# nmap

## Scan Types

* ARP
* ICMP
* TCP
* UDP

## Port States

1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Closed|Filtered

## Usage

Full TCP port range, SYN scan (needs root), host discovery skipped, all three output formats (`.nmap`, `.gnmap`, `.xml`) written under the `nmap-full` prefix:

```sh
sudo nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <target>
```

Vulnerability scripts against the chosen ports:

```sh
sudo nmap -oA nmap-vuln -Pn --script vuln -p <ports> <target>
```

### combo with searchsploit

* nmap-full scan, then feed the XML output to searchsploit

```sh
sudo nmap -oA nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target>
searchsploit --nmap ./nmap-full.xml --verbose
```

### Wordpress Enumeration

```sh
nmap --script http-wordpress-enum --script-args check-latest=true,search-limit=1500 -p 80 test.com
```

### Use List of Hosts

```sh
nmap -iL <hosts-file>
```

* List targets without scanning them (`-sL`); `-n` suppresses the reverse-DNS lookups, drop it to have every address resolved

```sh
nmap -sL -n 10.10.0.0/16
```

### ARP Scan Local Network

```sh
nmap -PR -sn 192.168.0.0/24
```

### ICMP Scans

* __Type 8__ (Echo Request, the classic ping)

```sh
nmap -PE -sn 10.10.0.0/16
```

* __Type 13__ (Timestamp Request)

```sh
nmap -PP -sn 10.10.0.0/16
```

* __Type 17__ (Address Mask Request)

```sh
nmap -PM -sn 10.10.0.0/16
```

### TCP Scans

* `-PS23` SYN ping on port 23
* `-PA80-8080` ACK ping on ports 80-8080

#### TCP Scan Types

* __Null Scan__ `-sN`, sends a TCP packet with no flags set. A `RST/ACK` back means closed, no response means `open|filtered`, an ICMP unreachable means filtered.
* __FIN Scan__ `-sF`, only `FIN` set; responses are interpreted as for the null scan.
* __Xmas Scan__ `-sX`, `FIN/PSH/URG` set; `RST/ACK` when the port is closed, no response means `open|filtered`.
* __Maimon Scan__ `-sM`, sends `FIN/ACK`. On BSD-derived stacks the probe is dropped when the port is open and answered with `RST` when closed; most modern systems send `RST` either way, so it is only useful against old BSD-derived hosts.
* __ACK Scan__ `-sA`, sends `ACK`. Unfiltered ports answer `RST` whether open or closed; no response or an ICMP unreachable marks the port filtered. Maps firewall rules, does not tell open from closed.
* __Window Scan__ `-sW`, same probe as the ACK scan, but inspects the TCP window of the returned `RST`: a positive window means open, zero means closed, on the minority of systems that behave this way.
* __Custom Scan__ `--scanflags RSTACKFIN`, set an arbitrary flag combination (here `RST`, `ACK` and `FIN`). Combine with a base scan type such as `-sA` or `-sF` to control how responses are interpreted.
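The `-oA` runs in the Usage section above leave a `.gnmap` file behind that is easy to post-process. The following is an added example, not part of the original page: a POSIX shell helper that pulls the open TCP ports per host out of grepable output and builds the targeted `-sV -sC` follow-up command for each host, so the slow service detection only touches ports the fast `-sS -p-` pass actually found. The sample `.gnmap` content is constructed here in the real grepable format; the `nmap-targeted-` prefix and the `followup_scan_cmd` name are this example's own choices.

```sh
#!/bin/sh
# Two-phase workflow: parse the .gnmap of a full SYN scan, then scan only the
# discovered open TCP ports with service and default-script detection.

# Constructed sample in grepable (-oG / -oA .gnmap) format. Fields are tab-separated.
SAMPLE_GNMAP=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated as: nmap -oA nmap-full -Pn -sS -p- 10.10.10.0/24' \
  "$(printf 'Host: 10.10.10.5 (target.example)\tStatus: Up')" \
  "$(printf 'Host: 10.10.10.5 (target.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 8080/open|filtered/tcp//http-proxy///\tIgnored State: filtered (65531)')" \
  "$(printf 'Host: 10.10.10.6 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (65534)')" \
  '# Nmap done -- 2 IP addresses (2 hosts up) scanned')

# Read grepable output on stdin; print "<host> <port,port,...>" for every host
# that has at least one TCP port in state "open". closed, filtered and
# open|filtered entries are dropped, as are udp entries from -sU runs.
open_ports_from_gnmap() {
  awk -F'\t' '
    /^Host: / && /Ports: / {
      split($1, h, " "); host = h[2]           # "Host: 10.10.10.5 (name)" -> address
      ports = ""
      for (i = 2; i <= NF; i++)
        if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, entries, ", ")           # one entry per port
      list = ""
      for (j = 1; j <= n; j++) {
        split(entries[j], f, "/")               # port/state/proto/owner/service/rpc/version/
        if (f[2] == "open" && f[3] == "tcp")
          list = list (list == "" ? "" : ",") f[1]
      }
      if (list != "") print host " " list
    }'
}

# Build the targeted second-phase command for one host. Printed, not executed,
# so the pipeline can be reviewed before anything touches the network.
followup_scan_cmd() {
  host=$1
  ports=$2
  printf 'nmap -oA nmap-targeted-%s -Pn -sV -sC -p%s %s\n' "$host" "$ports" "$host"
}

# Demo on the constructed sample; replace the printf with `cat nmap-full.gnmap`
# (and pipe the result into sh) for a real run.
printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap | while read -r host ports; do
  followup_scan_cmd "$host" "$ports"
done
```

Because `-oA` also writes the XML, the same `nmap-full.xml` still feeds `searchsploit --nmap` as shown above; the grepable file is just the cheaper input for shell glue.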
### UDP Scans

* UDP port scan `-sU`; `-PU` is the UDP host-discovery probe
* A closed port answers with ICMP Type 3 Code 3 (port unreachable); other ICMP unreachable codes mean filtered; no response is reported as `open|filtered`

### DNS Scan

* No lookup `-n`
* Reverse lookup for every host, including hosts that are down `-R`
* Host discovery only, no port scan `-sn`

### Spoofing

* IP `-S <ip>` (needs `-e <iface>`, usually `-Pn`; replies go to the spoofed address, so the results are not seen)
* MAC `--spoof-mac <mac|prefix|vendor|0>` (`0` picks a random address)
* Skip host discovery, treat every host as up `-Pn`
* Decoy addresses `-D <decoy1>,<decoy2>,RND,RND,ME` (`RND` is a random address, `ME` marks the position of the real source)

### Service Detection

* `-sV`
* `--version-intensity <0-9>`
* Intensity 2 `--version-light`
* Intensity 9 `--version-all`

## Scripts

Installed at `/usr/share/nmap/scripts`; categories:

* __auth__ Authentication related scripts
* __broadcast__ Discover hosts by sending broadcast messages
* __brute__ Performs brute-force password auditing against logins
* __default__ Default scripts, same as `-sC`
* __discovery__ Retrieve accessible information, such as database tables and DNS names
* __dos__ Detects servers vulnerable to Denial of Service (DoS)
* __exploit__ Attempts to exploit various vulnerable services
* __external__ Checks using a third-party service, such as Geoplugin and Virustotal
* __fuzzer__ Launch fuzzing attacks
* __intrusive__ Intrusive scripts such as brute-force attacks and exploitation
* __malware__ Scans for backdoors
* __safe__ Safe scripts that won't crash the target
* __version__ Retrieve service versions
* __vuln__ Checks for vulnerabilities or exploit vulnerable services

## Tips & Tricks

* Fast scan of the 100 most common ports via `-F`, or pick the count with `--top-ports 100`
* One probe every 5 minutes via `-T0` (paranoid)
* A closed port responds with `RST/ACK` to an initial `SYN`; an open port answers `SYN/ACK`
* Scan ports sequentially with `-r` instead of the default random order
* Control packet rate via `--min-rate` and `--max-rate` (packets per second)
* Control parallel probes via `--min-parallelism` and `--max-parallelism`
* Fragment packets: `-f` 8-byte fragments, `-ff` 16-byte fragments, or `--mtu <multiple of 8>`
* Idle (zombie) scan `-sI <zombie host[:probeport]>` via a pwnd host inside the target's network
* `--reason` (why each port got its state), `-d` (debug), `-vv` (verbose)
* `--traceroute`
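Before pointing a category like `vuln` at a target it is worth knowing which scripts it will actually run, since the category also contains `intrusive` scripts. The following is an added example, not part of the original page or of Nmap: a POSIX shell helper that filters Nmap's script index (`script.db`, which lives next to the scripts under `/usr/share/nmap/scripts`) by categories that must all be present and categories that must be absent. The sample index content is a constructed excerpt written in the same `Entry { ... }` format as the real file; the function name `scripts_matching` is this example's own.

```sh
#!/bin/sh
# Preview which NSE scripts a category selection would run, using the
# script.db index that nmap maintains in its scripts directory.

# Constructed excerpt in the format of /usr/share/nmap/scripts/script.db.
SAMPLE_SCRIPT_DB=$(cat <<'EOF'
Entry { filename = "http-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
EOF
)

# scripts_matching WANT [AVOID]
#   WANT:  comma-separated categories that must all be present
#   AVOID: comma-separated categories none of which may be present (optional)
# Reads script.db lines on stdin and prints the matching script filenames.
scripts_matching() {
  awk -v want="$1" -v avoid="$2" '
    BEGIN { nw = split(want, W, ","); na = split(avoid, A, ",") }
    /^Entry [{] filename = "/ {
      match($0, /filename = "[^"]+"/)
      fn = substr($0, RSTART + 12, RLENGTH - 13)           # strip filename = "..."
      match($0, /categories = [{][^}]*[}]/)
      cats = "," substr($0, RSTART + 14, RLENGTH - 15) ","  # inner list, comma-fenced
      gsub(/[" ]/, "", cats)                                 # -> ,vuln,safe,,
      for (i = 1; i <= nw; i++)
        if (W[i] != "" && index(cats, "," W[i] ",") == 0) next
      for (i = 1; i <= na; i++)
        if (A[i] != "" && index(cats, "," A[i] ",") > 0) next
      print fn
    }'
}

# Demo on the constructed excerpt: vuln scripts that are not intrusive.
printf '%s\n' "$SAMPLE_SCRIPT_DB" | scripts_matching vuln intrusive
# Against a real install:
#   scripts_matching vuln intrusive < /usr/share/nmap/scripts/script.db
```

Nmap can evaluate the same boolean selection itself (`--script "vuln and not intrusive"`), and `nmap --script-help vuln` prints each script's documentation; the helper is for the case where you want the list as plain text to review, diff or grep before a scan.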