Nmap Reference Manual (Man Page). How to Use Nmap to Scan a Network Scanning a Single Host or IP Address
For many of us whose work tasks have been closely related to information security for at least some time, Nmap has long been a familiar and useful tool. It is as indispensable as a warm blanket on a cold winter night. Except that Nmap is a damn effective blanket.
Nmap is a popular and powerful command-line cross-platform network security scanner that can be used to investigate any network extremely efficiently. It can also help you get an overview of the systems that have connected to your network; you can use it to find out the IP addresses of all live hosts, scan open ports and services running on those hosts, and much, much more.
Without a doubt, Nmap is the most versatile port scanner in existence today. Yes, you can find faster scanners, but there is none so useful and simply indispensable for solving many, many of your tasks. And the vast majority of professionals in the field of information security will categorically agree with this statement.
However, far fewer people know that one of the most interesting features of Nmap is the ability to use NSE scripts, which will give your favorite network security tool even more flexibility and efficiency. With their help, you can do things that even from such a very advanced port scanner as Nmap, you would not expect to get.
Let's take a closer look at NSE scripts, and perhaps their potential will pleasantly surprise you.
In other words, in addition to the standard check of open ports by the Nmap scanner, by using NSE, you also have the opportunity to get extended information about the services running on it. So, for example, with NSE scripts, you can take a deeper look at your network services and see how well they are configured, what information is available, if weak credentials are being used, etc. In fact, NSE scripts make Nmap a flexible platform for interaction with network services.
Nmap Scripting Engine Scripting Capabilities
The Nmap port scanner development team conceived and created a scripting engine primarily to solve problems such as:
1. Network exploration
This is the main practical application of Nmap. Some scripts are designed to facilitate, optimize and speed up the work of your favorite port scanner. Some examples of their use include performing tasks such as:
- searching for WHOIS data (an application layer network protocol based on the TCP protocol; its main application is obtaining registration data on the owners of domain names, IP addresses and autonomous systems in text form) for the corresponding domains;
- sending queries to the main regional WHOIS servers ARIN (North America), RIPE (Europe and the Middle East) or APNIC (Asia and the Pacific) to determine the owner of a particular IP address;
- identd-search on open ports (allows you to identify users connected to them);
- making requests via the SNMP protocol (Internet protocol for managing devices in IP networks based on TCP/UDP architectures);
- compiling lists of available resources and services through network protocols for remote access NFS, SMB or RPC.
2. More sophisticated versioning
Nmap's versioning system for services and applications is capable of recognizing thousands of different services using probes and regular expression signature matching, but it's not all-powerful either. For example, Skype v2 service identification requires two independently operating probes whose versioning capabilities are not very flexible. Nmap is also able to recognize some of the SNMP services if it tries to enumerate several hundred community names using brute force. Both of the above tasks are not very convenient to use the standard Nmap versioning methods, but both of them are easily done using NSE. For this reason, the versioning system now calls NSE by default to resolve the versioning task when processing some complex services.
3. Search for vulnerabilities
When a new vulnerability is discovered, it becomes public knowledge, and network security professionals urgently need to scan their networks to quickly identify vulnerable systems before the bad guys do it for them. Although Nmap is not a full-fledged vulnerability scanner, NSE's powerful capabilities allow it to perform vulnerability checks even with very stringent requirements. For example, when a Heartbleed bug in OpenSSL cryptographic software compromised hundreds of thousands of systems around the world, the Nmap developers responded by writing an ssl-heartbleed detection script within two days.
4. Backdoor detection
Many cyber attackers, as well as some automated worms, leave behind backdoors to provide themselves with a loophole in the future to more easily penetrate your system. Some of these backdoors can be detected using standard Nmap versioning based on regular expression signature matching, but many of the more complex worms and backdoors require advanced NSE capabilities to reliably detect. In particular, NSE is used to detect the DoublePulsar backdoor, which uses a vulnerability in the implementation of the SMB protocol, backdoor versions for the UnrealIRCd IRC server, as well as vsftpd and ProFTPd FTP servers.
5. Vulnerability detection
Implemented on a general-purpose scripting language, NSE can even be used to create exploits that can help you discover vulnerabilities before they become known to the public. This ability to add custom scripted exploits can be extremely useful to some people (primarily penetration testers). However, NSE is still not a full-fledged platform for creating signatures and exploits, like Metasploit.
What categories of NSE scripts are there?
There are currently 598 NSE scripts that you can find in the "scripts" folder, a subdirectory of the main Nmap directory. For better performance, all scripts are indexed in the "scripts/script.db" database, which indicates which category or categories each script belongs to.
Depending on the intended use, and to simplify their use, NSE scripts are grouped into different categories. The following categories of NSE scripts are currently defined: auth, broadcast, brute, default. discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln (category names are not case sensitive). Below is a more detailed view of each category:
- auth- This category of scripts deals with authentication credentials (or bypasses them) on the target system. Examples of such scripts are "x11-access", "ftp-anon" and "oracle-enum-users". Note that scripts that use a brute force attack to attempt to determine credentials are categorized as brute.
- broadcast- Scripts in this category are usually used to discover hosts not specified on the command line through broadband communication with the local network. When using the "newtargets" script argument, they will automatically add the hosts they find to the scan queue.
- brute- This category of scripts is used to carry out brute force attacks to obtain authentication credentials of a remote server. Nmap offers scripts for brute-force attacks on dozens of protocols. These include the following scripts: "http-brute", "oracle-brute", "snmp-brute", etc.
- default- this category of scripts defines those scripts that are selected by the Nmap developers as useful for extending the functionality of the scanner or optimizing its operation, and are assigned to the basic "default" set. They are run when using the "-sC" or "-A" options, and not by specifying a specific list of scripts through the "--script" option. It is possible to explicitly specify this category of scripts, like the others, using "--script=default". The Nmap team, when determining whether a particular script should be categorized as default, tries to rely on the following requirements:
- speed- scanning by default should be completed quickly, which excludes the inclusion in this category of brute-force authentication crackers, web spiders, as well as any other scripts whose scanning time for one service is calculated in minutes or even hours.
- utility- Performing a scan in the default category requires obtaining valuable and up-to-date information. In other words, the result of scanning such a script should be understandable and useful to the average network security professional. Otherwise, it does not make sense to run it by default.
- brevity- the output of the information received by the Nmap scanner is used for a variety of purposes and needs, so this information should be readable and concise. Scripts that often create many pages with a full output of all the information received also do not belong in the default script category. In other words, NSE scripts that are categorized as default when they don't find any important information show nothing in the report. This is also true for default scripts that look for hidden vulnerabilities - they only output the result when these vulnerabilities are found.
- reliability- many scripts in their work can rely on heuristic analysis and fuzzy signature matching data to draw certain conclusions about the target host or service. Examples of such scripts are "sniffer-detect" and "sql-injection". Such scripts will not be included in the default category, since the results of their work are often erroneous and can mislead the user who does not clearly understand all the specifics of their work.
- unobtrusiveness- some scripts are overly intrusive when they use significant resources of the remote system, which can lead to the failure of this system or service, or their actions can be regarded as an attack by remote administrators. Such scripts are also not included in the default category. However, some "moderately aggressive" scripts have been categorized by the Nmap team as default based on their usefulness and how well they can behave, given other factors.
- confidentiality- many scripts can disclose confidential information to third parties, based on the very specifics of their work. For example, scripts for looking up WHOIS data must report the target IP address to regional registrars. In other words, in the default category of NSE scripts, the Nmap team tries not to add scripts that can violate privacy.
- discovery- This category of scripts actively tries to learn more about the network by sending public requests to the registrar, SNMP-enabled devices, directory service, etc. Examples of such scripts are "html-title" (gets the title of the root path of websites), "smb-enum-shares" (lists Windows shares) and "snmp-sysdescr" (retrieves detailed system information via the standard internet protocol for SNMP device management).
