Network commands
nmap
- References:
- nmap home page: nmap.org, nmap tutorial, Nmap Reference Guide.
Target Specification
| IPv4 address | 192.168.1.1 |
| IPv6 address | AABB:CCDD::FF%eth0 |
| Host name | www.target.tgt |
| IP address range | 192.168.0-255.0-255 |
| CIDR block | 192.168.0.0/16 |
Target Ports
| default | 1,000 most popular ports |
| -F | Scan 100 most popular ports |
| -p<port1>-<port2> | Port range |
| -p<port1>,<port2>,… | Port List |
| -pU:53,U:110,T:20-445 | Mix TCP and UDP |
| -r | Scan linearly (do not randomize) |
| --top-ports <n> | Scan n most popular ports |
| -p-65535 | 1 to 65535 |
| -p40- | 40 to 65535 |
| -p- | scan ports 1-65535 |
Scan Types
| -sP | Probe only (host discovery) |
| -sS | SYN Scan |
| -sT | TCP Connect Scan |
| -sU | UDP Scan |
| -sV | Version Scan |
| -O | OS Detection |
Probing Options
| -Pn | Don’t probe |
| -PB | Default probe (TCP 80, 445 & ICMP) |
| -PS<portlist> | probe TCP ports |
| -PE | Use ICMP Echo Request |
| -PP | Use ICMP Timestamp Request |
| -PM | Use ICMP Netmask Request |
Timing
Time between packets.
| -T0 | -T paranoid |
| -T1 | -T sneaky |
| -T2 | -T polite |
| -T3 | -T normal |
| -T4 | -T aggressive |
| -T5 | -T insane |
Examples
More details in nmap.org examples
| nmap -v scanme.nmap.org | verbose scan of reserved TCP ports |
| nmap -sS -O scanme.nmap.org/24 | stealth SYN scan, try to determine the OS |
| nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127 | host enumeration and version scan on the SSH, DNS, POP3, IMAP and 4564 TCP ports |
| nmap -sP -PS 198.116.1.0/24 | Discover hosts with TCP SYN ping scans |
| nmap -T4 -n -Pn -p- 198.116.0.0/16 | quick scan: aggressive, no DNS, no ping |