Public Domain
Zenmap : Nmap GUI
Scanning :
host discovery (network mapping)
operating system detection
active ports
services & version detection
Help : nmap -h
Normal scan : nmap 127.0.0.1
Verbose : nmap -v 127.0.0.1
No DNS resolve : nmap -v -n 127.0.0.1
Do DNS resolve : nmap -v -R 127.0.0.1
Version Scan : nmap -v -n -sV 127.0.0.1
Port numbers : nmap -v -n -sV -p1-65535 127.0.0.1
Skip ping (-PN, formerly -P0) : nmap -v -n -sV -p1-65535 -PN 127.0.0.1
Ping scan : nmap -v -n -sP 192.168.1.0/24
Normal output file : nmap -v -n -sP -oN up-hosts 192.168.1.0/24
Grepable output file : nmap -v -n -sP -oG up-hosts 192.168.1.0/24
List IPs : echo $(grep "Host:" up-hosts | awk '{print$2}') > IPs
Scan IP List : nmap -v -n -iL IPs > net-scan-info
nmap -v -n -A -iL IPs > OS-Svc-info
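The grep/awk pipeline above pulls host addresses out of grepable (-oG) output. As an added example (not from the original notes), here is a small parser for the same format that also walks the Ports: field, run over a constructed -oG sample; the sample text, host addresses and versions in it are made up for illustration.

```python
# Constructed sample of nmap -oG output (not a real scan); fields are tab-separated.
SAMPLE_OG = """\
# Nmap 6.25 scan initiated Tue Jan 15 12:00:00 2013 as: nmap -v -n -sV -oG up-hosts 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/, 80/open/tcp//http//Apache httpd 2.2.22/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 53/open|filtered/udp//domain///\tIgnored State: closed (999)
# Nmap done at Tue Jan 15 12:01:00 2013 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

def parse_grepable(text):
    """Return {ip: {"status": ..., "ports": [dict, ...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # skip the '# Nmap ...' header/footer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]         # "Host: 192.168.1.1 ()" -> address
        entry = hosts.setdefault(ip, {"status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    # each item is port/state/protocol/owner/service/rpc info/version/
                    p = item.split("/")
                    entry["ports"].append({
                        "port": int(p[0]), "state": p[1], "proto": p[2],
                        "service": p[4], "version": "/".join(p[6:-1])})
    return hosts

def up_hosts(text):
    """Unique hosts reported Up: the same idea as grep "Host:" | awk '{print $2}'."""
    return [ip for ip, e in parse_grepable(text).items() if e["status"] == "Up"]

def open_ports(hosts, states=("open",), protos=("tcp",)):
    """Flatten to (ip, port, proto, service) tuples for the wanted states/protocols."""
    return [(ip, p["port"], p["proto"], p["service"])
            for ip, e in hosts.items() for p in e["ports"]
            if p["state"] in states and p["proto"] in protos]

if __name__ == "__main__":
    for row in open_ports(parse_grepable(SAMPLE_OG)):
        print(row)
```

Note that with -sV each host produces a Status line and a Ports line, so the raw grep pipeline lists that host twice; the parser above deduplicates.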
nmap -sV 172.16.20.2
--allports
--version-intensity 0-9 / default 7
--version-all intensity 9
--version-light quick - intensity 2
--version-trace debug info
nmap -O 127.0.0.1
--osscan-limit at least one open port and one closed port
--osscan-guess aggressively guess
--max-os-tries 1 [5 or 2]
-T0 Paranoid 5 min
-T1 Sneaky 15 Sec
-T2 Polite 0.4
-T3 Normal parallel
-T4 Aggressive 10 ms
-T5 Insane 5 ms
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
nmap --scanflags SYN -PN -n -p135 192.168.194.17
--scanflags URGACKPSHRSTSYNFIN : URG ACK PSH RST SYN FIN
nmap 192.168.1.0/24
nmap 192.168.100.10-25
nmap myhost.xyz.com
nmap 192.168.3-5,7.1
192.168.3.1
192.168.4.1
192.168.5.1
192.168.7.1
nmap 192.168.5,10,15-16.10,20
192.168.5.10
192.168.5.20
192.168.10.10
192.168.10.20
192.168.15.10
192.168.15.20
192.168.16.10
192.168.16.20
nmap -n -v -sP -PE 192.168.2,1,3-7.-
192.168.2.0-255
192.168.1.0-255
192.168.3.0-255
192.168.4.0-255
192.168.5.0-255
192.168.6.0-255
192.168.7.0-255
nmap 0-255.0-255.13.37
Internet-wide scan for all IP addresses ending in 13.37
nmap -n -v -sP --exclude 192.168.1.11-13,192.168.1.15 192.168.1.7-16
192.168.1.7
192.168.1.8
192.168.1.9
192.168.1.10
192.168.1.14
192.168.1.16
nmap -n -v -sP --excludefile filename.txt 192.168.0.0/16
(tab, space, or newline delimited)
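The target expressions above (per-octet ranges, comma lists, a bare "-" for 0-255, CIDR, --exclude) follow fixed rules. As an added example that is not part of the original notes, this expander reproduces the address lists shown above for the page's own examples; it handles IPv4 expressions only (hostnames such as myhost.xyz.com are rejected) and --excludefile is not modelled.

```python
import ipaddress
import itertools

def _expand_octet(spec):
    """Expand one octet field: '5', '3-5,7', '-' (0-255), '-100' (0-100), '60-' (60-255)."""
    values = []
    for part in spec.split(","):
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 255
        else:
            lo = hi = int(part)          # raises ValueError for hostnames
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet range: " + part)
        values.extend(range(lo, hi + 1))
    return values

def expand_target(spec):
    """Expand one nmap IPv4 target expression (octet ranges/lists or CIDR)."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets, got: " + spec)
    # product() varies the last octet fastest, the order shown in the examples above
    return [".".join(map(str, combo))
            for combo in itertools.product(*[_expand_octet(o) for o in octets])]

def expand_targets(specs, exclude=()):
    """Expand several targets, dropping anything covered by --exclude style specs."""
    excluded = set()
    for e in exclude:
        excluded.update(expand_target(e))
    seen, result = set(), []
    for spec in specs:
        for ip in expand_target(spec):
            if ip not in excluded and ip not in seen:
                seen.add(ip)
                result.append(ip)
    return result

if __name__ == "__main__":
    # mirrors: nmap --exclude 192.168.1.11-13,192.168.1.15 192.168.1.7-16
    for ip in expand_targets(["192.168.1.7-16"], exclude=["192.168.1.11-13", "192.168.1.15"]):
        print(ip)
```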
-r: Scan ports consecutively - don't randomize
nmap -r -n -v --reason 127.0.0.1
single Port : nmap -p80 192.168.1.0/24
Port range : nmap -p130-140 192.168.1.100
start from 1 : nmap -p-100 192.168.1.100
to 65535 : nmap -p60000- 192.168.1.100
from 1 to 65535 : nmap -p- 192.168.1.100
different tcp/udp ports : nmap -sU -sS -p U:53,T:80,134-139 192.168.1.100
port name :
egrep '^http' /usr/share/nmap/nmap-services
nmap -p ftp,http* 192.168.1.100
port range limited to the ports listed in nmap-services (bracket syntax; quote it so the shell does not treat it as a glob) :
nmap -p '[6000-6100]' 192.168.100.0/24
Fast scan / fewer ports :
nmap -F 192.168.1.100
custom nmap-services :
nmap --servicedb /root/my-services 172.16.20.2
IP Protocol scan :
nmap -sO 172.16.20.2
ICMP echo request :(8->0) nmap -n -v -sP -PE 192.168.194.18
ICMP timestamp request :(13-14) nmap -n -v -sP -PP 192.168.194.18
ICMP address mask request:(17-18) nmap -n -v -sP -PM 192.168.194.18
ARP ping : nmap -n -v -sP -PR 172.16.20.2
Disable ARP ping : nmap -n -v -sP --send-ip 172.16.20.2
TCP SYN ping :(SYN/ACK-RST) nmap -n -v -sP -PS80 --reason 192.168.194.18
TCP ACK ping :(RST) nmap -n -v -sP -PA80 --reason 192.168.194.18
UDP ping : (closed port 31338 -> ICMP udp port unreachable) nmap -n -v -sP -PU --reason 192.168.194.18
Discovery : nmap -n -v -sP -PS -PA -PU 192.168.194.18
IP ping : nmap -n -v -sP -PO1 192.168.194.18
1 ICMP
2 IGMP
4 IP-IP
No ping : -PN (-P0) Disable host discovery
List targets : (DNS) nmap -sL 4.2.2.1-6
--dns-servers <srv1[,srv2],...>
--system-dns
nmap -n -v -sP -PN -PS 192.168.2.0/24
Open / Closed / Filtered / Unfiltered / Open|filtered / Closed|filtered
TCP SYN : (SYN/ACK - RST) nmap -sS 127.0.0.1
TCP connection scan : nmap -sT 127.0.0.1
UDP scan : (open|filtered) nmap -sU 127.0.0.1
IP protocol scan : nmap -sO 127.0.0.1
TCP SYN / all ports nmap -p1-65535 -sS 127.0.0.1
TCP SYN / version scan / all ports nmap -v -sV -p1-65535 -sS 127.0.0.1
TCP SYN / display the reason a port state
nmap -n -v --reason -sS 172.16.20.2
nmap -n -v --traceroute -sS -sP 172.16.20.2
On an RFC 793 compliant stack, any packet not containing a SYN, RST, or ACK flag results in a returned RST if the port is closed and no response if the port is open (reported as open|filtered).
TCP Null : (RST:Close ; "":Open|Filter) nmap -p80 -n -v -sN 172.16.20.2
TCP FIN : (RST:Close ; F:Open|Filtered) nmap -p80 -n -v -sF 172.16.20.2
TCP Xmas : (RST:Close ; FPU:open|Filter) nmap -p80 -n -v -sX 172.16.20.2
Firewall scan :
TCP ACK:(RST:Unfiltered ; "" or ICMP ERR:Filter) nmap -p80 -n -v -sA 172.16.20.2
TCP Idle Scan (-sI):
http://nmap.org/book/idlescan.html
Idle scan : nmap -p80 -n -v --send-ip -PN -sI 172.16.20.3 172.16.20.2
* TCP SYN SCAN : SYN/ACK = Open RST = Close
* unsolicited SYN/ACK : RST
* unsolicited RST : ignored
* IP packet : fragment identification number (IP ID) : reveals how many packets the zombie has sent since the last probe.
Open Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN)
Target -> Zombie (SYN/ACK)
Zombie -> Target (RST IPID=31338)
Scanner -> Zombie (SYN/ACK IPID=31339)
Close Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN)
Target -> Zombie (RST/Ignore)
Scanner -> Zombie (SYN/ACK IPID=31338)
Filter Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN/No response)
Scanner -> Zombie (SYN/ACK IPID=31338)
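The three exchanges above are decided entirely by the zombie's IP ID delta. As an added example that is not part of the original notes, this is a simulation of that exchange with a zombie whose IP ID increments per packet sent (starting at 31337 as in the diagrams) and a target with open, closed and filtered ports; the classes and their behaviour are a simplified model, not nmap's code.

```python
class Zombie:
    """Idle host model: its IP ID rises by one on every packet it sends; it answers
    an unsolicited SYN/ACK with RST and silently ignores an unsolicited RST."""
    def __init__(self, ipid=31336):        # next packet it sends carries 31337
        self.ipid = ipid

    def _send(self):
        self.ipid = (self.ipid + 1) & 0xFFFF   # 16-bit field, wraps at 65535
        return self.ipid

    def receive(self, flags):
        if flags == "SYN/ACK":
            return ("RST", self._send())   # RST carries the current IP ID
        return None                         # RST (or nothing): no reply, IP ID unchanged

class Target:
    """Target model: open -> SYN/ACK, closed -> RST, filtered -> no reply."""
    def __init__(self, ports):
        self.ports = ports                  # port -> "open" | "closed" | "filtered"

    def receive(self, port):
        state = self.ports.get(port, "closed")
        return {"open": "SYN/ACK", "closed": "RST"}.get(state)

def probe_zombie(zombie):
    """Scanner -> Zombie SYN/ACK; the RST that comes back reveals the IP ID."""
    return zombie.receive("SYN/ACK")[1]

def idle_scan(zombie, target, port):
    """Classify one target port from the zombie's IP ID delta: 2 open, 1 closed|filtered."""
    before = probe_zombie(zombie)
    reply = target.receive(port)            # SYN carrying the zombie's source address
    if reply is not None:
        zombie.receive(reply)               # target answers the zombie, not the scanner
    after = probe_zombie(zombie)
    delta = (after - before) & 0xFFFF
    return {2: "open", 1: "closed|filtered"}.get(delta, "unknown (zombie not idle)")

if __name__ == "__main__":
    t = Target({80: "open", 81: "closed", 82: "filtered"})
    for p in (80, 81, 82):
        print(p, idle_scan(Zombie(), t, p))
```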
Another stealthy scan method is the FTP bounce scan (-b). The FTP bounce scan uses the FTP proxy feature on an FTP server to scan a target from the FTP server instead of your system. The FTP proxy feature allows you to log into an FTP server and request a file to be sent to another system. By sending files to a target system and port you can determine whether a port is open or closed. Most FTP servers no longer support this functionality, but some are still available. The FTP bounce scan can be used to bypass firewalls by scanning from an organization's FTP server, which may be on an internal network, or allowed to the internal network by the firewall rules.
BY: Pejman Moghadam
TAG: nmap
DATE: 2013-01-15 12:08:54