Complete Guide To NMAP

Nmap is a powerful network scanning tool that can identify open ports and services on devices. The document provides a detailed overview of Nmap commands for basic scanning of individual IPs, ranges, subnets and CIDR blocks. It also covers more advanced scanning techniques like operating system detection, firewall evasion, and bypassing intrusion detection systems. The goal is to educate readers on proper usage of Nmap for penetration testing and security assessments.
Copyright © All Rights Reserved

Complete Guide to NMAP

To start off, yes, I wrote this by myself. No copying/pasting from any other forum/website. The ones I didn't know I did research on the NMAP site but I changed the explanation to simpler terms and in my own words. I hope you all enjoy and use this thread. It's absolutely pertinent to any penetration test. I also go over (N)IDS bypassing and firewall evasion :)
1. Basic scanning - IP, subnet, range, list, exclusions, CIDR
Single IP:
nmap 192.168.1.7
This will get the basic ports and services of a single IP
Subnet:
nmap 192.168.1.255
This will get the info of IPs in the entire 192.168.1.255 subnet
Range:
nmap 192.168.1.1-100
Machines 192.168.1.1 - 192.168.1.100 will be scanned
Exclusions:
nmap 192.168.1.1-100 --exclude 192.168.1.7
CIDR:
For this you'll need some basic networking knowledge of how IPs are allocated.
An IPv4 address is 4 groups of 8 bits, which are converted to binary and sent to the router. Depending on what the first 8 bits are, the (unsubnetted) class is decided.
0 - 126 = Class A
127 = reserved. Localhost. Commonly 127.0.0.1, but the whole subnet is reserved.
128 - 191 = Class B
192 - 223 = Class C
Note: there are other classes and theoretical classes but these are what we'll be working with!
What does this mean?
In each class, a certain portion is representative of network, and the rest represent the
host.
Class A: 8 bits network, 24 bits host (CIDR /8)
Class B: 12 bits network, 16 bits host (CIDR /16)
Class C: 24 bits network, 8 bits host (CIDR /24)
See the pattern?
/8 essentially means scan:
X.255.255.255
/16
X.X.255.255
/24
X.X.X.255
So even if you have a 192.168 (class C) address you can use any CIDR, especially if it's subnetted.
So if there are 192.168.1.5 and 192.168.2.5 you should use a /16 CIDR.
Commands:
nmap 192.168.0.0/16
nmap 192.0.0.0/8
nmap 192.168.1.0/24
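Added example (not part of the original tutorial): a small helper, using Python's standard `ipaddress` module, that applies the first-octet class table above, shows exactly which addresses a `nmap <ip>/<prefix>` target covers, and computes the tightest block containing a set of hosts. For the tutorial's own pair 192.168.1.5 / 192.168.2.5 that tightest block is narrower than the classful /16 suggested above; both contain the hosts, the /16 just probes many more addresses. All addresses are the tutorial's sample values.

```python
import ipaddress

# First-octet ranges and default prefix lengths, as the tutorial lists them.
CLASS_TABLE = [
    (0, 126, "A", 8),
    (127, 127, "loopback", 8),
    (128, 191, "B", 16),
    (192, 223, "C", 24),
]


def classful_prefix(ip):
    """Return (class name, default CIDR prefix) for an IPv4 address string."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    for low, high, name, prefix in CLASS_TABLE:
        if low <= first_octet <= high:
            return name, prefix
    return "other", 32  # 224 and up (multicast, reserved): no classful default


def scan_scope(ip, prefix):
    """Describe what 'nmap <ip>/<prefix>' covers: the block, its first and
    last address, and how many addresses nmap would probe."""
    net = ipaddress.IPv4Network("%s/%d" % (ip, prefix), strict=False)
    return {
        "target": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "addresses": net.num_addresses,
    }


def smallest_block(ips):
    """Tightest CIDR block containing every address in `ips`.
    Widens the prefix from /32 until the highest address fits."""
    addrs = sorted(ipaddress.IPv4Address(ip) for ip in ips)
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network("%s/%d" % (addrs[0], prefix), strict=False)
        if addrs[-1] in net:
            return str(net)


if __name__ == "__main__":
    # Sample values taken from the tutorial's examples.
    print(classful_prefix("192.168.1.7"))                  # ('C', 24)
    print(scan_scope("192.168.1.7", 24)["target"])         # 192.168.1.0/24
    print(smallest_block(["192.168.1.5", "192.168.2.5"]))  # 192.168.0.0/22
```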

2. More Basic/Essential Scanning Parameters

From here on out I'll be using a SINGLE IP even though it can be replaced with anything from part 1.

- - - Part I - OS/Version Detection:
nmap -A 192.168.1.7
-A = aggressive scan
-O = OS detection
nmap -sV 192.168.1.7
-sV = Version Detection
nmap -A -O -sV 192.168.1.7
combine!
- - - Part II - Pinging:
Send a simple ICMP packet to see if the host is up
nmap -sP 192.168.1.7
- - - Part III - Firewall Checking / Scanning:
nmap -sA 192.168.1.7
Detects possible firewalls
nmap -PN 192.168.1.7
Attempts to circumvent the firewall: it does not ping the IP beforehand.
- - - Part IV - Custom Ports:
single:
nmap -p 80 192.168.1.7
range:
nmap -p 80-443 192.168.1.7
list:
nmap -p 80,21,22,223,443 192.168.1.7
protocols:
nmap -p U:51,100,123,T:21,22,80 192.168.1.7
U: UDP use with -sU
T: TCP use with -sT
Again, combine all these commands for the desired output!!
nmap -sV -A -O -p 80-443 192.168.1.0/24 --exclude 192.168.1.7
Think what it would do by reading above.
- - - Part V - Verbosity and Writing to Files:
-v 0-5 = verbose. 0-5 = level of verbosity.
nmap -v -O 192.168.1.7
-iL [path] = write output to text
nmap -A -O -iL /root/Desktop/ip.txt 192.168.1.7

3. Different Scanning Types

-sO = IP scan.... VERY IMPORTANT. This uses IP (Internet Protocol) to scan. Keep in mind, this does NOT scan ports!!!! DO NOT USE -p! This will tell you which protocols can be used to scan so you can tailor your scan accordingly (TCP, UDP, ICMP, IGMP, SCTP, etc.)
nmap -sO 192.18.1.7
-sS = TCP SYN scan. Most common and often useful. Very fast and can usually bypass most firewalls.
nmap -sS 192.18.1.7
-sT = TCP connect scan. A great alternative if -sS is not an option (blocked)
nmap -sT 192.18.1.7
-sU = UDP scan. VERY underused even though many services (DNS, DHCP, SNMP, to name a few) may have possible exploits on common UDP ports (53, 67, 161)
nmap -sU 192.18.1.7
-sY = SCTP scan. SCTP (Stream Control Transmission Protocol) is a fairly new alternative to TCP and UDP. Like a TCP SYN scan, it is pretty undetectable and overall has great stability.
nmap -sY 192.18.1.7
-sN = TCP null scan. Sends packets with no TCP flags set at all (FIN/PSH/URG and the rest are all cleared)...
nmap -sN 192.18.1.7
-sF = FIN scan. Only sets the FIN flag in the TCP header
nmap -sF 192.18.1.7
-sX = The infamous Christmas (Xmas) scan. Sets the FIN, PSH and URG flags together. It gets its name because the packet is 'lit up like a Xmas tree'.
nmap -sX 192.18.1.7
-sA = TCP ACK scan. Not a conventional scan and n00bs should stay away from it. It is usually used for attempting to determine firewall rulesets. It sends an ACK packet to the ports; if a reset (RST) packet is received then the port is labeled 'unfiltered' by the firewall, and if an ICMP error is received it is labeled 'filtered'. This does NOT determine whether ports are open or closed.
nmap -sA 192.18.1.7
-sW = Window scan. Keep in mind this is not perfect. Basically, it's similar to an ACK scan but it ATTEMPTS to read the TCP window field of the RST packet returned to differentiate between open and closed. Not all systems behave the same, so the margin of error is vast...
nmap -sW 192.18.1.7
-sZ = SCTP COOKIE ECHO scan. Basically, open ports should silently drop COOKIE ECHO packets, and closed ports will send an ABORT packet. If it does not get a response, the port is 'open'; if it gets an ABORT packet, it's 'closed'.
nmap -sZ 192.18.1.7

-sI <IP of zombie> = Zombie (idle) scan... this is GREAT for IDS bypassing as I'll show you next section. Basically, it uses the zombie as a middleman during the scan: the probes appear to be sent between the zombie and the target. It is not always available, but is awesome when it is!
nmap -sI 192.168.1.5 192.18.1.7
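Added example from the defender's side, not part of the original tutorial: the null, FIN, Xmas, SYN and ACK probes described above each carry a fixed TCP flag combination, so a sensor can classify packets by flag set and report a source that hits many distinct ports on one host with the same probe type. Packet records and addresses are constructed; flags use tcpdump's letters (S, A, F, P, U, R).

```python
from collections import defaultdict

# TCP flag letters in tcpdump notation (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST)
# mapped to the nmap probe whose packets carry exactly that set of flags.
PROBE_SIGNATURES = {
    frozenset(): "null scan (-sN)",
    frozenset("F"): "FIN scan (-sF)",
    frozenset("FPU"): "Xmas scan (-sX)",
    frozenset("S"): "SYN probe (-sS, -sT)",
    frozenset("A"): "ACK probe (-sA, -sW)",
}


def classify_flags(flags):
    """Return the probe type a flag string such as 'FPU' matches, else None.
    Flag order does not matter: 'UPF' and 'FPU' are the same set."""
    return PROBE_SIGNATURES.get(frozenset(flags.upper()))


def find_port_scans(records, min_ports=10):
    """records: iterable of (src_ip, dst_ip, dst_port, flags).
    Groups probe-shaped packets by (source, target, probe type) and reports
    the groups that touched at least `min_ports` distinct destination ports.
    The threshold keeps the lone SYNs and pure ACKs of normal sessions,
    which also match a signature, from being reported."""
    seen = defaultdict(set)
    for src, dst, dport, flags in records:
        kind = classify_flags(flags)
        if kind is None:
            continue  # e.g. 'PA' or 'FA': mid-session traffic, not a probe
        seen[(src, dst, kind)].add(dport)
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= min_ports}


# Constructed sample: a FIN scan and an Xmas scan against 192.168.1.7,
# plus one ordinary HTTP session from 192.168.1.9.
SAMPLE = (
    [("192.168.1.5", "192.168.1.7", p, "F") for p in range(1, 13)]
    + [("192.168.1.6", "192.168.1.7", p, "UPF") for p in range(20, 35)]
    + [("192.168.1.9", "192.168.1.7", 80, f) for f in ("S", "A", "PA", "A", "FA")]
)

if __name__ == "__main__":
    for (src, dst, kind), n in find_port_scans(SAMPLE).items():
        print("%s -> %s: %s across %d ports" % (src, dst, kind, n))
```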

4. IDS/IPS/NIDS Bypassing + Firewall Evasion

This is the type of scanning you should use in a network that is protected by host-based IDSes or NIDSes...
-f = Fragment. This will fragment the headers over multiple packets so the IDS will not notice any suspicious headers in one packet alone. Great for signature-based IDSes.
-T(0-5) = Time? The lower the number, the slower it will be, to avoid volumetrically activated IDSes. We will use -T0 if you want to be REALLY fucking sneaky or -T5 if you're not worried about getting in trouble when you get caught.
--data-length # = adds bytes to the end of the packets. Let's do 14 because it's not as
common a number for this and it's a multiple of 7.
-D <decoy(s)> = Decoy. Can take a couple parameters (using -sS as an example):
nmap -sS -D 192.168.1.5 192.168.1.7 [uses specific decoy]
nmap -sS -D RND 192.168.1.7 [Uses one random decoy]
nmap -sS -D RND:7 192.168.1.7 [uses 7 random decoys]
nmap -sS -D 192.168.1.1-6 192.168.1.7 [uses 192.168.1.1-6 as decoys]
nmap -sS -D 192.168.1.5,192.168.1.6 192.168.1.7 [uses those 2 as decoys]
nmap -sS -D ME 192.168.1.7 [Uses yourself as a decoy... not recommended]
You can also mix-n-match
nmap -sS -D RND:5,192.168.1.5-6 192.168.1.7
--randomize-hosts = By default nmap scans each host in sequential order. This can be detected by many NIDSes and can possibly be circumvented by randomizing the order in which they are scanned.
--spoof-mac 0/VendorID/[MAC Addr Here] = simply spoofs the MAC that's scanning... 0 = random. VendorID = all vendors have their own MAC prefixes. Custom = 6 groups of hex values separated by colons (Example: 1F:A9:03:B7:11:A8 or 00:00:00:11:22:33)
Final NMAP command for bypassing network based IDSes, signature based IDSes,
and decent firewalls:
Keep in mind, any scanning technique will work here. -sS is the most common so that's what I'm using.
Also note that randomizing hosts when scanning one host will not do anything. There's only one host.
Also note that when using -D RND it does NOT generate an in-network IP. It's a random IP (ex: 73.218.77.169, not 192.168.5.3) so it's best to use that when scanning an external IP. Otherwise, specify the IPs manually (comma-separated, with no spaces, or the shell will split the list).
nmap -sS -T0 -f -D 192.168.2.3,192.168.2.7,192.168.2.15,192.168.2.24 --randomize-hosts --data-length 14 --spoof-mac 00:00:00:77:33:77 192.168.1.0/24
nmap.org/book/man-port-scanning-techniques.html

This scan may take up to SEVERAL hours to complete if there are lots of hosts on the network.
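Added example from the defender's side, not part of the original tutorial: a network sweep detector that counts distinct destination hosts per source address within a fixed time window. The order of hosts (--randomize-hosts) never enters the count, and each decoy address (-D) is simply one more source that gets reported beside the real scanner, so decoys multiply alerts rather than hide the sweep. Flow records, addresses and timestamps are constructed; the real scanner address 192.168.2.50 and the client 192.168.2.80 are assumptions, the decoy addresses are the ones from the final command above.

```python
from collections import defaultdict


def find_host_sweeps(records, window=60, min_hosts=8):
    """records: iterable of (timestamp_seconds, src_ip, dst_ip).
    Buckets each source's traffic into fixed windows of `window` seconds and
    reports (source, window start) pairs that reached at least `min_hosts`
    distinct destinations. Only the count matters, so the order in which the
    hosts were probed makes no difference. A -T0 scan that spreads probes
    over hours needs a correspondingly longer window to be caught here."""
    hosts = defaultdict(set)
    for ts, src, dst in records:
        hosts[(src, int(ts) // window * window)].add(dst)
    return {key: len(v) for key, v in hosts.items() if len(v) >= min_hosts}


def scanning_sources(records, **kw):
    """Distinct source addresses that appear in any flagged sweep."""
    return sorted({src for src, _ in find_host_sweeps(records, **kw)})


# Constructed sample: one scanner (192.168.2.50) probing 192.168.1.1-20 with
# four decoys, the hosts visited in a shuffled order, all inside one minute;
# plus a legitimate client (192.168.2.80) that talks to two servers.
SCANNER = "192.168.2.50"
DECOYS = ["192.168.2.3", "192.168.2.7", "192.168.2.15", "192.168.2.24"]
ORDER = [14, 3, 20, 7, 1, 11, 18, 5, 9, 16, 2, 13, 19, 4, 8, 12, 17, 6, 15, 10]
SAMPLE = [
    (1000 + i, src, "192.168.1.%d" % host)
    for i, host in enumerate(ORDER)
    for src in [SCANNER] + DECOYS
] + [(1005, "192.168.2.80", "192.168.1.7"), (1009, "192.168.2.80", "192.168.1.12")]

if __name__ == "__main__":
    # The real source and every decoy are reported together; the client is not.
    print(scanning_sources(SAMPLE))
```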

Tutorial written by Goodies from Hack Forums.


If you have ANY questions or corrections please post them in the thread :)
