The following is a small collection of what I’d consider the basics that any hacker should be pretty familiar with when using Nmap.

General

  • Run nmap --script-updatedb after you add or update NSE scripts. It only rebuilds the local script index (script.db) so that new scripts and their categories are picked up; it does not download anything, so new scripts and bug fixes come from upgrading Nmap itself or dropping fresh .nse files into the scripts directory.
  • Always use -oA, with descriptive filenames. You may not need all three output files today, but you will want them later.
  • There’s no single Nmap scan that does it all. You’ll be running a bunch of scans; learn to use tmux/screen so they survive a dropped SSH session.
  • Never use -T4 or higher with UDP. Most targets rate-limit the ICMP port-unreachable replies Nmap relies on to mark a UDP port closed (Linux defaults to about one per second), so aggressive timing turns nearly everything into open|filtered and can tip over fragile embedded devices.
  • -sU on its own is near useless. Use -sUVC. Because UDP is connectionless, an empty probe (which is what Nmap sends to most UDP ports) usually gets no reply at all, and Nmap can only report the port as open|filtered; version detection and script scanning send protocol-specific payloads that a real service will answer, which is what turns open|filtered into a definite open.
  • The Nmap Scripting Engine (NSE) is fairly powerful and there are a ton of Lua scripts to do stuff. Find out where they’re stored on your machine and get familiar with what’s available; nmap --script-help with a script or category name prints the documentation without running anything.
    • OSX + Homebrew: /usr/local/Cellar/nmap/7.12/share/nmap/scripts/ (the version number in the path changes with each release)
    • Debian/Kali packages: /usr/share/nmap/scripts/
  • Some scans take a very long time. Kick those off as soon as possible, then go after low-hanging fruit with quick and dirty scans while they run. Don’t get to the end of a project wishing you’d started a low and slow 65k-port pingless scan a week ago.

Flags

  • -iL fname.txt provide a text file of targets, one host, range or CIDR block per line.
  • --excludefile fname.txt file of hosts we’ve been told not to scan. Use it on every run so an out-of-scope host can’t slip in through a range.
  • -sL list scan: don’t scan or check for live hosts, just enumerate the targets and do reverse DNS. Useful for mass DNS lookups and for confirming what a range expands to before you touch it.
  • -sn host discovery only: check for live hosts, no port scan.
  • -Pn skip host discovery and treat every target as up. Good for hosts on unusual ports that don’t respond to ping or the default discovery probes. It makes scans of dead address space slow, so use it deliberately rather than by default.
  • -PS specify which TCP ports should be used to identify live hosts, e.g. -PS443,80,445.
  • -n don’t resolve hostnames. Speeds things up when names aren’t important or you already have them.
  • -sS TCP SYN (half-open) scan; the default scan type when running as root.
  • -p specify ports. Can be a list -p22,80, a range -p0-1024, or every port with -p- (which means 1-65535; use -p0- if you also want port 0).
  • --top-ports=400 only scan the 400 most popular ports as statistically collected by the Nmap project. Good for fast scanning against slow protocols such as UDP.
  • -sV attempt to find out what service and version is running on the port by sending payload probes. Essential for UDP.
  • --version-intensity=5 how many of Nmap’s known probes to send to each port when attempting to discover the version: 0 (light) to 9 (all). The default is 7.
  • -sC run the default script category (the same as --script=default) against discovered ports. These are picked for being useful and generally non-intrusive, but “default” is not the same as the “safe” category, so check what’s in it before pointing it at fragile targets.
  • --script=abc run a specific script, category or comma-separated list. --script-args passes arguments to scripts and --script-help abc shows a script’s documentation. Get familiar with them, and learn basic Lua so you can write/modify your own.
  • -O attempt to discover what OS is running.
  • -T3 this controls a whole variety of timing parameters and is the default. T5 is the fastest, T0 is glacial. There are a ton of tunable timing parameters (--min-rate, --max-retries, --host-timeout and friends); you’ll need them if you’re scanning huge networks.
  • -g use a given source port number for scans. One of the only remaining useful firewall bypass techniques, for when someone has allowed inbound traffic from source port 20 or 53 with a wildcard destination. It only applies where Nmap crafts raw packets: connect scans (-sT), version detection and script scanning go through the OS TCP stack and ignore it, so a port that only shows up with -g may still be unreachable for -sV or NSE.
  • -oA fname save normal (.nmap), greppable (.gnmap) and XML (.xml) scan outputs. Use descriptive filenames.
  • -v verbose output, more v’s for more verbosity.
  • -6 IPv6 scanning.
  • -iR 50 choose 50 random hosts in the public IP space. Check in with your lawyer on whether this is ok or not.
  • --reason show which response (SYN/ACK, RST, ICMP unreachable, no response) made Nmap decide a port is open, closed or filtered. Invaluable when results look odd.
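The .gnmap file written by -oA is the one to post-process between runs. The script below is an added example, not from the original page: it pulls the ports in a given state out of a greppable file, counts them, and answers “which hosts have this port open”, with a constructed two-host sample standing in for real scan output. The function names (gnmap_ports, gnmap_count, gnmap_hosts_with) are my own.

```shell
#!/bin/sh
# Post-process the greppable (.gnmap) file that -oA writes. Added example,
# not part of the original page. Each host is one tab-separated line:
#   Host: ADDR (NAME)<TAB>Ports: PORT/STATE/PROTO/OWNER/SERVICE/RPC/VERSION/, ...<TAB>Ignored State: ...

# gnmap_ports STATE FILE  ->  "addr port/proto service [version]" per port in that state
gnmap_ports() {
  awk -F'\t' -v want="$1" '
    /^Host: / {
      split($1, h, " "); addr = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
          if (f[2] != want) continue
          line = addr " " f[1] "/" f[3] " " f[5]
          if (f[7] != "") line = line " " f[7]
          print line
        }
      }
    }' "$2"
}

# gnmap_count STATE FILE  ->  number of ports in that state. A high open|filtered
# count on a UDP scan means the scan should be redone with -sUVC.
gnmap_count() {
  gnmap_ports "$1" "$2" | awk 'END { print NR }'
}

# gnmap_hosts_with PORT/PROTO FILE  ->  addresses where that port is open
gnmap_hosts_with() {
  gnmap_ports open "$2" | awk -v p="$1" '$2 == p { print $1 }'
}

# Constructed sample in the greppable format; not real scan output.
sample=$(mktemp)
printf '%s\t%s\t%s\n' \
  'Host: 10.0.0.5 (srv1.example)' \
  'Ports: 22/open/tcp//ssh//OpenSSH 8.4p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///' \
  'Ignored State: filtered (997)' > "$sample"
printf '%s\t%s\t%s\n' \
  'Host: 10.0.0.6 ()' \
  'Ports: 53/open/udp//domain//ISC BIND 9.16/, 161/open|filtered/udp//snmp///, 123/open|filtered/udp//ntp///' \
  'Ignored State: closed (22)' >> "$sample"

gnmap_ports open "$sample"
echo "UDP ports still unresolved (open|filtered): $(gnmap_count 'open|filtered' "$sample")"
gnmap_hosts_with 53/udp "$sample"
```

Point it at the .gnmap from two different runs and a plain diff of the gnmap_ports output shows what changed between them, which is the main reason to keep the greppable file around.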

Common Practical Scans

Fast hunt for low-hanging TCP fruit

nmap -vv -sSVC --top-ports 500 -T4 -n -oA nmap_sSVC-top500 -iL targets.txt

Thorough full-port scan, assuming hosts respond to ping

nmap -vv -sSVC -p- -n -oA nmap_sSVC_p65k -iL targets.txt

Suspicious that hosts won’t respond to ICMP

nmap -vv -sS --top-ports 1000 -Pn -oA nmap_sS_top1k_Pn -iL targets.txt

Fast UDP service discovery

nmap -vv -sUVC --top-ports 25 -Pn -oA nmap_sUVC_top25_Pn -iL targets.txt

Checking for firewalls that wildcard-permit anything that looks like DNS (source port 53)

nmap -vv -sS -p- -g 53 -oA nmap_sS_g53 -iL targets.txt

A port that won’t tell us what it is: throw every version probe at it

nmap -vv -p5555 -sSV --version-intensity=9 -oA nmap_p5555_v9 -iL targets.txt

Check for /admin directory and retrieve its title on web ports

nmap -vv -p80,443,8080,8000,8008,8888 -Pn --script http-title --script-args 'http-title.url="/admin"' -oA nmap_http-title -iL targets.txt
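All of the scans above share the same housekeeping: -oA with a name you can find again, no clobbering of an earlier run, and the UDP timing rule. The wrapper below is an added example, not the original author’s tooling: scan_phase applies those rules and then hands the remaining arguments to nmap, and setting NMAP=echo previews the command line instead of scanning. The function name, the nmap_<phase>_<list>_<date> filename scheme and the NMAP override are my conventions, and the demo target list at the bottom is constructed.

```shell
#!/bin/sh
# scan_phase PHASE TARGETS_FILE [nmap options...]
# Added example, not from the original page. Runs one nmap phase with the
# house rules applied: output always goes to -oA nmap_<phase>_<list>_<date>,
# an earlier run's files are never overwritten, -T4/-T5 is refused for UDP,
# and UDP without version detection gets a warning. Set NMAP=echo to preview
# the command line instead of scanning (an assumed convention of this script).
scan_phase() {
  phase="$1"; targets="$2"; shift 2
  if [ ! -r "$targets" ]; then
    echo "scan_phase: cannot read target list $targets" >&2; return 2
  fi
  base="nmap_${phase}_$(basename "$targets" .txt)_$(date +%Y%m%d)"
  if [ -e "$base.gnmap" ] || [ -e "$base.xml" ]; then
    echo "scan_phase: $base.* already exists, refusing to overwrite" >&2; return 3
  fi

  udp=0; ver=0; fast=0
  for arg in "$@"; do
    case "$arg" in -s*U*) udp=1 ;; esac     # -sU, -sUV, -sSU, -sUVC ...
    case "$arg" in -s*V*) ver=1 ;; esac     # -sV, or a combined -s?V? scan type
    case "$arg" in -T4|-T5) fast=1 ;; esac
  done
  if [ "$udp" -eq 1 ] && [ "$fast" -eq 1 ]; then
    echo "scan_phase: -T4/-T5 with a UDP scan is not allowed (ICMP rate limiting makes the results junk)" >&2
    return 4
  fi
  if [ "$udp" -eq 1 ] && [ "$ver" -eq 0 ]; then
    echo "scan_phase: warning: UDP without -sV will mostly report open|filtered" >&2
  fi

  "${NMAP:-nmap}" -oA "$base" -iL "$targets" "$@"
}

# Constructed demo: a throwaway target list, previewed with NMAP=echo.
demo=$(mktemp -d)
printf '10.0.0.5\n10.0.0.6\n' > "$demo/targets.txt"
NMAP=echo scan_phase top500 "$demo/targets.txt" -vv -sSVC --top-ports 500 -T4 -n
NMAP=echo scan_phase p65k   "$demo/targets.txt" -vv -sSVC -p- -n
NMAP=echo scan_phase udp25  "$demo/targets.txt" -vv -sUVC --top-ports 25 -Pn
```

Run the long phases (p65k, the UDP sweep) first under tmux with this wrapper and the quick top-ports pass in another pane; the dated -oA names mean the next day’s rerun lands beside yesterday’s instead of on top of it.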