Section: “Perform Host Discovery using Nmap – Is the Host UP/Down”
Nmap Command | Description |
---|---|
nmap -sn -PR [Target IP Address] | Performs host discovery using ARP (Address Resolution Protocol) requests; only works on local networks. |
nmap -sn -PU [Target IP Address] | Sends a UDP (User Datagram Protocol) packet to the target host(s) to check if they are up or down. |
nmap -sn -PE [Target IP Address] | Sends ICMP (Internet Control Message Protocol) echo requests (pings) to the target host(s). |
nmap -sn -PP [Target IP Address] | Sends ICMP timestamp requests to the target host(s) to determine if they are up or down. |
nmap -sn -PM [Target IP Address] | Sends ICMP address mask requests to the target host(s) to determine if they are up or down. |
nmap -sn -PS [Target IP Address] | Sends TCP (Transmission Control Protocol) SYN (synchronize) packets to the target host(s) to determine if they are up or down. |
nmap -sn -PA [Target IP Address] | Sends TCP ACK (acknowledge) packets to the target host(s) to determine if they are up or down. |
Section: “Explore Various Network Scanning Techniques using Nmap”
Nmap Command | Description |
---|---|
nmap -sT -v [Target IP Address] | Performs a TCP connect scan, which establishes a full TCP connection with the target host(s). |
nmap -sS -v [Target IP Address] | Performs a stealth SYN scan, which sends TCP SYN packets to the target host(s) without completing the connection. |
nmap -sX -v [Target IP Address] | Performs an Xmas scan, which sends TCP packets with FIN, URG, and PSH flags set to the target host(s). |
nmap -sM -v [Target IP Address] | Performs a Maimon scan, which sends TCP FIN/ACK packets to the target host(s). |
nmap -sA -v [Target IP Address] | Performs a TCP ACK scan, which checks for open, filtered, or closed ports on the target host(s). |
nmap -sU -v [Target IP Address] | Performs a UDP (User Datagram Protocol) scan to discover open UDP ports on the target host(s). |
nmap -sI [Zombie IP Address] -v [Target IP Address] | Performs an idle scan, which bounces probes off a third-party "zombie" host (a required argument to -sI) so that no packets reach the target from the scanner's own address. |
nmap -sY -v [Target IP Address] | Performs a SCTP (Stream Control Transmission Protocol) INIT scan to discover open SCTP ports. |
nmap -sZ -v [Target IP Address] | Performs a SCTP COOKIE ECHO scan to discover open SCTP ports. |
nmap -A [Target Subnet] | Performs an aggressive scan, which includes OS, version, script scanning, and traceroute. |
Section: “Perform OS Discovery using Nmap Script Engine (NSE)”
Nmap Command | Description |
---|---|
nmap -A [Target IP Address] | Performs an aggressive scan, which includes OS, version, script scanning, and traceroute. |
nmap -O [Target IP Address] | Performs OS detection based on responses to various probes. |
Section: “Scan beyond IDS/Firewall using various Evasion Techniques”
Nmap Command | Description |
---|---|
nmap -f [Target IP Address] | Performs a scan with fragmented IP packets to evade IDS (Intrusion Detection Systems) and firewalls. |
nmap -g 80 [Target IP Address] | Uses a source port of 80 (typically associated with HTTP traffic) to make the scan less suspicious. |
nmap --mtu 8 [Target IP Address] | Sets a custom maximum transmission unit (MTU) size for the fragmented packets; the value must be a multiple of 8. |
nmap -D RND:10 [Target IP Address] | Creates decoy scans to make it difficult for the target to identify the real scanning IP address. |
Section: “Create Custom Packets using Nmap to Scan beyond IDS/Firewall”
Nmap Command | Description |
---|---|
nmap [Target IP Address] --data 0xdeadbeef | Adds custom hexadecimal data to the packets sent during the scan. |
nmap [Target IP Address] --data-string "Ph34r my l33t skills" | Adds a custom data string to the packets sent during the scan. |
nmap --data-length 5 [Target IP Address] | Sets the length of the payload in the packets sent during the scan. |
nmap --randomize-hosts [Target IP Address] | Randomizes the order in which hosts are scanned to avoid detection. |
nmap --badsum [Target IP Address] | Generates incorrect checksums for the packets sent during the scan to evade IDS and firewalls. |