- dos- Scripts in this category should be used with extreme caution, as they can lead to a denial of service. They are sometimes used by security testers to test a system's vulnerability to denial of service attacks, but such testing can lead to unwanted side effects, such as causing some vulnerable services to crash.
- exploit- These scripts are aimed at actively exploiting a particular vulnerability. Examples of this category of scripts are "jdwp-exec" and "http-shellshock".
- external- scripts in this category can send data to third parties that control databases or other network resources. An example of such a script is "whois-ip", which connects to WHOIS servers to obtain information about the target's IP address. There is always the possibility that third-party database operators will record everything you send them, which in many cases will include information about your IP address and the IP address of your target. Most scripts that deal solely with traffic between the scanning computer and the client do not fall into this category.
- fuzzer is a category of scripts that is designed to send unexpected or randomized fields to the server software in each batch. While this method can be useful for finding unknown bugs and vulnerabilities in software, it is a slow process that is also bandwidth intensive. An example of this category of scripts is "dns-fuzz", which bombards the DNS server with partially modified domain queries until the server goes down or a user-set time limit expires.
- intrusive- this category of scripts includes those that cannot be classified as safe (safe), since the risks are too high that the target system will collapse under their pressure, significant resources will be required on the target host (for example, bandwidth or processor time), or some otherwise, their execution will be perceived by the administrators of the target system as malicious activity. Examples of such scripts are "http-open-proxy" (which tries to use the target server as an HTTP proxy) and "snmp-brute" (which tries to guess the so-called "community string" of SNMP devices by sending popular values such as public, private, and cisco). If the script does not belong to the version special category, it must be classified as safe or intrusive.
- malware- these scripts check if the target platform is infected with malware or backdoors. Examples of scripts in this category of scripts are "smtp-strangeport", which monitors SMTP servers running on unusual port numbers, and "auth-spoof", which detects spoofed identd daemons (implementing user identity protocol support) that provide a fake response yet before they receive a request. Whether for the first or the second example, this behavior, if detected, is usually a sign of malware infection on the system.
- safe- all scripts that were not created to cause a service failure, use large amounts of network bandwidth or other resources, and were not aimed at exploiting security holes, are categorized as safe. They are much less likely to attract the attention of remote administrators, although (as is the case with any other Nmap functionality) it cannot be 100% guaranteed that they will never attract collateral attention. Most of these scripts perform tasks related to general network exploration. Examples of scripts in this category are "ssh-hostkey" (gets the host's SSH key) and "html-title" (grabs the title from a web page). Scripts in the version category are not categorized as safe, but other non-safe scripts must be defined as intrusive.
- version- scripts from this special category are an extension of the version detection functionality and cannot be explicitly selected. They are only selected to run when prompted to determine the Nmap version ("-sV"). Their output cannot be separated from the output of the versioning function, and they do not work as host or service scripts. Examples of such scripts are "skypev2-version", "pptp-version" and "iax2-version".
- vuln- scripts in this category perform checks for the presence of some particular known vulnerability and usually give only those results that confirm that such a vulnerability has been found. Examples of such scripts are "realvnc-auth-bypass" and "afp-path-vuln".
Scripts, depending on their functional orientation, as well as the scanning phase during which they are executed, are divided into four types (some scripts can support several types of operations at once):
- Prerule scripts - This type of script is run before any Nmap operations are performed, so they are executed before the scan phase, when Nmap has not yet collected any information about the target. These scripts can be useful for performing tasks that are independent of specific scan targets, such as making broadcast requests to poll DHCP and DNS SD servers. Some of these scripts can create new targets for Nmap scanning (only if you provide the NSE argument "newtargets"). So, for example, the "dns-zone-transfer" script can get a list of IP addresses in a domain using a zone transfer request, and then automatically add them to the list of targets for Nmap scanning. Prerule scripts are identified using the prerule function.
