Nmap, short for Network Mapper, is an open source security tool for network exploration, security scanning and auditing. It was originally written by Gordon Lyon, AKA Fyodor, and first published in September 1997 in Phrack Magazine, with the source code included.
It uses raw IP packets in novel ways to determine which hosts are available on the network, which services those hosts are running, which operating systems they run, what type of packet filters/firewalls are in use, and much more.
Nmap has even made an appearance in a few movies, including The Matrix Reloaded, where Trinity, needing to hack the city power grid, whips out Nmap, uses it to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 exploit from 2001. There are more films of course, such as The Bourne Ultimatum, The Girl with the Dragon Tattoo and Live Free or Die Hard, and even the computer game Hacknet.
First, a few commands that I consider essential.
1. nmap -sP 192.168.0.1/24
This command, also known as a "ping scan", tells Nmap to send an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to every host in the specified subnet. Nmap then returns the list of IPs that responded.
This command does not require root; when run as root, however, Nmap will additionally send ARP requests.
2. nmap 192.168.0.1/24
The default scan, which looks for open ports. Nmap attempts a TCP SYN connection to the 1000 most common ports and sends an ICMP echo request to determine whether the host is up. In addition, a DNS lookup is performed, which may give us some useful information. No root required.
3. nmap -T4 -F 192.168.0.100
A fast scan that looks only at the 100 most common ports. No root required.
4. nmap -sS -sU -Pn -p- 192.168.0.100
A TCP SYN and UDP scan, which is relatively unobtrusive and stealthy. The -Pn flag skips the ping scan and assumes all hosts are up (very useful when a firewall is blocking ICMP replies). In addition, -p- scans all 65535 ports.
5. nmap -v -sS -A -T4 192.168.0.100
This command runs a TCP SYN scan with OS and version detection plus traceroute, uses T4 timing and prints verbose output.
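As an added example, not from the original post: a small Python parser for the greppable output (`-oG`) that a ping sweep like command 1 produces, used to compare two sweeps of the same subnet so that hosts appearing on (or vanishing from) the network stand out, which is the defender's everyday use of a ping scan. The sample sweeps are constructed; the `-sn` in their comment lines is the current spelling of `-sP`, which Nmap still accepts as an alias.

```python
import re

# Constructed sample of greppable (-oG) output from two ping sweeps of the same
# subnet taken a day apart. Fields on a "Host:" line are tab-separated.
SWEEP_MONDAY = """\
# Nmap 7.94 scan initiated Mon Jun  3 08:00:01 2024 as: nmap -sn -oG - 192.168.0.1/24
Host: 192.168.0.1 (router.lan)\tStatus: Up
Host: 192.168.0.10 (nas.lan)\tStatus: Up
Host: 192.168.0.23 ()\tStatus: Up
# Nmap done at Mon Jun  3 08:00:04 2024 -- 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

SWEEP_TUESDAY = """\
# Nmap 7.94 scan initiated Tue Jun  4 08:00:01 2024 as: nmap -sn -oG - 192.168.0.1/24
Host: 192.168.0.1 (router.lan)\tStatus: Up
Host: 192.168.0.23 ()\tStatus: Up
Host: 192.168.0.77 ()\tStatus: Up
# Nmap done at Tue Jun  4 08:00:04 2024 -- 256 IP addresses (3 hosts up) scanned in 2.47 seconds
"""

# "Host: <ip> (<hostname-or-empty>)" is the first tab-separated field of every host line.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_greppable_hosts(text):
    """Return {ip: hostname} for every host reported 'Up' in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '#' header/footer lines carry no host data
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if m is None:
            continue
        status = next((f for f in fields[1:] if f.startswith("Status:")), "Status: Unknown")
        if status.split(":", 1)[1].strip() == "Up":
            hosts[m.group(1)] = m.group(2)
    return hosts


def diff_sweeps(before, after):
    """Hosts that appeared in, or disappeared from, the subnet between two sweeps."""
    old = parse_greppable_hosts(before)
    new = parse_greppable_hosts(after)
    return {"new": sorted(set(new) - set(old)), "gone": sorted(set(old) - set(new))}


if __name__ == "__main__":
    for kind, ips in diff_sweeps(SWEEP_MONDAY, SWEEP_TUESDAY).items():
        print(kind, ips)
```

The comparison is keyed on IP address only; on a subnet with DHCP a host that changes address will show up as both gone and new, so for a real inventory you would key on the MAC (which Nmap prints for hosts on the local link when run as root) where it is available.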
| Target / ports | Description |
|---|---|
| 192.168.0.1 | Scan a single IPv4 address |
| AABB:CCDD::FF%eth0 | Scan a single IPv6 address |
| 192.168.0.1-15 | Scan a range of IPs |
| 192.168.0.1/24 | Scan a subnet |
| www.hostname.com | Scan a hostname |
| -iL list.txt | Scan targets listed in a text file |
| -p 22 192.168.0.1 | Scan a single port |
| -p 1-100 192.168.0.1 | Scan a range of ports |
| -F 192.168.0.1 | Scan the 100 most common ports |
| -p- 192.168.0.1 | Scan all 65535 ports |
| -p U:PORT 192.168.0.1 | Scan UDP ports, e.g. U:53,U:110 |
| -r 192.168.0.1 | Do not randomize port order |
| Host discovery | Description |
|---|---|
| -Pn | Assume all hosts are up |
| -PS/PA/PU/PY[portlist] | TCP SYN/ACK, UDP or SCTP port probing |
| -PE/PP/PM | ICMP echo, timestamp and netmask probing |
| Timing and performance | Description |
|---|---|
| -T0 | Paranoid: very slow, used for IDS evasion |
| -T1 | Sneaky: quite slow, used for IDS evasion |
| -T2 | Polite: runs around 10 times slower than normal, used to save bandwidth |
| -T3 | Normal: a dynamic timing model based on target responsiveness |
| -T4 | Aggressive: assumes a fast and reliable network |
| -T5 | Insane: fastest option, will likely overwhelm targets or miss open ports |
|  | Adjust delay between probes |
| --host-timeout TIME | Give up on a target after the specified time |
|  | Parallel host scan group sizes |
|  | Specify probe round-trip time |
| --max-retries TRIES | Cap the number of port scan probe retransmissions |
| --min-rate NUMBER | Send packets no slower than NUMBER per second |
| --max-rate NUMBER | Send packets no faster than NUMBER per second |
| Scan type | Description |
|---|---|
| -sS | TCP SYN scan |
| -sN | TCP NULL scan |
Service Version Detection
| Option | Description |
|---|---|
| --version-intensity INTENSITY | Set intensity from 0 (light) to 9 (try all probes) |
| --version-trace | Show detailed version scan activity |
| -O | Enable OS detection |
| --osscan-limit | Limit OS detection to promising targets only |
| --osscan-guess | Guess the OS more aggressively |
Firewall/IDS Evasion and Spoofing
| Option | Description |
|---|---|
| -S IP | Spoof IP address |
| --spoof-mac MAC | Spoof MAC address |
| --data-length NUM | Append random data to packets |
|  | Use given port number |
| -D decoy1,decoy2,ME | Cloak a scan with decoys |
| --badsum | Send packets with a bogus TCP/UDP/SCTP checksum |
| --ttl VALUE | Set the IP time-to-live field |
First, let's look at the different script categories in Nmap.
auth - utilize credentials or bypass authentication on target hosts.
broadcast - discover hosts not included on the command line by broadcasting on the local network.
brute - attempt to guess passwords on target systems, for a variety of protocols, including HTTP, SNMP, IAX, MySQL, VNC, etc.
default - scripts run automatically when -sC or -A are used.
discovery - try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
dos - may cause denial of service conditions on target hosts.
exploit - attempt to exploit target systems.
external - interact with third-party systems not included in the target list.
fuzzer - send unexpected input in network protocol fields.
intrusive - may crash the target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
malware - look for signs of malware infection on the target hosts.
safe - designed not to impact the target in a negative fashion.
version - measure the version of software or protocol spoken by target hosts.
vuln - check whether target systems have a known vulnerability.
| Option | Description |
|---|---|
| -sC | Run default scripts |
| --script="category" | Run the given script category or script file |
| --script-updatedb | Update the script database |
| --script-help="category" | Show help for the given category |
| Option | Description |
|---|---|
| -oN | Standard Nmap output |
| -oA NAME | Generate normal, greppable and XML output files, using NAME for the file names |
| -n | Disable reverse DNS lookups |
| -6 | Use IPv6 only |
| -A | Aggressive scan: OS detection, version detection, default-category script scanning and traceroute |
| --reason | Display the reason Nmap thinks a port is open, closed or filtered |
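As an added example, not from the original post: the XML output that `-oX` (or the `.xml` file from `-oA`) writes is the format to build on when scan results feed a script rather than a pair of eyes. The Python below, using only the standard library's `xml.etree`, reads one host's results including the `--reason` field and the per-port output of `-sC` scripts, and then checks the open ports against an allow-list of services that are supposed to be exposed, reporting anything else. The XML document and the allow-list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output for a scan run with -sS -sV -sC --reason
# against one host. It is not real scan data.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -sC --reason -oX - 192.168.0.100" version="7.94">
<host>
<status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.0.100" addrtype="ipv4"/>
<hostnames><hostname name="web01.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="80">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
<script id="http-title" output="Welcome to nginx!"/>
</port>
<port protocol="tcp" portid="3389">
<state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="ms-wbt-server" method="table" conf="3"/>
</port>
</ports>
</host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn Nmap XML into a list of host dicts with their ports, services and script output."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    hosts = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        hn = host.find("hostnames/hostname")
        status = host.find("status")
        entry = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostname": hn.get("name") if hn is not None else "",
            "up": status is not None and status.get("state") == "up",
            "ports": [],
        }
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else None,
                # The reason attribute is what --reason prints (e.g. syn-ack, reset, no-response).
                "reason": state.get("reason") if state is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # Per-port NSE script results from -sC / --script, keyed by script id.
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        hosts.append(entry)
    return hosts


def unexpected_open_ports(hosts, allowlist):
    """Open ports not in allowlist {addr: {(proto, port), ...}}; a host missing from the
    allow-list is allowed nothing, so every open port on it is reported."""
    findings = []
    for h in hosts:
        allowed = allowlist.get(h["addr"], set())
        for p in h["ports"]:
            if p["state"] == "open" and (p["proto"], p["port"]) not in allowed:
                findings.append((h["addr"], p["proto"], p["port"], p["service"], p["reason"]))
    return findings


if __name__ == "__main__":
    # Constructed allow-list: web01 is supposed to expose SSH and HTTP only.
    expected = {"192.168.0.100": {("tcp", 22), ("tcp", 80)}}
    for finding in unexpected_open_ports(parse_nmap_xml(SAMPLE_XML), expected):
        print("unexpected open port:", finding)
```

In the sample, the RDP port 3389 is reported because it is open but not on the allow-list; its `reason_ttl` of 128 next to 64 on the other ports is also the kind of detail that is easy to miss in normal output but worth a look, since it suggests the answer came from a different network stack than the host's SSH and HTTP services.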
Last words and references
First, I can recommend this great piece of information, Nmap Network Scanning (digital version), which covers a lot of topics in this amazing tool. In addition, I will keep this cheat sheet as up to date as possible, with new content coming as soon as I learn more, so stay tuned!
Keep learning and stay safe! ~ W3ndige