Section: “Additional Nmap Scanning Techniques and Options”
Nmap Command | Description |
---|---|
nmap -p- [Target IP Address] | Scans all 65535 ports on the target host(s). |
nmap -p 1-65535 [Target IP Address] | Scans a specific range of ports (in this case, all of them) on the target host(s). |
nmap -p U:53,111,137,T:21-25,80,139,8080 [Target IP Address] | Scans specific UDP and TCP ports on the target host(s). |
nmap -sV [Target IP Address] | Performs service version detection on the target host(s). |
nmap --top-ports 10 [Target IP Address] | Scans the top 10 most common ports on the target host(s). |
nmap --open [Target IP Address] | Only shows open ports in the scan results. |
nmap --script vuln [Target IP Address] | Executes NSE (Nmap Scripting Engine) scripts related to vulnerability detection. |
nmap --script smb-enum-shares.nse [Target IP Address] | Executes the smb-enum-shares.nse script to enumerate SMB shares on the target host(s). |
nmap -6 [IPv6 Target Address] | Scans an IPv6 address instead of an IPv4 address. |
nmap -T4 [Target IP Address] | Sets the timing template to "T4" (aggressive); templates range from T0 (paranoid) to T5 (insane). |
Section: “Nmap Output and Timing Options”
Nmap Command | Description |
---|---|
nmap -oN output.txt [Target IP Address] | Saves the scan results in the normal human-readable format to a file named "output.txt". |
nmap -oX output.xml [Target IP Address] | Saves the scan results in XML format to a file named "output.xml", suitable for further processing. |
nmap -oG output.gnmap [Target IP Address] | Saves the scan results in the grepable format to a file named "output.gnmap". |
nmap -oA output [Target IP Address] | Saves the scan results in all three formats (normal, XML, and grepable) with the base filename "output". |
nmap --stats-every 10s [Target IP Address] | Displays periodic timing and statistical updates every 10 seconds during the scan. |
nmap --max-retries 2 [Target IP Address] | Sets the maximum number of retransmissions for each probe to 2 (default is 10). |
nmap --host-timeout 30m [Target IP Address] | Sets a timeout of 30 minutes per host, after which Nmap will move on to the next host. |
nmap --min-rate 100 [Target IP Address] | Sets a minimum sending rate of 100 packets per second to speed up the scan. |
nmap --max-rate 1000 [Target IP Address] | Limits the maximum sending rate to 1000 packets per second to avoid overwhelming the network. |
Section: “Nmap Scripting Engine (NSE) and Script Categories”
Nmap Command | Description |
---|---|
nmap --script default [Target IP Address] | Runs the default set of NSE scripts, which are considered safe and useful for most scans. |
nmap --script safe [Target IP Address] | Runs NSE scripts that are considered safe and unlikely to cause any issues on the target host(s). |
nmap --script discovery [Target IP Address] | Runs NSE scripts that focus on host discovery and gathering additional information. |
nmap --script auth [Target IP Address] | Runs NSE scripts that check for authentication-related vulnerabilities or weaknesses. |
nmap --script broadcast [Target IP Address] | Runs NSE scripts that send broadcast probes to discover hosts and services on the network. |
nmap --script brute [Target IP Address] | Runs NSE scripts that perform brute-force attacks against various services and protocols. |
nmap --script exploit [Target IP Address] | Runs NSE scripts that attempt to exploit known vulnerabilities on the target host(s). |
nmap --script external [Target IP Address] | Runs NSE scripts that rely on third-party services or databases to gather information. |
nmap --script fuzzer [Target IP Address] | Runs NSE scripts that use fuzzing techniques to discover vulnerabilities in the target host(s). |
nmap --script intrusive [Target IP Address] | Runs NSE scripts that are considered intrusive and may cause issues on the target host(s). |
nmap --script malware [Target IP Address] | Runs NSE scripts that detect malware or signs of a compromised system on the target host(s). |
nmap --script all [Target IP Address] | Runs all available NSE scripts, including intrusive ones (use with caution). |