Nmap
Common switches
Live Host Discovery and Port Scan
Basic scan types
- -sT TCP Connect Scan (default without sudo)
- -sS SYN "Half-open" Scan. Requires sudo (default when using sudo)
- -sU UDP Scan. Requires sudo
- -sN TCP Null Scan. No response means the port is open or filtered.
- -sF TCP FIN Scan. No response means the port is open or filtered.
- -sX TCP Xmas Scan. No response means the port is open or filtered.
- -sA TCP ACK Scan. The target responds to the ACK with RST regardless of the port state. FIREWALL EVASION: we can learn which ports are not filtered.
ICMP Network Scanning
- nmap -sn 10.10.0.1-254 or nmap -sn 10.10.0.0/24
- The -sn switch tells Nmap not to scan any ports
Port specification
- -p 21 Port 21
- -p 21-100 Port range
- -p- Scan all 65535 ports
- --top-ports N Scan the N most common ports (e.g. --top-ports 2000)
- -F Fast scan: the 100 most common ports
Service and Version Detection
- -sV Attempts to determine the version of the service running on port
- -A Enable OS detection, version detection, script scanning, and traceroute
OS Detection
- -O Remote OS detection using TCP/IP stack fingerprinting
Timing and Performance (-T0 to -T5, default -T3)
- -T0 Paranoid IDS evasion. 5 minutes between each probe.
- -T4 Often used during CTFs
- -T5 Insane: fastest scan (for extraordinarily fast networks)
- --min-rate 15. Rate >= 15 packets/sec
- --max-rate 50. Rate <= 50 packets/sec
- --min-parallelism 100 At least 100 probes in parallel
Getting More Details
- --reason Gives us the explicit reason why Nmap concluded that the host is up or a particular port is open.
- -v or -vv Verbosity
- -d or -dd Debugging
Firewall Evasion
- -f Fragment packets into 8-byte chunks
- --mtu NUMBER Fragment size. Must be a multiple of 8
- --scan-delay TIMEms Adds a delay between packets sent
- --badsum Used to generate an invalid checksum for packets. Instead of dropping it, firewalls may respond automatically, without bothering to check the checksum of the packet. Can be used to determine the presence of a firewall/IDS.
Spoofing and Decoys
- nmap -S SPOOFED_IP 10.10.208.223 Only works if we can monitor the network for responses.
- nmap -e NET_INTERFACE -S SPOOFED_IP 10.10.208.223
- nmap --spoof-mac SPOOFED_MAC -e NET_INTERFACE -S SPOOFED_IP 10.10.208.223 Only works in the same subnet.
- nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME 10.10.208.223 -D sets decoy IPs (other IPs that appear to send the packets). RND is a random IP. ME is my own IP. The last argument is the destination IP.
- nmap -sI ZOMBIE_IP 10.10.208.223 Idle/Zombie Scan
Detect live hosts
- -PR -sn ARP Scan. Only in the same subnet
- -PE -sn ICMP Echo Scan. Usually blocked
- -PP -sn ICMP Timestamp Scan. Expect ICMP Type 14 (timestamp reply). Useful to bypass the Echo block.
- -PM -sn ICMP Address Mask Scan. Similar to -PP, expect Type 18 (address mask reply).
- -PS22,80,443 -sn TCP SYN Ping Scan. Use with sudo to avoid 3-way handshake. GOOD RESULTS
- -PA22,80,443 -sn TCP ACK Ping Scan. Expect RST.
- -PU53,161,162 -sn UDP Ping Scan. Expect the response of a closed port from an active host.
- -sn Host discovery only
- -n no DNS lookup
- -R reverse-DNS lookup for all hosts
Disable Host discovery
- -Pn Host discovery disabled
Post Port Scan
Service Detection
- -sV Service and version information for open ports. A stealth -sS scan is not possible for the version probes: the TCP 3-way handshake must be completed
- --version-intensity LEVEL Between 0 and 9.
OS Detection
- -O
Traceroute
- --traceroute Starts with a packet of low TTL and keeps increasing until it reaches the target.
NSE Scripts
There are many NSE script categories available.
- -sC or --script=default Run the scripts in the default category
Usage: --script=SCRIPT_NAME
- --script=safe Run the safe category
- --script=smb-enum-users,smb-enum-shares Comma-separated script names
- --script "ftp*" Wildcard pattern
Where can I find the scripts? /usr/share/nmap/scripts (index in /usr/share/nmap/scripts/script.db)
Saving the Output
There are 3 formats: normal, grepable and XML.
- -oN FILENAME Normal format
- -oG FILENAME Grepable format
- grep KEYWORD TEXT_FILE Search the grepable output
- -oX FILENAME XML format. To process the output in other programs
- -oA BASENAME All three formats at once
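As an added example (not part of these notes), a small Python parser for the grepable (-oG) format: it turns each port entry into a record and summarises the open ports per host. The sample output is constructed, not captured from a real scan.

```python
import re
from typing import Dict, List

# Constructed sample of nmap -oG output (fields are tab-separated, one "Host:" line per host).
SAMPLE_OG = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - -p 22,80,443 10.10.0.0/29
Host: 10.10.0.5 ()\tStatus: Up
Host: 10.10.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.10.0.6 (files.lab)\tStatus: Up
Host: 10.10.0.6 (files.lab)\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/
# Nmap done at Mon Jan  1 10:00:09 2024 -- 8 IP addresses (2 hosts up) scanned in 9.10 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text: str) -> List[Dict[str, str]]:
    """Return one record per port entry: host, hostname, port, proto, state, service, version."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment and summary lines carry no host data
        ip, hostname, rest = m.groups()
        fields = {}
        for chunk in rest.split("\t"):  # e.g. "Ports: ..." and "Ignored State: ..."
            key, _, value = chunk.partition(": ")
            fields[key] = value
        if "Ports" not in fields:
            continue  # the "Status: Up" line lists no ports
        for entry in fields["Ports"].split(", "):
            # Each entry: port/state/protocol/owner/service/rpc info/version/
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            records.append({"host": ip, "hostname": hostname, "port": port, "proto": proto,
                            "state": state, "service": service, "version": version})
    return records


def open_ports(records: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each host to its sorted list of open port numbers."""
    out: Dict[str, List[int]] = {}
    for r in records:
        if r["state"] == "open":
            out.setdefault(r["host"], []).append(int(r["port"]))
    return {host: sorted(ports) for host, ports in out.items()}


if __name__ == "__main__":
    for host, ports in open_ports(parse_grepable(SAMPLE_OG)).items():
        print(host, ports)
```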
Examples
- sudo nmap -Pn -A -T5 IPDEST