Nmap

Network scanning tool with enumeration scripts that gather detailed information about TCP/UDP ports and the underlying system

Description

Nmap's main use case is finding open TCP ports, but it can do much more along the way, including service version and OS detection and script-based enumeration.

nmap [options] 10.10.10.10

Some useful options include (see man nmap and the online docs for more details):

  • -sV, -O: Software versions, OS detection

  • -sC: Run default safe scripts

  • -Pn, -n: Disable ping, disable DNS resolution

  • -sS, -T4: SYN "stealth" scan (half-open connections; requires sudo/root to send raw packets), aggressive timing template for faster scanning

  • -oN [filename]: Output to file

  • Situational options:

    • -p [ports]: Specify ports as a comma-separated list and/or ranges, e.g. -p 22,80,8000-8100 (-p- = all 65535 ports)

    • -sU: Scan UDP instead of TCP (much slower and results are often inconsistent, since open UDP ports may not reply)

    • -vv: Very verbose output while the scan is running, so open ports are shown before completion

    • 10.10.10.0/24: Subnets in CIDR notation in the target field

Examples

# Scan all TCP ports with all enumeration options, disabling unnecessary features
sudo nmap -sV -O -sC -Pn -n -sS -T4 -oN nmap.txt -p- -vv 10.10.10.10
# Scan top 100 UDP ports relatively quickly with enumeration
sudo nmap -Pn -n -sV -sC -O -vv -oN nmap-udp.txt --top-ports 100 -sU --version-intensity 0 -T4 10.10.10.10
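Once a scan has been saved with -oN, the report is plain text that can be summarised without re-scanning. The following Python snippet is an added example, not part of the original page: it parses Nmap's normal-output format into a per-host port table and lists only the open ports. The report text is a constructed sample, not a real scan result.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap "normal" (-oN) output; not a real scan result.
SAMPLE_REPORT = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -sC -Pn -n -oN nmap.txt -p- 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http          Apache httpd 2.4.52 ((Ubuntu))
445/tcp  filtered microsoft-ds
8080/tcp open     http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done at Mon Jan  1 10:00:42 2024 -- 1 IP address (1 host up) scanned in 42.00 seconds
"""

# "Nmap scan report for 10.10.10.10" or "Nmap scan report for host.example (10.10.10.10)"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# One row of the PORT table: "<port>/<proto> <state> <service> [<version text>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_normal_output(text):
    """Return {host: [(port, proto, state, service, version), ...]}.

    Only rows of the PORT table are consumed; NSE script output
    (lines beginning with '|') and other banner lines are ignored.
    """
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)  # prefer the IP when a hostname is shown
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version or ""))
    return dict(hosts)

def open_ports(report, host):
    """Filter one host's rows down to (port, proto, service, version) for state == open."""
    return [(p, proto, svc, ver) for p, proto, state, svc, ver in report.get(host, []) if state == "open"]
```

Normal output is written for humans and its layout can shift between Nmap versions; for anything beyond a quick summary, Nmap's -oX (XML) output, or -oA for all formats at once, is the format intended for machine parsing.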

Tip: While a scan is running, a few key presses alter its behaviour or report progress:

  • v: Increase verbosity

  • any other key: Print a status update (estimated completion and percentage done)
