Introduction to Nmap
Nmap (Network Mapper) is a powerful and versatile open-source tool used for network exploration, port scanning, service and version detection, security auditing, and network performance assessment. It caters to a broad spectrum of users, ranging from ethical hackers to network administrators. In this comprehensive guide, we’ll explore the fundamentals of Nmap and provide you with a handy cheat sheet to get started.
Understanding Nmap
Nmap operates by sending packets to the target hosts and analyzing their responses. It can discover hosts available on the network, find open ports, identify services running on those ports, and even determine the operating system of the target.
Target Specification
| Switch | Example | Description |
|---|---|---|
| | `nmap 192.168.1.1` | Scan a single IP |
| | `nmap 192.168.1.1 192.168.2.1` | Scan specific IPs |
| | `nmap 192.168.1.1-254` | Scan a range |
| | `nmap scanme.nmap.org` | Scan a domain |
| | `nmap 192.168.1.0/24` | Scan using CIDR notation |
| -iL | `nmap -iL targets.txt` | Scan targets from a file |
| -iR | `nmap -iR 100` | Scan 100 random hosts |
| --exclude | `nmap --exclude 192.168.1.1` | Exclude listed hosts |
Scan Techniques
| Switch | Example | Description |
|---|---|---|
| -sS | `nmap 192.168.1.1 -sS` | TCP SYN port scan (default) |
| -sT | `nmap 192.168.1.1 -sT` | TCP connect port scan (default without root privilege) |
| -sU | `nmap 192.168.1.1 -sU` | UDP port scan |
| -sA | `nmap 192.168.1.1 -sA` | TCP ACK port scan |
| -sW | `nmap 192.168.1.1 -sW` | TCP Window port scan |
| -sM | `nmap 192.168.1.1 -sM` | TCP Maimon port scan |
Host Discovery
| Switch | Example | Description |
|---|---|---|
| -sL | `nmap 192.168.1.1-3 -sL` | No scan. List targets only |
| -sn | `nmap 192.168.1.1/24 -sn` | Disable port scanning. Host discovery only |
| -Pn | `nmap 192.168.1.1-5 -Pn` | Disable host discovery. Port scan only |
| -PS | `nmap 192.168.1.1-5 -PS22-25,80` | TCP SYN discovery on port x. Port 80 by default |
| -PA | `nmap 192.168.1.1-5 -PA22-25,80` | TCP ACK discovery on port x. Port 80 by default |
| -PU | `nmap 192.168.1.1-5 -PU53` | UDP discovery on port x. Port 40125 by default |
| -PR | `nmap 192.168.1.1-1/24 -PR` | ARP discovery on the local network |
| -n | `nmap 192.168.1.1 -n` | Never do DNS resolution |
Nmap Port Specification
| Switch | Example | Description |
|---|---|---|
| -p | `nmap 192.168.1.1 -p 21` | Port scan for a specific port (e.g., port 21) |
| -p | `nmap 192.168.1.1 -p 21-100` | Port range scan (e.g., ports 21 to 100) |
| -p | `nmap 192.168.1.1 -p U:53,T:21-25,80` | Scan multiple TCP and UDP ports |
| -p- | `nmap 192.168.1.1 -p-` | Scan all ports (1 to 65535) |
| -p | `nmap 192.168.1.1 -p http,https` | Port scan using service names (e.g., http, https) |
| -F | `nmap 192.168.1.1 -F` | Fast port scan (scan the 100 most common ports) |
| --top-ports | `nmap 192.168.1.1 --top-ports 2000` | Port scan the top x most common ports |
| -p-65535 | `nmap 192.168.1.1 -p-65535` | Scan all ports starting from port 1 |
| -p0- | `nmap 192.168.1.1 -p0-` | Scan all ports up to port 65535 |
Service and Version Detection
| Switch | Example | Description |
|---|---|---|
| -sV | `nmap 192.168.1.1 -sV` | Attempts to determine the version of the service running on each port |
| -sV --version-intensity | `nmap 192.168.1.1 -sV --version-intensity 8` | Sets the version detection intensity level from 0 to 9; higher values increase the likelihood of a correct identification |
| -sV --version-light | `nmap 192.168.1.1 -sV --version-light` | Enables light mode for version detection, giving faster results with a lower likelihood of a correct identification |
| -sV --version-all | `nmap 192.168.1.1 -sV --version-all` | Enables intensity level 9 for version detection, giving the highest likelihood of a correct identification at the cost of slower scanning |
| -A | `nmap 192.168.1.1 -A` | Enables comprehensive scanning, including OS detection, version detection, script scanning, and traceroute |
OS Detection
| Switch | Example | Description |
|---|---|---|
| -O | `nmap 192.168.1.1 -O` | Remote OS detection using TCP/IP stack fingerprinting |
| -O --osscan-limit | `nmap 192.168.1.1 -O --osscan-limit` | Skips OS detection against a host unless at least one open and one closed TCP port are found |
| -O --osscan-guess | `nmap 192.168.1.1 -O --osscan-guess` | Makes Nmap guess more aggressively during OS detection |
| -O --max-os-tries | `nmap 192.168.1.1 -O --max-os-tries 1` | Sets the maximum number of OS detection tries (x) against a target |
| -A | `nmap 192.168.1.1 -A` | Enables comprehensive scanning, including OS detection, version detection, script scanning, and traceroute |
Timing and Performance
| Switch | Example | Description |
|---|---|---|
| -T0 | `nmap 192.168.1.1 -T0` | Paranoid (0): Intrusion Detection System evasion |
| -T1 | `nmap 192.168.1.1 -T1` | Sneaky (1): Intrusion Detection System evasion |
| -T2 | `nmap 192.168.1.1 -T2` | Polite (2): slows down the scan to use less bandwidth and target machine resources |
| -T3 | `nmap 192.168.1.1 -T3` | Normal (3): the default speed for scans |
| -T4 | `nmap 192.168.1.1 -T4` | Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network |
| -T5 | `nmap 192.168.1.1 -T5` | Insane (5): speeds up scans; assumes you are on an extraordinarily fast network |
| Switch | Example input | Description |
|---|---|---|
| --host-timeout <time> | 1s; 4m; 2h | Give up on a target after the specified time |
| --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round-trip time |
| --min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes |
| --min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization |
| --scan-delay/--max-scan-delay <time> | 20ms; 2s; 4m; 5h | Adjusts the delay between probes |
| --max-retries <tries> | 3 | Specifies the maximum number of port scan probe retransmissions |
| --min-rate <number> | 100 | Sends packets no slower than the specified rate per second |
| --max-rate <number> | 100 | Sends packets no faster than the specified rate per second |
NSE Scripts
| Switch | Example | Description |
|---|---|---|
| -sC | `nmap 192.168.1.1 -sC` | Scan with default NSE scripts. Considered useful for discovery and safe |
| --script default | `nmap 192.168.1.1 --script default` | Scan with default NSE scripts. Considered useful for discovery and safe |
| --script | `nmap 192.168.1.1 --script=banner` | Scan with a single script. Example: banner |
| --script | `nmap 192.168.1.1 --script=http*` | Scan with a wildcard. Example: http |
| --script | `nmap 192.168.1.1 --script=http,banner` | Scan with two scripts. Example: http and banner |
| --script | `nmap 192.168.1.1 --script "not intrusive"` | Scan with default scripts but remove intrusive ones |
| --script-args | `nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1` | NSE script with arguments |
Useful NSE Script Examples
| Command | Description |
|---|---|
| `nmap -Pn --script=http-sitemap-generator scanme.nmap.org` | Run the HTTP site map generator script to create a sitemap for a website. |
| `nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000` | Conduct a fast search for random web servers on port 80, retrieving banners and titles for discovered web services. |
| `nmap -Pn --script=dns-brute domain.com` | Use DNS brute force to guess DNS hostnames, attempting to discover subdomains of the specified domain. |
| `nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1` | Run a set of safe SMB (Server Message Block) scripts to gather information about Windows systems on the network, including shares and vulnerabilities. |
| `nmap --script whois* domain.com` | Perform a WHOIS query for the specified domain, providing information about domain registration. |
| `nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org` | Detect cross-site scripting (XSS) vulnerabilities on web servers running on port 80. |
| `nmap -p80 --script http-sql-injection scanme.nmap.org` | Check for SQL injection vulnerabilities in web applications hosted on port 80. |
Firewall/IDS Evasion and Spoofing
| Switch | Example | Description |
|---|---|---|
| -f | `nmap 192.168.1.1 -f` | The requested scan (including ping scans) uses tiny fragmented IP packets, which can be harder for packet filters to detect. |
| --mtu | `nmap 192.168.1.1 --mtu 32` | Set your own maximum transmission unit (MTU) size for packet fragmentation. |
| -D | `nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1` | Send scans from spoofed (decoy) IP addresses. This can help hide your identity during scans. |
| -D | `nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip` | General form of the -D switch: send scans from multiple decoy IP addresses, with your own address placed among them. |
| -S | `nmap -S www.microsoft.com www.facebook.com` | Scan a target (e.g., Facebook) from a different source (e.g., Microsoft). Use with caution, as this involves IP address spoofing. Additional options like `-e eth0 -Pn` may be required. |
| -g | `nmap -g 53 192.168.1.1` | Use a given source port number (e.g., source port 53). |
| --proxies | `nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1` | Relay connections through HTTP/SOCKS4 proxies. Useful for hiding your true source IP address. |
| --data-length | `nmap --data-length 200 192.168.1.1` | Append random data to sent packets, which can help obfuscate traffic and evade certain filters. |
Output and Display Options
| Switch | Example | Description |
|---|---|---|
| -oN | `nmap 192.168.1.1 -oN normal.file` | Save normal output to the file normal.file. |
| -oX | `nmap 192.168.1.1 -oX xml.file` | Save XML output to the file xml.file. |
| -oG | `nmap 192.168.1.1 -oG grep.file` | Save grepable output to the file grep.file. |
| -oA | `nmap 192.168.1.1 -oA results` | Output in all major formats (normal, XML, and grepable) at once, with the base name results. |
| -oG - | `nmap 192.168.1.1 -oG -` | Send grepable output to the screen. `-oN -` and `-oX -` are also usable for this purpose. |
| --append-output | `nmap 192.168.1.1 -oN file.file --append-output` | Append the results of a scan to a previous scan file. |
| -v | `nmap 192.168.1.1 -v` | Increase the verbosity level (use -vv or more for greater detail). |
| -d | `nmap 192.168.1.1 -d` | Increase the debugging level (use -dd or more for greater detail). |
| --reason | `nmap 192.168.1.1 --reason` | Display the reason a port is in a particular state, providing the same output as -vv. |
| --open | `nmap 192.168.1.1 --open` | Only show open (or possibly open) ports in the output. |
| --packet-trace | `nmap 192.168.1.1 -T4 --packet-trace` | Show all packets sent and received during the scan for debugging purposes. |
| --iflist | `nmap --iflist` | Display information about host interfaces and routes. |
| --resume | `nmap --resume results.file` | Resume a scan using the information from a previous scan stored in results.file. |
Helpful Nmap Output Examples
| Command | Description |
|---|---|
| `nmap -p80 -sV -oG - --open 192.168.1.1/24 \| grep open` | Scan for web servers and use grep to show which IPs are running web servers. |
| `nmap -iR 10 -n -oX out.xml \| grep "Nmap" \| cut -d " " -f5 > live-hosts.txt` | Generate a list of the IP addresses of live hosts. |
| `nmap -iR 10 -n -oX out2.xml \| grep "Nmap" \| cut -d " " -f5 >> live-hosts.txt` | Append IP addresses to the list of live hosts. |
| `ndiff scan1.xml scan2.xml` | Compare output from Nmap scans using the ndiff tool. |
| `xsltproc nmap.xml -o nmap.html` | Convert Nmap XML files to HTML format. |
| `grep " open " results.nmap \| sed -r 's/ +/ /g' \| sort \| uniq -c \| sort -rn \| less` | Generate a reverse-sorted list showing how often ports turn up as open in the Nmap results. |
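The -oX format above is the one worth parsing when you need more than grep can give you, for example to track which ports newly appeared between two scans of the same range, as ndiff does. The following is an added example, not Nmap's own code: the two XML snippets are constructed to match the shape Nmap writes with -oX (trimmed to the elements the parser reads), and a practitioner would load real files with `open("scan.xml").read()` instead.

```python
"""Parse Nmap XML (-oX) output and diff two scans ndiff-style (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with -oX (trimmed to the
# elements the parser reads; not output from a real scan).
BEFORE = """<nmaprun scanner="nmap" args="nmap -sV -oX before.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.11" addrtype="ipv4"/></host>
</nmaprun>"""
AFTER = """<nmaprun scanner="nmap" args="nmap -sV -oX after.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.11" addrtype="ipv4"/><ports>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {ip: {(proto, port, service)}} for ports whose state is exactly
    "open"; "open|filtered" (common in UDP scans) is deliberately left out."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no <ports> element at all
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        found = set()
        for port in host.iter("port"):  # iter() copes with a missing <ports>
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV found nothing
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            found.add((port.get("protocol"), int(port.get("portid")), name))
        if found:
            result[addr] = found
    return result


def diff_scans(before_xml, after_xml):
    """ndiff-style delta: sorted (ip, proto, port, service) tuples newly open
    in the second scan and no longer open since the first."""
    flat = lambda xml: {(ip, *p) for ip, ps in open_ports(xml).items() for p in ps}
    b, a = flat(before_xml), flat(after_xml)
    return {"new_open": sorted(a - b), "closed": sorted(b - a)}
```

Feeding it the two constructed scans reports 3389/tcp and 445/tcp as newly open and 80/tcp on 192.168.1.10 as closed, while the UDP open|filtered result is ignored because it is not a confirmed open port.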
Miscellaneous Options
| Switch | Example | Description |
|---|---|---|
| -6 | `nmap -6 2607:f0d0:1002:51::4` | Enable IPv6 scanning. |
| -h | `nmap -h` | Display the Nmap help screen. |
Other Useful Nmap Commands
| Command | Description |
|---|---|
| `nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn` | Discovery only on specified ports, no port scan. |
| `nmap 192.168.1.1-1/24 -PR -sn -vv` | ARP discovery only on the local network, no port scan. |
| `nmap -iR 10 -sn --traceroute` | Perform a traceroute to random targets, no port scan. |
| `nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1` | Query the internal DNS server for hosts and list targets only. |
Thank you for this great resource: StationX
Conclusion
This Nmap cheat sheet provides you with essential commands to start using Nmap effectively. However, Nmap offers a plethora of advanced and complex scanning options for various scenarios. To delve deeper into Nmap’s capabilities, consider exploring the official documentation.
Remember to use Nmap responsibly and ethically, respecting legal boundaries and permissions when scanning networks or systems.
Nmap is a valuable tool in the world of network security and administration. By mastering its usage, you can enhance your ability to assess network vulnerabilities, identify security risks, and maintain robust network infrastructure.
Hi! I want to say that this article is amazing, well written, and comes with almost all the significant info. I would like to see more posts like this.
I think the information was a bit insufficient. What exactly is Nmap and how does it work?
Nmap (Network Mapper) is a powerful open-source tool that has functions such as network discovery, port scanning, and service and version detection.
Nmap sends packets to target systems and analyzes the responses to those packets to determine open ports on the network, running services, and even the operating system.
You can look here for details: Nmap: Exploring the Power of Network
or the official website of Nmap: nmap.org