
Description
A free and open source utility for network discovery and security auditing.
| Platform | All |
| Author | |
| License | Free |
| URL | nmap.org |
Usage
Nmap 7.91 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Examples
nmap x.x.x.x
The default nmap scan will check whether common ports are open.
└─# nmap 192.168.145.71
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 14:09 EDT
Nmap scan report for bratarina (192.168.145.71)
Host is up (0.038s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp closed domain
80/tcp open http
445/tcp open microsoft-ds
nmap -A x.x.x.x -p 22,25,53,80,445
The -A option enables OS detection, version detection, script scanning, and traceroute output.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 14:12 EDT
Nmap scan report for bratarina (192.168.145.71)
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| 256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
|_ 256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
25/tcp open smtp OpenSMTPD
| smtp-commands: bratarina Hello bratarina [192.168.49.145], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
53/tcp closed domain
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Aggressive OS guesses: Linux 2.6.32 (88%), Linux 2.6.32 or 3.10 (88%), Linux 2.6.39 (88%), Linux 3.10 - 3.12 (88%), Linux 4.4 (88%), WatchGuard Fireware 11.8 (88%), Synology DiskStation Manager 5.1 (87%), Linux 2.6.35 (87%), Linux 4.9 (87%), Linux 3.4 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m35s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: bratarina
| NetBIOS computer name: BRATARINA\x00
| Domain name: \x00
| FQDN: bratarina
|_ System time: 2021-04-11T14:12:39-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-11T18:12:38
|_ start_date: N/A
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 38.83 ms 192.168.49.1
2 38.83 ms bratarina (192.168.145.71)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.03 seconds
nmap -sT -p 1-65535 x.x.x.x
This command will do a full TCP connect scan on every port.
sudo nmap -n -sT x.x.x.x/24 -oA /tmp/scan
The -n will not resolve host names, the -sT will do a TCP connect scan on the subnet specified, and the -oA will save normal, grepable, and XML output to /tmp/scan.
sec@slingshot:~$ sudo nmap -n -sT 10.130.10.0/24 -oA /tmp/scan
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 14:25 UTC
Nmap scan report for 10.130.10.4
Host is up (0.030s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
Nmap scan report for 10.130.10.5
Host is up (0.030s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 10.130.10.6
Host is up (0.030s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 10.130.10.10
Host is up (0.029s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
9100/tcp open jetdirect
Nmap scan report for 10.130.10.11
Host is up (0.028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9100/tcp open jetdirect
Nmap scan report for 10.130.10.21
Host is up (0.029s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 10.130.10.22
Host is up (0.026s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
9100/tcp open jetdirect
Nmap scan report for 10.130.10.25
Host is up (0.030s latency).
Not shown: 978 filtered ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
81/tcp open hosts2-ns
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
444/tcp open snpp
445/tcp open microsoft-ds
465/tcp open smtps
587/tcp open submission
593/tcp open http-rpc-epmap
808/tcp open ccproxy-http
1801/tcp open msmq
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open msmq-mgmt
2525/tcp open ms-v-worlds
3389/tcp open ms-wbt-server
6001/tcp open X11:1
6502/tcp open netop-rc
6565/tcp open unknown
6646/tcp open unknown
Nmap scan report for 10.130.10.33
Host is up (0.029s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3389/tcp open ms-wbt-server
Nmap scan report for 10.130.10.44
Host is up (0.031s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 10.130.10.45
Host is up (0.030s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap done: 256 IP addresses (11 hosts up) scanned in 26.57 seconds
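Added example (not from this page or the nmap project): a small Python parser for the grepable `.gnmap` file that `-oA` writes, turning it into a per-host inventory and flagging hosts that expose a given service. The sample lines are constructed to mirror the /tmp/scan results above; the OpenSSH version string on the last host assumes `-sV` was also given.

```python
"""Turn nmap grepable output (-oG, or the .gnmap file written by -oA) into a
per-host inventory of open ports and flag hosts exposing a given service."""
import ipaddress
import re

# Constructed sample in the -oG format, modelled on the /tmp/scan results above.
# It is not the page's actual file; the OpenSSH version field assumes -sV was used.
SAMPLE_GNMAP = """\
# Nmap 7.60 scan initiated Tue Mar 15 14:25:00 2022 as: nmap -n -sT -oA /tmp/scan 10.130.10.0/24
Host: 10.130.10.5 ()\tStatus: Up
Host: 10.130.10.5 ()\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 10.130.10.10 ()\tStatus: Up
Host: 10.130.10.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (996)
Host: 10.130.10.22 ()\tStatus: Up
Host: 10.130.10.22 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)
# Nmap done at Tue Mar 15 14:25:26 2022 -- 256 IP addresses (11 hosts up) scanned in 26.57 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# One entry per port: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_gnmap(text):
    """Return {ip: [ {port, proto, state, service, version}, ... ]}."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # comment or blank line
        ip = m.group(1)
        inventory.setdefault(ip, [])
        ports = re.search(r"\tPorts: ([^\t]*)", line)
        if not ports:
            continue                       # the "Status: Up" line carries no ports
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(ports.group(1)):
            inventory[ip].append({"port": int(port), "proto": proto, "state": state,
                                  "service": service, "version": version})
    return inventory

def hosts_with_service(inventory, service):
    """IPs with an *open* port whose nmap-services name matches, sorted numerically."""
    hits = [ip for ip, ports in inventory.items()
            if any(p["state"] == "open" and p["service"] == service for p in ports)]
    return sorted(hits, key=ipaddress.ip_address)

if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for ip in sorted(inv, key=ipaddress.ip_address):
        print(ip, [f'{p["port"]}/{p["proto"]}' for p in inv[ip] if p["state"] == "open"])
    # Plaintext management protocols deserve a ticket, not just a line in the report.
    for svc in ("telnet", "jetdirect"):
        print(f"{svc}: {hosts_with_service(inv, svc)}")
```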
sudo nmap -n -O -sT --open x.x.x.x-x
This will skip name resolution (-n), perform OS fingerprinting (-O) and a full TCP connect scan (-sT) against the address range, and display only open ports (--open).
sec@slingshot:~$ ping -c2 10.130.10.10
PING 10.130.10.10 (10.130.10.10) 56(84) bytes of data.
64 bytes from 10.130.10.10: icmp_seq=1 ttl=63 time=26.8 ms
64 bytes from 10.130.10.10: icmp_seq=2 ttl=63 time=26.9 ms
--- 10.130.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 26.868/26.889/26.910/0.021 ms
sec560@slingshot:~$ sudo nmap -n -O -sT --open 10.130.10.21-22
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 16:19 UTC
Nmap scan report for 10.130.10.21
Host is up (0.030s latency).
Not shown: 998 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Nmap scan report for 10.130.10.22
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
9100/tcp open jetdirect
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 19.22 seconds
sudo nmap -n -sT -sV --open x.x.x.x-x
This scan will skip name resolution (-n), perform a full TCP connect scan (-sT), connect to each open service and perform version detection using the probes in /usr/share/nmap/nmap-service-probes (-sV), and show only open ports (--open).
sec@slingshot:~$ sudo nmap -n -sT -sV --open 10.130.10.21-22
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 16:44 UTC
Nmap scan report for 10.130.10.21
Host is up (0.032s latency).
Not shown: 998 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 10.130.10.22
Host is up (0.032s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
9100/tcp open jetdirect?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 16.19 seconds
nmap --proxies socks4://127.0.0.1:4444 x.x.x.x
This is how you route nmap traffic through a dynamic proxy, like the kind you can create with ssh -D. Note that --proxies currently applies only to the version-detection and NSE phases; host discovery, the port scan itself and OS detection are still sent directly from the scanning host.
nmap -Pn <ip>
The -Pn option will skip the host discovery portion of the scan. This is useful if a firewall is filtering ICMP packets like the Windows firewall does by default.
Additional Details
- When not running as root, nmap cannot use raw sockets, so it falls back to a full TCP connect scan instead of the default SYN scan.
- /usr/share/nmap/nmap-service-probes
  - where nmap stores service version identification checks
- /usr/share/nmap/scripts/script.db
  - index of all the local NSE scripts
  - can grep for specific scripts
- /usr/share/nmap/nmap-services
  - nmap's personal /etc/services
Blog Posts