Imagine you’re a detective investigating a mysterious house. You want to know how many doors and windows there are, which ones are open, and maybe even what’s happening inside. In the world of computers, Nmap is your detective tool for investigating and understanding what is happening on a computer network.
Nmap, short for Network Mapper, is a powerful open-source tool for network exploration and security auditing, written in C, C++, Python and Lua. It is widely used by network administrators, security professionals and ethical hackers to discover hosts, services and vulnerabilities within a network. Nmap provides a comprehensive set of features for network scanning, ranging from simple host discovery to detailed port and service enumeration. Nmap helps identify all the ways a target could be attacked.
Nmap Use Cases
Nmap is a versatile and powerful tool with various use cases in the realm of cybersecurity, network administration, and system analysis. Here are some common scenarios and use cases where Nmap can be employed:
Network discovery: To find all the devices (host) available on the network.
Port Scanning: To find which ports are open on a device.
Service Version Detection: To determine the specific version of a service running on a port.
OS Detection: To identify the operating system (and OS version) running on a host.
Firewall Testing: Check firewall and IDS settings and configurations.
Penetration Testing: During ethical hacking engagements to identify and fix vulnerabilities.
Vulnerability Assessment: To identify potential weaknesses in a system.
Security Auditing: Helps organizations improve their security posture by identifying potential vulnerabilities.
Network Mapping: Helps visualize the network layout.
Incident Response: To quickly gather information about affected systems.
Scripting Engine: Nmap allows users to run custom scripts to automate specific tasks.
Nmap Options Summary
You can see this option summary by simply running ‘nmap’ with no arguments, ‘man nmap’ or ‘nmap --help’. It does not cover the more advanced usage, though.
Nmap 7.94 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Nmap Commands Cheat Sheet
Here’s a basic-to-advanced Nmap command cheat sheet to help you with network scanning and discovery. In the commands below, [target] is an IP address or hostname.
Target Specification:
nmap [target]: Scan a single target.
nmap [target1 target2 ...]: Scan multiple targets.
nmap 10.129.2.0/24: Scan a network range (CIDR notation).
nmap 10.129.2.0-254: Scan a network range (octet range notation).
nmap -iL [host.lst]: Scan the list of IP addresses or networks given in a file.
Note: Host discovery only works if the hosts’ firewalls let the probes through. A host firewall may drop Nmap’s default ICMP echo requests; when Nmap receives no response it marks that host as inactive (down).
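As an added example (not part of the original post, and not Nmap’s own code), the following Python expands Nmap-style target specifications, the CIDR and octet-range forms shown in the table above, plus the contents of an -iL host list, so you can count how many addresses a scan will touch and confirm that every one of them falls inside an authorised range before the scan is run. The host.lst contents and the authorised scope are constructed for the example; treating lines that begin with # as comments mirrors Nmap’s input-file handling and is an assumption of this example.

```python
import ipaddress
from typing import Iterable, Iterator, List


def _expand_octet(field: str) -> List[int]:
    """Expand one dotted-quad field: '5' -> [5], '1-3' -> [1, 2, 3],
    '-' -> 0..255, and comma-separated combinations such as '3-5,7'."""
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {field!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one Nmap-style target spec:
    CIDR (10.129.2.0/24), octet ranges (10.0.0-255.1-254) or a single address.
    Anything else (a hostname, or hostname/prefix such as microsoft.com/24)
    needs DNS first and is passed through unchanged."""
    spec = spec.strip()
    if not spec:
        return
    if "/" in spec:
        base, prefix = spec.split("/", 1)
        try:
            # strict=False: like Nmap, 10.129.2.7/24 still means the whole /24
            net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
        except ValueError:
            yield spec
            return
        for ip in net:
            yield str(ip)
        return
    fields = spec.split(".")
    if len(fields) == 4 and all(f and all(c.isdigit() or c in "-," for c in f) for f in fields):
        for a in _expand_octet(fields[0]):
            for b in _expand_octet(fields[1]):
                for c in _expand_octet(fields[2]):
                    for d in _expand_octet(fields[3]):
                        yield f"{a}.{b}.{c}.{d}"
        return
    yield spec


def load_target_list(text: str) -> List[str]:
    """Parse -iL file contents: specs separated by whitespace or newlines.
    Assumption of this example: '#' starts a comment, as in Nmap's input files."""
    specs: List[str] = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def out_of_scope(specs: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Return every expanded address that is not inside one of the allowed
    networks. Unresolved hostnames are reported too: they cannot be proven in scope."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    outside: List[str] = []
    for spec in specs:
        for host in expand_target(spec):
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                outside.append(host)
                continue
            if not any(addr in net for net in nets):
                outside.append(host)
    return outside


# Constructed sample host.lst; the 192.168.1.5 entry is deliberately out of scope.
SAMPLE_HOST_LST = """# constructed example input for: nmap -iL host.lst
10.129.2.0/24
10.129.2.200-202   # a range inside the same subnet
192.168.1.5
"""
AUTHORISED_SCOPE = ["10.129.2.0/24"]  # constructed: the range the scan is approved for


def scope_report(text: str, allowed: Iterable[str]) -> dict:
    """Summarise a host list: parsed specs, total address count, addresses outside scope."""
    specs = load_target_list(text)
    total = sum(1 for s in specs for _ in expand_target(s))
    return {"specs": specs, "addresses": total, "outside": out_of_scope(specs, allowed)}


if __name__ == "__main__":
    print(scope_report(SAMPLE_HOST_LST, AUTHORISED_SCOPE))
```

Run against the constructed host.lst, the report shows 260 addresses in three specs and flags 192.168.1.5 as outside the approved /24, which is the kind of check worth making before pointing a scanner at a range.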
Host Discovery:
nmap -sn [target]: Ping scan only; no port scan.
nmap -PR [target]: ARP ping (local network).
nmap -Pn [target]: No ping; treat every host as online and skip host discovery.
nmap -PE [target]: Host discovery using ICMP echo requests.
nmap [target] --disable-arp-ping: Disable the ARP pings.
Note: Both ARP requests and ICMP echo requests are used to determine whether a host is alive.
Port Scanning Basics: a scanned port can be reported in one of six states:
open: A connection to the scanned port was established; an application is accepting TCP connections, UDP datagrams or SCTP associations on it.
closed: The port is accessible (it answers probes) but no application is listening on it.
filtered: Nmap cannot tell whether the port is open or closed because the target sends no response, or returns an error instead of a reply.
unfiltered: Only occurs in the TCP ACK scan; the port is accessible, but the ACK scan cannot tell whether it is open or closed.
open|filtered: Nmap cannot tell whether the port is open or filtered by a firewall because of an unusual (or missing) response, for example a UDP port that does not answer.
closed|filtered: Occurs only in the IP ID idle scan (-sI); Nmap cannot determine whether the port is closed or filtered.
Port Scanning Technique:
nmap -sT [target]: TCP connect scan (full TCP handshake). The default TCP scan for unprivileged users.
nmap -sS [target]: TCP SYN scan (stealth or half-open scan).
nmap -sA [target]: TCP ACK scan (firewall rule detection).
nmap -sU [target]: UDP scan.
nmap --top-ports 10 [target]: Scan the 10 most frequently used ports.
nmap -sN [target]: Null scan; TCP packets are sent with no flags set.
nmap -sF [target]: FIN scan; TCP packets are sent with only the FIN flag set (normally used to close an active connection).
nmap -sX [target]: Xmas scan; TCP packets are sent with the FIN, PSH and URG flags all set.
Note:
By default, Nmap scans the top 1000 TCP ports.
The Nmap TCP connect scan (-sT) uses the TCP three-way handshake to determine whether a port on the target host is open or closed. Nmap sends a SYN packet to the target; the port is considered open if the target responds with a SYN/ACK packet and closed if it responds with an RST packet (RFC 9293).
Null, FIN and Xmas scans are generally used for firewall evasion. Microsoft Windows responds with RST (port closed) to these scans.
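From the defender’s side, the scan types in this table leave characteristic traces: a SYN or connect scan touches many ports on one host in a short burst, while Null, FIN and Xmas probes carry flag combinations that no normal TCP client sends. The Python below, an added example that is not part of the original post, runs those two checks over a handful of constructed firewall log lines. The log format, the addresses, the 60-second window and the 10-port threshold are all made up for the example (it is not a real product’s log format), so adapt the regular expression and thresholds to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed log format for this example: one TCP packet per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z]*)$"
)

# Flag combinations no legitimate TCP client sends; they match the -sN, -sF and -sX scans.
ODD_FLAG_SETS = {
    frozenset(): "NULL scan probe (no flags, -sN)",
    frozenset("F"): "FIN scan probe (FIN only, -sF)",
    frozenset("FPU"): "Xmas scan probe (FIN/PSH/URG, -sX)",
}


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dpt": int(m["dpt"]), "flags": frozenset(m["flags"])}


def classify_flags(flags: frozenset) -> Optional[str]:
    """Return a label when the flag set matches a Null, FIN or Xmas probe, else None."""
    return ODD_FLAG_SETS.get(flags)


def detect_port_sweeps(events: List[dict], window_s: int = 60, min_ports: int = 10) -> List[Tuple[str, str, int]]:
    """Report (src, dst, n) when one source touches >= min_ports distinct ports on one
    host within window_s seconds, using a sliding window over the sorted events per pair."""
    by_pair: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts: List[Tuple[str, str, int]] = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        counts: Dict[int, int] = {}  # distinct ports currently inside the window
        for e in evs:
            counts[e["dpt"]] = counts.get(e["dpt"], 0) + 1
            while (e["ts"] - evs[left]["ts"]).total_seconds() > window_s:
                old = evs[left]["dpt"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_ports:
                alerts.append((src, dst, len(counts)))
                break  # one alert per source/destination pair is enough
    return alerts


def analyse(log_text: str) -> List[str]:
    """Run both checks over a log and return human-readable findings."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    findings: List[str] = []
    for e in events:
        label = classify_flags(e["flags"])
        if label:
            findings.append(f"{e['ts'].isoformat()} {e['src']} -> {e['dst']}:{e['dpt']} {label}")
    for src, dst, n in detect_port_sweeps(events):
        findings.append(f"port sweep: {src} probed {n} distinct ports on {dst} within 60s")
    return findings


# Constructed sample: a 12-port SYN burst, three odd-flag probes, one normal connection, one junk line.
_SWEEP = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} SRC=10.0.0.5 DST=10.129.2.10 PROTO=TCP DPT={p} FLAGS=S" for i, p in enumerate(_SWEEP)]
    + [
        "2024-05-01T10:00:30 SRC=10.0.0.9 DST=10.129.2.10 PROTO=TCP DPT=80 FLAGS=",
        "2024-05-01T10:00:31 SRC=10.0.0.9 DST=10.129.2.10 PROTO=TCP DPT=80 FLAGS=FPU",
        "2024-05-01T10:00:32 SRC=10.0.0.9 DST=10.129.2.10 PROTO=TCP DPT=80 FLAGS=F",
        "2024-05-01T10:01:00 SRC=10.0.0.7 DST=10.129.2.10 PROTO=TCP DPT=443 FLAGS=S",
        "not a firewall line",
    ]
)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed log this produces three odd-flag findings and one port-sweep alert; the lone SYN to port 443 from 10.0.0.7 is ignored, as a single connection should be. The sweep check keys on distinct ports rather than packet count, so retransmissions to one port do not trigger it.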
Port Specification and Scan order:
nmap -p 80 [target]: Scan a single port.
nmap -p 80,443 [target]: Scan multiple ports.
nmap -p 1-100 [target]: Scan a range of ports.
nmap -p- [target]: Scan all ports (1-65535).
nmap -F [target]: Fast scan; only the top 100 ports.
nmap -r [target]: Do not randomize port order; scan ports sequentially from the lowest to the highest.
Service Version Detection:
nmap -sV [target]: Detect service versions on open ports.
nmap -A [target]: Aggressive scan; enables OS detection, version detection, script scanning and traceroute.
Operating System Detection:
nmap -O [target]: Detect the operating system.
Nmap Scripting Engine (NSE):
NSE script categories:
safe: Scripts that will not affect the target.
intrusive: Scripts that may affect the target; not safe.
vuln: Scan for vulnerabilities.
exploit: Attempt to exploit a vulnerability.
auth: Attempt to bypass authentication on a running service.
brute: Attempt to brute-force credentials for running services.
discovery: Query running services for more information about the network.
Options:
nmap -sC [target]: Run the default NSE scripts.
nmap --script [script_category] [target]: Run every script in an NSE category.
nmap --script [script_name] [target]: Run a specific script; run several by separating their names with commas.
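Nmap’s -oX output (see the OUTPUT options above) is the form most easily consumed by tooling, and NSE script results from -sC or --script appear in it as script elements under each port. The Python below, an added example rather than code from the original post or from the Nmap project, parses a small constructed -oX document into host and port records, tallies the port states described earlier on this page, and lists the open ports with whatever -sV recorded, much like --open. The XML is written by hand for the example and its addresses, hostnames and service versions are made up; the element and attribute names follow Nmap’s XML output format.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PortResult:
    protocol: str
    port: int
    state: str  # open, closed, filtered, unfiltered, open|filtered, closed|filtered
    reason: str  # what --reason prints, e.g. syn-ack, reset, no-response
    service: str = ""
    product: str = ""
    version: str = ""
    scripts: Dict[str, str] = field(default_factory=dict)  # NSE script id -> output


@dataclass
class HostResult:
    address: str
    status: str  # up or down
    hostname: str = ""
    ports: List[PortResult] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> List[HostResult]:
    """Walk the nmaprun/host/ports/port structure of an -oX file.
    ElementTree is fine for scans you ran yourself; for XML from an untrusted
    source use defusedxml instead to avoid entity-expansion attacks."""
    root = ET.fromstring(xml_text)
    hosts: List[HostResult] = []
    for h in root.iter("host"):
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = h.find("address")
        status_el = h.find("status")
        host = HostResult(
            address=addr_el.get("addr", "") if addr_el is not None else "",
            status=status_el.get("state", "unknown") if status_el is not None else "unknown",
        )
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name", "")
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None:
                continue
            pr = PortResult(protocol=p.get("protocol", ""), port=int(p.get("portid", "0")),
                            state=st.get("state", ""), reason=st.get("reason", ""))
            svc = p.find("service")
            if svc is not None:
                pr.service, pr.product, pr.version = (svc.get(k, "") for k in ("name", "product", "version"))
            for s in p.findall("script"):
                pr.scripts[s.get("id", "")] = s.get("output", "")
            host.ports.append(pr)
        hosts.append(host)
    return hosts


def state_counts(hosts: List[HostResult]) -> Dict[str, int]:
    """Tally ports per state across all hosts (the six states from the table above)."""
    counts: Dict[str, int] = {}
    for h in hosts:
        for p in h.ports:
            counts[p.state] = counts.get(p.state, 0) + 1
    return counts


def open_ports(hosts: List[HostResult]) -> List[Tuple[str, str, int, str]]:
    """(address, protocol, port, 'service product version') for every open port."""
    result = []
    for h in hosts:
        for p in h.ports:
            if p.state == "open":
                result.append((h.address, p.protocol, p.port,
                               " ".join(x for x in (p.service, p.product, p.version) if x)))
    return result


# Constructed sample -oX output (made-up hosts and versions) for: nmap -sS -sV -sC -oX scan.xml
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -sC -oX scan.xml 10.129.2.10-11" version="7.94">
<host><status state="up" reason="arp-response"/><address addr="10.129.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
<script id="http-title" output="Welcome"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.129.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    print(state_counts(hosts))
    for row in open_ports(hosts):
        print(row)
```

Keeping the reason attribute alongside each state lets you tell a port reported filtered because nothing came back apart from one reported filtered because an ICMP error arrived, which matters when you are diagnosing firewall rules from a scan you ran against your own systems.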