Nmap
Network scanning tool used for discovering hosts and services on a computer network.
nmap IP #Basic scan on the 1.000 most common ports
nmap -p port IP #Scan on specified port $nmap -p 80 10.10.10.12
nmap -p- IP #Scan on all 65.535 ports
nmap 10.10.10.1-254 #Scan range of IPs
nmap 10.10.10.0/24 #Scan full network using the specified netmask
nmap domain.com #Scan a domain
nmap -iL list.txt #Scan the IPs listed in a file
nmap --exclude IP #Exclude specified IP from scan
nmap -v -oG - #With no target given, lists the 1000 common ports that the basic scan covers, in grepable format (-oG) written to stdout (-)
nmap -oA myScan #Exports the result of the scan to all formats, XML (myScan.xml), grepable (myScan.gnmap) and text (myScan.nmap)
nmap --open #List only open ports
#Parameters
-sL #No scanning, just lists the hosts in the network range; reverse-DNS lookups are still sent unless -n is added !redirect the output into a .txt
-sP #Ping scan, similar to -sn, but tries to resolve hostname (current Nmap documents -sP as the older name of -sn)
-Pn #Scan without pinging, treat all hosts as online, skips host discovery
--traceroute #Trace hop path to each host
-PU #UDP ping scan
-PR #ARP ping scan
#Examples
nmap -sn IP/prefix #Ping scan, disables port scanning, fast $nmap -sn 192.168.1.0/24
#Parameters
-v -vv -vvv #Verbosity/detail level !Recommended -v
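-sS #SYN scan, fast and stealthier than a full connect scan; needs raw-packet (root/administrator) privileges and still shows up in IDS and firewall logs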
-sV #Scans for version of the service !Essential!
-sV --version-intensity 7 #Sets aggression level, 0 low but fast, 9 precise but slower, default 7.
-sC #Same as --script=default; uses the default nmap scripts to better discover services and vulnerabilities
--script=custom_script IP #Save custom scripts in ~/.nmap/scripts/ for a specific user or in /usr/share/nmap/scripts for all users
-sU #UDP scan
-O #Scans for OS detection
-A #Aggressive, scans for OS, version, scripts and traceroute
-T3 #Timing option, 0 slowest to 5 very aggressive, default 3
-F #Fast mode, scans fewer ports (the 100 most common instead of 1000) !For a quick peek
#Examples
#Parameters
-v -vv -vvv #Verbosity/detail level !Recommended -v
-f #Fragment packets
Examples
#Version scan on the 1.000 most common ports, saving results in all 3 file formats.
nmap -sV -oA myScan IP
#Version scan on all ports, listing only the open ones and saving results in all 3 file formats.
nmap -sV --open -p- -oA myScan IP