Nmap: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
|||
| Line 6: | Line 6: | ||
== <span id="options"></span>Common Options == | == <span id="options"></span>Common Options == | ||
=== Scan | == Syntax == | ||
<syntaxhighlight lang="bash"> | |||
nmap [Scan Type(s)] [Options] <target specification> | |||
</syntaxhighlight> | |||
Nmap commands are structured into three key components: **Scan Type(s)**, **Options**, and **Target Specification**. | |||
Each part plays a distinct role in how the scan behaves and what it attempts to discover. | |||
== <span id="options"></span>Scan Type(s) == | |||
These flags define *how* Nmap interacts with the target (e.g., TCP, UDP, stealth, protocol-level scans): | |||
{| class="wikitable" | {| class="wikitable" | ||
! Option !! Description | ! Option !! Description | ||
| Line 12: | Line 22: | ||
| [[#ex-sS|<code>-sS</code>]] || TCP SYN scan (stealth mode) | | [[#ex-sS|<code>-sS</code>]] || TCP SYN scan (stealth mode) | ||
|- | |- | ||
| [[#ex-sT|<code>-sT</code>]] || TCP connect scan (full handshake) | | [[#ex-sT|<code>-sT</code>]] || TCP connect scan (full TCP handshake) | ||
|- | |||
| [[#ex-sU|<code>-sU</code>]] || UDP scan | |||
|- | |- | ||
| [[#ex- | | [[#ex-sN|<code>-sN</code>]] || TCP NULL scan (no flags set) | ||
|- | |- | ||
| [[#ex- | | [[#ex-sF|<code>-sF</code>]] || TCP FIN scan (bypasses some firewalls) | ||
|- | |- | ||
| [[#ex- | | [[#ex-sX|<code>-sX</code>]] || Xmas scan (sets FIN, PSH, URG flags) | ||
| | |- | ||
| [[#ex-sA|<code>-sA</code>]] || ACK scan (used to map firewall rules) | |||
|- | |||
| [[#ex-sW|<code>-sW</code>]] || Window scan (analyzes TCP window size) | |||
|- | |- | ||
| [[#ex- | | [[#ex-sM|<code>-sM</code>]] || TCP Maimon scan (obscure IDS evasion) | ||
|- | |- | ||
| [[#ex- | | [[#ex-sL|<code>-sL</code>]] || List scan (lists targets without scanning) | ||
|- | |- | ||
| [[#ex- | | [[#ex-sn|<code>-sn</code>]] || Ping scan (host discovery only; replaces <code>-sP</code>) | ||
|- | |- | ||
| <code>- | | [[#ex-sY|<code>-sY</code>]] || SCTP INIT scan (SCTP equivalent of TCP SYN) | ||
|- | |- | ||
| <code>- | | [[#ex-sZ|<code>-sZ</code>]] || SCTP COOKIE-ECHO scan | ||
|- | |- | ||
| <code>- | | [[#ex-sO|<code>-sO</code>]] || IP protocol scan (scans for supported protocols) | ||
|- | |- | ||
| <code>- | | [[#ex-sI|<code>-sI</code>]] || Idle scan (ultra-stealth scan using zombie host) | ||
|} | |} | ||
== Options == | |||
These parameters modify the behavior of the scan (timing, output, verbosity, detection methods, etc.). | |||
=== Detection & Enumeration === | === Detection & Enumeration === | ||
| Line 70: | Line 82: | ||
|- | |- | ||
| [[#ex-oX|<code>-oX [FILE]</code>]] || Save output in XML format | | [[#ex-oX|<code>-oX [FILE]</code>]] || Save output in XML format | ||
|- | |- | ||
| <code>-v</code> || Increase verbosity (can be stacked: <code>-vv</code>, <code>-vvv</code>) | | <code>-v</code> || Increase verbosity (can be stacked: <code>-vv</code>, <code>-vvv</code>) | ||
| Line 78: | Line 89: | ||
| <code>--open</code> || Show only open (or relevant) ports | | <code>--open</code> || Show only open (or relevant) ports | ||
|} | |} | ||
== Target Specification == | |||
These options control '''who''' you're scanning and '''how''' they're discovered or selected. | |||
=== Host Discovery & Targeting === | |||
{| class="wikitable" | |||
! Option !! Description | |||
|- | |||
| [[#ex-Pn|<code>-Pn</code>]] || Treat all hosts as online (skip ping) | |||
|- | |||
| [[#ex-p|<code>-p [PORT]</code>]] || Specify port(s) to scan | |||
|- | |||
| [[#ex-iL|<code>-iL [FILE]</code>]] || Input list of hosts from file | |||
|- | |||
| <code>-6</code> || Use IPv6 addresses | |||
|- | |||
| <code>-n</code> || Do not resolve hostnames (skip DNS resolution) | |||
|- | |||
| <code>--exclude [HOST]</code> || Exclude specific host(s) from the scan | |||
|- | |||
| <code>--excludefile [FILE]</code> || Exclude hosts listed in a file | |||
|} | |||
== Examples == | == Examples == | ||
Revision as of 06:03, 15 June 2025
Nmap
Nmap (Network Mapper) is an open‑source utility for network discovery, security auditing, and host fingerprinting. It is one of the most widely used tools in active reconnaissance, offering port scanning, OS detection, service versioning, and a powerful scripting interface (Nmap Scripting Engine – NSE).
