Automation Tools
Pre-made commands
SYN scan (TCP) (sudo)
This method reports whether an application is listening on the target port and does not register on the host system, because the handshake is never completed (no ACK is sent to the target). It does not retrieve any information about the service.
sudo nmap -sS {IP Address}
Full connect scan
The advantage of this method is that a fully functional connection to the target host is made, which allows information to be gathered from the listening service (aka banner grabbing).
nmap -sT -sV 10.16.32.23
Null Scan (sudo)
This scan is useful for getting past firewalls and routers configured to filter on certain flags, since it sets no flags at all. Open and filtered ports should give no response (filtered ports may also send an ICMP unreachable message), and closed ports should send a RST packet.
nmap -sN 10.50.1.1
FIN scan (sudo)
Like the null scan it passes through firewalls and routers, and it is considered stealthier because of the illegal flag combination. Open and filtered ports should give no response (filtered ports may also send an ICMP unreachable message), and closed ports should send a RST packet.
nmap -sF 25.50.75.100
XMAS tree scan (sudo)
Open and filtered ports should give no response (filtered ports may also send an ICMP unreachable message), and closed ports should send a RST packet.
nmap -sX 7.92.5.19
UDP scan
A UDP scan can be used to find *nix hosts that block TCP and ICMP traffic. Since UDP is a stateless protocol it is often used to get through stateful firewalls. This kind of scan is not very useful for service discovery because UDP is connection-less.
nmap -sU -v 10.10.100.3
RPC Scan
An RPC scan looks for services that use RPC (Remote Procedure Call). RPC allows remote commands to be run on machines; this scan determines the RPC services and their versions.
nmap -sR 10.50.22.29
OS fingerprinting scan
By sending TCP and UDP packets it gathers information such as window size, TCP option ordering and IP ID sampling, and runs that information against its OS database. If a match is found it provides vendor, OS, generation and device type.
nmap -O 6.2.9.5
Version scan
A version scan uses the open ports and the nmap-service-probes database to query services, confirming the service running on a port and reporting its version. This allows exploits to be properly chosen, since different versions and patches are susceptible to different things.
nmap -sV 10.30.50.70
Network sweep all IPs in a range
nmap -sn 10.10.10.1-253
Scan all IPs in a network and see their HTTP title
nmap -sV -sC {IP/CIDR}
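Scan results are easiest to act on when they are written with -oG (grepable output) and post-processed rather than read from the terminal. The script below is an added example and not part of the original cheat sheet: it parses a constructed -oG sample (the hosts, ports, versions and the approved baseline are made up for the example), lists every open port with the service and version a -sV scan reported, and flags any open port that is not on the approved baseline. That is how a defender turns the scans above into an exposure check. It assumes POSIX sh with awk and mktemp available.

```shell
#!/bin/sh
# Added example: post-process nmap grepable output (-oG) into an exposure report.
# In grepable output each record is tab-separated ("Host: ...", "Ports: ...",
# "Ignored State: ...") and each port entry is
# port/state/protocol/owner/service/rpcinfo/version; nmap replaces "/" inside
# version strings with "|", so splitting on "/" is safe.

# Constructed sample of "nmap -sS -sV -oG scan.gnmap 10.10.10.0/24".
# The hosts, ports and versions are made up for this example.
SAMPLE_SCAN=$(mktemp)
SAMPLE_BASELINE=$(mktemp)
trap 'rm -f "$SAMPLE_SCAN" "$SAMPLE_BASELINE"' EXIT
{
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV -oG scan.gnmap 10.10.10.0/24'
    printf '%s\t%s\n' 'Host: 10.10.10.5 ()' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 10.10.10.5 ()' \
        'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///' \
        'Ignored State: filtered (997)'
    printf '%s\t%s\n' 'Host: 10.10.10.9 ()' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 10.10.10.9 ()' \
        'Ports: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/' \
        'Ignored State: closed (999)'
    printf '%s\n' '# Nmap done at Mon Jan  1 00:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds'
} > "$SAMPLE_SCAN"

# Approved exposure baseline (constructed): one "host port/proto" per line.
printf '%s\n' '10.10.10.5 22/tcp' '10.10.10.5 80/tcp' > "$SAMPLE_BASELINE"

# Print "host port/proto service version" for every open port in a -oG file.
open_ports_from_grepable() {
    awk -F'\t' '
        /^#/ { next }                                   # skip the "# Nmap ..." header and footer
        {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*$/, "", host)   # "Host: 10.10.10.5 ()" -> "10.10.10.5"
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue          # "Status:" and "Ignored State:" records carry no ports
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")             # port/state/proto/owner/service/rpcinfo/version
                    if (f[2] == "open")
                        printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
                }
            }
        }' "$1"
}

# Report open ports that are not on the approved baseline.
# $1 = baseline file ("host port/proto" per line), $2 = -oG scan file.
unexpected_exposure() {
    open_ports_from_grepable "$2" | awk -v baseline="$1" '
        BEGIN {
            while ((getline line < baseline) > 0) ok[line] = 1
            close(baseline)
        }
        { key = $1 " " $2; if (!(key in ok)) print }'
}

echo "Open ports found by the scan:"
open_ports_from_grepable "$SAMPLE_SCAN"
echo "Open ports not on the approved baseline:"
unexpected_exposure "$SAMPLE_BASELINE" "$SAMPLE_SCAN"
```

Run against a real scan by pointing the two functions at your own -oG file and baseline; the constructed sample flags the RDP service on 10.10.10.9 because it is absent from the baseline, while the closed 443/tcp entry is ignored.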
Flags
| Flag | Description |
|---|---|
| -n | Disables name resolution |
| -R | Resolves names to IP addresses |
| -iR | Choose random targets |
| -p | Port ranges |
| -p- | scan ALL ports |
| -F | Fast mode |
| -v | Verbosity level |
| -d | Debugging level |
| -6 | IPv6 scanning |
| -A | OS detection, version detection, script scanning, and traceroute |
Scripts are stored in a subdirectory of the Nmap data directory by default:
/usr/share/nmap/scripts
Quite a few Nmap scanning options require access to raw sockets, which in turn require root privileges.
Useful NSE Scripts
Find scripts related to a topic
ls -1 /usr/share/nmap/scripts/smb*
dns-brute.nse
Attempts to enumerate DNS hostnames by brute force guessing of common subdomains.
nmap -p 80 --script dns-brute.nse $domain
http-enum.nse
Enumerates directories used by popular web applications and servers.
nmap -sV --script=http-enum $domain
