nmap has several options for improving the performance and efficiency of a scan against one or more targets. To scan a specific port, use the following command:

 root@bt:~# nmap -p80 192.168.2.1
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 12:56 UTC
Interesting ports on 192.168.2.1:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:E0:0F:7B:D2:C9 (Shanghai Baud Data)
 
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
 
root@bt:~# nmap -p80 -sV 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 13:08 UTC
Interesting ports on 192.168.2.4:
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.6 ((Fedora))
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds

To scan several hosts at once, the command is as follows:

 root@bt:~# nmap -p80 192.168.2.1,3,4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 12:57 UTC
Interesting ports on 192.168.2.1:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:E0:0F:7B:D2:C9 (Shanghai Baud Data)
 
Interesting ports on 192.168.2.3:
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:01:4A:F8:03:A5 (Sony)
 
Interesting ports on 192.168.2.4:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 3 IP addresses (3 hosts up) scanned in 0.31 seconds

To scan host 192.168.2.4 over the port range 1 to 5000, the command is as follows:

 root@bt:~# nmap -p 1-5000 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 13:05 UTC
Interesting ports on 192.168.2.4:
Not shown: 4991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 0.96 seconds
 
Timing and Operation

nmap provides options that control the pace at which scan packets are sent to the target. Timing settings are useful for avoiding an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) deployed on the target side. Nmap has six timing templates:

T0 : paranoid
T1 : sneaky
T2 : polite
T3 : normal
T4 : aggressive
T5 : insane

By default nmap uses the T3 timing template. Scanning with a slower template is intended to avoid degrading network performance and to reduce the chance of being logged by an Intrusion Detection System (IDS).

 root@bt:~# nmap -T4 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 06:23 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

root@bt:~# nmap -T3 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 06:25 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
 
root@bt:~# nmap -T5 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 06:25 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
 
nmap can also fragment the packets it sends to the target. This feature splits each probe into fragments in multiples of 8 bytes, again with the aim of evading IDS and IPS. To split scan packets into 8-byte fragments, use the following command:

 root@bt:~# nmap -f 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 05:32 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds

To split scan packets into 16-byte fragments, give -f twice:

 root@bt:~# nmap -f -f 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 05:36 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds

The --mtu option can also be used to set the number of data bytes sent in each fragment.

 root@bt:~# nmap --mtu 16 192.168.2.4

 Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 05:39 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds
root@bt:~#
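The arithmetic behind -f, -f -f and --mtu, as an added illustration that is not part of the original page or of nmap itself. The IP header expresses fragment offsets in 8-byte units, which is why every fragment size must be a multiple of 8; the probe length used below (a 24-byte TCP SYN: 20-byte header plus a 4-byte MSS option) is an assumption about nmap's default SYN probe, and the last function shows what a reassembling IDS or firewall gets back, namely the original probe.

```python
from dataclasses import dataclass

# Assumption (not taken from the page): nmap's default TCP SYN probe carries a
# 20-byte TCP header plus a 4-byte MSS option, i.e. 24 bytes after the IP header.
TCP_SYN_PROBE_LEN = 24


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's data within the original probe
    length: int   # data bytes carried in this fragment
    more: bool    # IP "More Fragments" flag (clear only on the last fragment)

    @property
    def offset_field(self) -> int:
        """Value stored in the 13-bit IP Fragment Offset field, in 8-byte units."""
        return self.offset // 8


def fragment(payload_len: int, frag_size: int) -> list:
    """Split payload_len bytes of transport data into fragments of frag_size bytes.

    Every non-final fragment must carry a multiple of 8 bytes, because the IP
    header can only express offsets in 8-byte units; that is why -f uses 8,
    -f -f uses 16, and --mtu rejects anything that is not a multiple of 8.
    """
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    if payload_len <= frag_size:
        return [Fragment(0, payload_len, False)]   # fits: no fragmentation
    frags = []
    for offset in range(0, payload_len, frag_size):
        length = min(frag_size, payload_len - offset)
        frags.append(Fragment(offset, length, offset + length < payload_len))
    return frags


def fragment_count(payload_len: int, frag_size: int) -> int:
    return len(fragment(payload_len, frag_size))


def reassemble_length(frags: list) -> int:
    """What a reassembling IDS/firewall recovers: the original probe length."""
    last = max(frags, key=lambda f: f.offset)
    return last.offset + last.length


if __name__ == "__main__":
    for label, size in (("-f", 8), ("-f -f", 16), ("--mtu 24", 24)):
        parts = fragment(TCP_SYN_PROBE_LEN, size)
        print(label, [(f.offset_field, f.length, f.more) for f in parts])
```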

Decoy and Spoofing

The decoy feature lets nmap alternate other hosts' IP addresses with its own as the apparent source of the scan. The command is as follows:

 root@bt:~# nmap -D 192.168.2.3,192.168.2.100,192.168.2.1 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 05:45 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds
 
To scan with a fake source IP address, use the following command:

 root@bt:~# nmap -S 192.168.2.1 -e eth0 192.168.2.4
WARNING:  If -S is being used to fake your source address, you may also have to use -e <interface> and -PN .  If you are using it to specify your real source address, you can ignore this warning.
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 12:58 UTC
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

To scan with a spoofed MAC address, the following commands can be used (0 tells nmap to pick a random MAC; a full address or a vendor name can be given instead):

 root@bt:~# nmap --spoof-mac 0 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 05:52 UTC
Spoofing MAC address 00:A0:C9:41:63:FD (Intel - Hf1-06)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports

root@bt:~# nmap --spoof-mac 11:22:33:44:55:66 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 05:54 UTC
Spoofing MAC address 11:22:33:44:55:66 (No registered vendor)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
 
root@bt:~# nmap --spoof-mac D-Link 192.168.2.3
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 06:04 UTC
Spoofing MAC address 00:05:5D:42:F6:99 (D-Link Systems)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.3:
Not shown: 997 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
912/tcp   open  unknown
51493/tcp open  unknown
MAC Address: 00:01:4A:F8:03:A5 (Sony)
 
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
 
root@bt:~# nmap --spoof-mac D-Link 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 06:04 UTC
Spoofing MAC address 00:05:5D:35:B2:C9 (D-Link Systems)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
 
Output Logging

nmap can save the scan results to a file. The command is as follows:

 root@bt:~# nmap -oN /root/hasil.scan 192.168.2.4
 
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 13:31 UTC
Interesting ports on 192.168.2.4:
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3306/tcp open  mysql
MAC Address: 00:0C:29:18:53:42 (VMware)
 
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
 
If output in XML format is wanted, use nmap -oX instead.
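A small parser for the normal (-oN) output saved above, added here as an illustration that is not part of the original page or of nmap. It turns the "Interesting ports on" blocks of this nmap 4.85 format into per-host records so two saved scans can be compared for newly opened ports; the sample input is constructed from the page's own output, with the -sV line for 192.168.2.4 substituted so a VERSION column is exercised. For automation nmap's XML output (-oX) is the stable format to parse, but the saved text file is what this section produces.

```python
import re

# Constructed test input: the page's own three-host scan output, with the
# -sV result line for 192.168.2.4 substituted so a VERSION column is present.
SAMPLE = """\
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2010-01-20 12:57 UTC
Interesting ports on 192.168.2.1:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:E0:0F:7B:D2:C9 (Shanghai Baud Data)

Interesting ports on 192.168.2.3:
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:01:4A:F8:03:A5 (Sony)

Interesting ports on 192.168.2.4:
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.6 ((Fedora))
MAC Address: 00:0C:29:18:53:42 (VMware)

Nmap done: 3 IP addresses (3 hosts up) scanned in 0.31 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})")


def parse_normal_output(text):
    """Map each host IP to {"mac": str or None, "ports": [(port, proto, state, service, version)]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"mac": None, "ports": []})
            continue
        if current is None:
            continue                      # banner lines before the first host block
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current["ports"].append((int(port), proto, state, service, (version or "").strip()))
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group(1)
    return hosts


def open_ports(hosts, ip):
    """Sorted open ports of one host; comparing this across two saved scans flags changes."""
    return sorted(p[0] for p in hosts.get(ip, {"ports": []})["ports"] if p[2] == "open")
```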

Source: IlmuJaringan(dot)Com Courseware (Scanning and Enumeration)