Nmap Notes 
==========

Public Domain
********************************************************************************
### nmap : Network Mapper (http://nmap.org)

    Zenmap : Nmap GUI

    Scanning :
      host discovery (network mapping)
      operating system detection
      active ports
      services & version detection 

********************************************************************************
### Common options 

    Help :                  nmap -h
    Normal scan :           nmap 127.0.0.1
    Verbose :               nmap -v 127.0.0.1
    No DNS resolve :        nmap -v -n 127.0.0.1
    Do DNS resolve :        nmap -v -R 127.0.0.1
    Version Scan :          nmap -v -n -sV 127.0.0.1
    Port numbers :          nmap -v -n -sV -p1-65535 127.0.0.1 
    Skip ping (P0) :        nmap -v -n -sV -p1-65535 -PN 127.0.0.1 
    Ping scan :             nmap -v -n -sP 192.168.1.0/24 
    Normal output file :    nmap -v -n -sP -oN up-hosts 192.168.1.0/24
    Grepable output file :  nmap -v -n -sP -oG up-hosts 192.168.1.0/24
    List IPs :              echo $(grep "Host:" up-hosts  | awk '{print$2}') > IPs
    Scan IP List :          nmap -v -n -iL IPs > net-scan-info

********************************************************************************
### OS detection, Version detection, Script scanning,  Traceroute

    nmap -v -n -A -iL IPs > OS-Svc-info 

********************************************************************************
### Version detection (/usr/share/nmap/nmap-service-probes)

       nmap -sV 172.16.20.2
          --allports
          --version-intensity    0-9 / default 7
          --version-all          intensity 9
          --version-light        quick - intensity 2
          --version-trace        debug info 

********************************************************************************
### OS detection only

    nmap -O 127.0.0.1

       --osscan-limit  at least one open port and one closed port
       --osscan-guess  aggressively guess
       --max-os-tries  1      [5 or 2]


********************************************************************************
### Optimization

    -T0        Paranoid        5 min
    -T1        Sneaky          15 Sec
    -T2        Polite          0.4
    -T3        Normal          parallel
    -T4        Aggresive       10 ms
    -T5        insane          5 ms
    
Options which take <time> are in milliseconds, unless you append 's'
(seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

    --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
    --max-retries <tries>: Caps number of port scan probe retransmissions.
    --host-timeout <time>: Give up on target after this long
    --scan-delay/--max-scan-delay <time>: Adjust delay between probes
    --min-rate <number>: Send packets no slower than <number> per second
    --max-rate <number>: Send packets no faster than <number> per second
********************************************************************************
### Custom TCP scan

    nmap  --scanflags SYN  -PN -n -p135 192.168.194.17

    --scanflags URGACKPSHRSTSYNFIN :  URG ACK PSH RST SYN FIN

********************************************************************************
### Target Specifcation

    nmap 192.168.1.0/24 
    nmap 192.168.100.10-25 
    nmap myhost.xyz.com

    nmap 192.168.3-5,7.1

         192.168.3.1
         192.168.4.1
         192.168.5.1
         192.168.7.1

    nmap 192.168.5,10,15-16.10,20

         192.168.5.10
         192.168.5.20
         192.168.10.10
         192.168.10.20
         192.168.15.10
         192.168.15.20
         192.168.16.10
         192.168.16.20

    nmap -n -v -sP -PE 192.168.2,1,3-7.-

          192.168.2.0-255
          192.168.1.0-255
          192.168.3.0-255
          192.168.4.0-255
          192.168.5.0-255 
          192.168.6.0-255
          192.168.7.0-255

    nmap 0-255.0-255.13.37
       Internet-wide scan for all IP addresses ending in 13.37

    nmap -n -v -sP --exclude 192.168.1.11-13,192.168.1.15 192.168.1.7-16

         192.168.1.7
         192.168.1.8
         192.168.1.9
         192.168.1.10
         192.168.1.14
         192.168.1.16

    nmap -n -v -sP --excludefile filename.txt 192.168.0.0/16
        (tab, space, or newline delimited)

********************************************************************************
### Port Specification (/usr/share/nmap/nmap-services)

    -r: Scan ports consecutively - donīt randomize
          nmap -r -n -v --reason 127.0.0.1

    single Port :   nmap -p80 192.168.1.0/24
    Port range :    nmap -p130-140 192.168.1.100
    start from 1 :  nmap -p-100 192.168.1.100
    to 65535     :  nmap -p60000- 192.168.1.100
    from 1 to 65535 : nmap -p- 192.168.1.100
    different tcp/udp ports :  nmap -sU -sS -p U:53,T:80,134-139 192.168.1.100

    port name :
      egrep '^http' /usr/share/nmap/nmap-services
      nmap -p ftp,http* 192.168.1.100

