Target Specification
SWITCH | EXAMPLE | DESCRIPTION
(none) | nmap 192.168.1.1 | Scan a single IP
(none) | nmap 192.168.1.1 192.168.2.1 | Scan specific IPs
(none) | nmap 192.168.1.1-254 | Scan a range
(none) | nmap scanme.nmap.org | Scan a domain
(none) | nmap 192.168.1.0/24 | Scan using CIDR notation
-iL | nmap -iL targets.txt | Scan targets from a file
-iR | nmap -iR 100 | Scan 100 random hosts
--exclude | nmap --exclude 192.168.1.1 | Exclude listed hosts
Nmap Scan Techniques
SWITCH | EXAMPLE | DESCRIPTION
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege)
-sU | nmap 192.168.1.1 -sU | UDP port scan
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan
-sW | nmap 192.168.1.1 -sW | TCP Window port scan
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan
Host Discovery
SWITCH | EXAMPLE | DESCRIPTION
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap 192.168.1.1/24 -PR | ARP discovery on local network
-n | nmap 192.168.1.1 -n | Never do DNS resolution
Port Specification
SWITCH | EXAMPLE | DESCRIPTION
-p | nmap 192.168.1.1 -p 21 | Port scan for port x
-p | nmap 192.168.1.1 -p 21-100 | Port range
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p | nmap 192.168.1.1 -p- | Port scan all ports
-p | nmap 192.168.1.1 -p http,https | Port scan from service name
-F | nmap 192.168.1.1 -F | Fast port scan (100 ports)
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off the initial port in a range makes the scan start at port 1
-p0- | nmap 192.168.1.1 -p0- | Leaving off the end port in a range makes the scan go through to port 65535
Service and Version Detection
SWITCH | EXAMPLE | DESCRIPTION
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on the port
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. A higher number increases the possibility of correctness
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode. Lower possibility of correctness. Faster
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute
OS Detection
SWITCH | EXAMPLE | DESCRIPTION
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found, it will not try OS detection against the host
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute
Timing and Performance
SWITCH | EXAMPLE | DESCRIPTION
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0) Intrusion Detection System evasion
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1) Intrusion Detection System evasion
-T2 | nmap 192.168.1.1 -T2 | Polite (2) slows down the scan to use less bandwidth and fewer target machine resources
-T3 | nmap 192.168.1.1 -T3 | Normal (3), which is the default speed
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap 192.168.1.1 -T5 | Insane (5) speeds scans; assumes you are on an extraordinarily fast network
Timing and Performance Switches
SWITCH | EXAMPLE INPUT | DESCRIPTION
--host-timeout <time> | 1s; 4m; 2h | Give up on a target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions
--min-rate <number> | 100 | Send packets no slower than <number> per second
--max-rate <number> | 100 | Send packets no faster than <number> per second
NSE Scripts
SWITCH | EXAMPLE | DESCRIPTION
-sC | nmap 192.168.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe
--script default | nmap 192.168.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe
--script | nmap 192.168.1.1 --script=banner | Scan with a single script. Example: banner
--script | nmap 192.168.1.1 --script=http* | Scan with a wildcard. Example: http
--script | nmap 192.168.1.1 --script=http,banner | Scan with two scripts. Example: http and banner
--script | nmap 192.168.1.1 --script "not intrusive" | Scan with the default scripts, but remove intrusive ones
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments
Useful NSE Script Examples
COMMAND (DESCRIPTION indented below)
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
    HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
    Fast search for random web servers
nmap -Pn --script=dns-brute domain.com
    Brute forces DNS hostnames, guessing subdomains
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1
    Safe SMB scripts to run
nmap --script whois* domain.com
    Whois query
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
    Detect cross-site scripting vulnerabilities
nmap -p80 --script http-sql-injection scanme.nmap.org
    Check for SQL injections
Firewall / IDS Evasion and Spoofing
SWITCH | EXAMPLE | DESCRIPTION
-f | nmap 192.168.1.1 -f | The requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own offset size
-D | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 | Send scans from spoofed IPs
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g | nmap -g 53 192.168.1.1 | Use the given source port number
--proxies | nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies
--data-length | nmap --data-length 200 192.168.1.1 | Appends random data to sent packets
Example IDS Evasion command
nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
Output
SWITCH | EXAMPLE | DESCRIPTION
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN - and -oX - are also usable
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap 192.168.1.1 -d | Increase the debugging level (use -dd or more for greater effect)
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state; same output as -vv
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Shows the host interfaces and routes
--resume | nmap --resume results.file | Resume a scan
Helpful Nmap Output examples
COMMAND (DESCRIPTION indented below)
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open
    Scan for web servers and grep to show which IPs are running web servers
nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
    Generate a list of the IPs of live hosts
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt
    Append IPs to the list of live hosts
ndiff scan1.xml scan2.xml
    Compare output from two nmap runs using ndiff
xsltproc nmap.xml -o nmap.html
    Convert nmap XML files to HTML files
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
    Reverse sorted list of how often ports turn up
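The grep/cut pipelines above work on Nmap's normal output; the grepable format (-oG) is the one meant for scripting. The following is an added example, not part of the cheat sheet, that parses constructed -oG sample output (not a real scan) to list open ports, count how often each port turns up, and report ports newly open between two runs, which is the check ndiff automates. The function and sample names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: answer the questions the grep/cut
# pipelines above answer, as shell functions over Nmap grepable (-oG) output.
# One host per line, tab-separated fields; each port entry is
#   <port>/<state>/<proto>/<owner>/<service>/<rpcinfo>/<version>/
# scan_before and scan_after are constructed sample outputs, not real scans.
scan_before() {
  printf '%b\n' \
    '# Nmap scan initiated (constructed sample)' \
    'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/, 443/closed/tcp//https///\tIgnored State: filtered (997)' \
    'Host: 192.168.1.11 ()\tPorts: 80/open/tcp//http//Apache httpd/, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)' \
    'Host: 192.168.1.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.0/\tIgnored State: closed (999)' \
    'Host: 192.168.1.13 ()\tPorts: 80/open/tcp//http//lighttpd/\tIgnored State: closed (999)'
}
# Same hosts scanned later: 192.168.1.12 now also exposes 3389 (constructed).
scan_after() {
  scan_before | grep -v '^Host: 192.168.1.12 '
  printf '%b\n' 'Host: 192.168.1.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.0/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)'
}
# open_ports: read grepable text on stdin, print "ip port/proto service"
# for every port in state open (the -oG - | grep open idea, field by field).
open_ports() {
  grep '^Host: .*Ports: ' | awk -F'\t' '{
    split($1, h, " ")                 # h[2] is the IP address
    sub(/^Ports: /, "", $2)
    n = split($2, p, ", ")
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")             # f[1]=port f[2]=state f[3]=proto f[5]=service
      if (f[2] == "open") printf "%s %s/%s %s\n", h[2], f[1], f[3], f[5]
    }
  }'
}
# port_frequency: how often each open port turns up, most common first
# (what the sort | uniq -c | sort -rn pipeline above does on normal output).
port_frequency() {
  open_ports | awk '{ c[$2]++ } END { for (k in c) print c[k], k }' | sort -rn
}
# new_open_ports: ports open in the second scan but not in the first, the
# check ndiff automates; arguments are commands that emit grepable text.
new_open_ports() {
  before=$(mktemp); after=$(mktemp)
  "$1" | open_ports | sort > "$before"
  "$2" | open_ports | sort > "$after"
  comm -13 "$before" "$after"
  rm -f "$before" "$after"
}
# Usage: scan_before | open_ports; scan_before | port_frequency
#        new_open_ports scan_before scan_after
```

Real output can be fed in with `nmap ... -oG - | open_ports` or `open_ports < scan.gnmap`; only lines carrying a Ports: field are considered, so host-only lines from -sn scans are skipped.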
Other Useful Nmap Commands
COMMAND (DESCRIPTION indented below)
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn
    Discovery only on ports x, no port scan
nmap 192.168.1.1/24 -PR -sn -vv
    ARP discovery only on the local network, no port scan
nmap -iR 10 -sn --traceroute
    Traceroute to random targets, no port scan
nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1
    Query the internal DNS for hosts, list targets only
nmap 192.168.1.1 --packet-trace
    Show the details of the packets that are sent and received during a scan and capture the traffic