- Host scripts - These scripts are run during the standard Nmap scanning process, after the Nmap scanner has performed normal operations such as host discovery, port scanning, versioning, and OS detection on the target host. This type of script is called once for each target host that matches its hostrule function. Examples include "whois-ip" which looks up the owner information for the target IP address, and "path-mtu" which attempts to determine the maximum size of an IP packet that can reach the target without requiring fragmentation.
- Service scripts - This type of script is run when certain services are found on the target host. For example, Nmap includes more than 15 http service scripts that are run to work with web servers. If the host has web servers running on multiple ports, these scripts can be run multiple times (one for each port). This is the most common type of script in Nmap, and they differ in that they contain a portrule function to determine which of the discovered services the script should run against.
- Postrule scripts - This type of script is run once, after Nmap has scanned all intended targets. They can be useful for formatting and presenting the output of information received by the Nmap scanner. For example, the "ssh-hostkey" script is more commonly known as a service script (with portrule defined) that connects to SSH servers, discovers their public keys, and prints them out. But it also includes a postrule functionality that checks for duplicate keys among all verified hosts and then prints all found ones. Another potential use case for scripts of this type is to reverse-print the output of an Nmap scanner - for example, listing all hosts running a particular service, rather than simply listing all hosts running services on them. Postrule scripts are identified using the postrule function.
Note: many scripts can run as prerule script as well as postrule script. In these cases, it is recommended to use the prerule functionality to avoid inconsistencies.
Eternal paranoid, Anton Kochukov.
See also:
nmap[ <Тип сканирования> ...] [ <Опции> ] { <цель сканирования> }
Description
nmap(" Network Mapper ») is an open source network exploration and security utility. It was designed to quickly scan large networks, although it also works well for single targets. Nmap uses raw IP packets in an original way to determine what hosts are available on the network, what services (application name and version) they offer, what operating systems (and OS versions) they use, what types of packet filters/firewalls are used, and many more. other characteristics. While Nmap is commonly used for security checks, many system administrators find it useful for common tasks such as monitoring network structure, managing service startup schedules, and keeping track of host or service uptime.
The output of Nmap is a list of targets scanned, with additional information on each target depending on the options given. The key information is « important ports table» . This table contains the port number, protocol, service name, and status. The status can be open (open), filtered (filtered), closed (closed), or unfiltered (not filtered). Open means that the application on the target machine is ready to connect/receive packets on this port. Filtered means that a firewall, network filter, or some other network interference is blocking the port, and Nmap cannot determine whether the port is open or closed. Closed ports are not associated with any application, but can be opened at any time. Ports are considered unfiltered when they respond to Nmap requests, but Nmap cannot tell if they are open or closed. Nmap issues open|filtered and closed|filtered combinations when it cannot determine which of the two states the port describes. This table may also provide details of the software version if requested. When scanning over IP protocol (-sO), Nmap provides information about supported protocols, not about open ports.
In addition to a table of important ports, Nmap can provide further target information: resolved DNS names, operating system guess, device types, and MAC addresses.
A typical scan using Nmap is shown in Example 1. The only arguments used in this example are -A , for OS version, scripted scanning, and tracing; -T4 for faster execution; then two target hosts.
Example 1. A typical example of scanning with Nmap
# nmap -A -T4 scanme..org) Interesting ports on scanme.site (64.13.134.52): (The 1663 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99) 53/tcp open domain 70/tcp closed gopher 80/tcp open http Apache httpd 2.0.52 ((Fedora)) 113/tcp closed auth Device type: general purpose Running: Linux 2.4.X|2.5.X| 2.6.X OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11 Interesting ports on playground..168.0.40): (The 1659 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 389/tcp open ldap? 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1002/tcp open windows-icfw? 1025/tcp open msrpc Microsoft Windows RPC 1720/tcp open H.323/Q.931 CompTek AquaGateKeeper 5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC port: 5900) 5900/tcp open vnc VNC (protocol 3.8) MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications) Device type: general purpose Running: Microsoft Windows NT/2K/XP OS details: Microsoft Windows XP Pro RC1+ through final release Service Info: OSs: Windows , Windows XP Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
The latest version of Nmap can be downloaded from
Nmap is a cult scanner that almost no hacker can do without, so the topic of expanding its capabilities, I think, is of interest to many. Using other tools in conjunction with Nmap is a common practice. This article will talk about how to easily automate Nmap with your favorite tools. It is more convenient to “press one button” and get the result than to constantly do the same sequence of actions. Using scripts in Nmap can help hackers hack systems more automatically, and sysadmins can check systems for default holes and fix them in a timely manner.
