Tools · February 9, 2026 · 2 min read · by 0xt0pus

Nmap

Network scanner for port discovery, service detection, OS fingerprinting, and script scanning


Description

Nmap is a network scanning tool used for port scanning, service version detection, OS fingerprinting, and script scanning. It is used during the reconnaissance and enumeration phase of penetration testing.

Usage 1: All Ports Scan

Scan all 65535 TCP ports at a high packet rate and save normal-format output to AllPorts.txt.

Command:

nmap -p- --min-rate 2500 -T4 -oN AllPorts.txt $ip

Usage 2: Service Version and Script Scan

Run the default NSE scripts (-sC) and service version detection (-sV) against specific ports.

Command:

nmap -sC -sV -oN ServiceVersion.txt -p PORTS $ip

Usage 3: SYN Scan (Default)

SYN scans are faster because fewer packets are sent per port. If a TCP port is open, the target replies with a SYN-ACK; the scanner does not send the final ACK, so the three-way handshake is never completed. This scan type needs raw socket privileges, hence sudo.

Command:

sudo nmap -sS 192.168.50.149

Usage 4: TCP Connect Scan

When the user running Nmap does not have raw socket privileges, Nmap defaults to a TCP connect scan. The three-way handshake is completed for every port, so the scan takes longer.

Command:

nmap -sT 192.168.50.149
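The difference between the two scan types above is visible on the wire: a half-open probe is SYN, SYN-ACK, RST, while a connect scan finishes the handshake with an ACK. The following classifier is an added example (not code from the original page) that runs over constructed packet records, tells the two patterns apart, and flags a source that has touched many ports. The addresses 10.0.0.5 and 10.0.0.9 and all flag sequences are constructed; 192.168.50.149 is the target address used on the page.

```python
"""Tell SYN (half-open) probes from full TCP connects in connection records.

Added example, not code from the original page. The packet records are
constructed by hand to mirror the handshake behaviour the page describes
for -sS (SYN, SYN-ACK, then RST from the scanner) and -sT (SYN, SYN-ACK,
ACK), plus a closed port (SYN answered by RST-ACK) and a filtered port.
"""
from collections import Counter, defaultdict

SCANNER = "10.0.0.5"          # constructed: host running the port scan
CLIENT = "10.0.0.9"           # constructed: host making one normal connection
TARGET = "192.168.50.149"     # the target address used on the page


def pkt(src, sport, dst, dport, flags):
    """One TCP packet as a dict; flags use S=SYN, A=ACK, R=RST, F=FIN."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


PACKETS = [
    # 22/tcp open, half-open probe: the scanner answers the SYN-ACK with RST
    pkt(SCANNER, 40001, TARGET, 22, "S"),
    pkt(TARGET, 22, SCANNER, 40001, "SA"),
    pkt(SCANNER, 40001, TARGET, 22, "R"),
    # 80/tcp open, same half-open pattern
    pkt(SCANNER, 40002, TARGET, 80, "S"),
    pkt(TARGET, 80, SCANNER, 40002, "SA"),
    pkt(SCANNER, 40002, TARGET, 80, "R"),
    # 23/tcp closed: the SYN is answered with RST-ACK
    pkt(SCANNER, 40003, TARGET, 23, "S"),
    pkt(TARGET, 23, SCANNER, 40003, "RA"),
    # 8080/tcp filtered: no reply at all
    pkt(SCANNER, 40004, TARGET, 8080, "S"),
    # an ordinary client completing the three-way handshake to 443/tcp
    pkt(CLIENT, 51000, TARGET, 443, "S"),
    pkt(TARGET, 443, CLIENT, 51000, "SA"),
    pkt(CLIENT, 51000, TARGET, 443, "A"),
]


def _group_flows(packets):
    """Group packets by (client, client_port, server, server_port).

    The first packet seen for a 4-tuple is taken to come from the client;
    packets for the reversed tuple are tagged as the server's replies.
    """
    flows = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if rev in flows:
            flows[rev].append(("server", p["flags"]))
        else:
            flows.setdefault(fwd, []).append(("client", p["flags"]))
    return flows


def classify(seq):
    """Classify one flow's (direction, flags) sequence."""
    replies = [f for d, f in seq if d == "server"]
    if not replies:
        return "no_response"          # filtered port, or host down
    if "R" in replies[0]:
        return "closed"               # RST in answer to the SYN
    if replies[0] != "SA":
        return "unknown"
    # Port is open: what did the client send after the SYN-ACK?
    after = [f for d, f in seq[seq.index(("server", "SA")) + 1:] if d == "client"]
    if not after:
        return "incomplete"
    return "half_open" if "R" in after[0] else "full_connect"


def classify_flows(packets):
    """Map every flow 4-tuple to its outcome."""
    return {key: classify(seq) for key, seq in _group_flows(packets).items()}


def summarize(packets):
    """Per source address, count how each of its flows ended."""
    per_src = defaultdict(Counter)
    for (client, _, _, _), outcome in classify_flows(packets).items():
        per_src[client][outcome] += 1
    return {src: dict(c) for src, c in per_src.items()}


def suspected_scanners(packets, min_ports=3):
    """Sources that probed at least min_ports distinct (host, port) pairs."""
    touched = defaultdict(set)
    for client, _, server, port in classify_flows(packets):
        touched[client].add((server, port))
    return sorted(src for src, ports in touched.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for src, counts in summarize(PACKETS).items():
        print(src, counts)
    print("suspected scanners:", suspected_scanners(PACKETS))
```

The point for a defender is where each scan type leaves evidence: a half-open probe never completes the handshake, so the listening application on the target never accepts a connection and writes nothing to its logs, and the scan is only visible at the network layer (a firewall, flow records or an IDS). A connect scan does reach the application, so its access logs show a burst of connections that open and close without a request. The min_ports threshold is a placeholder heuristic; a production detector would also window by time and weight the closed and no-response outcomes.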

Usage 5: UDP Scan

Some services run on UDP. UDP scans are slower and more difficult to conduct than TCP scans.

Command:

sudo nmap -sU 192.168.50.149

Usage 6: Combined UDP and SYN Scan

The UDP scan can be used in conjunction with a TCP SYN scan to build a more complete picture of the target.

Command:

sudo nmap -sU -sS 192.168.50.149

Usage 7: Host Discovery (Ping Sweep)

Discover live hosts on the network.

Command:

nmap -sn 192.168.50.1-253

Command (Save output in greppable format):

nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt

Usage 8: Top 20 Ports Across Network

Scan the top 20 ports across a network range with aggressive detection (-A) and save greppable output.

Command:

nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
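The greppable (-oG) files written in Usage 7 and Usage 8 are meant to be post-processed rather than read by hand. The parser below is an added example (not code from the original page or from the Nmap project) that reads the "Host:" lines of that format, lists live hosts and open ports, builds the comma-separated port list that Usage 2 expects after -p, and compares the result against an expected-services baseline so that anything unexpectedly exposed stands out. The sample output, the hostnames, version strings and the BASELINE dictionary are all constructed.

```python
"""Parse Nmap greppable (-oG) output and compare it with a baseline.

Added example, not part of the original page. SAMPLE_GNMAP is a
constructed excerpt in the -oG layout: one "Host:" line per field group,
fields separated by tabs, and each port entry written as
port/state/protocol/owner/service/rpcinfo/version/.
"""
import re
from dataclasses import dataclass, field

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Feb  9 10:00:00 2026 as: nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
Host: 192.168.50.1 ()\tStatus: Up
Host: 192.168.50.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/closed/tcp//http///\tIgnored State: filtered (18)
Host: 192.168.50.14 ()\tStatus: Up
Host: 192.168.50.14 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (17)
Host: 192.168.50.20 ()\tStatus: Down
# Nmap done at Mon Feb  9 10:02:10 2026 -- 253 IP addresses (2 hosts up) scanned in 130.00 seconds
"""

# Constructed baseline: which TCP ports each host is expected to expose.
BASELINE = {
    "192.168.50.1": {22, 80},
    "192.168.50.14": {22},
}

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


@dataclass
class HostResult:
    ip: str
    hostname: str = ""
    status: str = ""
    # (port, protocol, state, service, version) tuples
    ports: list = field(default_factory=list)


def parse_gnmap(text):
    """Return {ip: HostResult} for every Host: line in -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                       # comment lines start with '#'
        m = HOST_RE.match(line)
        if m is None:
            continue
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, HostResult(ip, name))
        for chunk in line.split("\t")[1:]:
            key, _, value = chunk.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                for entry in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
                    host.ports.append((int(port), proto, state, service, version))
    return hosts


def live_hosts(hosts):
    """Addresses reported as Up, as the Usage 7 ping sweep produces."""
    return sorted(ip for ip, h in hosts.items() if h.status == "Up")


def open_ports(hosts):
    """{ip: [open port numbers]} from the Ports: fields."""
    return {ip: sorted(p for p, _proto, state, _s, _v in h.ports if state == "open")
            for ip, h in hosts.items()}


def port_list(hosts, ip):
    """Comma-separated open ports, the form -p PORTS expects in Usage 2."""
    return ",".join(str(p) for p in open_ports(hosts)[ip])


def unexpected_services(hosts, baseline):
    """Open ports not in the baseline; hosts missing from it are fully flagged."""
    findings = []
    for ip, h in sorted(hosts.items()):
        allowed = baseline.get(ip, set())
        for port, _proto, state, service, _version in sorted(h.ports):
            if state == "open" and port not in allowed:
                findings.append((ip, port, service))
    return findings


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print("up:", live_hosts(parsed))
    for ip in live_hosts(parsed):
        print(ip, "-p", port_list(parsed, ip))
    print("unexpected:", unexpected_services(parsed, BASELINE))
```

Keeping a baseline of expected services per host turns a periodic sweep into a change detector: the diff between two runs, or between a run and the baseline, is what an operations team reviews, not the raw port table. The parser treats the owner and rpcinfo fields as ignorable because they are almost always empty in modern output, and it tolerates hosts that appear on a Status line only (a ping sweep) as well as hosts with a Ports line.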

Usage 9: OS Fingerprinting

Detect the operating system of the target.

Command:

sudo nmap -O 192.168.50.14 --osscan-guess

Usage 10: Aggressive Service and OS Detection

Run aggressive scan with service version, OS detection, and scripts.

Command:

nmap -sT -A 192.168.50.14

Usage 11: NSE Script Scanning

Use NSE scripts for targeted enumeration, for example http-headers or smb-os-discovery.

Command:

nmap --script http-headers 192.168.50.6

Command (SMB OS Discovery):

nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152

Command (Vulnerability Scan):

nmap --script vuln -iL hosts

Command (SMB Enum Shares):

nmap --script smb-enum-shares 192.168.12.36

Command (Shellshock):

nmap --script http-shellshock --script-args uri=/cgi-bin/login.cgi 192.168.23.12 -p 80

Usage 12: Idle Scan (Stealthy)

Stealth scanning using an idle host as a zombie.

Command:

nmap -sI ZOMBIE_IP TARGET_IP

Usage 13: Specific Port Scan with Service Version

Scan specific ports with service version, scripts, and OS detection.

Command:

nmap -p 22,80 10.10.11.20 -sC -sV -O -oN serviceVersion.txt

Usage 14: NFS Enumeration Scripts

Enumerate NFS shares using NSE scripts.

Command:

nmap --script nfs-ls,nfs-showmount,nfs-statfs IP

Usage 15: Scan with Proxychains

Run Nmap through proxychains for pivoting scenarios. Only the TCP connect scan (-sT) works through the proxy, and -Pn and -n skip the ping-based host discovery and DNS resolution that the proxy cannot carry.

Command:

proxychains nmap -sT -Pn -n 10.10.10.5 --top-ports 50