    port range from file : 
      nmap -p[6000-6100] 192.168.100.0/24

    Fast scan / fewer ports :
      nmap -F 192.168.1.100 

    custome nmap-services :
      nmap --servicedb /root/my-services 172.16.20.2

    IP Protocol scan :
      nmap -sO 172.16.20.2

********************************************************************************
### Host discovery

    ICMP echo request :(8->0)              nmap -n -v -sP -PE 192.168.194.18
    ICMP timestamp request :(13-14)        nmap -n -v -sP -PP 192.168.194.18
    ICMP address mask request:(17-18)      nmap -n -v -sP -PM 192.168.194.18
    ARP ping :                             nmap -n -v -sP -PR 172.16.20.2
    Disable ARP ping :                     nmap -n -v -sP --send-ip 172.16.20.2
    TCP SYN ping :(SYN/ACK-RST)            nmap -n -v -sP -PS80 --reason 192.168.194.18
    TCP ACK ping :(RST)                    nmap -n -v -sP -PA80 --reason 192.168.194.18
    UDP ping (close/31338/ICMP udp port unreachable) nmap -n -v -sP -PU --reason 192.168.194.18 
    Discovery :                            nmap -n -v -sP -PS -PA -PU 192.168.194.18
    IP ping :                              nmap -n -v -sP -PO1 192.168.194.18 
      1 ICMP
      2 IGMP
      4 IP-IP
    No ping : -PN (-P0)  Diable Host Discovery
    List targets : (DNS)                   nmap -sL 4.2.2.1-6
    --dns-servers <srv1[,srv2],...>
    --system-dns

********************************************************************************
### Discovery using TCP SYN 80 without ping 

    nmap -n -v -sP -PN -PS 192.168.2.0/24

********************************************************************************
### Basic Port Scanning 

    Open / Closed / Filtered / Unfiltered / Open|filtered / Closed|filtered
    
    TCP SYN : (SYN/ACK - RST)              nmap -sS 127.0.0.1
    TCP connection scan :                  nmap -sT 127.0.0.1
    UDP scan : (open|filtered)             nmap -sU 127.0.0.1
    IP protocol scan :                     nmap -sO 127.0.0.1


    TCP SYN / all ports                    nmap -p1-65535 -sS 127.0.0.1
    TCP SYN / version scan / all ports     nmap -v -sV -p1-65535 -sS 127.0.0.1


    TCP SYN / display the reason a port state 
                                           nmap -n -v --reason -sS 172.16.20.2

********************************************************************************
###  Traceroute 

    nmap -n -v --traceroute -sS -sP 172.16.20.2

********************************************************************************
### Advanced Port Scanning 
    
    
Any packet not containing a SYN, RST, or ACK flag, will result in a returned RST
if the port is closed and no response if the port is open (reported as open|filtered).
    
    TCP Null  : (RST:Close ; "":Open|Filter)         nmap -p80 -n -v -sN 172.16.20.2
    TCP FIN   : (RST:Close ; F:Open|Filtered)        nmap -p80 -n -v -sF 172.16.20.2
    TCP Xmas  : (RST:Close ; FPU:open|Filter)        nmap -p80 -n -v -sX 172.16.20.2
    
Firewall scan :  

    TCP ACK:(RST:Unfiltered ; "" or ICMP ERR:Filter) nmap -p80 -n -v -sA 172.16.20.2

TCP Idle Scan (-sI):    
[http://nmap.org/book/idlescan.html](http://nmap.org/book/idlescan.html)

    Idle scan : nmap -p80 -n -v --send-ip -PN -sI 172.16.20.3 172.16.20.2 
    
    * TCP SYN SCAN : SYN/ACK = Open RST = Close
    * unsolicited SYN/ACK : RST
    * unsolicited RST : ignored
    * IP packet : fragment identification number (IP ID) : 
        how many packets have been sent since the last probe.
    
    Open Port on target :
    Scanner -> Zombie (SYN/ACK IPID=31337)
    Scanner (Zombie) -> Target (SYN)
    Target -> Zombie (SYN/ACK)
    Zombie -> Target (RST IPID=31338)
    Scanner -> Zombie (SYN/ACK IPID=31339)
    
    Close Port on target :
    Scanner -> Zombie (SYN/ACK IPID=31337)
    Scanner (Zombie) -> Target (SYN)
    Target -> Zombie (RST/Ignore)
    Scanner -> Zombie (SYN/ACK IPID=31338)
    
    Filter Port on target :
    Scanner -> Zombie (SYN/ACK IPID=31337)
    Scanner (Zombie) -> Target (SYN/No response)
    Scanner -> Zombie (SYN/ACK IPID=31338)

Another stealthy scan method is the FTP bounce scan (-b). The FTP bounce scan
uses the FTP proxy feature on an FTP server to scan a target from the FTP server instead
of your system. The FTP proxy feature allows you to log into an FTP server and request
a ?le to be sent to another system. By sending ?les to a target system and port you can
determine whether a port is open or closed. Most FTP servers no longer support this
functionality, but some are still available. The FTP bounce scan can be used to bypass
?rewalls by scanning from an organization?s FTP server, which may be on an internal
network, or allowed to the internal network by the ?rewall rules.

********************************************************************************
### Bookmarks
 
[Nmap Network Scanning](http://nmap.org/book/toc.html)  
[A tcpdump Tutorial and Primer](http://danielmiessler.com/study/tcpdump/)  
[A TCP Tutorial](http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html)  
[TRANSMISSION CONTROL PROTOCOL /  RFC 793](http://tools.ietf.org/html/rfc793)  
[SecTools.Org: Top 125 Network Security Tools](http://sectools.org/)  
[ike-scan: IPSec VPN scanning, fingerprinting and testing tool](http://www.nta-monitor.com/tools-resources/security-tools/ike-scan)  
[Tcpdump : Capturing TCP packets with particular flag combinations](http://www.linuxquestions.org/questions/linux-networking-3/tcpdump-capturing-tcp-packets-with-particular-flag-combinations-669979/)  
[http://www.amap.no/](http://www.amap.no/)  

********************************************************************************
_BY: Pejman Moghadam_  
_TAG: nmap_  
_DATE: 2013-01-15 12:08:54_