by 
What is Nmap?
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime…more
| Command | Description |
|---|---|
nmap -sP 10.0.0.0/24 | Ping scans the network, listing machines that respond to ping. |
nmap -p 1-65535 -sV -sS -T4 target | Full TCP port scan using with service version detection – usually my first scan, I find T4 more accurate than T5 and still “pretty quick”. |
nmap -v -sS -A -T4 target | Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services. |
nmap -v -sS -A -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services. |
nmap -v -sV -O -sS -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection. |
nmap -v -p 1-65535 -sV -O -sS -T4 target | Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan. |
nmap -v -p 1-65535 -sV -O -sS -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan. |
Agressive scan timings are faster, but could yeild inaccurate results!
T5 uses very aggressive scan timings and could lead to missed ports, T4 is a better compromise if you need fast results.
Nmap scan from file
| Command | Description |
|---|---|
nmap -iL ip-addresses.txt | Scans a list of IP addresses, you can add options before / after. |
Nmap Scan all Ports
| Command | Description |
|---|---|
nmap -p- target | Nmap scan all ports, TCP ports. |
Nmap output formats
| Command | Description |
|---|---|
nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24 | Outputs “grepable” output to a file, in this example Netbios servers. E.g, The output file could be grepped for “Open”. |
nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | Export nmap output to HTML report. |
Nmap Netbios Examples
| Command | Description |
|---|---|
nmap -sV -v -p 139,445 10.0.0.1/24 | Find all Netbios servers on subnet |
nmap -sU --script nbstat.nse -p 137 target | Nmap display Netbios name |
nmap --script-args=unsafe=1 --script | Nmap check if Netbios servers are vulnerable to MS08-067 |
–script-args=unsafe=1 has the potential to crash servers / services
Becareful when running this command.
Nmap Nikto Scan
| Command | Description |
|---|---|
nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h - | Scans for http servers on port 80 and pipes into Nikto for scanning. |
nmap -p80,443 10.0.1.0/24 -oG - | nikto.pl -h - | Scans for http/https servers on port 80, 443 and pipes into Nikto for scanning. |
Nmap Cheatsheet
Target Specification
Nmap allows hostnames, IP addresses, subnets.
Example blah.highon.coffee, nmap.org/24, 192.168.0.1; 10.0.0-255.1-254
| Command | Description |
|---|---|
-iL | inputfilename: Input from list of hosts/networks |
-iR | num hosts: Choose random targets |
--exclude | host1[,host2][,host3],… : Exclude hosts/networks |
--excludefile | exclude_file: Exclude list from file |
Host Discovery
| Command | Description |
|---|---|
-sL | List Scan – simply list targets to scan |
-sn | Nmap ping scan / sweep – runs a nmap network scan, with port scanning disabled |
-Pn | Treat all hosts as online — skip host discovery |
-PS/PA/PU/PY[portlist] | TCP SYN/ACK, UDP or SCTP discovery to given ports. Allows you to specify a specific port nmap uses to verify a host is up e.g., -PS22 (by default nmap sends to a bunch of common ports, this allows you to be specific) |
-PE/PP/PM | ICMP echo, timestamp, and netmask request discovery probes |
-PO[protocol list] | IP Protocol Ping |
-n/-R | Never do DNS resolution/Always resolve [default: sometimes] |
Scan Techniques
| Command | Description |
|---|---|
-sS | TCP SYN scan Connect scan ACK scan Window scan Maimon scan |
-sU | UDP Scan |
-sN | TCP Null scan FIN scan Xmas scan |
--scanflags | Customize TCP scan flags |
-sI zombie host[:probeport] | Idle scan |
-sY | SCTP INIT scan COOKIE-ECHO scan |
-sO | IP protocol scan |
-b "FTP relay host" | FTP bounce scan |
Port Specification and Scan Order
| Command | Description |
|---|---|
-p | Specify ports, e.g. -p80,443 or -p1-65535 |
-p U:PORT | Scan UDP ports with Nmap, e.g. -p U:53 |
-F | Fast mode, scans fewer ports than the default scan |
-r | Scan ports consecutively – don’t randomize |
--top-ports "number" | Scan “number” most common ports |
--port-ratio "ratio" | Scan ports more common than “ratio” |
Service Version Detection
| Command | Description |
|---|---|
-sV | Probe open ports to determine service/version info |
--version-intensity "level" | Set from 0 (light) to 9 (try all probes) |
--version-light | Limit to most likely probes (intensity 2) |
--version-all | Try every single probe (intensity 9) |
--version-trace | Show detailed version scan activity (for debugging) |
Script Scan
| Command | Description |
|---|---|
-sC | equivalent to –script=default |
--script="Lua scripts" | “Lua scripts” is a comma separated list of directories, script-files or script-categories |
--script-args=n1=v1,[n2=v2,...] | provide arguments to scripts |
-script-args-file=filename | provide NSE script args in a file |
--script-trace | Show all data sent and received |
--script-updatedb | Update script database |
--script-help="Lua scripts" | Show help about scripts |
OS Detection
| Command | Description |
|---|---|
-O | Enable OS Detection |
--osscan-limit | Limit OS detection to promising targets |
--osscan-guess | Guess OS more aggressively |
Timing and Performance
Options which take TIME are in seconds, or append ‘ms’ (milliseconds), ‘s’ (seconds), ‘m’ (minutes), or ‘h’ (hours) to the value (e.g. 30m).