A few words about Nmap
I am sure that most readers of Hacker magazine know what Nmap is and have probably used it more than once to explore the network and collect information. For those who have forgotten or do not know, just in case, let me remind you:
- Nmap is a cross-platform tool for scanning the network, checking its security, determining OS versions and various services, and much more. This is a very flexible and easily extensible utility, and the NSE scripting engine makes it so;
- NSE (Nmap Scripting Engine) is a powerful Nmap component that allows users to write scripts to automate a wide range of network tasks: more flexible interaction with existing Nmap capabilities, detection and exploitation of vulnerabilities, and more. NSE is based on the Lua language interpreter;
- Lua is a scripting language similar to JavaScript.
Formulation of the problem
As already mentioned, today we will be expanding the functionality of Nmap by writing our own scripts. Any hack/pentest usually starts with reconnaissance and data collection. One of the first checks is the presence of open ports on the host under study and the identification of running services. There is probably no better tool for gathering such information than Nmap. The next step after scanning is usually either searching for a sploit for the found vulnerable service, or selecting a login:password pair using the brute force method.
Let's say you actively use the THC-Hydra brute-forcer to guess the passwords of several services (for example, HTTP-Basic, SSH, MySQL). In this case, you have to set the hydra on each service separately, you need to remember the features of the services and the flags necessary to launch the hydra. And if it becomes necessary to brute much more than five services? .. Why not automate it?
Therefore, let's write a simple script that will automate the process of starting Hydra to select logins / passwords for one service (for example, PostgreSQL). For this we need the following tools:
- nmap;
- THC-Hydra;
- any text editor.
If you don't already have Nmap and/or Hydra installed, fix it immediately:
$ sudo apt-get install nmap hydra
Okay, let's start. Scripts for Nmap are plain text files with *.nse extension. So open up your favorite text editor and create a new file. I will use Vim:
$ vim hydra.nse
NSE script structure
Before moving on to writing, it must be said that all scripts have a certain structure. In addition to the code itself, which automates certain actions, it contains a description of the script (what it is intended for and how to use it), information about the author, licenses, dependence on other scripts, categories to which the script belongs, and so on. Let's take a closer look at each of these parts.
Description of the script (description)
This section contains a description of the script, comments by the author, an example of displaying the result of the script execution on the screen, and additional features.
For our script that selects logins / passwords for PostgeSQL, the description will look like this:
Description = [[ Brute force all services running on a target host. The results are returned in a table with each path, detected method, login and/or password. ]] --- -- @usage -- nmap --script hydra [--script-args "lpath=
Comment; -- - multi-line comment; @usage, @output, @args - an example of calling a script, displaying the result on the screen, the necessary arguments when calling.
Above in @usage we see the script launch format. In this case, only the name of the script (hydra) is specified. This becomes possible if the script is placed in the directory /
Categories where the script is located (categories)
When writing an NSE script, you can specify its category (or several categories). This is useful when the Nmap user wants to use not a specific script, but a set of scripts that are in the same category. Examples of some categories:
- auth - a category in which scripts define the authentication data of the target host;
- brute - a category whose scripts help determine logins and passwords for various services;
- default - a category that contains the main scripts. There are some criteria that determine whether a script belongs to this category: scanning speed, usefulness, reliability, confidentiality, visual output;
- malware - a category that helps identify malware.
