The following is a small collection of what I’d consider the basics that any hacker should be pretty familiar with when using Nmap.
- Run `nmap --script-updatedb` before every time you use Nmap. New shiny script action and bug fixes!
- Always use `-oA`, with descriptive filenames. You may not need all the files, but you may.
- There’s not one Nmap scan that does it all. You’ll be running a bunch of scans; learn to use tmux/screen.
- Never use `-T4` or higher with UDP. Things will die.
- `-sU` is near useless. Use `-sUVC`. Because UDP is connectionless, sending an empty packet will typically not elicit a return at all; using version and script scanning ensures there is a payload that the server may respond to.
- The Nmap Scripting Engine (NSE) is fairly powerful and there are a ton of Lua scripts to do stuff. Find out where they’re stored on your machine and get familiar with what’s available.
- OSX + Homebrew:
- Some scans will take a long ass time. Run these as soon as possible, then worry about going after low-hanging fruit with your quick & dirty scans. Don’t get to the end of a project, wishing that you’d kicked off a low & slow 65k pingless scan a week ago.
- `-iL fname.txt` provide a text file list of targets.
- `--excludefile fname.txt` file of hosts we’ve been told not to scan.
- `-sL` don’t scan or check for live hosts; useful for doing mass DNS lookups.
- `-sn` don’t scan, do check for live hosts.
- `-Pn` don’t bother checking if they’re live. Good for hosts with unusual ports which don’t respond to ping.
- `-PS` specify which TCP ports should be used to identify live hosts, e.g.
- `-n` don’t resolve hosts. Speeds things up when names are not important or you already have them.
- `-sS` TCP SYN scan.
- `-p` specify ports. Can be a list (`-p22,80`), a range (`-p0-1024`) or all 65k (`-p-`).
- `--top-ports=400` only scan the most popular 400 ports as statistically collected by the Nmap project. Good for doing fast scanning against slow protocols such as UDP.
- `-sV` attempt to find out what version/service is running on the port by sending payload packets. Essential for UDP.
- `--version-intensity=5` how many of Nmap’s known probes should it send to this port to attempt to discover the version? 0 (light) to 9 (all).
- `-sC` run common + safe scripts against discovered ports.
- `--script=abc` run a specific script. NB there are a whole bunch of script flags so you can pass args and tweak them. Get familiar with them. Learn basic Lua so you can write/modify your own.
- `-O` attempt to discover what OS is running.
- `-T3` this controls a whole variety of timing parameters. T5 is the fastest, T0 is glacial. There are a ton of tunable parameters related to timing; you’ll need these if you’re scanning huge networks.
- `-g` use a given source port number for scans. One of the only remaining useful firewall bypass techniques, where someone has allowed inbound traffic in a wildcard for port 20 or 53.
- `-oA fname` save greppable, text, and XML scan outputs. Use descriptive filenames.
- `-v` verbose output, more v’s for more verbosity.
- `-iR 50` choose 50 random hosts in the public IP space. Check in with your lawyer if this is ok or not.
- `--reason` explain what response it got that made it believe a port is open/closed/filtered.
Common Practical Scans
Fast hunt for low-hanging TCP fruit
`nmap -vv -sSVC --top-ports 500 -T4 -n -oA nmap_sSVC-top500 -iL targets.txt`
Thorough full-port scan, assuming hosts respond to ping
`nmap -vv -sSVC -p- -n -oA nmap_sSVC_p65k -iL targets.txt`
Suspicious that hosts won’t respond to ICMP
`nmap -vv -sS --top-ports 1000 -Pn -oA nmap_sS_top1k_Pn -iL targets.txt`
Fast UDP service discovery
`nmap -vv -sUVC --top-ports 25 -Pn -oA nmap_sUVC_top25_Pn -iL targets.txt`
Checking for FWs that wildcard permit anything that might be DNS
`nmap -vv -sS -p- -g 53 -oA nmap_sS_g53 -iL targets.txt`
A port that won’t tell us what it is
`nmap -vv -p5555 -sSV --version-intensity=9 -oA nmap_p5555_v9 -iL targets.txt`
/admin directory and retrieve its title on web ports
`nmap -vv -p80,443,8080,8000,8008,8888 -Pn --script http-title --script-args 'http-title.url="/admin"' -oA nmap_http-title -iL targets.txt`
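Since the advice above is to always use `-oA` and to run a bunch of separate scans, here is an added example (my code, not from the original post or the Nmap project) that parses the greppable `.gnmap` files `-oA` writes and merges the TCP and UDP runs into one host/port inventory. The `.gnmap` lines are constructed samples shaped like the output of two of the scans listed above.

```python
"""Merge the greppable .gnmap files that -oA writes into one host/port inventory."""
import re
# Constructed sample of two .gnmap files concatenated: a TCP -sSVC run and a
# UDP -sUVC run from the scan list above. Fields are tab-separated; each port
# entry is port/state/proto/owner/service/rpcinfo/version/ and the version
# field is taken greedily so a stray "/" inside it does not break parsing.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -vv -sSVC --top-ports 500 -T4 -n -oA nmap_sSVC-top500 -iL targets.txt
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 5555/filtered/tcp/////\tIgnored State: closed (497)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 443/open/tcp//https//Apache httpd 2.4.57/\tIgnored State: closed (499)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
# Nmap 7.94 scan initiated as: nmap -vv -sUVC --top-ports 25 -Pn -oA nmap_sUVC_top25_Pn -iL targets.txt
Host: 10.0.0.6 ()\tPorts: 53/open/udp//domain//ISC BIND 9.18/, 161/open|filtered/udp//snmp///\tIgnored State: closed (23)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

PORT_RE = re.compile(r"^(\d+)/([^/]*)/(tcp|udp|sctp)/[^/]*/([^/]*)/[^/]*/(.*)/$")


def parse_gnmap(text):
    """Return {host: {(proto, port): (state, service, version)}}; later
    records win, so feeding several scans of one host merges them."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # banner / "Nmap done" comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        inventory.setdefault(host, {})  # a bare "Status: Up" record still adds the host
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                m = PORT_RE.match(entry)
                if not m:
                    continue  # malformed entry: skip rather than guess
                port, state, proto, service, version = m.groups()
                inventory[host][(proto, int(port))] = (state, service, version)
    return inventory


def open_ports(inventory, include_open_filtered=False):
    """Sorted (host, proto, port, service, version) rows for open ports. UDP
    'open|filtered' means no reply at all, so it is excluded unless asked for."""
    rows = []
    for host, ports in inventory.items():
        for (proto, port), (state, service, version) in ports.items():
            if state == "open" or (include_open_filtered and state == "open|filtered"):
                rows.append((host, proto, port, service, version))
    return sorted(rows)
```

Point it at the concatenation of your real `*.gnmap` files instead of `SAMPLE_GNMAP` and the UDP `open|filtered` noise stays out of the inventory until you explicitly ask for it.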