NMAP Quick Reference
Updated: 16th of April 2022
Published: 29th of September 2017
Intro
NMAP is a tool for network discovery and auditing. This is not a comprehensive tutorial, only a quick reference source. Consult the man pages and/or documentation for an in-depth explanation of commands.
Port Scan
Top Ports
Scan the N ports most often found open, ranked by the frequency data in Nmap's nmap-services file (here the top 10)
nmap --top-ports 10 target.dummy
TCP SYN Scan
TCP SYN scans do not complete the TCP 3-way handshake. NMAP sends a SYN; a SYN/ACK in reply means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable error) means it is filtered. When a SYN/ACK is received NMAP answers with a RST instead of an ACK, so no full connection is ever established on the target. The flow between the NMAP client and the server for an open port looks like this:
NMAP | ---SYN--> | SERVER |
NMAP | <--SYN/ACK--- | SERVER |
NMAP | ---RST--> | SERVER |
sudo nmap -sS -p 22,113,139 target.dummy
Note
TCP SYN scans require raw-packet privileges (hence the sudo). When NMAP already runs with those privileges, -sS is the default scan type.
https://nmap.org/book/synscan.html
TCP Connect Scan
TCP connect scan utilises the underlying operating system's connect() call to perform a full TCP 3-way handshake and set up a connection between the client and the server. NMAP falls back to it when the user does not have raw packet privileges (releases before Nmap 6 also used it for all IPv6 scans). Because a real connection is established, the scan is slower, and the target application usually logs it. The flow between the NMAP client and the server looks like this:
NMAP | ---SYN--> | SERVER |
NMAP | <--SYN/ACK--- | SERVER |
NMAP | ---ACK--> | SERVER |
NMAP | <--DATA--- | SERVER |
NMAP | ---RST--> | SERVER |
nmap -sT -p 22,80,443 target.dummy
https://nmap.org/book/scan-methods-connect-scan.html
UDP Scan
UDP scans send a UDP packet to each target port (empty by default, or a protocol-specific payload for well-known services such as DNS and SNMP) and classify the port from the response according to the following table.
NMAP State | Response Type |
---|---|
open | Any UDP response (this is unusual) |
open|filtered | No response received |
closed | ICMP port unreachable error (type 3, code 3) |
filtered | Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13) |
sudo nmap -sU -p 53 target.dummy
Note
UDP scans require raw-packet privileges. They are also slow, because most hosts rate-limit ICMP port unreachable messages, and the open|filtered state is ambiguous: adding -sV sends service probes that can confirm many of those ports as open.
https://nmap.org/book/scan-methods-udp-scan.html
Aggressive Scan
An aggressive scan combines a number of scan types without having to remember a large number of flags. -A enables:
- OS Detection (-O)
- Version Scanning (-sV)
- Script Scanning (-sC, the default NSE script set)
- Traceroute (--traceroute)
nmap -A target.dummy
Note
Aggressive scans are intrusive (the version probes and default NSE scripts talk to every open service) and should not be used against a target without permission. OS detection and traceroute need raw-packet privileges, so run the scan with sudo to get all four components.
Ping Sweep
Subnet
Ping sweep a subnet (-sn skips the port scan). With raw-packet privileges on a local Ethernet segment NMAP uses ARP requests; on other networks it sends an ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. Unprivileged, it falls back to TCP connect attempts to ports 80 and 443.
nmap -sn 10.1.1.0/24
https://nmap.org/book/man-host-discovery.html
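An added example, not from the original page, showing how to post-process the scans above: two POSIX shell functions that read NMAP's grepable output (-oG -) and pull out, first, the UDP ports in a given state (including the ambiguous open|filtered result from the table in the UDP Scan section) and, second, the hosts a ping sweep marked Up. The two -oG samples are constructed to look like real output; they are not actual scan results, and the addresses are placeholders.

```shell
#!/bin/sh
# Added example: parse Nmap grepable output (-oG -) with awk.
# The two samples below are constructed to mimic -oG output; they are not
# real scan results, and the 10.1.1.0/24 addresses are illustrative only.

TAB=$(printf '\t')

# Constructed: what `sudo nmap -sU -p 53,67,123,161 -oG - 10.1.1.11` might print
UDP_GNMAP=$(printf '%s\n' \
  '# Nmap 7.92 scan initiated (constructed sample)' \
  "Host: 10.1.1.11 ()${TAB}Status: Up" \
  "Host: 10.1.1.11 ()${TAB}Ports: 53/open/udp//domain///, 67/open|filtered/udp//dhcps///, 123/closed/udp//ntp///, 161/open|filtered/udp//snmp///" \
  '# Nmap done (constructed sample)')

# Constructed: what `nmap -v -sn -oG - 10.1.1.0/24` might print for three hosts
# (Down hosts only appear in -oG output when -v is given)
SWEEP_GNMAP=$(printf '%s\n' \
  "Host: 10.1.1.1 ()${TAB}Status: Up" \
  "Host: 10.1.1.11 ()${TAB}Status: Up" \
  "Host: 10.1.1.12 ()${TAB}Status: Down")

# Print, one per line, the ports of protocol PROTO that Nmap reported in STATE.
# Usage: ports_in_state STATE PROTO   (reads grepable output on stdin)
# Grepable fields are tab separated; each Ports entry has the layout
#   port/state/protocol/owner/service/rpcinfo/version/
ports_in_state() {
  awk -F "$TAB" -v want="$1" -v proto="$2" '
    /^Host:/ {
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") != 1) continue
        list = substr($i, 8)                 # drop the "Ports: " prefix
        n = split(list, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == want && f[3] == proto) print f[1]
        }
      }
    }'
}

# Print the addresses of hosts a ping sweep (-sn -oG -) reported as Up.
live_hosts() {
  awk -F "$TAB" '/^Host:/ && $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }'
}

# Demonstration on the constructed samples
printf '%s\n' "$UDP_GNMAP" | ports_in_state 'open|filtered' udp   # 67 and 161
printf '%s\n' "$UDP_GNMAP" | ports_in_state closed udp            # 123
printf '%s\n' "$SWEEP_GNMAP" | live_hosts                         # 10.1.1.1 and 10.1.1.11
```

On a real scan the functions are fed directly from NMAP, for example `sudo nmap -sU -p 53,67,123,161 -oG - 10.1.1.11 | ports_in_state 'open|filtered' udp`, which gives the list of ports worth retrying with -sV.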
NPing
NPing, which ships with NMAP, generates custom packets (TCP, UDP, ICMP and ARP) and reports any responses. Crafting raw frames, as below, requires root privileges.
Gratuitous ARP
Target a host with a GARP reply: send a single packet (-c 1) to 10.1.1.11 announcing that 10.1.1.1 is at the sender MAC. This rewrites the target's ARP cache entry, so use it only on networks you are authorised to test.
sudo nping -c 1 --arp-sender-mac 08:00:27:ba:6c:7f \
--arp-sender-ip 10.1.1.1 --arp-type ar \
--arp-target-mac 08:00:27:74:99:3b 10.1.1.11 \
--interface eth1 --dest-mac 08:00:27:74:99:3b