Basic Nmap Switches
Some basic but useful nmap switches to get started:
Common Switches
  -sU           Scan UDP ports
  -sS           Scan default TCP ports (SYN scan)
  -A            Aggressive scan: turns on OS detection, version detection, default scripts and traceroute
  -sV           Service/version detection
  -O            OS detection
  -T0 .. -T5    Timing template: T0 slowest, T5 fastest
  -p            Port(s) to scan
  -iL           Input list of targets read from a file
Default Scan (-sS, SYN scan)
- Scans up to 1000 hosts per second
- Only sends SYN requests; the handshake is never completed (half-open scan)
- Stealthy
Full TCP Three-Way Handshake Connection (-sT)
- Slow and generates a lot of traffic
- Uses the underlying operating system's network stack to send the packets
- Completes a three-way handshake with each port it scans
- May trigger an IDS or other systems designed to detect scanning activity
Ping Scan (-sn)
- See which hosts in the range are up/down
- Note: some systems do not respond to pings and falsely appear to be down (see -Pn below)
Version Enumeration / Banner Grabbing (-sV)
- Used to see which software, and which software versions, are running on the open ports
Port Scanning
- -p is used to scan specific ports
- -p- is used to scan all ports
- UDP and TCP ports can be scanned in the same run by prefixing them with U: and T:
- nmap -p U:53,T:22,25
- --exclude-ports 53 skips the given ports
Operating System Detection (-O)
- Used to guess the operating system of the target from its responses
Scan ICMP-Disabled Hosts
nmap -Pn 10.10.10.10 (older versions of nmap use -P0)
- Used to scan hosts that do not respond to ping
- Treats all hosts as live and skips host discovery
- Can be very noisy
Scan a List of Hosts from a File (-iL)
- Used to scan a list of hosts held in a text file, one target per line
Timing (-T0 .. -T5)
- Used to control the timing of the scan
- How fast or slow the scan runs; 0 is the slowest, scanning one port every 5 minutes
- T4 is generally a comfortable speed
Output Results to File
nmap -p- 10.10.10.10 -oG nmap-scan.txt
- -oG: greppable output format
- -oN: normal output, what you see on the screen
- -oX: XML output format
- -oA: all of the above, written as 3 separate files
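Working with the greppable (-oG) output from the command above, as an added example that is not part of the original notes: the scan output embedded below is constructed, and sample_gnmap and open_ports_from_gnmap are hypothetical helper names, not nmap's own.

```shell
#!/bin/sh
# Added example: pull the open ports out of a greppable (-oG) nmap file.
# The scan output below is constructed for the example, not a real scan;
# the function names are hypothetical helpers, not part of nmap.

# Constructed -oG output: greppable lines are tab-separated fields, and
# each port entry is port/state/protocol/owner/service/rpcinfo/version.
sample_gnmap() {
    printf '%s\n' '# Nmap scan initiated (constructed sample)'
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 25/closed/tcp//smtp///, 53/open|filtered/udp//domain///, 80/open/tcp//http//nginx 1.18/\tIgnored State: filtered (996)\n'
    printf 'Host: 10.10.10.11 ()\tStatus: Down\n'
    printf '%s\n' '# Nmap done (constructed sample)'
}

# Read -oG output on stdin; print "host port/proto service version" for
# every port whose state is exactly "open". UDP ports reported as
# "open|filtered" (the usual -sU answer) are deliberately left out, so
# the caller only sees ports that definitely answered.
open_ports_from_gnmap() {
    awk -F'\t' '
    /^Host: .*Ports: / {
        host = $1
        sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep the IP only
        for (i = 2; i <= NF; i++) {
            if (index($i, "Ports: ") != 1) continue
            n = split(substr($i, 8), entry, /, /)
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] != "open") continue
                version = (f[7] == "") ? "-" : f[7]
                printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], version
            }
        }
    }'
}

# Real use after the command above:  open_ports_from_gnmap < nmap-scan.txt
sample_gnmap | open_ports_from_gnmap
```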