# Network Mapper (nmap) ### Target Specification

Switch	Usage	Description
`nmap`	`nmap 192.168.0.2`	Single target IP scan
	`nmap 192.168.0.2 192.168.0.3`	Specific target IPs scan
	`nmap domain.com`	Scan target domain
	`nmap 192.168.0.1/24`	Scan IP address range using CIDR notation
`-iL`	`nmap -iL target_file.txt`	Scan targets listed in a file
`-iR`	`nmap -iR 100`	Scan 100 random hosts
`--exclude`	`nmap --exclude <target_ip>`	Exclude listed targets

### Scan Types

Switch	Type	Open	Close	Filtered
`-sT`	Full TCP connect scan (Request - SYN packets)	`SYN + ACK`	`RST`	No response
`-sS`	Stealth/Half Open scan (Request - single SYN packet)	`SYN + ACK`	`RST`	No response
`-sU`	UDP scan (Request - UDP Packet)	No response	ICMP error	No response
`-sN`	Null scan ( Request - Null probe packet)	No response	`RST`	No response
`-sF`	TCP FIN scan (Request - FIN probe packet)	No response	`RST`	No response
`-sX`	Xmas scan (Request - FIN + URG + PSH probe packets)	No response	`RST`	No response
`-sA`	ACK scan (Request - ACK packet)	`RST`		No response (statefule firewall)
`-sW`	TCP Window scan	`RST`(port Window value is non-zeror)	`RST`(port Window value is zero)	ICMP error
`-sM`	TCP Maimon scan (Request - FIN/ACK packet)	No response	`RST`	ICMP error
`-sA -ttl 100`	TTL-based ACK scan (Request - several thousand ACK packets to different TCP ports)	`RST`(port TTL value < 64)	`RST`(port TTL value i> 64)
`-Sp`	Ping scan	-	-	-

### Nmap Vulnerability Scripts * Nmap Scripting Engine (NSE) categories: * *safe*:- Won't affect the target * *intrusive*:- Not safe: likely to affect the target * *vuln*:- Scan for vulnerabilities * *exploit*:- Attempt to exploit a vulnerability * *auth*:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously) * *brute*:- Attempt to bruteforce credentials for running services * *discovery*:- Attempt to query running services for further information about the network (e.g. query an SNMP server). * A more exhaustive list can be found [here](https://nmap.org/book/nse-usage.html). * To run a specific script, we would use --script=\ , e.g. --script=http-fileupload-exploiter. * Multiple scripts can be run simultaneously in this fashion by separating them by a comma. For example: --script=smb-enum-users,smb-enum-shares * A full list of scripts and their corresponding arguments (along with example use cases) can be found [here](https://nmap.org/nsedoc/). * Nmap stores its scripts on Linux at /usr/share/nmap/scripts. All of the NSE scripts are stored in this directory by default. * It's also possible to install the scripts manually by downloading the script from Nmap (`sudo wget -O /usr/share/nmap/scripts/.nse

.nse`). This must then be followed up with `nmap --script-updatedb`, which updates the `script.db` file to contain the newly downloaded script. * Use locate `*.nse | grep ` to search for the applicable scripts * To execute nmap with scripts use the following flags: * `-sC` flag loads the default scripts: `nmap -sC ` or `nmap --script=default or nmap --script default ` * `--script` flag to load specific scripts found above: `nmap --sript http-headers ` * `--script-help` will provide a brief description of the script: `nmap --sript-help http-headers `

Switch	Usage	Description
`-sC`	`nmap 192.168.1.1 -sC`	Scan with default NSE scripts. Considered useful for discovery and safe
`--script`		Activate nmap scripting library
`--script=vuln`		Activate nmap scripts in the "vuln" category
`--script default`	`nmap 192.168.1.1 --script default`	Scan with default NSE scripts. Considered useful for discovery and safe
	`nmap 192.168.1.1 --script=banner`	Scan with a single script. Example banner
	`nmap 192.168.1.1 --script=http*`	Scan with a wildcard. Example http
	`nmap 192.168.1.1 --script=http,banner`	Scan with two scripts. Example http and banner
	`nmap 192.168.1.1 --script "not intrusive`	Scan default, but remove intrusive scripts
`--script-args`	`nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1`	NSE script with arguments

