Eikonal Blog

2010.09.20

Nmap options, switches and uses

There are probably many places containing lists of useful nmap commands. I have found these two large lists quite useful:

Please use these sites directly, and this blog post only as a backup/blended copy.

Basic techniques

  • Scan a Single Target
      # nmap [target]
  • Scan Multiple Targets
      # nmap [target1] [target2] ...
      
  • Scan a List of Targets
      # nmap -iL [list.txt]
      
  • Scan a Range of Hosts
      # nmap [range of ip addresses]
      
  • Scan an Entire Subnet
      # nmap [ip address/cidr]
      
  • Scan Random Hosts
      # nmap -iR [number]
      
  • Excluding Targets from a Scan
      # nmap [targets] --exclude [targets]
      
  • Excluding Targets Using a List
      # nmap [targets] --excludefile [list.txt]
      
  • Perform an Aggressive Scan
      # nmap -A [target]
      
  • Scan an IPv6 Target
      # nmap -6 [target]
      

Discovery Options

  • Perform a Ping Only Scan
      # nmap -sP [target]
      
  • Don't Ping
      # nmap -PN [target]
      
  • TCP SYN Ping
      # nmap -PS [target]
      
  • TCP ACK Ping
      # nmap -PA [target]
      
  • UDP Ping
      # nmap -PU [target]
      
  • SCTP INIT Ping
      # nmap -PY [target]
      
  • ICMP Echo Ping
      # nmap -PE [target]
      
  • ICMP Timestamp Ping
      # nmap -PP [target]
      
  • ICMP Address Mask Ping
      # nmap -PM [target]
      
  • IP Protocol Ping
      # nmap -PO [target]
      
  • ARP Ping
      # nmap -PR [target]
      
  • Traceroute
      # nmap --traceroute [target]
      
  • Force Reverse DNS Resolution
      # nmap -R [target]
      
  • Disable Reverse DNS Resolution
      # nmap -n [target]
      
  • Alternative DNS Lookup
      # nmap --system-dns [target]
      
  • Manually Specify DNS Server(s)
      # nmap --dns-servers [servers] [target]
      
  • Create a Host List
      # nmap -sL [targets]
      

Advanced Scanning Functions

  • TCP SYN Scan
      # nmap -sS [target]
      
  • TCP Connect Scan
      # nmap -sT [target]
      
  • UDP Scan
      # nmap -sU [target]
      
  • TCP NULL Scan
      # nmap -sN [target]
      
  • TCP FIN Scan
      # nmap -sF [target]
      
  • Xmas Scan
      # nmap -sX [target]
      
  • TCP ACK Scan
      # nmap -sA [target]
      
  • Custom TCP Scan
      # nmap --scanflags [flags] [target]
      
  • IP Protocol Scan
      # nmap -sO [target]
      
  • Send Raw Ethernet Packets
      # nmap --send-eth [target]
      
  • Send IP Packets
      # nmap --send-ip [target]
      
  • TCP Connect scanning for localhost and network 192.168.0.0/24:
      # nmap -v -sT localhost
      # nmap -v -sT 192.168.0.0/24
      
  • nmap TCP SYN (half-open) scanning:
      # nmap -v -sS localhost
      # nmap -v -sS 192.168.0.0/24
      
  • nmap TCP FIN scanning:
      # nmap -v -sF localhost
      # nmap -v -sF 192.168.0.0/24
      
  • nmap TCP Xmas tree scanning:
      # nmap -v -sX localhost
      # nmap -v -sX 192.168.0.0/24
      

    Useful to see whether the firewall protects against this kind of scan or not.

  • nmap TCP Null scanning:
      # nmap -v -sN localhost
      # nmap -v -sN 192.168.0.0/24
      

    Useful to see whether the firewall protects against this kind of scan or not.

  • nmap TCP Window scanning:
      # nmap -v -sW localhost
      # nmap -v -sW 192.168.0.0/24
      
  • nmap TCP RPC scanning:
      # nmap -v -sR localhost
      # nmap -v -sR 192.168.0.0/24
      

    Useful to find out RPC (such as portmap) services.

  • nmap UDP scanning:
      # nmap -v -sU localhost
      # nmap -v -sU 192.168.0.0/24
      

    Useful to find open UDP ports.

  • nmap remote software version scanning:
      # nmap -v -sV localhost
      # nmap -v -sV 192.168.0.0/24
      

    You can also find out which software (and which version of it) is listening on each open port.

Port Scanning Options

  • Perform a Fast Scan
      # nmap -F [target]
      
  • Scan Specific Ports
      # nmap -p [port(s)] [target]
      
  • Scan Ports by Name
      # nmap -p [port name(s)] [target]
      
  • Scan Ports by Protocol
      # nmap -sU -sT -p U:[ports],T:[ports] [target]
      
  • Scan All Ports
      # nmap -p "*" [target]
      
  • Scan Top Ports
      # nmap --top-ports [number] [target]
      
  • Perform a Sequential Port Scan
      # nmap -r [target]
      

Version Detection

  • Operating System Detection
      # nmap -O [target]
      
  • Submit TCP/IP Fingerprints
      # www.nmap.org/submit/
      
  • Attempt to Guess an Unknown OS
      # nmap -O --osscan-guess [target]
      
  • Service Version Detection
      # nmap -sV  [target]
      
  • Troubleshooting Version Scans
      # nmap -sV --version-trace [target]
      
  • Perform a RPC Scan
      # nmap -sR [target]
      

Timing Options

  • Timing Templates
      # nmap -T[0-5] [target]
      
  • Set the Packet TTL
      # nmap --ttl [time] [target]
      
  • Minimum # of Parallel Operations
      # nmap --min-parallelism [number] [target]
      
  • Maximum # of Parallel Operations
      # nmap --max-parallelism [number] [target]
      
  • Minimum Host Group Size
      # nmap --min-hostgroup [number] [targets]
      
  • Maximum Host Group Size
      # nmap --max-hostgroup [number] [targets]
      
  • Initial RTT Timeout
      # nmap --initial-rtt-timeout [time] [target]
      
  • Maximum RTT Timeout
      # nmap --max-rtt-timeout [time] [target]
      
  • Maximum Retries
      # nmap --max-retries [number] [target]
      
  • Host Timeout
      # nmap --host-timeout [time] [target]
      
  • Minimum Scan Delay
      # nmap --scan-delay [time] [target]
      
  • Maximum Scan Delay
      # nmap --max-scan-delay [time] [target]
      
  • Minimum Packet Rate
      # nmap --min-rate [number] [target]
      
  • Maximum Packet Rate
      # nmap --max-rate [number] [target]
      
  • Defeat Reset Rate Limits
      # nmap --defeat-rst-ratelimit [target]
      

Firewall Evasion Techniques

  • Fragment Packets
      # nmap -f [target]
      
  • Specify a Specific MTU
      # nmap --mtu [MTU] [target]
      
  • Use a Decoy
      # nmap -D RND:[number] [target]
      
  • Idle Zombie Scan
      # nmap -sI [zombie] [target]
      
  • Manually Specify a Source Port
      # nmap --source-port [port] [target]
      
  • Append Random Data
      # nmap --data-length [size] [target]
      
  • Randomize Target Scan Order
      # nmap --randomize-hosts [target]
      
  • Spoof MAC Address
      # nmap --spoof-mac [MAC|0|vendor] [target]
      
  • Send Bad Checksums
      # nmap --badsum [target]
      

Output Options

  • Save Output to a Text File
      # nmap -oN [scan.txt] [target]
      
  • Save Output to a XML File
      # nmap -oX [scan.xml] [target]
      
  • Grepable Output
      # nmap -oG [scan.txt] [targets]
      
  • Output All Supported File Types
      # nmap -oA [path/filename] [target]
      
  • Periodically Display Statistics
      # nmap --stats-every [time] [target]
      
  • 133t Output
      # nmap -oS [scan.txt] [target]
      

Troubleshooting and Debugging

  • Getting Help
      # nmap -h
      
  • Display Nmap Version
      # nmap -V
      
  • Verbose Output
      # nmap -v [target]
      
  • Debugging
      # nmap -d [target]
      
  • Display Port State Reason
      # nmap --reason [target]
      
  • Only Display Open Ports
      # nmap --open [target]
      
  • Trace Packets
      # nmap --packet-trace [target]
      
  • Display Host Networking
      # nmap --iflist
      
  • Specify a Network Interface
      # nmap -e [interface] [target]
      

Nmap Scripting Engine

  • Execute Individual Scripts
      # nmap --script [script.nse] [target]
      
  • Execute Multiple Scripts
      # nmap --script [expression] [target]
      
  • Script Categories
      # all, auth, default, discovery, external, intrusive, malware, safe, vuln
      
  • Execute Scripts by Category
      # nmap --script [category] [target]
      
  • Execute Multiple Script Categories
      # nmap --script [category1,category2,...] [target]
      
  • Troubleshoot Scripts
      # nmap --script [script] --script-trace [target]
      
  • Update the Script Database
      # nmap --script-updatedb
      

Ndiff

  • Comparison Using Ndiff
      # ndiff [scan1.xml] [scan2.xml]
      
  • Ndiff Verbose Mode
      # ndiff -v [scan1.xml] [scan2.xml]
      
  • XML Output Mode
      # ndiff --xml [scan1.xml] [scan2.xml]
      
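As an added example (not code from the original post or from the nmap project), the following Python script does the core of what Ndiff does for the XML output described above: it parses two nmap -oX reports and lists which ports became open or stopped being open between runs, which is the check a defender wants when watching a subnet for unexpectedly exposed services. Both XML reports are constructed samples, not real scan data.

```python
import xml.etree.ElementTree as ET

# Constructed baseline report (shape of `nmap -oX`): host with ssh and http open.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed later report: 80 is now closed, 3389 is newly open, a second host is down.
LATER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.0.11" addrtype="ipv4"/></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {(addr, protocol, port): service_name} for every open port on every host that is up."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue  # down hosts report no ports; skip them rather than treating ports as closed
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                key = (addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))
                result[key] = svc.get("name", "") if svc is not None else ""
    return result


def diff_scans(before_xml, after_xml):
    """Return (newly_open, no_longer_open), each a sorted list of (addr, protocol, port)."""
    before, after = open_ports(before_xml), open_ports(after_xml)
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


if __name__ == "__main__":
    newly_open, no_longer_open = diff_scans(BASELINE_XML, LATER_XML)
    for entry in newly_open:
        print("NEW OPEN:", entry)       # 3389/tcp appearing is what should trigger a review
    for entry in no_longer_open:
        print("NO LONGER OPEN:", entry)
```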

See also: https://eikonal.wordpress.com/2010/01/29/vulnerability-assessment-tools/ at this blog.


2 Comments »

  1. […] HERE (=at this blog): Nmap options, switches and uses – https://eikonal.wordpress.com/2010/09/20/nmap-options-swtiches-and-uses/ […]


    Pingback by Vulnerability Assessment tools « Eikonal Blog — 2010.09.20 @ 10:51

  2. […] Nmap options, switches and uses – https://eikonal.wordpress.com/2010/09/20/nmap-options-swtiches-and-uses/ […]


    Pingback by Unix pages (at this blog) « Eikonal Blog — 2011.04.04 @ 15:46
