Base nmap Syntax:
nmap [ScanType] [Options] {targets}
If no port range is specified, Nmap scans the 1,000 most popular ports.
Port Specification:
-p <port1>-<port2>: Scans a port range
-p <port1>,<port2>,...: Scans a port list
-pU:53,U:110,T:20-445: Mix TCP and UDP
-r: Scans linearly (does not randomize ports)
--top-ports <n>: Scans the n most popular ports
-p-65535: Leaving off the initial port in a range makes Nmap start scanning at port 1
-p-: Leaving off the end port in a range makes Nmap scan all ports
-F: Fast (limited port) scan
Port States:
- Open: An application is listening for connections on this port.
- Closed: The probes were received, but no application is listening on this port.
- Filtered: The probes were not received and the state could not be established; this usually means the probes are being dropped by some kind of filtering (firewall, router ACL, host-based filter).
- Unfiltered: The probes were received, but a state could not be established.
- Open/Filtered: The port is either filtered or open, but Nmap couldn't establish which.
- Closed/Filtered: The port is either filtered or closed, but Nmap couldn't establish which.
Scan Types:
-sn: Probe only (host discovery, not port scan)
-sS: SYN Scan
-sT: TCP Connect Scan
-sU: UDP Scan
-sV: Version Scan
-O: Used for OS Detection/fingerprinting
--scanflags: Sets a custom list of TCP flags using URG, ACK, PSH, RST, SYN, FIN in any order
Probing Options:
-Pn: Don't probe (assume all hosts are up)
-PB: Default probe (TCP 80, 445 & ICMP)
-PS<portlist>: Checks if systems are online by probing TCP ports
-PE: Using ICMP Echo Request
-PP: Using ICMP Timestamp Request
-PM: Using ICMP Netmask Request
Timing Templates:
-T0 (Paranoid): Very slow, used for IDS evasion
-T1 (Sneaky): Quite slow, used for IDS evasion
-T2 (Polite): Slows down to consume less bandwidth, runs ~10 times slower than default
-T3 (Normal): Default, a dynamic timing model based on target responsiveness
-T4 (Aggressive): Assumes a fast and reliable network and may overwhelm targets
-T5 (Insane): Very aggressive; will likely overwhelm targets or miss open ports
Fine-grained Timing Options:
--min-hostgroup/--max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>: Specifies probe round trip time
--max-retries <tries>: Caps the number of port scan probe retransmissions
--host-timeout <time>: Gives up on a target after this long
--scan-delay/--max-scan-delay <time>: Adjusts the delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
The command nmap -D RND:10,target_ip uses Nmap's decoy scanning feature, with -D specifying decoys. RND:10 instructs Nmap to generate 10 random decoy IP addresses in addition to your real IP. This technique is specifically used for "IDS/IPS evasion".
When you use this command, Nmap sends probes to the target from both your real IP and the set of decoy IPs. To the target’s IDS, it appears as if multiple different hosts (yourself and the decoys) are simultaneously scanning it, making it difficult to determine which IP is the actual source of the scan. Modern IDS solutions may flag all the scanning IPs, or SYN-flood protections might trigger if the number of decoys is high. Additionally, the success of this technique can depend on the IDS/IPS/security tool configuration and whether spoofed packets can traverse the network to the target.
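From the defender's side, the observable effect of a decoy scan is the one described above: several source addresses probing the same target across many ports in the same short window. The following is an added example (not part of the original cheat sheet) that groups SYN records per destination and flags such bursts. It runs over a small set of constructed log lines in an assumed `"<ISO time> SYN <src> -> <dst>:<dport>"` layout rather than any real vendor format; the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample():
    """Constructed sample (not real traffic): three sources, one scanner plus
    two decoys, hit 10.0.0.5 on ports 20..34 within ~3 seconds. One unrelated
    connection to 10.0.0.8 is included as benign noise."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(20, 35)):
        for src in ("198.51.100.7", "203.0.113.9", "192.0.2.44"):
            t = base + timedelta(milliseconds=200 * i)
            lines.append(f"{t.isoformat()} SYN {src} -> 10.0.0.5:{port}")
    t = base + timedelta(seconds=5)
    lines.append(f"{t.isoformat()} SYN 10.0.0.20 -> 10.0.0.8:443")
    return lines


SAMPLE_LOG = _build_sample()


def parse_line(line):
    """Split one assumed-format record into (timestamp, flag, src, dst_ip, dport)."""
    ts, flag, src, _arrow, dst = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), flag, src, dst_ip, int(dport)


def find_scan_bursts(lines, window=timedelta(seconds=60), min_ports=10, min_sources=2):
    """Return {dst_ip: {...}} for every destination where at least min_sources
    distinct sources sent SYNs to at least min_ports distinct ports inside one
    sliding window. All sources in the burst are reported: as the text above
    notes, the log alone cannot tell the real origin from the decoys."""
    by_dst = defaultdict(list)
    for line in lines:
        ts, flag, src, dst_ip, dport = parse_line(line)
        if flag == "SYN":
            by_dst[dst_ip].append((ts, src, dport))

    hits = {}
    for dst_ip, events in by_dst.items():
        events.sort()  # by timestamp, then source, then port
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            ports = {p for _, _, p in span}
            sources = {s for _, s, _ in span}
            if len(ports) >= min_ports and len(sources) >= min_sources:
                if best is None or len(ports) > best["ports"]:
                    best = {
                        "sources": sorted(sources),
                        "ports": len(ports),
                        "first_seen": span[0][0].isoformat(),
                        "last_seen": span[-1][0].isoformat(),
                    }
        if best:
            hits[dst_ip] = best
    return hits


if __name__ == "__main__":
    for dst, info in find_scan_bursts(SAMPLE_LOG).items():
        print(f"{dst}: {info['ports']} ports from {len(info['sources'])} sources "
              f"between {info['first_seen']} and {info['last_seen']}")
        for src in info["sources"]:
            print(f"  suspect source: {src}")
```

The detector deliberately keys on the destination rather than the source: per-source rate limits are exactly what a decoy scan is designed to stay under, while the target-side port spread is unchanged by the number of decoys. In the sample, the single connection to 10.0.0.8 is not reported, and the 10.0.0.5 burst is reported once with all three sources listed.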
The full list of Nmap Scripting Engine scripts: http://nmap.org/nsedoc/
nmap -sC runs default scripts...
Running individual or groups of scripts:
nmap --script=<ScriptName> | <ScriptCategory> | <ScriptDir>
Using the list of script arguments:
nmap --script-args=<Name1=Value1,...>
Updating the script database:
nmap --script-updatedb
Some particularly useful scripts include:
- dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.
$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>
- http-robots.txt: Harvests robots.txt files from discovered web servers.
$ nmap --script http-robots.txt <hosts>
- smb-brute: Attempts to determine valid username and password combinations via automated guessing.
$ nmap --script smb-brute.nse -p445 <hosts>
- smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as script-args.
$ nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>
The most common Nmap scripting engine categories:
- auth: Utilize credentials or bypass authentication on target hosts.
- broadcast: Discover hosts not included on command line by broadcasting on local network.
- brute: Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc.
- default: Scripts run automatically when -sC or -A are used.
- discovery: Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
- dos: May cause denial of service conditions in target hosts.
- exploit: Attempt to exploit target systems.
- external: Interact with third-party systems not included in target list.
- fuzzer: Send unexpected input in network protocol fields.
- intrusive: May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
- malware: Look for signs of malware infection on the target hosts.
- safe: Designed not to impact target in a negative fashion.
- version: Measure the version of software or protocols on the target hosts.
- vuln: Measure whether target systems have a known vulnerability.
Output Formats:
-oN: Standard Nmap output
-oG: Greppable format
-oX: XML format
-oA: Generate Nmap, Greppable, and XML output files using <basename> for the files
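The greppable format is the one most often post-processed in one-off scripts, and the port states listed earlier are exactly what appear in its `Ports:` field. The following is an added example (not part of the original cheat sheet and not Nmap's own code) that parses a constructed `-oG` sample, tallies port states per host and pulls out the open services. The sample hosts, versions and scan line are constructed, not from a real scan.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Nmap greppable (-oG) output; not a real scan.
# Fields are tab-separated; each port entry is
#   port/state/protocol/owner/service/rpc/version/
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -oG - 10.0.0.5 10.0.0.6
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/filtered/tcp//https///, 3306/closed/tcp//mysql///\tIgnored State: closed (996)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 53/open|filtered/udp//domain///\tIgnored State: closed (999)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Seven slash-separated fields; state may be a combined value like open|filtered.
PORT_RE = re.compile(r"^(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")


def parse_greppable(text):
    """Return {ip: [ {port, state, proto, service, version}, ... ]}.

    Comment lines and Status-only lines are skipped (the host still gets an
    empty list so 'up but nothing reported' is visible)."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts[ip]  # register the host even if only a Status line was seen
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.match(entry.strip())
                if not m:
                    continue  # skip anything that is not a well-formed port entry
                port, state, proto, _owner, service, _rpc, version = m.groups()
                hosts[ip].append({
                    "port": int(port),
                    "state": state,
                    "proto": proto,
                    "service": service,
                    "version": version,
                })
    return dict(hosts)


def state_summary(hosts):
    """Per-host count of each port state, using Nmap's own state names."""
    return {ip: dict(Counter(p["state"] for p in ports)) for ip, ports in hosts.items()}


def open_services(hosts):
    """(ip, port, proto, service, version) for ports reported as open,
    which is the list a reviewer usually wants first."""
    return [
        (ip, p["port"], p["proto"], p["service"], p["version"])
        for ip, ports in sorted(hosts.items())
        for p in ports
        if p["state"] == "open"
    ]


if __name__ == "__main__":
    parsed = parse_greppable(SAMPLE_OG)
    for ip, counts in state_summary(parsed).items():
        print(ip, counts)
    for row in open_services(parsed):
        print("open:", *row)
```

Note that `open|filtered` arrives as a single state token (the "Open/Filtered" case from the port-state list), so a script that only looks for the literal string `open` will silently miss UDP results; matching on the whole state field, as above, keeps that ambiguity visible. For anything beyond quick one-liners, Nmap's XML output (`-oX`) is the format intended for programmatic parsing.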
Misc Options:
-n: Disables reverse IP address lookups
-6: Uses IPv6 only
-A: Uses several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute
--reason: Displays the reason Nmap thinks that the port is open, closed, or filtered