Nmap
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
CTF
Nmap
nmap -p- -oA nmap_fast $(target)
nmap -p- -sV -sC -oA nmap_full $(target)
Examples
Network discovery
| Command | Description |
| nmap -PEPM -sP -vvvv -n 10.0.2.0/24 | Perform host discovery using ICMPv4 echo, timestamp and subnet mask request |
| nmap -PEPM -sP -n 10.0.2.0/24 | Perform host discovery using ICMPv4 echo, timestamp and subnet mask request |
Target
| Command | Description |
| nmap 10.0.0.1 | Scan a single IP |
| nmap scanme.nmap.org | Scan a host |
| nmap 10.0.0.1-20 | Scan a range of IPs |
| nmap 10.0.0.0/24 | Scan a subnet |
| nmap -iL list-of-ips.txt | Scan targets from a text file |
Port
| Command | Description |
| nmap --open scanme.nmap.org | Show open ports |
| nmap -p 22 10.0.0.1 | Scan a single port |
| nmap -p 1-100 10.0.0.1 | Scan a range of ports |
| nmap -F 10.0.0.1 | Scan 100 most common ports (Fast) |
| nmap -p- 10.0.0.1 | Scan all 65535 ports |
Scan type
| Command | Description |
| nmap -sS 10.0.0.1 | Scan using TCP SYN scan (default) |
| nmap -sT 10.0.0.1 | Scan using TCP connect scan |
| nmap -sA 10.0.0.1 | Scan using TCP ACK scan |
| nmap -sW 10.0.0.1 | Scan using TCP Windows scan |
| nmap -sM 10.0.0.1 | Scan using TCP Maimom scan |
| nmap -sN 10.0.0.1 | TCP Null scan |
| nmap -sF 10.0.0.1 | FIN scan |
| nmap -sX 10.0.0.1 | Xmas scan |
UDP
| Command | Description |
| nmap -sU -p 123,161,162 10.0.0.1 | Scan UDP ports |
Scripts
| Category | Description |
| auth | These scripts perform authentication bypasses and anonymous querying of services; brute-force password |
| broadcast | Use LAN broadcasting to identify hosts |
| brute | Brute-force password grinding scripts run against exposed network services supporting authentication |
| default | Default NSE scripts run using -sC or -A flags, this category includes intrusive scripts and so should be run only with permission |
| discovery | Active discovery of information from the target environment, through querying open source and performing information gathering tests against exposed network services |
| dos | Denial of service scripts that might impact availability |
| exploit | Script that exploit particular vulnerabilities |
| external | Script that send data to a third-party API or resources (i.e., WHOIS) |
| fuzzer | Script that send randomized data to service |
| intrusive | Those scripts can induce a crash, affect availability, or create content |
| malware | Identify malware using network indicators |
| safe | Script that aren't designed to crash service or impact performance |
| vuln | Script that flag particular vulnerability |
Scripts
| Command | Description |
| nmap --script-help=ssl-heartbleed | Get help for script |
| nmap -sV -p 443 --script=ssl-heartbleed.nse 10.0.0.1 | Scan using a specific NSE script |
| nmap -sV --script=smb* 10.0.0.1 | Scan with a set of scripts |
| nmap --script=http-title 10.0.0.1 | Gather page title from HTTP services |
| nmap --script=http-headers 10.0.0.1 | Get HTTP headers of web services |
| nmap --script=http-enum 10.0.0.1 | Find web apps from know paths |
| nmap --script=asn-query,whois,ip-geolocation-maxmind 10.0.0.1 | Find information about IP address |
Save results
| Command | Description |
| nmap -oN output.txt scanme.nmap.org | Save result as TXT |
| nmap -oX output.txt scanme.nmap.org | Save result as XML |
Other
| Command | Description |
| nmap -sV --version-intensity 5 scanme.nmap.org | More aggressive service detection |
| nmap -sV --version-intensity 0 scanme.nmap.org | Lighter banner grabbing detection |
| |
| nmap -Pn -p- 10.0.0.1 | Treat all hosts as online -- skip host discovery |
| nmap -A scanme.nmap.org | Detect OS and Services |
| nmap -sV scanme.nmap.org | Standard service detection |
| nmap -sV -sC scanme.nmap.org | Scan using default safe scripts |
Script location
find / -name *.nse 2>/dev/null