### Timing and Performance

Switch	Usage	Description
`-T0`		Paranoid (0) Intrusion Detection System evasion
`-T1`		Sneaky (1) Intrusion Detection System evasion
`-T2`		Polite (2) slows down the scan to use less bandwidth and use less target machine resources
`-T3`		Normal (3) which is default speed
`-T4`		Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
`-T5`		Insane (5) speeds scan; assumes you are on an extraordinarily fast network
`--host-timeout <time>`	1s; 4m; 2h	Give up on target after this long
`--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>`	1s; 4m; 2h	Specifies probe round trip time
`--min-hostgroup/max-hostgroup <size<size>`	50; 1024	Parallel host scan group sizes
`--min-parallelism/max-parallelism <numprobes>`	10; 1	Probe parallelization
`--scan-delay/--max-scan-delay <time>`	20ms; 2s; 4m; 5h	Adjust delay between probes
`--max-retries <tries>`	3	Specify the maximum number of port scan probe retransmissions
`--min-rate <number>`	100	Send packets no slower than <number> per second
`--max-rate <number>`	100	Send packets no faster than <number> per second

### Optimizing Nmap Scans * Omit Non-Critical Tests: * Skip port scan `-sn` when only determining what hosts are alive; larger IP address range. * Limit the number of ports; rate limiting and firewalls drop probe packets without responding. Use `-F` (most popular 100 ports) `-p` or `--top-ports` * Skip advanced scans; use `-sC` and `-sV` on large networks. * Turn off DNS resolution when not needed; use the `-n` flag * Optimize Timing Parameters: * Use the `-T4`and `--min-rate 1000` switches if detection is not an issue. * Nmap Manual: [Timing and Performance](#timing-and-performance) * Nmap Manual: [Timing Templates (-T)](https://nmap.org/book/performance-timing-templates.html) * Nmap Manual: [Low-Level Timing Controls](https://nmap.org/book/performance-low-level.html) * Separate and Optimize TCP & UDP scans. * Execute concurrent Nmap Instances. ### Port Specification

Switch	Usage	Description
`-p`	`nmap 192.168.1.1 -p <x>`	Scan port x
	`nmap IP_add -p 21-100`	Scan port range between 21 & 100
	`nmap IP_add -p U:53, T:21-25, 80`	Scan multiple TCP & UDP ports
	`nmap IP_add -p http, https`	Scan port protocol name
`-p-`	`nmap IP_add -p-`	Scan all 65K ports
`-F`	`nmap IP_add -F`	Fast scan 100 ports
`--top-ports`	`nmap IP_add --top-ports <x>`	Scan top x ports