Common Options
Syntax
nmap [Scan Type(s)] [Options] <target specification>Nmap commands are structured into three key components: **Scan Type(s)**, **Options**, and **Target Specification**. Each part plays a distinct role in how the scan behaves and what it attempts to discover.
Scan Type(s)
These flags define *how* Nmap interacts with the target (e.g., TCP, UDP, stealth, protocol-level scans):
| Option | Description |
|---|---|
-sS |
TCP SYN scan (stealth mode) |
-sT |
TCP connect scan (full TCP handshake) |
-sU |
UDP scan |
-sN |
TCP NULL scan (no flags set) |
-sF |
TCP FIN scan (bypasses some firewalls) |
-sX |
Xmas scan (sets FIN, PSH, URG flags) |
-sA |
ACK scan (used to map firewall rules) |
-sW |
Window scan (analyzes TCP window size) |
-sM |
TCP Maimon scan (obscure IDS evasion) |
-sL |
List scan (lists targets without scanning) |
-sn |
Ping scan (host discovery only; replaces -sP)
|
-sY |
SCTP INIT scan (SCTP equivalent of TCP SYN) |
-sZ |
SCTP COOKIE-ECHO scan |
-sO |
IP protocol scan (scans for supported protocols) |
-sI |
Idle scan (ultra-stealth scan using zombie host) |
Options
These parameters modify the behavior of the scan (timing, output, verbosity, detection methods, etc.).
Detection & Enumeration
| Option | Description |
|---|---|
-sV |
Detect service versions |
-O |
Enable OS detection |
-A |
Aggressive scan: OS detection, version, script scan, traceroute |
--script [NAME] |
Run specific NSE script(s) |
--version-all |
Try every version detection method (used with -sV)
|
--osscan-guess |
Guess OS more aggressively when uncertain |
Performance & Output
| Option | Description |
|---|---|
-T[0‒5] |
Timing template (T0 = slow, T5 = fast) |
-d |
Enable debugging output |
-oN [FILE] |
Save output in normal format |
-oX [FILE] |
Save output in XML format |
-v |
Increase verbosity (can be stacked: -vv, -vvv)
|
--reason |
Show the reason each port is in its state (e.g. response flags) |
--open |
Show only open (or relevant) ports |
Target Specification
These options control who you're scanning and how they're discovered or selected.
Host Discovery & Targeting
| Option | Description |
|---|---|
-Pn |
Treat all hosts as online (skip ping) |
-p [PORT] |
Specify port(s) to scan |
-iL [FILE] |
Input list of hosts from file |
-6 |
Use IPv6 addresses |
-n |
Do not resolve hostnames (skip DNS resolution) |
--exclude [HOST] |
Exclude specific host(s) from the scan |
--excludefile [FILE] |
Exclude hosts listed in a file |
Examples
SYN Scan
nmap -sS 192.168.1.1Full Insight Scan
nmap -A -T4 -p- -sC -sV -O -Pn 192.168.1.10# -A: enable all scans, -T4: faster timing, -p-: all ports, -sC: default scripts, -sV: service versions, -O: OS detect, -Pn: no ping
↑ Options
TCP Connect Scan
nmap -sT 192.168.1.1UDP Scan
nmap -sU 192.168.1.1Ping Scan
nmap -sP 192.168.1.0/24Skip Host Discovery
nmap -Pn 192.168.1.100Scan Specific Ports
nmap -p 22,80 192.168.1.1Aggressive Scan
nmap -A 10.0.0.1OS Detection Only
nmap -O 10.0.0.1Fast Timing Template
nmap -T5 example.comRun NSE Script
nmap --script default example.comScan From File
nmap -iL targets.txtSave Output (Normal)
nmap -oN output.txt 192.168.1.1Save Output (XML)
nmap -oX output.xml 192.168.1.1List Targets Only
nmap -sL 192.168.1.0/30Debug Mode
nmap -d 192.168.1.1