Nmap

Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. It's one of the most essential tools in a penetration tester's arsenal.

Basic Usage

Simple Scan

nmap target.example.com

Scan Specific Ports

nmap -p 22,80,443 target.example.com

Scan Port Range

nmap -p 1-1000 target.example.com

Scan All Ports

nmap -p- target.example.com

Advanced Scanning Techniques

SYN Scan (Stealth Scan)

sudo nmap -sS target.example.com

UDP Scan

sudo nmap -sU target.example.com

OS Detection

sudo nmap -O target.example.com

Version Detection

nmap -sV target.example.com

Comprehensive Scan

sudo nmap -sS -sV -sC -A -O -p- target.example.com

Network Scanning

Scan a Subnet

nmap 192.168.1.0/24

Scan Multiple Targets

nmap 192.168.1.1 192.168.1.2 192.168.1.3

Scan from a File

nmap -iL targets.txt

Output Options

Save Output to a File

nmap -oN scan_results.txt target.example.com

Save in XML Format

nmap -oX scan_results.xml target.example.com

Save in All Formats

nmap -oA scan_results target.example.com

Performance Options

Timing Templates

# Paranoid (0) - Very slow, used for IDS evasion
nmap -T0 target.example.com

# Sneaky (1) - Quite slow, used for IDS evasion
nmap -T1 target.example.com

# Polite (2) - Slows down to consume less bandwidth
nmap -T2 target.example.com

# Normal (3) - Default timing template
nmap -T3 target.example.com

# Aggressive (4) - Assumes you're on a reasonably fast and reliable network
nmap -T4 target.example.com

# Insane (5) - Very aggressive; may overwhelm targets or miss open ports
nmap -T5 target.example.com

Parallel Host Scan

nmap --min-parallelism 100 target.example.com

Evasion Techniques

Fragmentation

sudo nmap -f target.example.com

Decoy Scan

sudo nmap -D decoy1.example.com,decoy2.example.com,ME target.example.com

Spoof MAC Address

sudo nmap --spoof-mac 00:11:22:33:44:55 target.example.com

NSE Scripts

Nmap Scripting Engine (NSE) provides additional functionality:

Vulnerability Scanning

nmap --script vuln target.example.com

Default Scripts

nmap -sC target.example.com

Specific Script

nmap --script http-title target.example.com

Multiple Scripts

nmap --script "http-*" target.example.com

Practical Examples

Basic Network Enumeration

nmap -sV -sC -oA network_enum 192.168.1.0/24

Web Server Scan

nmap -p 80,443 --script "http-*" target.example.com

Find All Open SMB Shares

nmap -p 445 --script smb-enum-shares 192.168.1.0/24

Check for EternalBlue Vulnerability

nmap -p 445 --script smb-vuln-ms17-010 target.example.com

Stealthy Scan for Firewall Evasion

sudo nmap -sS -T2 -f -D 192.168.1.101,192.168.1.102,ME target.example.com

Cheat Sheet

Command	Description
`nmap -sS target`	TCP SYN scan
`nmap -sT target`	TCP connect scan
`nmap -sU target`	UDP scan
`nmap -sV target`	Service/version detection
`nmap -sC target`	Default script scan
`nmap -O target`	OS detection
`nmap -A target`	Aggressive scan (OS + version + scripts + traceroute)
`nmap -p 1-65535 target`	Scan all ports
`nmap -p- target`	Scan all ports (shorthand)
`nmap -p http,https target`	Scan named ports
`nmap -F target`	Fast scan (top 100 ports)
`nmap -T0-5 target`	Timing templates (higher is faster)
`nmap -oN results.txt target`	Save output to text file
`nmap -oX results.xml target`	Save output to XML
`nmap -oG results.gnmap target`	Save output in grepable format
`nmap -oA results target`	Save in all formats

FilesExpand file tree

nmap.md

Latest commit

History