EC-Council: Computer Hacking Forensic Investigator(CHFI-V10)
Module 7 : Linux and Mac Forensics
Note ID: 132

Nmap command


 


Nmap is an open source network scanning tool, originally a Linux command-line utility, used for network exploration, host discovery, and security auditing. Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is running, and so on. It supports a large number of scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open), and FTP bounce.

Users recommend using Nmap for network inspection and monitoring, as it efficiently scans networks and saves scan results. They also suggest using Nmap for controlling network usage and logging. In addition, Nmap is recommended for performing DoS tests and aggressive port scans.

Some of this tool's best features are that it's open-source, free, multi-platform and receives constant updates each year. It also has a big plus: it's one of the most complete host, network and port scanners available. It includes a large set of options to enhance your scanning and mapping tasks, and brings with it an incredible community and comprehensive documentation to help you understand this tool from the very start. Nmap can be used to:

  • Create a complete computer network map.
  • Find remote IP addresses of any hosts.
  • Get OS and software details.
  • Detect open ports on local and remote systems.
  • Audit server security standards.
  • Find vulnerabilities on remote and local hosts.

Host discovery and identification

Host discovery, sometimes referred to as ping scanning, is a common task among system administrators and pentesters alike. Unlike its more traditional counterparts, Nmap offers a wide array of ping sweep options, using scanning techniques and protocols simply not available in other tools.

Basic scanning

nmap <target>

Launch a ping scan (subnet)

nmap -sn <target>
Ex: nmap -sn 192.168.1.0/24

Scan a list of targets

nmap -iL [targets.txt]

Ping scan with traceroute

nmap -sn --traceroute acme.org example.org

TCP SYN ping

nmap -PS <target>

UDP ping

nmap -PU <target>

Scan IPv6 target

nmap -6 <target>

Specify NSE script

nmap -sn --script dns-brute example.org

Manually assign DNS servers

nmap --dns-servers <servers> <target>

ARP discovery

nmap -PR <target>
Ex: nmap -PR 192.168.1.0/24

UDP discovery on specified port

nmap -PU53 <target>

No DNS resolution

nmap -n <target>

Select network interface

nmap -e <interface> <target>

Skip host discovery

nmap -Pn <target>

Version detection

Version detection is directly related to OS fingerprinting, or the active identification of a target‘s running platform and corresponding applications. Knowing the exact version of a specific software or service running on the endpoint can prove extremely valuable in identifying potential vulnerabilities and even unsuspected or unauthorized changes.

Service detection

nmap -sV <target>
Ex: nmap -sV scanme.nmap.org

OS detection

nmap -O <target>

Attempt OS guessing

nmap -O --osscan-guess <target>

Increasing version detection

nmap -sV --version-intensity <0-9> <target>

Troubleshoot version scans

nmap -sV --version-trace <target>

Aggressive detection mode

nmap -A <target>

Verbose mode

nmap -O -v <target>

Network and port scanning

By combining some of the above switches and techniques, we are able to obtain better visibility into hosts potentially protected by defense mechanisms such as firewalls or intrusion prevention systems. System administrators can also benefit from this type of subversion ability by understanding how and where to apply any required filtering rules or hardening standards. In addition, spoofing certain network conditions, like an origin IP or MAC address via Nmap, can be helpful in detecting unauthorized uses of system resources and certain attacks on availability.

TCP SYN ping scan

nmap -sn -PS <target> (ping only) or nmap -sS <target> (TCP SYN port scan)

Scanning multiple ports

nmap -sn -PS80,100-1000 <target>

TCP ACK ping scan

nmap -sn -PA <target> (ping only) or nmap -sA <target> (TCP ACK port scan)

UDP ping scan

nmap -sn -PU <target>

ICMP ping scan

nmap -sn -PE <target>

SCTP INIT ping scan

nmap -sn -PY <target> (ping only) or nmap -sY <target> (SCTP INIT port scan)

IP protocol ping scan (tracing)

nmap -sn -PO --packet-trace <target>

Scan random number of hosts

nmap -iR [number]

Broadcast ping scan

nmap --script broadcast-ping --packet-trace

Xmas scan (Sets the FIN, PSH, and URG flags)

nmap -sX <target>

UDP scan (with verbosity)

nmap -sU -v <target>

Scan a firewall (split TCP header into tiny fragments)

nmap -f <target>

Cloak a scan with decoys

nmap -D <decoy1>[,<decoy2>] <target>
Ex: nmap -D 192.168.1.101,192.168.1.102 <target>

Spoof source IP address

nmap -S <IP_Address> <target>

Spoof MAC address

nmap --spoof-mac [MAC_ADDRESS] <target>

Scan using a random MAC address

nmap -v -sT -Pn --spoof-mac 0 <target>

Timing and performance

Performance is at the heart of everything Nmap does right. Therefore, optimizing scanning via specific timing configurations and parameters can drastically improve both performance and accuracy should network congestion, slow host responses, and/or similar probable scenarios hinder your results.

Rate limiting (packets per second)

nmap --min-rate <number> --max-rate <number> <target>

Adjust delay between probes

nmap --scan-delay <time> --max-scan-delay <time> <target>

Paranoid timing template

nmap -T0 <target>

Sneaky – IDS evasion (also T0)

nmap -T1 <target>

Polite – Slower than normal scan

nmap -T2 <target>

Normal – Default speed

nmap -T3 <target>

Aggressive – Recommended mode

nmap -T4 -n -Pn -p- <target>

Insane – Very fast networks

nmap -T5 <target>

Host timeouts – Give up on hosts

nmap -sV -A -p- --host-timeout 5m <target>

Nmap Scripting Engine (NSE)

Introduced during Google's 2007 Summer of Code, the scripting platform collectively known as NSE has extended Nmap's capabilities and granularity well beyond the scope of service and host detection. In fact, fourteen defined categories (at the time of this writing) underscore the vital role the Nmap community has played in building such an unprecedented amount of flexibility into scanning. These include category names like auth, discovery, exploit or fuzzer, and command-line arguments that are flexible and easy to learn.

Safe category – Default

nmap -sC <host>
Ex: nmap -sC scanme.nmap.org

Execute (multiple) scripts by name

nmap --script default,safe <target>

Select script by category

nmap --script exploit <target>

Execute NSE script file

nmap --script /path/to/script.nse <target>

Exclude a specific category

nmap -sV --script "not exploit" <target>

Include two different categories

nmap --script "broadcast and discovery" <target>

Combining wildcards

nmap --script "http-*" <target>

Set arguments

nmap -sV --script http-title --script-args http.useragent="Mozilla 1337" <target>

Load arguments from a file

nmap --script "discovery" --script-args-file nmap-args.txt <target>
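Before running a category expression such as --script "discovery and not intrusive" against fragile hosts, it helps to know which scripts it pulls in. The following shell function is an added example, not part of the original note or of Nmap itself: it reads Nmap's scripts/script.db (one Lua table line per script) and lists the scripts that carry one category and lack another; the script.db content and category tags below are a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original note). Each script.db line looks like:
#   Entry { filename = "x.nse", categories = { "a", "b", } }
# Usage: nse_select <script.db> <category> [excluded-category]
nse_select() {
  awk -v want="$2" -v skip="$3" '
    /^Entry/ {
      match($0, /filename = "[^"]+"/)
      name = substr($0, RSTART + 12, RLENGTH - 13)      # drop: filename = "..."
      match($0, /categories = [{][^}]*[}]/)
      cats = substr($0, RSTART + 13, RLENGTH - 13)      # -> { "default", "safe", }
      gsub(/[^a-z-]+/, " ", cats)                       # -> " default safe "
      n = split(cats, c, " ")
      hit = 0; bad = 0
      for (i = 1; i <= n; i++) {
        if (c[i] == want) hit = 1
        if (skip != "" && c[i] == skip) bad = 1
      }
      if (hit && !bad) print name
    }' "$1"
}

# Constructed stand-in for nmap's script.db; the category tags are illustrative.
DB=$(mktemp); trap 'rm -f "$DB"' EXIT
cat > "$DB" <<'EOF'
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "bacnet-info.nse", categories = { "discovery", "safe", } }
EOF

# Discovery scripts that are not tagged intrusive, i.e. what
# --script "discovery and not intrusive" would select from this sample.
nse_select "$DB" discovery intrusive
```

Point the first argument at the real file (under Nmap's data directory, e.g. the path shown by nmap --script-help when a script is loaded) to audit your own installation.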

Scanning web servers

It is safe to assume that, despite the advent of cipher suites such as SSL/TLS to secure communications at large, a good portion of the visible internet remains cryptographically weak. Thus, it is not unreasonable to assume that HTTP-only endpoints can potentially become a trove of information, even if the level of exposure is not imminent. To this effect, Nmap is uniquely positioned to help us automate configuration checks that seek vulnerable web applications or even harvest default credentials. Here are some of the most common recipes:

List supported HTTP methods

nmap -p80,443 --script http-methods --script-args httpmethods.test-all=true <target>

Discover interesting paths/folders

nmap --script http-enum -sV <target>

Brute-forcing HTTP basic auth

nmap -p80 --script http-brute <target>

Provide own user/password list

nmap -sV --script http-brute --script-args userdb=~/usernames.txt,passdb=~/passwords.txt <target>

Brute-forcing common web platforms (e.g., WordPress)

nmap -sV --script http-wordpress-brute <target>

Detect a web application firewall

nmap -sV --script http-waf-detect,http-waf-fingerprint <target>

Detect XST vulnerabilities (via HTTP TRACE method)

nmap -sV --script http-methods,http-trace --script-args http-methods.retest <target>

Detect XSS vulnerabilities

nmap -sV --script http-unsafe-output-escaping <target>

Detect SQL injection vulnerabilities

nmap -sV --script http-sql-injection <target>

Finding default credentials

nmap -sV --script http-default-accounts <target>

Finding exposed Git repos

nmap -sV --script http-git <target>

Scanning mail servers

Just as visible and obvious as web platforms have become, email constitutes an integral part of any modern organization. Its exponential trajectory since the onset of the internet has turned email, and its derivatives, into a multifaceted product that touches almost every single aspect of the enterprise, integrating users, services, and technologies in a manner only conceived not too long ago. This widespread use, however, comes at a price. Email presents its own set of cyber risks and vulnerabilities, a situation compounded by misconfigurations and overall poor understanding of intricate ecosystems such as the cloud. Here are some Nmap capabilities when it comes to it.

Brute-force SMTP

nmap -p25 --script smtp-brute <target>

Brute-force IMAP

nmap -p143 --script imap-brute <target>

Brute-force POP3

nmap -p110 --script pop3-brute <target>

Enumerate users

nmap -p 25 --script=smtp-enum-users <target>

SMTP running on alternate port(s)

nmap -sV --script smtp-strangeport <target>

Discovering open relays

nmap -sV --script smtp-open-relay -v <target>

Find available SMTP commands

nmap -p 25 --script=smtp-commands <target>

Scanning databases

If tampered with, databases can expose a plethora of sensitive information. In fact, almost every major cybersecurity incident or data leak in recent years has presupposed some sort of database compromise. The key factor here is the unprecedented degree to which trust is established across the dizzying array of both static and mobile platforms, and how these technologies introduce (or not) strict gatekeeping strategies around third-party implementations. Consequently, Nmap has added support for systematically scanning numerous database technologies, allowing you to stitch together a handful of useful techniques.

Identify MS SQL servers

nmap -p1433 --script ms-sql-info <target>

Brute-force MS SQL passwords

nmap -p1433 --script ms-sql-brute <target>

Dump password hashes (MS SQL)

nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>

List databases (MySQL)

nmap -p3306 --script mysql-databases --script-args mysqluser=[user],mysqlpass=[password] <target>

Brute-force MySQL passwords

nmap -p3306 --script mysql-brute <target>

Root/Anonymous accounts with empty passwords

nmap -p3306 --script mysql-empty-password <target>

Brute-force Oracle SIDs

nmap -sV --script oracle-sid-brute <target>

Identify MongoDB servers

nmap -p27017 --script mongodb-info <target>

Listing CouchDB databases

nmap -p5984 --script couchdb-databases <target>

Identify Cassandra databases

nmap -p9160 --script cassandra-info <target>

Brute-force Redis passwords

nmap -p6379 --script redis-brute <target>

ICS/SCADA systems

An industrial control system (ICS) is a general term used to describe a conglomerate of control components that preside over hardware and software aspects of large infrastructure sectors such as power or other discrete manufacturing industries (e.g., automotive). Control in ICS infrastructure can be fully automated or may include a human in the loop (NIST); this also includes the insertion of additional IT capabilities to supplement aging analog devices and similar mechanical alternatives.

ICSs are extremely vulnerable and carry an enormous risk, so using options like -sT (full-connection TCP probe) to limit the intensity of scans is always advisable. If you're someone in charge of managing or protecting an ICS network, the below commands may prove quite useful.

Detect standard (open) ports

nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p80,102,443,502,1089,1091,2222,4000,4840,20000,34962,34964,34980,44818,47808,55000,55003 <target>

Control system ports (BACnet/IP)

nmap -Pn -sU -p47808 --script bacnet-info <target>

Ethernet/IP

nmap -Pn -sU -p44818 --script enip-info <target>

Discover a Modbus device

nmap -Pn -sT -p502 --script modbus-discover <target>

Discover a Niagara Fox device

nmap -Pn -sT -p1911,4911 --script fox-info <target>

Discover a PCWorx device

nmap -Pn -sT -p1962 --script pcworx-info <target>

Generating reports

Lastly, saving scans into a report-like format is certainly an advantage considering the somewhat sinuous nature of scanning results; quite often, these can become difficult to understand even if you're attentive or know exactly what you're looking for. To this effect, Nmap can easily pair any host or port scanning technique, set the verbosity level, or generate debugging messages, with the output of your choice to facilitate further consumption and analysis. Here are a handful of examples in no particular order.

Normal output to filename

nmap -oN [filename] <target>

Send results to XML format

nmap -oN [filename] -oX <filename.xml> <target>

Output to all formats (Normal, XML & grep)

nmap -oA [filename] <target>

Increase verbosity and debugging levels

nmap -v3 -d2 -oN [filename] <target>

Display host and port state reasons

nmap --reason <target>

Print periodic timing stats

nmap -Pn <target> --stats-every 10s

Trace packets and data sent and received

nmap -T4 --packet-trace <target>

Show open ports only

nmap --open <target>

List interfaces and routes

nmap --iflist
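The grepable output produced by -oG (or -oA) is the easiest format to post-process from a shell. The block below is an added example, not part of the original note or of Nmap: it extracts open ports with their service/version strings from a saved .gnmap file, and compares the hosts reported Up against an asset inventory so that unknown devices on a segment (the unauthorized-use case mentioned under network scanning) stand out. The .gnmap content and inventory are constructed samples standing in for a saved "nmap -sV -oG scan.gnmap 192.168.1.0/24" run.

```shell
#!/bin/sh
# Added example (not from the original note): post-process Nmap grepable output.
# Assumes the scan was saved with -sV so the Ports: field carries versions.

# Print "ip port/proto service [version]" for every open port in a .gnmap file.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) {
        sub(/^Ports: /, "", $i)
        n = split($i, entries, ", ")
        for (j = 1; j <= n; j++) {
          # entry layout: port/state/proto/owner/service/rpc/version/
          split(entries[j], f, "/")
          if (f[2] != "open") continue
          line = ip " " f[1] "/" f[3] " " f[5]
          if (f[7] != "") line = line " " f[7]
          print line
        }
      }
    }' "$1"
}

# Print hosts reported Up that are absent from an inventory (one IP per line);
# any output is a lead on a device that should not be on the segment.
unknown_hosts() {
  awk -F'\t' '/^Host:/ && $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }' "$1" \
    | sort -u | grep -vxF -f "$2" || true
}

# Constructed sample .gnmap and inventory (not real scan data).
SAMPLE=$(mktemp); INV=$(mktemp); trap 'rm -f "$SAMPLE" "$INV"' EXIT
printf '# Nmap 7.94 scan initiated (constructed sample)\n' > "$SAMPLE"
printf 'Host: 192.168.1.10 ()\tStatus: Up\n' >> "$SAMPLE"
printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)\n' >> "$SAMPLE"
printf 'Host: 192.168.1.23 ()\tStatus: Up\n' >> "$SAMPLE"
printf 'Host: 192.168.1.23 ()\tPorts: 502/open/tcp//mbap?///\tIgnored State: closed (999)\n' >> "$SAMPLE"
printf '192.168.1.10\n192.168.1.1\n' > "$INV"

open_ports "$SAMPLE"            # three open-port lines
unknown_hosts "$SAMPLE" "$INV"  # 192.168.1.23 is not in the inventory
```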

It's hard to fathom a more complete scanning tool than Nmap. After so many years of operational prowess, thousands of papers and supporting literature, countless workshops, and proofs of concept, the tool remains as relevant as it's ever been.
