Nmap

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.

CTF

Quick workflow: a fast sweep of all ports first, then a full scan with version detection and default scripts, each saved in all output formats.

```sh
nmap -p- -oA nmap_fast $(target)
nmap -p- -sV -sC -oA nmap_full $(target)
```

-Pn: treat the host as online and skip host discovery (no ICMP ping).

Examples
Network discovery

| Command | Description |
| --- | --- |
| `nmap -PEPM -sP -vvvv -n 10.0.2.0/24` | Perform host discovery using ICMPv4 echo, timestamp and subnet mask requests, with very verbose output and no DNS resolution |
| `nmap -PEPM -sP -n 10.0.2.0/24` | Perform host discovery using ICMPv4 echo, timestamp and subnet mask requests, no DNS resolution |
Target

| Command | Description |
| --- | --- |
| `nmap 10.0.0.1` | Scan a single IP |
| `nmap scanme.nmap.org` | Scan a host |
| `nmap 10.0.0.1-20` | Scan a range of IPs |
| `nmap 10.0.0.0/24` | Scan a subnet |
| `nmap -iL list-of-ips.txt` | Scan targets from a text file |
Port

| Command | Description |
| --- | --- |
| `nmap --open scanme.nmap.org` | Show only open ports |
| `nmap -p 22 10.0.0.1` | Scan a single port |
| `nmap -p 1-100 10.0.0.1` | Scan a range of ports |
| `nmap -F 10.0.0.1` | Scan the 100 most common ports (fast) |
| `nmap -p- 10.0.0.1` | Scan all 65535 ports |
Scan type

| Command | Description |
| --- | --- |
| `nmap -sS 10.0.0.1` | Scan using TCP SYN scan (default) |
| `nmap -sT 10.0.0.1` | Scan using TCP connect scan |
| `nmap -sA 10.0.0.1` | Scan using TCP ACK scan |
| `nmap -sW 10.0.0.1` | Scan using TCP Window scan |
| `nmap -sM 10.0.0.1` | Scan using TCP Maimon scan |
| `nmap -sN 10.0.0.1` | TCP Null scan |
| `nmap -sF 10.0.0.1` | FIN scan |
| `nmap -sX 10.0.0.1` | Xmas scan |
UDP

| Command | Description |
| --- | --- |
| `nmap -sU -p 123,161,162 10.0.0.1` | Scan UDP ports |
Script categories

| Category | Description |
| --- | --- |
| auth | Scripts that bypass authentication or query services anonymously; brute-force password scripts are listed under brute |
| broadcast | Use LAN broadcasting to identify hosts |
| brute | Brute-force password grinding scripts run against exposed network services supporting authentication |
| default | Default NSE scripts run with the -sC or -A flags; this category includes intrusive scripts and so should be run only with permission |
| discovery | Active discovery of information about the target environment, by querying public sources and performing information gathering tests against exposed network services |
| dos | Denial of service scripts that might impact availability |
| exploit | Scripts that exploit particular vulnerabilities |
| external | Scripts that send data to a third-party API or resource (e.g., WHOIS) |
| fuzzer | Scripts that send randomized data to a service |
| intrusive | Scripts that can induce a crash, affect availability, or create content |
| malware | Identify malware using network indicators |
| safe | Scripts that aren't designed to crash services or impact performance |
| vuln | Scripts that flag particular vulnerabilities |
Scripts

| Command | Description |
| --- | --- |
| `nmap --script-help=ssl-heartbleed` | Get help for a script |
| `nmap -sV -p 443 --script=ssl-heartbleed.nse 10.0.0.1` | Scan using a specific NSE script |
| `nmap -sV --script=smb* 10.0.0.1` | Scan with a set of scripts |
| `nmap --script=http-title 10.0.0.1` | Gather page titles from HTTP services |
| `nmap --script=http-headers 10.0.0.1` | Get HTTP headers of web services |
| `nmap --script=http-enum 10.0.0.1` | Find web apps at known paths |
| `nmap --script=asn-query,whois,ip-geolocation-maxmind 10.0.0.1` | Find information about an IP address |
Save results

| Command | Description |
| --- | --- |
| `nmap -oN output.txt scanme.nmap.org` | Save result as TXT |
| `nmap -oX output.txt scanme.nmap.org` | Save result as XML |
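The XML written by -oX (or the .xml file from -oA) is the form worth keeping for automation. As an added example that is not part of the original cheat sheet, the script below parses two such reports and reports newly opened ports, closed ports and changed service versions between a baseline and a current scan; the XML samples are constructed, trimmed to the elements nmap -sV -oX actually emits that are used here.

```python
"""Summarise and diff nmap XML reports (nmap -oX / -oA) for change detection."""
import xml.etree.ElementTree as ET

# Constructed sample reports: same host, a later scan with one new service and one upgraded one.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 10.0.0.1">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports></host></nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 10.0.0.1">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
    </ports></host></nmaprun>"""


def open_ports(xml_text):
    """Return {(addr, protocol, port): "name product version"} for every open port in a report."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # no IPv4 address element; skip rather than mis-key the host
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":  # closed/filtered ports are not inventory
                continue
            svc = port.find("service")
            fields = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            key = (addr.get("addr"), port.get("protocol"), int(port.get("portid")))
            result[key] = " ".join(f for f in fields if f) or "unknown"
    return result


def diff_scans(baseline, current):
    """Compare two open-port maps: returns (newly open, no longer open, service changed)."""
    new = {k: v for k, v in current.items() if k not in baseline}
    gone = {k: v for k, v in baseline.items() if k not in current}
    changed = {k: (baseline[k], current[k]) for k in baseline.keys() & current.keys() if baseline[k] != current[k]}
    return new, gone, changed


if __name__ == "__main__":
    for label, entries in zip(("NEW", "GONE", "CHANGED"), diff_scans(open_ports(BASELINE_XML), open_ports(CURRENT_XML))):
        for key, value in sorted(entries.items()):
            print(label, key, value)
```

In practice you would read the two files with `open(...).read()` and run this after each scheduled scan, so an unexpected new listener or a changed banner shows up as a diff instead of being buried in the full report.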
Other

| Command | Description |
| --- | --- |
| `nmap -sV --version-intensity 5 scanme.nmap.org` | More aggressive service detection |
| `nmap -sV --version-intensity 0 scanme.nmap.org` | Lighter banner grabbing detection |
| `nmap -Pn -p- 10.0.0.1` | Treat all hosts as online (skip host discovery) |
| `nmap -A scanme.nmap.org` | Detect OS and services |
| `nmap -sV scanme.nmap.org` | Standard service detection |
| `nmap -sV -sC scanme.nmap.org` | Scan using default safe scripts |
Script location

Quote the pattern so the shell does not expand it in the current directory before find sees it:

```sh
find / -name "*.nse" 2>/dev/null
```