Nmap: Difference between revisions
Jump to navigation
Jump to search
Created page with "= Nmap = '''Nmap''' (Network Mapper) is an open‑source utility for network discovery, security auditing, and host fingerprinting. It is one of the most widely used tools in active reconnaissance, offering port scanning, OS detection, service versioning, and a powerful scripting interface (Nmap Scripting Engine – NSE). == <span id="options"></span>Common Options == === Scan Types === {| class="wikitable" ! Option !! Description |- | <code>-sS</code> ||..." |
|||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 32: | Line 32: | ||
|- | |- | ||
| <code>-6</code> || Use IPv6 addresses | | <code>-6</code> || Use IPv6 addresses | ||
|- | |||
| <code>-n</code> || Do not resolve hostnames (skip DNS resolution) | |||
|- | |||
| <code>--exclude [HOST]</code> || Exclude specific host(s) from the scan | |||
|- | |||
| <code>--excludefile [FILE]</code> || Exclude hosts listed in a file | |||
|} | |} | ||
=== Detection & Enumeration === | === Detection & Enumeration === | ||
| Line 45: | Line 53: | ||
|- | |- | ||
| [[#ex-script|<code>--script [NAME]</code>]] || Run specific NSE script(s) | | [[#ex-script|<code>--script [NAME]</code>]] || Run specific NSE script(s) | ||
|- | |||
| <code>--version-all</code> || Try every version detection method (used with <code>-sV</code>) | |||
|- | |||
| <code>--osscan-guess</code> || Guess OS more aggressively when uncertain | |||
|} | |} | ||
| Line 58: | Line 70: | ||
|- | |- | ||
| [[#ex-oX|<code>-oX [FILE]</code>]] || Save output in XML format | | [[#ex-oX|<code>-oX [FILE]</code>]] || Save output in XML format | ||
|- | |||
|- | |||
| <code>-v</code> || Increase verbosity (can be stacked: <code>-vv</code>, <code>-vvv</code>) | |||
|- | |||
| <code>--reason</code> || Show the reason each port is in its state (e.g. response flags) | |||
|- | |||
| <code>--open</code> || Show only open (or relevant) ports | |||
|} | |} | ||
| Line 66: | Line 85: | ||
nmap -sS 192.168.1.1 | nmap -sS 192.168.1.1 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
''[[#options|↑ Options]]'' | |||
=== <span id="ex-fullscan"></span>Full Insight Scan === | |||
<syntaxhighlight lang="bash"> | |||
nmap -A -T4 -p- -sC -sV -O -Pn 192.168.1.10 | |||
</syntaxhighlight> | |||
<code># -A: enable all scans, -T4: faster timing, -p-: all ports, -sC: default scripts, -sV: service versions, -O: OS detect, -Pn: no ping</code> | |||
''[[#options|↑ Options]]'' | ''[[#options|↑ Options]]'' | ||
Latest revision as of 14:46, 13 May 2025
Nmap
Nmap (Network Mapper) is an open‑source utility for network discovery, security auditing, and host fingerprinting. It is one of the most widely used tools in active reconnaissance, offering port scanning, OS detection, service versioning, and a powerful scripting interface (Nmap Scripting Engine – NSE).
Common Options
Scan Types
| Option | Description |
|---|---|
-sS |
TCP SYN scan (stealth mode) |
-sT |
TCP connect scan (full handshake) |
-sU |
Scan UDP ports |
-sP |
Ping scan to discover live hosts (alias for -sn)
|
-sL |
List targets without scanning |
Host Discovery & Targeting
| Option | Description |
|---|---|
-Pn |
Treat all hosts as online (skip ping) |
-p [PORT] |
Specify port(s) to scan |
-iL [FILE] |
Input list of hosts from file |
-6 |
Use IPv6 addresses |
-n |
Do not resolve hostnames (skip DNS resolution) |
--exclude [HOST] |
Exclude specific host(s) from the scan |
--excludefile [FILE] |
Exclude hosts listed in a file |
Detection & Enumeration
| Option | Description |
|---|---|
-sV |
Detect service versions |
-O |
Enable OS detection |
-A |
Aggressive scan: OS detection, version, script scan, traceroute |
--script [NAME] |
Run specific NSE script(s) |
--version-all |
Try every version detection method (used with -sV)
|
--osscan-guess |
Guess OS more aggressively when uncertain |
Performance & Output
| Option | Description |
|---|---|
-T[0‒5] |
Timing template (T0 = slow, T5 = fast) |
-d |
Enable debugging output |
-oN [FILE] |
Save output in normal format |
-oX [FILE] |
Save output in XML format |
-v |
Increase verbosity (can be stacked: -vv, -vvv)
|
--reason |
Show the reason each port is in its state (e.g. response flags) |
--open |
Show only open (or relevant) ports |
Examples
SYN Scan
nmap -sS 192.168.1.1Full Insight Scan
nmap -A -T4 -p- -sC -sV -O -Pn 192.168.1.10# -A: enable all scans, -T4: faster timing, -p-: all ports, -sC: default scripts, -sV: service versions, -O: OS detect, -Pn: no ping
↑ Options
TCP Connect Scan
nmap -sT 192.168.1.1UDP Scan
nmap -sU 192.168.1.1Ping Scan
nmap -sP 192.168.1.0/24Skip Host Discovery
nmap -Pn 192.168.1.100Scan Specific Ports
nmap -p 22,80 192.168.1.1Aggressive Scan
nmap -A 10.0.0.1OS Detection Only
nmap -O 10.0.0.1Fast Timing Template
nmap -T5 example.comRun NSE Script
nmap --script default example.comScan From File
nmap -iL targets.txtSave Output (Normal)
nmap -oN output.txt 192.168.1.1Save Output (XML)
nmap -oX output.xml 192.168.1.1List Targets Only
nmap -sL 192.168.1.0/30Debug Mode
nmap -d 192.168.1.1