| Command | Description |
|---|---|
-T 0-5 | Set timing template – higher is faster (less accurate) |
--min-hostgroup SIZE | Parallel host scan group sizes |
--min-parallelism NUMPROBES | Probe parallelization |
--min-rtt-timeout TIME | Specifies probe round trip time |
--max-retries TRIES | Caps number of port scan probe retransmissions |
--host-timeout TIME | Give up on target after this long |
--scan-delay TIME | Adjust delay between probes |
--min-rate NUMBER | Send packets no slower than NUMBER per second |
--max-rate NUMBER | Send packets no faster than NUMBER per second |
Firewalls IDS Evasion and Spoofing
| Command | Description |
|---|---|
-f; --mtu VALUE | Fragment packets (optionally w/given MTU) |
-D decoy1,decoy2,ME | Cloak a scan with decoys |
-S IP-ADDRESS | Spoof source address |
-e IFACE | Use specified interface |
-g PORTNUM | Use given port number |
--proxies url1,[url2],... | Relay connections through HTTP / SOCKS4 proxies |
--data-length NUM | Append random data to sent packets |
--ip-options OPTIONS | Send packets with specified ip options |
--ttl VALUE | Set IP time to live field |
--spoof-mac ADDR/PREFIX/VENDOR | Spoof NMAP MAC address |
--badsum | Send packets with a bogus TCP/UDP/SCTP checksum |
Nmap Output Options
| Command | Description |
|---|---|
-oN | Output Normal |
-oX | Output to XML |
-oS | Script Kiddie / 1337 speak… sigh |
-oG | Output greppable – easy to grep nmap output |
-oA BASENAME | Output in the three major formats at once |
-v | Increase verbosity level use -vv or more for greater effect |
-d | Increase debugging level use -dd or more for greater effect |
--reason | Display the reason a port is in a particular state |
--open | Only show open or possibly open ports |
--packet-trace | Show all packets sent / received |
--iflist | Print host interfaces and routes for debugging |
--log-errors | Log errors/warnings to the normal-format output file |
--append-output | Append to rather than clobber specified output files |
--resume FILENAME | Resume an aborted scan |
--stylesheet PATH/URL | XSL stylesheet to transform XML output to HTML |
--webxml | Reference stylesheet from Nmap.Org for more portable XML |
--no-stylesheet | Prevent associating of XSL stylesheet w/XML output |
Misc Nmap Options
| Command | Description |
|---|---|
-6 | Enable IPv6 scanning |
-A | Enable OS detection, version detection, script scanning, and traceroute |
--datedir DIRNAME | Specify custom Nmap data file location |
--send-eth | Send using raw ethernet frames or IP packets |
--privileged | Assume that the user is fully privileged |
--unprivileged | Assume the user lacks raw socket privileges |
-V | Show nmap version number |
-h | Show nmap help screen |
Nmap Scan Optimisation
Nmap Rate
To speed up your scan increase the rate, be aware that setting a high rate value will result in a less accurate scan.
--max-rate
--min-rate
Parallelism
The maximum or minimum amount of parallel tasks.
TIP: If you have an basic IDS / portscan detection blocking your scans you could lower the –min-parallelism in an attempt to reduce the number of concurrent connections
--min-parallelism
--max-parallelism
Host Group Sizes
The number of hosts scanned at the same time, Note: if you are writing output to a file e.g., -oA you will need to wait for the host group to complete scanning before the nmap output will be written to the file. Therefore if you get a lagging host you will may end up waiting a while for the output file, which brings us on to… host timeout.
--min-hostgroup
--max-hostgroup
Host Timeout
Nmap allows you to specify the timeout, which is the length of time it waits before giving up on the target. Be careful setting this super low, as you may end up with inaccurate results.
The following example would giveup after 50 seconds.
--host-timeout 50
Scan Delay
An extremely useful option to defeat basic port scan detection (SOHO devices and some IDS) that essentially monitor and block X amount of connects per second (syn flood etc).
--scan-delay 5s
For example if you know you can get away with 2 req/sec without getting blacklisted then you could use:
--scan-delay 1.2
added 200ms for a buffer
Disable DNS Lookups
Assuming you do not want domain names being looked up, use the -n flag to dissable resolution and speed up the scan.
Nmap Black List Detection?
- It ussally takes and extemely long time to complete
- Droppped probes nmap will increase the timeout, but it’s likely you are already black listed
- To confirm, recheck a port that you know was open before
As far as I know there is no way of detecting for black listing within nmap natively.
Optimising Portscans for Targets
Once you have identified a target firewall / IDS you can look up the default settings for the portscan black list by reading the manual and use the nmap command switches above to obtain the best performance without getting black listed.
