===== Target specification =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1%%'' | Scan a single IP |
| ''%%nmap 192.168.1.1 192.168.2.1%%'' | Scan specific IPs |
| ''%%nmap 192.168.1.1-254%%'' | Scan a range |
| ''%%nmap scanme.nmap.org%%'' | Scan a domain |
| ''%%nmap 192.168.1.0/24%%'' | Scan using CIDR notation |
| ''%%nmap -iL targets.txt%%'' | Scan targets from a file |
| ''%%nmap -iR 100%%'' | Scan 100 random hosts |
| ''%%nmap --exclude 192.168.1.1%%'' | Exclude listed hosts |

===== Nmap scan techniques =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1 -sS%%'' | TCP SYN port scan (default) |
| ''%%nmap 192.168.1.1 -sT%%'' | TCP connect port scan |
| ''%%nmap 192.168.1.1 -sU%%'' | UDP port scan |
| ''%%nmap 192.168.1.1 -sA%%'' | TCP ACK port scan |
| ''%%nmap 192.168.1.1 -sW%%'' | TCP Window port scan |
| ''%%nmap 192.168.1.1 -sM%%'' | TCP Maimon port scan |

===== Host discovery =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1-3 -sL%%'' | No scan. List targets only |
| ''%%nmap 192.168.1.1/24 -sn%%'' | Disable port scanning. Host discovery only. |
| ''%%nmap 192.168.1.1-5 -Pn%%'' | Disable host discovery. Port scan only. |
| ''%%nmap 192.168.1.1-5 -PS22-25,80%%'' | TCP SYN discovery on ports 22-25, 80 (port 80 by default) |
| ''%%nmap 192.168.1.1-5 -PA22-25,80%%'' | TCP ACK discovery on ports 22-25, 80 (port 80 by default) |
| ''%%nmap 192.168.1.1-5 -PU53%%'' | UDP discovery on port 53 (port 40125 by default) |
| ''%%nmap 192.168.1.1-1/24 -PR%%'' | ARP discovery on local network |
| ''%%nmap 192.168.1.1 -n%%'' | Never do DNS resolution |

===== Port specification =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1 -p 21%%'' | Port scan for port 21 |
| ''%%nmap 192.168.1.1 -p 21-100%%'' | Port scan for range 21-100 |
| ''%%nmap 192.168.1.1 -p U:53,T:21-25,80%%'' | Port scan multiple TCP and UDP ports |
| ''%%nmap 192.168.1.1 -p-%%'' | Port scan all ports |
| ''%%nmap 192.168.1.1 -p http,https%%'' | Port scan from service name |
| ''%%nmap 192.168.1.1 -F%%'' | Fast port scan (100 ports) |
| ''%%nmap 192.168.1.1 --top-ports 2000%%'' | Port scan the top 2000 ports |
| ''%%nmap 192.168.1.1 -p-65535%%'' | Leaving off the initial port in the range makes the scan start at port 1 |
| ''%%nmap 192.168.1.1 -p0-%%'' | Leaving off the end port in the range makes the scan go through to port 65535 |

===== Service and version detection =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1 -sV%%'' | Attempts to determine the version of the service running on each port. |
| ''%%nmap 192.168.1.1 -sV --version-intensity 8%%'' | Intensity level 0-9. A higher number increases the possibility of correctness. |
| ''%%nmap 192.168.1.1 -sV --version-light%%'' | Enable light mode. Lower possibility of correctness. Faster. |
| ''%%nmap 192.168.1.1 -sV --version-all%%'' | Enable intensity level 9. Higher possibility of correctness. Slower. |
| ''%%nmap 192.168.1.1 -A%%'' | Enable OS detection, version detection, script scanning, and traceroute. |

===== OS detection =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1 -O%%'' | Remote OS detection using TCP/IP stack fingerprinting |
| ''%%nmap 192.168.1.1 -O --osscan-limit%%'' | If at least one open and one closed TCP port are not found, it will not try OS detection against the host. |
| ''%%nmap 192.168.1.1 -O --osscan-guess%%'' | Makes nmap guess more aggressively. |
| ''%%nmap 192.168.1.1 -O --max-os-tries 1%%'' | Set the maximum number of OS detection tries |
| ''%%nmap 192.168.1.1 -A%%'' | Enables OS detection, version detection, script scanning, and traceroute. |

===== Timing and performance =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1 -T0%%'' | Paranoid (0) IDS evasion |
| ''%%nmap 192.168.1.1 -T1%%'' | Sneaky (1) IDS evasion |
| ''%%nmap 192.168.1.1 -T2%%'' | Polite (2) slows down the scan to use less bandwidth and fewer target machine resources. |
| ''%%nmap 192.168.1.1 -T3%%'' | Normal (3), which is the default speed. |
| ''%%nmap 192.168.1.1 -T4%%'' | Aggressive (4) speed scan. Assumes you are on a reasonably fast and reliable network. |
| ''%%nmap 192.168.1.1 -T5%%'' | Insane (5) speed scan. Assumes you are on an extraordinarily fast network. |

===== Timing and performance switches =====

^ Example ^ Description ^
| ''%%--host-timeout 1s%%'' ''%%--host-timeout 4m%%'' | Give up on a target after this long. |
| ''%%--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout 4m%%'' | Specifies probe round trip time. |
| ''%%--min-hostgroup/--max-hostgroup 50%%'' | Parallel host scan group sizes |
| ''%%--min-parallelism/--max-parallelism 10%%'' | Probe parallelization |
| ''%%--max-retries 3%%'' | Specify the maximum number of port scan probe retransmissions. |
| ''%%--min-rate 100%%'' | Send packets no slower than 100 per second |
| ''%%--max-rate 100%%'' | Send packets no faster than 100 per second |

===== NSE scripts =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1 -sC%%'' | Scan with default NSE scripts. Useful and safe. |
| ''%%nmap 192.168.1.1 --script default%%'' | Scan with default NSE scripts. |
| ''%%nmap 192.168.1.1 --script=banner%%'' | Scan with a single script. Example: banner. |
| ''%%nmap 192.168.1.1 --script=http*%%'' | Scan with a wildcard. Example: http. |
| ''%%nmap 192.168.1.1 --script=http,banner%%'' | Scan with two scripts: http and banner. |
| ''%%nmap 192.168.1.1 --script "not intrusive"%%'' | Scan default, but remove intrusive scripts. |
| ''%%nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1%%'' | NSE script with arguments |

===== Useful NSE script examples =====

^ Example ^ Description ^
| ''%%nmap -Pn --script=http-sitemap-generator scanme.nmap.org%%'' | HTTP site map generator |
| ''%%nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000%%'' | Fast search for random web servers |
| ''%%nmap -Pn --script=dns-brute domain.com%%'' | Brute forces DNS hostnames, guessing subdomains |
| ''%%nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1%%'' | Safe SMB scripts to run |
| ''%%nmap --script whois* domain.com%%'' | Whois query |
| ''%%nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org%%'' | Detect cross site scripting vulnerabilities |
| ''%%nmap -p80 --script http-sql-injection scanme.nmap.org%%'' | Check for SQL injections |

===== Firewall/IDS evasion and spoofing =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1 -f%%'' | Requested scans (including ping scans) use tiny fragmented IP packets. Harder for packet filters. |
| ''%%nmap 192.168.1.1 --mtu 32%%'' | Set your own offset size |
| ''%%nmap -D 192.168.1.101,192.168.1.102,192.168.1.103%%'' | Send scans from spoofed IPs |
| ''%%nmap -D decoy-ip1,decoy-ip2,your-own-ip%%'' | Same as above |
| ''%%nmap -S www.microsoft.com www.facebook.com%%'' | Scan Facebook from Microsoft (''%%-e eth0 -Pn%%'' may be required) |
| ''%%nmap -g 53 192.168.1.1%%'' | Use the given source port number |
| ''%%nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1%%'' | Relay connections through HTTP/SOCKS4 proxies |
| ''%%nmap --data-length 200 192.168.1.1%%'' | Appends random data to sent packets |

===== Output =====

^ Example ^ Description ^
| ''%%nmap 192.168.1.1 -oN normal.file%%'' | Normal output to the file ''%%normal.file%%'' |
| ''%%nmap 192.168.1.1 -oX xml.file%%'' | XML output to the file ''%%xml.file%%'' |
| ''%%nmap 192.168.1.1 -oG grep.file%%'' | Grepable output to the file ''%%grep.file%%'' |
| ''%%nmap 192.168.1.1 -oA results%%'' | Output in the three major formats at once |
| ''%%nmap 192.168.1.1 -oG -%%'' | Grepable output to screen. ''%%-oN, -oX%%'' also usable. |
| ''%%nmap 192.168.1.1 -oN file.txt --append-output%%'' | Append a scan to a previous scan file |
| ''%%nmap 192.168.1.1 -v%%'' | Increase verbosity level (use ''%%-vv%%'' or more) |
| ''%%nmap 192.168.1.1 -d%%'' | Increase debugging level (use ''%%-dd%%'' or more) |
| ''%%nmap 192.168.1.1 --reason%%'' | Display the reason a port is in a particular state; same output as ''%%-vv%%'' |
| ''%%nmap 192.168.1.1 --open%%'' | Only show open (or possibly open) ports |
| ''%%nmap 192.168.1.1 -T4 --packet-trace%%'' | Show all packets sent and received |
| ''%%nmap --iflist%%'' | Shows the host interfaces and routes |
| ''%%nmap --resume results.file%%'' | Resume a scan from ''%%results.file%%'' |

===== Helpful nmap output examples =====

^ Example ^ Description ^
| ''%%nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open%%'' | Scan for web servers and grep to show which IPs are running web servers |
| ''%%nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt%%'' | Generate a list of the IPs of live hosts |
| ''%%nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt%%'' | Append IPs to the list of live hosts |
| ''%%ndiff scan.xml scan2.xml%%'' | Compare the output of two scan results |
| ''%%xsltproc nmap.xml -o nmap.html%%'' | Convert nmap XML files to HTML files |

===== Other useful nmap commands =====

^ Example ^ Description ^
| ''%%nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn%%'' | Discovery only on the listed ports, no port scan |
| ''%%nmap 192.168.1.1-1/24 -PR -sn -vv%%'' | ARP discovery only on local network, no port scan |
| ''%%nmap -iR 10 -sn --traceroute%%'' | Traceroute to random targets, no port scan |
| ''%%nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1%%'' | Query the internal DNS for hosts, list targets only |
| ''%%nmap 192.168.1.1 --packet-trace%%'' | Show the details of the packets that are sent and received during a scan and capture the traffic |
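The grepable (''%%-oG%%'') output and ''%%ndiff%%'' rows above lend themselves to a small parser. What follows is an added example, not part of the original cheat sheet, written in Python rather than as a shell pipeline so the gnmap field layout is explicit: it parses the ''Host:'' lines and reports which ports opened or closed between a baseline scan and a later one, the drift check a defender runs against an asset inventory. Both gnmap snippets are constructed sample input, not real scan results.

```python
"""Parse nmap grepable (-oG) output and report port drift between two scans."""
import re

# A gnmap "Ports:" entry is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*?)(?:\t|$)")

def parse_gnmap(text: str) -> dict:
    """Return {ip: {(port, proto, service), ...}} for ports reported open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines and "Status: Up" lines carry no ports
        ip, ports_field = m.group(1), m.group(3)
        open_ports = hosts.setdefault(ip, set())
        for port, state, proto, service, _version in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports.add((int(port), proto, service))
    return hosts

def port_drift(baseline: str, latest: str):
    """Ports open now but absent from the baseline (new exposure), and the reverse."""
    old, new = parse_gnmap(baseline), parse_gnmap(latest)
    opened, closed = {}, {}
    for ip in sorted(set(old) | set(new)):
        added = new.get(ip, set()) - old.get(ip, set())
        removed = old.get(ip, set()) - new.get(ip, set())
        if added:
            opened[ip] = sorted(added)
        if removed:
            closed[ip] = sorted(removed)
    return opened, closed

# Constructed sample gnmap output (not real scan results): a baseline and a later scan.
BASELINE = """\
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: closed (998)
Host: 192.168.1.20 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: filtered (999)
"""
LATEST = """\
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.24.0/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.168.1.20 (printer.lan)\tPorts: 9100/closed/tcp//jetdirect///\tIgnored State: filtered (999)
"""

if __name__ == "__main__":
    newly_open, newly_closed = port_drift(BASELINE, LATEST)
    print("newly open:  ", newly_open)    # {'192.168.1.10': [(3389, 'tcp', 'ms-wbt-server')]}
    print("newly closed:", newly_closed)  # {'192.168.1.20': [(9100, 'tcp', 'jetdirect')]}
```

Feed it real files with ''open(path).read()''; the ''Ignored State'' and ''Status: Up'' lines are skipped, so ''-oG'' files written with ''-v'' parse the same way.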