Nmap

= What is NMAP =


 * Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.

Host discovery Port scanning Version detection OS detection Scriptable interaction with the target
 * Nmap features include:

Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it. Identifying open ports on a target host in preparation for auditing. Network inventory, network mapping, maintenance and asset management. Auditing the security of a network by identifying new servers. Generating traffic to hosts on a network, response analysis and response time measurement. Find and exploit vulnerabilities in a network.
 * Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
 * Typical uses of Nmap:

= Port Options = -F                      Scan 100 most popular ports -p20-2000               Port range -p54,80,443,... Port List -pU:53,U:110,T20-445    Mix TCP and UDP -r                      Scan linearly (do not randomize ports) --top-ports          Scan n most popular ports -p-                     Scan ports 1-65535

= Scripting =

auth:     Utilize credentials or bypass authentication on target hosts. broadcast: Discover hosts not included on command line by broadcasting on local network. brute:    Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc. default:   Scripts run automatically when -sC or -A are used. discovery: Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more. dos:      May cause denial of service conditions in target hosts. exploit:  Attempt to exploit target systems. external: Interact with third-party systems not included in target list. fuzzer:   Send unexpected input in network protocol fields. intrusive: May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion. malware:  Look for signs of malware infection on the target hosts. safe:     Designed not to impact target in a negative fashion. version:  Measure the version of software or protocol spoken by target hosts. vul:      Measure whether target systems have a known vulnerability.
 * Script Categories

-sC                                                    Run default scripts --script=| |... Run individual or groups of scripts --script-args=                       Use the list of script arguments --script-updatedb                                      Update script database
 * Scripting Engine

https://nmap.org/nsedoc/
 * Famous Scripts:
 * A full list of Nmap Scripting Engine scripts is available at:


 * Some particularly useful scripts include:

dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server. $ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain= -p53

http-robots.txt: Harvests robots.txt files from discovered web servers. $ nmap --script http-robots.txt

smb-brute: Attempts to determine valid username and password combinations via automated guessing. $ nmap --script smb-brute.nse -p445

smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as scriptargs. $ nmap --script smb-psexec.nse –script-args=smbuser= ,smbpass= [,config= ] -p445

= Probing Options = -Pn           Don't probe (assume all hosts are up) -PB           Default probe (TCP 80, 445 & ICMP) -PS Check whether targets are up by probing TCP ports -PE           Use ICMP Echo Request -PP           Use ICMP Timestamp Request -PM           Use ICMP Netmask Request

= Scan Types =

-sP            Probe only (host discovery, not port scan) -sS            SYN Scan -sT            TCP Connect Scan -sU            UDP Scan -sV            Version Scan -O             OS Detection --max-os-tries Set the maximum number of tries against a target --scanflags    Set custom list of TCP using URGACKPSHRSTSYNFIN in any order

= Fine-Grained Timing Options = --min-hostgroup/max-hostgroup                       Parallel host scan group sizes --min-parallelism/max-parallelism               Probe parallelization --min-rtt-timeout/max-rtttimeout/initial-rtt-timeout      Specifies probe round trip time. --max-retries                                      Caps number of port scan probe retransmissions. --host-timeout                                      Give up on target after this long --scan-delay/--max-scan-delay                       Adjust delay between probes --min-rate                                        Send packets no slower than per second --max-rate                                        Send packets no faster than per second

= Aggregate Timing Options = -T0  Paranoid: Very slow, used for IDS evasion -T1  Sneaky: Quite slow, used for IDS evasion -T2  Polite: Slows down to consume less bandwidth, runs ~10 times slower than default -T3  Normal: Default, a dynamic timing model based on target responsiveness -T4  Aggressive: Assumes a fast and reliable network and may overwhelm targets -T5  Insane: Very aggressive; will likely overwhelm targets or miss open ports

= Output Formats = -oN            Standard Nmap output -oG            Greppable format -oX            XML format -oA Generate Nmap, Greppable, and XML output files using basename for files

= Misc Options = -n             Disable reverse IP address lookups -6             Use IPv6 only -A             Use several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute --reason       Display reason Nmap thinks port is open, closed, or filtered -v             Increase verbosity level -d (1-9)       set debugging level v/V            increase/decrease verbosity level d/D            increase/decrease debugging level p/P            turn on/off packet tracing --packet-trace trace packets

= Host discovery = -PS n         tcp syn ping -PA n         tcp ack ping -PU n         udp ping -PM           netmask req -PP           timestamp req -PE           echo req -sL           list scan -PO           protocol ping -PN           no ping -n            no DNS -R            DNS resolution for all targets --traceroute  trace path to host (for topology map) -sP           ping same as –PP –PM –PS443 –PA80

= Port scanning techniques = -sS  tcp syn scan -sT  tcp connect scan -sU  udp scan -sY  sctp init scan -sZ  sctp cookie echo -sO  ip protocol -sW  tcp window -sN  null –sF  fin -sX  xmas –sA  tcp ack

= Firewall/IDS evasion = -f                fragment packets -D d1,d2          cloak scan with decoys -S ip             spoof source address –g source         spoof source port --randomize-hosts order --spoof-mac       mac change the src mac

= Examples = nmap [Scan Types] [Options] {target specification}
 * Nmap command usage

nmap -T4 -F 192.168.1.1
 * Quick scan

nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80 192.168.1.1
 * Fast scan (port80)

nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4 192.168.1.1
 * Pingscan

nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all 192.168.1.1
 * Slow comprehensive

nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute 192.168.1.1
 * Quick traceroute:

nmap server.ubuntu.com nmap 192.168.1.101
 * Scan a System with Hostname and IP Address

nmap 192.168.1.* nmap 192.168.1.101 192.168.1.102 192.168.1.103 nmap 192.168.1.101,102,103
 * Scan Multiple Hosts

nmap -v server.ubuntu.com
 * Getting more details

nmap -iL nmaptest.txt
 * Scan list of Hosts from a File

nmap -A 192.168.1.1
 * Scan OS & version detection, script scanning and traceroute

nmap -O 192.168.1.1
 * Enable OS Detection with Nmap

nmap -sV 192.168.1.1
 * Find Host Services version Numbers

nmap -PS 192.168.1.1
 * Scan remote hosts using TCP Syn (ICMP Blocked)

nmap -PS -p 22,80 192.168.1.1
 * Scan Remote host for specific ports with TCP Syn

nmap -PA -p 22,80 192.168.1.1
 * Scan Remote host for specific ports with TCP ACK (ICMP Blocked)

nmap -sS 192.168.1.1
 * Perform a stealthy Scan

nmap -sT 192.168.1.1
 * Check most commonly used Ports with TCP Syn

nmap -sN 192.168.1.1
 * Perform a tcp null scan to fool a firewall

nmap --script ssl-enum-ciphers -p 443 192.168.1.1
 * List of all the ciphersuites:


 * References