Nmap
Host Discovery
Scan Type               Example Command
ARP Scan                sudo nmap -PR -sn MACHINE_IP/24
ICMP Echo Scan          sudo nmap -PE -sn MACHINE_IP/24
ICMP Timestamp Scan     sudo nmap -PP -sn MACHINE_IP/24
ICMP Address Mask Scan  sudo nmap -PM -sn MACHINE_IP/24
TCP SYN Ping Scan       sudo nmap -PS22,80,443 -sn MACHINE_IP/30
TCP ACK Ping Scan       sudo nmap -PA22,80,443 -sn MACHINE_IP/30
UDP Ping Scan           sudo nmap -PU53,161,162 -sn MACHINE_IP/30

Remember to add -sn if you are only interested in host discovery without port scanning. Omitting -sn lets Nmap default to port-scanning the live hosts. ARP requests do not cross routers, so -PR is only meaningful on the local Ethernet segment; there Nmap already uses ARP for discovery by default, and for remote targets it has to rely on the ICMP, TCP and UDP probes.
Option  Purpose
-n      no DNS lookup
-R      reverse-DNS lookup for all hosts
-sn     host discovery only
Port Scan Type    Example Command
TCP Connect Scan  nmap -sT MACHINE_IP
TCP SYN Scan      sudo nmap -sS MACHINE_IP
UDP Scan          sudo nmap -sU MACHINE_IP

These scan types should get you started discovering running TCP and UDP services on a target host. -sS and -sU craft raw packets and therefore need root (hence sudo); -sT goes through the OS connect() call, so it works unprivileged but completes the three-way handshake and is more likely to show up in the service's own logs.
Option                 Purpose
-p-                    all ports
-p1-1023               scan ports 1 to 1023
-F                     100 most common ports
-r                     scan ports in consecutive order
-T<0-5>                timing template, -T0 being the slowest and -T5 the fastest
--max-rate 50          rate <= 50 packets/sec
--min-rate 15          rate >= 15 packets/sec
--min-parallelism 100  at least 100 probes in parallel
Nmap Results
Open: a service is listening on the specified port.
Closed: no service is listening on the specified port, but the port is accessible. By accessible, we mean that it is reachable and not blocked by a firewall or other security appliance/program.
Filtered: Nmap cannot determine whether the port is open or closed because the port is not accessible. This is usually a firewall dropping Nmap's probes before they reach the port, or dropping the responses before they reach Nmap's host.
Unfiltered: Nmap cannot determine whether the port is open or closed, although the port is accessible. This state is only reported by the ACK scan (-sA).
Open|Filtered: Nmap cannot determine whether the port is open or filtered. This is what silence means to scan types where an open port legitimately does not answer (UDP, Null, FIN, Xmas, Maimon).
Closed|Filtered: Nmap cannot decide whether the port is closed or filtered. Only the idle scan (-sI) reports this state.
Nmap Advanced Scanning
Port Scan Type  Example Command
TCP Null Scan   sudo nmap -sN MACHINE_IP
TCP FIN Scan    sudo nmap -sF MACHINE_IP
TCP Xmas Scan   sudo nmap -sX MACHINE_IP

The three scan types above can be efficient when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall checks whether an incoming packet has the SYN flag set to detect a connection attempt. Using a flag combination that does not match a SYN packet makes it possible to slip past the firewall and reach the system behind it. They only work against TCP stacks that follow RFC 793 (RST from a closed port, silence from an open one); Windows, Cisco IOS and a number of other stacks send an RST regardless, so every port shows up as closed.

Port Scan Type                  Example Command
TCP Maimon Scan                 sudo nmap -sM MACHINE_IP
TCP ACK Scan                    sudo nmap -sA MACHINE_IP
TCP Window Scan                 sudo nmap -sW MACHINE_IP
Custom TCP Scan                 sudo nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP
Spoofed Source IP               sudo nmap -S SPOOFED_IP MACHINE_IP
Spoofed MAC Address             --spoof-mac SPOOFED_MAC
Decoy Scan                      nmap -D DECOY_IP,ME MACHINE_IP
Idle (Zombie) Scan              sudo nmap -sI ZOMBIE_IP MACHINE_IP
Fragment IP data into 8 bytes   -f
Fragment IP data into 16 bytes  -ff

Option                  Purpose
--source-port PORT_NUM  specify source port number
--data-length NUM       append random data to reach given length

The flag-based scan types (Null, FIN, Xmas, Maimon, ACK, Window) rely on setting TCP flags in unexpected ways to prompt ports for a reply. Null, FIN and Xmas scans provoke a response (an RST) only from closed ports, while Maimon, ACK and Window scans provoke a response from both open and closed ports. When spoofing the source address with -S, the replies go to the spoofed address rather than to you, so the option is only useful where you can still observe them (typically on the same segment, combined with -e INTERFACE and -Pn).

Option    Purpose
--reason  explains how Nmap made its conclusion
-v        verbose
-vv       very verbose
-d        debugging
-dd       more details for debugging
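The following is an added example, not code from the page or from Nmap itself. It shows how a scan type turns the reply it gets back (or silence) into one of the port states listed under "Nmap Results", for the scan types in the "Nmap Advanced Scanning" table, and why a Null/FIN/Xmas scan reports an open port as closed against a stack that answers everything with RST. The replies are constructed dicts standing in for captured packets, and simulate_stack() is a hypothetical model of two kinds of target stack, not a reproduction of any real one.

```python
# Added example, not from the page or from Nmap: how a scan type turns the
# reply (or silence) it gets back into a port state, and what a non-RFC-793
# stack does to the Null/FIN/Xmas verdict.  Replies are constructed dicts;
# simulate_stack() is a hypothetical model written for this demonstration.
from typing import Optional

# TCP flag bits as they appear in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# ICMP destination-unreachable (type 3) codes that Nmap reports as "filtered"
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}

# What each TCP scan type puts in the flags byte.  Window scan (-sW) is left
# out of the simulation: its open/closed split rests on a per-stack RST
# window quirk that the simple model below does not capture.
PROBE_FLAGS = {"sS": SYN, "sT": SYN, "sN": 0, "sF": FIN,
               "sX": FIN | PSH | URG, "sM": FIN | ACK, "sA": ACK}


def port_state(scan: str, reply: Optional[dict]) -> str:
    """Map one reply to a port state.

    scan  : Nmap scan type without the dash: sS sT sU sN sF sX sM sA sW
    reply : None for no reply, or a constructed dict such as
            {"proto": "tcp", "flags": SYN | ACK, "window": 64240}
            {"proto": "icmp", "type": 3, "code": 3}
            {"proto": "udp"}
    """
    if reply is not None and reply["proto"] == "icmp":
        if reply["type"] == 3 and reply["code"] == 3 and scan == "sU":
            return "closed"          # UDP port unreachable: nobody listening
        if reply["type"] == 3 and reply["code"] in ICMP_FILTERED_CODES:
            return "filtered"        # an ACL or firewall admitted dropping us
        reply = None                 # any other ICMP is ignored, like silence

    flags = reply["flags"] if reply is not None and reply["proto"] == "tcp" else 0

    if scan in ("sS", "sT"):         # SYN / connect scan
        if reply is None:
            return "filtered"
        if flags & SYN and flags & ACK:
            return "open"
        return "closed" if flags & RST else "filtered"
    if scan == "sU":                 # UDP scan: silence is ambiguous
        if reply is None:
            return "open|filtered"
        return "open" if reply["proto"] == "udp" else "filtered"
    if scan in ("sN", "sF", "sX", "sM"):   # RFC 793: only closed ports answer
        if reply is not None and flags & RST:
            return "closed"
        return "open|filtered"
    if scan == "sA":                 # ACK scan: reachability only
        return "unfiltered" if reply is not None and flags & RST else "filtered"
    if scan == "sW":                 # Window scan: RST window hints open/closed
        if reply is None or not flags & RST:
            return "filtered"
        return "open" if reply.get("window", 0) > 0 else "closed"
    raise ValueError(f"unknown scan type {scan!r}")


def simulate_stack(stack: str, port_open: bool, probe_flags: int) -> Optional[dict]:
    """Hypothetical model of an unfirewalled target answering a TCP probe.

    "rfc793" : closed port -> RST; open port -> SYN/ACK to a SYN, RST to
               anything carrying ACK (so Maimon's FIN/ACK gets an RST too),
               and silence to a Null/FIN/Xmas segment.
    "rst-all": a stack that answers every non-SYN probe with RST whether
               the port is open or not (the Windows-style behaviour).
    """
    if not port_open:
        return {"proto": "tcp", "flags": RST | ACK, "window": 0}
    if probe_flags & SYN and not probe_flags & ACK:
        return {"proto": "tcp", "flags": SYN | ACK, "window": 64240}
    if probe_flags & ACK or stack == "rst-all":
        return {"proto": "tcp", "flags": RST, "window": 0}
    return None                      # RFC 793 open port drops the stray segment


def verdicts(stack: str, port_open: bool) -> dict:
    """Run every modelled scan type against one port and collect the states."""
    return {scan: port_state(scan, simulate_stack(stack, port_open, flags))
            for scan, flags in PROBE_FLAGS.items()}


if __name__ == "__main__":
    for stack in ("rfc793", "rst-all"):
        print(stack, "open port:  ", verdicts(stack, True))
        print(stack, "closed port:", verdicts(stack, False))
```

Against the "rst-all" model, -sN/-sF/-sX return "closed" for an open port while -sS still says "open", which is exactly the false negative to watch for when a Null scan reports nothing open on a Windows host.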
Subnet enumeration
user@slingshot:~$ nmap -n -sn 10.130.10.0/24 --packet-trace
Starting Nmap 7.60 ( https://nmap.org )
SENT (0.0509s) ICMP [10.254.252.2 > 10.130.10.1 Echo request (type=8/code=0) id=65308 seq=0] IP [ttl=44 id=3373 iplen=28 ]
SENT (0.0513s) ICMP [10.254.252.2 > 10.130.10.2 Echo request (type=8/code=0) id=27237 seq=0] IP [ttl=37 id=41108 iplen=28 ]
SENT (0.0517s) ICMP [10.254.252.2 > 10.130.10.3 Echo request (type=8/code=0) id=64932 seq=0] IP [ttl=37 id=40840 iplen=28 ]
SENT (0.0520s) ICMP [10.254.252.2 > 10.130.10.4 Echo request (type=8/code=0) id=45780 seq=0] IP [ttl=59 id=29404 iplen=28 ]
--packet-trace shows every packet Nmap sends and receives; here it reveals the ICMP echo requests used for host discovery, one per address in the /24.
Top 3000 Ports
By default Nmap scans the 1000 most common ports. If you don't want to scan all 65535 ports but want more coverage than the default 1000, you can scan the 3000 most common ports as shown below (the ranking comes from the frequency data in Nmap's nmap-services file).
sudo nmap -n -sT 10.130.10.33 --top-ports 3000
TCP Header
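The following is an added example, not code from the page or from Nmap: it builds the 20-byte TCP header that the scan types in the Advanced Scanning table differ in, so the flag bits that -sN, -sF, -sX, -sM and --scanflags put in byte 13 of the header are visible as bytes. parse_scanflags() is my own parser for the --scanflags syntax (flag names run together, or a number), the checksum follows RFC 793's pseudo-header rule, and the addresses and ports in the demo are made up.

```python
# Added example, not from the page or from Nmap: the TCP header behind the
# flag-based scan types.  parse_scanflags() mirrors the --scanflags syntax
# (flag names mashed together in any order, or a number); the checksum uses
# the IPv4 pseudo-header that RFC 793 requires.  Demo addresses are made up.
import socket
import struct

# Flag name -> bit, lowest bit first, as laid out in byte 13 of the header
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# The flags byte each scan option from the table above sends
SCAN_FLAGS = {
    "-sN": 0,                                                        # Null
    "-sF": FLAG_BITS["FIN"],                                         # FIN
    "-sX": FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"],   # Xmas
    "-sM": FLAG_BITS["FIN"] | FLAG_BITS["ACK"],                      # Maimon
    "-sS": FLAG_BITS["SYN"],
    "-sA": FLAG_BITS["ACK"],
}


def parse_scanflags(spec: str) -> int:
    """Turn a --scanflags value into the flags byte.

    Accepts a number (41, 0x29) or flag names run together in any order,
    e.g. URGACKPSHRSTSYNFIN or FINPSHURG.
    """
    spec = spec.strip()
    try:
        return int(spec, 0) & 0xFF
    except ValueError:
        pass
    value, rest = 0, spec.upper()
    while rest:
        name, rest = rest[:3], rest[3:]
        if name not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        value |= FLAG_BITS[name]
    return value


def flag_names(flags: int) -> list:
    """Inverse of parse_scanflags: names of the set bits, lowest bit first."""
    return [name for name, bit in FLAG_BITS.items() if flags & bit]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_len))


def tcp_header(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
               seq: int = 0, window: int = 1024) -> bytes:
    """Return a 20-byte option-less TCP header with a valid checksum."""
    data_offset = 5 << 4            # header length in 32-bit words, upper nibble
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset,
                      flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def header_fields(hdr: bytes) -> dict:
    """Decode the fields that matter for scanning from a raw TCP header."""
    sport, dport, _seq, _ack, _off, flags, window, csum, _urg = \
        struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "flags": flags,
            "flag_names": flag_names(flags), "window": window, "checksum": csum}


def checksum_ok(src_ip: str, dst_ip: str, hdr: bytes) -> bool:
    """With a correct checksum in place, the sum over pseudo-header + segment is zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


if __name__ == "__main__":
    for opt, flags in SCAN_FLAGS.items():
        print(f"{opt:4} flags byte 0x{flags:02x} {flag_names(flags)}")
    custom = parse_scanflags("URGACKPSHRSTSYNFIN")
    hdr = tcp_header("10.0.0.1", "10.0.0.2", 40000, 80, custom)   # made-up addresses
    print(f"--scanflags URGACKPSHRSTSYNFIN -> 0x{custom:02x}, header {hdr.hex()}")
    print(header_fields(hdr))
```

Feeding tcp_header() output to a raw socket is left out on purpose; the point here is to see that -sX is flags byte 0x29, -sN is 0x00, and that a stateless filter keyed on the SYN bit (0x02) never sees either.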

NSE
Script Category  Description
auth             Authentication related scripts
broadcast        Discover hosts by sending broadcast messages
brute            Performs brute-force password auditing against logins
default          Default scripts, same as -sC
discovery        Retrieve accessible information, such as database tables and DNS names
dos              Detects servers vulnerable to Denial of Service (DoS)
exploit          Attempts to exploit various vulnerable services
external         Checks using a third-party service, such as Geoplugin and VirusTotal
fuzzer           Launch fuzzing attacks
intrusive        Intrusive scripts such as brute-force attacks and exploitation
malware          Scans for backdoors
safe             Safe scripts that won't crash the target
version          Retrieve service versions
vuln             Checks for vulnerabilities or exploit vulnerable services
Run Scripts
nmap --script "http*" 10.10.10.10
nmap --script "ssh2-enum-algos" 10.10.220.56
NSE + Output
Option                   Meaning
-sV                      determine service/version info on open ports
-sV --version-light      try the most likely probes (intensity 2)
-sV --version-all        try all available probes (intensity 9)
-O                       detect OS
--traceroute             run traceroute to target
--script=SCRIPTS         Nmap scripts to run
-sC or --script=default  run default scripts
-A                       equivalent to -sV -O -sC --traceroute
-oN                      save output in normal format
-oG                      save output in grepable format
-oX                      save output in XML format
-oA                      save output in normal, XML and grepable formats
Searching Through Output
Looking for hosts with port 445 open in grepable (-oG) output and returning their IPs. The space before 445 stops the pattern from matching ports such as 1445, and the trailing slash after open stops it from matching open|filtered:
grep ' 445/open/' /tmp/scan.gnmap | cut -d ' ' -f 2
10.130.10.4
10.130.10.5
10.130.10.6
10.130.10.21
10.130.10.25
10.130.10.33
10.130.10.44
10.130.10.45
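The following is an added example, not code from the page: a small parser for Nmap's grepable (-oG) output that generalises the grep/cut pipeline above. It answers "which hosts have port N in state S" for any port, state and protocol, and also lists the live hosts from a -sn sweep (the Status: Up records), which is the usual way to feed a host-discovery pass into a port scan. SAMPLE_GNMAP is constructed for the demonstration; its addresses and hostnames are made up and do not come from a real scan.

```python
# Added example, not from the page: parse Nmap grepable (-oG) output and
# query it, generalising the grep ' 445/open/' | cut pipeline above.
# SAMPLE_GNMAP is constructed for this demo; the hosts are made up.
import ipaddress
import re

SAMPLE_GNMAP = """\
# Nmap 7.60 scan initiated as: nmap -sS -p 22,445,3389 -oG /tmp/scan.gnmap 10.130.10.0/24
Host: 10.130.10.4 ()\tStatus: Up
Host: 10.130.10.4 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///
Host: 10.130.10.5 ()\tPorts: 22/filtered/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.130.10.6 (fileserver.example)\tPorts: 22/closed/tcp//ssh///, 445/open|filtered/tcp//microsoft-ds///
Host: 10.130.10.21 ()\tStatus: Up
Host: 10.130.10.22 ()\tStatus: Down
# Nmap done: 256 IP addresses (4 hosts up) scanned
"""

# Host: <ip> (<hostname>)<tab-separated fields...>
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_gnmap(text: str) -> dict:
    """Return {ip: {"hostname": str, "status": str|None, "ports": {(port, proto): {...}}}}.

    Grepable output has one tab-separated record per line, and the same host
    can appear on several lines (a Status line and a Ports line), so records
    for one IP are merged.  Each port entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc info/version/
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                     # "# Nmap ..." comment lines etc.
        ip, hostname, rest = m.groups()
        host = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": {}})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                    host["ports"][(port, proto)] = {"state": state, "service": service,
                                                    "version": parts[6]}
    return hosts


def live_hosts(hosts: dict) -> list:
    """Hosts reported Up, plus any host with a Ports record (it answered something)."""
    return sorted((ip for ip, h in hosts.items() if h["status"] == "Up" or h["ports"]),
                  key=ipaddress.ip_address)


def hosts_with_port(hosts: dict, port: int, state: str = "open", proto: str = "tcp") -> list:
    """The grep ' 445/open/' | cut equivalent for any port, state and protocol.

    The state is compared exactly, so "open" does not match "open|filtered",
    just as the fixed-string grep above would not.
    """
    return sorted((ip for ip, h in hosts.items()
                   if h["ports"].get((port, proto), {}).get("state") == state),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("live hosts:        ", live_hosts(scan))
    print("445 open:          ", hosts_with_port(scan, 445))
    print("445 open|filtered: ", hosts_with_port(scan, 445, "open|filtered"))
```

Sorting by ipaddress.ip_address keeps 10.130.10.4 ahead of 10.130.10.21, which a plain string sort would not; when the output is piped into a follow-up scan (for example nmap -iL live.txt), the order does not matter, but it does when you are reading the list by eye.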