Nmap

General

Tip

Always run Nmap as root so it can craft raw packets and gain finer control over what is sent (e.g. during the probing phase).

Options

Below are the general options available with almost every scan type.

Option Description
-n Never resolve IP addresses into names
--reason Display the reason a port is in a particular state
--packet-trace Show all packets sent and received
-6 Enable IPv6 support (works for all scan types)

Timing

By default, Nmap has a dynamic timing model that adapts scan timeouts based on performance and initial packets. Alter this default configuration (-T3) using one of the following timing profiles.

Profile Flag Description
Paranoid -T0 5 minutes between packets, scans serially
Sneaky -T1 15 seconds between packets, scans serially
Polite -T2 0.4 seconds between packets, scans serially
Normal -T3 Default, scans in parallel
Aggressive -T4 Wait 1.25 seconds for probe response, scans in parallel
Insane -T5 Max 15 minutes per host, wait 0.3 seconds for probe response, scans in parallel

Runtime Interaction

Press any of the following keys while Nmap is running to change its behavior without relaunching the full command.

Key Action
p Turn on packet tracing
v Increase verbosity
d Increase debugging level

Tip

Use Shift in combination with any of the above keys to invoke the opposite action.

Scan Types

Below are the options relevant to all scan types.

Option Description
-p [ports] Only scan specified ports
--top-ports [number] Scan the [number] most common ports (default: 1000)
-Pn Skip host discovery phase, assume all hosts are up
--badsum Generate packets with an invalid TCP or UDP checksum (firewall spotting)

Network Sweep

Always use the -sn option when performing a network sweep, to disable port scanning. Without it, the host discovery options below only change the behavior of the host discovery phase that runs before port scanning.

nmap -n -sn <SCAN TYPE> <CIDR> --reason

Option Description
-PB Default, use ICMP Echo Request, SYN to tcp/443, ACK to tcp/80 and ICMP Timestamp Request (if run as root)
-PE Use ICMP Echo Request (ICMP type 8)
-PS[portlist] Use TCP SYN to specified ports in the port list
-PP Use ICMP Timestamp Request (ICMP type 13)
-PM Use ICMP Address Mask Request (ICMP type 17)
-PR Use ARP requests (default for targets on the same subnet)

Port Scan

nmap -n <SCAN TYPE> <CIDR> --reason --open

Scan Type Flag Description
SYN scan -sS Sends a SYN, waits for the SYN/ACK and then stops without completing the handshake (default when running as root)
TCP connect -sT Full TCP 3-way handshake (default when not running as root)
UDP Scan -sU Sends a UDP packet, with a protocol-specific payload for the most common ports and an empty payload for the others.

Note on UDP:
Because UDP has no connection state, scanning is less reliable: with the default behavior you receive few responses from uncommon ports, which makes it hard to differentiate open from filtered ports. One option is to send non-empty payloads to uncommon ports using the following options.

Option Description
--data <hex string> Append a custom payload (given as hex) to sent packets
--data-string <string> Append a custom ASCII string to sent packets
--data-length <num> Append <num> bytes of random data to sent packets

The other is to run version detection (-sV) on ports already reported as open|filtered, to tell open from filtered.

Service Discovery

nmap -n -sV <CIDR> --reason --open

Option Description
-O Enable OS detection

Vulnerability Scan

Use the Nmap Scripting Engine (NSE) to perform a vulnerability scan; -sC runs all scripts in the default category:

nmap -n -sC <HOST>

Tip

Both the version and safe categories are usually safe to run and include more scripts, which may provide more detailed information.

To run an individual script or category:

nmap -n --script=<ALL,CATEGORY,DIR,SCRIPT> <HOST>

Depending on the script used, you might want one of the following additional options.

Option Description
--script-help [ALL,CATEGORY,DIR,SCRIPT] Get a description of each script functionality
--script-args <ARGS> Pass arguments to a script
--script-trace Enable verbose output of NSE

All NSE scripts can be found under the /usr/share/nmap/scripts/ directory. Below is the list of available categories:

Category Description
auth Tests associated with authentication, including some password guessing and authentication bypass tests.
broadcast Send packets on the local network destined for broadcast or multicast addresses to find new targets.
brute Brute-force authentication guessing attacks.
discovery Determine more information about the network environment associated with the target.
dos May cause denial-of-service condition on the target.
exploit Launch an exploit for some discovered vulnerability on a target.
external Scripts that may send information to a third-party database or other systems on the Internet to pull additional data.
fuzzer Send unexpected input to a target system to see if a crash condition or other anomaly can be induced.
intrusive May leave logs, guess passwords, lock out accounts, consume excessive CPU or bandwidth, crash a target, or have other impacts on the target machines.
malware Detect the presence of an infection or backdoor on the target.
safe Designed to have minimal impact on a target, neither crashing it nor leaving any entries in its logs.
version Attempts to determine which versions of services are present on the target.
vuln Determine whether a given target has a given security flaw.

Search for scripts by category:

grep 'default\|version\|safe' /usr/share/nmap/scripts/script.db | grep <QUERY>
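As an added example (not code from the page or from the Nmap project), this Python script does what the grep above does but with the categories parsed as fields: it reads script.db entries, which have the form `Entry { filename = "x.nse", categories = { "default", "safe", } }`, filters them by category and name, and separately lists scripts carrying a category the table above describes as having an impact on the target. The sample database contents below are constructed; the script names are illustrative only.

```python
import re
from pathlib import Path

# Constructed sample in script.db's line format (the real file lives at
# /usr/share/nmap/scripts/script.db); names and categories are illustrative.
SAMPLE_DB = """Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssl-cert.nse", categories = { "default", "safe", "discovery", } }
"""

# One entry per line: filename, then the brace-delimited category list.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}')

# Categories the table above describes as impacting the target.
IMPACT_CATEGORIES = {"intrusive", "dos", "exploit", "brute", "fuzzer"}


def parse_script_db(text):
    """Return {script filename: set of categories} from script.db content."""
    return {m.group(1): set(re.findall(r'"([^"]+)"', m.group(2)))
            for m in ENTRY_RE.finditer(text)}


def search_scripts(scripts, any_of=("default", "version", "safe"), query=""):
    """Scripts in at least one of `any_of` whose filename contains `query`
    (the page's grep pipeline, matching categories as fields rather than
    as substrings anywhere on the line)."""
    wanted = set(any_of)
    return sorted(name for name, cats in scripts.items()
                  if cats & wanted and query in name)


def impactful_scripts(scripts, flagged=IMPACT_CATEGORIES):
    """Scripts carrying at least one category with possible target impact."""
    return sorted(name for name, cats in scripts.items() if cats & set(flagged))


if __name__ == "__main__":
    db = Path("/usr/share/nmap/scripts/script.db")
    scripts = parse_script_db(db.read_text() if db.exists() else SAMPLE_DB)
    for name in search_scripts(scripts, query="http"):
        print("low-impact match:", name, sorted(scripts[name]))
    for name in impactful_scripts(scripts):
        print("review before running:", name, sorted(scripts[name]))
```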

Warning

Might break poorly written software, use with caution.

Auto Mode

Auto mode enables OS fingerprinting (-O), version scanning (-sV), script scanning using the default category (-sC) and tracerouting (--traceroute).

nmap -n -A <CIDR>

Tip

Nmap algebra: -A = -O + -sV + -sC + --traceroute

Firewall Spotting

In order to determine whether a port scan response comes from a firewall sitting between the attacker and the target, use a --badsum scan against a closed port. Since end systems silently drop packets with a bad checksum but most firewalls do not, any RST that comes back must be from a firewall.

Another trick for performing firewall spotting is to look at the TTL values in responses coming back. If the TTL values from allowed services are different from the TTL values of blocked services, that could be a sign that a firewall is sending the RESET.

Understand Results

WebMap

The WebMap open source project displays a clean web interface built from Nmap XML output. As it is available as a Docker image, simply start a new container, mapping the directory containing the XML files to /opt/xml.

docker run -d -h webmap -p 8000:8000 -v [path/to/nmap/xml/results]:/opt/xml rev3rse/webmap

Reference: https://github.com/Rev3rseSecurity/WebMap

Port States

State (TCP) Description
open Received a SYN/ACK
closed Received a RST (either from the target device or a firewall)
filtered Either received an ICMP Port Unreachable or no response at all

State (UDP) Description
open Received a regular UDP response
closed Received an ICMP Port Unreachable (Type 3, Code 3) response
filtered Received an ICMP Destination Unreachable (Type 3) response with a code other than 3 (i.e. Code 1, 2, 9, 10 or 13)
open|filtered Received no response, so we don't know whether the port is open or filtered
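As an added example (not part of the original cheat sheet), the following Python script applies the TTL heuristic from Firewall Spotting and the port-state table above to Nmap's XML output (-oX) produced with --reason: each port's state element carries state, reason and reason_ttl attributes, so a host whose RST responses arrive with a different TTL than its SYN/ACK responses can be flagged automatically. The sample XML is constructed, not real scan output.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `nmap -sS --reason -oX -` output (not a real scan):
# two open ports answer with TTL 63, the closed port's RST arrives with TTL 250.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset" reason_ttl="250"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_ports(xml_text):
    """Map host address -> list of (port, proto, state, reason, reason_ttl)."""
    hosts = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            st = port.find("state")
            hosts[addr].append((int(port.get("portid")), port.get("protocol"),
                                st.get("state"), st.get("reason"),
                                int(st.get("reason_ttl", "0"))))
    return dict(hosts)


def ttl_mismatch(ports):
    """Return (suspicious, open_ttls, closed_ttls) for one host's ports.

    Only ports that produced a packet have a TTL, so no-response ports are
    skipped. The host is flagged when the TTLs seen on SYN/ACKs and on RSTs
    do not overlap, i.e. a different hop is answering for the blocked ports.
    """
    open_ttls = {p[4] for p in ports if p[2] == "open" and p[3] == "syn-ack"}
    closed_ttls = {p[4] for p in ports if p[2] == "closed" and p[3] == "reset"}
    suspicious = bool(open_ttls and closed_ttls and open_ttls.isdisjoint(closed_ttls))
    return suspicious, open_ttls, closed_ttls


if __name__ == "__main__":
    for addr, ports in parse_ports(SAMPLE_XML).items():
        flag, opened, closed = ttl_mismatch(ports)
        verdict = "firewall suspected" if flag else "TTLs consistent"
        print(f"{addr}: SYN/ACK TTLs {sorted(opened)}, RST TTLs {sorted(closed)} -> {verdict}")
```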