web analytics

Nmap Commands

by

Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
–exclude : Exclude hosts/networks
–excludefile : Exclude list from file
HOST DISCOVERY:
-sL: List Scan – simply list targets to scan
-sn: Ping Scan – disable port scan
-Pn: Treat all hosts as online — skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
–dns-servers : Specify custom DNS servers
–system-dns: Use OS’s DNS resolver
–traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
–scanflags : Customize TCP scan flags
-sI : Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
–exclude-ports : Exclude the specified ports from scanning
-F: Fast mode – Scan fewer ports than the default scan
-r: Scan ports consecutively – don’t randomize
–top-ports : Scan most common ports
–port-ratio : Scan ports more common than
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
–version-intensity : Set from 0 (light) to 9 (try all probes)
–version-light: Limit to most likely probes (intensity 2)
–version-all: Try every single probe (intensity 9)
–version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to –script=default
–script=: is a comma separated list of
directories, script-files or script-categories
–script-args=: provide arguments to scripts
–script-args-file=filename: provide NSE script args in a file
–script-trace: Show all data sent and received
–script-updatedb: Update the script database.
–script-help=: Show help about scripts.
is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
–osscan-limit: Limit OS detection to promising targets
–osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take are in seconds, or append ‘ms’ (milliseconds),
‘s’ (seconds), ‘m’ (minutes), or ‘h’ (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
–min-hostgroup/max-hostgroup : Parallel host scan group sizes
–min-parallelism/max-parallelism : Probe parallelization
–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
probe round trip time.
–max-retries : Caps number of port scan probe retransmissions.
–host-timeout : Give up on target after this long
–scan-delay/–max-scan-delay : Adjust delay between probes
–min-rate : Send packets no slower than per second
–max-rate : Send packets no faster than per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; –mtu : fragment packets (optionally w/given MTU)
-D : Cloak a scan with decoys
-S : Spoof source address
-e : Use specified interface
-g/–source-port : Use given port number
–proxies : Relay connections through HTTP/SOCKS4 proxies
–data : Append a custom payload to sent packets
–data-string : Append a custom ASCII string to sent packets
–data-length : Append random data to sent packets
–ip-options : Send packets with specified ip options
–ttl : Set IP time-to-live field
–spoof-mac : Spoof your MAC address
–badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG : Output scan in normal, XML, s|: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
–reason: Display the reason a port is in a particular state
–open: Only show open (or possibly open) ports
–packet-trace: Show all packets sent and received
–iflist: Print host interfaces and routes (for debugging)
–append-output: Append to rather than clobber specified output files
–resume : Resume an aborted scan
–stylesheet : XSL stylesheet to transform XML output to HTML
–webxml: Reference stylesheet from Nmap.Org for more portable XML
–no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
–datadir : Specify custom Nmap data file location
–send-eth/–send-ip: Send using raw ethernet frames or IP packets
–privileged: Assume that the user is fully privileged
–unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80

Example nmap scan against a Windows Server running Active Directory Services:

kanna@tekgenx:~$ sudo nmap –vv -O -sV 172.16.100.11
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-13 14:21 CET
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 14:21
Scanning 172.16.100.11 [1 port]
Completed ARP Ping Scan at 14:21, 0.95s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:21
Completed Parallel DNS resolution of 1 host. at 14:21, 0.00s elapsed
Initiating SYN Stealth Scan at 14:21
Scanning 172.16.100.11 [1000 ports]
Discovered open port 445/tcp on 172.16.100.11
Discovered open port 139/tcp on 172.16.100.11
Discovered open port 53/tcp on 172.16.100.11
Discovered open port 80/tcp on 172.16.100.11
Discovered open port 135/tcp on 172.16.100.11
Discovered open port 464/tcp on 172.16.100.11
Discovered open port 636/tcp on 172.16.100.11
Discovered open port 3268/tcp on 172.16.100.11
Discovered open port 3269/tcp on 172.16.100.11
Discovered open port 389/tcp on 172.16.100.11
Discovered open port 593/tcp on 172.16.100.11
Discovered open port 88/tcp on 172.16.100.11
Completed SYN Stealth Scan at 14:22, 4.91s elapsed (1000 total ports)
Initiating Service scan at 14:22
Scanning 12 services on 172.16.100.11
Stats: 0:02:14 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 14:24 (0:00:11 remaining)
Completed Service scan at 14:24, 141.14s elapsed (12 services on 1 host)
Initiating OS detection (try #1) against 172.16.100.11
NSE: Script scanning 172.16.100.11.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:24
Completed NSE at 14:24, 0.07s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 14:24
Completed NSE at 14:24, 1.01s elapsed
Nmap scan report for 172.16.100.11
Host is up, received arp-response (0.00090s latency).
Scanned at 2022-02-13 14:21:58 CET for 149s
Not shown: 988 filtered ports
Reason: 988 no-responses
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 128
80/tcp open http syn-ack ttl 128 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 128 Microsoft Windows Kerberos (server time: 2022-02-13 13:22:09Z)
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: cybersec-tgx.com, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 128 Microsoft Windows Server 2008 R2 – 2012 microsoft-ds (workgroup: CYBERSEC-TGX)
464/tcp open kpasswd5? syn-ack ttl 128
593/tcp open ncacn_http syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 128
3268/tcp open ldap syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: cybersec-tgx.com, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 128
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/13%Time=62090606%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,”\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03″);
MAC Address: 00:0C:29:33:0F:05 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/13%OT=53%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=000C29%TM=6209
OS:068B%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=109%TI=I%II=I%SS=S%TS=A)
OS:OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4
OS:NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
OS:ECN(R=Y%DF=Y%TG=80%W=2000%O=M5B4NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%TG=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)U1(R=N)IE(R=Y%DFI=N%TG=80%CD=Z)

Uptime guess: 0.050 days (since Sun Feb 13 13:11:57 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: CYBERSEC_DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.69 seconds
Raw packets sent: 2027 (91.026KB) | Rcvd: 23 (1.334KB)

Share IT!