes, you can view the contents of the file using the cat command:

cat specific.txt

You should see the Nmap scan report for scanme.nmap.org printed to the terminal. This is the same information that was displayed on the screen during the scan, but now it's saved in a file.

The contents of specific.txt will be similar to:

## Nmap 7.92 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.072s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::a02f:d731
Not shown: 994 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds

## Nmap done at Fri Oct 27 10:20:10 2023 -- 1 IP address (1 host up) scanned in 10.00 seconds

Review results in Xfce terminal

In the previous steps, we performed various Nmap scans and saved the results to a file named specific.txt. In this step, we will review the contents of this file using the Xfce terminal. This allows us to analyze the scan results and identify potential vulnerabilities or open ports on the target system.

Open your Xfce terminal. Ensure you are in the ~/project directory.

To view the contents of the specific.txt file, you can use the cat command:

cat specific.txt

This command will display the entire contents of the file in the terminal.

Alternatively, you can use the less command to view the file page by page:

less specific.txt

This command allows you to scroll through the file using the arrow keys or the Page Up and Page Down keys. To exit less, press q.

You can also use the nano text editor to open and review the file:

nano specific.txt

This command opens the file in the nano editor, where you can scroll through it and even make changes if needed. To exit nano, press Ctrl+X; if you have made changes, nano asks whether to save them: press Y to save (then Enter to confirm the file name) or N to discard them.

By reviewing the scan results, you can identify open ports, running services, and other information about the target system. This information can be used to assess the security posture of the system and identify potential vulnerabilities. For example, if you see port 22 (SSH) is open, you might want to investigate the SSH configuration to ensure it is secure. If you see port 80 (HTTP) or 443 (HTTPS) are open, you might want to examine the web server configuration and any web applications running on the system.
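As an added example (not part of the lab), the following Python script parses the -oN "normal" format file produced in the save step, so a saved specific.txt can be reviewed programmatically as well as with cat or less. The sample text is constructed after the lab's own output, and the names parse_normal_output and ports_in_state are chosen here.

```python
import re
# Constructed sample in Nmap's -oN "normal" format, modelled on the
# specific.txt shown in this lab (constructed text, not a real scan).
SAMPLE_NORMAL_OUTPUT = """\
## Nmap 7.92 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.072s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::a02f:d731
Not shown: 994 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
## Nmap done at Fri Oct 27 10:20:10 2023 -- 1 IP address (1 host up) scanned in 10.00 seconds
"""

# "Nmap scan report for name (ip)" for a hostname, or "... for ip" for a bare address.
_REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
_RDNS_RE = re.compile(r"^rDNS record for \S+: (\S+)$")
_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_normal_output(text):
    """Parse -oN text into one dict per host: name, ip, rdns and port rows."""
    hosts, current = [], None
    for line in text.splitlines():
        m = _REPORT_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            current = {"host": name, "ip": ip or name, "rdns": None, "ports": []}
            hosts.append(current)
            continue
        if current is None or line.startswith("#"):
            continue  # skip the "## Nmap ..." banner lines and text before any report
        m = _RDNS_RE.match(line)
        if m:
            current["rdns"] = m.group(1)
            continue
        m = _PORT_RE.match(line)
        if m:  # port table rows; the "PORT STATE SERVICE" header does not match
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4)})
    return hosts

def ports_in_state(host, state):
    """Sorted port numbers of one parsed host whose STATE column equals state."""
    return sorted(p["port"] for p in host["ports"] if p["state"] == state)
```

Reading the real file is `parse_normal_output(open("specific.txt").read())`; the second form of the report line (bare IP, with an rDNS line) is the one produced by the -R step.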

This concludes the Nmap lab. You have learned how to perform basic Nmap scans, resolve hostnames, increase verbosity, and save scan results to a file for later review.

Summary

In this lab, we learned how to use Nmap to scan specific hosts. We started by scanning a single host using its IP address, 192.168.1.10, to identify open ports and services. The basic Nmap syntax nmap [options] target was introduced.

We then scanned a host by its hostname, scanme.nmap.org, forced reverse DNS resolution with -R, increased verbosity with -v, saved the results to specific.txt with -oN, and reviewed the saved file in the Xfce terminal.