NMAP
Nmap is a Security Scanner, Port Scanner, & Network Exploration Tool
Background
Nmap is a popular security tool that can be used as a network exploration and port scanner. It can help you identify hosts and services on a network, as well as other valuable information like operating system details, open ports, services running on those ports, and potential vulnerabilities.
Installation
Download: https://nmap.org/download.html
Linux:
Usage
Basic Usage
Base Syntax:
nmap [ScanType] [Options] {targets}
Access Help:
nmap -h
Nmap discovery steps, in the order Nmap runs them:
1. Enumerate targets
2. Discover live hosts
3. Reverse DNS lookup
4. Scan ports
5. Detect versions
6. Detect OS
7. Traceroute
8. Run scripts
9. Write output
TCP Flags:
URG: urgent data present; process out of band
ACK: acknowledges receipt of TCP data
PSH: push data to the application promptly
RST: reset the connection
SYN: synchronize sequence numbers; initiates the TCP handshake
FIN: sender has no more data to send
Scan Types
| Description | Switch | Example |
|---|---|---|
Targeting
| Description | Switch | Example |
|---|---|---|
| Scan a single IP | | |
| Scan specific IPs | | |
| Scan a range | | |
| Scan a domain | | |
| Scan using CIDR notation | | |
| Scan targets from a file | | |
| Scan 100 random hosts | | |
| Exclude listed hosts | | |
Host Discovery
| Description | Switch | Example |
|---|---|---|
| Don't scan; list targets only | | |
| Disable port scanning; host discovery only | | |
| Disable host discovery; port scan only (treat every target as up) | | |
| TCP SYN discovery on port x (port 80 by default) | | |
| TCP ACK discovery on port x (port 80 by default) | | |
| UDP discovery on port x (port 40125 by default) | | |
| ARP discovery on the local network | | |
| Don't do DNS resolution | | |
| Specify DNS server (example: 192.168.1.2) | | |
| Perform DNS resolution, even for offline hosts | | |
| ICMP timestamp request | | |
| ICMP address mask request | | |
| ICMP echo request | | |
Port Discovery
| Description | Switch | Example |
|---|---|---|
| Port scan for a single port | | |
| Port range | | |
| Port scan multiple TCP and UDP ports | | |
| Port scan all 65535 ports | | |
| Port scan by service name | | |
| Fast port scan (100 most common ports) | | |
| Port scan the top x most common ports | | |
| Omitting the beginning of a range starts the scan at port 1 | | |
| Omitting the end of a range runs the scan through port 65535 | | |
OS Discovery
| Description | Switch | Example |
|---|---|---|
| Remote OS detection using TCP/IP stack fingerprinting | | |
| Limit OS detection to hosts with at least one open and one closed port | | |
| Makes Nmap guess the OS more aggressively when no exact match is found | | |
| Maximum number of OS detection attempts against a target | | |
| OS detection, version detection, script scanning and traceroute in one switch | | |
| Run traceroute to each host | | |
Service Discovery
| Description | Switch | Example |
|---|---|---|
| Attempts to determine the version of the service running on each open port | | |
| Intensity level 0 to 9; higher sends more probes and identifies services more reliably | | |
| Light mode (intensity 2); less likely to identify the service correctly, but faster | | |
| Intensity level 9; most likely to identify the service correctly, but slowest | | |
| OS detection, version detection, script scanning and traceroute in one switch | | |
Evasion
| Description | Switch | Example |
|---|---|---|
| Use fragmented IP packets (-ff increases fragmentation) | | |
| Set your own fragment offset size | | |
| Send scans from spoofed/decoy IPs | | |
| Above example explained | | |
| Spoofed scan of Facebook from Microsoft (-e eth0 -Pn may be required) | | |
| Use the given source port number | | |
| Relay connections through HTTP/SOCKS4 proxies | | |
| Append random data to sent packets | | |
| Spoof MAC address | | |
| Idle/zombie scan. Example using 192.168.1.2 as the zombie to scan 192.168.1.1 | | |
| Custom scan flags. Example with SYN and FIN flags set | | |
Output
| Description | Switch | Example |
|---|---|---|
| Normal output to the file normal.file | | |
| XML output to the file xml.file | | |
| Grepable output to the file grep.file | | |
| Output in all three major formats at once | | |
| Grepable output to screen (-oN - and -oX - also work) | | |
| Append a scan to a previous scan file | | |
| Increase the verbosity level (-vv or more for greater effect) | | |
| Increase the debugging level (-dd or more for greater effect) | | |
| Display the reason a port is in a given state; same output as -vv | | |
| Only show open (or possibly open) ports | | |
| Show all packets sent and received | | |
| Show the host's interfaces and routes | | |
| Resume an aborted scan from its normal or grepable output file | | |
Scripting
| Description | Switch | Example |
|---|---|---|
| View all local scripts | | |
| Search local scripts with wildcards (example: http) | | |
| Default NSE scripts; useful and safe for discovery | | |
| Use a single script (example: banner) | | |
| Use a wildcard (example: http) | | |
| Use two scripts (example: http and banner) | | |
| Use a category (example: auth) | | |
| Default scripts with intrusive scripts removed | | |
| NSE script with arguments | | |
| Display help for a script (example: banner) | | |
| Get page titles from HTTP services | | |
| Get HTTP headers of web services | | |
| Find web applications from known paths | | |
| Get IP info | | |
| Heartbleed vulnerability detection | | |
| CVE detection | | |
| Malware scan | | |
| Malware scan using Google's malware check | | |
| SMB vulnerability detection | | |
Timing Templates
| Description | Switch | Example |
|---|---|---|
| Paranoid (0): very slow; intended for Intrusion Detection System evasion | | |
| Sneaky (1): slow; intended for Intrusion Detection System evasion | | |
| Polite (2): slows down to use less bandwidth and fewer target machine resources | | |
| Normal (3): the default speed | | |
| Aggressive (4): speeds up scans; assumes you are on a fast, reliable network | | |
| Insane (5): speeds up scans further; assumes an extraordinarily fast network and tolerates lost accuracy | | |
Timing and Performance
| Description | Switch | Example |
|---|---|---|
| Give up on a target after this long | | 1s; 4m; 2h |
| Specifies the probe round-trip timeout | | 1s; 4m; 2h |
| Parallel host scan group sizes | | 50; 1024 |
| Probe parallelization | | 10; 1 |
| Maximum number of port scan probe retransmissions | | 3 |
| Send packets no slower than this many per second | | 100 |
| Send packets no faster than this many per second | | 100 |