Nmap Scanning

Nmap is a versatile tool used for network discovery, scanning, and security auditing. It allows you to combine multiple options in a single command to perform various tasks efficiently. Below is a compact guide to the most commonly used Nmap arguments.

Basic Syntax

Nmap allows you to combine different options in a single command for flexible scanning. The general syntax is:

nmap [options] [target]

For example:

nmap -sS -sV -O -p- target_ip

This performs a SYN scan (-sS), detects service versions (-sV), identifies the operating system (-O), and scans all ports (-p-) in one execution. The scan-type letters after -s may be combined (for example -sSV), but -O is a separate option: written as -sSVO, the trailing O is parsed as an IP protocol scan (-sO) rather than OS detection.


Scanning Options

  1. Scan Types:
    • -sS: Perform a SYN scan (stealth scan).
    • -sT: Perform a full TCP connect scan.
    • -sU: Perform a UDP scan.
    • -sA: Perform a TCP ACK scan (useful for firewall rules detection).
    • -sn: Ping scan (discovery without scanning ports).
    • -Pn: Disable ping to scan directly without checking host availability.
  2. Port Specification:
    • -p-: Scan all 65535 ports.
    • -p [port_list]: Scan specific ports or ranges (e.g., -p 22,80,443).
    • -F: Scan the top 100 common ports.
    • --top-ports <num>: Scan the top <num> most commonly used ports.
  3. Service and OS Detection:
    • -sV: Detect service versions on open ports.
    • -O: Perform OS detection to identify the target’s operating system.
    • -A: Aggressive scan (combines OS detection, service version detection, and script scanning).
  4. Timing and Performance:
    • -T<0-5>: Timing template for scan speed (0 is slowest, 5 is fastest).
    • --min-rate <num>: Ensure a minimum packet send rate (e.g., --min-rate 10000 sends at least 10,000 packets per second).
    • --max-retries <num>: Set the maximum number of times a probe is retransmitted for a port before Nmap gives up on it.
    • --stats-every <time>: Show scan progress at regular intervals (e.g., --stats-every=5s).
    • -v / -vv: Increase verbosity (more detailed scan output).

Host Discovery and Obfuscation

  1. Host Discovery:
    • -PE: Perform a ping scan using ICMP Echo Requests.
    • --disable-arp-ping: Disable ARP Ping Requests for discovering hosts.
    • -n: Disable DNS resolution (speeds up scans by skipping DNS queries).
  2. Obfuscation and Interface:
    • -D RND:<num>: Use random decoys to obfuscate the source IP.
    • -e <interface>: Specify the network interface to use for the scan.
    • -S <source_ip>: Set a specific source IP address for the scan.
    • -g <port>: Specify the source port for the scan.
    • --dns-server <ns>: Use a specified name server for DNS resolution.

Output Options

  1. Normal Output:
    • -oN <file>: Save the scan results in a human-readable format.
  2. Grepable Output:
    • -oG <file>: Save results in a grepable format (easy to filter with grep).
  3. XML Output:
    • -oX <file>: Save the results in XML format.
  4. Save in All Formats:
    • -oA <file>: Store results in all available formats (normal, XML, grepable).
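The grepable format is meant to be filtered, and a defender's usual reason for filtering it is to compare scans over time. As an added example that is not part of the original post, the POSIX shell script below turns a -oG file into a host/port/service inventory and diffs a newer scan against a baseline so that a port which opened between two scheduled scans stands out. The make_sample, open_ports and new_open_ports functions and the 10.0.0.x hosts are assumptions of this example; the .gnmap text is constructed to match the layout Nmap writes (tab-separated fields, port entries of the form port/state/proto/owner/service/rpcinfo/version/) and is not real scan output.

```shell
#!/bin/sh
# Added example, not part of the original post: build an inventory of open
# ports from Nmap grepable (-oG) output and compare two scans so that ports
# which opened since a baseline stand out. The .gnmap content written by
# make_sample() is constructed sample data in the grepable layout, not a real scan.

make_sample() {
  # $1: output path; $2: extra port entry appended to the second host ("" for none).
  # Fields on a grepable line are tab-separated; each port entry is
  # port/state/proto/owner/service/rpcinfo/version/
  printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG %s 10.0.0.0/29\n' "$1" > "$1"
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n' >> "$1"
  printf 'Host: 10.0.0.6 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/%s\tIgnored State: closed (998)\n' "$2" >> "$1"
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds\n' >> "$1"
}

open_ports() {
  # $1: path to a -oG file. Prints one "host port/proto service" line per open port.
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host)   # strip the "Host: " label
      sub(/ .*/, "", host)       # drop the "(hostname)" part
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          ports = $i
          sub(/^Ports: /, "", ports)
          n = split(ports, entries, /, /)
          for (j = 1; j <= n; j++) {
            split(entries[j], f, "/")
            # f[1]=port f[2]=state f[3]=proto f[5]=service
            if (f[2] == "open")
              printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
          }
        }
      }
    }' "$1"
}

new_open_ports() {
  # $1: baseline .gnmap; $2: newer .gnmap. Prints open ports present only in $2.
  # Both lists are sorted with the C locale so comm(1) sees the same collation.
  base_sorted=$(mktemp)
  open_ports "$1" | LC_ALL=C sort > "$base_sorted"
  open_ports "$2" | LC_ALL=C sort | LC_ALL=C comm -13 "$base_sorted" -
  rm -f "$base_sorted"
}

# Demo on the constructed data: the newer scan shows RDP (3389) open on 10.0.0.6.
BASELINE_FILE=$(mktemp)
CURRENT_FILE=$(mktemp)
trap 'rm -f "$BASELINE_FILE" "$CURRENT_FILE"' EXIT
make_sample "$BASELINE_FILE" ""
make_sample "$CURRENT_FILE" ", 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"

echo "Open ports in current scan:"
open_ports "$CURRENT_FILE"
echo "Newly opened since baseline:"
new_open_ports "$BASELINE_FILE" "$CURRENT_FILE"
```

In practice the two inputs would be the .gnmap files written by -oG (or the .gnmap member of an -oA set) from two scheduled scans of the same range; anything new_open_ports reports is a change that should be explained by a ticket or a known deployment.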

Example Command

Here’s an example combining multiple options into one command:

nmap -sS -sV -O -p 22,80,443 -T4 --min-rate 10000 -oN result.txt target_ip
  • -sS: SYN scan (stealth).
  • -sV: Detect service versions.
  • -O: OS detection.
  • -p 22,80,443: Scan ports 22, 80, and 443.
  • -T4: Use an aggressive timing template for faster results.
  • --min-rate 10000: Send at least 10,000 packets per second.
  • -oN result.txt: Save the output in a readable file result.txt.

With Nmap, you can easily combine options into a single command for efficient scanning. By understanding how different arguments and options work together, you can optimize network discovery and auditing processes.

This post is licensed under CC BY 4.0 by the author.