nmap (general overview)
General overview of useful commands used in the Network mapper (nmap) tool.
Refer to the sections under NETWORK HACKING for specific use cases.
For non-root users, some of the commands listed below may return an error message regarding root access privilege requirements, simply add sudo before the nmap command, followed by entering your account password to proceed.
Port number to service mapping data
/usr/share/nmap/nmap-services
List Scan
The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names.
-sL flag
Scan optimization
The following methods listed below can be used to optimize scan speeds by removing unneccessary steps in the scan process. These steps may be needed at times, and may not be appropriate to be used at all times.
No DNS resolution
No Ping scan
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with
-Pncauses Nmap to attempt the requested scanning functions against every target IP address specified.
Always perform DNS resolution
-R:To query the DNS server even for offline hosts.
-A flag
Enable OS detection, version detection, script scanning, and traceroute
Other useful flags
-F
100 most common ports
-r
scan ports in consecutive order
-T<0-5>
-T0 being the slowest and T5 the fastest
--max-rate 50
rate <= 50 packets/sec
--min-rate 15
rate >= 15 packets/sec
--min-parallelism 100
at least 100 probes in parallel
--max-parallelism 200
at most 200 probes in parallel
Spoofing and decoys
Spoof source address
-S IP_Address
Spoof source MAC address
--spoof-mac MAC address, prefix, or vendor name
Decoys
-D decoy1[,decoy2][,ME][,...]
a) ME represents the attacker's IP
b) RND can be used to generate random addresses
Fragmentation
-fflag
The -
foption causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.
Specify
-fagain to use 16 bytes per fragment (reducing the number of fragments).
--mtu option
Or you can specify your own offset size with the --mtuoption. Don't also specify -f if you use --mtu. The offset must be a multiple of eight.
TCP header fragmentation theory
The process of reassembling the fragmented packets is based on the Identification (ID) and Fragment Offset fields.
Nmap Scripting Engine (NSE)
--script flag
Scripts can be found in /usr/share/nmap/scripts
auth
Authentication related scripts
broadcast
Discover hosts by sending broadcast messages
brute
Performs brute-force password auditing against logins
default
Default scripts, same as -sC
discovery
Retrieve accessible information, such as database tables and DNS names
dos
Detects servers vulnerable to Denial of Service (DoS)
exploit
Attempts to exploit various vulnerable services
external
Checks using a third-party service, such as Geoplugin and Virustotal
fuzzer
Launch fuzzing attacks
intrusive
Intrusive scripts such as brute-force attacks and exploitation
malware
Scans for backdoors
safe
Safe scripts that wonβt crash the target
version
Retrieve service versions
vuln
Checks for vulnerabilities or exploit vulnerable services
Example
--script "SCRIPT-NAME"
Last updated
