nmap

How to use nmap for some basic scans.

Some useful nmap switches:

  • -T sets the timing template, i.e. the speed of the scan. The range is 0 (slowest) to 5 (fastest, less accurate, easier to detect)
  • -O fingerprints the target to guess its operating system

Syn Scan

This is the default scan for nmap. It is faster than the TCP connect scan because it only completes the first two steps of the three-way handshake (SYN, SYN/ACK) and never opens a full connection.

nmap -sS -p- -Pn 192.168.0.50
  • run the SYN scan: -sS (could be omitted, because it is the default)
  • scan all 65535 TCP ports: -p-
  • disable host discovery: -Pn (skip the ping and treat every host as if it were up)

TCP Connect Scan

nmap will try to complete a full three-way handshake on each port specified in the command:

nmap -sT -p- -Pn 192.168.0.50
  • run the TCP connect scan: -sT
  • scan all 65535 TCP ports: -p-
  • disable host discovery: -Pn (skip the ping and treat every host as if it were up)

UDP Scan

Scan UDP ports.

nmap -sUV 192.168.0.50
  • run the UDP scan: -sU
  • add version detection with -sV (attempt to identify the service behind each open port); the two switches combine as -sUV

XMAS and Null Scans

These scans only work against Unix/Linux systems, not Windows, because the Windows TCP stack does not follow RFC 793 in how it answers such probes.

These scans violate traditional TCP communication and are used to determine whether a port is open or closed.

nmap -sX -p- -Pn 192.168.0.50
nmap -sN -p- -Pn 192.168.0.50
  • run XMAS scan: -sX
  • run Null scan: -sN
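The scans above all work the same way: send one carefully chosen probe per port and infer the port's state from the reply. The block below is an added example written for this page, not nmap's own code, that encodes those inference rules for the SYN, connect, UDP, Xmas and Null probes. The two host models are deliberately simplified (an RFC 793-compliant stack versus a Windows-style stack that resets every non-SYN probe) and the reply labels such as SYN_ACK, ICMP_PORT_UNREACH and NONE are constructed names; running it prints a state table that shows why Xmas and Null scans report open Windows ports as closed.

```python
"""How nmap turns a probe's reply into a port state, per scan type.

Added example for this page; not nmap's own code. The reply labels
("SYN_ACK", "RST", "NONE", "ICMP_UNREACH", "UDP_REPLY",
"ICMP_PORT_UNREACH") and the two simplified host models are constructed
for illustration only.
"""

# TCP flags each probe carries (the page's -sS, -sT, -sX and -sN switches).
SCAN_FLAGS = {
    "syn": {"SYN"},                 # -sS: half-open, reset after SYN/ACK
    "connect": {"SYN"},             # -sT: full handshake via the OS socket API
    "xmas": {"FIN", "PSH", "URG"},  # -sX: "lit up" flag set
    "null": set(),                  # -sN: no flags at all
}


def handshake_completed(scan: str) -> bool:
    """-sT finishes the three-way handshake; -sS stops after SYN/ACK and sends RST."""
    return scan == "connect"


def tcp_port_state(scan: str, reply: str) -> str:
    """nmap's verdict for one TCP probe given the reply observed.

    reply: "SYN_ACK", "RST", "ICMP_UNREACH" or "NONE" (timed out).
    """
    if scan in ("syn", "connect"):
        if reply == "SYN_ACK":
            return "open"
        if reply == "RST":
            return "closed"
        return "filtered"           # dropped by a firewall, or ICMP unreachable
    if scan in ("xmas", "null"):
        if reply == "RST":
            return "closed"
        if reply == "ICMP_UNREACH":
            return "filtered"
        if reply == "NONE":
            return "open|filtered"  # an open port is expected to stay silent, so silence is ambiguous
        return "unexpected"         # a SYN/ACK to a Xmas/Null probe violates RFC 793
    raise ValueError(f"unknown scan type {scan!r}")


def udp_port_state(reply: str) -> str:
    """nmap's verdict for a -sU probe. UDP has no handshake, so silence is common."""
    if reply == "UDP_REPLY":
        return "open"
    if reply == "ICMP_PORT_UNREACH":
        return "closed"             # ICMP type 3 code 3
    if reply == "ICMP_UNREACH":
        return "filtered"           # other unreachable codes
    return "open|filtered"          # no answer: service silent or probe dropped


def rfc793_host(port_open: bool, flags: set) -> str:
    """Reply of an RFC 793-compliant stack (Unix/Linux) to a probe."""
    if "SYN" in flags:
        return "SYN_ACK" if port_open else "RST"
    # Any other segment with no matching connection: an open port ignores it,
    # a closed port answers RST. This asymmetry is what -sX/-sN rely on.
    return "NONE" if port_open else "RST"


def windows_host(port_open: bool, flags: set) -> str:
    """Simplified Windows stack: RST to every non-SYN probe regardless of state."""
    if "SYN" in flags:
        return "SYN_ACK" if port_open else "RST"
    return "RST"


def simulate(scan: str, host, port_open: bool) -> str:
    """Send one probe of the given scan type at a modelled host and classify the reply."""
    return tcp_port_state(scan, host(port_open, SCAN_FLAGS[scan]))


if __name__ == "__main__":
    for host in (rfc793_host, windows_host):
        print(host.__name__)
        for scan in SCAN_FLAGS:
            states = [simulate(scan, host, is_open) for is_open in (True, False)]
            print(f"  {scan:8s} open->{states[0]:14s} closed->{states[1]}")
```

Against the RFC 793 model, Xmas and Null report open ports as open|filtered and closed ports as closed; against the Windows model every port comes back closed, which is the limitation noted above. The SYN and connect probes are unaffected because both stacks answer a SYN the same way.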
networking/nmap.txt · Last modified: 2014-06 by tb