From Network Security Wiki

What is NMAP

  • Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
  • Nmap features include:
Host discovery
Port scanning
Version detection
OS detection
Scriptable interaction with the target
  • Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
  • Typical uses of Nmap:
Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
Identifying open ports on a target host in preparation for auditing.
Network inventory, network mapping, maintenance and asset management.
Auditing the security of a network by identifying new servers.
Generating traffic to hosts on a network, response analysis and response time measurement.
Find and exploit vulnerabilities in a network.

Port Options

-F                       Scan 100 most popular ports
-p20-2000                Port range
-p54,80,443,...          Port List
-pU:53,U:110,T20-445     Mix TCP and UDP
-r                       Scan linearly (do not randomize ports)
--top-ports <n>          Scan n most popular ports
-p-                      Scan ports 1-65535


Script Categories
auth:      Utilize credentials or bypass authentication on target hosts.
broadcast: Discover hosts not included on command line by broadcasting on local network.
brute:     Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc.
default:   Scripts run automatically when -sC or -A are used.
discovery: Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
dos:       May cause denial of service conditions in target hosts.
exploit:   Attempt to exploit target systems.
external:  Interact with third-party systems not included in target list.
fuzzer:    Send unexpected input in network protocol fields.
intrusive: May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
malware:   Look for signs of malware infection on the target hosts.
safe:      Designed not to impact target in a negative fashion.
version:   Measure the version of software or protocol spoken by target hosts.
vul:       Measure whether target systems have a known vulnerability.
Scripting Engine
-sC                                                     Run default scripts
--script=<ScriptName>| <ScriptCategory>|<ScriptDir>...  Run individual or groups of scripts
--script-args=<Name1=Value1,...>                        Use the list of script arguments
--script-updatedb                                       Update script database
Famous Scripts
  • A full list of Nmap Scripting Engine scripts is available at:
  • Some particularly useful scripts include:

dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.

$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>

http-robots.txt: Harvests robots.txt files from discovered web servers.

$ nmap --script http-robots.txt <hosts>

smb-brute: Attempts to determine valid username and password combinations via automated guessing.

$ nmap --script smb-brute.nse -p445<hosts>

smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as scriptargs.

$ nmap --script smb-psexec.nse –script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>

Probing Options

-Pn            Don't probe (assume all hosts are up)
-PB            Default probe (TCP 80, 445 & ICMP)
-PS<portlist>  Check whether targets are up by probing TCP ports
-PE            Use ICMP Echo Request
-PP            Use ICMP Timestamp Request
-PM            Use ICMP Netmask Request

Scan Types

-sP             Probe only (host discovery, not port scan)
-sS             SYN Scan
-sT             TCP Connect Scan
-sU             UDP Scan
-sV             Version Scan
-O              OS Detection
--max-os-tries  Set the maximum number of tries against a target
--scanflags     Set custom list of TCP using URGACKPSHRSTSYNFIN in any order

Fine-Grained Timing Options

--min-hostgroup/max-hostgroup <size>                        Parallel host scan group sizes
--min-parallelism/max-parallelism<numprobes>                Probe parallelization

Aggregate Timing Options

-T0   Paranoid: Very slow, used for IDS evasion
-T1   Sneaky: Quite slow, used for IDS evasion
-T2   Polite: Slows down to consume less bandwidth, runs ~10 times slower than default
-T3   Normal: Default, a dynamic timing model based on target responsiveness
-T4   Aggressive: Assumes a fast and reliable network and may overwhelm targets
-T5   Insane: Very aggressive; will likely overwhelm targets or miss open ports

Output Formats

-oN             Standard Nmap output
-oG             Greppable format
-oX             XML format
-oA <basename>  Generate Nmap, Greppable, and XML output files using basename for files

Misc Options

-n              Disable reverse IP address lookups
-6              Use IPv6 only
-A              Use several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute
--reason        Display reason Nmap thinks port is open, closed, or filtered
-v              Increase verbosity level 
-d (1-9)        set debugging level 
v/V             increase/decrease verbosity level
d/D             increase/decrease debugging level
p/P             turn on/off packet tracing
--packet-trace  trace packets

Host discovery

-PS n          tcp syn ping 
-PA n          tcp ack ping 
-PU n          udp ping
-PM            netmask req 
-PP            timestamp req 
-PE            echo req
-sL            list scan 
-PO            protocol ping 
-PN            no ping
-n             no DNS 
-R             DNS resolution for all targets
--traceroute   trace path to host (for topology map)
-sP            ping same as –PP –PM –PS443 –PA80

Port scanning techniques

-sS   tcp syn scan 
-sT   tcp connect scan 
-sU   udp scan
-sY   sctp init scan 
-sZ   sctp cookie echo 
-sO   ip protocol
-sW   tcp window 
-sN   null
–sF   fin
-sX   xmas 
–sA   tcp ack

Firewall/IDS evasion

-f                 fragment packets 
-D d1,d2           cloak scan with decoys
-S ip              spoof source address 
–g source          spoof source port
--randomize-hosts  order 
--spoof-mac        mac change the src mac


  • Nmap command usage
nmap [Scan Types] [Options] {target specification}
  • Quick scan
nmap -T4 -F
  • Fast scan (port80)
nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80
  • Pingscan
nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4
  • Slow comprehensive
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all
  • Quick traceroute:
nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute
  • Scan a System with Hostname and IP Address
nmap server.ubuntu.com
  • Scan Multiple Hosts
nmap 192.168.1.*
  • Getting more details
nmap -v server.ubuntu.com
  • Scan list of Hosts from a File
nmap -iL nmaptest.txt
  • Scan OS & version detection, script scanning and traceroute
nmap -A
  • Enable OS Detection with Nmap
nmap -O
  • Find Host Services version Numbers
nmap -sV
  • Scan remote hosts using TCP Syn (ICMP Blocked)
nmap -PS
  • Scan Remote host for specific ports with TCP Syn
nmap -PS -p 22,80
  • Scan Remote host for specific ports with TCP ACK (ICMP Blocked)
nmap -PA -p 22,80
  • Perform a stealthy Scan
nmap -sS
  • Check most commonly used Ports with TCP Syn
nmap -sT
  • Perform a tcp null scan to fool a firewall
nmap -sN
  • List of all the ciphersuites:
nmap --script ssl-enum-ciphers -p 443


{{#widget:DISQUS |id=networkm |uniqid=Nmap |url=https://aman.awiki.org/wiki/Nmap }}