Nmap

Quick start

nmap -sC -sV -oA folder/nmap-output 10.10.10.123
nmap -sV -vv --script vuln 10.10.10.123 -oA nmap-with-vuln

Scan Types

Syn Scan (Stealth scan)

nmap -sS

Syn Scan: https://nmap.org/book/synscan.html

UDP Scan

nmap -sU

Scan ports

By default Nmap scans only 1000 ports (the most commonly used ones), so use -p to choose ports explicitly

nmap -p <port>

Scan all ports

nmap -p-

OS Detection

nmap -O

Service Version Detection

nmap -sV

Verbose (When you want to see what nmap is doing)

nmap -v     # verbose
nmap -vv    # very verbose

Aggressive Scan

Enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)

nmap -A

Scan Timing templates

T1 - T5 (T5 is the fastest template)

nmap -T4

Scan without Ping

Default behavior: Nmap first pings the host and skips it if the ping fails; -Pn skips host discovery and treats every host as up.

nmap -Pn

Nmap with scripts

Locate Nmap scripts

locate '*.nse' | grep <name>    # quote the glob so the shell does not expand it

Scan with default scripts

nmap -sC

Select specific script

nmap --script <something>

Run all scripts in the vuln category

nmap --script vuln

Grab service banners together with version detection

nmap -sV --script=banner <IP>

Wildcard

nmap -p 139,445 --script=smb-vuln* $targetip
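The two selection forms above behave differently: a bare word such as `vuln` picks every script whose `categories` table contains that category, while `smb-vuln*` matches script file names. The following shell example is added here and is not part of the cheat sheet or of nmap; it builds a handful of constructed, placeholder .nse headers in a temporary directory and resolves both kinds of selector against them (plus the "vuln and safe" style of combined expression), so you can see which scripts a given --script argument would actually run before pointing it at a host.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: how an nmap --script argument
# resolves to script files. Every .nse script declares a `categories` table;
# a bare word selects by category, a pattern selects by file name.
# The script headers written below are constructed placeholders, not real
# nmap scripts, and live in a temporary directory.
SCRIPT_DIR=$(mktemp -d)

write_stub() { # $1 = script name, $2 = body of the Lua categories table
  printf 'description = [[Constructed placeholder]]\ncategories = {%s}\n' "$2" \
    > "$SCRIPT_DIR/$1.nse"
}
write_stub smb-vuln-example  '"vuln", "intrusive"'
write_stub smb-enum-example  '"discovery", "safe"'
write_stub http-vuln-example '"vuln", "safe"'
write_stub banner            '"discovery", "safe"'

# Scripts whose categories table contains every category given as an argument.
# One argument behaves like `--script vuln`; two like `--script "vuln and safe"`.
scripts_in_all() {
  for f in "$SCRIPT_DIR"/*.nse; do
    ok=1
    for c in "$@"; do
      grep -q "categories *= *{[^}]*\"$c\"" "$f" || ok=0
    done
    [ "$ok" -eq 1 ] && basename "$f" .nse
  done | sort | paste -s -d ',' -
}

# Scripts whose file name matches a shell-style pattern, like `--script=smb-vuln*`.
# $1 is left unquoted on purpose so the shell expands the glob.
scripts_matching() {
  for f in "$SCRIPT_DIR"/$1.nse; do
    [ -e "$f" ] && basename "$f" .nse
  done | sort | paste -s -d ',' -
}

echo "vuln:          $(scripts_in_all vuln)"
echo "vuln and safe: $(scripts_in_all vuln safe)"
echo "smb-vuln*:     $(scripts_matching 'smb-vuln*')"
echo "smb-*:         $(scripts_matching 'smb-*')"
```

The category check is a plain grep over the `categories` line, which is enough for headers of this shape; nmap itself loads the script database, so treat this as an illustration of the selection rules rather than a reimplementation.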

Output

XML output

nmap -oX <file>

All formats at once: normal, XML and grepable output as <basename>.nmap, .xml and .gnmap

nmap -oA <basename>
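The usual workflow behind the quick start and the "Scan all ports" entries is a full -p- sweep saved with -oA, followed by -sC -sV on only the ports that came back open. The shell example below is added here and is not part of the cheat sheet or of nmap: it parses the grepable (.gnmap) file that -oA produces, lists the open ports, and assembles the targeted follow-up command. The .gnmap text is constructed inline for the example rather than captured from a host, and the output basename and target passed to the helper are placeholders.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: extract open ports from the
# grepable output written by `nmap -p- -oA full <IP>` (full.gnmap) and build
# the targeted `-sC -sV` follow-up so version and script scans only touch
# ports that are actually open. The .gnmap content below is constructed for
# the example, not real captured output.

SAMPLE_GNMAP=$(
  printf '# Nmap 7.94 scan initiated as: nmap -p- -oA full 10.10.10.123\n'
  printf 'Host: 10.10.10.123 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.123 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, '
  printf '139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///'
  printf '\tIgnored State: closed (65531)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
)

# Print one open port per line. $1 is the full text of a .gnmap file.
# Each record in the Ports: field looks like port/state/proto//service///.
open_ports() {
  printf '%s\n' "$1" |
    sed -n 's/.*Ports: //p' |
    sed 's/[[:space:]]*Ignored State.*//' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//' |
    awk -F/ '$2 == "open" { print $1 }'
}

# Comma-separated list in the form nmap -p expects.
port_list() {
  open_ports "$1" | paste -s -d ',' -
}

# Build the follow-up command: $1 = .gnmap text, $2 = output basename, $3 = target.
# Fails instead of emitting `-p ` with nothing after it when no port is open.
followup_cmd() {
  ports=$(port_list "$1")
  if [ -z "$ports" ]; then
    echo "no open ports found in gnmap input" >&2
    return 1
  fi
  printf 'nmap -sC -sV -p %s -oA %s %s\n' "$ports" "$2" "$3"
}

# Stand-alone demonstration on the constructed sample.
echo "open ports: $(port_list "$SAMPLE_GNMAP")"
followup_cmd "$SAMPLE_GNMAP" targeted 10.10.10.123
```

In practice you would feed it the real file, e.g. `followup_cmd "$(cat full.gnmap)" targeted 10.10.10.123`; filtered ports are deliberately left out of the list, since version probes against them only add noise and time.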

Enumerate SMB

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP>

RPC (NFS exports via the portmapper on port 111)

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount -oA . <IP>
