# nmap

## Flags

-Pn: Treat all hosts as online (No ping)\
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified.\
-sS: Stealth Scan (TCP)\
-sU: UDP\
-sV: Probe open ports to determine service/version info\
-sn: ping sweep of the network (host discovery only, no port scan)\
-A: Enable OS detection, version detection, script scanning, and traceroute\
-p-: specifies every port\
-T1 up to -T5 slower to faster scanning (faster == more likely to miss)\
-p: the port switch, used to define a port or port range\
-O: operating system detection\
-v: verbose, -vv: very verbose\
\
**OUTPUT**:\
-oN/-oX/-oS/-oG \<file>: Output scan in normal, XML, s|\<rIpt kIddi3, and grepable format, respectively\
-oA \<basename>: output in all 3 major formats at once

```
nmap -sn 192.168.1.0/24
# ->found router at 192.168.1.1
______________________

nmap -T4 192.168.1.1
#     ^T1-T5 slower to faster scanning (faster == more likely to miss)
______________________

nmap -T4 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-17 14:12 EST
Nmap scan report for Linksys15214 (192.168.1.1)
Host is up (0.0047s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
49152/tcp open unknown
49153/tcp open unknown
______________________

# More efficient: scan for all ports first, then run -A against only the ports found open, e.g.
nmap -T4 -p- 192.168.1.1
nmap -T4 -A -p53,80,139,445,10000,49152,49153 192.168.1.1
______________________

nmap -T4 -A -p- 192.168.1.1
#     ^-A is for all (ask for as much info as possible)
# -A: Enable OS detection, version detection, script scanning, and traceroute
# -p-: specifies every port
______________________

# UDP scans: time-intensive, give false positives, and take a long time across all 60,000 ports
nmap -sU -T4 192.168.1.1
______________________

ls /usr/share/nmap/scripts/ #list all nmap scripts

nmap -p 443 --script=all <target> # will take a lot of time

nmap -p 443 --script=ssl-enum-ciphers tesla.com
```
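Building the second, targeted scan from the first: this is an added example, not part of the original notes, that reads a saved nmap report (the normal text shown above, or the -oG grepable format listed under OUTPUT) and turns its open ports into the `-p` list for the follow-up `-A` scan. The sample report text is a constructed copy of the output above; the `open_ports` function name is an assumption.

```shell
#!/bin/sh
# Added example: derive the "-p<ports>" argument for the targeted -A scan
# from a saved report instead of retyping the port numbers.
# Reads normal (-oN) or grepable (-oG) report text on stdin.

open_ports() {
    awk '
    # Collect each open port once, in the order first seen.
    function add(p) { if (!(p in seen)) { seen[p] = 1; list = list (list == "" ? "" : ",") p } }
    # Normal (-oN) line:   "53/tcp open domain"
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, a, "/"); add(a[1]) }
    # Grepable (-oG) line: "Host: ...<TAB>Ports: 53/open/tcp//domain///, ...<TAB>Ignored State: ..."
    /^Host:/ && /Ports:/ {
        sub(/.*Ports: /, ""); sub(/\tIgnored State:.*/, "")
        n = split($0, f, /, */)
        for (i = 1; i <= n; i++) { split(f[i], g, "/"); if (g[2] == "open") add(g[1]) }
    }
    END { printf "%s", list }'
}

# Constructed copy of the -T4 scan report shown above (normal format).
NORMAL_REPORT='PORT STATE SERVICE
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
49152/tcp open unknown
49153/tcp open unknown'

# Constructed -oG line for the same host; 443 is listed as filtered to show it is skipped.
GREPABLE_REPORT="$(printf 'Host: 192.168.1.1 (Linksys15214)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 443/filtered/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (992)')"

ports=$(printf '%s\n' "$NORMAL_REPORT" | open_ports)
echo "nmap -T4 -A -p$ports 192.168.1.1"
# -> nmap -T4 -A -p53,80,139,445,10000,49152,49153 192.168.1.1
```

Save a real scan with `-oN` or `-oG` and pipe the file through `open_ports` to get the same list for any host.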
