Target Specification

| Switch | Example | Description |
|---|---|---|
| | `nmap 192.168.1.1` | Scan a single IP |
| | `nmap 192.168.1.1 192.168.2.1` | Scan specific IPs |
| | `nmap 192.168.1.1-254` | Scan a range |
| | `nmap scanme.nmap.org` | Scan a domain |
| | `nmap 192.168.1.0/24` | Scan using CIDR notation |
| `-iL` | `nmap -iL targets.txt` | Scan targets from a file |
| `-iR` | `nmap -iR 100` | Scan 100 random hosts |
| `--exclude` | `nmap --exclude 192.168.1.1` | Exclude listed hosts |
Scan Techniques

| Switch | Example | Description |
|---|---|---|
| `-sS` | `nmap 192.168.1.1 -sS` | TCP SYN port scan (default) |
| `-sT` | `nmap 192.168.1.1 -sT` | TCP connect port scan (default without root privilege) |
| `-sU` | `nmap 192.168.1.1 -sU` | UDP port scan |
| `-sA` | `nmap 192.168.1.1 -sA` | TCP ACK port scan |
| `-sW` | `nmap 192.168.1.1 -sW` | TCP Window port scan |
| `-sM` | `nmap 192.168.1.1 -sM` | TCP Maimon port scan |
Host Discovery

| Switch | Example | Description |
|---|---|---|
| `-sL` | `nmap 192.168.1.1-3 -sL` | No scan. List targets only |
| `-sn` | `nmap 192.168.1.1/24 -sn` | Disable port scanning. Host discovery only |
| `-Pn` | `nmap 192.168.1.1-5 -Pn` | Disable host discovery. Port scan only |
| `-PS` | `nmap 192.168.1.1-5 -PS22-25,80` | TCP SYN discovery on port x. Port 80 by default |
| `-PA` | `nmap 192.168.1.1-5 -PA22-25,80` | TCP ACK discovery on port x. Port 80 by default |
| `-PU` | `nmap 192.168.1.1-5 -PU53` | UDP discovery on port x. Port 40125 by default |
| `-PR` | `nmap 192.168.1.1-1/24 -PR` | ARP discovery on local network |
| `-n` | `nmap 192.168.1.1 -n` | Never do DNS resolution |
Port Specification

| Switch | Example | Description |
|---|---|---|
| `-p` | `nmap 192.168.1.1 -p 21` | Port scan for port x |
| `-p` | `nmap 192.168.1.1 -p 21-100` | Port range |
| `-p` | `nmap 192.168.1.1 -p U:53,T:21-25,80` | Port scan multiple TCP and UDP ports |
| `-p-` | `nmap 192.168.1.1 -p-` | Port scan all ports |
| `-p` | `nmap 192.168.1.1 -p http,https` | Port scan from service name |
| `-F` | `nmap 192.168.1.1 -F` | Fast port scan (100 ports) |
| `--top-ports` | `nmap 192.168.1.1 --top-ports 2000` | Port scan the top x ports |
| `-p-65535` | `nmap 192.168.1.1 -p-65535` | Leaving off the initial port in a range makes the scan start at port 1 |
| `-p0-` | `nmap 192.168.1.1 -p0-` | Leaving off the end port in a range makes the scan go through to port 65535 |
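The `-p` grammar in the table is compact enough to misread, so here is an added shell helper that is not part of the cheat sheet and not nmap's own parser. It expands a `-p` argument into one `proto port` line per port using the rules the table states: a `T:` or `U:` qualifier selects TCP or UDP and stays in effect for the items that follow it, `a-b` is a range, a missing start means port 1 and a missing end means port 65535. Service names such as `http` are deliberately rejected here (nmap resolves them from its own services file), and the wrapper functions `count_ports` and `udp_ports` are conveniences written for this example.

```shell
#!/bin/sh
# Added example: expand an nmap-style -p port specification into
# "proto port" lines (proto is T or U). Not nmap's own code; it applies
# the rules stated in the Port Specification table above.

expand_ports() {
    printf '%s\n' "$1" | awk -F',' '
    # print one line per port in [lo, hi] for the current protocol
    function emit(proto, lo, hi,    p) {
        if (lo > hi || lo < 0 || hi > 65535) {
            print "bad range " lo "-" hi > "/dev/stderr"
            exit 1
        }
        for (p = lo; p <= hi; p++) print proto, p
    }
    {
        proto = "T"                       # items without a qualifier are TCP
        for (i = 1; i <= NF; i++) {
            item = $i
            # a T: or U: qualifier applies to this item and all later ones
            if (item ~ /^[TU]:/) { proto = substr(item, 1, 1); item = substr(item, 3) }
            if (item ~ /^[0-9]*-[0-9]*$/) {
                # range: "-65535" starts at 1, "0-" ends at 65535, "-" is 1-65535
                split(item, r, "-")
                lo = (r[1] == "") ? 1 : r[1] + 0
                hi = (r[2] == "") ? 65535 : r[2] + 0
                emit(proto, lo, hi)
            } else if (item ~ /^[0-9]+$/) {
                emit(proto, item + 0, item + 0)
            } else {
                print "unsupported item (service names are not resolved here): " item > "/dev/stderr"
                exit 1
            }
        }
    }'
}

# Convenience wrappers (hypothetical helpers for this example) that return
# a value a caller can check.
count_ports() { expand_ports "$1" | awk 'END { print NR }'; }
udp_ports()   { expand_ports "$1" | awk '$1 == "U" { print $2 }'; }

# Usage: expand_ports 'U:53,T:21-25,80'
```

Pass the text that would follow `-p` on the nmap command line, so `-p-` becomes `expand_ports '-'` and `-p0-` becomes `expand_ports '0-'`. Remember that listing `U:` ports only selects them; a UDP scan type (`-sU`) still has to be requested.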
Service and Version Detection

| Switch | Example | Description |
|---|---|---|
| `-sV` | `nmap 192.168.1.1 -sV` | Attempts to determine the version of the service running on the port |
| `-sV --version-intensity` | `nmap 192.168.1.1 -sV --version-intensity 8` | Intensity level 0 to 9. A higher number increases the possibility of correctness |
| `-sV --version-light` | `nmap 192.168.1.1 -sV --version-light` | Enable light mode. Lower possibility of correctness. Faster |
| `-sV --version-all` | `nmap 192.168.1.1 -sV --version-all` | Enable intensity level 9. Higher possibility of correctness. Slower |
| `-A` | `nmap 192.168.1.1 -A` | Enables OS detection, version detection, script scanning, and traceroute |
OS Detection

| Switch | Example | Description |
|---|---|---|
| `-O` | `nmap 192.168.1.1 -O` | Remote OS detection using TCP/IP stack fingerprinting |
| `-O --osscan-limit` | `nmap 192.168.1.1 -O --osscan-limit` | If at least one open and one closed TCP port are not found, it will not try OS detection against the host |
| `-O --osscan-guess` | `nmap 192.168.1.1 -O --osscan-guess` | Makes Nmap guess more aggressively |
| `-O --max-os-tries` | `nmap 192.168.1.1 -O --max-os-tries 1` | Set the maximum number x of OS detection tries against a target |
| `-A` | `nmap 192.168.1.1 -A` | Enables OS detection, version detection, script scanning, and traceroute |
Timing and Performance

| Switch | Example | Description |
|---|---|---|
| `-T0` | `nmap 192.168.1.1 -T0` | Paranoid (0): Intrusion Detection System evasion |
| `-T1` | `nmap 192.168.1.1 -T1` | Sneaky (1): Intrusion Detection System evasion |
| `-T2` | `nmap 192.168.1.1 -T2` | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources |
| `-T3` | `nmap 192.168.1.1 -T3` | Normal (3): the default speed |
| `-T4` | `nmap 192.168.1.1 -T4` | Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network |
| `-T5` | `nmap 192.168.1.1 -T5` | Insane (5): speeds scans; assumes you are on an extraordinarily fast network |

| Switch | Example input | Description |
|---|---|---|
| `--host-timeout <time>` | `1s; 4m; 2h` | Give up on a target after this long |
| `--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>` | `1s; 4m; 2h` | Specifies probe round trip time |
| `--min-hostgroup/max-hostgroup <size>` | `50; 1024` | Parallel host scan group sizes |
| `--min-parallelism/max-parallelism <numprobes>` | `10; 1` | Probe parallelization |
| `--scan-delay/--max-scan-delay <time>` | `20ms; 2s; 4m; 5h` | Adjust delay between probes |
| `--max-retries <tries>` | `3` | Specify the maximum number of port scan probe retransmissions |
| `--min-rate <number>` | `100` | Send packets no slower than `<number>` per second |
| `--max-rate <number>` | `100` | Send packets no faster than `<number>` per second |
NSE Scripts

| Switch | Example | Description |
|---|---|---|
| `-sC` | `nmap 192.168.1.1 -sC` | Scan with default NSE scripts. Considered useful for discovery and safe |
| `--script default` | `nmap 192.168.1.1 --script default` | Scan with default NSE scripts. Considered useful for discovery and safe |
| `--script` | `nmap 192.168.1.1 --script=banner` | Scan with a single script. Example: banner |
| `--script` | `nmap 192.168.1.1 --script=http*` | Scan with a wildcard. Example: http |
| `--script` | `nmap 192.168.1.1 --script=http,banner` | Scan with two scripts. Example: http and banner |
| `--script` | `nmap 192.168.1.1 --script "not intrusive"` | Scan with default scripts, but remove intrusive scripts |
| `--script-args` | `nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1` | NSE script with arguments |
Useful NSE Script Examples

| Command | Description |
|---|---|
| `nmap -Pn --script=http-sitemap-generator scanme.nmap.org` | HTTP site map generator |
| `nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000` | Fast search for random web servers |
| `nmap -Pn --script=dns-brute domain.com` | Brute forces DNS hostnames, guessing subdomains |
| `nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1` | Safe SMB scripts to run |
| `nmap --script whois* domain.com` | Whois query |
| `nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org` | Detect cross site scripting vulnerabilities |
| `nmap -p80 --script http-sql-injection scanme.nmap.org` | Check for SQL injections |
Firewall / IDS Evasion and Spoofing

| Switch | Example | Description |
|---|---|---|
| `-f` | `nmap 192.168.1.1 -f` | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters |
| `--mtu` | `nmap 192.168.1.1 --mtu 32` | Set your own offset size |
| `-D` | `nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1` | Send scans from spoofed IPs |
| `-D` | `nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip` | Above example explained |
| `-S` | `nmap -S www.microsoft.com www.facebook.com` | Scan Facebook from Microsoft (`-e eth0 -Pn` may be required) |
| `-g` | `nmap -g 53 192.168.1.1` | Use given source port number |
| `--proxies` | `nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1` | Relay connections through HTTP/SOCKS4 proxies |
| `--data-length` | `nmap --data-length 200 192.168.1.1` | Appends random data to sent packets |

Example IDS Evasion command

`nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1`
Output

| Switch | Example | Description |
|---|---|---|
| `-oN` | `nmap 192.168.1.1 -oN normal.file` | Normal output to the file normal.file |
| `-oX` | `nmap 192.168.1.1 -oX xml.file` | XML output to the file xml.file |
| `-oG` | `nmap 192.168.1.1 -oG grep.file` | Grepable output to the file grep.file |
| `-oA` | `nmap 192.168.1.1 -oA results` | Output in the three major formats at once |
| `-oG -` | `nmap 192.168.1.1 -oG -` | Grepable output to screen. `-oN -` and `-oX -` are also usable |
| `--append-output` | `nmap 192.168.1.1 -oN file.file --append-output` | Append a scan to a previous scan file |
| `-v` | `nmap 192.168.1.1 -v` | Increase the verbosity level (use `-vv` or more for greater effect) |
| `-d` | `nmap 192.168.1.1 -d` | Increase the debugging level (use `-dd` or more for greater effect) |
| `--reason` | `nmap 192.168.1.1 --reason` | Display the reason a port is in a particular state; same output as `-vv` |
| `--open` | `nmap 192.168.1.1 --open` | Only show open (or possibly open) ports |
| `--packet-trace` | `nmap 192.168.1.1 -T4 --packet-trace` | Show all packets sent and received |
| `--iflist` | `nmap --iflist` | Shows the host interfaces and routes |
| `--resume` | `nmap --resume results.file` | Resume a scan |
Helpful Nmap Output examples

| Command | Description |
|---|---|
| `nmap -p80 -sV -oG - --open 192.168.1.1/24 \| grep open` | Scan for web servers and grep to show which IPs are running web servers |
| `nmap -iR 10 -n -oX out.xml \| grep "Nmap" \| cut -d " " -f5 > live-hosts.txt` | Generate a list of the IPs of live hosts |
| `nmap -iR 10 -n -oX out2.xml \| grep "Nmap" \| cut -d " " -f5 >> live-hosts.txt` | Append IPs to the list of live hosts |
| `ndiff scan1.xml scan2.xml` | Compare output from nmap using ndiff |
| `xsltproc nmap.xml -o nmap.html` | Convert nmap XML files to HTML files |
| `grep " open " results.nmap \| sed -r 's/ +/ /g' \| sort \| uniq -c \| sort -rn \| less` | Reverse sorted list of how often ports turn up |
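The first pipeline above relies on `grep open`, which on grepable output also matches the `open|filtered` state that `--open` keeps, so a host can be listed as a web server when the port was merely not proven closed. The following shell functions are an added example, not the cheat sheet's own commands: they parse the `Host:` / `Ports:` fields of `-oG` output with awk and only count a port when its state is exactly `open`. The sample input is constructed to look like `-oG` output for a scan of documentation addresses (192.0.2.0/29) and is not real scan data; `hosts_with_open_port`, `hosts_up` and `open_port_frequency` are helper names chosen for this example.

```shell
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output properly instead of a
# bare "grep open". Not the cheat sheet's own code. The sample below is
# constructed (documentation addresses, invented results).

sample_grepable() {
    printf '# Nmap 7.94 scan initiated as: nmap -sS -sU -p T:22,80,443,U:53 -oG - --open 192.0.2.0/29\n'
    printf 'Host: 192.0.2.1 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (2)\n'
    printf 'Host: 192.0.2.2 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.2 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (2)\n'
    printf 'Host: 192.0.2.3 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.3 ()\tPorts: 22/open/tcp//ssh///, 53/open|filtered/udp//domain///\tIgnored State: closed (2)\n'
    printf 'Host: 192.0.2.4 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.4 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (3)\n'
    printf '# Nmap done -- 8 IP addresses (4 hosts up) scanned in 2.10 seconds\n'
}

# Print each host (from -oG input on stdin) that has PORT in state "open".
# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/.
hosts_with_open_port() {
    awk -v want="$1" '
    /Ports: / {
        rest = $0
        sub(/.*Ports: /, "", rest)            # keep only the port list
        sub(/[ \t]Ignored State:.*/, "", rest)
        n = split(rest, items, ", ")
        for (i = 1; i <= n; i++) {
            split(items[i], f, "/")
            if (f[1] == want && f[2] == "open") { print $2; break }
        }
    }'
}

# Print the addresses Nmap reported as up, once each.
hosts_up() {
    awk '/Status: Up/ && !seen[$2]++ { print $2 }'
}

# Count how often each port/proto is definitely open, most common first
# (the -oG equivalent of the "grep open | uniq -c | sort -rn" row above).
open_port_frequency() {
    awk '
    /Ports: / {
        rest = $0
        sub(/.*Ports: /, "", rest)
        sub(/[ \t]Ignored State:.*/, "", rest)
        n = split(rest, items, ", ")
        for (i = 1; i <= n; i++) {
            split(items[i], f, "/")
            if (f[2] == "open") count[f[1] "/" f[3]]++
        }
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Usage: nmap -p22,80,443 -oG - --open 192.168.1.0/24 | hosts_with_open_port 80
# or, offline: sample_grepable | open_port_frequency
```

With the constructed sample, `hosts_with_open_port 80` lists 192.0.2.1 and 192.0.2.2, `hosts_with_open_port 53` lists nothing because the only hit is `open|filtered`, and `open_port_frequency` puts `22/tcp` first with three hosts.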
Miscellaneous Options

| Switch | Example | Description |
|---|---|---|
| `-6` | `nmap -6 2607:f0d0:1002:51::4` | Enable IPv6 scanning |
| `-h` | `nmap -h` | nmap help screen |
Other Useful Nmap Commands

| Command | Description |
|---|---|
| `nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn` | Discovery only on ports x, no port scan |
| `nmap 192.168.1.1-1/24 -PR -sn -vv` | ARP discovery only on the local network, no port scan |
| `nmap -iR 10 -sn --traceroute` | Traceroute to random targets, no port scan |
| `nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1` | Query the internal DNS for hosts, list targets only |
`nmap -Pn -sS -T5 -p- -oA nmap_basic_all 192.168.235.132`

-Pn: The -Pn flag prevents host discovery pings and just assumes the host is up. In this case, I know the host is up because I'm hosting it locally.
-sS: The -sS flag is for a SYN scan.
-T5: The next flag, -T5, tells nmap to scan REALLY fast.
-oA: The last flag, -oA, tells nmap to output all formats and name them "nmap_basic_all" with the proper extension.

The first exploit is on port 21, vsftpd 2.3.4. This is one of my favorites because it's so easy to exploit.