# nmap

## Network Mapping

After gathering information passively about a target organization, a penetration tester moves to the **active information gathering phase**. This phase involves identifying which hosts are online, what ports are open, and what operating systems are running on those hosts. The process used for this is **Network Mapping**.

**Network Mapping** refers to the identification of devices, hosts, and network elements within a target network. It is an essential part of pentesting: it helps the tester understand the network's layout and architecture and identify potential vulnerabilities.

### Why Map a Network?

* **Discovery of Live Hosts**: Identify which devices or hosts are currently active.
* **Identification of Open Ports**: Determine which services are accessible via specific ports.
* **Network Topology Mapping**: Understand how the network is structured, including its layout.
* **Operating System Fingerprinting**: Identify the operating systems running on each active host.
* **Service Version Detection**: Discover which versions of services are running, potentially exposing outdated or vulnerable software.
* **Identifying Filtering and Security Measures**: Uncover firewall rules, intrusion prevention systems (IPS), and other security mechanisms.

Nmap (Network Mapper) is a free, open-source tool used for network discovery and security auditing. It helps identify devices on a network, discover open ports, services, operating systems, and potential vulnerabilities by scanning IP addresses. Nmap is commonly used by cybersecurity professionals for network exploration, troubleshooting, and security assessments.

## nmap Basic Scan

```bash
nmap [TARGET]       # Default scan of the most common 1000 TCP ports
nmap -p- [TARGET]   # Scans all 65535 TCP ports
```

## Service & Version Detection

```bash
# Determine the version of the service running on each open port
nmap -sV [TARGET]

# Enables OS detection, version detection, script scanning, and traceroute
nmap -A [TARGET]
```

## :bomb: I USE THIS ALL THE TIME  :bomb:

{% code overflow="wrap" %}

```bash
nmap -Pn -T4 --open -sS -sC -sV --min-rate=1000 --max-retries=3 -p- -oN scanReportForHost2 [TARGET]
```

{% endcode %}

### General Flags

```
-Pn: Disables host discovery, assuming all targets are online.
-T4: Sets a faster timing template for aggressive scanning.
```

### Port Scanning Options

```
--open: Focuses scanning on ports found to be open.
-sS: Performs a TCP SYN scan, sending SYN packets to probe for open ports.
-sC: Runs common Nmap scripts for service detection and vulnerability identification.
-sV: Attempts to determine service versions running on open ports.
--min-rate=1000: Sets a minimum send rate of 1000 packets per second.
--max-retries=3: Limits the number of retries for unresponsive ports to 3.
-p-: Scans all 65535 TCP ports.
```

### Output

```
-oN scanReportForHost2: Saves scan results to a text file named "scanReportForHost2".
```

### Target

```
[TARGET]: Replace with the actual IP address or hostname of the target system.
```

## Output Formats

```
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
```

## Output to a File

`-oN sth.txt`: Saves results in **normal text format**, the same output that is printed to the terminal.

`-oX test.xml`: Saves results in **XML format**, which is useful for importing the scan into Metasploit.

`-oG sth.txt`: Saves results in **grepable format** (one line per host), which can later be searched with `egrep`.
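As an added example that is not part of the original page, the following Python parses the grepable (`-oG`) output described above and checks the open ports it finds against an allowlist of services each host is expected to expose, so a full `-p-` scan of your own network can be turned into a list of unexpected exposures. The sample scan text, the hostnames and the `BASELINE` allowlist are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output; not from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -Pn -sS -sV -p- -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 (web01.example.internal)\tStatus: Up
Host: 10.0.0.5 (web01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 8.0.32/, 443/filtered/tcp//https///\tIgnored State: closed (65531)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/\tIgnored State: closed (65534)
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 120.00 seconds
"""

# Assumed allowlist: the TCP ports each host is expected to expose.
BASELINE = {"10.0.0.5": {22, 80, 443}, "10.0.0.6": {22}}

@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

def parse_gnmap(text):
    """Parse -oG text: each 'Host:' line is tab-separated 'Key: value' fields, and
    the Ports field is comma-separated port/state/proto/owner/service/rpc/version/."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # 'Status: Up' lines carry no port data
        host = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        for entry in fields["Ports"].split(", "):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # malformed entry; a real tool would log this
            records.append(PortRecord(host, int(parts[0]), parts[2], parts[1], parts[4], parts[6]))
    return records

def unexpected_exposure(records, baseline):
    """Open ports not on the host's allowlist (a host missing from the baseline allows nothing)."""
    return [r for r in records if r.state == "open" and r.port not in baseline.get(r.host, set())]

if __name__ == "__main__":
    for r in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"UNEXPECTED {r.host}:{r.port}/{r.proto} {r.service} {r.version}")
```

To use it on a real scan, read the file written by `-oG` in place of `SAMPLE_GNMAP`; filtered ports are kept in the records but are not reported as exposures.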


