----------LIVE-HOST-DISCOVERY----------
12:37 PM 11/3/2025 |
---------------------------------------
Enumerating targets
• nmap -sL == LIST scan: a SIMPLE LISTING of every IP it would scan, without actually scanning them
• nmap -sn == NO follow-on PORT SCAN (host discovery only)
• nmap -F == Fast, decreases from the top 1000 ports to the top 100
• nmap -r == scan ports in consecutive numerical order instead of the default random order
ARP Enumeration
• {nmap -PR $IP/24} OR {arp-scan $IP/24} == ARP SCAN instead of a ping scan (Nmap's default on a local subnet)
ICMP Enumeration
• nmap -PE $IP/24 == uses ICMP ECHO request
• nmap -PP $IP/24 == uses ICMP TIMESTAMP requests
• nmap -PM $IP/24 == uses ICMP ADDRESS MASK requests
TCP and UDP Enumeration
• nmap -PS$PORT $IP == TCP SYN Ping
• nmap -PA$PORT $IP == TCP ACK Ping
• nmap -PU $IP == UDP Ping
• masscan $IP -pPORTS == specifying a port/ports
Reverse-DNS Lookup
• nmap -n == NO DNS lookup (NEVER resolve)
• nmap -R == query DNS even for offline hosts (ALWAYS resolve)
• nmap --dns-servers SERVER1,SERVER2 == specify which DNS server(s) to query
----------Basic-Port-Scans----------
1:34 PM 11/3/2025 |
------------------------------------
How many port states does Nmap consider?
A: 6
NMAP Port states
• Open: a service is listening
• Closed: no service is listening, but the port is not blocked by a firewall
• Filtered: blocked by a firewall; unknown whether the port is open or closed (BLOCKED)
• Unfiltered: undetermined, although the port is not blocked (encountered when using nmap -sA)
• Open|Filtered: cannot determine whether the port is open or filtered
• Closed|Filtered: cannot decide whether the port is closed or filtered
TCP Flags
• URG: Urgent flag
• ACK: Acknowledgment flag
• PSH: Push flag
• RST: Reset flag
• SYN: Synchronize flag
• FIN: Finished flag
TCP Connect Scan
• nmap -sT $IP == SYN, SYN/ACK, ACK, RST (completes the three-way handshake, then resets)
TCP Syn Scan
• nmap -sS $IP == SYN, SYN/ACK, RST (default scan when running nmap as root)
UDP Scan
• nmap -sU $IP == OPEN = UDP packet, NO RESPONSE | CLOSED = UDP packet, ICMP Type 3 Code 3 (port unreachable)
Fine-Tuning Scope and Performance
• nmap -p PORTS == specifying port/ports
• nmap -T<0-5> == scan timing, 0=slowest 5=fastest
• nmap --top-ports <1-9999> == change how many of the top ports it checks
• nmap --max-rate 10 == will not send more than 10 packets per second (also --min-rate 10)
• nmap --min-parallelism 64 == will run at least 64 probes in parallel
----------Advanced-Port-Scans---------
3:03 PM 11/3/2025 |
--------------------------------------
TCP Null, FIN, Xmas
• nmap -sN == NULL scan, sends a packet with no flags, (all six bits are set to 0)
If no response then the port is open. If a RST,ACK is sent back then the port is closed.
• nmap -sF == FIN scan, sends a packet with only the FIN flag
If no response then the port is open. If a RST,ACK is sent back then the port is closed.
• nmap -sX == XMAS scan, sends a packet with the FIN,PSH,URG flags
If no response then the port is open. If a RST,ACK is sent back then the port is closed.
These scans are used when scanning a target behind a STATELESS firewall (non-stateful)
(stateless firewalls detect connection attempts by checking packets for the SYN flag)
TCP Maimon Scan
• nmap -sM == Maimon scan (rarely used, open and closed ports give the same response on modern systems)
TCP ACK, Window, and Custom Scan
• nmap -sA == ACK scan, sends a packet with the ACK flag (USEFUL WHEN THE HOST IS BEHIND A FIREWALL)
this scan will show you which ports are/are not filtered
• nmap -sW == Window scan, similar to but better than the ACK scan
• nmap --scanflags RSTSYNFIN (or any other flag combination) == Custom scan, you set the individual flags yourself
Spoofing and Decoys
• nmap -e NET_INTERFACE -Pn -S SPOOFED_IP $IP == SPOOFING the source IP
-e specifies the interface, -Pn disables the ping scan, and -S sets the spoofed source address
The attacker needs to monitor the network traffic to analyze the replies.
• nmap --spoof-mac SPOOFED_MAC $IP == MAC SPOOFING, only works when on the same subnet
• nmap -D DECOYIP1,DECOYIP2,RND,RND,ME $IP == Using decoys
(DECOYIP1 = a specified IP, RND = a randomly generated IP, ME = your real address)
Fragmented Packets
• A traditional firewall inspects packets at least at the IP level and the transport-layer header
• An intrusion detection system (IDS) inspects packets for behavioral patterns or content signatures.
An IDS also looks at the data contents in the transport layer for malicious patterns.
This is why you might fragment the packets.
• nmap -f == fragment packets into 8-byte fragments (-ff splits the data into 16-byte fragments instead of 8)
• nmap --mtu NUM == another way to change the fragment size from the default
Idle/Zombie scan
• nmap -sI ZOMBIE_IP $IP == IDLE scan, the ZOMBIE_IP must be an "idle" host
Getting more Details
• nmap --reason == provides more details about its conclusions
• nmap <-v,-vv,-vvv> == increasing levels of verbosity
• nmap <-d,-dd> == debugging details
EXTRA
• nmap --source-port PORT_NUM == specify the source port #
• nmap --data-length NUM == append random data to reach the given length
----------Post-Port-Scans----------
4:38 PM 11/3/2025 |
-----------------------------------
Service Detection
• nmap -sV == Service detection
• nmap -sV --version-intensity <0-9> == 0=lightest, 9=hardest
(--version-light =2, --version-all =9)
OS Detection and Traceroute
• nmap -O == OS Detection
• nmap -O --osscan-guess == Guess OS more aggressively
• nmap --traceroute == traceroute (or tracert in Windows)
Nmap Scripting Engine (NSE)
• located in "/usr/share/nmap/scripts"
• the scripts are written in Lua
• nmap --script=SCRIPT_NAME == choose a script from the *.nse location
• nmap --script "SCRIPT_NAME" == same as above
• nmap -sC == run the default (basic) set of scripts
Saving the Output
• Three main formats (.nmap, .gnmap, .xml)
• nmap -oN FILE_NAME == Normal = .nmap
• nmap -oG FILE_NAME == Grepable = .gnmap
• nmap -oX FILE_NAME == XML = .xml