Scanning


ITSY 4114 : Ethical Hacking

Ethical HACKING: Reconnaissance


NMAP SCANNING TOOL
NMAP Scanning

1. Preface

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing.
It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap
uses raw IP packets in novel ways to determine what hosts are available on the network, what
services (application name and version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in use, and dozens of other
characteristics. While Nmap is commonly used for security audits, many systems and network
administrators find it useful for routine tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each
depending on the options used. Key among that information is the “interesting ports table”. That
table lists the port number and protocol, service name, and state. The state is
either open, filtered, closed, or unfiltered. Open means that an application on the target machine is
listening for connections/packets on that port. Filtered means that a firewall, filter, or other
network obstacle is blocking the port so that Nmap cannot tell whether it
is open or closed. Closed ports have no application listening on them, though they could open up
at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap
cannot determine whether they are open or closed. Nmap reports the state
combinations open|filtered and closed|filtered when it cannot determine which of the two states
describe a port. The port table may also include software version details when version detection
has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on
supported IP protocols rather than listening ports.
In addition to the interesting ports table, Nmap can provide further information on targets,
including reverse DNS names, operating system guesses, device types, and MAC addresses.

The 3-way TCP handshake

First, a bit of background: during communication with a TCP service, a single connection is
established with the TCP 3-way handshake. This involves a SYN sent to an open TCP port that
has a service bound to it; typical examples are HTTP (port 80), SMTP (port 25), POP3 (port 110)
or SSH (port 22).
The server side will see the SYN and respond with SYN ACK, with the client answering the SYN
ACK with an ACK. This completes the set-up, and the data of the service protocol can now be
communicated.
In this example the firewall passes the traffic to the web server (HTTP -> 80) and the web server
responds with the acknowledgement.
In all these examples a firewall could be a separate hardware device, or it could be a local software
firewall on the host computer.

Filtered ports or when the Firewall drops a packet


The job of a firewall is to protect a system from unwanted packets that could harm the system. In
this simple example the port scan is conducted against port 81; there is no service running on this
port, and using a firewall to block access to it is best practice.

A filtered port result from Nmap indicates that the port has not responded at all: the SYN packet
has simply been dropped by the firewall. See the following Wireshark packet capture, which shows
the initial packet with no response.

Closed ports or when the Firewall fails


In this case a closed port most commonly indicates that there is no service running on the port
but the firewall has allowed the connection through to the server. It can also mean there is
no firewall present at all.
Note that while we are discussing the most common scenarios here, it is possible to configure a
firewall to reject packets rather than drop them. This would mean packets hitting the firewall would
be seen as closed (the firewall responds with RST ACK).
Pictured below is a case where a firewall rule allows the packet on port 81 through even though
there is no service listening on the port. This is most likely due to the fact that the firewall is poorly
configured.
An Open Port (service) is found

Open Ports are usually what you are looking for when kicking off Nmap scans. The open service
could be a publicly accessible service that is by its nature supposed to be accessible. It could also
be a back-end service that does not need to be publicly accessible and therefore should be blocked
by a firewall.

An interesting thing to notice in the Wireshark capture is the RST packet sent after receiving
the SYN ACK from the web server. The RST is sent by Nmap because the state of the port (open)
has already been determined by the SYN ACK. If we were looking for further information, such as
the HTTP service version or the page itself, the RST would not be sent and a full connection would
be established instead.
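The port states described above (open on SYN ACK, closed on RST, filtered when the firewall drops the probe or answers with an ICMP unreachable) are decisions Nmap makes from the replies it sees. The following Python block is an added example, not Nmap's own code, that applies those documented rules to a small constructed capture: the addresses 10.0.0.5 (scanner) and 10.0.0.9 (target), the record layout and the RETRIES value are assumptions of the example.

```python
from collections import defaultdict

# Nmap's documented rules for a SYN scan (-sS): SYN/ACK -> open, RST -> closed,
# no reply after the retransmissions -> filtered, ICMP unreachable type 3 with
# code 1, 2, 3, 9, 10 or 13 -> filtered.  RETRIES is an assumed value for the example.
RETRIES = 2
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}

# Constructed capture (hypothetical addresses 10.0.0.5 = scanner, 10.0.0.9 = target).
# Record: (src, dst, sport, dport, flags).  For an ICMP error the ports are those
# quoted from the probe, written from the target's point of view.
CAPTURE = [
    ("10.0.0.5", "10.0.0.9", 40001, 80,    "SYN"),
    ("10.0.0.9", "10.0.0.5", 80,    40001, "SYN/ACK"),   # a listener answered
    ("10.0.0.5", "10.0.0.9", 40001, 80,    "RST"),       # scanner tears the half-open connection down
    ("10.0.0.5", "10.0.0.9", 40002, 81,    "SYN"),       # firewall drops it: silence
    ("10.0.0.5", "10.0.0.9", 40002, 81,    "SYN"),       # retransmission, still silence
    ("10.0.0.5", "10.0.0.9", 40003, 8080,  "SYN"),
    ("10.0.0.9", "10.0.0.5", 8080,  40003, "RST/ACK"),   # no listener and nothing filtering
    ("10.0.0.5", "10.0.0.9", 40004, 22,    "SYN"),
    ("10.0.0.9", "10.0.0.5", 22,    40004, "ICMP3/13"),  # admin prohibited: a rejecting filter
    ("10.0.0.5", "10.0.0.9", 40005, 443,   "SYN"),       # one probe, no reply yet
]


def interpret_syn_scan(capture, scanner, target, retries=RETRIES):
    """Return {target_port: state} the way Nmap would report a SYN scan."""
    sent = defaultdict(int)   # target port -> number of SYN probes sent
    reply = {}                # target port -> first reply seen for that port
    for src, dst, sport, dport, flags in capture:
        if src == scanner and dst == target and flags == "SYN":
            sent[dport] += 1
        elif src == target and dst == scanner and sport in sent and sport not in reply:
            reply[sport] = flags

    states = {}
    for port, count in sent.items():
        r = reply.get(port)
        if r == "SYN/ACK":
            states[port] = "open"
        elif r in ("RST", "RST/ACK"):
            states[port] = "closed"
        elif r is not None and r.startswith("ICMP3/"):
            code = int(r.split("/")[1])
            states[port] = "filtered" if code in FILTERED_ICMP_CODES else "unexpected"
        elif count >= retries:
            states[port] = "filtered"    # every retransmission went unanswered
        else:
            states[port] = "pending"     # Nmap would retransmit before deciding
    return states


if __name__ == "__main__":
    for port, state in sorted(interpret_syn_scan(CAPTURE, "10.0.0.5", "10.0.0.9").items()):
        print(f"{port}/tcp {state}")
```

Port 443 stays "pending" because only one probe was sent: Nmap does not call a port filtered until its retransmissions are exhausted, which is why a heavily filtered host takes so much longer to scan than an open or closed one.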
2. Technical Factors in using NMAP
2.1 Target Specification

When a hostname is given as a target, it is resolved via the Domain Name System (DNS) to
determine the IP address to scan. If the name resolves to more than one IP address, only the first
one will be scanned.

Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style
addressing. You can append /<numbits> to an IP address or hostname and Nmap will scan
every IP address for which the first <numbits> are the same as for the reference IP or hostname
given. For example, 192.168.10.0/24 would scan the 256 hosts between 192.168.10.0
(binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000
10101000 00001010 11111111), inclusive. 192.168.10.40/24 would scan exactly the same targets.
Given that the host scanme.nmap.org is at the IP address 64.13.134.52, the
specification scanme.nmap.org/16 would scan the 65,536 IP addresses between 64.13.0.0 and
64.13.255.255. The smallest allowed value is /0, which targets the whole Internet. The largest
value for IPv4 is /32, which scans just the named host or IP address because all address bits are
fixed. The largest value for IPv6 is /128, which does the same thing.

CIDR notation is short but not always flexible enough. For example, you might want to scan
192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network
and broadcast addresses. Nmap supports this through octet range addressing. Rather than specify
a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet.
For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255,
and 192.168.3-5,7.1 will scan the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and
192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on
the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the
target specification doesn't look like a command-line option. Ranges need not be limited to the
final octets: the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for all IP addresses
ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.
Nmap accepts multiple host specifications on the command line, and they don't need to be the
same type. The command nmap scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what you
would expect.

While targets are usually specified on the command lines, the following options are also available
to control target selection:
-iL <inputfilename> (Input from list)

Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname,
CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or
newlines.

-iR <num hosts> (Choose random targets)

For Internet-wide surveys and other research, you may want to choose targets at random.
The <num hosts> argument tells Nmap how many IPs to generate. Undesirable IPs such
as those in certain private, multicast, or unallocated address ranges are automatically
skipped. The argument 0 can be specified for a never-ending scan. Keep in mind that some
network administrators bristle at unauthorized scans of their networks and may complain.
Use this option at your own risk! If you find yourself really bored one rainy afternoon, try
the command nmap -Pn -sS -p 80 -iR 0 --open to locate random web servers for browsing.

--exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)

Specifies a comma-separated list of targets to be excluded from the scan even if they are
part of the overall network range you specify. The list you pass in uses normal Nmap
syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc. This can be useful
when the network you wish to scan includes untouchable mission-critical servers, systems
that are known to react adversely to port scans, or subnets administered by other people.

--excludefile <exclude_file> (Exclude list from file)

This offers the same functionality as the --exclude option, except that the excluded targets
are provided in a newline-, space-, or tab-delimited <exclude_file> rather than on the
command line.

The exclude file may contain comments that start with # and extend to the end of the line.

2.2 TCP connect() Scan [-sT]

These scans are so called because UNIX sockets programming uses a system call
named connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection
was made. If it fails, the connection could not be made (the remote system is offline, the port is
closed, or some other error occurred along the way). This allows a basic type of port scan, which
attempts to connect to every port in turn, and notes whether or not the connection succeeded. Once
the scan is completed, ports to which a connection could be established are listed as open, the rest
are said to be closed.
This method of scanning is very effective, and provides a clear picture of the ports you can and
cannot access. If a connect() scan lists a port as open, you can definitely connect to it - that is what
the scanning computer just did! There is, however, a major drawback to this kind of scan: it is very
easy to detect on the system being scanned. If a firewall or intrusion detection system is running
on the victim, attempts to connect() to every port on the system will almost always trigger a
warning. Indeed, with modern firewalls, an attempt to connect to a single port which has been
blocked or has not been specifically "opened" will usually result in the connection attempt being
logged. Additionally, most servers will log connections and their source IP, so it would be easy to
detect the source of a TCP connect() scan.
For this reason, the TCP Stealth Scan was developed.
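The detectability argument above rests on one fact: connect() completes the full three-way handshake, so the server's accept() fires and an ordinary application log records the scanner's source address. The following Python block is an added example (not Nmap's code) that shows this on the loopback interface: it starts a listener on an unused port, performs a connect() scan of that port and of a port with nothing listening, and reports what the listener saw. The port numbers are whatever the OS hands out, and the RST-to-"closed" mapping relies on the kernel raising ConnectionRefusedError.

```python
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Listen on a free port and record every peer whose handshake completes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.1)            # wake periodically so the thread can be stopped
    port = srv.getsockname()[1]
    seen, stop = [], threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            except OSError:        # socket closed underneath us
                return
            seen.append(peer)      # the line a real server would write to its access log
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port, seen, stop


def free_closed_port(host="127.0.0.1"):
    """Pick a port with nothing listening: bind to 0, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """TCP connect() scan: the OS performs the full handshake for each probed port."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"          # handshake done: the server side can log us
        except ConnectionRefusedError:
            states[port] = "closed"        # RST came back: no listener, no filter in the way
        except (socket.timeout, OSError):
            states[port] = "filtered"      # no answer at all: dropped on the path
        finally:
            s.close()
    return states


def demo():
    """Scan one open and one closed loopback port; return states and how many connections the listener logged."""
    srv, open_port, seen, stop = start_listener()
    closed_port = free_closed_port()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
        deadline = time.time() + 2
        while not seen and time.time() < deadline:   # accept() runs in the other thread
            time.sleep(0.01)
    finally:
        stop.set()
        srv.close()
    return states, open_port, closed_port, len(seen)


if __name__ == "__main__":
    states, op, cp, logged = demo()
    print(f"{op}: {states[op]}  {cp}: {states[cp]}  connections logged by listener: {logged}")
```

The single logged entry is the whole point of section 2.2: with a connect() scan the scanned host gets a complete connection record for every open port, whereas a SYN scan never reaches accept().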
3. NMAP CHEAT SHEET

Nmap 7.70SVN ( https://nmap.org )


Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:


-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>

SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.

OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:


Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second

FIREWALL/IDS EVASION AND SPOOFING:


-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
4. NMAP Commands with Examples

Using scanme.nmap.org for Nmap scanning:
nmap -A -T4 scanme.nmap.org

Ping sweep:
nmap -sP 199.0.0.0/24
nmap -sP -PT80 192.168.1.0/24
nmap -sS 192.168.1.0/24

Scan a single IP:
nmap 192.168.1.1

Scan a host:
nmap www.testhostname.com

Scan a host name with more info:
nmap -v server1.cyberciti.biz

Scan a range of IPs:
nmap 192.168.1.1-20
nmap 192.168.1.1 192.168.1.2 192.168.1.3
nmap 192.168.1.1,2,3
nmap 192.168.1.*
nmap 192.168.1.0/24

Scan a subnet:
nmap 192.168.1.0/24

Scan targets from a text file:
nmap -iL list-of-ips.txt

Excluding hosts/networks (IPv4):
nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

Turn on OS and version detection:
nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

Find out if a host/network is protected by a firewall:
nmap -sA 192.168.1.254
nmap -sA server1.cyberciti.biz

Scan a host when protected by the firewall:
nmap -PN 192.168.1.1
nmap -PN server1.cyberciti.biz

Scan an IPv6 host/address:
nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4

Perform a fast scan:
nmap -F 192.168.1.1

The fastest way to scan all your devices/computers for open ports ever:
nmap -T5 192.168.1.0/24

Display the reason a port is in a particular state:
nmap --reason 192.168.1.1
nmap --reason server1.cyberciti.biz

Only show open (or possibly open) ports:
nmap --open 192.168.1.1
nmap --open server1.cyberciti.biz

Show all packets sent and received:
nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.cyberciti.biz

Show host interfaces and routes:
nmap --iflist

OUTPUT

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST


************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MAC
lo (lo) 127.0.0.1/8 loopback up
eth0 (eth0) 192.168.1.5/24 ethernet up B8:AC:6F:65:31:E5
vmnet1 (vmnet1) 192.168.121.1/24 ethernet up 00:50:56:C0:00:01
vmnet8 (vmnet8) 192.168.179.1/24 ethernet up 00:50:56:C0:00:08
ppp0 (ppp0) 10.1.19.69/32 point2point up

**************************ROUTES**************************
DST/MASK DEV GATEWAY
10.0.31.178/32 ppp0
209.133.67.35/32 eth0 192.168.1.2
192.168.1.0/0 eth0
192.168.121.0/0 vmnet1
192.168.179.0/0 vmnet8
169.254.0.0/0 eth0
10.0.0.0/0 ppp0
0.0.0.0/0 eth0 192.168.1.2
Scanning specific ports:
nmap -p [port] hostname

## Scan port 80 ##
nmap -p 80 192.168.1.1

## Scan TCP port 80 ##
nmap -p T:80 192.168.1.1

## Scan UDP port 53 ##
nmap -p U:53 192.168.1.1

## Scan two ports ##
nmap -p 80,443 192.168.1.1

## Scan port ranges ##
nmap -p 80-200 192.168.1.1

## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1

## Scan top ports, i.e. scan the $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

## Scan ports by name ##
nmap -p [port name(s)] [target]
nmap -p smtp,http 10.10.1.1

Executing nmap -p "http*" 10.10.1.1 would scan all ports whose service name starts with http.

## Scan ports by protocol ##
nmap -p U:[UDP ports],T:[TCP ports] [target]
nmap -sU -sT -p U:53,T:25 10.10.1.1

Using the syntax -p U:53,T:25 instructs Nmap to perform a UDP scan on port 53 and
a TCP scan on port 25.

## Scan the 100 most common ports (fast scan) ##
nmap -F 192.168.1.1

## Scan all 65535 ports ##
nmap -p- 192.168.1.1

## Scan a range of ports ##
nmap -p 1-100 192.168.1.1
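The -p syntax shown above has a few rules worth making explicit: a T:, U: or S: prefix applies to every following element until the next prefix, either end of a range may be omitted (so -p- is 1-65535), "*" is every port, and a name may carry a wildcard. The Python block below is an added example, not Nmap's parser, that expands such a specification into per-protocol port lists. The SERVICE_NAMES table is a constructed subset of the nmap-services file Nmap actually consults, and the choice of tcp as the default protocol before any prefix is an assumption of the example.

```python
import fnmatch

PROTOCOL_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}

# Constructed subset of nmap-services; real Nmap resolves names against the full file.
SERVICE_NAMES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443, "http-alt": 8080}


def parse_port_spec(spec, default_proto="tcp"):
    """Expand an Nmap -p argument into {protocol: sorted list of port numbers}."""
    ports = {"tcp": set(), "udp": set(), "sctp": set()}
    proto = default_proto
    spec = spec.strip()
    if spec == "*":                          # -p "*" : every port
        spec = "1-65535"
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTOCOL_PREFIX:
            proto = PROTOCOL_PREFIX[item[0].upper()]   # sticky until the next prefix
            item = item[2:]
        if not item:
            raise ValueError("empty element in port specification")
        if item[0].isalpha():                # service name, optionally with a glob such as http*
            matched = [p for name, p in SERVICE_NAMES.items() if fnmatch.fnmatchcase(name, item)]
            if not matched:
                raise ValueError(f"unknown service name {item!r}")
            ports[proto].update(matched)
            continue
        if "-" in item:                      # range; omitted ends default to 1 and 65535
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else 65535
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports[proto].update(range(lo, hi + 1))
    return {p: sorted(v) for p, v in ports.items() if v}


if __name__ == "__main__":
    for proto, plist in parse_port_spec("U:53,111,137,T:21-25,80,139,8080,S:9").items():
        print(proto, plist)
```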

Detect remote operating system:
nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1
nmap -A 192.168.1.1

Detect remote services (server / daemon) version numbers:
nmap -sV 192.168.1.1

OUTPUT:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 0.52 (protocol 2.0)
80/tcp open http?

## More aggressive service detection ##
nmap -sV --version-intensity 5 192.168.1.1

## Lighter banner-grabbing detection ##
nmap -sV --version-intensity 0 192.168.1.1

Scan a host using TCP ACK (PA) and TCP SYN (PS) ping:
If a firewall is blocking standard ICMP pings, try the following host discovery methods
(the optional port list follows the flag with no space in between):
nmap -PS 192.168.1.1
nmap -PS80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA80,21,200-512 192.168.1.1

Scan a host using IP protocol ping:
nmap -PO 192.168.1.1

Scan a host using UDP ping:
This scan bypasses firewalls and filters that only screen TCP:
nmap -PU 192.168.1.1
nmap -PU2000,2001 192.168.1.1

Scan the most commonly used TCP ports using a TCP SYN scan:
### Stealthy scan ###
nmap -sS 192.168.1.1

### Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan) ###
nmap -sT 192.168.1.1

### Find out the most commonly used TCP ports using TCP ACK scan ###
nmap -sA 192.168.1.1

### Find out the most commonly used TCP ports using TCP Window scan ###
nmap -sW 192.168.1.1

### Find out the most commonly used TCP ports using TCP Maimon scan ###
nmap -sM 192.168.1.1

Note:
Privileged access is required to perform the default SYN scans. If privileges are
insufficient a TCP connect scan will be used. A TCP connect requires a full TCP
connection to be established and therefore is a slower scan.
Scan a host for UDP services (UDP scan):
Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are
three of the most common UDP services. Use the following syntax to find out UDP services:
nmap -sU nas03
nmap -sU 192.168.1.1

OUTPUT
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT STATE SERVICE
111/udp open|filtered rpcbind
123/udp open|filtered ntp
161/udp open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)

Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

Scan for IP protocol:
This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are
supported by target machines:
nmap -sO 192.168.1.1
Scan a firewall for security weakness:
## TCP Null scan to fool a firewall into generating a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254

## TCP FIN scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254

## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254

Note: the firewall mechanisms that protect against such scans remain to be studied.
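From the defender's side, the Null, FIN and Xmas probes listed above share one property a firewall or IDS can key on: a legitimate TCP segment always carries SYN, ACK or RST, and FIN only ever appears together with ACK, so those flag combinations never occur in real traffic. The SYN scan (-sS) carries valid flags and is instead recognised by volume, one source touching many ports on one host in a short time. The Python block below is an added example, not code from any firewall or IDS product, that applies both rules to a constructed packet log; the addresses, the 10-ports-in-5-seconds threshold and the record layout are assumptions of the example.

```python
from collections import defaultdict

# Flag sets that never occur in legitimate TCP traffic, named after the scan that sends them.
ANOMALOUS_FLAG_SETS = {
    frozenset(): "null-scan",                    # -sN: no flags at all
    frozenset({"FIN"}): "fin-scan",              # -sF: FIN without ACK
    frozenset({"FIN", "PSH", "URG"}): "xmas-scan",  # -sX
}

# Constructed packet log: (seconds, src, dst, dport, flags).  10.0.0.9 is the protected host.
RECORDS = [
    (0.0, "10.0.0.8", "10.0.0.9", 80, {"SYN"}),                 # ordinary client ...
    (0.1, "10.0.0.8", "10.0.0.9", 80, {"ACK"}),
    (0.2, "10.0.0.8", "10.0.0.9", 80, {"PSH", "ACK"}),
    (0.9, "10.0.0.8", "10.0.0.9", 80, {"FIN", "ACK"}),          # ... closing normally
    (1.0, "10.0.0.5", "10.0.0.9", 81, set()),                   # Null probe
    (1.1, "10.0.0.5", "10.0.0.9", 81, {"FIN"}),                 # FIN probe
    (1.2, "10.0.0.5", "10.0.0.9", 81, {"FIN", "PSH", "URG"}),   # Xmas probe
] + [(2.0 + i * 0.05, "10.0.0.7", "10.0.0.9", 20 + i, {"SYN"}) for i in range(12)]  # SYN sweep


def classify_flags(flags):
    """Return the scan type an illegal flag combination corresponds to, or None if it is legitimate."""
    f = frozenset(flags)
    if f in ANOMALOUS_FLAG_SETS:
        return ANOMALOUS_FLAG_SETS[f]
    if not f & {"SYN", "ACK", "RST"}:
        return "invalid-flags"        # e.g. PSH or URG on their own
    return None


def detect_scans(records, port_threshold=10, window=5.0):
    """Raise one alert per anomalous segment and one per SYN sweep (many ports, one source, one host)."""
    alerts = []
    syns = defaultdict(list)          # (src, dst) -> [(time, dport)] for plain SYN segments
    for ts, src, dst, dport, flags in records:
        kind = classify_flags(flags)
        if kind:
            alerts.append({"time": ts, "src": src, "dst": dst, "port": dport, "kind": kind})
        elif set(flags) == {"SYN"}:
            syns[(src, dst)].append((ts, dport))
    for (src, dst), hits in syns.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= port_threshold:
                alerts.append({"time": start, "src": src, "dst": dst, "port": None, "kind": "syn-sweep"})
                break                 # one alert per source/destination pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_scans(RECORDS):
        print(f"{a['time']:5.2f}s {a['src']} -> {a['dst']} port {a['port']}: {a['kind']}")
```

The flag rule is exact and cheap, which is why stateful firewalls and IDS signatures catch Null, FIN and Xmas probes reliably; the sweep rule is a heuristic, and the threshold is the usual trade-off between catching slow scans (Nmap's -T0/-T1 templates spread probes over minutes) and false alarms from busy legitimate clients.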
Scan a firewall using packet fragments:
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets.
The idea is to split up the TCP header over several packets to make it harder for packet filters,
intrusion detection systems, and other annoyances to detect what you are doing.

nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
## Give -f twice to use 16-byte fragments instead of 8-byte ones ##
nmap -ff fw2.nixcraft.net.in

## Set your own fragment size with the --mtu option (must be a multiple of 8) ##
nmap --mtu 32 192.168.1.1

Cloak a scan with decoys:
The -D option makes it appear to the remote host that the host(s) you specify as decoys are
scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP
addresses, but they won't know which IP was scanning them and which were innocent decoys:
nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

Scan a firewall with MAC address spoofing:
### Spoof your MAC address ###
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Use a random MAC address ###
### The number 0 means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0 192.168.1.1

Save output to a text file:
nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1

Scan for web servers and pipe into Nikto for scanning:
nmap -p80 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -
nmap -p80,443 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -
Speed up nmap:
Pass the -T option:
nmap -v -sS -A -T4 192.168.2.5

Scan selected ports, ignoring discovery:
nmap -Pn -F 192.168.1.1

Note:
Ignoring discovery is often required, as many firewalls or hosts will not respond to PING and
so could be missed unless you select the -Pn parameter. Of course, this can make scan times
much longer, as you could end up sending scan probes to hosts that are not there.

Nmap output formats:
## Save default output to file ##
nmap -oN outputfile.txt 192.168.1.1

## Save results as XML ##
nmap -oX outputfile.xml 192.168.1.1

## Save results in a format for grep ##
nmap -oG outputfile.txt 192.168.1.1

## Save in all formats ##
nmap -oA outputfile 192.168.1.1

Note:
The default format could also be saved to a file using a simple file redirect command
> file. Using the -oN option allows the results to be saved but also can be monitored in
the terminal as the scan is under way.
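The grepable format (-oG) is the one meant for piping into other tools, as in the Nikto example earlier in this section: one tab-separated line per host, with each port written as port/state/protocol/owner/service/rpcinfo/version/. The Python block below is an added example, not Nmap's code, that parses such output and pulls out the open TCP ports a follow-on tool would want. The sample text is constructed to mirror the -sV and -sU results shown above; the version field can itself contain commas, so entries are split only where a new port number follows the comma.

```python
import re

# Constructed -oG output in the shape Nmap writes (fields are tab-separated).
SAMPLE = (
    "# Nmap 5.00 scan initiated Tue Nov 27 01:34:00 2012 as: nmap -sV -oG - 192.168.1.1\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//Dropbear sshd 0.52 (protocol 2.0)/, "
    "80/open/tcp//http///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.12 (nas03)\tStatus: Up\n"
    "Host: 192.168.1.12 (nas03)\tPorts: 111/open|filtered/udp//rpcbind///, "
    "161/open|filtered/udp//snmp///, 8080/closed/tcp//http-alt///\tIgnored State: closed (995)\n"
    "# Nmap done at Tue Nov 27 01:35:00 2012 -- 2 IP addresses (2 hosts up) scanned\n"
)

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")
ENTRY_SPLIT = re.compile(r",\s*(?=\d+/)")     # split on commas that start a new port entry


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [ {port, state, proto, ...}, ... ]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                              # comment lines and anything else
        fields = line.split("\t")
        ip, _, rest = fields[0][len("Host:"):].strip().partition(" ")
        entry = hosts.setdefault(ip, {"hostname": rest.strip("() "), "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(":")
            if key.strip() != "Ports":
                continue
            for item in ENTRY_SPLIT.split(value.strip()):
                parts = item.split("/")
                if len(parts) < len(PORT_FIELDS):
                    raise ValueError(f"malformed port entry {item!r}")
                record = dict(zip(PORT_FIELDS, parts))
                record["port"] = int(record["port"])
                entry["ports"].append(record)
    return hosts


def open_ports(hosts, proto="tcp"):
    """(ip, port) pairs in state 'open', the list a tool like Nikto would be fed."""
    return [(ip, p["port"]) for ip, h in hosts.items()
            for p in h["ports"] if p["state"] == "open" and p["proto"] == proto]


if __name__ == "__main__":
    for ip, port in open_ports(parse_grepable(SAMPLE)):
        print(f"{ip}:{port}")
```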
Digging deeper with NSE scripts:
## Scan using default safe scripts ##
nmap -sV -sC 192.168.1.1

## Get help for a script ##
nmap --script-help=ssl-heartbleed

## Scan using a specific NSE script ##
nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1

## Scan with a set of scripts ##
nmap -sV --script=smb* 192.168.1.1

Note:
According to my Nmap install there are currently 471 NSE scripts. The scripts are able
to perform a wide range of security-related testing and discovery functions. If you are
serious about your network scanning you really should take the time to get familiar
with some of them.
The option --script-help=$scriptname will display help for the individual scripts. To
get an easy list of the installed scripts try locate nse | grep script.
You will notice I have used the -sV service detection parameter. Generally most NSE
scripts will be more effective and you will get better coverage by including service
detection.

A scan to search for DDoS reflection UDP services:
nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24

Note: UDP-based DDoS reflection attacks are a common problem that network defenders come up
against. This is a handy Nmap command that will scan a target list for systems with open UDP
services that allow these attacks to take place.
HTTP service information:
# Gather page titles from HTTP services
nmap --script=http-title 192.168.1.0/24
# Get HTTP headers of web services
nmap --script=http-headers 192.168.1.0/24
# Find web apps from known paths
nmap --script=http-enum 192.168.1.0/24

Note: There are many HTTP information gathering scripts; here are a few that are simple but
helpful when examining larger networks. They help in quickly identifying what HTTP service is
running on the open port. Note that the http-enum script is particularly noisy. It is similar to
Nikto in that it will attempt to enumerate known paths of web applications and scripts. This will
inevitably generate hundreds of 404 HTTP responses in the web server error and access logs.

Detect Heartbleed SSL vulnerability:
nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24

Note:
Heartbleed detection is one of the available SSL scripts. It will detect the presence of the
well-known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on
mail and other protocols (requires Nmap 6.46).

Find information about an IP address:
nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24

Note:
Gathers information related to the IP address and the netblock owner of the IP address. Uses
ASN, whois and geoip location lookups. See the IP Tools for more information and similar IP
address and DNS lookups.
