Nmap Targeting
Scan a single IP | nmap 192.168.1.1 |
Scan a hostname | nmap www.domain.com |
Scan an IP range | nmap 192.168.1.1-100 |
Scan a subnet | nmap 192.168.1.0/24 |
Scan from a predefined list | nmap -iL list.txt |
Ports
Scan a single port | nmap -p 22 192.168.1.1 |
Scan a range of ports | nmap -p 1-20 192.168.1.1 |
Scan multiple ports | nmap -p 22,80,443 192.168.1.1 |
Scan Mixed TCP/UDP ports | nmap -p U:53,T:22 192.168.1.1 |
Scan 100 common ports | nmap -F 192.168.1.1 |
Scan top # ports | nmap –top-ports 300 192.168.1.1 |
Scan ports linearly | nmap -r -p 1-1000 192.168.1.1 |
Scan all ports | nmap -p- 192.168.1.1 |
Scan types
TCP Connect Scan | nmap -sT 192.168.1.1 |
TCP SYN scan (Silent scan) | nmap -sS 192.168.1.1 |
UDP scan | nmap -sU -p 137,139 192.168.1.1 |
No ping scan | nmap -Pn 192.168.1.1 |
Host Discovery (no ports) | nmap -sn 192.168.1.1 |
Version Scan | nmap -sV 192.168.1.1 |
OS Detection | nmap -o 192.168.1.1 |
OS and Service Discovery
OS and Services | nmap -A 192.168.1.1 |
Standard service discovery | nmap -sV 192.168.1.1 |
Aggressive service discovery | nmap -sV –version-intensity 5 192.168.1.1 |
Light banner grabbing | nmap -sV –version-intensity 0 192.168.1.1 |
Aggregate Timing
Paranoid: Very slow | nmap -t0 192.168.1.1 |
Sneaky: Quite slow | nmap -t1 192.168.1.1 |
Polite: Slows down | nmap -t2 192.168.1.1 |
Normal: Default | nmap -t3 192.168.1.1 |
Aggressive: Fast and reliable | nmap -t4 192.168.1.1 |
Insane: Very aggressive | nmap -t5 192.168.1.1 |
Output Formats
Standard Nmap output | nmap -oN output.txt 192.168.1.1 |
XML format | nmap -oX output.txt 192.168.1.1 |
Greppable format | nmap -oG output.txt 192.168.1.1 |
All formats output | nmap -oA output.txt 192.168.1.1 |
NSE Scripts
Default scripts | nmap -sV -sC 192.168.1.1 |
Script help | nmap –script-help=ssl-heartbleed |
NSE script scan | nmap -sV –script=ssl-heartbleed -p 443 192.168.1.1 |
Scan with scripts sets | nmap -sV –script=smb* 192.168.1.1 |
column1 | nmap –script-help=scriptname |
HTTP Service Discovery
Get page title | nmap –script=http-title 192.168.1.0/24 |
Get HTTP header | nmap –script=http-headers 192.168.1.0/24 |
Find web apps | nmap –script=http-enum 192.168.1.0/24 |
Fine-Grained Timing
Parallel host scan group sizes | –min-hostgroup/max-hostgroup <size> |
Probe parallelization | –min-parallelism/max-parallelism <numprobes> |
Specifies probe round trip time | –min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> |
Caps number of port scan probe retransmissions |
–max-retries <tries> |
Give up on target after time | –host-timeout <time> |
Adjust delay between probes | –scan-delay/–max-scan-delay <time> |
Send packets no slower | –min-rate <number> |
column1 | –max-rate <number> |