Target Specification
Switch       Example                          Description
             nmap <ip>                        Scan a single IP
             nmap <ip1> <ip2>                 Scan specific IPs
             nmap <ip>-254                    Scan a range (the last octet runs from the start value up to 254)
             nmap <domain>                    Scan a domain
             nmap <ip>/24                     Scan using CIDR notation
-iL          nmap -iL <file>                  Scan targets from a file (one target per line)
-iR          nmap -iR 100                     Scan 100 random hosts
--exclude    nmap <ip>/24 --exclude <ip>      Exclude listed hosts from the target set
Scan Techniques
Switch       Example                          Description
-sS          nmap <ip> -sS                    TCP SYN port scan (default when running as root)
-sT          nmap <ip> -sT                    TCP connect port scan (default without root privilege)
-sU          nmap <ip> -sU                    UDP port scan
-sA          nmap <ip> -sA                    TCP ACK port scan (maps firewall rules as filtered/unfiltered; it never reports open ports)
-sW          nmap <ip> -sW                    TCP Window port scan
-sM          nmap <ip> -sM                    TCP Maimon port scan
Host Discovery
Switch       Example                          Description
-sL          nmap <ip>-3 -sL                  No scan. List targets only
-sn          nmap <ip>/24 -sn                 Disable port scanning. Host discovery only
-Pn          nmap <ip>-5 -Pn                  Disable host discovery. Port scan only
-PS          nmap <ip>-5 -PS22-25,80          TCP SYN discovery on port x. Port 80 by default
-PA          nmap <ip>-5 -PA22-25,80          TCP ACK discovery on port x. Port 80 by default
-PU          nmap <ip>-5 -PU53                UDP discovery on port x. Port 40125 by default
-PR          nmap <ip>/24 -PR                 ARP discovery on the local network
-n           nmap <ip> -n                     Never do DNS resolution
Port Specification
Switch       Example                          Description
-p           nmap <ip> -p 21                  Port scan for port x
-p           nmap <ip> -p 21-100              Port range
-p           nmap <ip> -sS -sU -p U:53,T:21-25,80   Port scan multiple TCP and UDP ports (the U: ports are only scanned if a UDP scan, -sU, is also enabled)
-p-          nmap <ip> -p-                    Port scan all ports (1-65535)
-p           nmap <ip> -p http,https          Port scan from service name
-F           nmap <ip> -F                     Fast port scan (100 most common ports)
--top-ports  nmap <ip> --top-ports 2000       Port scan the top x ports
-p-65535     nmap <ip> -p-65535               Leaving off the initial port in a range makes the scan start at port 1
-p0-         nmap <ip> -p0-                   Leaving off the end port in a range makes the scan go through to port 65535 (this form also includes port 0)
Service and Version Detection
Switch                     Example                                Description
-sV                        nmap <ip> -sV                          Attempts to determine the version of the service running on each open port
-sV --version-intensity    nmap <ip> -sV --version-intensity 8    Intensity level 0 to 9. A higher number increases the possibility of correctness
-sV --version-light        nmap <ip> -sV --version-light          Enable light mode (intensity 2). Lower possibility of correctness. Faster
-sV --version-all          nmap <ip> -sV --version-all            Enable intensity level 9. Higher possibility of correctness. Slower
-A                         nmap <ip> -A                           Enables OS detection, version detection, script scanning, and traceroute
OS Detection
Switch               Example                          Description
-O                   nmap <ip> -O                     Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit    nmap <ip> -O --osscan-limit      Skip OS detection against hosts that do not have at least one open and one closed TCP port
-O --osscan-guess    nmap <ip> -O --osscan-guess      Makes Nmap guess more aggressively
-O --max-os-tries    nmap <ip> -O --max-os-tries 1    Set the maximum number x of OS detection tries against a target
-A                   nmap <ip> -A                     Enables OS detection, version detection, script scanning, and traceroute
Timing and Performance
Switch       Example             Description
-T0          nmap <ip> -T0       Paranoid (0) Intrusion Detection System evasion
-T1          nmap <ip> -T1       Sneaky (1) Intrusion Detection System evasion
-T2          nmap <ip> -T2       Polite (2) slows down the scan to use less bandwidth and fewer target machine resources
-T3          nmap <ip> -T3       Normal (3), the default speed
-T4          nmap <ip> -T4       Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5          nmap <ip> -T5       Insane (5) speeds scans; assumes you are on an extraordinarily fast network (can sacrifice accuracy)

Switch                                                             Example input       Description
--host-timeout <time>                                              1s; 4m; 2h          Give up on a target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>   1s; 4m; 2h          Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size>                             50; 1024            Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes>                    10; 1               Probe parallelization
--scan-delay/--max-scan-delay <time>                               20ms; 2s; 4m; 5h    Adjust delay between probes
--max-retries <tries>                                              3                   Specify the maximum number of port scan probe retransmissions
--min-rate <number>                                                100                 Send packets no slower than <number> per second
--max-rate <number>                                                100                 Send packets no faster than <number> per second
NSE Scripts
Switch            Example                                                              Description
-sC               nmap <ip> -sC                                                        Scan with default NSE scripts. Considered useful for discovery and safe
--script default  nmap <ip> --script default                                           Scan with default NSE scripts. Considered useful for discovery and safe
--script          nmap <ip> --script=banner                                            Scan with a single script. Example banner
--script          nmap <ip> --script=http*                                             Scan with a wildcard. Example: every script whose name starts with http
--script          nmap <ip> --script=http-title,banner                                 Scan with two scripts. Example http-title and banner
--script          nmap <ip> --script "not intrusive"                                   Run every script except those in the intrusive category (use "default and not intrusive" to stay within the default set)
--script-args     nmap --script snmp-sysdescr --script-args snmpcommunity=admin <ip>   NSE script with arguments
Useful NSE Script Examples
Command                                                                                                      Description
nmap -Pn --script=http-sitemap-generator <domain>                                                            HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000                                        Fast search for random web servers
nmap -Pn --script=dns-brute <domain>                                                                         Brute forces DNS hostnames, guessing subdomains
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* <ip>    Broad SMB enumeration. Note that the smb-vuln* scripts are in the intrusive (and some in the dos) category, not safe; drop them against production hosts
nmap --script whois* <domain>                                                                                Whois query
nmap -p80 --script http-unsafe-output-escaping <domain>                                                      Detect cross site scripting vulnerabilities (unescaped reflected output)
nmap -p80 --script http-sql-injection <domain>                                                               Check for SQL injections
Firewall / IDS Evasion and Spoofing
Switch          Example                                                                     Description
-f              nmap <ip> -f                                                                Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu           nmap <ip> --mtu 32                                                          Set your own fragment size (must be a multiple of 8)
-D              nmap -D <decoy1>,<decoy2>,<decoy3>,<decoy4> <target>                        Send scans from spoofed IPs (decoys) alongside your own
-D              nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip  Above example explained (ME can be used in place of your own IP to fix its position in the list)
-S              nmap -S <spoofed-source-ip> <target>                                        Scan with a spoofed source address, e.g. scan Facebook from Microsoft (-e eth0 -Pn may be required; replies go to the spoofed address, so you will not see results)
-g              nmap -g 53 <ip>                                                             Use given source port number
--proxies       nmap --proxies <proxy-url1>,<proxy-url2> <ip>                               Relay connections through a comma-separated chain of HTTP/SOCKS4 proxies
--data-length   nmap --data-length 200 <ip>                                                 Appends random data to sent packets
Example IDS Evasion command
nmap -f -T0 -n -Pn --data-length 200 -D <decoy1>,<decoy2>,<decoy3>,<decoy4> <target>
Output
Switch             Example                                  Description
-oN                nmap <ip> -oN <file>                     Normal output to the file
-oX                nmap <ip> -oX <file>                     XML output to the file
-oG                nmap <ip> -oG <file>                     Grepable output to the file
-oA                nmap <ip> -oA results                    Output in the three major formats at once (results.nmap, results.xml, results.gnmap)
-oG -              nmap <ip> -oG -                          Grepable output to screen. -oN -, -oX - also usable
--append-output    nmap <ip> -oN <file> --append-output     Append a scan to a previous scan file
-v                 nmap <ip> -v                             Increase the verbosity level (use -vv or more for greater effect)
-d                 nmap <ip> -d                             Increase debugging level (use -dd or more for greater effect)
--reason           nmap <ip> --reason                       Display the reason a port is in a particular state, same output as -vv
--open             nmap <ip> --open                         Only show open (or possibly open) ports
--packet-trace     nmap <ip> -T4 --packet-trace             Show all packets sent and received
--iflist           nmap --iflist                            Shows the host interfaces and routes
--resume           nmap --resume <file>                     Resume an aborted scan from its normal (-oN) or grepable (-oG) output file
Helpful Nmap Output examples
Command                                                                                             Description
nmap -p80 -sV -oG - --open <ip>/24 | grep open                                                      Scan for web servers and grep to show which IPs are running web servers
nmap -iR 10 -n -oX <scan.xml> | grep "Nmap scan report" | cut -d " " -f5 > <live-hosts.txt>         Generate a list of the IPs of live hosts (matching "Nmap scan report" rather than just "Nmap" keeps the "Starting Nmap" and "Nmap done" lines out of the list)
nmap -iR 10 -n -oX <scan.xml> | grep "Nmap scan report" | cut -d " " -f5 >> <live-hosts.txt>        Append IPs to the list of live hosts
ndiff <scan1.xml> <scan2.xml>                                                                       Compare the output of two scans using ndiff (ships with Nmap; use XML output)
xsltproc <scan.xml> -o <scan.html>                                                                  Convert Nmap XML files to HTML files
grep " open " <results.nmap> | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less                 Reverse sorted list of how often ports turn up
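The grep/sort/uniq pipeline and the ndiff row above both work on saved scan output. The following script is an added example (not part of the original cheat sheet and not Nmap's own tooling) that does the same work on grepable (-oG) output with plain awk and sort: it extracts "host port/proto state service" records, lists open ports per host, counts how often each port turns up, and reports ports that are open in a new scan but were not open in a baseline, which is a minimal stand-in for ndiff. The two -oG scans are constructed inline so it runs offline; the hosts 10.0.0.1 and 10.0.0.2, the services and the version strings are assumptions, not real scan data.

```shell
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output with awk/sort. Not from the
# cheat sheet or the Nmap project. Sample scans below are constructed; the hosts,
# services and versions are assumptions for illustration only.

# Constructed baseline -oG output (fields in -oG lines are tab-separated).
sample_baseline() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sV -p 22,80,443,3389 -oG baseline.gnmap 10.0.0.0/30'
    printf '%s\t%s\n' 'Host: 10.0.0.1 ()' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 10.0.0.1 ()' \
        'Ports: 22/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//ssl|http//nginx 1.24.0/, 3389/closed/tcp//ms-wbt-server///' \
        'Ignored State: filtered (0)'
    printf '%s\t%s\n' 'Host: 10.0.0.2 ()' 'Status: Up'
    printf '%s\t%s\n' 'Host: 10.0.0.2 ()' \
        'Ports: 22/open/tcp//ssh//OpenSSH 9.6/, 80/closed/tcp//http///, 443/closed/tcp//https///, 3389/closed/tcp//ms-wbt-server///'
    printf '%s\n' '# Nmap done -- 4 IP addresses (2 hosts up) scanned in 4.20 seconds'
}

# Constructed follow-up scan: 10.0.0.2 has since exposed HTTP and RDP.
sample_new() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sV -p 22,80,443,3389 -oG new.gnmap 10.0.0.0/30'
    printf '%s\t%s\n' 'Host: 10.0.0.1 ()' 'Status: Up'
    printf '%s\t%s\n' 'Host: 10.0.0.1 ()' \
        'Ports: 22/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//ssl|http//nginx 1.24.0/, 3389/closed/tcp//ms-wbt-server///'
    printf '%s\t%s\n' 'Host: 10.0.0.2 ()' 'Status: Up'
    printf '%s\t%s\n' 'Host: 10.0.0.2 ()' \
        'Ports: 22/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//Apache httpd 2.4.58/, 443/closed/tcp//https///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/'
    printf '%s\n' '# Nmap done -- 4 IP addresses (2 hosts up) scanned in 4.10 seconds'
}

# og_ports: -oG on stdin -> one line per port: "<host> <port>/<proto> <state> <service>"
og_ports() {
    awk -F'\t' '
        /^Host:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, /, /)
                for (j = 1; j <= n; j++) {
                    # each entry is port/state/proto/owner/service/rpc/version/
                    split(entry[j], f, "/")
                    print host, f[1] "/" f[3], f[2], (f[5] == "" ? "-" : f[5])
                }
            }
        }'
}

# og_up_hosts: the "list of live hosts" idea from the page, read from -oG Status lines
og_up_hosts() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { sub(/^Host: /, "", $1); sub(/ .*/, "", $1); print $1 }'
}

# open_ports: only open ports, as "host port/proto service"
open_ports() { og_ports | awk '$3 == "open" { print $1, $2, $4 }'; }

# port_frequency: reverse-sorted count of open ports (the page's grep/sort/uniq pipeline)
port_frequency() {
    og_ports | awk '$3 == "open" { print $2 }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# newly_open BASELINE NEW: "host port/proto" lines that are open in NEW but were not open in BASELINE
newly_open() {
    seen=$(mktemp) || return 1
    og_ports < "$1" | awk '$3 == "open" { print $1, $2 }' | sort -u > "$seen"
    og_ports < "$2" | awk '$3 == "open" { print $1, $2 }' | sort -u |
        awk -v old="$seen" 'BEGIN { while ((getline l < old) > 0) known[l] = 1 } !($0 in known)'
    rm -f "$seen"
}

# Run with "demo" as the first argument to print all three reports on the samples.
if [ "${1:-}" = "demo" ]; then
    b=$(mktemp); n=$(mktemp)
    sample_baseline > "$b"; sample_new > "$n"
    echo "== open ports (new scan)";          open_ports < "$n"
    echo "== port frequency (new scan)";      port_frequency < "$n"
    echo "== newly opened since baseline";    newly_open "$b" "$n"
    rm -f "$b" "$n"
fi
```

On real data, replace the sample functions with files written by `-oG`: `open_ports < scan.gnmap`, `newly_open baseline.gnmap scan.gnmap`. The functions only look at the tab-separated Host/Ports fields, so extra fields such as "Ignored State" or the comment lines Nmap writes at the top and bottom are passed over; for anything beyond this (service version diffs, host state changes) the XML output and ndiff remain the right tools.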
Miscellaneous Options
Switch       Example                          Description
-6           nmap -6 <ipv6-address>           Enable IPv6 scanning
-h           nmap -h                          Nmap help screen
Other Useful Nmap Commands
Command                                                   Description
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn             Discovery only on ports x, no port scan
nmap <ip>/24 -PR -sn -vv                                  ARP discovery only on the local network, no port scan
nmap -iR 10 -sn --traceroute                              Traceroute to random targets, no port scan
nmap <ip>-50 -sL --dns-server <dns-ip>                    Query the internal DNS for hosts, list targets only