Nmap is one of the most important and most frequently used tools by hackers as well as system administrators. Although the official documentation does a good job of explaining it, this acts more like a cheat sheet for all the options, with a few tips for effective nmapping.
Default Scan:
To check if the host is alive, use the -sn flag (ping requests).
The -Pn flag can be used to scan the host without verifying if it is alive. It helps in cases where the system administrator has disabled replies to ping requests.
However, it does create a problem: while scanning a large block of networks with the -Pn switch activated, nmap is going to spend a large amount of time on each host, which is undesirable.
We can use --host-timeout followed by a time in minutes, e.g. --host-timeout 1m. In this case nmap will give up on the host if it is not confirmed alive within the specified time. Hence it is not recommended to set the value to a very small quantity like 1m.
The -PS port-number-here switch makes the scan a TCP SYN scan.
The -sT switch initiates the TCP connect scan.
The -sS switch initiates the SYN stealth scan.
The -sU switch initiates a UDP scan.
To use the Nmap scripts, use the -sC switch, which will automatically run the relevant NSE scripts according to the ports found open.
To run a specific script, use --script followed by the script name.
Service Version Scan
nmap target-ip-here -sV
Operating System Version Detection
nmap target-ip-here -O
To take the list of target IPs from a file, use the -iL option followed by the full path of the file.
Saving nmap scan output:
To save in normal format (almost the same as what is printed on the screen):
nmap target-ip-here -oN output-file-name-here
To save in a grepable format:
nmap target-ip-here -oG output-file-name-here
To save in the XML format:
nmap target-ip-here -oX output-file-name-here
To save in all the above three mentioned formats:
nmap target-ip-here -oA output-file-name-here
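The point of the grepable format is that it can be processed with ordinary text tools. As an added example (not part of the original post), here is a small POSIX shell function that pulls the open ports out of a file saved with -oG and prints one line per host and port; the scan lines it runs on are constructed sample output, not a real scan.

```shell
#!/bin/sh
# Added example: list open ports per host from an Nmap grepable (-oG) file.
# Each entry in the "Ports:" field has the layout port/state/proto/owner/service/rpc/version/
# and the top-level fields on a Host line are tab-separated.

open_ports() {
    # $1: path to a file written with nmap -oG
    awk -F'\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host)   # "Host: 192.0.2.10 (name)" -> "192.0.2.10"
            sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i
                sub(/^Ports: /, "", ports)
                n = split(ports, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] != "open") continue     # skip closed and filtered ports
                    line = host " " f[1] "/" f[3] " " f[5]
                    if (f[7] != "") line = line " " f[7]
                    print line
                }
            }
        }' "$1"
}

# Constructed sample of -oG output (not from a real scan) to run the function on.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.10 192.0.2.11' > "$SAMPLE"
printf 'Host: 192.0.2.10 ()\tStatus: Up\n' >> "$SAMPLE"
printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n' >> "$SAMPLE"
printf 'Host: 192.0.2.11 (host.example)\tPorts: 53/open/udp//domain///, 25/filtered/tcp//smtp///\n' >> "$SAMPLE"
printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 10.00 seconds' >> "$SAMPLE"

open_ports "$SAMPLE"
```

The same function works unchanged on a real -oG file, since Nmap replaces any "/" inside the version string with "|" so the per-port field layout stays fixed.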
Scan a port: use
To scan all ports use
To scan a range of ports
The reason flag --reason makes nmap print the logic behind classifying the port as open, closed or filtered.
The -sL flag gets reverse DNS lookups.
The scans can be made more verbose using -vvv, with the verbosity increasing with the number of v's. To make nmap less verbose than it usually is, we can use the
Timing is the key
To control the timing of the nmap scans, use -T followed by a number between 1 and 5, where 5 is the fastest.
nmap target-ip-here -T5
The default speed is set to 3. Running the scan at the highest speed has its own merits and demerits.
Nmap has support for packet tracing, which can be enabled for the scan using
When scanning a range of IPs, nmap automatically clusters them in blocks so that it scans those hosts in parallel; when a block is done it prints the results and moves on to the next block. If we are scanning a large group, we have to wait for the whole block to finish before seeing any output. In this case a smaller block is preferred. This can be controlled using the
For host discovery and ping sweeps the host group specifications are overridden by nmap with a very large number.
The parallelism can be increased or decreased using the --max-parallelism switches. This controls the number of probes being sent simultaneously.
These values are auto-optimised by nmap for efficient performance.
The probing rate itself can be controlled using the --scan-delay switch, which defines the time interval between two probes on a single host. The --max-scan-delay switch, used in conjunction, caps that delay to ensure that the rate doesn't fall below the specified minimum.
We can also have direct control over the number of packets sent by Nmap. They can be adjusted using the --min-rate and --max-rate switches, which can be used in conjunction to act as a range in which Nmap is supposed to pump out packets:
nmap target-ip-here --min-rate 50 --max-rate 100
This will give nmap a range between 50 and 100 packets per second.
Special scans (to be continued)