
Nmap

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.


Nmap

nmap -p- -oA nmap_fast "$target"
nmap -p- -sV -sC -oA nmap_full "$target"
-Pn: skip host discovery and treat the target as online (no ping)

Examples

Network discovery

| Command | Description |
|---|---|
| `nmap -PEPM -sP -vvvv -n 10.0.2.0/24` | Host discovery using ICMPv4 echo (`-PE`), timestamp (`-PP`) and subnet mask (`-PM`) requests, with very verbose output |
| `nmap -PEPM -sP -n 10.0.2.0/24` | Same host discovery without the extra verbosity (`-sP` is the legacy name for `-sn`; `-n` skips DNS resolution) |

Target

| Command | Description |
|---|---|
| `nmap 10.0.0.1` | Scan a single IP |
| `nmap scanme.nmap.org` | Scan a host by name |
| `nmap 10.0.0.1-20` | Scan a range of IPs |
| `nmap 10.0.0.0/24` | Scan a subnet |
| `nmap -iL list-of-ips.txt` | Scan targets listed in a text file |

Port

| Command | Description |
|---|---|
| `nmap --open scanme.nmap.org` | Show only open ports |
| `nmap -p 22 10.0.0.1` | Scan a single port |
| `nmap -p 1-100 10.0.0.1` | Scan a range of ports |
| `nmap -F 10.0.0.1` | Scan the 100 most common ports (fast mode) |
| `nmap -p- 10.0.0.1` | Scan all 65535 ports |

Scan type

| Command | Description |
|---|---|
| `nmap -sS 10.0.0.1` | TCP SYN scan (default when running as root) |
| `nmap -sT 10.0.0.1` | TCP connect scan (default for unprivileged users) |
| `nmap -sA 10.0.0.1` | TCP ACK scan |
| `nmap -sW 10.0.0.1` | TCP Window scan |
| `nmap -sM 10.0.0.1` | TCP Maimon scan |
| `nmap -sN 10.0.0.1` | TCP Null scan |
| `nmap -sF 10.0.0.1` | TCP FIN scan |
| `nmap -sX 10.0.0.1` | TCP Xmas scan |

UDP

| Command | Description |
|---|---|
| `nmap -sU -p 123,161,162 10.0.0.1` | Scan the listed UDP ports |

Scripts

| Category | Description |
|---|---|
| auth | Scripts that perform authentication bypasses and anonymous querying of services; brute-force password guessing belongs to the `brute` category |
| broadcast | Use LAN broadcasting to identify hosts |
| brute | Brute-force password grinding scripts run against exposed network services that support authentication |
| default | Scripts run by default with the `-sC` or `-A` flags; this category includes intrusive scripts and so should be run only with permission |
| discovery | Active discovery of information about the target environment, by querying public sources and running information-gathering probes against exposed network services |
| dos | Denial-of-service scripts that might impact availability |
| exploit | Scripts that exploit particular vulnerabilities |
| external | Scripts that send data to a third-party API or resource (e.g., WHOIS) |
| fuzzer | Scripts that send randomized data to a service |
| intrusive | Scripts that can induce a crash, affect availability, or create content on the target |
| malware | Identify malware infections using network indicators |
| safe | Scripts that are not designed to crash services or impact performance |
| vuln | Scripts that flag particular vulnerabilities |

Scripts

| Command | Description |
|---|---|
| `nmap --script-help=ssl-heartbleed` | Get help for a script |
| `nmap -sV -p 443 --script=ssl-heartbleed.nse 10.0.0.1` | Scan using a specific NSE script |
| `nmap -sV --script='smb*' 10.0.0.1` | Scan with a set of scripts matched by wildcard (quoted so the shell does not expand it) |
| `nmap --script=http-title 10.0.0.1` | Gather the page title from HTTP services |
| `nmap --script=http-headers 10.0.0.1` | Get HTTP headers of web services |
| `nmap --script=http-enum 10.0.0.1` | Find web apps from known paths |
| `nmap --script=asn-query,whois,ip-geolocation-maxmind 10.0.0.1` | Find information about an IP address |

Save results

| Command | Description |
|---|---|
| `nmap -oN output.txt scanme.nmap.org` | Save results as plain text |
| `nmap -oX output.xml scanme.nmap.org` | Save results as XML |
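The XML written by `-oX` is the format to parse when scan results feed an inventory or a check for unexpected exposure. As an added example (not part of this cheat sheet), the Python below parses that XML, lists open ports per live host, and returns any open port that is not on an allowlist; the XML inside is a constructed sample in the shape nmap writes, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes with -oX (not output from a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 10.0.0.0/30">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def open_ports(xml_text):
    """Map each live host's IPv4 address to (protocol, port, service, product, version) tuples."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts reported down carry no port data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed and filtered ports
            svc = port.find("service")
            svc = {} if svc is None else svc.attrib  # product/version only appear with -sV
            entries.append((port.get("protocol"), int(port.get("portid")),
                            svc.get("name", ""), svc.get("product", ""), svc.get("version", "")))
        result[addr] = sorted(entries, key=lambda e: (e[0], e[1]))
    return result

def unexpected_ports(xml_text, allowed):
    """Return (addr, proto, port) triples that are open but absent from the allowlist."""
    return sorted((addr, proto, port) for addr, entries in open_ports(xml_text).items()
                  for proto, port, *_ in entries if (addr, proto, port) not in allowed)
```

For a real file, pass `open("output.xml").read()` to these functions; nmap's XML also carries a DOCTYPE and stylesheet line, which `ElementTree` ignores.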

Other

| Command | Description |
|---|---|
| `nmap -sV --version-intensity 5 scanme.nmap.org` | More aggressive service detection |
| `nmap -sV --version-intensity 0 scanme.nmap.org` | Lighter banner-grabbing detection |
| `nmap -Pn -p- 10.0.0.1` | Treat all hosts as online (skip host discovery) and scan all ports |
| `nmap -A scanme.nmap.org` | Aggressive scan: OS detection, version detection, default scripts and traceroute |
| `nmap -sV scanme.nmap.org` | Standard service and version detection |
| `nmap -sV -sC scanme.nmap.org` | Version detection plus the default NSE script set |

Script location

find / -name '*.nse' 2>/dev/null