NMAP

Usage:

Command line:

sudo nmap <ip> <options> 

If you don't run it with sudo, results will vary (several scan types need raw-socket privileges).

Syntax:

Extra:

  • -A

    • OS detection, Version detection, script scanning

  • DNS

Find dns server in a network:

sudo nmap -Pn --open <network ID>/<subnet #> -p T:53 -oG <file-name>.txt

Clean up the output to list only the DNS server addresses:

cat <file-name>.txt | grep -v Nmap | grep -v / | awk '{print $2}'
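As an added example (not from the original notes), a POSIX shell function that pulls the hosts with a given open port out of nmap grepable (-oG) output. It runs here over a constructed sample file, not a live scan, and keys on the `Ports:` record and the `/open/` state rather than on `Status: Up` lines, which -Pn emits for every target whether or not it answers on 53.

```shell
#!/bin/sh
# write_sample FILE: constructed grepable output in the layout nmap -oG
# produces (tab-separated fields; a Ports: record is
# port/state/proto/owner/service/rpcinfo/version/). Not a real scan.
write_sample() {
    {
        printf '# Nmap scan initiated as: nmap -Pn --open -p T:53 -oG dns.txt 192.0.2.0/29\n'
        printf 'Host: 192.0.2.1 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.1 ()\tPorts: 53/open/tcp//domain///\n'
        printf 'Host: 192.0.2.2 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.2 ()\tPorts: 53/filtered/tcp//domain///\tIgnored State: closed (0)\n'
        printf 'Host: 192.0.2.3 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.3 ()\tPorts: 53/closed/tcp//domain///\n'
        printf 'Host: 192.0.2.4 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.4 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///\n'
        printf '# Nmap done -- 8 IP addresses (4 hosts up) scanned in 5.00 seconds\n'
    } > "$1"
}

# open_hosts FILE PORT PROTO: print one IP per line for each host whose
# Ports: record lists PORT in state open for PROTO. Comment lines and
# "Status: Up" lines are ignored, so filtered or closed results are never
# reported as a server.
open_hosts() {
    awk -v want="$2/open/$3" '
        /^#/ { next }
        /Ports:/ {
            line = $0
            sub(/^.*Ports:[ \t]*/, "", line)      # keep only the port records
            n = split(line, recs, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (index(recs[i], want) == 1) { print $2; break }
        }' "$1"
}

# Usage: build the sample, then list DNS servers (prints 192.0.2.1 and 192.0.2.4).
tmp=$(mktemp)
write_sample "$tmp"
open_hosts "$tmp" 53 tcp
rm -f "$tmp"
```

Point it at the real `<file-name>.txt` from the scan above in place of the sample to get the same one-IP-per-line list.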

Ports:

  • -p

    • Will scan the specified port(s)

    • T: TCP only

    • U: UDP only

    • Can do a range and protocol specification:

      • nmap <ip> -p T:22,U:4000

  • -sP or -sn

    • No port scan

Host Discovery:

  • -Pn

    • no ping / no host discovery

  • -sL

    • List scan: only lists the targets, with no host discovery or port scan

  • --traceroute

    • Enables traceroute functionality

Timing:

  • T0-T5

    • The lower the number, the slower the scan; T5 means you don't care if you set off alarms

    • T0 sends about one probe every ~5 minutes

Services:

  • -sV

    • Perform service detection

Scan Types:

  • -sT

    • TCP Connect

    • Completes 3 way handshake

  • -sU

    • UDP Scan

    • Fast

  • -O

    • Enables OS Detection

Output:

  • -oG -

    • Makes the nmap output 'grepable'; '-' sends it to stdout instead of a file

  • --script

    • Allows you to specify the scripts

Resources:

https://nmap.org/book/man-host-discovery.html