### OS & Service Detection | Switch | Usage | Description | | ------------------------ | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | | `-O` | `nmap IP_add -O` | Remote OS detection using TCP/IP stack fingerprinting. | | `-O --osscan-limit` | `nmap IP_add -O --osscan-limit` | If at least one open & one closed TCP port are not found, it will not try OS detection. | | `-O --osscan-guess` | `nmap IP_add -O --osscan-guess` | Increases nmap's aggressive guessing. | | `-O --max-os-tries` | `nmap IP_add -O --max-os-tries ` | Set the max number of OS detection tries against target. | | `-sV` | `nmap IP_add -sV` | Attempt to determine the version of the service running on a port. | | `-sV --version-intesity` | `nmap IP_add -sV --version-intesity 8` | Intensity level 0 to 9. Higher number increases accuracy probability. | | `-sV --version-light` | `nmap IP_add -sV --version-light` | Enable light mode; lower accuracy probability, but faster. | | `-sV --version-all` | `nmap IP_add -sV --version-all` | Enable intensity level 9; higher accuracy probability, but slower. | | `-A` | `nmap IP_add -A` | "Aggressive" scan mode; activates service version detection, OS detection, traceroute, and common script scanning. | ### Host Discovery | Switch | Usage | Description | | ------ | ------------------------- | ------------------------------------------------ | | `-sn` | `nmap IP_add -sn` | Disable port scanning; host discovery only. | | `-sL` | `nmap IP_add -sL` | No scan, list targets only | | `-Pn` | `nmap IP_add -Pn` | Disable host discovery, port scan only. | | `-PS` | `nmap IP_add -PS22-25,80` | TCP SYN discovery on port x. Port 80 by default. | | `-PA` | `nmap IP_add -PA22-25,80` | TCP ACK discovery on port x. Port 80 by default. | | `-PU` | `nmap IP_add -PU53` | UDP discovery on port x. Port 40125 by default. | | `-PR` | `nmap IP_add -PR` | ARP discovery on local network. Faster than ICMP | | `-n` | `nmap IP_add -n` | Disable DNS resolution. | ### Scan output | Switch | Usage | Description | | ----------------- | ------------------------------------------ | ----------------------------------------------------------- | | `-oA` | `nmap IP_add -oA scan_result` | Output scan results in the 3 major formats | | `-oN` | `nmap IP_add -oN normal.file` | Save nmap results in the normal.file | | `-oG` | `nmap IP_add -oG grep.file` | Save nmap results in 'grepable' format | | `-oX` | `nmap IP_add -oX file.xml` | Save nmap results as an XML file | | `-oG -` | `nmap IP_add -oG -` | Grepable output to the screen. `-oN -`& `-oX -`also usable. | | `--append-output` | `nmap IP_add -oN file.txt --append-output` | Append scan results to existing file. | ### Firewall Evasion * Use the `-Pn`switch to disable host discovery (ICMP/ping) and treat the target as being alive, effectively bypassing the ICMP block. * If on the same LAN, nmap can also use `ARP`requests to determine target status, thus use the * A comprehensive list of nmap switches to assist with firewall evastion can be found [here](https://nmap.org/book/man-bypass-firewalls-ids.html). * `f`:- Used to fragment the packets (i.e. split them into smaller pieces) making it less likely that the packets will be detected by a firewall or IDS. * An alternative to `-f`, but providing more control over the size of the packets: `--mtu `, accepts a maximum transmission unit size to use for the packets sent. This *must* be a multiple of 8. * `-scan-delay ms`:- used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place. * `-badsum`:- this is used to generate in invalid checksum for packets. Any real TCP/IP stack would drop this packet, however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS. * Firewalls are usually configured to drop incoming TCP packets (with the `SYN` flag set) to blocked/filtered ports, thus blocking new connection initiation requests. By sending request packets without the `SYN`flag, bypassing this kind of firewall is possible. However, modern IDS solutions can detect these scan types, so do not rely on this scan technique. * Consider using the `-sF`,`-sX`, and `-sN`switches for firewall detection and evasion. These packets do not include a set `SYN` flag. ### Useful nmap Commands

Command	Description
`nmap -sn -PR 192.168.1.0/24`	Discover live hosts on network
`nmap -p80 -sV -oG - --open 192.168.1.1/24 \| grep open`	Scan for web servers and grep to show which IPs are running web servers
`nmap -iR 10 -n -oX out.xml \| grep "Nmap" \| cut -d " " -f5 > live-hosts.txt`	Generate a list of the IPs of live hosts
`nmap -iR 10 -n -oX out2.xml \| grep "Nmap" \| cut -d " " -f5 >> live-hosts.txt`	Append IP to the list of live hosts
`ndiff scanl.xml scan2.xml`	Compare output from nmap using the ndif
`xsltproc nmap.xml -o nmap.html`	Convert nmap xml files to html files
`grep " open " results.nmap \| sed -r 's/ +/ /g' \| sort \| uniq -c \| sort -rn \| less`	Reverse sorted list of how often ports turn up
`nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn`	Discovery only on ports x, no port scan
`nmap 192.168.1.1-1/24 -PR -sn -vv`	Arp discovery only on local network, no port scan
`nmap -iR 10 -sn -traceroute`	Traceroute to random targets, no port scan
`nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1`	Query the Internal DNS for hosts, list targets only
`nmap -Pn --script=http-sitemap-generator scanme.nmap.org`	http site map generator
`nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000`	Fast search for random web servers
`nmap -Pn --script=dns-brute domain.com`	Brute forces DNS hostnames guessing subdomains
`nmap -n -Pn -vv -O -sV --script smb-enum,smb-ls,smb-mbenum,smb-os-discovery,smb-s,smb-vuln,smbv2 -vv 192.168.1.1`	Safe SMB scripts to run
`nmap --script whois* domain.com`	Whois query
`nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org`	Detect cross site scripting vulnerabilities
`nmap -p80 --script http-sql-injection scanme.nmap.org`	Check for SQL injections
`nmap -f -t 0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1`	Example IDS Evasion command

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cybersecc-ptblackb3ard.gitbook.io/cybersecc-ptblackb3ard/cyber-security/offensive-security/scanning-and-enumeration/network-enumeration/network-mapper-nmap.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.