Farid Ahmadian / General

Nmap Notes

Public Domain


nmap : Network Mapper (http://nmap.org)

Zenmap : Nmap GUI

Scanning :
  host discovery (network mapping)
  operating system detection
  active ports
  services & version detection

Common options

Help :                  nmap -h
Normal scan :           nmap 127.0.0.1
Verbose :               nmap -v 127.0.0.1
No DNS resolve :        nmap -v -n 127.0.0.1
Do DNS resolve :        nmap -v -R 127.0.0.1
Version Scan :          nmap -v -n -sV 127.0.0.1
Port numbers :          nmap -v -n -sV -p1-65535 127.0.0.1 
Skip ping (P0) :        nmap -v -n -sV -p1-65535 -PN 127.0.0.1 
Ping scan :             nmap -v -n -sP 192.168.1.0/24 
Normal output file :    nmap -v -n -sP -oN up-hosts 192.168.1.0/24
Grepable output file :  nmap -v -n -sP -oG up-hosts 192.168.1.0/24
List IPs :              echo $(grep "Host:" up-hosts  | awk '{print$2}') > IPs
Scan IP List :          nmap -v -n -iL IPs > net-scan-info

OS detection, Version detection, Script scanning, Traceroute

nmap -v -n -A -iL IPs > OS-Svc-info

Version detection (/usr/share/nmap/nmap-service-probes)

   nmap -sV 172.16.20.2
      --allports
      --version-intensity    0-9 / default 7
      --version-all          intensity 9
      --version-light        quick - intensity 2
      --version-trace        debug info

OS detection only

nmap -O 127.0.0.1

   --osscan-limit  at least one open port and one closed port
   --osscan-guess  aggressively guess
   --max-os-tries  1      [5 or 2]

Optimization

-T0        Paranoid        5 min
-T1        Sneaky          15 Sec
-T2        Polite          0.4
-T3        Normal          parallel
-T4        Aggresive       10 ms
-T5        insane          5 ms

Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second

Custom TCP scan

nmap  --scanflags SYN  -PN -n -p135 192.168.194.17

--scanflags URGACKPSHRSTSYNFIN :  URG ACK PSH RST SYN FIN

Target Specifcation

nmap 192.168.1.0/24 
nmap 192.168.100.10-25 
nmap myhost.xyz.com

nmap 192.168.3-5,7.1

     192.168.3.1
     192.168.4.1
     192.168.5.1
     192.168.7.1

nmap 192.168.5,10,15-16.10,20

     192.168.5.10
     192.168.5.20
     192.168.10.10
     192.168.10.20
     192.168.15.10
     192.168.15.20
     192.168.16.10
     192.168.16.20

nmap -n -v -sP -PE 192.168.2,1,3-7.-

      192.168.2.0-255
      192.168.1.0-255
      192.168.3.0-255
      192.168.4.0-255
      192.168.5.0-255 
      192.168.6.0-255
      192.168.7.0-255

nmap 0-255.0-255.13.37
   Internet-wide scan for all IP addresses ending in 13.37

nmap -n -v -sP --exclude 192.168.1.11-13,192.168.1.15 192.168.1.7-16

     192.168.1.7
     192.168.1.8
     192.168.1.9
     192.168.1.10
     192.168.1.14
     192.168.1.16

nmap -n -v -sP --excludefile filename.txt 192.168.0.0/16
    (tab, space, or newline delimited)

Port Specification (/usr/share/nmap/nmap-services)

-r: Scan ports consecutively - donīt randomize
      nmap -r -n -v --reason 127.0.0.1

single Port :   nmap -p80 192.168.1.0/24
Port range :    nmap -p130-140 192.168.1.100
start from 1 :  nmap -p-100 192.168.1.100
to 65535     :  nmap -p60000- 192.168.1.100
from 1 to 65535 : nmap -p- 192.168.1.100
different tcp/udp ports :  nmap -sU -sS -p U:53,T:80,134-139 192.168.1.100

port name :
  egrep '^http' /usr/share/nmap/nmap-services
  nmap -p ftp,http* 192.168.1.100

