# NMAP

### Usage:

#### Command line:

```
sudo nmap <ip> <options> 
```

If you don't run with sudo, results will vary: without root Nmap cannot send raw packets, so it falls back to a TCP connect scan and cannot do SYN scans, UDP scans or OS detection.

### Syntax:

#### Extra:

* -A
  * OS detection, Version detection, script scanning
* DNS

Find DNS servers in a network (TCP port 53 open):

```
sudo nmap -Pn --open <network ID>/<subnet #> -p T:53 -oG <file-name>.txt
```

Clean the grepable output down to just the DNS server addresses:

```
# drop the "# Nmap ..." header/footer, then drop the "Ports:" lines (they contain "/")
# so each host is listed once; the address is the second field of "Host: <ip> (<name>)"
grep -v Nmap <file-name>.txt | grep -v / | awk '{print $2}'
```
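The pipeline above works for the one-port DNS case but relies on every remaining line being a host you want. The following is an added example (not part of the original notes) that parses the same `-oG` format more generally: it reads grepable output, and prints only hosts where a given port/protocol is actually in state `open`. The sample output is constructed to look like what `sudo nmap -Pn --open 10.0.0.0/29 -p T:53 -oG -` could print; the addresses, hostnames and states are made up, only the field layout is the real grepable format.

```shell
#!/bin/sh
# Added example, not from the original notes: list hosts that have PORT/PROTO
# open, parsed from Nmap grepable (-oG) output on stdin.

# Constructed sample of -oG output (made-up hosts; tab-separated fields,
# "/"-separated port entries exactly as Nmap writes them).
sample_gnmap() {
  printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -Pn --open 10.0.0.0/29 -p T:53 -oG -'
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.1 ()\tPorts: 53/open/tcp//domain///\n'
  printf 'Host: 10.0.0.2 (ns2.example.test)\tStatus: Up\n'
  printf 'Host: 10.0.0.2 (ns2.example.test)\tPorts: 53/open/tcp//domain///\n'
  printf 'Host: 10.0.0.3 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.3 ()\tPorts: 53/filtered/tcp//domain///\n'
  printf 'Host: 10.0.0.4 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 53/open|filtered/udp//domain///\n'
  printf 'Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///\tIgnored State: closed (998)\n'
  printf '%s\n' '# Nmap done -- 8 IP addresses (8 hosts up) scanned in 5.00 seconds'
}

# open_hosts PORT PROTO   (grepable output on stdin, one IP per line on stdout)
open_hosts() {
  awk -v want_port="$1" -v want_proto="$2" '
    /^#/ { next }                          # "# Nmap ..." header and footer
    /Ports:/ {
      ip = $2                              # "Host:" is $1, the address is $2
      sub(/\tIgnored State:.*$/, "")       # trailing summary of unlisted ports
      sub(/^.*Ports: /, "")                # keep only the port list
      n = split($0, entries, /, */)        # entries are comma separated
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")          # port/state/proto/owner/service/...
        if (f[1] == want_port && f[2] == "open" && f[3] == want_proto) {
          print ip
          break                            # one line per host is enough
        }
      }
    }'
}

# Demo on the constructed sample; on a real scan: open_hosts 53 tcp < scan.gnmap
sample_gnmap | open_hosts 53 tcp
```

Note that `open|filtered` (what a UDP scan reports when nothing answers) is deliberately not treated as open, and a host that only has a `Status: Up` line (10.0.0.4, which would appear under `-Pn` even with no open ports) is not listed.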

#### Ports:

* -p
  * Will scan the specified port(s)
  * T: TCP only
  * U: UDP only
  * Can do a range and protocol specification:
    * `nmap <ip> -p T:22,U:4000`
* -sP or -sn
  * No port scan

#### Host Discovery:

* -Pn
  * no ping / no host discovery
* -sL
  * List scan: just lists the targets (with reverse DNS lookups) without probing them, instead of doing host discovery
* \--traceroute
  * Enables traceroute functionality

#### Timing:

* -T0 to -T5
  * The lower the number, the slower the scan; T5 means you don't care if you set off alarms
  * T0 sends about 1 probe every \~5 minutes

#### Services:

* -sV
  * Perform service/version detection

#### Scan Types:

* -sT
  * TCP Connect
  * Completes 3 way handshake
* -sU
  * UDP Scan
  * Fast
* -O
  * Enables OS Detection

#### Output:

* -oG -
  * Makes the nmap output 'grepable'; the trailing `-` sends it to stdout instead of a file

#### Scripts: <https://www.redhat.com/sysadmin/nmap-scripting-engine>

* \--script
  * Allows you to specify the scripts

### Resources:


<https://nmap.org/book/man-host-discovery.html>
