Nmap scans

Host discovery (simple)

Ping-based host discovery with no port scan. Nmap sends its default discovery probes (as root: ICMP echo, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp; ARP on a directly attached Ethernet segment; unprivileged: TCP connect to 80 and 443). May not discover all hosts, because perimeter firewalls commonly drop exactly these probes. -sP is the old spelling of -sn and still works, but -sn is the current flag.

nmap -sn 10.10.10.0/24

List live hosts

Generate a plain list of live IP addresses. -n skips reverse DNS, -oG - writes grepable output to stdout with one "Host: <ip> () Status: Up" line per live host, and awk prints the IP field.

nmap -n -sn 10.10.10.0/24 -oG - | awk '/Up$/{print $2}'

General useful flags

  • -v Increase verbosity (can use -vv for higher verbosity level)
  • -O Operating system detection
  • -n Disable reverse DNS resolution (don't translate IPs to hostnames); also faster
  • -sn No port scan (host discovery only) -- light reconnaissance, far less traffic than a port scan
  • -sV Get service versions

Find elusive hosts

Helps find hosts that do not answer discovery probes. -Pn skips host discovery and port-scans every target (the default top 1000 ports, or whatever -p specifies) whether or not it looks alive, so against a large range this is slow: each down host waits out the timeout on every probed port. Combine with -p to limit the ports, e.g. nmap -Pn -p 22,80,443 [host].

  • -Pn No ping: Skip host discovery phase (treat all hosts as online)

Scan hosts from file

  • -iL [listfile] Scan hosts from a list of IPs

Fast scan

Quick scan of the 100 most common ports (instead of the default 1000).

nmap -F [host]

Get service versions

nmap -sV [host]

Aggressive scan

  • -A Enables OS detection, version detection, script scanning, and traceroute

Get as much information as possible on all 65535 TCP ports (-p-). Quite noisy: -A adds OS fingerprinting, version probes, the default NSE scripts and traceroute. Optional -T4 flag to increase speed.

nmap -T4 -A -p- [host] -v

Ping scans

Host discovery probe types. Several can be combined in one command so that a single blocked probe type does not hide a host (e.g. -PE -PS22,80,443 -PA80 -PU40125).

  • -sP Ping scan only (old spelling of -sn)
  • -PN No ping (old spelling of -Pn)
  • -PE ICMP echo ping (the classic ping; often blocked at the perimeter)
  • -PS[ports] TCP SYN ping: a SYN/ACK or RST reply means the host is up
  • -PA[ports] TCP ACK ping: a host answers an unexpected ACK with RST, which gets through stateless filters that only block SYN (default port 80)
  • -PU[ports] UDP ping: an ICMP port-unreachable reply means the host is up; useful when all TCP is filtered (default port 40125)
  • -PR ARP ping: used automatically for targets on the local Ethernet segment; a host cannot filter ARP without losing connectivity, so it is the most reliable local discovery
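The "List live hosts" pipeline and the combined ping-scan flags above, as an added example that is not part of the original page. The parser and the constructed sample run offline; discover_hosts assumes nmap is on PATH and has raw-socket privileges (needed for -PE, -PA and -PU).

```shell
# Added example (not from the original page): host discovery built on nmap's
# grepable output. discover_hosts assumes nmap on PATH with raw-socket
# privileges; the parser and the constructed sample below run without nmap.

# Print the IP of every host whose grepable line ends in "Status: Up".
# Grepable output is tab-separated; field 1 is "Host: <ip> (<name>)", so
# splitting it on spaces gives the IP as the second word.
live_hosts_from_grepable() {
    awk -F'\t' '/^Host: / && /Status: Up$/ { split($1, h, " "); print h[2] }'
}

# Combine several probe types so one blocked probe does not hide a host:
# ICMP echo (-PE), TCP SYN to 22/80/443 (-PS), TCP ACK to 80 (-PA) and
# UDP to 40125 (-PU). On a local Ethernet segment nmap uses ARP instead.
discover_hosts() {
    target="$1"
    nmap -n -sn -PE -PS22,80,443 -PA80 -PU40125 -oG - "$target" |
        live_hosts_from_grepable
}

# Constructed sample of "nmap -n -sn -oG -" output (not a real scan) so the
# parser can be exercised offline. Nmap lists down hosts in -oG only with -v.
sample_sn_grepable() {
    printf 'Host: 10.10.10.1 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.3 ()\tStatus: Down\n'
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
}

# discover_hosts 10.10.10.0/24                   # real run
# sample_sn_grepable | live_hosts_from_grepable  # prints 10.10.10.1 and 10.10.10.5
```

The awk filter is the same idea as the one-liner under "List live hosts"; splitting on tabs first makes it robust to hostnames that contain spaces in the parenthesised name field.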

Traceroute

Trace intermediary host IPs on the route to the target. Nmap's traceroute reuses the probe type that got a response from the target (e.g. a TCP SYN to an open port), so it often works where ICMP-based traceroute is filtered.

nmap --traceroute [host]

Ultimate scan, all ports

Very slow, but thorough: SYN scan of all 65535 TCP ports, default NSE scripts and version detection. -sS needs root (raw sockets); without it nmap falls back to -sT.

nmap -sS -sC -sV -T4 -p- [host]

Log to file

Log results to file, in various formats.

  • -oN [filename] Log out to normal text file (what you see on the terminal)
  • -oA [filename] Log out to all file formats: filename.nmap, filename.gnmap and filename.xml
  • -oG [filename] Log out to a grep-friendly format, one line per host (for text search and shell pipelines)

Speed tricks

Flags to speed up scans, or at least cut the output to what matters.

  • --open Only show open (or open|filtered) ports. An output filter, not a speed-up: nmap still probes every port
  • -T4 Timing template 0-5 (-T0 paranoid up to -T5 insane). -T4 is the usual choice on a fast, reliable network; -T5 may miss ports or trip rate limits
  • --min-rate 10000 Send at least X packets per second regardless of the timing template. Too high a rate drops responses and makes open ports show as filtered
  • --max-rtt-timeout 1500ms Wait at most X milliseconds for a probe response before giving up on it
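A common way to apply the speed flags together with -oG/-oA from "Log to file", as an added example that is not part of the original page: a fast full-port sweep feeds a slower, targeted version scan. two_phase_scan assumes nmap on PATH; the grepable parser and the constructed sample run without it.

```shell
# Added example (not from the original page): a two-phase scan. Phase 1 sweeps
# all 65535 TCP ports quickly with --min-rate and grepable output; phase 2
# runs the slow -sV/-sC work only on the ports phase 1 found open. Assumes
# nmap on PATH for two_phase_scan; the parser and sample run without it.

# Turn grepable output into one "<ip> <port,port,...>" line per host with
# open TCP ports. The "Ports:" field holds entries such as
# "22/open/tcp//ssh///" separated by ", "; the second "/"-field is the state.
open_ports_from_grepable() {
    awk -F'\t' '
        /^Host: / {
            split($1, h, " "); ip = h[2]; ports = ""
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entries, /, /)
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    if (f[2] == "open" && f[3] == "tcp")
                        ports = ports (ports == "" ? "" : ",") f[1]
                }
            }
            if (ports != "") print ip " " ports
        }'
}

two_phase_scan() {
    target="$1"
    # Phase 1: every TCP port, at least 5000 packets/s, no DNS, no host
    # discovery. Too high a rate makes open ports show as filtered, so
    # lower it on lossy links.
    nmap -n -Pn -p- --min-rate 5000 -T4 --open -oG - "$target" |
        open_ports_from_grepable |
        while read -r ip ports; do
            # Phase 2: versions and default scripts on just those ports,
            # saved in all formats (scan_<ip>.nmap/.gnmap/.xml).
            nmap -n -Pn -sV -sC -p "$ports" -oA "scan_$ip" "$ip"
        done
}

# Constructed sample of phase-1 output (not a real scan) for offline use.
sample_port_grepable() {
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (65532)\n'
    printf 'Host: 10.10.10.7 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65534)\n'
}

# two_phase_scan 10.10.10.5                        # real run
# sample_port_grepable | open_ports_from_grepable  # prints "10.10.10.5 22,80" and "10.10.10.7 3389"
```

The point of the split is that -sV and -sC cost seconds per port while a bare SYN sweep costs microseconds; spending the expensive probes only on ports already known open keeps the total time and the noise down.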

Firewall evasion

  • -f Fragment packets: splits each probe's TCP/UDP header across several tiny IP fragments (8 bytes of payload each, 16 with -ff) so a packet filter or IDS that does not reassemble fragments cannot match on the header. Many modern filters reassemble, and some drop fragments outright
  • -D [decoyIp, ...] Send scans from decoy IPs as well as your own, so the target's logs show several apparent scanners. Use ME in the list to position your real address and RND:N for N random decoys, e.g. -D 10.0.0.5,RND:3,ME. Replies only reach your real address; decoys should be live hosts, otherwise the one that is up gives you away
  • --spoof-mac [MAC_ADDR] Spoof the sender MAC address (accepts a full address, a vendor prefix, a vendor name, or 0 for a random one). Only meaningful on the local Ethernet segment

Advanced scans: Flags

Scan types. The useful distinction is what each one can tell you about a port, and which states it cannot tell apart.

  • -sS SYN scan -- sends a SYN and classifies the port from the reply (SYN/ACK = open, RST = closed, no reply or ICMP unreachable = filtered), then sends RST instead of completing the handshake. The default when nmap has raw-socket privileges (root); fast, and the application never sees a connection
  • -sT TCP connect scan -- completes the full handshake through the OS socket API. The default without root; noisier, because the connection reaches the listening service and gets logged
  • -sA ACK scan -- sends a bare ACK and never reports open. A RST reply means unfiltered, no reply means filtered, so it maps firewall rules (stateless filters pass ACKs, stateful ones drop them)
  • -sN Null scan -- no TCP flags set. Per RFC 793 a closed port answers RST and an open port stays silent, so no response is reported as open|filtered. Does not work against Windows, which sends RST for both
  • -sF FIN scan -- sends a lone FIN (not RST); same RFC 793 logic and same limits as the Null scan: RST means closed, silence means open|filtered
  • -sX "Christmas tree" scan -- FIN, PSH and URG set at once; again the same trick, with the same open|filtered ambiguity. All three exist to slip past stateless filters that only inspect SYN packets