You can do this with the Nmap command on Linux, or with the Nmap - Zenmap GUI program on Windows. You can look up what each parameter does in Nmap's documentation, but I will go straight to the command that meets the need described above.

nmap -sn -v -n 10.0.0.0/24

Here we want to scan the 10.0.0.0 network in the /24 range we are targeting.
You can use this command as-is on Linux, or type it into the command field of the Zenmap GUI. Parameter explanations:
-v -> also lists hosts that are down (unused). Because the verbose parameter shows what is happening during the scan, you can see the down hosts as well.
-sn -> scan without doing a port scan. This option performs host discovery using an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and, by default, an ICMP timestamp request.
-n -> skip reverse DNS lookups, so only IP addresses are examined, not domain names.
Below are the parameter descriptions I took from the Nmap help documentation.
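To make the sweep's result usable for inventory or availability monitoring, the normal output of the command above can be parsed into a list of up and down hosts and compared against the hosts you expect to see on the segment. The Python script below is an added example, not part of the original post or of Nmap itself; the Nmap output it parses is a constructed sample (placeholder addresses and MAC addresses from the documentation range), and the expected-host list is an assumption standing in for your own asset inventory.

```python
"""Turn the normal output of `nmap -sn -v -n <range>` into a host inventory.

Added example, not from the original post or the Nmap project. SAMPLE_OUTPUT
is a constructed capture (placeholder addresses, documentation MAC range) and
EXPECTED_UP is an assumed asset list standing in for a real inventory.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a privileged run on the local Ethernet segment, so Nmap
# discovers hosts with ARP; "-v" makes it list the down hosts as well.
SAMPLE_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Initiating ARP Ping Scan at 12:00
Scanning 8 hosts [1 port/host]
Completed ARP Ping Scan at 12:00, 0.42s elapsed (8 total hosts)
Nmap scan report for 10.0.0.0 [host down]
Nmap scan report for 10.0.0.1
Host is up (0.00042s latency).
MAC Address: 00:00:5E:00:53:01 (Unknown)
Nmap scan report for 10.0.0.2 [host down]
Nmap scan report for 10.0.0.3
Host is up (0.0011s latency).
MAC Address: 00:00:5E:00:53:03 (Unknown)
Nmap scan report for 10.0.0.4 [host down]
Nmap scan report for 10.0.0.5 [host down]
Nmap scan report for 10.0.0.6
Host is up (0.0023s latency).
MAC Address: 00:00:5E:00:53:06 (Unknown)
Nmap scan report for 10.0.0.7 [host down]
Nmap done: 8 IP addresses (3 hosts up) scanned in 0.60 seconds
"""

# Assumed inventory: the hosts the network owner expects to answer.
EXPECTED_UP = ["10.0.0.1", "10.0.0.3", "10.0.0.5"]

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)( \[host down\])?$")
UP_RE = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F]{2}(?::[0-9A-F]{2}){5})")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP addresses? \((\d+) hosts? up\)", re.MULTILINE)


@dataclass
class Host:
    ip: str
    up: bool
    latency_s: Optional[float] = None  # only known for hosts that answered
    mac: Optional[str] = None          # only present for ARP (local segment) discovery


def parse_ping_sweep(text: str) -> Dict[str, Host]:
    """Parse normal output of a -sn sweep into a mapping ip -> Host."""
    hosts: Dict[str, Host] = {}
    current: Optional[Host] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            # The "[host down]" suffix is only printed with -v; without it the
            # host is up and the following lines carry latency and MAC.
            current = Host(ip=m.group(1), up=m.group(2) is None)
            hosts[current.ip] = current
            continue
        if current is None:
            continue  # banner lines before the first report
        m = UP_RE.match(line)
        if m:
            current.up = True
            if m.group(1) is not None:
                current.latency_s = float(m.group(1))
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group(1)
    return hosts


def summary_counts(text: str) -> Optional[Tuple[int, int]]:
    """Return (addresses scanned, hosts up) from the 'Nmap done' line, or
    None if the output was cut off before Nmap finished."""
    m = DONE_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def compare_with_inventory(hosts: Dict[str, Host],
                           expected_up: List[str]) -> Dict[str, List[str]]:
    """Hosts that should have answered but did not, and hosts that answered
    but are not in the inventory (the ones worth a closer look)."""
    up = {ip for ip, h in hosts.items() if h.up}
    expected = set(expected_up)
    key = ipaddress.ip_address  # numeric order, not string order
    return {
        "missing": sorted(expected - up, key=key),
        "unexpected": sorted(up - expected, key=key),
    }


if __name__ == "__main__":
    inventory = parse_ping_sweep(SAMPLE_OUTPUT)
    up_count = sum(h.up for h in inventory.values())
    totals = summary_counts(SAMPLE_OUTPUT)
    if totals is None or totals[1] != up_count:
        print("warning: parsed host count does not match Nmap's summary line")
    for h in inventory.values():
        state = f"up  {h.latency_s}s  {h.mac}" if h.up else "down"
        print(f"{h.ip:<15} {state}")
    print(compare_with_inventory(inventory, EXPECTED_UP))
```

The check against the "Nmap done" line catches output that was truncated or interrupted, which would otherwise look like a quiet network. For anything beyond a quick look, run the same sweep with Nmap's XML output (-oX) and parse that instead; the normal output shown here is meant for humans and its wording can change between releases.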
-sn (No port scan)
- This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a "ping scan", but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.
Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.
The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options, excluding -Pn) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.
In previous releases of Nmap, -sn was known as
-n (No DNS resolution)
- Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
-v (Increase verbosity level), -v<level> (Set verbosity level)
- Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a scan will take more than a few minutes. Use it twice or more for even greater verbosity: -vv, or give a verbosity level directly, for example
Most changes only affect interactive output, and some also affect normal and script kiddie output. The other output types are meant to be processed by machines, so Nmap can give substantial detail by default in those formats without fatiguing a human user. However, there are a few changes in other modes where output size can be reduced substantially by omitting some detail. For example, a comment line in the grepable output that provides a list of all ports scanned is only printed in verbose mode because it can be quite long.