Basic Nmap commands
Basic nmap scan
- Command:
nmap <target>
- Description: Performs a basic scan of the specified target.
- Example:
nmap 192.168.1.1
Scan of a specific port
- Command:
nmap -p <port> <target>
- Description: Scans a specific port on the specified destination.
- Example:
nmap -p 80 192.168.1.1
Scan of port range
- Command:
nmap -p <start port>-<end port> <target>
- Description: Scans all ports in the specified range.
- Example:
nmap -p 80-100 192.168.1.1
Scan of all 65535 Ports
- Command:
nmap -p- <target>
- Description: Scans all 65535 TCP ports (1-65535). Port 0 is excluded unless requested explicitly with -p0-.
- Example:
nmap -p- 192.168.1.1
Advanced scanning techniques
TCP SYN Scan
- Command:
nmap -sS <target>
- Description: Sends a SYN and never completes the handshake (a "half-open" scan), so it is fast and is not seen by the application on the target. This is the default scan type when Nmap runs as root; it requires raw socket privileges.
- Example:
nmap -sS 192.168.1.1
TCP Connect Scan
- Command:
nmap -sT <target>
- Description: Performs a complete TCP handshake through the operating system's connect() call. This is the default when Nmap is run without root rights; it is slower, and the connection is visible to (and may be logged by) the service on the target.
- Example:
nmap -sT 192.168.1.1
UDP Scan
- Command:
nmap -sU <target>
- Description: Scans UDP ports. Open UDP services often do not answer an empty probe, so many ports are reported as open|filtered; the scan is slow and combines well with -sV, which sends protocol-specific payloads to resolve those ports.
- Example:
nmap -sU 192.168.1.1
ACK Scan
- Command:
nmap -sA <target>
- Description: Sends ACK packets to map firewall rules: a port is reported as unfiltered when a RST comes back and as filtered when nothing or an ICMP error comes back. It does not tell open ports from closed ones.
- Example:
nmap -sA 192.168.1.1
Window Scan
- Command:
nmap -sW <target>
- Description: Like the ACK scan, but also inspects the TCP window size of the RST replies; on some systems a non-zero window indicates an open port. Results depend on the target's TCP stack and are often inconclusive.
- Example:
nmap -sW 192.168.1.1
FIN Scan
- Command:
nmap -sF <target>
- Description: Sends bare FIN packets. Stacks that follow RFC 793 ignore a FIN to an open port and answer a closed port with RST, which lets the scan slip past stateless firewalls that only block SYNs. Windows and many network devices reply with RST on every port, so all ports then appear closed.
- Example:
nmap -sF 192.168.1.1
Identification and Detection
OS Detection
- Command:
nmap -O <target>
- Description: Fingerprints the target's TCP/IP stack to guess the operating system. Requires raw socket privileges (root) and works best when at least one open and one closed port are found.
- Example:
nmap -O 192.168.1.1
Version detection
- Command:
nmap -sV <target>
- Description: Detects the versions of the services running on the target host.
- Example:
nmap -sV 192.168.1.1
Aggressive Scan
- Command:
nmap -A <target>
- Description: Performs a comprehensive scan combining OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute. It is noisy and intrusive and needs root for the OS detection part.
- Example:
nmap -A 192.168.1.1
Traceroute
- Command:
nmap --traceroute <target>
- Description: Determines the path from your computer to the target host.
- Example:
nmap --traceroute 192.168.1.1
Network Exploration
Ping Scan
- Command:
nmap -sn <network>
- Description: Host discovery only: reports which hosts are up without scanning ports. Hosts whose firewall drops the discovery probes are shown as down; -Pn skips discovery and scans them anyway.
- Example:
nmap -sn 192.168.1.0/24
List Scan
- Command:
nmap -sL <network>
- Description: Lists every target that would be scanned (with a reverse DNS lookup for each) without sending any packets to them. Useful for reviewing a target list before the real scan.
- Example:
nmap -sL 192.168.1.0/24
Scan multiple targets
- Command:
nmap <target 1> <target 2> ...
- Description: Scans multiple targets in a single command.
- Example:
nmap 192.168.1.1 192.168.1.2 192.168.1.3
Scan list of targets
- Command:
nmap -iL <path to file>
- Description: Scans all targets listed in a file, one host, range or CIDR block per line.
- Example:
nmap -iL targets.txt
Stealth techniques and bypassing firewalls
Fragmented packet scan
- Command:
nmap -f <target>
- Description: Splits the probes into 8-byte IP fragments so that packet filters and IDS that do not reassemble fragments may miss them (-ff uses 16-byte fragments). Requires raw packet privileges, and some hosts or firewalls drop fragments altogether.
- Example:
nmap -f 192.168.1.1
Decoy scan
- Command:
nmap -D <decoy 1>[,<decoy 2>,...,ME] <target>
- Description: Sends the scan from several spoofed decoy addresses alongside your own, so the target's logs cannot tell which source is real. RND:<n> generates n random decoys; ME sets the position of your own address in the list.
- Example:
nmap -D RND:10 192.168.1.1
Spoofing of source IP
- Command:
nmap -S <fake IP> <target>
- Description: Sets a spoofed source IP. Replies go to the spoofed address rather than to you, so this mostly serves to confuse logging; it usually needs -e <interface> and -Pn, because Nmap cannot work out routing for an address it does not own.
- Example:
nmap -S 192.168.1.100 192.168.1.1
Output and Reporting
Normal Output
- Command:
nmap -oN <filename> <target>
- Description: Saves the scan results in normal format in a file.
- Example:
nmap -oN scan_results.txt 192.168.1.1
XML Output
- Command:
nmap -oX <filename> <target>
- Description: Saves the scan results in XML format.
- Example:
nmap -oX scan_results.xml 192.168.1.1
Grep-able Output
- Command:
nmap -oG <filename> <target>
- Description: Saves the scan results in a grep-friendly format.
- Example:
nmap -oG scan_results.gnmap 192.168.1.1
All Output Formats
- Command:
nmap -oA <filename> <target>
- Description: Saves the scan results in all three formats at once (normal .nmap, XML .xml and grepable .gnmap), using the given name as the file prefix.
- Example:
nmap -oA scan_results 192.168.1.1
Scripting and Expandability
Script Scanning
- Command:
nmap -sC <target>
- Description: Runs the default set of Nmap Scripting Engine (NSE) scripts, equivalent to --script=default.
- Example:
nmap -sC 192.168.1.1
Execute specific scripts
- Command:
nmap --script <script name> <target>
- Description: Executes a specific Nmap script.
- Example:
nmap --script http-title 192.168.1.1
- List: https://nmap.org/nsedoc/scripts/
Execute script categories
- Command:
nmap --script <category> <target>
- Description: Executes all scripts of a certain category (e.g. --script vuln for vulnerability scripts).
- Example:
nmap --script vuln 192.168.1.1
- Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
Timing and Performance
Timing Template
- Command:
nmap -T<0-5> <target>
- Description: Sets the speed of the scan, with -T0 (paranoid) the slowest and -T5 (insane) the fastest. -T4 is common on reliable networks; -T5 can drop results on slow or lossy links.
- Example:
nmap -T4 192.168.1.1
Maximum probe parallelism
- Command:
nmap --max-parallelism <amount> <target>
- Description: Caps the number of probes outstanding at the same time, which limits the load on the network and the target.
- Example:
nmap --max-parallelism 10 192.168.1.1
Minimum host group size
- Command:
nmap --min-hostgroup <amount> <target>
- Description: Scans at least this many hosts in parallel when targeting a network. Larger groups are faster, but results for a group are only reported once the whole group is finished.
- Example:
nmap --min-hostgroup 50 192.168.1.1
Further nmap Options
IPv6 Scan
- Command:
nmap -6 <target>
- Description: Performs a scan on an IPv6 destination.
- Example:
nmap -6 2001:db8::ff00:42:8329
Silent Execution
- Command:
nmap -oN <filename> <target> > /dev/null
- Description: Nmap has no quiet flag: -v<level> only sets the verbosity level, and -v0 is the default, so -v0 does not hide output. To run without output on the screen, save the results with -oN (or -oA) and redirect standard output to /dev/null.
- Example:
nmap -oN scan_results.txt 192.168.1.1 > /dev/null
Scan delay
- Command:
nmap --scan-delay <time> <target>
- Description: Waits at least this long between probes sent to a host. Slowing the scan this way keeps it under rate-based IDS/IPS thresholds; it does not hide the probes from signature-based detection.
- Example:
nmap --scan-delay 5s 192.168.1.1
Nmap is an extremely powerful tool and the commands listed here are only a fraction of the options available. Each command can be further customized and combined to meet specific requirements and scenarios.
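The following script is an added example, not part of the original cheat sheet: it chains the commands above into a staged workflow (ping scan to find live hosts, full-port SYN scan of those hosts, then version and default-script scanning of only the ports found) and uses -oA so the grepable output of each stage can be parsed to feed the next. The output prefix, file names and the sample .gnmap lines are assumptions; the sample is constructed, not a real scan. The SYN stage needs root.

```shell
#!/bin/sh
# Added example: staged Nmap workflow with parsing of grepable (-oG/-oA) output.
# Not from the original cheat sheet; prefix, paths and sample data are assumptions.
set -eu

# live_hosts: read -oG output on stdin, print one IP per "Status: Up" line.
live_hosts() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# open_ports: read -oG output on stdin, print "host port/proto service [version]"
# for every port in state "open" (open|filtered is deliberately excluded).
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, /, /)
                for (j = 1; j <= n; j++) {
                    # gnmap port entry: port/state/proto/owner/service/rpc/version/
                    split(p[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s/%s %s%s\n", host, f[1], f[3], f[5], (f[7] != "" ? " " f[7] : "")
                }
            }
        }'
}

# port_list: turn open_ports output into a sorted, comma-separated list for -p.
port_list() {
    awk '{ split($2, pp, "/"); print pp[1] }' | sort -n -u | paste -sd, -
}

# staged_scan <network> <prefix>: discovery -> full TCP port sweep of live hosts
# -> version/script scan of only the discovered ports. Writes <prefix>-*.{nmap,xml,gnmap}.
staged_scan() {
    net=$1; prefix=$2
    nmap -sn -oA "${prefix}-discovery" "$net" >/dev/null
    live_hosts < "${prefix}-discovery.gnmap" > "${prefix}-live.txt"
    nmap -sS -p- -T4 -iL "${prefix}-live.txt" -oA "${prefix}-ports" >/dev/null   # needs root
    ports=$(open_ports < "${prefix}-ports.gnmap" | port_list)
    [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
    nmap -sV -sC -p "$ports" -iL "${prefix}-live.txt" -oA "${prefix}-services"
}

# Constructed sample of a "<prefix>-ports.gnmap" file (assumed data, not a real scan).
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.2 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.2 ()\tPorts: 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)\n'
    printf '# Nmap done\n'
}

if [ $# -ge 2 ]; then
    staged_scan "$1" "$2"          # e.g. ./staged.sh 192.168.1.0/24 lab
else
    sample_gnmap | open_ports      # dry run: parse the constructed sample only
fi
```

Run without arguments to see the parser on the constructed sample; run as root with a network and a prefix to execute the real three-stage scan. Parsing the .gnmap files between stages is what lets the final, noisy -sV -sC pass touch only ports that are actually open, and the -oA files of every stage remain as evidence for the report.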
#HappyHacking