
nmap

This page will have all the pentesting techniques related to nmap.

Network Mapping

After gathering information passively about a target organization, a penetration tester moves to the active information gathering phase. This phase involves identifying which hosts are online, what ports are open, and what operating systems are running on those hosts. The process used for this is Network Mapping.

Network Mapping refers to the identification of devices, hosts, and network elements within a target network. It is an essential part of pentesting: it helps the tester understand the network's layout and architecture and points to the services most likely to offer a way in.

Why Map a Network?

  • Discovery of Live Hosts: Identify which devices or hosts are currently active.

  • Identification of Open Ports: Determine which services are accessible via specific ports.

  • Network Topology Mapping: Understand how the network is structured, including its layout.

  • Operating System Fingerprinting: Identify the operating systems running on each active host.

  • Service Version Detection: Discover which versions of services are running, potentially exposing outdated or vulnerable software.

  • Identifying Filtering and Security Measures: Uncover firewall rules, intrusion prevention systems (IPS), and other security mechanisms.

Nmap (Network Mapper) is a free, open-source tool used for network discovery and security auditing. It helps identify devices on a network, discover open ports, services, operating systems, and potential vulnerabilities by scanning IP addresses. Nmap is commonly used by cybersecurity professionals for network exploration, troubleshooting, and security assessments.

nmap Basic Scan

# Default scan: only the 1,000 most common TCP ports are probed
nmap [TARGET]

# Scans all 65535 TCP ports (anything listening on an unusual port is missed by the default scan)
nmap -p- [TARGET]

Service & Version Detection

# Determine the version of the service running on port
nmap -sV [TARGET]

# Aggressive scan: enables OS detection (-O), version detection (-sV), default script scanning (-sC), and traceroute (--traceroute)
nmap -A [TARGET]

💣 I USE THIS ALL THE TIME 💣

nmap -Pn -T4 --open -sS -sC -sV --min-rate=1000 --max-retries=3 -p- -oN scanReportForHost2 [TARGET]

General Flags

-Pn: Skips host discovery and treats every target as online. Use it when ICMP/ping probes are filtered; on large ranges it is slower, because every address gets port-scanned.
-T4: Sets a faster timing template (aggressive); fine on a LAN or lab, noisier and more prone to dropped probes on slow or filtered links.

Port Scanning Options

--open: Only shows open (or open|filtered) ports in the output; it does not change which ports are probed.
-sS: Performs a TCP SYN (half-open) scan: a SYN is sent and the handshake is never completed. It needs root (raw sockets); unprivileged users must fall back to a full connect scan (-sT).
-sC: Runs the default NSE script set (equivalent to --script=default), which enumerates services such as SSH, HTTP, and SMB. It is not a vulnerability scan; the vuln category (--script vuln) is separate.
-sV: Attempts to determine the service and version running on each open port.
--min-rate=1000: Never sends slower than 1000 packets per second. This speeds up a full-port scan but can cause missed ports on lossy links or against rate-limiting firewalls.
--max-retries=3: Retransmits a probe at most 3 times before giving up; ports that never answer are reported as filtered.
-p-: Scans all 65535 TCP ports (1-65535).

Output

-oN scanReportForHost2: Saves scan results to a text file named "scanReportForHost2".

Target

[TARGET]: Replace with the actual IP address or hostname of the target system.

Output Formats

OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

Output to a File

-oN sth.txt: Saves results in normal, human-readable text, essentially what is printed to the screen.

-oX test.xml: Saves results in XML format, the format to use for importing into Metasploit (db_import test.xml) or for converting to HTML with an XSL stylesheet.

-oG sth.txt: Saves results in grepable format, one line per host, which can later be filtered with grep/egrep or awk.

-oA basename: Writes all three at once as basename.nmap, basename.xml, and basename.gnmap.
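The following script is an added example, not code from the original page. It turns the all-ports command above into the two-stage workflow most testers actually use: a fast SYN sweep of every TCP port written with -oA, then -sC -sV on only the ports that sweep found open, with the open-port list pulled out of the .gnmap (grepable) file. It assumes nmap is in PATH and that it runs as root (-sS needs raw sockets); the sample .gnmap content it ships with is constructed for the demo, not real scan output, so the parsers can be exercised without touching a target.

```shell
#!/bin/sh
# Added example (not from the original page): two-stage nmap workflow.
# Stage 1: all-ports SYN sweep saved in grepable format (-oA gives .gnmap).
# Stage 2: -sC -sV only on the ports stage 1 found open, which is much
# faster than running -sC -sV -p- in a single pass.
# Assumptions: nmap in PATH, run as root (-sS needs raw sockets).
set -eu

# Write a constructed sample .gnmap file (made up for this example, not real
# scan output) so the parsers below can run without invoking nmap.
write_sample_gnmap() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n' > "$1"
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n' >> "$1"
    printf '# Nmap done: 1 IP address (1 host up)\n' >> "$1"
}

# Addresses nmap reported as up, one per line.
hosts_up_from_grepable() {
    grep -E '^Host:.*Status: Up' "$1" | awk '{ print $2 }' | sort -u
}

# Open TCP ports from the "Ports:" field, as a comma list usable with -p.
# Each entry is port/state/proto/owner/service/rpc/version/, separated by ", ".
# The numeric check on $1 drops fragments produced when a version string
# itself contains a comma.
open_ports_from_grepable() {
    grep -E '^Host:.*Ports:' "$1" \
      | sed -E 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
      | tr ',' '\n' \
      | sed -E 's/^ +//' \
      | awk -F/ '$1 ~ /^[0-9]+$/ && $2 == "open" && $3 == "tcp" { print $1 }' \
      | sort -un \
      | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { print "" }'
}

# Stage 1 sweep, then stage 2 service scan on the discovered ports.
two_stage_scan() {
    target="$1"
    base="${2:-scan_$1}"
    # All 65535 TCP ports, no host discovery, fast timing, open ports only
    nmap -Pn -sS -p- -T4 --min-rate=1000 --max-retries=3 --open \
         -oA "${base}_allports" "$target"
    ports="$(open_ports_from_grepable "${base}_allports.gnmap")"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    # Default NSE scripts and version detection on just those ports
    nmap -Pn -sS -sC -sV -p "$ports" -oA "${base}_services" "$target"
}

if [ "$#" -ge 1 ]; then
    two_stage_scan "$@"
else
    # No target given: show the parsers working on the constructed sample.
    sample="$(mktemp)"
    write_sample_gnmap "$sample"
    echo "hosts up: $(hosts_up_from_grepable "$sample")"
    echo "open TCP ports: $(open_ports_from_grepable "$sample")"
    rm -f "$sample"
fi
```

Run it as `sudo sh two_stage.sh 10.0.0.5` against a host you are authorised to scan; with no argument it only parses the embedded sample and prints `22,80,443`. The same -oG parsing applies to any .gnmap file you already have, for example to feed a port list from an old sweep into a new -sV run.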
