Nmap
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
nmap
sudo apt remove nmap
sudo apt autoclean nmap
sudo apt autoremove name
sudo apt install nmap
sudo nmap -p- -Pn -vv $IP
# cat ports.txt | cut -d "/" -f 1 | tr '\n' ','
sudo nmap -p {PORTS} -Pn -sC -sV -vv $IP
Network discovery
| Command | Description |
| nmap -PEPM -sP -vvvv -n 10.0.2.0/24 | Perform host discovery using ICMPv4 echo, timestamp and subnet mask request |
| nmap -PEPM -sP -n 10.0.2.0/24 | Perform host discovery using ICMPv4 echo, timestamp and subnet mask request |
Target
| Command | Description |
| nmap 10.0.0.1 | Scan a single IP |
| nmap scanme.nmap.org | Scan a host |
| nmap 10.0.0.1-20 | Scan a range of IPs |
| nmap 10.0.0.0/24 | Scan a subnet |
| nmap -iL list-of-ips.txt | Scan targets from a text file |
Port
| Command | Description |
| nmap 10.0.0.1 | Scan TOP 1K port |
| nmap -p 22 10.0.0.1 | Scan a single port |
| nmap -p 1-100 10.0.0.1 | Scan a range of ports |
| nmap -F 10.0.0.1 | Scan 100 most common ports (Fast) |
| nmap -p- 10.0.0.1 | Scan all 65535 ports |
Scan type
| Command | Description |
| nmap -sS 10.0.0.1 | Scan using TCP SYN scan (default) |
| nmap -sT 10.0.0.1 | Scan using TCP connect scan |
| nmap -sA 10.0.0.1 | Scan using TCP ACK scan |
| nmap -sW 10.0.0.1 | Scan using TCP Windows scan |
| nmap -sM 10.0.0.1 | Scan using TCP Maimom scan |
| nmap -sN 10.0.0.1 | TCP Null scan |
| nmap -sF 10.0.0.1 | FIN scan |
| nmap -sX 10.0.0.1 | Xmas scan |
UDP
| Command | Description |
| nmap -sU -p 123,161,162 10.0.0.1 | Scan UDP ports |
Scripts
| Category | Description |
| auth | These scripts perform authentication bypasses and anonymous querying of services; brute-force password |
| broadcast | Use LAN broadcasting to identify hosts |
| brute | Brute-force password grinding scripts run against exposed network services supporting authentication |
| default | Default NSE scripts run using -sC or -A flags, this category includes intrusive scripts and so should be run only with permission |
| discovery | Active discovery of information from the target environment, through querying open source and performing information gathering tests against exposed network services |
| dos | Denial of service scripts that might impact availability |
| exploit | Script that exploit particular vulnerabilities |
| external | Script that send data to a third-party API or resources (i.e., WHOIS) |
| fuzzer | Script that send randomized data to service |
| intrusive | Those scripts can induce a crash, affect availability, or create content |
| malware | Identify malware using network indicators |
| safe | Script that aren't designed to crash service or impact performance |
| vuln | Script that flag particular vulnerability |
Script location
find / -name *.nse 2>/dev/null
Scripts
http | Command | Description | |---------------------------------------------------|--------------------------------------------------| | sudo nmap --script=http-title $IP | Gather page title from HTTP services | | sudo nmap --script=http-headers $IP | Get HTTP headers of web services | | sudo nmap --script=http-enum $IP | Find web apps from know paths | | sudo nmap -p 80 --script=http-title,http-headers,http-cookie-flags,http-git,http-methods,http-robots.txt $IP| |
other | Command | Description | |---------------------------------------------------------------|--------------------------------------------------| | nmap --script-help=ssl-heartbleed | Get help for script | | nmap -sV -p 443 --script=ssl-heartbleed.nse 10.0.0.1 | Scan using a specific NSE script | | nmap -sV --script=smb* 10.0.0.1 | Scan with a set of scripts | | nmap --script=asn-query,whois,ip-geolocation-maxmind 10.0.0.1 | Find information about IP address |
Save results
| Command | Description |
| nmap scanme.nmap.org > output.txt | Save Save result as TXT |
| nmap scanme.nmap.org | tee output.txt |
| nmap -oN output.txt scanme.nmap.org | Save result as TXT |
| nmap -oX output.txt scanme.nmap.org | Save result as XML |
Other
| Command | Description |
| nmap -sV --version-intensity 5 scanme.nmap.org | More aggressive service detection |
| nmap -sV --version-intensity 0 scanme.nmap.org | Lighter banner grabbing detection |
| |
| nmap -Pn -p- 10.0.0.1 | Treat all hosts as online -- skip host discovery |
| nmap -A scanme.nmap.org | Detect OS and Services |
| nmap -sV scanme.nmap.org | Standard service detection |
| nmap -sV -sC scanme.nmap.org | Scan using default safe scripts |