Nmap

Network Mapper

Performance Tuning

  • Timing tables go from 0 to 5, being 3 the default.

nmap -T4 192.168.1.1

  • --min-parallelism allows to manually control the concurrency of the scan:

nmap -sS -T4 --min-parallelism 20 --max-retries 1 -p 80,443,22,3389 192.168.1.1

  • Rate Limiting (--min-rate/--max-rate) gives you a better control over packets/second:

nmap -sS --min-rate 500 192.168.1.1

  • --max-rtt-timeout adjusts how long Nmap waits for responses before retrying:

Optimized for LANs
nmap -sS --max-rtt-timeout 200ms 192.168.1.1
TCP Scans
Connect Scan
nmap -sT -sV -p- 192.168.1.1
ACK Scan
nmap -sA 192.168.1.1
Window Scan
nmap -sW 192.168.1.1
Maimon Scan
nmap -sM 192.168.1.1
Host Discovery
Ping Sweep
nmap -sn 192.168.1.0/24
Disable Host Discovery
nmap -Pn 192.168.1.0/24
List targets Only
nmap 192.168.1.1-3 -sL
From Target File
nmap -iL targets.txt
Range Scan
nmap 192.168.1.1-254
TCP SYN Ping
nmap 192.168.1.1-5 -PS22-25,80
TCP ACK Ping
nmap 192.168.1.1-5 -PA22-25,80
ARP Ping
nmap 192.168.1.1-1/24 -PR
Ping Host (ICMP, ACK, ARP)
nmap -PE -PA80 -PR 192.168.1.0/24
Host Scan with traceroute
nmap -iR 10 -sn -traceroute
Script for Discovery
nmap --script discovery 192.168.1.1
DNS Scans
Standard Scan
nmap --dns-servers 8.8.8.8 192.168.1.1
Disable DNS Resolution
nmap 192.168.1.1 -n
Resolve Hostnames in a Range
nmap 192.168.1.1-50 -sL -dns-server 192.168.1.1
Service and OS Detection
Service Version Detection
nmap -sV 192.168.1.1
OS Detection
nmap -O 192.168.1.1
Limits OS Detection
nmap 192.168.1.1 -O -osscan-limit
Aggressive Scan
nmap -A 192.168.1.1
Target Specific Ports
sudo nmap -sCV -oA nmap -p 'PORTS' [IP]
UDP Scans
Basic Scan
nmap -sU 192.168.1.1
Specific Ports
nmap -p 53,123,161 -sU -sC 192.168.1.1
All Ports
nmap -p- -sU 192.168.1.1
Service Detection
nmap -sU -sV 192.168.1.1
Script Scanning
nmap -sU --script=udp* 192.168.1.1

Host discovery for UDP

UDP Ping first
nmap -PU53,161,123 192.168.1.1-254 -oN udp_live_hosts.txt
Then scan live hosts
nmap -sS -sV -p- -iL udp_live_hosts.txt -oA full_scan --max-retries 1
Stealthy Scans
Example
nmap -f -t 0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
SYN Scan
nmap -sS 192.168.1.1
FIN Scan
nmap -sF 192.168.1.1
Xmas
nmap -sX 192.168.1.1
Scan with Decoys
nmap -D RND:10 192.168.1.1
Fragments Packets
nmap -f 192.168.1.1
Zombie Scan
nmap -sI <zombie_host> 192.168.1.1
Spoofed Source Address
nmap -S 10.10.10.10 192.168.1.1
Set Offset Size
nmap 192.168.1.1 -mtu 32
Specific Source Port
nmap -g 53 192.168.1.1
Use proxies
nmap -proxies http://192.168.1.1:8080, http://192.168.1.2:8080 192.168.1.1
Append Random Data
nmap -data-length 200 192.168.1.1
Non-intrusive Scripts
nmap 192.168.1.1 -script "not intrusive"
Scripting Engine - NSE
List Scripts
locate scripts/citrix
Look At The Categories
locate .nse | xargs grep "categories" | grep -oP '".*?"' | sort -u
Look at any Specific category
locate .nse | xargs grep -l 'categories =.*"discovery"'
Default Scripts
nmap -sC 192.168.1.1
Specific Script
nmap --script smb-vuln* 192.168.1.1
Version and Vulnerabilities
nmap -sV -p<PORT> --script vuln <IP>
Outputs
Normal Output
nmap -oN output.txt 192.168.1.1
XML Output
nmap -oX output.xml 192.168.1.1
All formats
nmap -oA output_prefix 192.168.1.1
Grepable Output
nmap -oG output.txt 192.168.1.1

Filtering

Regex, Parse, Direct
cat nmap.txt | grep -oP '([\d]+)/open' | awk -F/ '{print $1}' | tr '\n' ','
Removes Duplicates
cat nmap.txt | grep open | grep -v '#' | cut -d"/" -f1 | sort | uniq | sed -z 's/\n/,/g;s/,$/\n/'
Filtering Function
function extractPorts(){
	ports="$(cat $1 | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',')"
	ip_address="$(cat $1 | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | sort -u | head -n 1)"
	echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
	echo -e "\t[*] IP Address: $ip_address"  >> extractPorts.tmp
	echo -e "\t[*] Open ports: $ports\n"  >> extractPorts.tmp
	echo $ports | tr -d '\n' | xclip -sel clip
	echo -e "[*] Ports copied to clipboard\n"  >> extractPorts.tmp
	cat extractPorts.tmp; rm extractPorts.tmp
}
Reverse sorted list
grep " open " results.nmap | sed -r ‘s/ +/ /g’ | sort | uniq -c | sort -rn | less

Generate a IPs live hosts list

nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
Append IPs
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt

Other Techniques

TCP and UDP
nmap 192.168.1.1 -p U:53,T:21-25,80
IPv6
nmap -6 2607:f0d0:1002:51::4

PrevioustcpdumpNextWireshark

Last updated