Summary:

1. Getting started with Nmap

2. Nmap scripting engine (NSE)

3. GUI interface for Nmap: ZenMap

Details:

1. Getting started with Nmap

nmap 192.168.1.24-255

>default scan: the 1000 most common TCP ports

nmap -sP 10.1.1.*

>ping scan (this is a ping only scan)

nmap -sS -p0 -sV -O 10.1.1.150-250

>sS: TCP SYN scan (looking for TCP devices)

>p0: protocol scan (protocol 0 means all protocols)

>sV: show version of OS

>O: discover the target's operating system

nmap -T5 10.1.1.150

>T5: timing template 5 is faster than T1 (the higher the number, the faster the scan)

nmap --top-ports 20 10.1.1.0/24

>only scan the 20 ports most likely to be open

nmap -sT -p80 10.1.1.1-150

>Let's find out who's running web services

>sT: TCP connect scan (completes the full TCP connection)

>p80: only look at port 80

nmap -sS 10.1.1.150 -D 192.168.1.92,192.168.1.93

>sS: TCP SYN scan

>D: decoy, so that the victim also thinks you are coming from two additional source IPs, 192.168.1.92 and 192.168.1.93

nmap -v 10.1.1.150

>v: verbose output

nmap -F 10.1.1.0/24 --exclude 10.1.1.33,10.1.1.34

>F: fast scan, only the 100 most common ports

nmap -Pn 10.1.1.150

>Pn: skip the ping (host discovery) and scan the host as if it were up

nmap -6 2001:db8:6783:1::1

>scan IPv6 address; you need to enable an IPv6 interface on your box

>To add an IPv6 address: "ifconfig eth0 inet6 add 2001:db8:6783:1::2/64"

nmap --iflist

>show your own interfaces and routes so that you know which networks you can reach and scan

2. NSE: a collection of scripts that gather even more detailed information about the hosts

2.1 Default scripts

nmap --script=default 10.1.1.150

>same as nmap -sC 10.1.1.150: run the scripts in the default category

2.2 Try script help option

nmap --script-help discovery

>show the help text for every script in the discovery category

2.3 Combine script categories

nmap --script "safe or default" 10.1.1.150

>combine script categories with a boolean expression (and, or, not)

>safe: scripts in this category are not likely to bring down the target's system

nmap --script "discovery and version" 10.1.1.150

nmap -A -T4 10.1.1.150

>A: aggressive scan, turns on several option groups at once (OS detection, version detection, default scripts, traceroute)

>T4: timing template 4, a fast scan
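To see which scripts an expression such as "safe or default" or "discovery and version" actually selects before running it against a host, it helps to evaluate the expression against a script catalogue. The code below is an added example, not part of the original notes or of Nmap's own selection logic; it implements the same boolean grammar (`and`, `or`, `not`, parentheses, category names, script names, `all`) over a constructed catalogue whose category assignments are illustrative, so check `nmap --script-help <name>` for the real ones.

```python
"""Evaluate Nmap-style --script expressions ("safe or default",
"discovery and not intrusive") against a script catalogue.

Added example, not from the original notes or from Nmap. CATALOGUE is
constructed for illustration; real category membership comes from each
script's own 'categories' field.
"""
import re

# Constructed catalogue: script name -> categories it belongs to.
CATALOGUE = {
    "ssh-hostkey": {"default", "discovery", "safe"},
    "http-title": {"default", "discovery", "safe"},
    "banner": {"discovery", "safe"},
    "http-slowloris-check": {"vuln", "safe"},
    "http-sql-injection": {"intrusive", "vuln"},
    "dns-brute": {"discovery", "intrusive"},
    "ssl-cert": {"default", "discovery", "safe"},
}

# A token is a parenthesis or a name (category or script); whitespace is skipped.
TOKEN_RE = re.compile(r"\s*(\(|\)|[A-Za-z0-9_\-]+)")


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser; precedence from low to high: or, and, not."""

    def __init__(self, expr):
        self.tokens = tokenize(expr)
        self.i = 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        tok = self.take()
        if tok == "not":
            return ("not", self.not_expr())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None:
            raise ValueError("unexpected end of expression")
        return ("name", tok)


def matches(node, script, categories):
    """True if a script (by name or by category) satisfies the parsed expression."""
    kind = node[0]
    if kind == "name":
        term = node[1]
        return term == "all" or term == script or term in categories
    if kind == "not":
        return not matches(node[1], script, categories)
    left = matches(node[1], script, categories)
    right = matches(node[2], script, categories)
    return (left or right) if kind == "or" else (left and right)


def select_scripts(expr, catalogue=CATALOGUE):
    """Return the sorted script names an expression would select from the catalogue."""
    tree = Parser(expr).parse()
    return sorted(name for name, cats in catalogue.items() if matches(tree, name, cats))


if __name__ == "__main__":
    for expr in ("safe or default", "discovery and not intrusive", "default and not (http-title or ssl-cert)"):
        print(f"{expr!r}: {', '.join(select_scripts(expr))}")
```

The practical check this gives you is the one behind the "safe" note above: `select_scripts("discovery and not intrusive")` shows whether an expression you are about to run still pulls in anything from the intrusive category. Wildcards such as `http-*` are not handled here.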

3. ZenMap

Scan a single host

Scan a network

You can create your own profile: