Nmap

Nmap (Network Mapper) is a powerful open-source tool for network exploration and security auditing. It allows users to discover hosts, services, and vulnerabilities on a network by employing various scan types and techniques.

Usage:

nmap [Scan Type(s)] [Options] {target specification}

Target Specification:

  • Can include hostnames, multiple IP addresses, networks, etc.

    • Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

Host Discovery:

  • -sn: Ping Scan (disable port scan)

  • -Pn: Treat all hosts as online (skip host discovery)

  • -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP, or SCTP discovery to given ports

  • -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

  • -PO[protocol list]: IP Protocol Ping

  • -A: Traceroute

Scan Techniques:

  • -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

  • -sU: UDP Scan

  • -sN/sF/sX: TCP Null (Network sweeping, begins with broad scans then use detailed ones), FIN, and Xmas scans

  • --scanflags <flags>: Customize TCP scan flags

  • -sI <zombie host[:probeport]>: Idle scan

  • -sY/sZ: SCTP INIT/COOKIE-ECHO scans

  • -sO: IP protocol scan

  • -b <FTP relay host>: FTP bounce scan

Port Specification and Scan Order:

  • -p <port ranges>: Only scan specified ports

    • Ex: -p22, -p1-65535, -p U:53,111,137,T:21-25,80,139,8080,S:9

  • --exclude <host1[,host2][,host3],...>: Exclude hosts/networks

  • --top-ports:10 : scans top 10 ports

Output Options:

  • -oG <filename>: Output in greppable format

  • -oN <filename>: Normal output

  • -oX <filename>: Output in XML format

OS Fingerprinting:

  • -O: Enable OS detection

Examples:

  • TCP SYN scan on ports 80 and 443, output to greppable file:

    nmap -sS -p 80,443 -oG output.txt example.com
  • UDP scan on default ports, enable OS detection:

    nmap -sU -O example.com
  • Fingerprinting web servers on port80

    kali@kali:~$ sudo nmap -p80  -sV example.com
    Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-28 05:13 EDT
    Nmap scan report for example.com
    Host is up (0.11s latency).
    
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
  • Extract information using grep from the greppable output:

    grep "Host:" output.txt

Resources:

Last updated