Network Mapper (nmap)

Target Specification

| Switch | Usage | Description |
| --- | --- | --- |
| `nmap` | `nmap 192.168.0.2` | Single target IP scan |
| | `nmap 192.168.0.2 192.168.0.3` | Specific target IPs scan |
| | `nmap domain.com` | Scan target domain |
| | `nmap 192.168.0.1/24` | Scan an IP address range using CIDR notation |
| `-iL` | `nmap -iL target_file.txt` | Scan targets listed in a file |
| `-iR` | `nmap -iR 100` | Scan 100 random hosts |
| `--exclude` | `nmap 192.168.0.1/24 --exclude <target_ip>` | Exclude the listed targets from the scan range |

Scan Types

| Switch | Type | Open | Closed | Filtered |
| --- | --- | --- | --- | --- |
| `-sT` | Full TCP connect scan (request: SYN packets) | SYN + ACK | RST | No response |
| `-sS` | Stealth/half-open scan (request: single SYN packet) | SYN + ACK | RST | No response |
| `-sU` | UDP scan (request: UDP packet) | No response | ICMP error | No response |
| `-sN` | Null scan (request: null probe packet) | No response | RST | No response |
| `-sF` | TCP FIN scan (request: FIN probe packet) | No response | RST | No response |
| `-sX` | Xmas scan (request: FIN + URG + PSH probe packets) | No response | RST | No response |
| `-sA` | ACK scan (request: ACK packet) | RST (unfiltered) | RST (unfiltered) | No response (stateful firewall) |
| `-sW` | TCP Window scan | RST (Window value is non-zero) | RST (Window value is zero) | ICMP error |
| `-sM` | TCP Maimon scan (request: FIN/ACK packet) | No response | RST | ICMP error |
| `-sA --ttl 100` | TTL-based ACK scan (request: several thousand ACK packets to different TCP ports) | RST (TTL value < 64) | RST (TTL value > 64) | - |
| `-sP` | Ping scan | - | - | - |

Nmap Vulnerability Scripts

  • Nmap Scripting Engine (NSE) categories:

    • safe: won't affect the target

    • intrusive: not safe; likely to affect the target

    • vuln: scan for vulnerabilities

    • exploit: attempt to exploit a vulnerability

    • auth: attempt to bypass authentication for running services (e.g. log into an FTP server anonymously)

    • brute: attempt to brute-force credentials for running services

    • discovery: attempt to query running services for further information about the network (e.g. query an SNMP server)

  • To run a specific script, use --script=<script-name>, e.g. --script=http-fileupload-exploiter.

  • Multiple scripts can be run simultaneously in this fashion by separating them with a comma. For example: --script=smb-enum-users,smb-enum-shares

  • Nmap stores its scripts on Linux at /usr/share/nmap/scripts. All of the NSE scripts are stored in this directory by default.

  • It's also possible to install a script manually by downloading it from Nmap (sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse). This must then be followed up with nmap --script-updatedb, which updates the script.db file to contain the newly downloaded script.

  • Use locate *.nse | grep <protocol_name> to search for the applicable scripts.

  • To execute nmap with scripts, use the following flags:

    • The -sC flag loads the default scripts: nmap -sC <target>, nmap --script=default <target> or nmap --script default <target>

    • The --script flag loads specific scripts found above: nmap --script http-headers <target>

    • --script-help provides a brief description of a script (no target needed): nmap --script-help http-headers

| Switch | Usage | Description |
| --- | --- | --- |
| `-sC` | `nmap 192.168.1.1 -sC` | Scan with default NSE scripts. Considered useful for discovery and safe |
| `--script` | | Activate the nmap scripting library |
| `--script=vuln` | | Activate nmap scripts in the "vuln" category |
| `--script default` | `nmap 192.168.1.1 --script default` | Scan with default NSE scripts. Considered useful for discovery and safe |
| | `nmap 192.168.1.1 --script=banner` | Scan with a single script. Example: banner |
| | `nmap 192.168.1.1 --script=http*` | Scan with a wildcard. Example: http |
| | `nmap 192.168.1.1 --script=http*,banner` | Scan with two script selections. Example: the http wildcard and banner |
| | `nmap 192.168.1.1 --script "default and not intrusive"` | Scan with the default scripts, but remove intrusive ones |
| `--script-args` | `nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1` | NSE script with arguments |
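As an added example (not part of the original page), a small POSIX shell audit that reads the `categories = {...}` line of every script in the NSE directory, so you can see which scripts the `default`, `vuln` and `"not intrusive"` selectors above would pull in before running them; the script directory defaults to the Linux path given above.

```shell
#!/bin/sh
# Added example (not from the original page): audit which NSE categories each
# script in the Nmap script directory declares, so the effect of selectors such
# as --script=default, --script=vuln or --script "not intrusive" can be checked
# before a script is run. The default directory is the Linux path from the page.

# nse_categories FILE -> the categories FILE declares, one per line
nse_categories() {
    # scripts declare e.g.:  categories = {"default", "safe", "discovery"}
    sed -n 's/^categories[[:space:]]*=[[:space:]]*{\(.*\)}.*/\1/p' "$1" |
        tr ',' '\n' | tr -d ' "' | awk 'NF'
}

# nse_is_intrusive FILE -> exit status 0 if FILE is in the intrusive category
nse_is_intrusive() {
    nse_categories "$1" | grep -qx intrusive
}

# nse_audit [DIR] -> "name<TAB>categories[<TAB>INTRUSIVE]" per script, sorted by name
nse_audit() {
    for f in "${1:-/usr/share/nmap/scripts}"/*.nse; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .nse)
        cats=$(nse_categories "$f" | paste -sd, -)
        if nse_is_intrusive "$f"; then
            printf '%s\t%s\tINTRUSIVE\n' "$name" "$cats"
        else
            printf '%s\t%s\n' "$name" "$cats"
        fi
    done | sort
}

# Usage: nse_audit                      (Linux default directory)
#        nse_audit /path/to/scripts
```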

Timing and Performance

| Switch | Example value | Description |
| --- | --- | --- |
| `-T0` | | Paranoid (0): Intrusion Detection System evasion |
| `-T1` | | Sneaky (1): Intrusion Detection System evasion |
| `-T2` | | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources |
| `-T3` | | Normal (3): the default speed |
| `-T4` | | Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network |
| `-T5` | | Insane (5): speeds up scans; assumes you are on an extraordinarily fast network |
| `--host-timeout <time>` | 1s; 4m; 2h | Give up on a target after this long |
| `--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>` | 1s; 4m; 2h | Specifies the probe round-trip time |
| `--min-hostgroup/--max-hostgroup <size>` | 50; 1024 | Parallel host scan group sizes |
| `--min-parallelism/--max-parallelism <numprobes>` | 10; 1 | Probe parallelization |
| `--scan-delay/--max-scan-delay <time>` | 20ms; 2s; 4m; 5h | Adjust the delay between probes |
| `--max-retries <tries>` | 3 | Specify the maximum number of port scan probe retransmissions |
| `--min-rate <number>` | 100 | Send packets no slower than `<number>` per second |
| `--max-rate <number>` | 100 | Send packets no faster than `<number>` per second |

Optimizing Nmap Scans

  • Omit non-critical tests:

    • Skip the port scan with -sn when only determining which hosts are alive, especially over a larger IP address range.

    • Limit the number of ports; rate limiting and firewalls drop probe packets without responding. Use -F (the 100 most popular ports), -p or --top-ports.

    • Skip advanced scans (such as -sC and -sV) on large networks.

    • Turn off DNS resolution when it is not needed; use the -n flag.

  • Optimize timing parameters:

    • Use the -T4 and --min-rate 1000 switches if detection is not an issue.

  • Separate and optimize TCP and UDP scans.

  • Execute concurrent Nmap instances.

Port Specification

| Switch | Usage | Description |
| --- | --- | --- |
| `-p` | `nmap 192.168.1.1 -p <x>` | Scan port x |
| | `nmap IP_add -p 21-100` | Scan the port range 21 to 100 |
| | `nmap IP_add -p U:53,T:21-25,80` | Scan multiple TCP and UDP ports |
| | `nmap IP_add -p http,https` | Scan ports by service name |
| `-p-` | `nmap IP_add -p-` | Scan all 65K ports |
| `-F` | `nmap IP_add -F` | Fast scan of the 100 most common ports |
| `--top-ports` | `nmap IP_add --top-ports <x>` | Scan the top x ports |

OS & Service Detection

| Switch | Usage | Description |
| --- | --- | --- |
| `-O` | `nmap IP_add -O` | Remote OS detection using TCP/IP stack fingerprinting. |
| `-O --osscan-limit` | `nmap IP_add -O --osscan-limit` | If at least one open and one closed TCP port are not found, it will not try OS detection. |
| `-O --osscan-guess` | `nmap IP_add -O --osscan-guess` | Increases nmap's aggressive guessing. |
| `-O --max-os-tries` | `nmap IP_add -O --max-os-tries <x>` | Set the maximum number of OS detection tries against a target. |
| `-sV` | `nmap IP_add -sV` | Attempt to determine the version of the service running on a port. |
| `-sV --version-intensity` | `nmap IP_add -sV --version-intensity 8` | Intensity level 0 to 9. A higher number increases the accuracy probability. |
| `-sV --version-light` | `nmap IP_add -sV --version-light` | Enable light mode; lower accuracy probability, but faster. |
| `-sV --version-all` | `nmap IP_add -sV --version-all` | Enable intensity level 9; higher accuracy probability, but slower. |
| `-A` | `nmap IP_add -A` | "Aggressive" scan mode; activates service version detection, OS detection, traceroute, and common script scanning. |

Host Discovery

| Switch | Usage | Description |
| --- | --- | --- |
| `-sn` | `nmap IP_add -sn` | Disable port scanning; host discovery only. |
| `-sL` | `nmap IP_add -sL` | No scan, list targets only. |
| `-Pn` | `nmap IP_add -Pn` | Disable host discovery; port scan only. |
| `-PS` | `nmap IP_add -PS22-25,80` | TCP SYN discovery on port x. Port 80 by default. |
| `-PA` | `nmap IP_add -PA22-25,80` | TCP ACK discovery on port x. Port 80 by default. |
| `-PU` | `nmap IP_add -PU53` | UDP discovery on port x. Port 40125 by default. |
| `-PR` | `nmap IP_add -PR` | ARP discovery on the local network. Faster than ICMP. |
| `-n` | `nmap IP_add -n` | Disable DNS resolution. |

Scan output

| Switch | Usage | Description |
| --- | --- | --- |
| `-oA` | `nmap IP_add -oA scan_result` | Output scan results in the three major formats at once |
| `-oN` | `nmap IP_add -oN normal.file` | Save nmap results in normal format to normal.file |
| `-oG` | `nmap IP_add -oG grep.file` | Save nmap results in 'grepable' format |
| `-oX` | `nmap IP_add -oX file.xml` | Save nmap results as an XML file |
| `-oG -` | `nmap IP_add -oG -` | Grepable output to the screen. `-oN -` and `-oX -` are also usable. |
| `--append-output` | `nmap IP_add -oN file.txt --append-output` | Append scan results to an existing file. |

Firewall Evasion

  • Use the -Pn switch to disable host discovery (ICMP/ping) and treat the target as being alive, effectively bypassing the ICMP block.

  • If on the same LAN, nmap can also use ARP requests to determine target status, thus use the

    • -f: used to fragment the packets (i.e. split them into smaller pieces), making it less likely that the packets will be detected by a firewall or IDS.

    • --mtu <number>: an alternative to -f, but providing more control over the size of the packets; accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.

    • --scan-delay <time>ms: used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.

    • --badsum: used to generate an invalid checksum for packets. Any real TCP/IP stack would drop this packet; however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.

  • Firewalls are usually configured to drop incoming TCP packets (with the SYN flag set) to blocked/filtered ports, thus blocking new connection initiation requests. By sending request packets without the SYN flag, bypassing this kind of firewall is possible. However, modern IDS solutions can detect these scan types, so do not rely on this scan technique.

  • Consider using the -sF, -sX, and -sN switches for firewall detection and evasion. These packets do not include a set SYN flag.

Useful nmap Commands

  • `nmap -sn -PR 192.168.1.0/24`: Discover live hosts on the network

  • `nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open`: Scan for web servers and grep to show which IPs are running them

  • `nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt`: Generate a list of the IPs of live hosts

  • `nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt`: Append IPs to the list of live hosts

  • `ndiff scan1.xml scan2.xml`: Compare the output of two nmap runs using ndiff

  • `xsltproc nmap.xml -o nmap.html`: Convert nmap XML files to HTML files

  • `grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less`: Reverse-sorted list of how often ports turn up

  • `nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn`: Discovery only on ports x, no port scan

  • `nmap 192.168.1.1/24 -PR -sn -vv`: ARP discovery only on the local network, no port scan

  • `nmap -iR 10 -sn --traceroute`: Traceroute to random targets, no port scan

  • `nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1`: Query the internal DNS for hosts, list targets only

  • `nmap -Pn --script=http-sitemap-generator scanme.nmap.org`: HTTP site map generator

  • `nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000`: Fast search for random web servers

  • `nmap -Pn --script=dns-brute domain.com`: Brute-forces DNS hostnames, guessing subdomains

  • `nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1`: Safe SMB scripts to run

  • `nmap --script whois* domain.com`: Whois query

  • `nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org`: Detect cross-site scripting vulnerabilities

  • `nmap -p80 --script http-sql-injection scanme.nmap.org`: Check for SQL injection

  • `nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1`: Example IDS evasion command
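Building on the `-oG` format from the Scan output table and the `grep " open " ... | uniq -c` pipeline above, here is an added POSIX shell example (not from the original page) that parses grepable output into one line per port and counts how often each open port appears across hosts; the `-oG` text it runs on is constructed sample data, not a real scan.

```shell
#!/bin/sh
# Added example (not from the original page): parse Nmap grepable (-oG) output.
# Each -oG host line is tab-separated: "Host: <ip> (<name>)\tPorts: <list>\tIgnored State: ..."
# and each entry in <list> is "port/state/proto/owner/service/rpcinfo/version/".

# sample_gnmap -> constructed -oG output (not a real scan) for trying the functions offline
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 192.168.1.0/24\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
    printf '# Nmap done: 256 IP addresses (2 hosts up) scanned\n'
}

# gnmap_ports (stdin: -oG text) -> one "host port proto state service" line per port entry
gnmap_ports() {
    awk -F'\t' '
        /^Host: / && /\tPorts: / {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            ports = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, entry, /, /)
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
                print host, f[1], f[3], f[2], f[5]
            }
        }'
}

# gnmap_open_port_counts (stdin: -oG text) -> "count port/proto service", most frequent first
gnmap_open_port_counts() {
    gnmap_ports | awk '$4 == "open" { print $2 "/" $3, $5 }' |
        sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Usage: nmap -sV -oG - 192.168.1.0/24 | gnmap_open_port_counts
#        sample_gnmap | gnmap_ports
```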
