Nmap
General
Tip: Always run Nmap as root so that it can craft raw packets, which gives it finer control over what is sent (e.g. SYN scans, OS detection and the ICMP probes used during the host discovery phase).
Options
Below are the general options that apply to almost every scan type.
Option | Description
---|---
-n | Never resolve IP addresses into names (avoids slow, noisy reverse DNS lookups)
--reason | Display the reason a port is in a particular state (e.g. syn-ack, reset, no-response)
--packet-trace | Show all packets sent and received
-6 | Enable IPv6 scanning (works with the common scan types)
Timing
By default, Nmap has a dynamic timing model that adapts scan timeouts based on observed performance and the responses to its initial packets. Alter this default (-T3) using one of the following timing profiles.
Profile | Flag | Description
---|---|---
Paranoid | -T0 | 5 minutes between probes, scans serially
Sneaky | -T1 | 15 seconds between probes, scans serially
Polite | -T2 | 0.4 seconds between probes, scans serially
Normal | -T3 | Default, scans in parallel
Aggressive | -T4 | Waits at most 1.25 seconds for a probe response, scans in parallel
Insane | -T5 | Max 15 minutes per host, waits at most 0.3 seconds for a probe response, scans in parallel
Runtime Interaction
Press any of the following keys while Nmap is running to change its behavior without relaunching the full command.
Key | Action
---|---
p | Turn on packet tracing
v | Increase verbosity
d | Increase debugging level
Tip: Use Shift together with any of the above keys (i.e. the uppercase letter P, V or D) to invoke the opposite action.
Scan Types
Below are options relevant to all scan types.
Option | Description
---|---
-p [ports] | Only scan the specified ports (e.g. -p 22,80,443 or -p 1-1024; -p- scans all 65535 ports)
--top-ports [number] | Scan the given number of most common ports (Nmap's default port scan covers the top 1000)
-Pn | Skip the host discovery phase, assume all hosts are up
--badsum | Generate packets with an invalid TCP or UDP checksum (firewall spotting)
Tip: Run nmap -sT --top-ports <NUMBER> -v -oG - with no target to print the list of the most common ports; they appear in the "# Ports scanned:" header of the grepable output.
Network Sweep
Always use the -sn option when performing a network sweep so that Nmap stops after host discovery and skips port scanning. The -P* options below only change how the host discovery phase is performed; without -sn, Nmap still goes on to port scan every host found to be up.
nmap -n -sn <DISCOVERY OPTION> <CIDR> --reason
Option | Description
---|---
-PB | Default behavior: ICMP Echo Request, TCP SYN to tcp/443, TCP ACK to tcp/80 and ICMP Timestamp Request (when run as root; unprivileged users get a TCP connect to ports 80 and 443 instead)
-PE | Use ICMP Echo Request (ICMP type 8)
-PS[portlist] | Use TCP SYN to the specified ports
-PP | Use ICMP Timestamp Request (ICMP type 13)
-PM | Use ICMP Address Mask Request (ICMP type 17)
-PR | Use ARP requests (default for targets on the same Ethernet subnet)
Port Scan
nmap -n <SCAN TYPE> <CIDR> --reason --open
Scan Type | Flag | Description
---|---|---
SYN scan | -sS | Sends a SYN, waits for the SYN/ACK, then tears the connection down with a RST instead of completing the handshake (default when running as root)
TCP connect | -sT | Full TCP 3-way handshake through the OS connect() call (default when not running as root)
UDP scan | -sU | Sends a UDP packet, using a protocol-specific payload for the most common ports and an empty payload for the others
Note on UDP: UDP has no handshake, so an open port that does not understand the (often empty) probe simply stays silent, exactly like a port whose probe was dropped by a firewall. Nmap therefore reports such ports as open|filtered, and uncommon ports rarely produce anything better with the default behavior. One option is to send non-empty payloads to uncommon ports using the following options.
Option | Description
---|---
--data <hex string> | Append a custom payload (given as hex) to sent packets
--data-string <string> | Append a custom ASCII string to sent packets
--data-length <num> | Append <num> bytes of random data to sent packets
The other is to run version detection (-sV) against the already discovered open|filtered ports: a service that answers the version probes is open.
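The sweep-then-scan workflow above is usually glued together with grepable output (-oG -), which is easy to parse with awk. The script below is an added example and is not code from the original cheat sheet: it defines two small parsers for -oG output (one for "Status: Up" lines, one for the "Ports:" field) and shows the intended pipeline, where only the live hosts from the sweep are port scanned. The sample outputs, hosts in 192.0.2.0/29 and function names are all constructed for illustration; only sweep_and_scan needs a real nmap binary and root.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): parse Nmap grepable
# output (-oG) so a host sweep can feed a port scan, without nmap installed.
# The sample outputs below are constructed to look like what
# `nmap -n -sn -v -oG -` and `nmap -n -sS --open -oG -` print.

# Constructed sweep output (down hosts are only listed when -v is given).
sweep_sample() {
  printf '# Nmap 7.94 scan initiated as: nmap -n -sn -v -oG - 192.0.2.0/29\n'
  printf 'Host: 192.0.2.1 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.2 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.3 ()\tStatus: Down\n'
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.00 seconds\n'
}

# Constructed port scan output. The Ports field is a comma-separated list of
# port/state/protocol/owner/service/rpc/version/ entries; fields are tab-separated.
scan_sample() {
  printf 'Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (97)\n'
  printf 'Host: 192.0.2.2 ()\tPorts: 22/open/tcp//ssh///, 53/open|filtered/udp//domain///\n'
}

# Print the address of every host reported "Status: Up" (reads -oG output on stdin).
live_hosts() {
  awk '$1 == "Host:" && $NF == "Up" { print $2 }'
}

# Print "host port/proto service" for ports in the given state (default: open).
ports_in_state() {
  awk -F '\t' -v want="${1:-open}" '
    $1 ~ /^Host:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")        # f[1]=port f[2]=state f[3]=proto f[5]=service
          if (f[2] == want) printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
        }
      }
    }'
}

# The real pipeline (needs nmap and root; not exercised here): sweep first,
# then port scan only the live hosts instead of the whole range.
sweep_and_scan() {
  cidr=$1
  nmap -n -sn -PE -PS22,80,443 -oG - "$cidr" | live_hosts > live.txt
  nmap -n -sS --top-ports 100 --reason --open -oG - -iL live.txt | ports_in_state open
}

if [ "$1" = "demo" ]; then
  echo "live hosts:";     sweep_sample | live_hosts
  echo "open ports:";     scan_sample | ports_in_state open
  echo "open|filtered:";  scan_sample | ports_in_state 'open|filtered'
fi
```

Run it with `sh parse-og.sh demo` to see the parsers on the built-in samples; in practice replace the sample functions with real `nmap ... -oG -` output. Splitting on tabs matters: the "Ports:" field itself contains spaces after every comma, so whitespace splitting would break it.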
Service Discovery
nmap -n -sV <CIDR> --reason --open
Option | Description
---|---
-O | Enable OS detection (requires root; results are most reliable when the target has at least one open and one closed TCP port, otherwise Nmap warns that the fingerprint may be unreliable)
Vulnerability Scan
Use the Nmap Scripting Engine (NSE). The -sC option runs every script in the default category:
nmap -n -sC <HOST>
Note that default is not a vulnerability category: for actual vulnerability checks, run the vuln category listed below (--script=vuln).
Tip: The version and safe categories are usually safe to run and include more scripts, which might provide more detailed information.
To run an individual script, a category, a directory of scripts or a combination of them:
nmap -n --script=<all|category|dir|script> <HOST>
Several selectors can be comma-separated, and boolean expressions such as --script="vuln and safe" or --script="not intrusive" are accepted.
Depending on the script used, you might want one of the additional options.
Option | Description
---|---
--script-help <all|category|dir|script> | Print a description of what each selected script does
--script-args <ARG1=VAL1,ARG2=VAL2,...> | Pass arguments to a script
--script-trace | Show all data sent and received by NSE scripts (like --packet-trace, one layer up)
All NSE scripts are installed under the /usr/share/nmap/scripts/ directory on most Linux distributions. Below is the list of available categories:
Category | Description
---|---
auth | Tests associated with authentication, including some password guessing and authentication bypass tests.
broadcast | Send packets on the local network destined for broadcast or multicast addresses to find new targets.
brute | Brute-force authentication guessing attacks.
discovery | Determine more information about the network environment associated with the target.
dos | May cause a denial-of-service condition on the target.
exploit | Launch an exploit for some discovered vulnerability on a target.
external | Scripts that may send information to a third-party database or other systems on the Internet to pull additional data.
fuzzer | Send unexpected input to a target system to see if a crash condition or other anomaly can be induced.
intrusive | May leave logs, guess passwords, lock out accounts, consume excessive CPU or bandwidth, crash a target, or have other impacts on the target machines.
malware | Detect the presence of an infection or backdoor on the target.
safe | Designed to have minimal impact on a target, neither crashing it nor leaving any entries in its logs.
version | Attempts to determine which versions of services are present on the target.
vuln | Determine whether a given target has a given security flaw.
Search for scripts by category (script.db lists every script together with its categories):
grep 'default\|version\|safe' /usr/share/nmap/scripts/script.db | grep <QUERY>
Warning: Scripts outside the safe category (intrusive, dos, exploit and fuzzer in particular) might crash poorly written software; use them with caution.
Auto Mode
Auto mode enables OS fingerprinting (-O), version scanning (-sV), script scanning using the default category (-sC) and tracerouting (--traceroute).
nmap -n -A <CIDR>
Tip: Nmap algebra: -A = -O + -sV + -sC + --traceroute
Firewall Spotting
To determine whether a port scan response comes from a firewall sitting between you and the target rather than from the target itself, run a --badsum scan against a port known to be closed. End systems silently drop packets with a bad checksum, but most firewalls do not verify the checksum, so any RST that comes back must have been generated by a firewall.
Another trick for firewall spotting is to compare the TTL values of the responses. If the TTLs of responses from allowed (open) ports differ from the TTLs of the RSTs for blocked ports, the RSTs are likely being sent by a firewall that sits a different number of hops away; the --reason option prints the TTL next to each reason, which makes the comparison easy.
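The TTL comparison above can be automated from the REASON column that --reason adds to Nmap's normal output (e.g. "syn-ack ttl 63" or "reset ttl 250"). The script below is an added example, not part of the original cheat sheet: it extracts the reason and TTL of every port line and reports when a RST carries a TTL that no SYN/ACK carried. Both scan reports are constructed samples with illustrative addresses and TTLs, and the function names are my own; the check needs at least one open port as a reference, so on a host with only closed ports it says nothing useful. For the --badsum variant, the command to run is nmap -n -sS --badsum -p <CLOSED PORT> --reason <HOST> and any "reset" reason in its output is the firewall's.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): compare the TTL of the
# RSTs for closed ports with the TTL of the SYN/ACKs for open ports, using the
# REASON column that `nmap --reason` adds to its normal output.
# Both samples below are constructed; hosts and TTLs are illustrative.

# Closed ports answered from a different hop than the open ones: suspicious.
fw_sample() {
  cat <<'EOF'
Nmap scan report for 192.0.2.10
Host is up, received syn-ack ttl 63 (0.012s latency).
Not shown: 96 filtered tcp ports (no-response)
PORT     STATE  SERVICE       REASON
22/tcp   open   ssh           syn-ack ttl 63
80/tcp   open   http          syn-ack ttl 63
443/tcp  closed https         reset ttl 250
3389/tcp closed ms-wbt-server reset ttl 250
EOF
}

# All answers share one TTL: consistent with a single end system.
clean_sample() {
  cat <<'EOF'
PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack ttl 63
443/tcp closed https   reset ttl 63
EOF
}

# Print "port/proto state reason ttl" for every port line that carries a TTL.
# The "ttl" keyword is located by position, so an extra VERSION column (-sV)
# or a long service name does not break the parser.
reason_ttls() {
  awk '
    $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ {
      for (i = 2; i < NF; i++)
        if ($i == "ttl") { printf "%s %s %s %s\n", $1, $2, $(i - 1), $(i + 1); break }
    }'
}

# Emit both TTL sets and a verdict: a RST TTL never seen on a SYN/ACK means the
# RSTs probably come from a different device (a firewall) than the open ports.
firewall_hint() {
  reason_ttls | awk '
    $3 == "syn-ack" { synack[$4] = 1 }
    $3 == "reset"   { reset[$4] = 1 }
    END {
      for (t in synack) s = s t " "
      for (t in reset)  r = r t " "
      printf "syn-ack ttl: %s\nreset ttl: %s\n", s, r
      odd = 0
      for (t in reset) if (!(t in synack)) odd = 1
      print (odd ? "possible firewall: RST TTL differs from SYN-ACK TTL" : "no TTL discrepancy")
    }'
}

if [ "$1" = "demo" ]; then
  fw_sample | firewall_hint
  clean_sample | firewall_hint
fi
```

In real use, pipe the scan straight in: `nmap -n -sS --reason -p 1-1024 <HOST> | firewall_hint`. A differing TTL is a hint, not proof; some load balancers and proxies also answer with their own TTL.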
Understand Results
WebMap
The open source WebMap project renders Nmap XML output (produced with -oX) in a web interface. It is available as a Docker image: start a container that maps the directory containing the XML files to /opt/xml.
docker run -d -h webmap -p 8000:8000 -v [path/to/nmap/xml/results]:/opt/xml rev3rse/webmap
Reference: https://github.com/Rev3rseSecurity/WebMap
Port States
State (TCP) | Description
---|---
open | Received a SYN/ACK
closed | Received a RST (either from the target itself or from a firewall)
filtered | Received an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10 or 13) or no response at all
State (UDP) | Description
---|---
open | Received a UDP response
closed | Received an ICMP Port Unreachable (type 3, code 3) response
filtered | Received an ICMP unreachable error other than type 3, code 3 (i.e. type 3, code 1, 2, 9, 10 or 13)
open\|filtered | No response; Nmap cannot tell whether the port is open or filtered
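The XML output that WebMap consumes records, for every port, exactly the evidence the two tables above describe: a state attribute plus the reason (syn-ack, reset, port-unreach, no-response) and the TTL of the response. The script below is an added example and not part of the original cheat sheet or of WebMap: it flattens -oX output to one tag per line and prints "host port/proto state reason ttl" lines, then tallies ports per host and state, so the states can be read together with the responses that produced them without a web UI. The XML is a constructed, trimmed sample shaped like nmap -n -sS -sU --reason -oX - output, and the host address and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): turn Nmap XML output (-oX)
# into one "host port/proto state reason ttl" line per port and tally states.
# The XML below is a constructed, trimmed sample shaped like the output of
# `nmap -n -sS -sU --reason -oX -`.
xml_sample() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -n -sS -sU --reason -oX - 192.0.2.1" version="7.94">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.0.2.1" addrtype="ipv4"/><address addr="02:00:00:00:00:01" addrtype="mac"/>
<ports><extraports state="filtered" count="96"><extrareasons reason="no-response" count="96"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="64"/><service name="https" method="table" conf="3"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="domain" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="closed" reason="port-unreach" reason_ttl="64"/><service name="snmp" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
EOF
}

# Flatten to one tag per line, then walk the address/port/state tags in order.
# Attribute values are pulled with a regex, which is fine for Nmap's own
# output (no quotes inside attribute values, one state tag per port tag).
xml_port_states() {
  awk '{ gsub(/</, "\n<"); print }' | awk '
    function attr(s, name) {
      if (match(s, name "=\"[^\"]*\"")) return substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
      return ""
    }
    /^<address / && attr($0, "addrtype") == "ipv4" { host = attr($0, "addr") }
    /^<port /  { proto = attr($0, "protocol"); port = attr($0, "portid") }
    /^<state / { printf "%s %s/%s %s %s %s\n", host, port, proto, attr($0, "state"), attr($0, "reason"), attr($0, "reason_ttl") }
  '
}

# Count ports per host and state, e.g. "192.0.2.1 closed 2".
state_tally() {
  xml_port_states | awk '{ n[$1 " " $3]++ } END { for (k in n) print k, n[k] }' | sort
}

if [ "$1" = "demo" ]; then
  xml_sample | xml_port_states
  xml_sample | state_tally
fi
```

With a real scan, use `nmap ... --reason -oX scan.xml` and then `xml_port_states < scan.xml`. The reason column is what makes a closed UDP port (port-unreach) distinguishable from an open|filtered one (no-response) when reading results later.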