Nmap

Scan Types

ICMP Echo Request and ARP Ping

nmap 10.129.2.18 -sn -oA host -PE --packet-trace
nmap 10.129.2.18 -sn -oA host -PE --reason
nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping

Top Ports Scan

nmap 10.129.2.28 --top-ports=10
nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping

Connect Scan

nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT

Filtered Ports

nmap -p 139 -Pn -n --disable-arp-ping --max-retries 1 <target>

Host Discovery

nmap -sn -T4 -oG Discovery.gnmap 192.168.1.1/24
grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > LiveHosts.txt
nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt
nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt

Full Port Scanning

nmap -sS -T4 -Pn --top-ports 3674 -oG 3674 -iL LiveHosts.txt
nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt
nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt
nmap 10.129.2.28 -F -sU

Detect Service Version

nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt
nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt
nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt
nmap 10.129.2.28 -p- -sV --stats-every=5s
nmap 10.129.2.28 -p- -sV -v

Nmap Scripting Engine (NSE)

Default Scripts

nmap <target> -sC

Specifying Scripts

nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Aggressive Scan

nmap 10.129.2.28 -p 80 -A

Vuln Category

nmap 10.129.2.28 -p 80 -sV --script vuln

Performance Optimization

Timeouts

nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

Max Retries

nmap 10.129.2.0/24 -F --max-retries 0

Rate Optimization

nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300

Timing Templates

-T 0 / -T paranoid
-T 1 / -T sneaky
-T 2 / -T polite
-T 3 / -T normal
-T 4 / -T aggressive
-T 5 / -T insane

Firewall and IDS/IPS Evasion

TCP ACK Scan

nmap 10.129.2.28 -p 21,22,25 -sS -Pn -n --disable-arp-ping --packet-trace
nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace

Decoy Scanning

nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Testing Firewall Rules

sudo nmap 10.129.2.28 -n -Pn -p445 -O

Scan Using Different Source IP

nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

DNS Proxying

SYN-Scan of a Filtered Port From DNS Port

nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

Advanced Techniques

Modify MTU Size

nmap --mtu 24 <target>

Idle (Zombie) Scanning

nmap -sI [Zombie IP] [Target IP]

Add Random Data Length

nmap --data-length 25 IP

MAC Address Spoofing

nmap --spoof-mac Dell/Apple/3Com IP