Dedicated NMAP commands and techniques page - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

Below is a collected page of nmap commands, flags, and techniques:

Flags

  • -p {port} - Specific port(s) for nmap to scan; can be a range, for example "-p 1-6000", or a comma-separated list, for example "-p 135,139,445,3389". The protocol can be specified by prefixing ports with T: (TCP) or U: (UDP); this needs -sU plus a TCP scan type (like -sS), e.g. "-p T:53,U:53" to scan port 53 over both TCP and UDP
    • -p- - Tells nmap to scan every port (equivalent to "-p 1-65535")
  • -Pn - Tells nmap to skip ping test and scan every target host provided
  • -sn - Tells nmap to skip the port scan after host discovery; default host discovery "consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80" (nmap.org)
  • -n - Tells nmap not to do reverse DNS resolution
  • -sV - Tells nmap to do service/version detection
  • -sU - Tells nmap to do a UDP port scan; slow, sends a UDP packet to each port and waits for a response
  • -A - Tells nmap to do OS detection, version detection, script tracing, and traceroute
  • -sS - Tells nmap to do a SYN scan, sends a SYN to the server to see if it gets a SYN/ACK back
  • -T{1,2,3,4,5} - Set the timing template; higher is faster, 5 is too fast for normal use
  • --top-ports {number} - Tells nmap to scan the {number} highest-ratio ports, i.e. the ports most commonly found open
  • -O - Tells nmap to detect OS on target host
  • -oG - Tells nmap to output scan in grepable format
  • --open - Tells nmap to only report open ports
  • -sL - Tells nmap to simply list each host of the networks specified, WITHOUT SENDING ANY PACKETS TO THE TARGET HOSTS
  • --dns-servers {server} - Tells nmap to use the given DNS servers for reverse DNS resolution
  • --script {script} - Tells nmap to run a certain script, can be followed with --script-args to specify arguments in the script
  • -sT - Tells nmap to do a connect scan; connect() is the same system call that web servers and other services use. It is the full 3-way handshake with the target (SYN, SYN/ACK, ACK)

One-liners

sudo nmap -n -sn 10.0.5.2-50 | awk '/Nmap scan report for/ {print $5}' >> sweep.txt
  • ^ Runs nmap for host discovery on a range (10.0.5.2-50 is an example), uses awk to match the lines nmap prints for each host found, splits on whitespace and prints the IP, and appends the result to a file (sweep.txt is an example.)
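To show what the awk in that one-liner is actually matching, here is an added example (not from the original wiki) that parses constructed nmap normal output into a host list. It also covers the case the one-liner avoids with -n: when reverse DNS is on, nmap prints "Nmap scan report for name (ip)", the IP moves into a parenthesized last field, and $5 would give the hostname instead. The SAMPLE_SCAN text and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: turn nmap normal output into one IP per line, the same job as
# the awk one-liner above, but handling both "for 10.0.5.2" and
# "for name (10.0.5.3)" report lines. SAMPLE_SCAN is constructed for the example.

SAMPLE_SCAN='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 10.0.5.2
Host is up (0.00040s latency).
Nmap scan report for gateway.lab.local (10.0.5.3)
Host is up (0.0010s latency).
Nmap scan report for 10.0.5.9
Host is up (0.00052s latency).
Nmap done: 49 IP addresses (3 hosts up) scanned in 1.23 seconds'

# extract_up_hosts: read normal output on stdin, print one IP per line.
extract_up_hosts() {
    awk '/^Nmap scan report for/ {
            # Hostname form: last field is "(ip)", so strip the parentheses.
            if ($NF ~ /^\(.*\)$/) { ip = $NF; gsub(/[()]/, "", ip) }
            else { ip = $NF }
            print ip
        }'
}

# count_up_hosts: number of hosts reported in the text given as $1.
count_up_hosts() {
    printf '%s\n' "$1" | extract_up_hosts | wc -l | tr -d ' '
}

# sweep_to_file: append the host list from text $1 to file $2 (like ">> sweep.txt").
sweep_to_file() {
    printf '%s\n' "$1" | extract_up_hosts >> "$2"
}

# Usage: print the host list for the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | extract_up_hosts
```

Against a real scan, replace the sample with `nmap -sn <range> | extract_up_hosts`; the -n in the one-liner keeps the first form only, which is why `$5` is enough there.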
sudo nmap 10.0.17.135 -p 3389
  • ^ Runs nmap to scan a specific port (in this case the port for RDP) (IP and port can be changed)
sudo nmap 10.0.17.135 -p 1-6000 -sV
  • ^ Runs nmap to scan a range of ports (IP and port range can be changed), then performs version detection on the open ports (could be swapped for -A for more verbose output; this happens AFTER the ports have been found.)
sudo nmap 10.0.17.135 -p 135,139,445,3389 -A
  • ^ Runs nmap to scan specific ports, then does OS detection, version detection, script tracing, and traceroute on those ports.
sudo nmap -Pn 10.0.5.1-254 --open -p 53 -oG dns-servers2.txt
  • ^ Tells nmap to skip host discovery, -Pn, scan across 10.0.5.0/24 as the range 10.0.5.1-254, only report open ports, --open, and write grepable output to dns-servers2.txt, -oG dns-servers2.txt.
sudo nmap -sU -sS -sV 10.0.5.22 -p T:53,U:53
  • ^ Runs nmap with UDP scanning enabled, -sU, alongside a TCP SYN scan, -sS, and version detection, -sV, against port 53 over TCP, T:53, and UDP, U:53
sudo nmap 10.0.5.23 -sT -A --top-ports 100 -Pn -oG top100ports.txt && nmaptocsv -i top100ports.txt -d ","
  • ^ Tells nmap to perform a connect scan, -sT, while conducting verbose service detection, -A, on the top 100 well-known ports, --top-ports 100, skipping host discovery, -Pn, and exporting to a grepable format, -oG top100ports.txt, AND then feeds that grepable file as input, -i, into nmaptocsv with a comma as the delimiter, -d ",". The result is a CSV-formatted scan printed to the console.
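The grepable format that -oG writes and nmaptocsv reads is simple enough to parse directly, which is useful for checking what the conversion produces. The following is an added example (not part of the original wiki and not nmaptocsv's own code) that converts -oG output to CSV: each Host: line is tab-separated, and the Ports: field lists entries as port/state/protocol/owner/service/rpcinfo/version/ separated by ", ". The SAMPLE_GREPABLE text and the function name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: convert nmap grepable (-oG) output to CSV, the step nmaptocsv
# performs in the one-liner above. SAMPLE_GREPABLE is constructed for the
# example; printf inserts the tabs that separate fields on a real Host: line.

SAMPLE_GREPABLE="$(printf '%s\n%s\t%s\n%s\t%s\t%s\n%s\n' \
  '# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sT -A --top-ports 100 -Pn -oG top100ports.txt 10.0.5.23' \
  'Host: 10.0.5.23 (dc1.lab.local)' 'Status: Up' \
  'Host: 10.0.5.23 (dc1.lab.local)' \
  'Ports: 53/open/tcp//domain//Simple DNS Plus/, 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/filtered/tcp//netbios-ssn///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/' \
  'Ignored State: closed (96)' \
  '# Nmap done at Mon Jan  1 10:00:05 2024 -- 1 IP address (1 host up) scanned in 5.00 seconds')"

# grepable_to_csv: read -oG text on stdin and print CSV rows.
# $1 = "open" keeps only open ports (like --open); any other value keeps all states.
grepable_to_csv() {
    awk -F'\t' -v only_open="$1" '
        BEGIN { OFS = ","; print "ip,hostname,port,protocol,state,service,version" }
        /^Host:/ {
            # First tab field is "Host: <ip> (<hostname>)"; hostname may be empty.
            split($1, h, " ")
            ip = h[2]; host = h[3]; gsub(/[()]/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, ports, ", ")
                for (j = 1; j <= n; j++) {
                    # port/state/protocol/owner/service/rpcinfo/version/
                    split(ports[j], f, "/")
                    if (only_open == "open" && f[2] != "open") continue
                    # Version strings can contain spaces or commas, so quote them.
                    print ip, host, f[1], f[3], f[2], f[5], "\"" f[7] "\""
                }
            }
        }'
}

# Usage: CSV of open ports from the constructed sample.
printf '%s\n' "$SAMPLE_GREPABLE" | grepable_to_csv open
```

With a real file the call is `grepable_to_csv open < top100ports.txt`; passing anything other than "open" keeps filtered and closed entries too, which is handy when comparing scans of the same host over time.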

Field notes

  • Filtered means a firewall or other filter is blocking nmap's probes to the port; it indicates the port might be open but protected, and nmap cannot tell
  • Default nmap settings are: -T3, top 1000 TCP ports, SYN TCP scan (assuming root)

SOURCES: