nmap
Network discovery tool.
General
Nmap has a ton of functionalities; the following are some of the more often used ones.
-p <port> to scan the given port(s), or -p- for all ports
-sS for a TCP SYN (Stealth) scan (probably the most used one)
-sT for a TCP Connect scan (the only option as unprivileged user)
-sV for detecting versions of the services running on the target
-sU for a UDP scan. NOTE: Expect a longer scan time when using this
-sn for a ping scan with port scanning disabled
-Pn to not ping a host before scanning it, bypassing a block of the ICMP protocol. NOTE: Expect a longer scan time when using this
-A for aggressive mode (enables OS and version detection, script scanning etc.)
-O for OS detection
--script to activate a script, e.g. --script=vuln to activate all scripts within the vuln category
-v for verbosity. NOTE: It is recommended to use at least verbosity level -vv
-oN <filename> to redirect output in normal form to a file
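The -oN output above is what you usually keep from a scan, so it is worth being able to parse it. The following is an added example (not part of the original page, not nmap's own code) that reads nmap "normal" output from a constructed sample, collects the port table per host, and flattens it to the open ports with the -sV version strings. The sample text and the addresses in it are made up for the example.

```python
import re

# Constructed sample of nmap "normal" (-oN) output; not a real scan result.
SAMPLE_NORMAL_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sV -oN scan.txt 192.0.2.0/29
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.52 ((Ubuntu))
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
All 1000 scanned ports on 192.0.2.11 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

# Nmap done at Mon Jan  1 12:00:30 2024 -- 8 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

# "Nmap scan report for <name-or-ip>" starts each host block. When nmap
# resolved a name the line reads "for host.example (192.0.2.10)"; we keep
# the first token, which is the name in that case.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Port table rows: "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_normal_output(text):
    """Return {host: [ {port, proto, state, service, version}, ... ]}.

    Hosts that are up but show no port rows still get an (empty) entry,
    so the caller can tell "up with nothing listed" from "not in output".
    """
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": version.strip(),
            })
    return hosts


def open_ports(parsed):
    """Flatten to (host, port, proto, service, version) tuples for open ports only."""
    return [
        (host, p["port"], p["proto"], p["service"], p["version"])
        for host, ports in parsed.items()
        for p in ports
        if p["state"] == "open"
    ]


if __name__ == "__main__":
    for row in open_ports(parse_normal_output(SAMPLE_NORMAL_OUTPUT)):
        print("%s %d/%s %s %s" % row)
```

Filtered and closed rows are kept in the parsed structure (they matter when comparing scans over time) but dropped by open_ports, which is the view most people want for a quick inventory.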
Host Discovery
Several methods can be used to discover live hosts; these are some of the most common. As a port scan is often unnecessary during host discovery, the -sn flag is added to all examples.
Ping Scan without port-scanning:
nmap -sn ip
Send ICMP Echo requests without port-scanning:
nmap -PE -sn ip
Send ICMP Timestamp queries without port-scanning:
nmap -PP -sn ip
Send ICMP Address Mask queries without port-scanning:
nmap -PM -sn ip
NOTE: Many firewalls block ICMP in general, hence this is considered unreliable.
ARP Scan without port-scanning:
nmap -PR -sn ip
NOTE: For a host to answer an ARP query, you must be on the same subnet.
TCP SYN ping can also be used for host discovery, where the 3-way handshake won't be completed if running it as a privileged user. The order of packets will then be SYN SYN/ACK RST instead of SYN SYN/ACK ACK. Unprivileged users will have to complete the handshake if the port is open. Done without port-scanning:
nmap -PS<port(s)> -sn ip
TCP ACK ping can be used as well as a privileged user. The order of the packets will then be ACK RST, as this initial ACK packet won't be part of any ongoing connection, hence a RST is sent back. However, this tells us the host is up. Done without port-scanning:
nmap -PA<port(s)> -sn ip
UDP ping can also be used to determine if a host is up. One cannot expect a reply if sending a UDP packet to an open UDP port, but if the port is closed, an ICMP Destination Unreachable packet is expected, revealing the host being up. Done without port-scanning:
nmap -PU -sn ip
Scripts
Nmap stores its scripts at /usr/share/nmap/scripts. Scripts can be found by searching within the file /usr/share/nmap/scripts/script.db, which lists every script with its categories, or just by searching through the folder itself.
Some of the more useful script categories are the following:
auth to attempt bypassing of authentication for running services
brute to attempt bruteforcing of running services
discovery to attempt to query running services to gather additional information
exploit to attempt to exploit a vulnerability
intrusive for scripts which most likely will affect the target
safe for scripts which should not affect the target
vuln to scan for vulnerabilities
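Because script.db is a plain text file with one "Entry { ... }" line per script, it is easy to query before choosing what to run, for instance to list everything in the safe category or to exclude intrusive scripts from a discovery run. The following is an added example (not from the page, not nmap's own tooling) that parses an excerpt in that format. The excerpt is constructed for the example: the script names are real nmap scripts, but the category lists are written from memory and may differ from the script.db on your system, so treat them as illustrative.

```python
import re

# Constructed excerpt in the format of /usr/share/nmap/scripts/script.db.
# Script names are real; categories are illustrative, not authoritative.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "dns-brute.nse", categories = { "intrusive", "discovery", } }
"""

# Pull the filename and the body of the categories table out of one Entry line.
ENTRY_RE = re.compile(r'filename\s*=\s*"([^"]+)".*?categories\s*=\s*\{([^}]*)\}')
QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_script_db(text):
    """Return {script filename: set of categories} from script.db text."""
    db = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # blank lines or anything that is not an Entry
        db[m.group(1)] = set(QUOTED_RE.findall(m.group(2)))
    return db


def scripts_in_category(db, category):
    """All scripts tagged with `category`, sorted by name."""
    return sorted(name for name, cats in db.items() if category in cats)


def scripts_matching(db, include, exclude=()):
    """Scripts carrying every category in `include` and none in `exclude`.

    Example: include={"discovery"}, exclude={"intrusive"} gives the
    discovery scripts that should not affect the target.
    """
    include, exclude = set(include), set(exclude)
    return sorted(
        name for name, cats in db.items()
        if include <= cats and not (exclude & cats)
    )


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    print("safe:", scripts_in_category(db, "safe"))
    print("discovery, not intrusive:", scripts_matching(db, {"discovery"}, {"intrusive"}))
```

The same filtering can be expressed directly on the nmap command line, since --script accepts boolean category expressions such as --script "discovery and not intrusive"; the parser is useful when you want to review the candidate list before running anything.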
Scan timing
Scan timing can help with IDS evasion, but will also yield slower scans; the first two templates (paranoid and sneaky) are intended for this. It can be adjusted by the -T<0-5> flag, where -T3 is the default value. The template names are:
paranoid (0)
sneaky (1)
polite (2)
normal (3)
aggressive (4)
insane (5)
One should expect to sacrifice accuracy for speed when using -T5.
Nice-to-know
Host Discovery
When no host discovery options are provided, nmap will by default use a ping scan to discover live hosts, followed by a port scan of the hosts found, where the following holds.
ARP requests are used when a privileged user scans a target on the local network.
ICMP echo requests, TCP ACK at port 80, TCP SYN at port 443 and ICMP timestamp requests are used when a privileged user scans a target outside the local network.
A TCP 3-way handshake is tried by sending TCP SYN at port 80 and 443 when an unprivileged user scans a target outside the local network.
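The probe combination just described (and the SYN, ACK and ICMP pings from the Host Discovery section above) is also what a defender sees on the wire when a default nmap host discovery runs against a non-local network: an ICMP echo request, an ACK to port 80, a SYN to port 443 and an ICMP timestamp request to each target within a very short window. The following is an added example, not from the page, showing detection logic over a constructed set of flow records; the record layout, the addresses and the WINDOW and min_probes thresholds are assumptions for the example, not a format any particular sensor emits.

```python
from collections import defaultdict

# Constructed flow records (not real traffic):
# (timestamp_seconds, src, dst, proto, dport, detail)
# For tcp, detail is the flag string ("S" = SYN, "A" = ACK).
# For icmp, dport is None and detail is the ICMP message type.
SAMPLE_FLOWS = [
    # default privileged host discovery against two targets
    (100.00, "10.0.0.5", "192.0.2.10", "icmp", None, "echo-request"),
    (100.01, "10.0.0.5", "192.0.2.10", "tcp", 443, "S"),
    (100.01, "10.0.0.5", "192.0.2.10", "tcp", 80, "A"),
    (100.02, "10.0.0.5", "192.0.2.10", "icmp", None, "timestamp-request"),
    (100.50, "10.0.0.5", "192.0.2.11", "icmp", None, "echo-request"),
    (100.51, "10.0.0.5", "192.0.2.11", "tcp", 443, "S"),
    (100.51, "10.0.0.5", "192.0.2.11", "tcp", 80, "A"),
    (100.52, "10.0.0.5", "192.0.2.11", "icmp", None, "timestamp-request"),
    # ordinary HTTPS client: SYN to 443, then the handshake ACK
    (200.00, "10.0.0.9", "192.0.2.10", "tcp", 443, "S"),
    (200.01, "10.0.0.9", "192.0.2.10", "tcp", 443, "A"),
    # a lone ICMP echo, e.g. from a monitoring system
    (300.00, "10.0.0.7", "192.0.2.12", "icmp", None, "echo-request"),
]

# The four probes nmap sends by default as a privileged user to a target
# outside the local network, keyed as (proto, dport, detail).
DEFAULT_PROBES = {
    ("icmp", None, "echo-request"),
    ("tcp", 80, "A"),
    ("tcp", 443, "S"),
    ("icmp", None, "timestamp-request"),
}

WINDOW = 2.0      # seconds within which the probes must arrive (assumption)
MIN_PROBES = 3    # distinct probe kinds required to flag a pair (assumption)


def probe_key(flow):
    _ts, _src, _dst, proto, dport, detail = flow
    return (proto, dport, detail)


def detect_default_discovery(flows, window=WINDOW, min_probes=MIN_PROBES):
    """Return {(src, dst): set of probe kinds} for pairs where at least
    `min_probes` distinct default probes arrive within `window` seconds.

    A single SYN to 443 or a single echo request is normal traffic; the
    ACK-to-80 and timestamp-request probes are what make the pattern
    distinctive, which is why several kinds are required.
    """
    by_pair = defaultdict(list)
    for f in flows:
        key = probe_key(f)
        if key in DEFAULT_PROBES:
            by_pair[(f[1], f[2])].append((f[0], key))

    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        for t0, _ in events:
            kinds = {k for t, k in events if t0 <= t <= t0 + window}
            if len(kinds) >= min_probes:
                hits[pair] = kinds
                break
    return hits


def sweep_sources(hits):
    """Distinct flagged destinations per source, a simple sweep indicator."""
    counts = defaultdict(int)
    for src, _dst in hits:
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = detect_default_discovery(SAMPLE_FLOWS)
    for (src, dst), kinds in sorted(hits.items()):
        print(src, "->", dst, sorted(map(str, kinds)))
    print("sweep counts:", sweep_sources(hits))
```

On the constructed input only 10.0.0.5 is flagged, once per target, while the HTTPS client and the monitoring ping are ignored. In practice the same logic runs over flow or IDS records from a sensor; the page's note that many firewalls block ICMP applies here too, since a border that drops ICMP will show only the two TCP probes of the four.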
Reference
Full documentation can be found at https://nmap.org/book/.