For example, if you need to run all scripts from the auth category, then the command will look like this:
$ nmap --script=auth example.com
In this case, the scripts of this category will be run in turn for the specified host. Our script belongs to the brute category. Let's add the following line to the file:
Categories = ("brute")
Information about the author (author)
Each script contains information about its author. In my case:
Author = "Olga Barinova"
Information about the license in use (license)
Nmap welcomes all user developments and encourages sharing, including NSE scripts. When specifying a license, you confirm the right to share the script with the community. The standard Nmap license looks like this:
License = "Same as Nmap--See http://nmap.org/book/man-legal.html"
Let's add this line to our script as well.
Dependencies on other scripts (dependencies)
This area contains the names of NSE scripts that must be executed before this script can be run in order to obtain the necessary information. For example,
Dependencies = ("smb-brute").
In our case, this feature will not be needed, so we will not add dependencies.
Host and port (host & port)
Nmap needs to know for which services and on which ports to run the script. There are special rules for this:
- prerule() - script is executed once before scanning any host, used for some network operations;
- hostrule(host) - the script is executed for each host from the table, which it takes as an argument;
- portrule(host, port) - the script is executed for each host and for each port from the tables that it takes as arguments;
- postrule() - the script is executed once after scanning any host. It is mainly used for processing the results, summarizing statistics and the like.
There are libraries for the formation of such rules. Our script only needs to specify the port number (5432) and the service name (postgresql), and then it will work only for this port and service. There is a fairly popular shortport library built into NSE that includes various methods. We will use the method
Port_or_service (ports, services, protos, states)
where ports are port numbers, services are service names, protos are protocol names (for example, udp), states are states.
This method returns true if the service currently being parsed is on one of the ports in the ports list or matches any service in the services list, and the protocol and status are checked for a match, otherwise false is returned.
To make our script work with PostgreSQL, we need to add the port number and service name:
Portrule = shortport.port_or_service((5432), ("postgresql"))
Connecting Libraries
Let's digress for a second from the structure of the script and consider how external libraries are connected, the functionality of which we need to access.
Continued available to members only
Option 1. Join the "site" community to read all the materials on the site
Membership in the community during the specified period will give you access to ALL Hacker materials, increase your personal cumulative discount and allow you to accumulate a professional Xakep Score rating!
Below you will find 20 basic examples of using the Nmap command.
You will learn how to use Nmap from command line in linux to search for active hosts on the network and scan open ports.
You will see how remotely detect operating system using TCP/IP stack fingerprints and how check software version running on a remote server.
I will also show you how to use Nmap to implement covert scanning, as define firewall And How change MAC address.
1. Scan Single Host or IP Address
Scan Separate IP Address:
$ nmap 192.168.1.1
Scan server by Host name:
$ nmap server.site
Increase Level of detail scan results:
$ nmap -v server..site
2. Scanning Multiple IP Addresses
Scan Multiple IP Addresses:
$ nmap 192.168.1.1 192.168.1.2 192.168.1.3 $ namp 192.168.1.1,2,3
Scan Subnet:
$ nmap 192.168.1.0/24 $ nmap 192.168.1.*
Scan Range of IP Addresses (192.168.1.0 — 192.168.1.200):
$ nmap 192.168.1.0-200
3. Search for Active Computers on the Network
Useful advice: Scan the network with just one ping command! Calculate all active computers!
Scan the network in search Active Hosts:
$ nmap -sn 192.168.1.0/24
4. Scanning a List of Hosts from a File
Scan a list of hosts/networks from File:
$ nmap -iL input.txt
File format:
# Entries can be in any of the formats that # Nmap works with from the command line (IP addresses, hostnames, CIDR, IPv6, or octet # ranges). Entries must be separated by one or more spaces, tabs # or newlines. $ cat input.txt server.site 192.168.1.0/24 192.168.2.1,2,3 192.168.3.0-200
5. Excluding IP/Hosts/Networks from Scanning
Exclude Goals from Nmap scan:
$ nmap 192.168.1.0/24 --exclude 192.168.1.1 $ nmap 192.168.1.0/24 --exclude 192.168.1.1 192.168.1.5 $ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3
Exclude List hosts taken from the file:
$ nmap 192.168.1.0/24 --excludefile exclude.txt
The file format with excluded hosts is the same as above.
