Summary:

1. Getting started with Nmap
2. Nmap scripting engine (NSE)
3. GUI interface for Nmap: ZenMap

Details:

1. Getting started with Nmap

nmap 192.168.1.24-255
>default scan: the 1000 most common TCP ports

nmap -sP 10.1.1.*
>ping scan (host discovery only, no port scan)

nmap -sS -p0 -sV -O 10.1.1.150-250
>sS: TCP SYN scan (half-open scan for TCP services)
>p0: lowercase p selects ports, so this scans only port 0; the "skip ping" option is -P0 with a capital P, now spelled -Pn
>sV: service/version detection on the open ports
>O: OS detection

nmap -T5 10.1.1.150
>T5 is faster than T1 (timing templates run from T0, slowest, to T5, fastest)

nmap --top-ports 20 10.1.1.0/24
>only scan the 20 most commonly open ports

nmap -sT -p80 10.1.1.1-150
>Let's find out who's running web services
>sT: TCP connect scan (completes the full TCP handshake)
>p80: only look at port 80

nmap -sS 10.1.1.150 -D 192.168.1.92,192.168.1.93
>sS: TCP SYN scan
>D: decoy; the target also sees the same probes coming from 192.168.1.92 and 192.168.1.93, so your real address is mixed in with the decoys

nmap -v 10.1.1.150
>verbose output

nmap -F 10.1.1.0/24 --exclude 10.1.1.33,10.1.1.34
>F: fast mode, only scans the 100 most common ports
>exclude: leave these hosts out of the scan

nmap -Pn 10.1.1.150
>skip the ping/host-discovery step and treat the host as up

nmap -6 2001:db8:6783:1::1
>scan an IPv6 address; you need an IPv6 address configured on your own interface first
>To add an IPv6 address: "ifconfig eth0 inet6 add 2001:db8:6783:1::2/64"

nmap --iflist
>show your own interfaces and routes so that you know which networks you can reach and scan

2. NSE: a collection of scripts to get even more detailed information about the hosts

2.1 Default script
nmap --script=default 10.1.1.150
>same as nmap -sC 10.1.1.150: run the default script set

2.2 Try the script help option

nmap --script-help discovery
>man-style help for the discovery category

2.3 Combine script categories
nmap --script "safe or default" 10.1.1.150
>combine script categories with boolean expressions
>safe: scripts that are not likely to bring down the target's system

nmap --script "discovery and version" 10.1.1.150
>only scripts that are in both the discovery and version categories

nmap -A -T4 10.1.1.150
>A: aggressive mode, a bundle of OS detection, version detection, default scripts and traceroute
>T4: timing template 4, faster
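On your own network, the useful follow-up to the scans in sections 1 and 2 is to turn the result into an inventory and compare it with what you expect to be exposed. The following is an added example, not from these notes or from the Nmap project: it reads Nmap's XML report (the -oX output of a scan such as nmap -sS -sV --script "safe or default" -oX scan.xml 10.1.1.0/24), extracts open ports, service versions and per-port NSE script output, and flags open ports missing from a baseline. The SAMPLE_XML document and the BASELINE table are constructed samples in Nmap's -oX layout, not results of a real scan.

```python
"""Turn an Nmap XML report (-oX) into an exposure inventory.

Added example; not part of the original notes or of Nmap itself.
Assumed workflow: scan your own network with -oX, then run this parser
over the XML.  SAMPLE_XML and BASELINE below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout (not a real scan result).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -sC -oX - 10.1.1.150-151">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.1.1.150" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
        <script id="http-title" output="Internal wiki"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.1.1.151" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed baseline: (protocol, port) pairs each host is expected to expose.
BASELINE = {"10.1.1.150": {("tcp", 22), ("tcp", 80)}}


def parse_report(xml_text):
    """Return {addr: [(proto, port, service, version, {script_id: output})]}
    for every host Nmap reported as up."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth recording
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        entries = []
        for port in host.iter("port"):  # <extraports> is summarised, not listed
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # -sV fills product/version; a "table" match leaves them absent.
            version = ""
            if svc is not None:
                version = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            # NSE output is attached as <script id=... output=...> under the port.
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            entries.append((port.get("protocol"), int(port.get("portid")), name, version, scripts))
        inventory[addr_el.get("addr")] = entries
    return inventory


def unexpected_exposures(inventory, baseline):
    """Open ports that the baseline does not list for that host.
    A host with no baseline entry has every open port flagged."""
    findings = []
    for addr, entries in inventory.items():
        allowed = baseline.get(addr, set())
        for proto, port, name, version, _scripts in entries:
            if (proto, port) not in allowed:
                findings.append((addr, proto, port, name, version))
    return findings


if __name__ == "__main__":
    inv = parse_report(SAMPLE_XML)
    for addr, entries in inv.items():
        for proto, port, name, version, scripts in entries:
            print(f"{addr} {port}/{proto} {name} {version} {scripts}")
    for addr, proto, port, name, version in unexpected_exposures(inv, BASELINE):
        print(f"UNEXPECTED: {addr} {port}/{proto} ({name} {version})")
```

Run the same scan on a schedule and diff the findings against the previous run; a new entry in the unexpected list is a change on your network that deserves a look, and the NSE output (here http-title) gives you the context to triage it without a second scan.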

3. ZenMap

Scan a single host

Scan a network

You can create your own profile: