(this article is going to deal with the console version of Nmap)

As you may or may not know, Nmap is one of, if not the best tool available for network scanning (along with Nessus.) Nmap can be used to uncover a lot of information about a remote host, and that in turn may open the door to bigger and better things.

First off, you're going to need a copy of the program. You can get that at the Official website (http://insecure.org), or if you are running Linux, you can install via the command line. For Debian based distros the string is "sudo apt-get install nmap".

Once you have the app installed and looking alright, you can begin trying it out. For a basic test run, just scan a host. You can easily do that by just running "nmap enigmagroup.org". That should take a few minutes, and you'll get a list of "interesting ports".


Next, a slightly more "advanced" string would be to scan multiple hosts at random. To do that, you need to open nmap and enter "nmap -v -iR 1 -P0 -p 80"

here's the output of that command:
--------------------
ishkur@linuxbox:~$ nmap -v -iR 1 -P0 -p 80

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-03 21:21 EDT
Initiating Parallel DNS resolution of 1 host. at 21:21
Completed Parallel DNS resolution of 1 host. at 21:21, 1.26s elapsed
Initiating Connect() Scan at 21:21
Scanning 87.255.246.128 [1 port]
Completed Connect() Scan at 21:21, 12.01s elapsed (1 total ports)
Host 87.255.246.128 appears to be up ... good.
Interesting ports on 87.255.246.128:
PORT   STATE    SERVICE
80/tcp filtered http

Nmap finishead: 1 IP address (1 host up) scanned in 13.271 seconds
ishkur@linuxbox:~$
--------------------

A little explanation is in order. The First command there (-v) just makes it a more intense scan, more packets being sent. Secondly, (-iR) tells it to scan random hosts, then the number right after it tells it how many to scan. The next bit (-P0) tell it to just skip host discovery. Last but not least, the (-p 80) part should be self explanatory... but basically that just defines what port to scan.

And for a little bit more advanced string.
"sudo nmap -v -f 205.217.153.53 -e eth1 -P0 -S RND -p 80 "

What that string does:

1.) runs the app as root, a key to the more tricky functions
2.) sends more packets with the -v command.
3.) fragments the packets and makes it harder for the host to figure out what's going on.
4.) targets the host (in this case, insecure.org)
5.) specifies what interface to send out of (eth1 for me)
6.) tells it to skip host discovery
7.) spoofs the source with a Random (RND) source,
8.) and finally tells it what port to look for.

here's the output of that:
---------------------
ishkur@linuxbox:~$ sudo nmap -v -f 205.217.153.53 -e eth1 -P0 -S RND -p 80

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-03 22:12 EDT
Initiating Parallel DNS resolution of 1 host. at 22:12
Completed Parallel DNS resolution of 1 host. at 22:12, 0.07s elapsed
Initiating SYN Stealth Scan at 22:12
Scanning www.insecure.org (205.217.153.53) [1 port]
Completed SYN Stealth Scan at 22:12, 2.02s elapsed (1 total ports)
Host www.insecure.org (205.217.153.53) appears to be up ... good.
Interesting ports on www.insecure.org (205.217.153.53):
PORT   STATE    SERVICE
80/tcp filtered http

Nmap finished: 1 IP address (1 host up) scanned in 2.182 seconds
               Raw packets sent: 6 (168B) | Rcvd: 0 (0B)
ishkur@linuxbox:~$
--------------------

Well, hope I didn't make too many mistakes, and hope you peoples make good use of Nmap