6. Scan Specific Ports
Scan One Port:
$ nmap -p 80 192.168.1.1
Scan Multiple Ports:
$ nmap -p 80,443 192.168.1.1
Scan Port Range:
$ nmap -p 80-1000 192.168.1.1
Scan All Ports:
$ nmap -p "*" 192.168.1.1
Scan a few of the most Common Ports:
$ nmap --top-ports 5 192.168.1.1 $ nmap --top-ports 10 192.168.1.1
7. Definition of Supported IP Protocols
Determine which IP protocols(TCP, UDP, ICMP, etc.) supports scanned host:
$ nmap -sO 192.168.1.1
8. Scan TCP/UDP Ports
Scan all TCP Ports:
$ nmap -sT 192.168.1.1
Scan certain TCP ports:
$ nmap -p T:80 192.168.1.1
Scan all UDP ports:
$ nmap -sU 192.168.1.1
Scan specific UDP ports:
$ nmap -p U:53 192.168.1.1
Combining scans of different ports:
$ nmap -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1
9. Quick Scan
Activate Quick Mode scanning:
$ nmap -F 192.168.1.1
* Scans fewer ports than regular scanning.
10. Show Port Status Reason
Show reason, by which Nmap considers that the port is in a certain state:
$ nmap --reason 192.168.1.1
11. Show Only Open Ports
Show Only Open Ports(or possibly open):
$ nmap --open 192.168.1.1
12. OS definition
One of Nmap's best-known features is remote OS discovery based on TCP/IP stack analysis.Nmap sends a series of TCP and UDP packets to a remote host and examines the responses.
After running a lot of tests, Nmap compares the results with its database and, if it finds a match, displays information about the OS.
Turn on OS definition:
$ nmap -O 192.168.1.1
13. Determining the Version of the Services
Turn on Determining the Version of Services:
$ nmap -sV 192.168.1.1
* Determines the versions of programs running on the remote server.
14. Firewall detection
Find out if your computer is protected by any Packet Filters or firewall:
$ nmap -sA 192.168.1.1
15. MAC Address Spoofing
Change MAC Addresses:
$ nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
Change MAC Address Random MAC:
$ nmap --spoof-mac 0 192.168.1.1
16. Firewall Scan for Vulnerabilities
These three scan types use a subtle loophole in the TCP RFC to separate open and closed ports.When an RFC compliant system is being scanned, any packet that does not contain a SYN, RST, or ACK bit set will result in an RST being sent in response if the port is closed, or will result in no response if the port is open.
Because none of these bits is set, then any combination of the remaining three (FIN, PSH, and URG) will be valid.
TCP Null scanning:
$ nmap -sN 192.168.1.1
* No bits (Flags in TCP Header 0) are set.
TCP Fin scanning:
$ nmap -sF 192.168.1.1
* Only the TCP FIN bit is set.
TCP Xmas scanning:
$ nmap -sX 192.168.1.1
* The FIN, PSH and URG flags are set (the package lights up like a Christmas tree).
17. Hidden Scan
Useful advice: Stay anonymous during port scans! Use Nmap + Tor + ProxyChains! Safe and easy penetration testing!
TCP SYN scanning:
$ nmap -sS 192.168.0.1
* Known as half-open connection scanning, as it does not open full TCP connections.
18. Disable Host Discovery (No Ping)
Do not ping hosts before scanning:
$ nmap -Pn 192.168.1.1
19. Disable DNS usage
Useful advice: Need to tighten security on Linux? Encrypt DNS traffic to protect against spoofing!
Never perform reverse DNS resolution for each active IP address found.
Tcpdump - a useful guide with examples
Key management Key distribution involving a key distribution center
Which files infect macro viruses