Nmap

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.

nmap

sudo apt remove nmap
sudo apt autoclean
sudo apt autoremove nmap
sudo apt install nmap
nmap
# 1. full TCP port sweep, skipping host discovery
sudo nmap -p- -Pn -vv $IP
# 2. turn the saved port lines (e.g. "22/tcp open ssh") into a comma-separated list for -p
# cat ports.txt | cut -d "/" -f 1 | tr '\n' ','
# 3. targeted scan of the discovered ports with default scripts and version detection
sudo nmap -p {PORTS} -Pn -sC -sV -vv $IP
-Pn - skip host discovery (no ICMP ping); treat the host as online
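The cut/tr one-liner above keeps closed and filtered ports and leaves a trailing comma. The helper below is an added example (not part of the original cheat sheet) that builds the -p list only from open ports in nmap normal (-oN) output; the sample scan text and the file name ports.txt are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: derive the -p port list for the follow-up -sC -sV scan
# from the output of the full -p- sweep. Keeps only lines whose state is
# "open", drops "closed"/"filtered" entries and the trailing comma.

# open_ports: read nmap -oN style output on stdin, print "22,80,443"
open_ports() {
    awk '
        # port lines look like "22/tcp open ssh" or "8080/tcp filtered http-proxy"
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, parts, "/")
            ports[n++] = parts[1]
        }
        END {
            for (i = 0; i < n; i++) {
                printf "%s%s", (i ? "," : ""), ports[i]
            }
            if (n) printf "\n"
        }
    '
}

# Constructed sample of nmap -oN output (not a real scan result)
SAMPLE_SCAN='# Nmap scan initiated (constructed sample)
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp filtered http-proxy
'

# ports_from_sample: run the helper over the constructed sample
ports_from_sample() {
    printf '%s' "$SAMPLE_SCAN" | open_ports
}

# Real-world use (ports.txt is an assumed file saved from the -p- scan):
#   PORTS=$(open_ports < ports.txt)
#   sudo nmap -p "$PORTS" -Pn -sC -sV -vv "$IP"
if [ "${1:-}" = "--demo" ]; then
    ports_from_sample    # prints 22,80,443
fi
```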

Network discovery


Command Description
nmap -PEPM -sP -vvvv -n 10.0.2.0/24 Perform host discovery using ICMPv4 echo, timestamp and subnet mask request
nmap -PEPM -sP -n 10.0.2.0/24 Perform host discovery using ICMPv4 echo, timestamp and subnet mask request

Target


Command Description
nmap 10.0.0.1 Scan a single IP
nmap scanme.nmap.org Scan a host
nmap 10.0.0.1-20 Scan a range of IPs
nmap 10.0.0.0/24 Scan a subnet
nmap -iL list-of-ips.txt Scan targets from a text file

Port


Command Description
nmap 10.0.0.1 Scan the top 1000 most common ports (default)
nmap -p 22 10.0.0.1 Scan a single port
nmap -p 1-100 10.0.0.1 Scan a range of ports
nmap -F 10.0.0.1 Scan 100 most common ports (Fast)
nmap -p- 10.0.0.1 Scan all 65535 ports

Scan type


Command Description
nmap -sS 10.0.0.1 Scan using TCP SYN scan (default)
nmap -sT 10.0.0.1 Scan using TCP connect scan
nmap -sA 10.0.0.1 Scan using TCP ACK scan
nmap -sW 10.0.0.1 Scan using TCP Window scan
nmap -sM 10.0.0.1 Scan using TCP Maimon scan
nmap -sN 10.0.0.1 TCP Null scan
nmap -sF 10.0.0.1 FIN scan
nmap -sX 10.0.0.1 Xmas scan

UDP


Command Description
nmap -sU -p 123,161,162 10.0.0.1 Scan UDP ports

Scripts


Category Description
auth Scripts that deal with authentication credentials or bypass them, including anonymous querying of services (brute-force password guessing belongs to the brute category)
broadcast Use LAN broadcasting to identify hosts
brute Brute-force password grinding scripts run against exposed network services supporting authentication
default Default NSE scripts, run with the -sC or -A flags; this category includes intrusive scripts, so it should be run only with permission
discovery Active discovery of information from the target environment, through querying open source and performing information gathering tests against exposed network services
dos Denial of service scripts that might impact availability
exploit Scripts that exploit particular vulnerabilities
external Scripts that send data to a third-party API or resource (e.g., WHOIS)
fuzzer Scripts that send randomized data to a service
intrusive Scripts that can induce a crash, affect availability, or create content on the target
malware Identify malware using network indicators
safe Scripts that aren't designed to crash services or impact performance
vuln Scripts that flag particular vulnerabilities

Script location

find / -name "*.nse" 2>/dev/null

Scripts

http

Command Description
sudo nmap --script=http-title $IP Gather page title from HTTP services
sudo nmap --script=http-headers $IP Get HTTP headers of web services
sudo nmap --script=http-enum $IP Find web apps from known paths
sudo nmap -p 80 --script=http-title,http-headers,http-cookie-flags,http-git,http-methods,http-robots.txt $IP Run a set of common HTTP scripts against port 80

other

Command Description
nmap --script-help=ssl-heartbleed Get help for script
nmap -sV -p 443 --script=ssl-heartbleed.nse 10.0.0.1 Scan using a specific NSE script
nmap -sV --script="smb*" 10.0.0.1 Scan with a set of scripts (quote the wildcard so the shell does not expand it)
nmap --script=asn-query,whois,ip-geolocation-maxmind 10.0.0.1 Find information about IP address

Save results


Command Description
nmap scanme.nmap.org > output.txt Save result as TXT
nmap scanme.nmap.org | tee output.txt Show & Save result as TXT
nmap -oN output.txt scanme.nmap.org Save result as TXT
nmap -oX output.txt scanme.nmap.org Save result as XML

Other


Command Description
nmap -sV --version-intensity 5 scanme.nmap.org More aggressive service detection
nmap -sV --version-intensity 0 scanme.nmap.org Lighter banner grabbing detection
nmap -Pn -p- 10.0.0.1 Treat all hosts as online -- skip host discovery
nmap -A scanme.nmap.org Detect OS and Services
nmap -sV scanme.nmap.org Standard service detection
nmap -sV -sC scanme.nmap.org Scan with service detection and the default scripts