nmap (general overview)

General overview of useful commands used in the Network mapper (nmap) tool.

Refer to the sections under NETWORK HACKING for specific use cases.

For non-root users, some of the commands listed below may return an error message regarding root access privilege requirements, simply add sudo before the nmap command, followed by entering your account password to proceed.

sudo nmap ...

Port number to service mapping data

/usr/share/nmap/nmap-services

List Scan

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names.

-sL flag

$ nmap [host] -sL

# eg. 
# -v for verbose and -n for no DNS resolution
nmap 10.10.0.1-5 -n -v -sL 
Starting Nmap ...( https://nmap.org ) at ...
Nmap scan report for 10.10.0.1
Nmap scan report for 10.10.0.2
Nmap scan report for 10.10.0.3
Nmap scan report for 10.10.0.4
Nmap scan report for 10.10.0.5
Nmap done: 5 IP addresses (0 hosts up) scanned in 0.00 seconds

Scan optimization

The following methods listed below can be used to optimize scan speeds by removing unneccessary steps in the scan process. These steps may be needed at times, and may not be appropriate to be used at all times.

No DNS resolution

$ nmap -n <host>

No Ping scan

$ nmap -Pn <host>

This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified.

Always perform DNS resolution

-R:To query the DNS server even for offline hosts.

$ nmap -R <host>

-A flag

Enable OS detection, version detection, script scanning, and traceroute

$ nmap -A ...

Other useful flags

-F	100 most common ports
-r	scan ports in consecutive order
-T<0-5>	-T0 being the slowest and T5 the fastest
--max-rate 50	rate <= 50 packets/sec
--min-rate 15	rate >= 15 packets/sec
--min-parallelism 100	at least 100 probes in parallel
--max-parallelism 200	at most 200 probes in parallel

Spoofing and decoys

Spoof source address

-S IP_Address

Spoof source MAC address

--spoof-mac MAC address, prefix, or vendor name

Decoys

-D decoy1[,decoy2][,ME][,...]

a) ME represents the attacker's IP

b) RND can be used to generate random addresses

# eg. 
$ nmap <host> -D 10.10.10.20,10.10.10.22,ME
$ nmap <host> -D 10.10.10.22,RND,ME

Fragmentation

-fflag

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

Specify -f again to use 16 bytes per fragment (reducing the number of fragments).

$ nmap <host> -f -f
# OR 
$ nmap <host> -ff

--mtu option

Or you can specify your own offset size with the --mtuoption. Don't also specify -f if you use --mtu. The offset must be a multiple of eight.

TCP header fragmentation theory

The process of reassembling the fragmented packets is based on the Identification (ID) and Fragment Offset fields.

Nmap Scripting Engine (NSE)

--script flag

Scripts can be found in /usr/share/nmap/scripts

Script Category	Description
auth	Authentication related scripts
broadcast	Discover hosts by sending broadcast messages
brute	Performs brute-force password auditing against logins
default	Default scripts, same as -sC
discovery	Retrieve accessible information, such as database tables and DNS names
dos	Detects servers vulnerable to Denial of Service (DoS)
exploit	Attempts to exploit various vulnerable services
external	Checks using a third-party service, such as Geoplugin and Virustotal
fuzzer	Launch fuzzing attacks
intrusive	Intrusive scripts such as brute-force attacks and exploitation
malware	Scans for backdoors
safe	Safe scripts that won’t crash the target
version	Retrieve service versions
vuln	Checks for vulnerabilities or exploit vulnerable services

$ nmap ... -sC
$ nmap ... --script=default # equivalent to -sC

# eg. auth script
$ nmap ... --script=auth 

Example

$ nmap 10.10.10.22 -sS -sC -n
# OR
$ nmap 10.10.10.22 -sS --script=default -n

--script "SCRIPT-NAME"

# includes all the script with ftp word in the script name, eg. ftp-brute
$ nmap ... --script "ftp*"

Nmap Post Port ScansTryHackMe

nmap(1) - Linux man pagelinux.die.net