Nmap Notes
Basic Usage Notes for Nmap
Aggressive scan of a single address. -A adds OS detection, version detection, the default NSE scripts and traceroute on top of the port scan, so it is noisy and slow but gives the most information in one run:
nmap -A targetIPaddress
Same scan, but skip the host discovery (ping) stage and treat the target as up. The option is -Pn; older releases spelled it -PN. Use it when the host drops ping probes but still has reachable services:
nmap -Pn -A 192.168.1.2
Host Discovery
List Scan. Lists the addresses that would be scanned without sending any probes to them. Reverse-DNS lookups are still performed unless -n is added, so it is not completely silent:
nmap -sL 192.168.1.0/24
Ping Sweep (-sn; the older spelling -sP is still accepted). Run with privileges this sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to every address; on the local Ethernet segment it uses ARP instead. Unprivileged users get a TCP connect to ports 80 and 443 only. ICMP echo is routinely dropped by firewalls, so across a firewall the TCP probes are what find hosts:
nmap -sn 192.168.1.0/24
Sweep a network for live hosts but skip the network and broadcast addresses (.0 and .255):
nmap -sn 192.168.1.1-254
TCP SYN Ping. Sends a TCP SYN to the listed ports. A closed port answers RST, an open port SYN/ACK; either reply proves the host is up, so the port need not be open for discovery to succeed:
nmap -PS22-25,80,339,8080 192.168.1.1-2
TCP ACK Ping. Sends an unsolicited TCP ACK to the listed ports; an unfiltered host answers RST whether the port is open or closed. Useful where a stateless firewall blocks incoming SYNs but passes ACKs (a stateful firewall drops the unexpected ACK, so combine -PS and -PA when unsure):
nmap -PA22-25,80,339,8080 192.168.1.1-2
UDP Ping. Sends an empty UDP datagram (to port 40125 by default, chosen because it is unlikely to be open). A closed port answers with an ICMP port unreachable, which proves the host is up; an open port usually gives no response at all. Gets through firewalls that only filter TCP:
nmap -PU 192.168.1.1-2
IP Protocol Ping. Sends raw IP packets in the listed protocol numbers (default: ICMP, IGMP and IP-in-IP). Any reply in that protocol, or an ICMP protocol unreachable, proves the host is up:
nmap -PO 192.168.1.1-2
ARP Ping. The fastest and most reliable discovery method on a local Ethernet segment, where nmap already uses ARP automatically unless --send-ip is given. It cannot cross a router:
nmap -PR 192.168.1.1-2
Port States
- open
  - an application is accepting TCP connections, UDP datagrams or SCTP associations on the port
- closed
  - the port is reachable (it answers nmap's probes) but no application is listening on it
- filtered
  - a packet filter (firewall, router ACL, host firewall) is dropping the probe, so nmap cannot tell whether the port is open; shows up as no response or an ICMP unreachable error
- unfiltered
  - the port is reachable but nmap cannot tell whether it is open or closed; only the ACK scan (-sA) produces this state
- open|filtered
  - nmap cannot distinguish open from filtered, because an open port gives no response to this probe type (UDP, IP protocol, FIN, NULL, Xmas and Maimon scans)
- closed|filtered
  - nmap cannot tell whether the port is closed or filtered; only the idle scan (-sI) produces this state
Port Scanning Techniques
Top Bottom- TCP SYN scan (default scan type if priviledged user). This scan sends a TCP SYN packet to host. A closed port will respond with a RST (reset) packet. An open port will respond with a SYN/ACK, to which nmap will send a RST packet. Only provides open, closed or filtered port information
- nmap -sS -v 192.168.1.2
- TCP connect scan. Does not require priviledge account. Uses a normal TCP connection to determine if a port is open. Recieves RST from closed ports, and SYN/ACK from open ports. Responds to SYN/ACK with ACK followed by RST. This type of scan is very visible in application event logs.
- -sT
- UDP scan. A closed port will respond with ICMP port unreachable. An open port will respond with UDP data. A closed port will respond with no data and will be identified as open|filtered.
- -sU
- TCP Null scan
- -sN
- TCP FIN scan
- -sF
- TCP Xmas scan
- -sX
- The Null, Fin and Xmas scans are the least visible scans available and use least network traffic. On Microsoft machines, all ports appear as closed - if a port is reported as open, then you are dealing with a non-Microsoft machine.
- TCP ACK scan will only identify filtered or unfiltered ports, becuase it never connects to a port to determine an open state. This scan is very unobtrusive and can be used to identify filtered ports which respond with RST
- nmap -sA 192.168.1.2
- TCP Window scan. When an open port receives an ACK frame, it reponds with a RST and a specific TCP window size. Useful for identifying open ports and is very unobtrusive as no connection attempt is made. Most OSs have patched their TCP stacks to evade this scan.
- nmap -sW 192.168.1.2
- RPC scan. Provides detailed information on RPC-based applications but also involves establishing connections to ports.
- nmap -sR 192.168.1.2
- TCP Maimon scan
- -sM
- IP Protocol scan. Shows the IP protocols in use by a remote device (eg ICMP, TCP, UDP, EGP, IGP, etc). IP protocol scans are very obvious in packet traces, since most network communications will only use TCP or UDP protocols.
- nmap -sO 192.168.1.1
- Zombie Host Scan or Idle scan. Uses another idle machine to perform the scan
- nmap -v -sI 192.168.1.3. 192.168.1.2
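As an added illustration (not nmap's code and not part of the original notes), the following Python models the verdict rules from the Host Discovery, Port States and Port Scanning Techniques sections above, including nmap's documented handling of ICMP destination-unreachable errors (type 3, codes 1, 2, 3, 9, 10 and 13), which the notes only mention in passing. The Response type, its field names and the constructed probe results are this example's own; nothing is sent on the wire, so it runs without root or a network.

```python
"""Model of how nmap turns a probe's response into a host or port verdict.

Added example, not nmap source. Response and its fields are invented for
the illustration; the rules follow the nmap reference guide.
"""
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes that nmap reports as filtered:
# net/host/port unreachable, net/host admin prohibited, communication prohibited.
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    """What came back for one probe; all-default means no response at all."""
    tcp_flags: Optional[str] = None   # "SA" for SYN/ACK, "R" for RST
    tcp_window: int = 0               # TCP window field of a RST (for -sW)
    icmp: Optional[tuple] = None      # (type, code) of an ICMP error, if any
    udp_payload: bool = False         # a UDP datagram came back (for -sU)
    proto_reply: bool = False         # any reply in the probed IP protocol (-sO)


NO_RESPONSE = Response()


def port_state(scan: str, r: Response) -> str:
    """Return nmap's port-state label for a scan type given one response."""
    icmp_unreach = r.icmp is not None and r.icmp[0] == 3
    if scan in ("sS", "sT"):                       # SYN and connect scans
        if r.tcp_flags == "SA":
            return "open"
        if r.tcp_flags == "R":
            return "closed"
        return "filtered"                          # silence or ICMP error
    if scan == "sU":                               # UDP scan
        if r.udp_payload:
            return "open"
        if icmp_unreach and r.icmp[1] == 3:        # port unreachable
            return "closed"
        if icmp_unreach and r.icmp[1] in ICMP_FILTERED_CODES:
            return "filtered"
        return "open|filtered"                     # silence proves nothing
    if scan in ("sN", "sF", "sX", "sM"):           # NULL, FIN, Xmas, Maimon
        if r.tcp_flags == "R":
            return "closed"
        if icmp_unreach and r.icmp[1] in ICMP_FILTERED_CODES:
            return "filtered"
        return "open|filtered"                     # RFC 793: open ports stay silent
    if scan == "sA":                               # ACK scan: never says "open"
        return "unfiltered" if r.tcp_flags == "R" else "filtered"
    if scan == "sW":                               # window scan: read the RST's window
        if r.tcp_flags == "R":
            return "open" if r.tcp_window > 0 else "closed"
        return "filtered"
    if scan == "sO":                               # IP protocol scan
        if r.proto_reply:
            return "open"
        if icmp_unreach and r.icmp[1] == 2:        # protocol unreachable
            return "closed"
        if icmp_unreach and r.icmp[1] in ICMP_FILTERED_CODES:
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def host_is_up(r: Response) -> bool:
    """Host discovery verdict: any reply at all is proof of life.

    A RST to a SYN ping, a RST to an ACK ping and an ICMP port unreachable to a
    UDP ping all mark the host up even though the probed port is closed.
    """
    return r != NO_RESPONSE


if __name__ == "__main__":
    # Constructed responses, to show the verdict table for the reader.
    cases = [
        ("sS", Response(tcp_flags="SA")), ("sS", Response(tcp_flags="R")),
        ("sU", NO_RESPONSE), ("sU", Response(icmp=(3, 3))),
        ("sF", Response(tcp_flags="R")), ("sF", NO_RESPONSE),
        ("sA", Response(tcp_flags="R")), ("sA", Response(icmp=(3, 13))),
    ]
    for scan, resp in cases:
        print(f"-{scan:<3} {port_state(scan, resp):<14} host up: {host_is_up(resp)}")
```

The contrast the notes draw between discovery and port scanning is visible in the last two columns: a RST to a SYN ping is "closed" for the port scanner but "up" for host discovery. The all-closed result a FIN scan gives against Windows falls out of the same table, since Windows answers every FIN probe with a RST.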
Service Version Detection
To detect service version information (banner, product and version of whatever is listening, including RPC program and SSL details):
nmap -sV 192.168.1.2
Version detection runs after the port scan, which is a TCP SYN scan by default. Specify an alternate scan type if required; with a FIN scan, nmap will also probe the open|filtered ports:
nmap -sF -sV 192.168.1.2
Version scanning is intrusive: it completes a connection to every open (and open|filtered) port and exchanges protocol probes with the listening application, so it appears in service logs. --version-intensity (0 to 9) controls how many probes are tried against each port.
