SEC-335: Eth. Hacking & Pen. Testing
NMAP

Last updated 2 years ago

Usage:

Command line:

sudo nmap <ip> <options> 

If you don't run it with sudo, results will vary (privileged scan types such as SYN scan and OS detection need raw sockets).

Syntax:

Extra:

  • -A

    • OS detection, Version detection, script scanning

  • DNS

Find DNS servers in a network:

sudo nmap -Pn --open <network ID>/<subnet #> -p T:53 -oG <file-name>.txt

Clean the output so only the DNS server IPs are listed:

cat <file-name>.txt | grep -v Nmap | grep -v / | awk '{print $2}'
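The pipeline above drops every line that contains a "/" and so relies on --open having filtered the host list already. As an added example (not part of the course notes), the function below reads the same grepable (-oG) format and keeps only hosts whose Ports field actually shows 53/open/tcp, which is the check you want when the scan was run without --open or with more ports. The sample output is constructed for the example, not a real scan result; the IP addresses are placeholders.

```shell
#!/bin/sh
# Constructed sample of nmap -oG (grepable) output. Not a real scan;
# the addresses and version are placeholders for the example.
SAMPLE_GREPABLE='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -Pn 10.0.5.0/24 -p T:53 -oG dns.txt
Host: 10.0.5.22 ()   Status: Up
Host: 10.0.5.22 ()   Ports: 53/open/tcp//domain///
Host: 10.0.5.25 ()   Status: Up
Host: 10.0.5.25 ()   Ports: 53/filtered/tcp//domain///
Host: 10.0.5.40 ()   Status: Up
Host: 10.0.5.40 ()   Ports: 53/open/tcp//domain///
Host: 10.0.5.41 ()   Status: Up
Host: 10.0.5.41 ()   Ports: 53/closed/tcp//domain///
# Nmap done at Mon Jan  1 00:00:05 2024 -- 256 IP addresses (4 hosts up) scanned in 5.02 seconds'

# open_dns_hosts: read grepable nmap output on stdin and print one IP per
# line for each host whose Ports field contains 53/open/tcp.
# - lines starting with "#" are nmap's header/footer comments
# - "Ports:" lines carry the per-port state as port/state/proto/.../service
# - $2 is the IP because grepable records start with "Host: <ip> (<name>)"
open_dns_hosts() {
    grep -v '^#' |
    awk '/Ports:/ && /53\/open\/tcp/ { print $2 }' |
    sort -u
}

# Usage: feed a saved -oG file or the sample above.
#   open_dns_hosts < dns.txt
printf '%s\n' "$SAMPLE_GREPABLE" | open_dns_hosts
```

Filtered and closed responders are ignored, so the list is the set of hosts that actually answered on TCP/53; sort -u collapses the duplicate Host records nmap writes when a host has both a Status and a Ports line.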

Ports:

  • -p

    • Will scan the specified port(s)

    • T: TCP only

    • U: UDP only

    • Can combine a port list with a per-port protocol specification:

      • nmap <ip> -p T:22,U:4000

  • -sP or -sn

    • No port scan

Host Discovery:

  • -Pn

    • no ping / no host discovery

  • -sL

    • list scan: only lists the targets, no discovery or port scan

  • --traceroute

    • Enables traceroute functionality

Timing:

  • T0-T5

    • The lower the number, the slower the scan; T5 means you don't care if you set off alarms

    • T0 sends about one probe every ~5 minutes

Services:

  • -sV

    • perform service detection

Scan Types:

  • -sT

    • TCP Connect

    • Completes 3 way handshake

  • -sU

    • UDP Scan

    • Fast

  • -O

    • Enables OS Detection

Output:

  • -oG -

    • Makes the nmap output 'grepable' (the trailing - writes it to stdout instead of a file)

  • --script

    • Allows you to specify which NSE scripts to run

Resources:

Scripts:

https://www.redhat.com/sysadmin/nmap-scripting-engine
https://nmap.org/book/man-host-discovery.html