Nmap favorites
Scanning techniques
-sV
instructs Nmap to send requests to the open ports on the target host in order to determine the specific application or service running on each port, as well as its version number.
-oN
saves the scan results in a human-readable format to the specified filename.
-sP
performs a ping sweep on a subnet for host discovery. It will discover hosts only on port 80 (http), sending a packet with the ACK flag set. This works only against very poor firewall rules, where the firewall acts as a router and passes the traffic on to the destination.
-PS
is a host discovery switch that sends an empty TCP packet with the SYN flag set to HTTP destination port 80. Another port can be specified, e.g. -PS22. The SYN flag suggests to the remote system that you are attempting to establish a connection. If the port is closed, a RST packet is sent back. If the port is open, the target sends a SYN/ACK TCP packet. The kernel of the machine running Nmap then responds with a RST rather than the ACK that would complete the three-way handshake and establish a full connection; that RST is sent by the kernel in response to the unexpected SYN/ACK, not by Nmap itself.
-A
indicates an aggressive scan and enables OS detection, version detection, script scanning and traceroute.
-T4
instructs Nmap to perform a quick scan of the target network. This switch forces Nmap to use a shorter timeout period so that it quickly moves on to the next port or host if there is no response. Using -T4 can speed up the scan, but it may also produce less accurate results. It is important to test and adjust the timing and aggression levels of your scans to make sure you get the information you need while avoiding detection and potential network disruption.
-sS
performs a TCP SYN scan to identify open ports and filter out closed or filtered ones. This is faster and stealthier than other scan types because it never completes a full connection to the target host.
-O
initiates OS detection.
-v
runs the scan in verbose mode.
-p-
scans all 65,535 TCP ports; without this switch, Nmap only scans the top 1000 ports.
-F
performs a fast, light scan that only targets the 100 most common ports.
-n
disables DNS resolution.
-sL <IP/Range>
lists all IPs of a given range without scanning them. This can be useful to remove the out-of-scope hosts. The following command is useful when you want to cut the output to show only part of it. The following example takes the 5th field and saves the result to a file.
nmap -iL scan.txt -vvvv
scans the hosts from the list scan.txt in very very very verbose mode. The -vvvv option increases the verbosity level to maximum, providing detailed information about the scanning process.
Firewall evasion
-f
instructs Nmap to fragment the IP packets in order to bypass firewall filters that may block large packets. When this switch is enabled, Nmap sends IP packets smaller than the maximum allowable packet size, which makes it harder for firewall filters to detect scanning activity.
-sI
lets you perform a Zombie scan using any of the live IPs obtained during the host discovery phase. This lets you spoof the source IP address to pretend to be another host on the network. In this example, we are pretending to be 10.10.1.22 when scanning 10.10.1.11.
-g
permits you to specify the source port (e.g. -g 53) from which you would like to initiate the scan. This is useful when the firewall rule is configured so that only traffic originating from a specific port is allowed.
Vulnerability scanning
--script=*vuln*
allows you to use the built-in Nmap scripts whose names match 'vuln' in order to detect vulnerabilities on a host.
Other nmap switches
Explanation:
grep -v Nmap
: Filters out lines containing 'Nmap' from the output, making it easier to focus on the lines of interest.
-Pn
: Assumes hosts are up without pinging them, useful when the default ping ports 443 (HTTPS) and 80 (HTTP) are blocked.
--open
: Displays only the ports that are open, reducing clutter from closed or filtered ports.
--script=*vuln*
: Runs every script with 'vuln' in its name to check for vulnerabilities, leveraging a wide range of available tests.
-oA scan1 --webxml
: Saves the output in all formats (normal, grepable and XML) under the basename scan1 for broad analysis; --webxml makes the XML readable in a web browser.
-PS -PA -PU
: Uses SYN, ACK and UDP ping probes to improve host discovery, crucial for detecting devices that don't respond to conventional methods.
--max-retries 1
: Minimizes scan duration by probing unresponsive ports only once, useful in time
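The stages above (listing a range with -sL, feeding the result back with -iL, and reading the grepable output that -oA writes with only the open ports kept, as --open does) can be chained with a small script. The script below is an added example, not part of the original page; the Nmap output lines, the addresses and the file names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: post-process the -sL and -oG
# output of the scan stages described above. All sample output is constructed.
set -eu

# Constructed: what `nmap -n -sL 10.10.1.8/29` prints, one line per address.
SL_OUTPUT='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.10.1.9
Nmap scan report for 10.10.1.10
Nmap scan report for 10.10.1.11
Nmap scan report for 10.10.1.12
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.01 seconds'

# Constructed: grepable (-oG / -oA .gnmap) lines from an -sS -sV scan of one host.
# Each Ports entry is port/state/proto/owner/service/rpc/version/
OG_OUTPUT=$(printf '%s\t%s\n%s\t%s\t%s\n' \
    'Host: 10.10.1.11 ()' 'Status: Up' \
    'Host: 10.10.1.11 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/filtered/tcp//https///' \
    'Ignored State: closed (997)')

# $1: -sL output; $2: comma-separated out-of-scope IPs to drop.
# Field 5 of "Nmap scan report for <ip>" is the address.
list_targets() {
    printf '%s\n' "$1" | awk -v ex="$2" '
        BEGIN { n = split(ex, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /^Nmap scan report for / { if (!($5 in skip)) print $5 }'
}

# $1: -oG output. Prints "ip port proto service version" for open ports only,
# the same filtering --open applies at scan time.
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host: / && $2 ~ /^Ports: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            ports = $2; sub(/^Ports: /, "", ports)
            n = split(ports, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open") print ip, f[1], f[3], f[5], f[7]
            }
        }'
}

# With real scans: nmap -n -sL <range> > list.txt; list_targets "$(cat list.txt)"
# "<out-of-scope IPs>" > scope.txt; nmap -iL scope.txt -sS -sV -oG scan1.gnmap
list_targets "$SL_OUTPUT" "10.10.1.10,10.10.1.12"
open_ports "$OG_OUTPUT"
```

Run without -n, -sL prints "Nmap scan report for hostname (ip)" and field 5 becomes the hostname, so keep -n when the IP is what you want in scope.txt.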