nmap

Flags

-Pn: Treat all hosts as online (no ping). This option skips the Nmap host discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified.
-sS: stealth scan (TCP SYN)
-sU: UDP scan
-sV: probe open ports to determine service/version info
-sn: network sweep (host discovery only, no port scan)
-A: enable OS detection, version detection, script scanning, and traceroute
-p-: specifies every port
-p <range>: define a port range
-T1 up to -T5: slower to faster scanning (faster == more likely to miss)
-O: operating system detection
-v: verbose, -vv: very verbose

OUTPUT:
-oN/-oX/-oS/-oG <file>: output scan in normal, XML, s|<rIpt kIddi3, and grepable format
-oA <basename>: output in the 3 major formats at once

nmap -sn 192.168.1.0/24
# ->found router at 192.168.1.1
______________________

nmap -T4 192.168.1.1
#     ^T1-T5 slower to faster scanning (faster == more likely to miss)
______________________

nmap -T4 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-17 14:12 EST
Nmap scan report for Linksys15214 (192.168.1.1)
Host is up (0.0047s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
49152/tcp open unknown
49153/tcp open unknown
______________________

More efficient: scan for all ports, then scan -A with those specific ports, e.g.
nmap -T4 -p- 192.168.1.1
nmap -T4 -A -p53,80,139,445,10000,49152,49153 192.168.1.1
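A small helper for the two-stage approach above, added here as an example (it is not part of the original notes). The -oG sample, the helper names open_ports and stage2_cmd, and the stage1.gnmap file name are constructed for illustration; stage 1 is run with -oG so its open ports can be fed to stage 2 without retyping them.

```sh
#!/bin/sh
# Two-stage scan helper (added example): stage 1 scans every port with
# grepable output, stage 2 runs -A only on the ports stage 1 found open.
# Helper names open_ports and stage2_cmd are hypothetical.

# open_ports: read nmap -oG output on stdin, print open TCP ports comma-separated.
# Grepable port entries look like 53/open/tcp//domain/// (port/state/proto/...).
open_ports() {
    grep '^Host: ' | grep -oE '[0-9]+/open/tcp' | cut -d/ -f1 | paste -sd, -
}

# stage2_cmd TARGET PORTS: print the -A command for stage 2, or fail when
# no ports were open (an empty -p list is not a valid scan).
stage2_cmd() {
    [ -n "$2" ] || return 1
    printf 'nmap -T4 -A -p%s %s\n' "$2" "$1"
}

# Constructed sample of -oG output for the router scanned above. Real output
# separates the Host/Ports/Ignored State fields with tabs; the parser does not care.
SAMPLE='# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.1.1 (Linksys15214)  Status: Up
Host: 192.168.1.1 (Linksys15214)  Ports: 53/open/tcp//domain///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 10000/open/tcp//snet-sensor-mgmt///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 23/filtered/tcp//telnet///  Ignored State: filtered (65527)
# Nmap done at (constructed sample)'

# Real use: nmap -T4 -p- -oG stage1.gnmap 192.168.1.1; PORTS=$(open_ports < stage1.gnmap)
PORTS=$(printf '%s\n' "$SAMPLE" | open_ports)
stage2_cmd 192.168.1.1 "$PORTS"
# -> nmap -T4 -A -p53,80,139,445,10000,49152,49153 192.168.1.1
```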
______________________

nmap -T4 -A -p- 192.168.1.1
^-A is for all (ask for as much info as possible)
-A: Enable OS detection, version detection, script scanning, and traceroute
-p-: specifies every port
______________________

UDP scans: time intensive and prone to false positives; scanning all 60,000+ ports takes a lot of time
nmap -sU -T4 192.168.1.1
______________________

ls /usr/share/nmap/scripts/ #list all nmap scripts

nmap -p 443 --script=all <target> # runs every NSE script against port 443; will take a lot of time

nmap -p 443 --script=ssl-enum-ciphers tesla.com
