nmap

Different usage options

  1. Port discovery and specification
  2. Host discovery and specification
  3. Vulnerability scanning
  4. Application and service version detection
  5. Software version detection against the ports
  6. Firewall / IDS Spoofing

Scanning command syntax

nmap [scan types] [options] {target specification}

Port specification options

| Switch | Example | Description |
|---|---|---|
| -p | nmap -p 23 172.16.1.1 | Scan a specific port |
| -p | nmap -p 23-100 172.16.1.1 | Scan a port range |
| -p | nmap -pU:110,T:23-25,443 172.16.1.1 | Scan different port types (U = UDP, T = TCP) |
| -p- | nmap -p- 172.16.1.1 | Scan all ports |
| -p | nmap -p smtp,https 172.16.1.1 | Scan ports given by service name |
| -F | nmap -F 172.16.1.1 | Fast scan (fewer ports than the default set) |
| -p "name*" | nmap -p "ftp*" 172.16.1.1 | Scan ports whose service name matches a wildcard |
| -r | nmap -r 172.16.1.1 | Scan ports sequentially instead of in random order |
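The -p syntax above (single ports, ranges, T:/U: protocol prefixes, service names and wildcards) is easy to get wrong in wrapper scripts. The following parser is an added example, not nmap's own code: it expands a spec into explicit TCP and UDP port sets the way nmap interprets it, validates the 0-65535 bounds, and resolves names against a small constructed service table (an assumption standing in for the real nmap-services file). A protocol prefix stays in effect for later tokens until another prefix appears, and unprefixed tokens default to TCP.

```python
"""Parser for nmap-style -p port specifications (added example, not nmap code)."""
from __future__ import annotations

import fnmatch

# Constructed mini service table standing in for nmap-services; it only
# resolves the names and wildcards used in this example.
SERVICE_NAMES = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80,
    "pop3": 110, "https": 443, "http-alt": 8080,
}


def _expand_range(token: str) -> set[int]:
    """Expand one numeric token: '23', '23-100', '-100', '1000-' or '-' (all)."""
    if "-" in token:
        lo_s, hi_s = token.split("-", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(token)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of bounds: {token!r}")
    return set(range(lo, hi + 1))


def _expand_name(token: str) -> set[int]:
    """Resolve a service name or wildcard such as 'http*' to port numbers."""
    matches = {port for name, port in SERVICE_NAMES.items()
               if fnmatch.fnmatchcase(name, token)}
    if not matches:
        raise ValueError(f"unknown service name: {token!r}")
    return matches


def parse_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {'tcp': {...}, 'udp': {...}} for a spec like 'U:110,T:23-25,443'.

    Tokens without a T:/U: prefix apply to the current protocol, which
    starts as TCP and changes whenever a prefix is seen.
    """
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for token in spec.split(","):
        token = token.strip()
        if len(token) > 1 and token[1] == ":" and token[0].upper() in "TU":
            proto = "tcp" if token[0].upper() == "T" else "udp"
            token = token[2:].strip()
        if not token:
            raise ValueError("empty token in port spec")
        if token[0].isdigit() or token.startswith("-"):
            ports[proto] |= _expand_range(token)
        else:
            ports[proto] |= _expand_name(token)
    return ports


def is_valid_port_spec(spec: str) -> bool:
    """Convenience check for input validation in a scan wrapper."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for example in ("23", "23-100", "U:110,T:23-25,443", "-", "smtp,https", "http*"):
        result = parse_port_spec(example)
        print(f"{example:22} tcp={len(result['tcp'])} udp={len(result['udp'])}")
```

Validating a spec before handing it to nmap is mainly useful when the spec comes from user input or a ticket field: a malformed or out-of-range entry then fails in the wrapper instead of producing a half-finished scan.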

Host / target discovery

| Switch | Example | Description |
|---|---|---|
| -sL | nmap 172.16.1.1-5 -sL | List targets without scanning them |
| -sn | nmap 172.16.1.1/8 -sn | Host discovery only, port scanning disabled |
| -Pn | nmap 172.16.1.1-8 -Pn | Port scan only, skip host discovery |
| -PS | nmap 172.16.1.185 -PS22-25,80 | TCP SYN discovery on the specified ports |
| -PA | nmap 172.16.1.185 -PA22-25,80 | TCP ACK discovery on the specified ports |
| -PU | nmap 172.16.1.1-8 -PU53 | UDP discovery on the specified port |
| -PR | nmap 172.16.1.1-8 -PR | ARP discovery within the local network |
| -n | nmap 172.16.1.1 -n | No DNS resolution |

Scanning types

Note that nmap switches are case-sensitive: the scan type is selected with a lowercase s followed by an uppercase letter (-sS, -sF, -sX), not -Sf or -SX.

| Switch | Example | Description |
|---|---|---|
| -sS | nmap 172.16.1.1 -sS | TCP SYN port scan |
| -sT | nmap 172.16.1.1 -sT | TCP connect port scan |
| -sA | nmap 172.16.1.1 -sA | TCP ACK port scan |
| -sU | nmap 172.16.1.1 -sU | UDP port scan |
| -sF | nmap -sF 172.16.1.1 | TCP FIN scan |
| -sX | nmap -sX 172.16.1.1 | Xmas scan |
| -sP | nmap -sP 172.16.1.1 | Ping scan (older alias of -sn) |
| -sL | nmap -sL 172.16.1.1 | List scan |

Version detection

| Switch | Example | Description |
|---|---|---|
| -sV | nmap 172.16.1.1 -sV | Try to determine the version of the service running on each open port |
| -sV --version-intensity | nmap 172.16.1.1 -sV --version-intensity 6 | Set the probe intensity level (0 to 9) |
| -sV --version-all | nmap 172.16.1.1 -sV --version-all | Set the intensity level to 9 |
| -sV --version-light | nmap 172.16.1.1 -sV --version-light | Enable light mode (lower intensity, faster) |
| -A | nmap 172.16.1.1 -A | Enable OS detection, version detection, script scanning and traceroute |
| -O | nmap 172.16.1.1 -O | Remote OS detection |

Target specification

| Example | Description |
|---|---|
| nmap 172.16.1.1 | Scan a single IP |
| nmap 172.16.1.1 172.16.100.1 | Scan specific IPs |
| nmap 172.16.1.1-254 | Scan a range of IPs |
| nmap xyz.org | Scan a domain |
| nmap 10.1.1.0/8 | Scan using CIDR notation |
| nmap -iL scan.txt | Scan targets listed in a file |
| nmap 172.16.1.0/24 --exclude 172.16.1.1 | Exclude the specified IPs from the scan |

Use of NMAP scripts (NSE)

| Example | Description |
|---|---|
| nmap --script=<script-name> 172.16.1.0/24 | Execute the named script against the target range |
| nmap --script-updatedb | Update the script database after adding new scripts |
| nmap -sV -sC 172.16.1.1 | Run the safe default script set together with version detection |
| nmap --script-help="<script-name>" | Get help for a script |

Firewall / IDS evasion

| Example | Description |
|---|---|
| nmap -f [target] | Scan with fragmented packets |
| nmap --mtu [MTU] [target] | Specify the MTU |
| nmap -sI [zombie] [target] | Idle (zombie) scan |
| nmap --source-port [port] [target] | Specify the source port manually |
| nmap --data-length [size] [target] | Append random data to the packets |
| nmap --randomize-hosts [target] | Randomize the target scan order |
| nmap --badsum [target] | Send packets with a bad checksum |

NMAP output formats

| Format | Example |
|---|---|
| Default / normal output | nmap -oN scan.txt 172.16.1.1 |
| XML | nmap -oX scan.xml 172.16.1.1 |
| Grepable format | nmap -oG grep.txt 172.16.1.1 |
| All formats at once | nmap -oA scan 172.16.1.1 (writes scan.nmap, scan.xml and scan.gnmap) |
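The XML format (-oX) is the one to keep for automation, because it is the only one with a stable machine-readable structure. The following script is an added example, not nmap's own tooling: it parses the host, port, state and service fields from nmap XML and diffs the open ports of two scans, which is the usual defensive use (a baseline scan of your own network against a later one, flagging newly exposed services). The two XML documents inside it are constructed to follow nmap's schema for the elements used.

```python
"""Parse nmap XML output and diff open ports between two scans (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: baseline scan of one host with ssh and https open.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 172.16.1.1">
  <host><status state="up"/>
    <address addr="172.16.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed sample: later scan where 443 closed and 8080 appeared.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 172.16.1.1">
  <host><status state="up"/>
    <address addr="172.16.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http-alt" product="Jetty"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {address: {(protocol, port): {state, service, product, version}}}."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # skip hosts that were down during the scan
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state_el = port.find("state")
            svc = port.find("service")
            ports[key] = {
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            }
        results[addr_el.get("addr")] = ports
    return results


def open_ports(scan):
    """Reduce a parsed scan to {address: {(protocol, port), ...}} of open ports."""
    return {addr: {k for k, v in ports.items() if v["state"] == "open"}
            for addr, ports in scan.items()}


def diff_open_ports(baseline, current):
    """Return (newly_open, newly_closed) keyed by address; empty hosts omitted."""
    base_open, cur_open = open_ports(baseline), open_ports(current)
    hosts = set(base_open) | set(cur_open)
    newly_open = {h: cur_open.get(h, set()) - base_open.get(h, set()) for h in hosts}
    newly_closed = {h: base_open.get(h, set()) - cur_open.get(h, set()) for h in hosts}
    return ({h: v for h, v in newly_open.items() if v},
            {h: v for h, v in newly_closed.items() if v})


if __name__ == "__main__":
    opened, closed = diff_open_ports(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))
    print("newly open:  ", opened)
    print("newly closed:", closed)
```

Two practical notes: ElementTree's `find` with an attribute predicate works on the nmap schema as shown, and for XML produced by a scanner you do not control (a file received from a third party rather than your own -oX run) parse it with defusedxml instead of the stock parser, since the standard library parser does not protect against entity-expansion attacks in untrusted documents.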

Scan options

| Syntax | Description |
|---|---|
| nmap -sP 172.16.1.1 | Ping scan only |
| nmap -PU 172.16.1.1 | UDP ping scan |
| nmap -PE 172.16.1.1 | ICMP echo ping |
| nmap -PO 172.16.1.1 | IP protocol ping |
| nmap -PR 172.16.1.1 | ARP ping |
| nmap -Pn 172.16.1.1 | Scan without pinging |
| nmap --traceroute 172.16.1.1 | Traceroute to the target |

NMAP timing options

| Syntax | Description |
|---|---|
| nmap -T0 172.16.1.1 | Slowest (paranoid) scan |
| nmap -T1 172.16.1.1 | Sneaky scan, slow enough to avoid IDS alerts |
| nmap -T2 172.16.1.1 | Polite scan, slower than the default |
| nmap -T3 172.16.1.1 | Default scan timing |
| nmap -T4 172.16.1.1 | Aggressive scan |
| nmap -T5 172.16.1.1 | Very aggressive (insane) scan |

Miscellaneous commands

| Syntax | Description |
|---|---|
| nmap -6 [target] | Scan IPv6 targets |
| nmap --proxies <proxy1-URL>,<proxy2-URL> [target] | Relay connections to the targets through the listed proxies |
| nmap --open [target] | Show open ports only |

By Abhishek

To learn more about these tools, you can join the ethical hacking course in Delhi by Craw Security using the contact details given below:

First Floor, Plot no. 4, Lane no. 2 Kehar Singh Estate, Saket metro, Saidulajab, New Delhi 110030

Email: [email protected]

Phone: 011-40394315
