NMAP Quick Reference

Intro

NMAP is a tool for network discovery and auditing. This is not a comprehensive tutorial, only a quick reference source. Consult the man pages and/or documentation for an in-depth explanation of commands.

Port Scan

Top Ports

Scan the top N number of ports

nmap --top-ports 10 target.dummy

TCP SYN Scan

TCP SYN scans do not perform a full TCP 3-way handshake. A RST is sent to the server when a SYN/ACK is received. The flow between the NMAP client and server looks like this:

sudo nmap -sS -p 22,113,139 target.dummy

https://nmap.org/book/synscan.html

TCP Connect Scan

TCP connect scan utilises the underlying operating system to perform a full TCP 3-way handsake and sets up a connections between the client and the server. This scan is used when the user does not have raw packet privileges or is scanning IPv6 networks. The flow between the NMAP client and the server looks like this:

nmap -sT -p 22,80,443 target.dummy

https://nmap.org/book/scan-methods-connect-scan.html

UDP Scan

UDP scans send a UDP packet to the target port and depending on the response, NMAP will guess if the port is open based on the following table.

sudo nmap -sU -p 53 target.dummy

https://nmap.org/book/scan-methods-udp-scan.html

Aggressive Scan

An aggressive scan combines a number of scan types without having to remember a large number of flags. The scans include:

• OS Detection
• Version Scanning
• Script Scanning
• Traceroute

nmap -A target.dummy

Ping Sweep

Subnet

Ping sweep a subnet

nmap -sn 10.1.1.0/24

https://nmap.org/book/man-host-discovery.html

NPing

NPing allows you to generate packets.

Gratuitous ARP

Target a host with a GARP reply

sudo nping -c 1 --arp-sender-mac 08:00:27:ba:6c:7f \\
  --arp-sender-ip 10.1.1.1 --arp-type ar \\
  --arp-target-mac 08:00:27:74:99:3b 10.1.1.11 \\
  --interface eth1 --dest-mac 08:00:27:74:99:3b