ping my host:
Don't Ping -PN do the port scan without first checking whether the host is up (no ICMP/ping probes are sent)
Perform a Ping Only Scan -sP do host discovery (ping) only, no port scan
TCP SYN Ping -PS (a) you can also specify ports "-PS[port1,port2,..]", default port 80
TCP ACK Ping -PA // (a)
UDP Ping -PU // (a)
SCTP INIT Ping -PY // (a)
ICMP Echo Ping -PE (b) do ping without port scan
ICMP Timestamp Ping -PP // (b)
ICMP Address Mask Ping -PM
IP Protocol Ping -PO sends packets with the specified protocol to the target.
you can specify protocols "-PO[proto1,proto2,..]"
if no argument is given, the default protocols 1 (ICMP), 2 (IGMP) and 4 (IP-in-IP) are used
ARP Ping -PR Available only if the target is on the same LAN
Traceroute --traceroute
Force Reverse DNS Resolution -R
Disable Reverse DNS Resolution -n
Alternative DNS Lookup --system-dns Use host system’s DNS resolver
Manually Specify DNS Server(s) --dns-servers you can specify DNS servers as "--dns-servers [server1,server2,..]"
Create a Host List -sL
scan this then scan that:
TCP SYN Scan -sS default scan type for root
TCP Connect Scan -sT default scan type for non-root users
UDP Scan -sU
TCP NULL Scan -sN
TCP FIN Scan -sF
Xmas Scan -sX
TCP ACK Scan -sA
Custom TCP Scan --scanflags custom scan by manually specifying the TCP flags "--scanflags [flags, ..]"
IP Protocol Scan -sO
Send Raw Ethernet Packets --send-eth automatically implied by Nmap when needed
Send IP Packets --send-ip automatically implied by Nmap when needed
RPC scan -sR displays information about RPC services (if any) running on the target system
TCP scan flags:
SYN Synchronize
ACK Acknowledgment
PSH Push
URG Urgent
RST Reset
FIN Finished
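To show what the NULL/FIN/Xmas/ACK scan types above look like from the receiving side, here is an added Python example (not part of this cheat sheet or of Nmap) that classifies probe packets by their TCP flag set and reports a source that hits several ports with such probes; the "src dport flags" log format and the addresses are constructed for the example.

```python
from collections import defaultdict
# TCP flag bits as laid out in the TCP header (standard values).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# Probe signatures of the scan types listed above, keyed by flag bitmask.
SIGNATURES = {
    0x00: "NULL scan (-sN)",
    0x01: "FIN scan (-sF)",
    0x29: "Xmas scan (-sX)",  # FIN|PSH|URG
    0x02: "SYN scan (-sS) or connect (-sT)",
    0x10: "ACK scan (-sA)",
}

def parse_flags(spec: str) -> int:
    """Turn 'FIN,PSH,URG' into a bitmask; '-' means no flags set."""
    mask = 0
    for name in filter(None, spec.upper().replace("-", "").split(",")):
        if name not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag: {name}")
        mask |= FLAG_BITS[name]
    return mask

def classify(mask: int) -> str:
    """Map a flag bitmask to the nmap scan type that sends exactly those flags."""
    return SIGNATURES.get(mask, "other")

def summarize(log: str) -> dict:
    """{src: {scan_type: distinct destination ports}} from constructed 'src dport flags' lines."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        if line.strip():
            src, dport, spec = line.split()
            seen[src][classify(parse_flags(spec))].add(int(dport))
    return {src: {t: len(p) for t, p in types.items()} for src, types in seen.items()}

def suspects(log: str, min_ports: int = 3) -> list:
    """Sources whose NULL/FIN/Xmas/ACK probes hit >= min_ports distinct ports.
    A SYN is how every normal connection starts, so SYN and 'other' are not flagged."""
    hits = []
    for src, counts in summarize(log).items():
        for scan_type, n in counts.items():
            if scan_type in SIGNATURES.values() and not scan_type.startswith("SYN") and n >= min_ports:
                hits.append((src, scan_type, n))
    return sorted(hits)

# Constructed sample: one host sends Xmas probes to three ports, the rest is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 22 FIN,PSH,URG
10.0.0.5 80 FIN,PSH,URG
10.0.0.5 443 FIN,PSH,URG
10.0.0.7 22 SYN
10.0.0.9 135 -
"""
```

Real capture tools report the flags in their own notation, so only parse_flags needs adapting; the port-count threshold is what separates a scan from a stray malformed segment.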
Tweak a scan:
Perform a Fast Scan -F scan the 100 most commonly used ports
Scan Specific Ports -p [port]
Scan Ports by Name -p [name] select ports by their port name, e.g. smtp, http.
regex is also supported, e.g. "http*"
Scan TCP Ports -pT default option
Scan UDP Ports -pU
Scan All Ports -p "*"
Scan Top Ports --top-ports [number] numbers := [100,500,1000,5000,..]
Perform a Sequential Port Scan -r scan ports in order; the default scanning algorithm randomizes the port scan order
Fingerprint services and OSs:
OS Detection -O [--osscan-guess] if nmap can't determine the OS, add the optional flag
Service Version Detection -sV [--version-trace] print more info by adding the optional flag
Just take your time:
Time arguments are interpreted as milliseconds by default; append (s)econds, (m)inutes or (h)ours to change the unit, e.g. 100s
Timing Templates -T[0-5]
0 paranoid: Extremely slow
1 sneaky: Trying to avoid being monitored
2 polite: Less sneaky
3 normal: default option
4 aggressive: Aggressive and maybe fast scan
5 insane: Very aggressive and maybe fast scan
Minimum # of Parallel scans/ping/.. --min-parallelism
Maximum # of Parallel scans/ping/.. --max-parallelism
Minimum Host Group Size --min-hostgroup
Maximum Host Group Size --max-hostgroup
Maximum RTT Timeout --max-rtt-timeout
Initial RTT Timeout --initial-rtt-timeout
Minimum Scan Delay --scan-delay
Maximum Scan Delay --max-scan-delay
Minimum Packet Rate --min-rate
Maximum Packet Rate --max-rate
Maximum Retries --max-retries
Set the Packet TTL --ttl
Host Timeout --host-timeout
Defeat Reset Rate Limits --defeat-rst-ratelimit
My firewall is better than yours:
Fragment Packets -f splits probe packets into 8-byte fragments
Specify a Specific MTU --mtu
Use a Decoy -D spoof traffic so the scan appears to come from other addresses as well as yours
the argument can be [address1,address2,..] OR [RND:number] to randomly generate decoy IP addresses
Idle Zombie Scan -sI
Manually Specify a Source Port --source-port
Append Random Data --data-length append random data to probe packets.
Randomize Target Scan Order --randomize-hosts
Spoof MAC Address --spoof-mac
Send Bad Checksums --badsum
Here we get choosy:
Verbose Output -v
Debugging output -d
Display Port State Reason --reason
Only Display Open Ports --open
Trace Packets --packet-trace
Display Host Networking --iflist
Tell nmap which network interface to use -e
Nmap Scripting Engine (NSE):
Execute Scripts by path and/or category --script [filepath.nse|filepath*|category,..]
Append script arguments --script-args [key=value,...]
Troubleshoot Scripts --script-trace
Update the Script Database --script-updatedb
Script Categories := [all,auth,default,discovery,external,intrusive,malware,safe,vuln]