Nmap

From Omnia
Revision as of 22:25, 29 January 2019 by Kenneth (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

nmap

# Syn Scan (defaults to SYN Scan if root, Connect Scan if not. See below)
nmap <ip>
# SYN Scan (default scan type if logged in as root)
nmap -sS <ip>
# "SYN ->"  "SYN/ACK <-"  "RST ->"
# No port scan (ping only) a list of IPs
nmap -iL list.txt -sn

# TCP Connect Scan (only scan you can do without root privileges)
nmap -sT <ip>
# "SYN ->"  "SYN/ACK <-"  "ACK ->"
# List Scan does a reverse DNS lookup on a range to find hosts
nmap -sL 66.35.250.150-160
# Ping Scan does a quick ping to each box, and nothing more
nmap -sP 10.0.0.0-255
# Nmap 3.75 help example:
namp -v -sS -) www.my.com 192.168.0.0/16 '192.88-90.*.*'
# Nmap 4.11 help examples:
nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -P0 -p 80

Nmap files can be found here (such as nmap-services):

/usr/share/nmap/

You can use --datadir flag to point Nmap to alternate support files.

Target Specification

All of these formats will scan the same class B network:

Wildcards: 192.168.*.*
Range: 192.168.0-255.0-255
Mask Notation: 192.168.0.0/16

Common Options

-sS TCP SYN Scan
-sT TCP connect() scan
-sU UDP port scans (not very reliable)
-v Verbose output
-vv Very verbose output
-O Detect Operating system (TCP/IP fingerprinting)
-sV Service version detection
-P0 Don't ping, just scan
-A Agressive: same thing as -O -sV
-T Scan timing
-p Choose ports to be scanned
-F Fast Scan: only scan ports in nmap-services file
-n Don't do reverse DNS lookup (increase scan speed)

nmap References

Auditor CD?