Nmap
Network Mapper
Performance Tuning
Timing templates go from 0 to 5 (-T0 to -T5); 3 is the default.

    nmap -T4 192.168.1.1

--min-parallelism lets you control the concurrency of the scan manually:

    nmap -sS -T4 --min-parallelism 20 --max-retries 1 -p 80,443,22,3389 192.168.1.1

Rate limiting (--min-rate / --max-rate) gives you direct control over packets per second:

    nmap -sS --min-rate 500 192.168.1.1

--max-rtt-timeout adjusts how long Nmap waits for a response before retrying:

Optimized for LANs
    nmap -sS --max-rtt-timeout 200ms 192.168.1.1

TCP Scans
Connect Scan
    nmap -sT -sV -p- 192.168.1.1

ACK Scan
    nmap -sA 192.168.1.1

Window Scan
    nmap -sW 192.168.1.1

Maimon Scan
    nmap -sM 192.168.1.1

Host Discovery
Ping Sweep
    nmap -sn 192.168.1.0/24

Disable Host Discovery
    nmap -Pn 192.168.1.0/24

List Targets Only
    nmap 192.168.1.1-3 -sL

From Target File
    nmap -iL targets.txt

Range Scan
    nmap 192.168.1.1-254

TCP SYN Ping
    nmap 192.168.1.1-5 -PS22-25,80

TCP ACK Ping
    nmap 192.168.1.1-5 -PA22-25,80

ARP Ping
    nmap 192.168.1.0/24 -PR

Ping Host (ICMP, ACK, ARP)
    nmap -PE -PA80 -PR 192.168.1.0/24

Host Scan with traceroute
    nmap -iR 10 -sn --traceroute

Script for Discovery
    nmap --script discovery 192.168.1.1

DNS Scans
Standard Scan
    nmap --dns-servers 8.8.8.8 192.168.1.1

Disable DNS Resolution
    nmap 192.168.1.1 -n

Resolve Hostnames in a Range
    nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1

Service and OS Detection
Service Version Detection
    nmap -sV 192.168.1.1

OS Detection
    nmap -O 192.168.1.1

Limit OS Detection
    nmap 192.168.1.1 -O --osscan-limit

Aggressive Scan
    nmap -A 192.168.1.1

Target Specific Ports
    sudo nmap -sCV -oA nmap -p 'PORTS' [IP]

UDP Scans
Basic Scan
    nmap -sU 192.168.1.1

Specific Ports
    nmap -p 53,123,161 -sU -sC 192.168.1.1

All Ports
    nmap -p- -sU 192.168.1.1

Service Detection
    nmap -sU -sV 192.168.1.1

Script Scanning
    nmap -sU --script='udp*' 192.168.1.1

Host Discovery for UDP
UDP ping first:
    nmap -PU53,161,123 192.168.1.1-254 -oN udp_live_hosts.txt

Then scan the live hosts:
    nmap -sS -sV -p- -iL udp_live_hosts.txt -oA full_scan --max-retries 1

Stealthy Scans
Example
    nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1

SYN Scan
    nmap -sS 192.168.1.1

FIN Scan
    nmap -sF 192.168.1.1

Xmas Scan
    nmap -sX 192.168.1.1

Scan with Decoys
    nmap -D RND:10 192.168.1.1

Fragment Packets
    nmap -f 192.168.1.1

Zombie (Idle) Scan
    nmap -sI <zombie_host> 192.168.1.1

Spoofed Source Address
    nmap -S 10.10.10.10 192.168.1.1

Set Offset Size (MTU)
    nmap 192.168.1.1 --mtu 32

Specific Source Port
    nmap -g 53 192.168.1.1

Use Proxies
    nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1

Append Random Data
    nmap --data-length 200 192.168.1.1

Non-intrusive Scripts
    nmap 192.168.1.1 --script "not intrusive"

Scripting Engine - NSE
List Scripts
    locate scripts/citrix

Look at the Categories
    locate .nse | xargs grep "categories" | grep -oP '".*?"' | sort -u

Look at a Specific Category
    locate .nse | xargs grep -l 'categories =.*"discovery"'

Default Scripts
    nmap -sC 192.168.1.1

Specific Script
    nmap --script 'smb-vuln*' 192.168.1.1

Version and Vulnerabilities
    nmap -sV -p<PORT> --script vuln <IP>

Outputs
Normal Output
    nmap -oN output.txt 192.168.1.1

XML Output
    nmap -oX output.xml 192.168.1.1

All Formats
    nmap -oA output_prefix 192.168.1.1

Grepable Output
    nmap -oG output.txt 192.168.1.1

Filtering
Regex, Parse, Direct
    cat nmap.txt | grep -oP '([\d]+)/open' | awk -F/ '{print $1}' | tr '\n' ','

Remove Duplicates
    cat nmap.txt | grep open | grep -v '#' | cut -d"/" -f1 | sort | uniq | sed -z 's/\n/,/g;s/,$/\n/'

Filtering Function
    function extractPorts(){
        # $1 is an Nmap grepable (-oG) output file: "<port>/open/<proto>//..." entries
        ports="$(grep -oP '\d{1,5}/open' "$1" | awk -F'/' '{print $1}' | xargs | tr ' ' ',')"
        # first IPv4 address found in the file
        ip_address="$(grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' "$1" | sort -u | head -n 1)"
        echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
        echo -e "\t[*] IP Address: $ip_address" >> extractPorts.tmp
        echo -e "\t[*] Open ports: $ports\n" >> extractPorts.tmp
        # copy the comma-separated port list to the X clipboard (needs xclip)
        echo "$ports" | tr -d '\n' | xclip -sel clip
        echo -e "[*] Ports copied to clipboard\n" >> extractPorts.tmp
        cat extractPorts.tmp; rm extractPorts.tmp
    }

Reverse Sorted List
    grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less

Generate a List of Live Host IPs
    nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt

Append IPs
    nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt

Other Techniques
TCP and UDP
    nmap 192.168.1.1 -p U:53,T:21-25,80

IPv6
    nmap -6 2607:f0d0:1002:51::4
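Added example for the Filtering section, not code from the original cheat sheet: a POSIX shell parser for grepable (-oG) output that emits one "ip T:ports,U:ports" line per host in the U:/T: port-spec form shown under "TCP and UDP". Unlike the `\d{1,5}/open` regex in extractPorts, it counts only ports whose state is exactly "open", so the "open|filtered" state that UDP scans report for silent ports is left out; the sample output, hosts and services are constructed.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.

# Constructed sample of Nmap -oG output (fields are tab-separated); the hosts,
# ports and services are made up.
sample_grepable() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sS -sU -oG - 192.168.1.0/24'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)\n'
    printf 'Host: 192.168.1.7 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.7 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.1.9 ()\tPorts: 25/open|filtered/udp//smtp///\tIgnored State: closed (999)\n'
    printf '%s\n' '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 10.00 seconds'
}

# Read -oG output on stdin and print "ip T:22,80,U:53" for every host that has
# at least one port in state exactly "open". Each "Ports:" entry has the form
# port/state/proto/owner/service/rpcinfo/version/, so splitting on "/" gives the
# port in f[1], the state in f[2] and the protocol in f[3].
open_ports() {
    awk -F'\t' '
    /^Host:/ {
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            split($1, h, " "); ip = h[2]
            sub(/^Ports: /, "", $i)
            n = split($i, p, ", ")
            t = ""; u = ""
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] != "open") continue      # skips closed, filtered, open|filtered
                if (f[3] == "tcp") t = t (t == "" ? "" : ",") f[1]
                else if (f[3] == "udp") u = u (u == "" ? "" : ",") f[1]
            }
            spec = (t != "" ? "T:" t : "")
            if (u != "") spec = spec (spec != "" ? "," : "") "U:" u
            if (spec != "") print ip, spec
        }
    }'
}

# Demo on the constructed sample; real use: nmap -sS -sU -oG - 192.168.1.0/24 | open_ports
sample_grepable | open_ports
```

Each output line can be fed straight back into a follow-up scan of that host, e.g. as the -p argument of `nmap -sV -p T:22,80,U:53 192.168.1.7`.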