port range from file : 
  nmap -p[6000-6100] 192.168.100.0/24

Fast scan / fewer ports :
  nmap -F 192.168.1.100 

custome nmap-services :
  nmap --servicedb /root/my-services 172.16.20.2

IP Protocol scan :
  nmap -sO 172.16.20.2

Host discovery

ICMP echo request :(8->0)              nmap -n -v -sP -PE 192.168.194.18
ICMP timestamp request :(13-14)        nmap -n -v -sP -PP 192.168.194.18
ICMP address mask request:(17-18)      nmap -n -v -sP -PM 192.168.194.18
ARP ping :                             nmap -n -v -sP -PR 172.16.20.2
Disable ARP ping :                     nmap -n -v -sP --send-ip 172.16.20.2
TCP SYN ping :(SYN/ACK-RST)            nmap -n -v -sP -PS80 --reason 192.168.194.18
TCP ACK ping :(RST)                    nmap -n -v -sP -PA80 --reason 192.168.194.18
UDP ping (close/31338/ICMP udp port unreachable) nmap -n -v -sP -PU --reason 192.168.194.18 
Discovery :                            nmap -n -v -sP -PS -PA -PU 192.168.194.18
IP ping :                              nmap -n -v -sP -PO1 192.168.194.18 
  1 ICMP
  2 IGMP
  4 IP-IP
No ping : -PN (-P0)  Diable Host Discovery
List targets : (DNS)                   nmap -sL 4.2.2.1-6
--dns-servers <srv1[,srv2],...>
--system-dns

Discovery using TCP SYN 80 without ping

nmap -n -v -sP -PN -PS 192.168.2.0/24

Basic Port Scanning

Open / Closed / Filtered / Unfiltered / Open|filtered / Closed|filtered

TCP SYN : (SYN/ACK - RST)              nmap -sS 127.0.0.1
TCP connection scan :                  nmap -sT 127.0.0.1
UDP scan : (open|filtered)             nmap -sU 127.0.0.1
IP protocol scan :                     nmap -sO 127.0.0.1


TCP SYN / all ports                    nmap -p1-65535 -sS 127.0.0.1
TCP SYN / version scan / all ports     nmap -v -sV -p1-65535 -sS 127.0.0.1


TCP SYN / display the reason a port state 
                                       nmap -n -v --reason -sS 172.16.20.2

Traceroute

nmap -n -v --traceroute -sS -sP 172.16.20.2

Advanced Port Scanning

Any packet not containing a SYN, RST, or ACK flag, will result in a returned RST if the port is closed and no response if the port is open (reported as open|filtered).

TCP Null  : (RST:Close ; "":Open|Filter)         nmap -p80 -n -v -sN 172.16.20.2
TCP FIN   : (RST:Close ; F:Open|Filtered)        nmap -p80 -n -v -sF 172.16.20.2
TCP Xmas  : (RST:Close ; FPU:open|Filter)        nmap -p80 -n -v -sX 172.16.20.2

Firewall scan :

TCP ACK:(RST:Unfiltered ; "" or ICMP ERR:Filter) nmap -p80 -n -v -sA 172.16.20.2

TCP Idle Scan (-sI):
http://nmap.org/book/idlescan.html

Idle scan : nmap -p80 -n -v --send-ip -PN -sI 172.16.20.3 172.16.20.2 

* TCP SYN SCAN : SYN/ACK = Open RST = Close
* unsolicited SYN/ACK : RST
* unsolicited RST : ignored
* IP packet : fragment identification number (IP ID) : 
    how many packets have been sent since the last probe.

Open Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN)
Target -> Zombie (SYN/ACK)
Zombie -> Target (RST IPID=31338)
Scanner -> Zombie (SYN/ACK IPID=31339)

Close Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN)
Target -> Zombie (RST/Ignore)
Scanner -> Zombie (SYN/ACK IPID=31338)

Filter Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN/No response)
Scanner -> Zombie (SYN/ACK IPID=31338)

Another stealthy scan method is the FTP bounce scan (-b). The FTP bounce scan uses the FTP proxy feature on an FTP server to scan a target from the FTP server instead of your system. The FTP proxy feature allows you to log into an FTP server and request a ?le to be sent to another system. By sending ?les to a target system and port you can determine whether a port is open or closed. Most FTP servers no longer support this functionality, but some are still available. The FTP bounce scan can be used to bypass ?rewalls by scanning from an organization?s FTP server, which may be on an internal network, or allowed to the internal network by the ?rewall rules.


Bookmarks

Nmap Network Scanning
A tcpdump Tutorial and Primer
A TCP Tutorial
TRANSMISSION CONTROL PROTOCOL / RFC 793
SecTools.Org: Top 125 Network Security Tools
ike-scan: IPSec VPN scanning, fingerprinting and testing tool
Tcpdump : Capturing TCP packets with particular flag combinations
http://www.amap.no/


BY: Pejman Moghadam
TAG: nmap
DATE: 2013-01-15 12:08:54


Farid Ahmadian / General [ TXT ]

With many thanks and best wishes for dear Pejman Moghadam, someone who taught me alot in linux and life :)