Scan for active hosts

  • Ping sweep: use ICMP to scan for up hosts (previously -sP)
    nmap -sn 10.0.0.1-254
  • TCP SYN ping: TCP RST if port is closed, 3-way handshake if port is open (port list attaches directly to the flag)
    nmap -PS21,80,8080,443,3306 10.0.0.1-254
  • TCP ACK ping: TCP RST if port is open
    nmap -PA21,80,8080,443,3306 10.0.0.1-254
  • UDP ping: ICMP port unreachable if active, ICMP host/network unreachable if inactive
    nmap -PU 10.0.0.1-254
  • ARP ping (local network only)
    nmap -PR 10.0.0.1-254
  • Disable/enable DNS resolution for every host (faster/slower)
    nmap -n 10.0.0.1-254
    nmap -R 10.0.0.1-254

Scan host open ports

  • Scan 1000 most common TCP ports
    nmap -sT 10.0.0.1
  • Scan 1000 most common UDP ports
    nmap -sU 10.0.0.1
  • Scan 20 most common TCP ports
    nmap -sT --top-ports=20 10.0.0.1
  • Scan range of TCP ports
    nmap -sT -p 1-1337 10.0.0.1
  • Scan known ports in nmap-services file (~1200)
    nmap -F 10.0.0.1
  • TCP SYN scan: default for root user, doesn't establish full TCP connection
    nmap -sS 10.0.0.1
  • TCP connect() scan: default for non-root user, does establish full TCP connection
    nmap -sT 10.0.0.1
  • UDP scan: DNS, SNMP, DHCP (can be combined with TCP scans)
    nmap -sU 10.0.0.1
  • Null/FIN/Xmas TCP scans: exploit a loophole in the TCP RFC to determine whether a port is open or closed
    • Null scan: no TCP flag:
      nmap -sN 10.0.0.1
    • FIN scan: only FIN TCP flag:
      nmap -sF 10.0.0.1
    • Xmas scan: FIN, PSH and URG TCP flags:
      nmap -sX 10.0.0.1
    • Response: RST => closed | none => open
  • TCP ACK scan: only determines whether the firewall rules are stateful/stateless
    • Response: RST => unfiltered | none/ICMP => filtered
      nmap -sA 10.0.0.1
  • TCP window scan: Same as TCP ACK scan but can determine open/closed ports
    • If RST response: TCP window > 0 => open | TCP window = 0 => closed
      nmap -sW 10.0.0.1
  • Idle scan: full stealth blind TCP port scan bounced off a zombie host (<zombie> is a placeholder; an optional probe port follows the colon)
    nmap -sI <zombie> 10.0.0.1
    nmap -sI <zombie>:22 10.0.0.1
  • Scan host even if ping scan fails (skip host discovery)
    nmap -Pn 10.0.0.1
  • Give the reason of the port state
    nmap --reason 10.0.0.1-254

Ports states

  • open
    • The service accepts TCP/UDP connections
  • closed
    • No service listening
  • filtered
    • Probes blocked by a firewall
  • unfiltered
    • Only from the TCP ACK scan: the port is reachable but nmap cannot tell whether it is open or closed. Other scan techniques can help find out
  • open|filtered
    • Nmap cannot determine if the service doesn't respond or if it is behind a firewall
  • closed|filtered
    • Only from the idle scan (based on the IP packet identifier): nmap cannot determine whether the port is closed or behind a firewall

Get more info on host

  • OS detection (based on default OS TTL, TCP window size and the like)
    nmap -O 10.0.0.1
  • OS detection (based on host's SMB server)
    nmap --script smb-os-discovery.nse 10.0.0.1
  • Aggressive scan (shortcut for '-O -sV -sC --traceroute')
    nmap -A 10.0.0.1

Get more info on services

  • Services versions detection
    nmap -sV 10.0.0.1
    nmap -sV --version-intensity 9 10.0.0.1
  • Zone transfer
    nmap --script=dns-zone-transfer -p53 10.0.0.1

Timing and performance

  • Paranoid: 0
    • IDS evasion
    • 5 minutes between probes
  • Sneaky: 1
    • IDS evasion
    • 15 seconds between probes
  • Polite: 2
    • Less bandwidth/target machine resources
    • May take 10 times longer than default (0.4 seconds between probes)
  • Normal: 3
    • Default
  • Aggressive: 4
    • Reasonably fast, modern and reliable network
  • Insane: 5
    • Sacrifice some accuracy for speed
    • Not recommended
  • Select a timing template by number (here: insane)
    nmap -T5 10.0.0.1

Firewall/IDS evasion and spoofing

  • Fragment packets (only TCP/UDP scans and OS detection)
    nmap -f -sS -sU -O 10.0.0.1
  • Spoof source IP address (Reply sent to spoofed IP)
    nmap -S 10.0.0.42 -e eth0 -Pn 10.0.0.1
  • Spoof source MAC address
    • Random MAC address
      nmap --spoof-mac 0 10.0.0.1
    • Specific vendor
      nmap --spoof-mac Apple 10.0.0.1
    • Specific MAC address
      nmap --spoof-mac 01:02:03:04:05:06 10.0.0.1
      nmap --spoof-mac deadcafebabe 10.0.0.1
  • Source port
    nmap --source-port 1337 10.0.0.1
    nmap -g 1337 10.0.0.1
  • Randomize target hosts order
    nmap --randomize-hosts 10.0.0.1-254
  • Relay TCP connections through proxies
    • No authentication
    • Only HTTP and SOCKS4
      nmap --proxies http://10.0.0.10:1337,http://10.0.0.11:4242 10.0.0.1
  • Append data to sent packets
    • Binary data (hex format)
      nmap --data 0xdeadbeef 10.0.0.1
    • String data
      nmap --data-string "l1k3 my h4xx0r 5k1llz ?" 10.0.0.1
    • Random data (number of bytes to append)
      nmap --data-length 10 10.0.0.1

Nmap Script Engine (NSE)

  • Scan using the default set of scripts (legal disclaimer)
    nmap -sC 10.0.0.1
    nmap --script=default 10.0.0.1
  • Script located in a custom directory (nmap default scripts in $NMAPDIR/scripts/scripts.db)
    nmap --datadir=/home/user/nmap-scripts/ --script "my-script1,my-script2" 10.0.0.1
    nmap --script "/home/user/nmap-scripts/my-script1.nse" 10.0.0.1
  • Wildcard script selection (only works in scripts.db)
    nmap --script "http-*" 10.0.0.1
  • Not intrusive scripts
    nmap --script "not intrusive" 10.0.0.1
  • Scripts in categories default OR safe
    nmap --script "default,safe" 10.0.0.1
  • Scripts in categories default AND safe
    nmap --script "default and safe" 10.0.0.1
  • Scripts in categories default OR safe, not starting with “http”
    nmap --script "(default or safe) and not http-*" 10.0.0.1
  • Print incoming/outgoing script communications
    nmap -sC --script-trace 10.0.0.1
  • Update scripts.db (run on its own, no target needed)
    • Useful if scripts were added/removed from nmap's default location, or changed categories
      nmap --script-updatedb
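The category and name expressions above are resolved against scripts.db. As an added example (not part of this cheat sheet, not nmap's own code), here is a small evaluator for such expressions against a constructed scripts.db excerpt, so you can check what a --script argument will actually run before launching it; it simplifies nmap's rules to matching category names and script names with * and ? wildcards.

```python
import re
# Constructed scripts.db excerpt in the Lua table syntax nmap uses; not the real file.
SCRIPTS_DB = '''
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-sql-injection.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "dns-zone-transfer.nse", categories = { "intrusive", "discovery", } }
'''

ENTRY_RE = re.compile(r'filename = "([^"]+)", categories = \{([^}]*)\}')
TOKEN_RE = re.compile(r'\(|\)|[^\s(),]+')

def load_db(text):
    """Map each script name (without .nse) to its set of categories."""
    return {f[:-4]: set(re.findall(r'"([^"]+)"', c)) for f, c in ENTRY_RE.findall(text)}

def compile_expr(expr):
    """Turn a --script expression into a predicate over (name, categories). Commas mean
    OR; 'not' binds tightest, then 'and', then 'or'; a bare term matches a category or a
    script name (with * and ? wildcards). Simplified from nmap's own resolution rules."""
    tokens = TOKEN_RE.findall(expr.replace(",", " or "))  # consumed left to right
    def parse_or():
        left = parse_and()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            left = (lambda a, b: lambda s: a(s) or b(s))(left, parse_and())
        return left
    def parse_and():
        left = parse_not()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            left = (lambda a, b: lambda s: a(s) and b(s))(left, parse_not())
        return left
    def parse_not():
        tok = tokens.pop(0)
        if tok == "not":
            inner = parse_not()
            return lambda s: not inner(s)
        if tok == "(":
            inner = parse_or()
            tokens.pop(0)  # the closing ')'
            return inner
        pat = re.compile("^" + re.escape(tok).replace(r"\*", ".*").replace(r"\?", ".") + "$")
        return lambda s: tok in s[1] or pat.match(s[0]) is not None
    return parse_or()

def select_scripts(expr, db):
    """Sorted names of the scripts the expression would select."""
    pred = compile_expr(expr)
    return sorted(name for name, cats in db.items() if pred((name, cats)))
```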

Output options

  • Verbosity level
    nmap -v3 10.0.0.1
  • Debugging level
    nmap -d9 10.0.0.1
  • Reason of scan results
    nmap --reason 10.0.0.1
  • Periodic timing stats
    nmap --stats-every 30s 10.0.0.1

Save results in a file

  • Normal format
    nmap 10.0.0.1 -oN scan.nmap
  • XML format
    nmap 10.0.0.1 -oX nmap.xml
  • Grepable format
    nmap 10.0.0.1 -oG scan.gnmap
  • Skiddy format (recommended for hacking)
    nmap 10.0.0.1 -oS hacking.txt
  • All formats (.nmap, .xml, .gnmap)
    nmap 10.0.0.1 -oA scan
  • Append rather than overwrite
    nmap 10.0.0.1 -oN scan.nmap --append-output
  • Resume scan from file
    nmap --resume scan.nmap
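Parsing the grepable (-oG) output above into a structure a defender can diff against an asset inventory, as an added example that is not part of this cheat sheet; the sample output is constructed, and the field layout follows nmap's -oG format (tab-separated fields, seven slash-separated values per port).

```python
import re
from collections import Counter

# Constructed -oG output (not from a real scan); nmap separates the fields with tabs.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -sU -oG scan.gnmap 10.0.0.1-3
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 161/open|filtered/udp//snmp///\tIgnored State: closed (1997)
Host: 10.0.0.2 (db.lab)\tStatus: Up
Host: 10.0.0.2 (db.lab)\tPorts: 3306/open/tcp//mysql//MySQL 8.0/, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done: 3 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {"hostname", "up", "ports": [...]}} from grepable output.
    Each item in the Ports: field has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version/ (note the trailing slash)."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "up": False, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                entry["up"] = True
                for item in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                    entry["ports"].append({"port": int(port), "proto": proto, "state": state,
                                           "service": service, "version": version})
    return hosts

def state_summary(hosts):
    """Count port states over all hosts; open|filtered entries are the ones to re-check
    (e.g. with -sV or --reason) before treating them as exposed services."""
    return Counter(p["state"] for h in hosts.values() for p in h["ports"])

def open_ports(hosts, ip):
    """(port, proto, service) triples in state 'open' for one host, scan order kept."""
    return [(p["port"], p["proto"], p["service"])
            for p in hosts[ip]["ports"] if p["state"] == "open"]
```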

Misc

  • IPv6 scanning (target must be an IPv6 address or a name resolving to one)
    nmap -6 <ipv6 address>

Runtime interaction

  • Verbosity level increase/decrease
    v/V
  • Debugging level increase/decrease
    d/D
  • Packet tracing on/off
    p/P
  • Runtime interaction help screen
    ?
  • Status message (time elapsed, scan current %)
    Any key (space ftw)