Intro

NMAP is a tool for network discovery and auditing. This is not a comprehensive tutorial, only a quick reference source. Consult the man pages and/or documentation for an in-depth explanation of commands.

Port Scan

Top Ports

Scan the top N number of ports

cmd
nmap --top-ports 10 target.dummy

TCP SYN Scan

TCP SYN scans do not perform a full TCP 3-way handshake. A RST is sent to the server when a SYN/ACK is received. The flow between the NMAP client and server looks like this:

Client   TCP Connection    Server
NMAP     ---SYN-->         SERVER
NMAP     <--SYN/ACK---     SERVER
NMAP     ---RST-->         SERVER
cmd
sudo nmap -sS -p 22,113,139 target.dummy
Note
TCP SYN scans require raw-packet privileges, which is why the command above is run with sudo.

https://nmap.org/book/synscan.html

TCP Connect Scan

A TCP connect scan uses the underlying operating system's connect() call to perform a full TCP 3-way handshake, setting up a real connection between the client and the server. This scan is used when the user does not have raw-packet privileges or is scanning IPv6 networks. The flow between the NMAP client and the server looks like this:

NMAP     ---SYN-->         SERVER
NMAP     <--SYN/ACK---     SERVER
NMAP     ---ACK-->         SERVER
NMAP     <--DATA---        SERVER
NMAP     ---RST-->         SERVER
cmd
nmap -sT -p 22,80,443 target.dummy

https://nmap.org/book/scan-methods-connect-scan.html
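As an added defender-side example (not from the page or the Nmap project), the Python below takes captured TCP segments and labels each connection attempt as the half-open flow shown under TCP SYN Scan, the completed handshake shown under TCP Connect Scan, or a closed-port reply, then summarises which clients touched several ports on one server. The packet tuples and the sensor format are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture: (src, dst, sport, dport, flags) in arrival order.
# 10.1.1.5 probes 10.1.1.11: port 22 half-open (SYN, SYN/ACK, RST),
# port 80 full connect (SYN, SYN/ACK, ACK, RST), port 113 closed (SYN, RST/ACK).
SAMPLE = [
    ("10.1.1.5", "10.1.1.11", 40001, 22, "S"),
    ("10.1.1.11", "10.1.1.5", 22, 40001, "SA"),
    ("10.1.1.5", "10.1.1.11", 40001, 22, "R"),
    ("10.1.1.5", "10.1.1.11", 40002, 80, "S"),
    ("10.1.1.11", "10.1.1.5", 80, 40002, "SA"),
    ("10.1.1.5", "10.1.1.11", 40002, 80, "A"),
    ("10.1.1.5", "10.1.1.11", 40002, 80, "R"),
    ("10.1.1.5", "10.1.1.11", 40003, 113, "S"),
    ("10.1.1.11", "10.1.1.5", 113, 40003, "RA"),
]

def classify_flows(packets):
    """Map (client, server, dport) to one of: 'half-open' (SYN, SYN/ACK, RST
    with no client ACK, the -sS flow), 'connect' (handshake completed, the
    -sT flow), 'closed' (server answered with RST/ACK) or 'no-reply'."""
    seq = defaultdict(list)   # 4-tuple of the initial SYN -> [(side, flags)]
    syns = set()
    for src, dst, sport, dport, flags in packets:
        if flags == "S":                       # bare SYN opens a new flow
            syns.add((src, dst, sport, dport))
        if (src, dst, sport, dport) in syns:
            seq[(src, dst, sport, dport)].append(("client", flags))
        elif (dst, src, dport, sport) in syns:  # reverse direction = server
            seq[(dst, src, dport, sport)].append(("server", flags))
    labels = {}
    for (client, server, _sport, dport), events in seq.items():
        server_flags = [f for side, f in events if side == "server"]
        client_flags = [f for side, f in events if side == "client"]
        if "RA" in server_flags:
            label = "closed"
        elif "SA" in server_flags and "A" in client_flags:
            label = "connect"
        elif "SA" in server_flags and "R" in client_flags:
            label = "half-open"
        else:
            label = "no-reply"
        labels[(client, server, dport)] = label
    return labels

def scanners(packets, min_ports=3):
    """Clients that touched at least min_ports ports on one server, with a
    count per handshake pattern so an analyst can tell -sS from -sT."""
    per_client = defaultdict(lambda: defaultdict(int))
    for (client, server, _dport), label in classify_flows(packets).items():
        per_client[(client, server)][label] += 1
    return {k: dict(v) for k, v in per_client.items()
            if sum(v.values()) >= min_ports}
```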

UDP Scan

UDP scans send a UDP packet to the target port and, depending on the response, NMAP assigns the port a state according to the following table.

NMAP State        Response Type
open              Any UDP response (this is unusual)
open | filtered   No response received
closed            ICMP port unreachable error (type 3, code 3)
filtered          Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13)
cmd
sudo nmap -sU -p 53 target.dummy
Note
UDP scans require raw-packet privileges, which is why the command above is run with sudo.

https://nmap.org/book/scan-methods-udp-scan.html

Aggressive Scan

An aggressive scan combines a number of scan types without having to remember a large number of flags. The scans include:

  • OS Detection
  • Version Scanning
  • Script Scanning
  • Traceroute
cmd
nmap -A target.dummy
Note
Aggressive scans are intrusive and should not be used against a target without permission.

Ping Sweep

Subnet

Ping sweep a subnet

cmd
nmap -sn 10.1.1.0/24

https://nmap.org/book/man-host-discovery.html

NPing

NPing allows you to generate and send custom packets.

Gratuitous ARP

Target a host with a GARP reply

cmd
sudo nping -c 1 --arp-sender-mac 08:00:27:ba:6c:7f \
  --arp-sender-ip 10.1.1.1 --arp-type ar \
  --arp-target-mac 08:00:27:74:99:3b 10.1.1.11 \
  --interface eth1 --dest-mac 08:00:27:74:99:3b