Nmap

Network Mapper

Port Status

  • open -> The Nmap probe reached the port and the connection was accepted (an application is listening).

  • closed -> The port is closed.

  • filtered -> Nmap does not know if the port is open or closed.

  • unfiltered -> Port is accessible, but we don't know if it's open or closed.

  • open | filtered -> Nmap cannot tell whether the port is open or filtered; the port may be protected by a firewall.

  • closed | filtered -> It's impossible to determine if the port is open or closed.


TCP Scans

Connect Scan
nmap -sT 192.168.1.1
Specific Ports
nmap -p 22,80,443 192.168.1.1
All Ports
nmap -p- 192.168.1.1
ACK Scan
nmap -sA 192.168.1.1
Window Scan
nmap -sW 192.168.1.1
Maimon Scan
nmap -sM 192.168.1.1
Custom Source Port
nmap --source-port 53 192.168.1.1

Timing and performance control

  • Timing templates range from 0 (slowest) to 5 (fastest); 3 is the default.

Set Timing Template
nmap -T4 192.168.1.1
Very Fast Scan
nmap -T5 192.168.1.1
Very Slow Scan
nmap -T0 192.168.1.1
Control Parallelism
nmap --min-parallelism 10 192.168.1.1

Host Discovery

Ping Sweep
nmap -sn 192.168.1.0/24
Disable Host Discovery
nmap -Pn 192.168.1.0/24
List Targets Only
nmap 192.168.1.1-3 -sL
From Target File
nmap -iL targets.txt
Range Scan
nmap 192.168.1.1-254
TCP SYN Ping
nmap 192.168.1.1-5 -PS22-25,80
TCP ACK Ping
nmap 192.168.1.1-5 -PA22-25,80
ARP Ping
nmap 192.168.1.0/24 -PR
Ping Host (ICMP, ACK, ARP)
nmap -PE -PA80 -PR 192.168.1.0/24
Random Host Scan with traceroute
nmap -iR 10 -sn --traceroute
Script for Discovery
nmap --script discovery 192.168.1.1

DNS

Standard Scan
nmap --dns-servers 8.8.8.8 192.168.1.1
Disable DNS Resolution
nmap 192.168.1.1 -n
Resolve Hostnames in a Range
nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1

Service and OS Detection

Service Version Detection
nmap -sV 192.168.1.1
OS Detection
nmap -O 192.168.1.1
Limit OS Detection to Promising Hosts
nmap 192.168.1.1 -O --osscan-limit
Aggressive Scan
nmap -A 192.168.1.1

Examples

Service and Version + Specific Port
sudo nmap -sCV -oA nmap -p 'PORTS' [IP]

UDP Scans

Basic Scan
nmap -sU 192.168.1.1
Specific Ports
nmap -p 53,123,161 -sU 192.168.1.1
All Ports
nmap -p- -sU 192.168.1.1
Service Detection
nmap -sU -sV 192.168.1.1
Script Scanning
nmap -sU --script=udp* 192.168.1.1

Host Discovery

UDP Ping
nmap 192.168.1.1-5 -PU53

Examples

Specific Port + Scripts
sudo nmap -sU -p 161 -sC 10.10.10.92

Stealth Scans

SYN Scan
nmap -sS 192.168.1.1
FIN Scan
nmap -sF 192.168.1.1
Xmas
nmap -sX 192.168.1.1
Scan with Decoys
nmap -D RND:10 192.168.1.1
Fragment Packets
nmap -f 192.168.1.1
Zombie Scan
nmap -sI <zombie_host> 192.168.1.1
Spoofed Source Address
nmap -S 10.10.10.10 192.168.1.1
Set Fragment Size (MTU, multiple of 8)
nmap 192.168.1.1 --mtu 32
Specific Source Port
nmap -g 53 192.168.1.1
Use proxies
nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1
Append Random Data
nmap --data-length 200 192.168.1.1
Non-intrusive Scripts
nmap 192.168.1.1 --script "not intrusive"

Examples

nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1

Scripting Engine (NSE)

List Scripts
locate scripts/citrix
Look At The Categories
locate .nse | xargs grep "categories" | grep -oP '".*?"' | sort -u
Look at any Specific category
locate .nse | xargs grep -l 'categories =.*"discovery"'
Default Scripts
nmap -sC 192.168.1.1
Specific Script
nmap --script smb-vuln* 192.168.1.1
Category Of Scripts (Wildcard)
nmap --script ssl* 192.168.1.1
Script From File
nmap --script /path/to/script.nse 192.168.1.1

Examples

Safe SMB
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1
Safe HTTP
nmap -n -Pn -vv -O -sV --script=http-enum,http-headers,http-methods,http-title,http-vuln* 192.168.1.1
HTTP Map Generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
Fast Search For Random Web-Servers
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
Bruteforce DNS Hostname
nmap -Pn --script=dns-brute domain.com
Whois Query
nmap --script whois* domain.com
Cross Site Scripting
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
SQLi
nmap -p80 --script http-sql-injection scanme.nmap.org
SNMP System Description
nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1
SSH Brute Force
nmap -n -p22 --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt <IP>
CMS Configuration Backups
nmap -n -p<PORT> --script http-config-backup <IP>
Service Version and Vulnerabilities
nmap -sV -p<PORT> --script vuln <IP>
WordPress Enumeration
nmap -n -p<PORT> --script http-wordpress-enum <DNS>
HeartBleed Vulnerability Check
nmap -sV -p443 --script=ssl-heartbleed <DNS>
Banner Grab
nmap -n -p<PORT> --script dns-nsid <IP>
Shellshock Vulnerability Check
sudo nmap --script http-shellshock --script-args uri=<URL_ARCHIVO_SH> -p80 <IP>

Scan Output and Logging

Normal Output
nmap -oN output.txt 192.168.1.1
XML Output
nmap -oX output.xml 192.168.1.1
All formats
nmap -oA output_prefix 192.168.1.1
Grepable Output
nmap -oG output.txt 192.168.1.1

Filtering Outputs

Regex, Parse, Direct
cat nmap.txt | grep -oP '([\d]+)/open' | awk -F/ '{print $1}' | tr '\n' ','
Removes Duplicates
cat nmap.txt | grep open | grep -v '#' | cut -d"/" -f1 | sort | uniq | sed -z 's/\n/,/g;s/,$/\n/'
Filtering Function
function extractPorts(){
	# Parse Nmap normal output ($1): collect every "NNN/open" port and the first IP address seen
	ports="$(grep -oP '\d{1,5}/open' "$1" | awk -F/ '{print $1}' | xargs | tr ' ' ',')"
	ip_address="$(grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' "$1" | sort -u | head -n 1)"
	echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
	echo -e "\t[*] IP Address: $ip_address"  >> extractPorts.tmp
	echo -e "\t[*] Open ports: $ports\n"  >> extractPorts.tmp
	# Copy the comma-separated port list to the X11 clipboard (requires xclip)
	echo "$ports" | tr -d '\n' | xclip -sel clip
	echo -e "[*] Ports copied to clipboard\n"  >> extractPorts.tmp
	cat extractPorts.tmp; rm extractPorts.tmp
}

Examples

Web Server + Open Ports
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open
Generate a List of Live Host IPs
nmap -iR 10 -n -oX out.xml | grep "Nmap scan report" | cut -d " " -f5 > live-hosts.txt
Append IPs to the List of Live Hosts
nmap -iR 10 -n -oX out2.xml | grep "Nmap scan report" | cut -d " " -f5 >> live-hosts.txt
Compare Output from Nmap
ndiff scan1.xml scan2.xml
Convert Nmap XML files to HTML files
xsltproc nmap.xml -o nmap.html
Reverse sorted list
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
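The filters above work on normal output; the grepable format (-oG) is easier to parse reliably because each host's ports sit in one tab-separated line. The following is an added example, not part of the original cheat sheet, that extracts only ports in the exact "open" state per host (closed, filtered and open|filtered entries are skipped); the sample scan lines are constructed for the self-test.

```shell
#!/bin/sh
# Added example: parse Nmap grepable output (-oG) and print, per host,
# only the ports whose state is exactly "open". Entries in the closed,
# filtered and open|filtered states are skipped.
# Usage: extract_open_ports scan.gnmap
extract_open_ports() {
    awk -F'\t' '
        /^Host: / {
            split($1, h, " "); ip = h[2]              # "Host: 192.168.1.10 ()" -> IP
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, ", ")
                    out = ""
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")     # port/state/proto/owner/service/...
                        if (f[2] == "open")
                            out = out (out == "" ? "" : ",") f[1] "/" f[3]
                    }
                    if (out != "") print ip ": " out
                }
            }
        }' "$1"
}

# Writes a constructed (made-up) sample of -oG output to the path in $1;
# it is not a real scan result and exists only to exercise the parser.
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated as: nmap -sSU -p T:22,80,443,U:161 -oG - 192.168.1.10-11\n'
        printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 161/open|filtered/udp//snmp///\tIgnored State: filtered (0)\n'
        printf 'Host: 192.168.1.11 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.11 ()\tPorts: 22/filtered/tcp//ssh///, 80/closed/tcp//http///\n'
        printf '# Nmap done at ... -- 2 IP addresses (2 hosts up) scanned\n'
    } > "$1"
}

SAMPLE="$(mktemp)"
write_sample_gnmap "$SAMPLE"
extract_open_ports "$SAMPLE"      # prints: 192.168.1.10: 22/tcp,80/tcp
rm -f "$SAMPLE"
```

Host 192.168.1.11 produces no line at all because none of its ports is open, and the UDP port in open|filtered state on 192.168.1.10 is deliberately left out.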

Other Techniques

TCP and UDP
nmap 192.168.1.1 -p U:53,T:21-25,80
IPv6
nmap -6 2607:f0d0:1002:51::4
