Sunday, September 15, 2013

A Little About Nmap

Nmap is probably one of the most comprehensive port scanners to date. Looking at the Nmap usage might be daunting at first. However, once you start scanning you will quickly become accustomed to the syntax. In BackTrack, the Nmap configuration files (such as the default port scan list) are located in /usr/local/share/nmap/.
Note that when running Nmap as a root user, certain defaults are assumed (SYN scans, for instance). Begin with a simple port scan on 192.168.0.110. Note that running this scan as a root user is actually equivalent to running nmap -sS 192.168.0.110:
root@bt:~# nmap 192.168.0.110
Starting Nmap 5.21 ( http://www.insecure.org/nmap/ ) at 2010-10-28 16:24 GMT
Interesting ports on 192.168.0.110:
Not shown: 1664 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
119/tcp open nntp
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
563/tcp open snews

7007/tcp open afs3-bos
MAC Address: 00:0C:29:C6:B3:23 (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 1.524 seconds
root@bt:~#
The scan identified many open ports on 192.168.0.110. Next, try port scanning all of the available ports on this machine by explicitly specifying the ports to be scanned:
root@bt:~# nmap -p 1-65535 192.168.0.110
Starting Nmap 5.21 ( http://www.insecure.org/nmap/ ) at 2010-10-28 16:28 GMT
Interesting ports on 192.168.0.110:
Not shown: 65517 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
119/tcp open nntp
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
563/tcp open snews
7007/tcp open afs3-bos
8328/tcp open unknown
30001/tcp open unknown
50203/tcp open unknown
MAC Address: 00:0C:29:C6:B3:23 (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 3.627 seconds
root@bt:~#
Notice how you’ve discovered some open ports that were not initially scanned because they are not present in the Nmap default port configuration file (/usr/local/share/nmap/nmap-services).
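When auditing your own hosts, the comparison between the two scans can be done mechanically instead of by eye. The following Python sketch is an added example, not part of the original post: it parses the port table from the two outputs shown above and lists the ports that only the full-range scan reported as open. The function names parse_ports and missed_by_first are hypothetical.

```python
import re

# Open-port rows copied from the default scan output shown above.
DEFAULT_SCAN = """\
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
119/tcp open nntp
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
563/tcp open snews
7007/tcp open afs3-bos
"""
# The -p 1-65535 scan reported the same rows plus three more.
FULL_SCAN = DEFAULT_SCAN + """\
8328/tcp open unknown
30001/tcp open unknown
50203/tcp open unknown
"""

# Matches rows such as "445/tcp open microsoft-ds"; extra columns are ignored.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(output):
    """Map (port, protocol) -> (state, service) for each row of the port table."""
    ports = {}
    for line in output.splitlines():
        match = PORT_ROW.match(line.strip())
        if match:
            port, proto, state, service = match.groups()
            ports[(int(port), proto)] = (state, service)
    return ports

def missed_by_first(first_output, second_output):
    """Ports open in the second scan that the first scan did not report as open."""
    first = parse_ports(first_output)
    second = parse_ports(second_output)
    return sorted(
        key for key, (state, _) in second.items()
        if state == "open" and first.get(key, ("", ""))[0] != "open"
    )

if __name__ == "__main__":
    for port, proto in missed_by_first(DEFAULT_SCAN, FULL_SCAN):
        print(f"{port}/{proto} open, not covered by the default port list")
```

Services listening on ports like these are easy to overlook in an inventory built only from default scans, so the difference list is a useful starting point for a review.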
