Nmap

Nmap, which stands for Network Mapper, was written by Gordon Lyon. In practical use, this tool can be used to check for open ports, what is running on those ports, and can be used to retrieve header information from the daemons servicing the open ports.

Emerge
Installing nmap is simple, and no configuration should be required. You should of course pay attention to your use flags, in case there are some non-stock features that you might like to include in your install.

Using NMap
Open up a command prompt & try a few of these examples out to get the hang of using nmap.

Let's say you wanted to see if port 80 was open at example.com, you would run nmap with the -p trigger to specify the port you want to check.

If you wanted to check multiple ports, like 80 & 8080 then you would separate each port with a comma.

Let's say you wanted to check a range of ports, such as ports 1-1000, you would just separate the low-end & high-end of the range with a -.

You can also specify multiple ranges like this:

If we wanted to find out if a server was running an IRCd, and then find out information about that IRCd we would do the same as above, but add the -sV trigger as well, like so:

This command would then output something like the following: Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-07 20:11 CDT Nmap scan report for irc.afraidirc.net (174.122.223.81) Host is up (0.060s latency). rDNS record for 174.122.223.81: 51.df.7aae.static.theplanet.com PORT    STATE  SERVICE  VERSION 6660/tcp closed unknown 6661/tcp closed unknown 6662/tcp closed radmind 6663/tcp closed unknown 6664/tcp closed unknown 6665/tcp open  irc      ratbox, charybdis, or ircd-seven ircd 6666/tcp open  irc 6667/tcp open  irc      ratbox, charybdis, or ircd-seven ircd 6668/tcp open  irc 6669/tcp open  irc 6670/tcp closed irc 6690/tcp closed unknown 6691/tcp closed unknown 6692/tcp closed unknown 6693/tcp closed unknown 6694/tcp closed unknown 6695/tcp open  irc      ratbox, charybdis, or ircd-seven ircd 6696/tcp open  irc      ratbox, charybdis, or ircd-seven ircd 6697/tcp open  irc      ratbox, charybdis, or ircd-seven ircd 6698/tcp open  irc      ratbox, charybdis, or ircd-seven ircd 6699/tcp open  irc      ratbox, charybdis, or ircd-seven ircd 6700/tcp closed carracho Service Info: Host: BloodyMary.AfraidIRC.net

Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 12.14 seconds

The output above shows us the hostname as defined in the IRCd configuration, as well as the IRCd version name. In this case, it happens to be Charybdis, which is a fork of ratbox. ircd-seven is also a fork from ratbox, so nmap is unable to tell exactly which IRCd is in use, but rather give you the IRCd "family".

We can do the same to get information about webservers, and other services running on a target machine. In this example we will get the webserver & OS running on Google.com:

The above command will give this output: Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-07 20:16 CDT Nmap scan report for google.com (74.125.224.66) Host is up (0.022s latency). rDNS record for 74.125.224.66: lax17s02-in-f2.1e100.net PORT  STATE SERVICE VERSION 80/tcp open http    Google httpd 2.0 (GFE) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds

Os Fingerprinting
To fingerprint an os:

Easter Egg
At least one Easter Egg is contained within nmap, if you find more please document them!

STArt1nG Nmap 6.25 ( Http://nMAp.oRg ) aT 2013-09-07 20:22 CDT Nmap ScaN rEpOrt f0r g00gLe.c0m (74.125.224.71) H0St |s up (0.012z lat3ncy). rdNS r3coRd For 74.125.224.71: lax17S02-in-f7.1E100.n3t Not Sh0wn: 998 F!lTErEd p0rt$ PORT   $T4T3 seRVIc3 80/Tcp 0p3n  HTTp 443/tCP Open hTtps

Nmap d0nE: 1 Ip adDr3SS (1 Host up) $canned 1N 5.05 $3condz