legal contact

common nmap uses

Kind of "must know" for nmap

Basic Scan Types [-sT, -sS]

The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS].

These two types are explained in detail below.

TCP connect() Scan [-sT]

Runs a 3 way handshake (complete TCP setup) of the port defined.

nmap -sT

SYN Stealth Scan [-sS]

Sends only a TCP-SYN. If no "unreachable" is reported back, the port is considered as being open.

FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]

The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan sets the FIN, URG and PUSH flags (see a good TCP/IP book for more details) and the Null scan sends a packet with no flags switched on.

Ping Scan [-sP]

This method sends an ICMP ECHO REQUEST and wait's for ICMP ECHO REPLY

UDP Scan [-sU]

This sends 0-byte UDP packets to each target port on the victim. Receipt of an ICMP Port Unreachable message signifies the port is closed, othwise it is considdered open.

IP Protocol Scans [-sO]

Nmap sends a raw IP packet without any additional protocol header. The IP Protocol Scans attempt to determine the IP protocols stack supported on the target.

Version Detection [-sV]

Version Detection collects information about the specific service running on an open port, including the product name and version number.

ACK Scan [-sA]

Usually used to map firewall rulesets and distinguish between stateful and stateless firewalls, this scan type sends ACK packets to a host. If an RST comes back, the port is classified "unfiltered"

Input the targets as list [-iL]

nmap -iL /tmp/test.txt


Putting the above together to achieve our goals.

Full Scan:

nmap -p1-5000 -T4 -sS

Use a Decoy when Scanning Ports to Avoid getting Caught by the SysAdmin

This will show the Decoy IP Address Instead of Your IP in Targets Security Logs. Decoy IP Address Needs to be Alive.

Check the Targets Security Log (/var/log/secure) to make Sure it Worked.

nmap -sS -D

Scan the Same Network for All the Services in /etc/services (All of the Reserved Ports) via Very Fast TCP Scan:

nmap -F

Port Scan:

nmap target

nmap -v -sT

ncat -v -l -p 111

for i in {21..29}; do nc -v -n -z -w 1 192.168.0.$i 443; done

Ping Scan (or Ping Sweep) of a Subnet:

nmap -sP
for i in {1..254}; do ping -c 1 -W 1 10.1.1.$i | grep 'from'; done

Get List of Servers with a Specific Port Open through a TCP Connect Scan (is Slower and has More Overhead than a SYN Scan):

nmap -sT -p 80 -oG – 192.168.1.* | grep open

List of reverse DNS records for a subnet:

nmap -R -sL | awk ‘{if($3==”not”)print”(“$2″) no PTR”;else print$3″ is “$2}’ | grep ‘(‘

Find Duplicate Address in a Subnet

for i in $(seq 1 254); do echo "arping -q -D -I eth0 -c 2 192.168.1.${i}"; [ $? -ne 0 ] && echo "192.168.1.${i} duplicate"; done

Find All of the Active IP Addresses in a Subnet (by using Ping Scan):

nmap -sP 192.168.0.*
nmap -sP -R |grep up
nmap -sP -PR 192.168.0.*
nmap -sP > lanscan.txt
nmap -sP; arp -n  | grep "192.168.1.[0-9]* *ether"
ping -c2 >/dev/null; arp -a
arp-scan -l
arp-scan -I eth0
nmap -v -sP
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo “192.168.1.$ip UP” || : ; done
for ip in $(seq 1 254); do nslookup 192.168.1.$ip; [ $? -eq 0 ] && echo “192.168.1.$ip UP” || : ; done

OR on Windows:

for /L %i in (1,1,254) do ping -n 1 10.254.254.%i | find /i "Reply">> c:\ipaddresses.txt

OR Faster:

nmap -sP | grep -oE '([[:digit:]]{1,3}.){3}[[:digit:]]{1,3}'

Find All of the Active Hosts in the the Adjacent class C's 193.14.12, .13, .14, .15, ... , .30:

nmap -P '193.14.[12-30].*'

OR, If you don't want to have to quote it to avoid shell interpretation:

nmap -P 193.14.12-30.0-255

Find All Unused IP Addresses in a Subnet:

nmap -sP -R |grep down


nmap -T4 -sP && egrep "00:00:00:00:00:00" /proc/net/arp


fping -g 2>/dev/null
fping -g 2>/dev/null | grep 'is unreachable' | cut -d ' ' -f 1 | sort -t '.' -k 4 -n

How Many Linux And Windows Devices Are On Your Network?

nmap -F -O | grep "Running: " > /tmp/os; echo "$(cat /tmp/os | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/os | grep Windows | wc -l) Window(s) devices"

OS Detection Scan:

nmap -O -v -oversiondetect.txt

OS Detection and Ports Probe Scan against an IPCop Firewall on Ports 222 and 1775 (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):

nmap -v -O -PN -p222, 1775 -sV -oIPCopOS.txt

Find Rogue AP on a Subnet:

nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan

Find the Conficker Virus on a Subnet (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1

SNMP Win32 Users Scan:

nmap -sV -sC

Scan 4096 IP Addresses for Any Web Servers (without pinging them) and Save Output in grepable and XML formats (using the -Pn Option to Skip Pinging the Targets):

nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap

Scan the Specified Subnet for NetBIOS Informations:

nbtscan -v -m 2

Get Current Host Public IP:

alias myip='curl -s | grep "Current IP Address"'

Complete TCP Handshake on a spcified Host-Port:

nc -zvw 1 host port

IDS Evasion Attack:

nmap -sS -PN -p80,443 -T1

Confuse IDS / IPS by sending requests with decoy's or different IP address:

nmap -sS -D234.34.34.45,ME, -p 80

Get SMB Server Time:

nmap --script=smb-os-discovery.nse -p 139,445 | grep "System time" | sort -r

Find additional information here.