Nmap

Network Mapper

Performance Tuning

• Timing tables go from 0 to 5, being 3 the default.

nmap -T4 192.168.1.1

• --min-parallelism allows to manually control the concurrency of the scan:

nmap -sS -T4 --min-parallelism 20 --max-retries 1 -p 80,443,22,3389 192.168.1.1

• Rate Limiting (--min-rate/--max-rate) gives you a better control over packets/second:

nmap -sS --min-rate 500 192.168.1.1

• --max-rtt-timeout adjusts how long Nmap waits for responses before retrying:

Optimized for LANs

nmap -sS --max-rtt-timeout 200ms 192.168.1.1

TCP Scans

Connect Scan

nmap -sT -sV -p- 192.168.1.1

ACK Scan

nmap -sA 192.168.1.1

Window Scan

nmap -sW 192.168.1.1

Maimon Scan

nmap -sM 192.168.1.1

Host Discovery

Ping Sweep

nmap -sn 192.168.1.0/24

Disable Host Discovery

nmap -Pn 192.168.1.0/24

List targets Only

nmap 192.168.1.1-3 -sL

From Target File

nmap -iL targets.txt

Range Scan

nmap 192.168.1.1-254

TCP SYN Ping

nmap 192.168.1.1-5 -PS22-25,80

TCP ACK Ping

nmap 192.168.1.1-5 -PA22-25,80

ARP Ping

nmap 192.168.1.1-1/24 -PR

Ping Host (ICMP, ACK, ARP)

nmap -PE -PA80 -PR 192.168.1.0/24

Host Scan with traceroute

nmap -iR 10 -sn -traceroute

Script for Discovery

nmap --script discovery 192.168.1.1

DNS Scans

Standard Scan

nmap --dns-servers 8.8.8.8 192.168.1.1

Disable DNS Resolution

nmap 192.168.1.1 -n

Resolve Hostnames in a Range

nmap 192.168.1.1-50 -sL -dns-server 192.168.1.1

Service and OS Detection

Service Version Detection

nmap -sV 192.168.1.1

OS Detection

nmap -O 192.168.1.1

Limits OS Detection

nmap 192.168.1.1 -O -osscan-limit

Aggressive Scan

nmap -A 192.168.1.1

Target Specific Ports

sudo nmap -sCV -oA nmap -p 'PORTS' [IP]

UDP Scans

Basic Scan

nmap -sU 192.168.1.1

Specific Ports

nmap -p 53,123,161 -sU -sC 192.168.1.1

All Ports

nmap -p- -sU 192.168.1.1

Service Detection

nmap -sU -sV 192.168.1.1

Script Scanning

nmap -sU --script=udp* 192.168.1.1

Host discovery for UDP

UDP Ping first

nmap -PU53,161,123 192.168.1.1-254 -oN udp_live_hosts.txt  

Then scan live hosts

nmap -sS -sV -p- -iL udp_live_hosts.txt -oA full_scan --max-retries 1  

Stealthy Scans

Example

nmap -f -t 0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1

SYN Scan

nmap -sS 192.168.1.1

FIN Scan

nmap -sF 192.168.1.1

Xmas

nmap -sX 192.168.1.1

Scan with Decoys

nmap -D RND:10 192.168.1.1

Fragments Packets

nmap -f 192.168.1.1

Zombie Scan

nmap -sI <zombie_host> 192.168.1.1

Spoofed Source Address

nmap -S 10.10.10.10 192.168.1.1

Set Offset Size

nmap 192.168.1.1 -mtu 32

Specific Source Port

nmap -g 53 192.168.1.1

Use proxies

nmap -proxies http://192.168.1.1:8080, http://192.168.1.2:8080 192.168.1.1

Append Random Data

nmap -data-length 200 192.168.1.1

Non-intrusive Scripts

nmap 192.168.1.1 -script "not intrusive"

Scripting Engine - NSE

List Scripts

locate scripts/citrix

Look At The Categories

locate .nse | xargs grep "categories" | grep -oP '".*?"' | sort -u

Look at any Specific category

locate .nse | xargs grep -l 'categories =.*"discovery"'

Default Scripts

nmap -sC 192.168.1.1

Specific Script

nmap --script smb-vuln* 192.168.1.1

Version and Vulnerabilities

nmap -sV -p<PORT> --script vuln <IP>

Outputs

Normal Output

nmap -oN output.txt 192.168.1.1

XML Output

nmap -oX output.xml 192.168.1.1

All formats

nmap -oA output_prefix 192.168.1.1

Grepable Output

nmap -oG output.txt 192.168.1.1

Filtering

Regex, Parse, Direct

cat nmap.txt | grep -oP '([\d]+)/open' | awk -F/ '{print $1}' | tr '\n' ','

Removes Duplicates

cat nmap.txt | grep open | grep -v '#' | cut -d"/" -f1 | sort | uniq | sed -z 's/\n/,/g;s/,$/\n/'

Filtering Function

function extractPorts(){
	ports="$(cat $1 | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',')"
	ip_address="$(cat $1 | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | sort -u | head -n 1)"
	echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
	echo -e "\t[*] IP Address: $ip_address"  >> extractPorts.tmp
	echo -e "\t[*] Open ports: $ports\n"  >> extractPorts.tmp
	echo $ports | tr -d '\n' | xclip -sel clip
	echo -e "[*] Ports copied to clipboard\n"  >> extractPorts.tmp
	cat extractPorts.tmp; rm extractPorts.tmp
}

Reverse sorted list

grep " open " results.nmap | sed -r ‘s/ +/ /g’ | sort | uniq -c | sort -rn | less

Generate a IPs live hosts list

nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt

Append IPs

nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt

Web Scripts

Scan for config files

nmap -n -p<PORT> --script http-config-backup <IP>

Site map generator

nmap -Pn -script=http-sitemap-generator scanme.nmap.org

Stealthy Scan

nmap -n -Pn -vv -O -sV --script=http-enum,http-headers,http-methods,http-title,http-vuln* 192.168.1.1

fast scan

nmap -n -Pn -p 80 -open -sV -vvv -script banner,http-title -iR 1000

Shellshock Vulnerability Check

sudo nmap --script http-shellshock --script-args uri=<URL_ARCHIVO_SH> -p80 <IP>

Other Techniques

TCP and UDP

nmap 192.168.1.1 -p U:53,T:21-25,80

IPv6

nmap -6 2607:f0d0:1002:51::4