This is going to be a bit of a living document. As I find things that make understanding and memorizing the tool easier, I'll add or change it.
Nmap is a network mapper: a tool that finds devices on a network, which ports they have open and which operating systems they run. It also has a scripting engine (NSE) whose scripts range from harmless discovery checks to ones that may actually compromise the target if run.
Let's start with a basic scan:
nmap 192.168.2.13
This is really all you need to make a scan happen, but it's pretty noisy and doesn't show much of what the tool can do. There are a lot of switches; they break down into categories though. It's best to run nmap with sudo, since the raw-packet scan types (SYN, FIN, NULL, XMAS, ACK) need root; without it nmap silently falls back to a TCP connect scan.
| Switch | Type | Example | Comment |
| --- | --- | --- | --- |
| -s{x} | Scan types | -sT | TCP connect scan (full handshake; works without root) |
| | | -sS | SYN scan (half-open; the default when run as root) |
| | | -sU | UDP scan |
| | | -sN | NULL scan |
| | | -sF | FIN scan |
| | | -sX | XMAS scan |
| | | -sA | ACK scan (maps firewall rules rather than open ports) |
| | | -sI | Idle (zombie) scan: uses another host as the apparent scanner |
| | | -sV | Service version detection (added on top of a scan type) |
| -P{x} | Host discovery (ping) | -PR | ARP ping. Combine with -sn for host discovery only, no port scan |
| | | -PE | ICMP echo ping |
| | | -PP | ICMP timestamp ping |
| | | -PM | ICMP address mask ping |
| | | -PS | TCP SYN ping |
| | | -PA | TCP ACK ping |
| | | -PU | UDP ping |
| -o{x} | Output file (the formats can be combined; -oA writes all three at once) | -oN | Normal: the same text you see on screen |
| | | -oG | Grepable |
| | | -oX | XML |
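The grepable format is the one to reach for when you want to post-process results. The script below is an added example, not part of the original notes or of nmap itself: it parses -oG output into a host/port inventory and diffs two scans so newly exposed ports stand out. Both .gnmap files are constructed samples written by the script; the hosts, ports and versions in them are made up.

```sh
#!/bin/sh
# Added example (not from the original notes): parse nmap's grepable output (-oG)
# into a host/port inventory and diff two scans to spot newly exposed ports.
# The two .gnmap files below are constructed samples, not real scan results.

write_baseline() {
    # $1: destination file; constructed sample of what "nmap -sS -sV -oG" writes
    {
        printf '# Nmap scan initiated as: nmap -sS -sV -oG baseline.gnmap 192.168.2.0/24\n'
        printf 'Host: 192.168.2.13 ()\tStatus: Up\n'
        printf 'Host: 192.168.2.13 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
        printf 'Host: 192.168.2.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)\n'
        printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n'
    } > "$1"
}

write_current() {
    # $1: destination file; the same network scanned later, with one more host answering
    write_baseline "$1"
    printf 'Host: 192.168.2.31 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n' >> "$1"
}

open_ports() {
    # $1: .gnmap file. Prints "host port/proto service" for every open port.
    # Grepable lines are tab-separated fields; the Ports field holds entries of
    # port/state/protocol/owner/service/rpcinfo/version/ separated by ", ".
    awk -F'\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host)
            sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i
                sub(/^Ports: /, "", ports)
                n = split(ports, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
                }
            }
        }' "$1"
}

new_open_ports() {
    # $1: baseline .gnmap, $2: current .gnmap. Prints ports open now that were
    # not open in the baseline, i.e. the lines a defender wants to look at first.
    tmp=$(mktemp -d)
    open_ports "$1" | sort > "$tmp/base"
    open_ports "$2" | sort > "$tmp/cur"
    comm -13 "$tmp/base" "$tmp/cur"
    rm -rf "$tmp"
}

# Demo run on the constructed samples
dir=$(mktemp -d)
write_baseline "$dir/baseline.gnmap"
write_current "$dir/current.gnmap"
echo "Open ports in baseline:"
open_ports "$dir/baseline.gnmap"
echo "Newly exposed since baseline:"
new_open_ports "$dir/baseline.gnmap" "$dir/current.gnmap"
rm -rf "$dir"
```

Run a scan with -oG on a schedule, keep the previous file as the baseline, and feed both to new_open_ports; an empty result means nothing new is listening. Closed and filtered ports are skipped on purpose, since only the open ones change your exposure.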
A few other options to use are:
Spoofing the source IP:
sudo nmap -S SPOOFED_IP TARGET_IP
Spoofing the MAC address:
sudo nmap TARGET_IP --spoof-mac SPOOFED_MAC
Fragment packets into 8-byte chunks (a second -f, i.e. -ff, makes it 16 bytes):
sudo nmap -f TARGET_IP
Scripts
All the scripts live in /usr/share/nmap/scripts. To run nmap with the default script set, use -sC. You can also pick scripts by name with --script "SCRIPT-NAME", or by a pattern such as --script "ftp*", which would include ftp-brute. Scripts belong to one or more of the categories below, and --script accepts a category name too.
| Category | Description |
| --- | --- |
| auth | authentication checks |
| broadcast | discovery via broadcast messages |
| brute | brute-force password guessing |
| default | the set run by -sC |
| discovery | gathers accessible info: DB tables, DNS records, etc. |
| dos | tests whether a service is vulnerable to DoS (may crash it) |
| exploit | attempts to exploit vulnerable services |
| external | checks that query 3rd-party services such as VirusTotal |
| fuzzer | sends fuzzed input to services |
| intrusive | anything that may crash or compromise the target (brute-force, exploits) |
| malware | checks for backdoors and malware infections |
| safe | scripts not expected to crash services or count as intrusive |
| version | extends service version detection (-sV) |
| vuln | checks for specific known vulnerabilities |
You can grep out what you're looking for:
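The script directory carries an index, script.db, listing each script's categories, and grepping it is the quickest way to check what a script is tagged as before you put it in a --script expression (the assumed path is /usr/share/nmap/scripts/script.db). The following is an added example, not part of the original notes or of nmap: it writes a constructed excerpt in the index's format, lists the scripts in a category, and gates on the intrusive tag so a routine inventory scan never picks up brute-force or exploit scripts by accident.

```sh
#!/bin/sh
# Added example (not from the original notes): read nmap's script index,
# assumed to live at /usr/share/nmap/scripts/script.db, to see which categories
# a script belongs to before putting it in a --script expression.
# The index excerpt below is constructed; real entries have the same shape.

write_sample_db() {
    # $1: destination file
    cat > "$1" <<'EOF'
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "dns-brute.nse", categories = { "discovery", "intrusive", } }
EOF
}

scripts_in_category() {
    # $1: script.db path, $2: category name. Prints one filename per line.
    grep -E "categories = \{[^}]*\"$2\"" "$1" |
        sed -E 's/.*filename = "([^"]+)".*/\1/'
}

categories_of() {
    # $1: script.db path, $2: script filename. Prints one category per line.
    grep -F "filename = \"$2\"" "$1" |
        sed -E 's/.*categories = \{([^}]*)\}.*/\1/' |
        tr -d '" ' | tr ',' '\n' | sed '/^$/d'
}

is_intrusive() {
    # $1: script.db path, $2: script filename. Exit 0 if tagged intrusive.
    # Use as a gate in a wrapper so scheduled scans stay on safe scripts;
    # nmap itself accepts the same idea as --script "default and not intrusive".
    categories_of "$1" "$2" | grep -qx intrusive
}

# Demo on the constructed index
db=$(mktemp)
write_sample_db "$db"
echo "Scripts in category safe:"
scripts_in_category "$db" safe
for s in ftp-anon.nse ftp-brute.nse; do
    if is_intrusive "$db" "$s"; then
        echo "$s: intrusive ($(categories_of "$db" "$s" | tr '\n' ' '))"
    else
        echo "$s: not intrusive ($(categories_of "$db" "$s" | tr '\n' ' '))"
    fi
done
rm -f "$db"
```

Point the functions at the real script.db instead of the sample to vet a pattern like "ftp*" before running it: if any match comes back intrusive, narrow the expression or add "and not intrusive".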