Pejman Moghadam / General

Nmap Notes

Public Domain

nmap : Network Mapper

Zenmap : Nmap GUI

Scanning :
  host discovery (network mapping)
  operating system detection
  active ports
  services & version detection

Common options

Help :                  nmap -h
Normal scan :           nmap
Verbose :               nmap -v
No DNS resolve :        nmap -v -n
Do DNS resolve :        nmap -v -R
Version Scan :          nmap -v -n -sV
Port numbers :          nmap -v -n -sV -p1-65535 
Skip ping (P0) :        nmap -v -n -sV -p1-65535 -PN 
Ping scan :             nmap -v -n -sP 
Normal output file :    nmap -v -n -sP -oN up-hosts
Grepable output file :  nmap -v -n -sP -oG up-hosts
List IPs :              grep "Status: Up" up-hosts | awk '{print $2}' > IPs
Scan IP List :          nmap -v -n -iL IPs > net-scan-info
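
Added example (not part of the original notes): parsing grepable (-oG) output into a list of live hosts and an inventory of open ports. With -v, down hosts are also written to the file, so the filter matches on "Status: Up"; the sample data and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of "nmap -oG" output; fields are tab-separated and the
# addresses are documentation-range placeholders, not real scan data.
sample_grepable() {
  printf '# Nmap scan (constructed sample)\n'
  printf 'Host: 192.0.2.1 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf 'Host: 192.0.2.2 ()\tStatus: Down\n'
  printf 'Host: 192.0.2.3 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.3 ()\tPorts: 53/open/udp//domain///, 161/open|filtered/udp//snmp///\n'
}

# up_hosts [FILE...]: print each address whose status field is exactly "Up".
up_hosts() {
  awk -F'\t' '$2 == "Status: Up" { split($1, h, " "); print h[2] }' "$@" | sort -u
}

# open_ports [FILE...]: print "address port/proto service" for open ports only.
# Each Ports entry is port/state/protocol/owner/service/rpcinfo/version/.
open_ports() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " ")
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        list = substr($i, 8)                 # drop the "Ports: " label
        n = split(list, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open") print h[2], f[1] "/" f[3], f[5]
        }
      }
    }' "$@"
}

sample_grepable | up_hosts
sample_grepable | open_ports
```

Both functions read the named files, or standard input when none is given, so "up_hosts up-hosts > IPs" produces the list used by -iL.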

OS detection, Version detection, Script scanning, Traceroute

nmap -v -n -A -iL IPs > OS-Svc-info

Version detection (/usr/share/nmap/nmap-service-probes)

   nmap -sV
      --version-intensity    0-9 / default 7
      --version-all          intensity 9
      --version-light        quick - intensity 2
      --version-trace        debug info

OS detection only

nmap -O

   --osscan-limit  at least one open port and one closed port
   --osscan-guess  aggressively guess
   --max-os-tries  1      [5 or 2]


-T0        Paranoid        5 min
-T1        Sneaky          15 Sec
-T2        Polite          0.4
-T3        Normal          parallel
-T4        Aggressive      10 ms
-T5        Insane          5 ms

Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second

Custom TCP scan

nmap  --scanflags SYN  -PN -n -p135


Target Specification


nmap 192.168.3-5,7.1

nmap 192.168.5,10,15-16.10,20

nmap -n -v -sP -PE 192.168.2,1,3-7.-

nmap 0-255.0-255.13.37
   Internet-wide scan for all IP addresses ending in 13.37

nmap -n -v -sP --exclude,

nmap -n -v -sP --excludefile filename.txt
    (tab, space, or newline delimited)

Port Specification (/usr/share/nmap/nmap-services)

-r: Scan ports consecutively - don't randomize
      nmap -r -n -v --reason

single Port :   nmap -p80
Port range :    nmap -p130-140
start from 1 :  nmap -p-100
to 65535     :  nmap -p60000-
from 1 to 65535 : nmap -p-
different tcp/udp ports :  nmap -sU -sS -p U:53,T:80,134-139

port name :
  egrep '^http' /usr/share/nmap/nmap-services
  nmap -p ftp,http*

port range from file : 
  nmap -p[6000-6100]

Fast scan / fewer ports :
  nmap -F 

custom nmap-services :
  nmap --servicedb /root/my-services

IP Protocol scan :
  nmap -sO

Host discovery

ICMP echo request :(8->0)              nmap -n -v -sP -PE
ICMP timestamp request :(13-14)        nmap -n -v -sP -PP
ICMP address mask request:(17-18)      nmap -n -v -sP -PM
ARP ping :                             nmap -n -v -sP -PR
Disable ARP ping :                     nmap -n -v -sP --send-ip
TCP SYN ping :(SYN/ACK-RST)            nmap -n -v -sP -PS80 --reason
TCP ACK ping :(RST)                    nmap -n -v -sP -PA80 --reason
UDP ping (close/31338/ICMP udp port unreachable) nmap -n -v -sP -PU --reason 
Discovery :                            nmap -n -v -sP -PS -PA -PU
IP ping :                              nmap -n -v -sP -PO1 
  1 ICMP
  2 IGMP
  4 IP-IP
No ping : -PN (-P0)  Disable Host Discovery
List targets : (DNS)                   nmap -sL
--dns-servers <srv1[,srv2],...>

Discovery using TCP SYN 80 without ping

nmap -n -v -sP -PN -PS

Basic Port Scanning

Open / Closed / Filtered / Unfiltered / Open|filtered / Closed|filtered

TCP SYN : (SYN/ACK - RST)              nmap -sS
TCP connection scan :                  nmap -sT
UDP scan : (open|filtered)             nmap -sU
IP protocol scan :                     nmap -sO

TCP SYN / all ports                    nmap -p1-65535 -sS
TCP SYN / version scan / all ports     nmap -v -sV -p1-65535 -sS

TCP SYN / display the reason a port state 
                                       nmap -n -v --reason -sS


nmap -n -v --traceroute -sS -sP

Advanced Port Scanning

Any packet not containing a SYN, RST, or ACK flag, will result in a returned RST if the port is closed and no response if the port is open (reported as open|filtered).

TCP Null  : (RST:Close ; "":Open|Filter)         nmap -p80 -n -v -sN
TCP FIN   : (RST:Close ; F:Open|Filtered)        nmap -p80 -n -v -sF
TCP Xmas  : (RST:Close ; FPU:open|Filter)        nmap -p80 -n -v -sX

Firewall scan :

TCP ACK:(RST:Unfiltered ; "" or ICMP ERR:Filter) nmap -p80 -n -v -sA

TCP Idle Scan (-sI):

Idle scan : nmap -p80 -n -v --send-ip -PN -sI 

* TCP SYN SCAN : SYN/ACK = Open ; RST = Close
* unsolicited SYN/ACK : RST
* unsolicited RST : ignored
* IP packet : fragment identification number (IP ID) : 
    how many packets have been sent since the last probe.

Open Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN)
Target -> Zombie (SYN/ACK)
Zombie -> Target (RST IPID=31338)
Scanner -> Zombie (SYN/ACK IPID=31339)

Closed Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN)
Target -> Zombie (RST/Ignore)
Scanner -> Zombie (SYN/ACK IPID=31338)

Filtered Port on target :
Scanner -> Zombie (SYN/ACK IPID=31337)
Scanner (Zombie) -> Target (SYN/No response)
Scanner -> Zombie (SYN/ACK IPID=31338)
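
Added example (not part of the original notes): the IP ID arithmetic behind the three exchanges above, plus a check of whether a host you administer hands out predictable IP IDs and therefore exposes this side channel. Function names and the "incremental" bound of 9 are assumptions chosen for illustration.

```shell
#!/bin/sh
# idle_verdict BEFORE AFTER: interpret the zombie's IP ID before and after
# one spoofed SYN, following the three exchanges in the notes.
idle_verdict() {
  delta=$(( ($2 - $1 + 65536) % 65536 ))   # IP ID is 16 bits and wraps
  case $delta in
    1) echo "closed|filtered" ;;  # only the scanner's own probe used an ID
    2) echo "open" ;;             # zombie also sent a RST to the target
    *) echo "unreliable" ;;       # zombie not idle, or IP IDs not sequential
  esac
}

# ipid_class: read sampled IP IDs from stdin (one decimal value per line, in
# capture order) and classify how the host generates them. A host classed
# "incremental" leaks its packet count; randomized IP IDs remove the leak.
ipid_class() {
  awk '
    NR > 1 {
      d = ($1 - prev + 65536) % 65536
      if (d == 0) zero++
      else if (d <= 9) small++      # assumed bound for "incremental"
    }
    { prev = $1 }
    END {
      if (NR < 3)               print "insufficient"
      else if (small == NR - 1) print "incremental"
      else if (zero == NR - 1)  print "constant"
      else                      print "non-sequential"
    }'
}

idle_verdict 31337 31339    # values from the "open" exchange
idle_verdict 31337 31338    # values from the "closed" and "filtered" exchanges
printf '100\n101\n103\n104\n' | ipid_class   # constructed sample sequence
```

The closed and filtered exchanges give the same result because in both the zombie sends nothing between the two probes.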

Another stealthy scan method is the FTP bounce scan (-b). The FTP bounce scan uses the FTP proxy feature on an FTP server to scan a target from the FTP server instead of your system. The FTP proxy feature allows you to log into an FTP server and request a file to be sent to another system. By sending files to a target system and port you can determine whether a port is open or closed. Most FTP servers no longer support this functionality, but some are still available. The FTP bounce scan can be used to bypass firewalls by scanning from an organization's FTP server, which may be on an internal network, or allowed to the internal network by the firewall rules.



BY: Pejman Moghadam
TAG: nmap
DATE: 2013-01-15 12:08:54
