common nmap uses
Kind of "must know" for nmap
Basic Scan Types [-sT, -sS]
The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS].
These two types are explained in detail below.
TCP connect() Scan [-sT]
Runs a 3 way handshake (complete TCP setup) of the port defined.
nmap -sT xxx.xxx.xxx.xxx
SYN Stealth Scan [-sS]
Sends only a TCP-SYN. If no "unreachable" is reported back, the port is considered as being open.
FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]
The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan sets the FIN, URG and PUSH flags (see a good TCP/IP book for more details) and the Null scan sends a packet with no flags switched on.
Ping Scan [-sP]
This method sends an ICMP ECHO REQUEST and wait's for ICMP ECHO REPLY
UDP Scan [-sU]
This sends 0-byte UDP packets to each target port on the victim. Receipt of an ICMP Port Unreachable message signifies the port is closed, othwise it is considdered open.
IP Protocol Scans [-sO]
Nmap sends a raw IP packet without any additional protocol header. The IP Protocol Scans attempt to determine the IP protocols stack supported on the target.
Version Detection [-sV]
Version Detection collects information about the specific service running on an open port, including the product name and version number.
ACK Scan [-sA]
Usually used to map firewall rulesets and distinguish between stateful and stateless firewalls, this scan type sends ACK packets to a host. If an RST comes back, the port is classified "unfiltered"
Input the targets as list [-iL]
nmap -iL /tmp/test.txt
Putting the above together to achieve our goals.
Full Scan:
nmap -p1-5000 -T4 -sS 92.246.34.60
Use a Decoy when Scanning Ports to Avoid getting Caught by the SysAdmin
This will show the Decoy IP Address Instead of Your IP in Targets Security Logs. Decoy IP Address Needs to be Alive.
Check the Targets Security Log (/var/log/secure) to make Sure it Worked.
nmap -sS 192.168.0.10 -D 192.168.0.2
Scan the Same Network for All the Services in /etc/services (All of the Reserved Ports) via Very Fast TCP Scan:
nmap -F warez.com/24
Port Scan:
nmap target
nmap -v -sT 192.168.0.0/24
ncat -v -l -p 111
for i in {21..29}; do nc -v -n -z -w 1 192.168.0.$i 443; done Ping Scan (or Ping Sweep) of a Subnet:
nmap -sP 10.50.100.1-255
for i in {1..254}; do ping -c 1 -W 1 10.1.1.$i | grep 'from'; done Get List of Servers with a Specific Port Open through a TCP Connect Scan (is Slower and has More Overhead than a SYN Scan):
nmap -sT -p 80 -oG – 192.168.1.* | grep open
List of reverse DNS records for a subnet:
nmap -R -sL 209.85.229.99/27 | awk ‘{if($3==”not”)print”(“$2″) no PTR”;else print$3″ is “$2}’ | grep ‘(‘ Find Duplicate Address in a Subnet
for i in $(seq 1 254); do echo "arping -q -D -I eth0 -c 2 192.168.1.${i}"; [ $? -ne 0 ] && echo "192.168.1.${i} duplicate"; done Find All of the Active IP Addresses in a Subnet (by using Ping Scan):
nmap -sP 192.168.0.*
nmap -sP -R 192.168.1.0/24 |grep up
nmap -sP -PR 192.168.0.*
nmap -sP 10.1.1.0/24 > lanscan.txt
nmap -sP 192.168.1.0/24; arp -n | grep "192.168.1.[0-9]* *ether"
ping -c2 192.168.1.255 >/dev/null; arp -a
arp-scan -l
arp-scan -I eth0 192.168.1.0/24
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo “192.168.1.$ip UP” || : ; done
for ip in $(seq 1 254); do nslookup 192.168.1.$ip; [ $? -eq 0 ] && echo “192.168.1.$ip UP” || : ; done
OR on Windows:
for /L %i in (1,1,254) do ping -n 1 10.254.254.%i | find /i "Reply">> c:\ipaddresses.txt
OR Faster:
nmap -sP 192.168.0.0/24 | grep -oE '([[:digit:]]{1,3}.){3}[[:digit:]]{1,3}' Find All of the Active Hosts in the the Adjacent class C's 193.14.12, .13, .14, .15, ... , .30:
nmap -P '193.14.[12-30].*'
OR, If you don't want to have to quote it to avoid shell interpretation:
nmap -P 193.14.12-30.0-255
Find All Unused IP Addresses in a Subnet:
nmap -sP -R 192.168.1.0/24 |grep down
OR:
nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp
OR:
fping -g 192.168.0.2 192.168.0.254 2>/dev/null
fping -g 192.168.0.2 192.168.0.254 2>/dev/null | grep 'is unreachable' | cut -d ' ' -f 1 | sort -t '.' -k 4 -n
How Many Linux And Windows Devices Are On Your Network?
nmap -F -O 192.168.0.1-255 | grep "Running: " > /tmp/os; echo "$(cat /tmp/os | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/os | grep Windows | wc -l) Window(s) devices"
OS Detection Scan:
nmap -O -v -oversiondetect.txt 192.168.2.101
OS Detection and Ports Probe Scan against an IPCop Firewall on Ports 222 and 1775 (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -v -O -PN -p222, 1775 -sV -oIPCopOS.txt 121.xxx.xxx.xxx
Find Rogue AP on a Subnet:
nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan 10.0.0.0/8
Find the Conficker Virus on a Subnet (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254
SNMP Win32 Users Scan:
nmap -sV -sC 192.168.101.0/24
Scan 4096 IP Addresses for Any Web Servers (without pinging them) and Save Output in grepable and XML formats (using the -Pn Option to Skip Pinging the Targets):
nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
Scan the Specified Subnet for NetBIOS Informations:
nbtscan -v -m 2 192.168.1.1/24
Get Current Host Public IP:
alias myip='curl -s http://checkrealip.com/ | grep "Current IP Address"'
Complete TCP Handshake on a spcified Host-Port:
nc -zvw 1 host port
IDS Evasion Attack:
nmap -sS -PN -p80,443 -T1 131.107.1.254
Confuse IDS / IPS by sending requests with decoy's or different IP address:
nmap -sS -D234.34.34.45,ME,234.23.34.23 -p 80 www.xyz.com
Get SMB Server Time:
nmap --script=smb-os-discovery.nse xxx.xxx.xxx.xxx/24 -p 139,445 | grep "System time" | sort -r
Find additional information here.