General

filtered = nmap can't tell if open or closed (probe dropped, usually by a firewall; no reply or ICMP unreachable)

up arrow (any key) while a scan is running prints a status/progress line

nmap <args> <ip_address>

# default: top 1000 ports
-F # fast (top 100 ports)
-p # ports
-p- # all ports
--top-ports X # X top ports
--open # only open

-s<X> # scan type
-sS # stealth - SYN scan (half-open, default as root)
-sX # XMAS - rst if closed, nothing if open (reported open|filtered)
-sF # FIN - rst if closed, nothing if open (reported open|filtered)
-sN # NULL - rst if closed, nothing if open (reported open|filtered)
-sA # ACK - test if there is a firewall (no firewall = rst -> unfiltered, firewall = no response -> filtered)
-sU # UDP (slow; no reply = open|filtered)

--script ipidseq <ip/24> # to find a zombie - needs "Incremental" IP ID sequence
-sI <zombie_ip> <target_ip> # idle scan via the zombie

-Pn # skip host discovery, treat every host as up (no ping)

-A # aggressive; lots of stuff inc OS; very noisy
-sV # software/service version
-O # operating system

-vvv # (very) (very) verbose
-n # only ips not names

--reason # why nmap says something

-iL iplist.txt # targets from list

-oG <file> # greppable output, one line per host
-oX output.xml # XML output
-oA <basename> # all outputs (.nmap, .gnmap, .xml)

Devices on network

$ nmap -sn <ip/24> # ping/ARP discovery only, no port scan ; was -sP
$ nmap -sL <ip/24> # no ping, just list targets (reverse DNS only)
$ nmap -Pn <ip/24> # no ping, no discovery, full port scan of every address
# -sn on a local subnet also shows MAC address and vendor; hostnames need reverse DNS (omit -n)

| grep "Nmap scan" | cut -d" " -f5 > iplist.txt # find and save; field 5 is the hostname, not the IP, when reverse DNS resolves (use -n)

# only up IPs
$ nmap -n -sn <ip/24> -oG - | awk '/Up$/{print $2}'
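The two one-liners above extract live hosts from nmap's normal and greppable output. As an added example (not from the original notes), the Python below does the same parsing over constructed sample output and shows the pitfall noted for `cut -f5`: when reverse DNS resolves, the "Nmap scan report for" line reads `name (ip)`, so the naive field split returns the name. The sample text, hostnames and addresses are all made up for illustration.

```python
import re

# Constructed sample of `nmap -n -sn -oG -` greppable output (not real scan data).
# Down hosts only appear in greppable output when -v is given.
GNMAP_SAMPLE = """# Nmap 7.94 scan initiated as: nmap -n -sn -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Down
Host: 10.0.0.5 ()\tStatus: Up
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds
"""

# Constructed sample of normal (-oN / stdout) output for `nmap -sn` without -n,
# so one host came back with a reverse DNS name.
NORMAL_SAMPLE = """Starting Nmap 7.94
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for router.lan (10.0.0.5)
Host is up (0.0020s latency).
Nmap done: 8 IP addresses (2 hosts up) scanned in 1.23 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
_REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip_paren>\d+\.\d+\.\d+\.\d+)\)|(?P<ip>\S+))$"
)


def up_hosts_gnmap(text):
    """IPs of hosts with 'Status: Up' in greppable output (what the awk one-liner does)."""
    hosts = []
    for line in text.splitlines():
        if line.startswith("Host:") and line.rstrip().endswith("Status: Up"):
            hosts.append(line.split()[1])  # $2 in awk terms
    return hosts


def up_hosts_normal(text):
    """IPs from 'Nmap scan report for' lines, handling the 'name (ip)' form."""
    hosts = []
    for line in text.splitlines():
        m = _REPORT_RE.match(line)
        if m:
            hosts.append(m.group("ip_paren") or m.group("ip"))
    return hosts


def naive_field5(text):
    """Equivalent of `grep "Nmap scan" | cut -d" " -f5`: returns the name, not the IP, for resolved hosts."""
    return [line.split(" ")[4] for line in text.splitlines() if "Nmap scan" in line]


def write_iplist(hosts, path):
    """Save one IP per line for a later `nmap -iL <path>` port scan."""
    with open(path, "w") as fh:
        fh.write("\n".join(hosts) + "\n")
    return path


if __name__ == "__main__":
    print("greppable:", up_hosts_gnmap(GNMAP_SAMPLE))
    print("normal:   ", up_hosts_normal(NORMAL_SAMPLE))
    print("cut -f5:  ", naive_field5(NORMAL_SAMPLE))
```

Use `-oG -` plus `-n` for a host list that feeds `-iL` cleanly; the normal-output parser is only needed when a scan was saved without `-n`.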

Scripts

-sV # check ports before to ensure port matches service

-sC # default scripts for those ports

ls /usr/share/nmap/scripts
# or
locate *.nse
# pipe either into grep <keyword> to find a script

--script-help <script-name>

--script=<name|category|dir|wildcard> # comma-separated; e.g. --script=vuln or --script="smb-*"

# common scripts
vuln
*-brute.nse
*-info.nse
dns-recursion
dns-zone-transfer
http-slowloris-check
ms-sql-info
ms-sql-dump-hashes
nbstat
smb-enum-users
smb-enum-shares
ssl-enum-ciphers -p 443
http-enum

--traceroute --script traceroute-geolocation.nse

Timing and IDS/IPS

More aggressive = more errors (dropped probes, ports missed)

-f # fragmentation - small packets - not available for all scan types (raw packet scans only)
--source-port 80 # or -g; source port some filters trust
--randomize-hosts # scan targets in random order
-S <ip> # spoof source address (needs -e <iface>; replies go to the spoofed host)
--badsum # bogus TCP/UDP checksums; real hosts drop them, so any reply comes from a firewall/IDS

-T0..5 # paranoid, sneaky, polite, normal (default), aggressive, insane

--max-retries <num>
--host-timeout <num><time-unit> # max time per host (e.g. 30m)
--scan-delay <num><time-unit> # time between probes (e.g. 1s)
--[min/max]-parallelism <num> # probes in flight; 10 is good
--[min/max]-hostgroup <num> # hosts scanned at once, for IP ranges
--[min/max]-rate <num> # packets per second

# RustScan
--min-rate 4500 --max-rtt-timeout 1500ms

# Other super-aggressive
--max-retries 0 --min-parallelism 50000


Webmap

SabyasachiRana/WebMap

mkdir /tmp/webmap
docker run -d \
         --name webmap \
         -h webmap \
         -p 8000:8000 \
         -v /tmp/webmap:/opt/xml \
         reborntc/webmap
# now you can run Nmap and save the XML report in /tmp/webmap
nmap -sT -A -T4 -oX /tmp/webmap/myscan.xml 192.168.1.0/24
# go to http://localhost:8000/
docker stop webmap

See also

Unicornscan