nmap (general overview)

General overview of the commands and flags most often used with the Network Mapper (nmap) tool.

Refer to the sections under NETWORK HACKING for specific use cases.

Several of the options below (raw-socket scans such as -sS, OS detection, source spoofing, decoys and fragmentation) need raw packet access. As a non-root user nmap refuses them with an error about root privilege requirements; prefix the command with sudo and enter your account password to proceed:

sudo nmap ...

Port number to service mapping data

/usr/share/nmap/nmap-services

nmap reads this file to print a service name next to each port (the SERVICE column of its report), and the open-frequency column in it is what -F and --top-ports use to decide which ports count as "most common". The name is a static lookup by port number only; use -sV to find out what is actually listening.
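To show what that file contains and how the frequency column drives port selection, here is an added example (not nmap's own code) that parses the nmap-services layout and ranks ports the way -F and --top-ports do. The SAMPLE excerpt is constructed in the real file's format; the load_services() path is the default install location and is only used if you call it on a host with nmap installed.

```python
"""Parse the nmap-services table and rank ports by open-frequency, which is
how -F and --top-ports choose which ports to scan.  Added example, not part
of nmap; SAMPLE is a constructed excerpt in the real file's layout."""
import re
from collections import namedtuple

Service = namedtuple("Service", "name port proto freq comment")

# Constructed excerpt. Real file: /usr/share/nmap/nmap-services, one
# "<name> <port>/<proto> <open-frequency> [# comment]" line per entry.
SAMPLE = """\
# Fields in this file: Service name, portnum/protocol, open-frequency, optional comments
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
domain\t53/udp\t0.213496\t# Domain Name Server
https\t443/tcp\t0.208669\t# secure http (SSL)
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
smtp\t25/tcp\t0.131314\t# Simple Mail Transfer
unknown\t8888/tcp\t0.001000
"""

LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+(\d*\.?\d+)(?:\s*#\s*(.*))?\s*$")


def parse_services(text):
    """Return a Service tuple for every data line; comments and blanks are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparsable nmap-services line: %r" % raw)
        name, port, proto, freq, comment = m.groups()
        out.append(Service(name, int(port), proto, float(freq), comment or ""))
    return out


def load_services(path="/usr/share/nmap/nmap-services"):
    """Parse the real file on a host that has nmap installed."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_services(fh.read())


def top_ports(services, n, proto="tcp"):
    """Ports of one protocol sorted by descending open-frequency, as --top-ports
    does.  -F is the n=100 case; the default scan is the n=1000 case."""
    ranked = sorted((s for s in services if s.proto == proto),
                    key=lambda s: (-s.freq, s.port))
    return [s.port for s in ranked[:n]]


def service_name(services, port, proto="tcp"):
    """The SERVICE column nmap prints: a static lookup, not what is listening."""
    for s in services:
        if s.port == port and s.proto == proto:
            return s.name
    return "unknown"


if __name__ == "__main__":
    svcs = parse_services(SAMPLE)
    print("top 3 tcp:", top_ports(svcs, 3))
    print("22/tcp is labelled:", service_name(svcs, 22))
```

Replace SAMPLE with load_services() on a machine with nmap installed to reproduce the real -F port list; the ranking comes entirely from the frequency column, so a port with a low frequency is skipped by -F no matter how interesting its name is.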

List Scan

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is a cheap way to confirm that a target specification (a range, CIDR block or -iL file) expands to exactly the hosts you intend to scan before anything noisy is sent; note that the reverse-DNS lookups are themselves visible to the resolver unless -n is given.

-sL flag

$ nmap [host] -sL

# eg. 
# -v for verbose and -n for no DNS resolution
nmap 10.10.0.1-5 -n -v -sL 
Starting Nmap ...( https://nmap.org ) at ...
Nmap scan report for 10.10.0.1
Nmap scan report for 10.10.0.2
Nmap scan report for 10.10.0.3
Nmap scan report for 10.10.0.4
Nmap scan report for 10.10.0.5
Nmap done: 5 IP addresses (0 hosts up) scanned in 0.00 seconds

Scan optimization

The options below speed up a scan by removing steps from the scan process. Each step exists for a reason, so skipping it is only appropriate when you know it is not needed for the target in question.

No DNS resolution

$ nmap -n <host>

Skips reverse-DNS lookups, which are slow and, because the queries go to the configured resolver, reveal which addresses are being scanned.

No Ping scan

$ nmap -Pn <host>

This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. Use it when ICMP or the default discovery probes are filtered and live hosts would otherwise be reported as down; on a large range it makes the scan far slower, since every address, up or not, now receives the full port scan.

Always perform DNS resolution

-R: query the DNS server even for hosts found to be offline.

$ nmap -R <host>

-A flag

Enable OS detection, version detection, script scanning, and traceroute; equivalent to passing -O -sV -sC --traceroute together. It is the noisiest single option nmap has, so it is a poor choice for a first pass against an unknown network.

$ nmap -A ...

Other useful flags

-F                      Fast mode: scan only the 100 most common ports (by nmap-services frequency) instead of the default 1000
-r                      Scan ports in consecutive order instead of the default randomized order
-T<0-5>                 Timing template, -T0 (paranoid) being the slowest and -T5 (insane) the fastest; -T4 is the usual choice on a fast LAN, while -T5 may time out probes and miss open ports
--max-rate 50           Send no more than 50 packets per second
--min-rate 15           Send at least 15 packets per second
--min-parallelism 100   Keep at least 100 probes outstanding in parallel
--max-parallelism 200   Keep at most 200 probes outstanding in parallel

Spoofing and decoys

Spoof source address

-S <IP_Address>

Replies go to the spoofed address rather than to you, so the results are only meaningful if you can observe that traffic (or if you only care that the target logs the spoofed source). nmap usually cannot work out the interface or routing for a spoofed source, so pair -S with -e <interface> and -Pn.

Spoof source MAC address

--spoof-mac <MAC address, prefix, or vendor name>

Accepts a full MAC, a vendor prefix, a vendor name (such as Apple), or 0 for a random address. It only matters on the local Ethernet segment, because the source MAC is rewritten at the first router.

Decoys

-D decoy1[,decoy2][,ME][,...]

a) ME represents the attacker's IP; place it in the list where you want it, otherwise nmap inserts it at a random position.

b) RND can be used to generate a random address (RND:<number> generates that many).

The scan then appears to come from every listed host at once, so the target cannot tell which source is real. Decoys apply only to raw-packet scans (SYN/UDP scans, ping sweeps and OS detection); a connect scan (-sT) or version detection (-sV) still comes from your real address. Decoy hosts should be up: on a LAN a decoy that does not answer ARP singles out the real scanner.

# eg. 
$ nmap <host> -D 10.10.10.20,10.10.10.22,ME
$ nmap <host> -D 10.10.10.22,RND,ME

Fragmentation

-f flag

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. With a single -f, the data after the IP header is split into fragments of eight bytes or less.

Specify -f again to use 16 bytes per fragment (reducing the number of fragments).

$ nmap <host> -f -f
# OR 
$ nmap <host> -ff

--mtu option

Or you can specify your own fragment size with the --mtu option. Don't also specify -f if you use --mtu. The size must be a multiple of eight.

Two caveats: a filter or IDS that reassembles fragments before inspecting them (most stateful firewalls do) sees the whole header and is not fooled; and some source systems defragment outgoing packets in the kernel, Linux with the iptables connection-tracking module being one, so confirm with a packet capture that fragments actually leave your machine.

TCP header fragmentation theory

A fragmented datagram is reassembled from three IP header fields: the Identification (ID), shared by all fragments of one datagram; the Fragment Offset, counted in 8-byte units, which is why --mtu must be a multiple of eight; and the More Fragments (MF) flag, set on every fragment except the last. Splitting a 20-byte TCP header into 8-byte pieces puts the ports in the first fragment but the flags byte (offset 13) in the second, which is exactly the field a stateless SYN filter wants to check.
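The reassembly logic and the effect of the three fragment sizes (-f, -ff, --mtu) can be seen end to end in this added example, which is not nmap's code: it builds a bare TCP SYN, splits it into IPv4 fragments at a chosen size, shows what a first-fragment-only filter can see, and reassembles from ID, offset and MF. The addresses, ports and ID are constructed values.

```python
"""Build a TCP SYN segment, split it into tiny IP fragments the way
nmap -f / -ff / --mtu do, and reassemble it from the Identification,
Fragment Offset and More-Fragments (MF) fields.  Added example, not
nmap code; addresses, ports and the 'filter' are constructed."""
import socket
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_syn(sport: int, dport: int, seq: int = 0x1000) -> bytes:
    """Bare 20-byte TCP header with only SYN set; flags live at byte 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)


def fragment(src: str, dst: str, ident: int, payload: bytes, size: int) -> list:
    """IPv4 packets carrying `payload` in `size`-byte pieces (size % 8 == 0).
    nmap -f uses 8, -ff uses 16, --mtu N uses N.  MF is set on all but the last."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    pkts = []
    for off in range(0, len(payload), size):
        piece = payload[off:off + size]
        mf = 1 if off + size < len(payload) else 0
        flags_off = (mf << 13) | (off // 8)          # offset is in 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), ident,
                          flags_off, 64, 6, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
        pkts.append(hdr + piece)
    return pkts


def parse(pkt: bytes) -> dict:
    """Pull the reassembly-relevant fields out of one IPv4 packet."""
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "mf": (flags_off >> 13) & 1,
            "offset": (flags_off & 0x1FFF) * 8, "payload": pkt[ihl:total]}


def reassemble(pkts: list) -> bytes:
    """Reorder by Fragment Offset; require one datagram (same key), no gaps,
    and MF=0 only on the final fragment, as a reassembling host or IDS does."""
    frags = sorted((parse(p) for p in pkts), key=lambda f: f["offset"])
    key, expected, out = frags[0]["key"], 0, bytearray()
    for i, f in enumerate(frags):
        if f["key"] != key or f["offset"] != expected:
            raise ValueError("gap or foreign fragment at offset %d" % f["offset"])
        if f["mf"] != (0 if i == len(frags) - 1 else 1):
            raise ValueError("MF flag inconsistent with fragment position")
        out += f["payload"]
        expected += len(f["payload"])
    return bytes(out)


def tcp_flags_in_first_fragment(pkt: bytes):
    """What a stateless filter that inspects only the first fragment sees:
    None when the TCP flags byte (offset 13) is not in this fragment."""
    f = parse(pkt)
    if f["offset"] != 0 or len(f["payload"]) < 14:
        return None
    return f["payload"][13]


if __name__ == "__main__":
    syn = tcp_syn(40000, 80)
    for size in (8, 16, 24):                 # -f, -ff, --mtu 24
        frags = fragment("10.10.10.5", "10.10.10.22", 0xBEEF, syn, size)
        print(size, len(frags), "fragments; first shows flags:",
              tcp_flags_in_first_fragment(frags[0]))
```

The run shows the practical difference between the two -f forms: with 8-byte fragments the SYN flag is only visible after reassembly, while with -ff (16 bytes) the whole flags byte already sits in the first fragment, so -ff fools fewer first-fragment filters than -f even though it sends fewer packets.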

Nmap Scripting Engine (NSE)

--script flag

Scripts can be found in /usr/share/nmap/scripts; the index nmap consults to resolve names and categories is /usr/share/nmap/scripts/script.db.

Script category    Description
auth               Authentication related scripts (credential checks, anonymous-login detection); password guessing itself lives in brute
broadcast          Discover hosts by sending broadcast messages on the local network
brute              Performs brute-force password auditing against logins
default            Default scripts, the set run by -sC
discovery          Retrieve accessible information, such as database tables and DNS names
dos                Scripts that may cause a denial of service, either through the traffic they send or by testing a DoS vulnerability by triggering it; assume the target may go down
exploit            Attempts to exploit various vulnerable services
external           Checks using a third-party service, such as Geoplugin and VirusTotal, which means target data is sent to that third party
fuzzer             Launch fuzzing attacks
intrusive          Intrusive scripts such as brute-force attacks and exploitation, which may crash or alter the target
malware            Scans for backdoors and other signs of malware infection
safe               Safe scripts, not designed to crash the target, consume large amounts of bandwidth or exploit vulnerabilities
version            Extend version detection; run automatically with -sV rather than selected with --script
vuln               Checks for specific known vulnerabilities and generally only reports results when one is found

$ nmap ... -sC
$ nmap ... --script=default # equivalent to -sC

# eg. auth script
$ nmap ... --script=auth 

Example

$ nmap 10.10.10.22 -sS -sC -n
# OR
$ nmap 10.10.10.22 -sS --script=default -n

--script "SCRIPT-NAME"

Script names (with or without .nse) may contain shell-style wildcards and can be combined with categories using and, or, not and parentheses; quote the argument so the shell does not expand the *.

# matches every script whose name starts with ftp, eg. ftp-anon, ftp-brute
$ nmap ... --script "ftp*"
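To make the selection rules concrete, here is an added example (not nmap's code) that parses script.db entries and resolves a --script argument the way the categories table and the wildcard example above describe: comma-separated items, each a name, glob or category, optionally combined with and/or/not and parentheses. The SCRIPT_DB excerpt is constructed in the real file's layout, and its category assignments are illustrative rather than copied from a specific nmap release.

```python
"""Resolve an nmap --script argument against a script.db index.
Added example, not nmap code.  SCRIPT_DB is a constructed excerpt in the
format of /usr/share/nmap/scripts/script.db; categories are illustrative."""
import re
from fnmatch import fnmatchcase

SCRIPT_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
"""

ENTRY = re.compile(r'Entry \{ filename = "([^"]+)", categories = \{ ([^}]*) \}')


def parse_script_db(text):
    """Map script name (without .nse) -> set of lowercase categories."""
    db = {}
    for m in ENTRY.finditer(text):
        fname = m.group(1)
        name = fname[:-4] if fname.endswith(".nse") else fname
        db[name] = {c.lower() for c in re.findall(r'"([^"]+)"', m.group(2))}
    return db


def _term_matches(term, name, cats):
    """A bare term is a category (case-insensitive), 'all', or a filename glob."""
    t = term.lower()
    if t == "all" or t in cats:
        return True
    return fnmatchcase(name, term) or fnmatchcase(name + ".nse", term)


def _tokens(expr):
    return re.findall(r"\(|\)|[^\s()]+", expr)


class _Parser:
    """Recursive descent: or < and < not < ( ) / term, as nmap evaluates it."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        t = self.peek()
        self.i += 1
        return t

    def expr(self):
        node = self.term()
        while self.peek() and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        t = self.take()
        if t is None:
            raise ValueError("unexpected end of expression")
        if t.lower() == "not":
            return ("not", self.factor())
        if t == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        return ("term", t)


def _eval(node, name, cats):
    op = node[0]
    if op == "term":
        return _term_matches(node[1], name, cats)
    if op == "not":
        return not _eval(node[1], name, cats)
    a, b = _eval(node[1], name, cats), _eval(node[2], name, cats)
    return (a and b) if op == "and" else (a or b)


def select_scripts(spec, db):
    """Resolve a --script value: comma-separated items, each a script name or
    glob, a category, or a boolean expression over them.  Returns sorted names."""
    chosen = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        p = _Parser(_tokens(item))
        tree = p.expr()
        if p.peek() is not None:
            raise ValueError("trailing tokens in %r" % item)
        chosen |= {n for n, c in db.items() if _eval(tree, n, c)}
    return sorted(chosen)


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    for spec in ("default", "ftp*", "default and safe and not http-*",
                 "(intrusive or dos) and not brute"):
        print("%-36s -> %s" % (spec, select_scripts(spec, db)))
```

Point it at the real script.db on a host with nmap installed to preview what a given --script expression will run before launching it; "not intrusive" and "default and safe" are the two expressions worth checking most often when scanning production systems.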

Sources: TryHackMe | Cyber Security Training; nmap(1) - Linux man page