NMAP Quick Reference
Published: 2020-10-07
Intro
NMAP is a tool for network discovery and auditing. This is not a comprehensive tutorial, only a quick reference source. Consult the man pages and/or documentation for an in-depth explanation of commands.
Port Scan
Top Ports
Scan the top N number of ports
nmap --top-ports 10 target.dummy
TCP SYN Scan
TCP SYN scans do not complete the full TCP 3-way handshake: when a SYN/ACK is received, a RST is sent to the server instead of an ACK, so no connection is ever established (a "half-open" scan). Crafting the raw SYN segments requires raw packet privileges, hence the sudo below. The flow between the NMAP client and server looks like this:
sudo nmap -sS -p 22,113,139 target.dummy
TCP Connect Scan
TCP connect scan utilises the underlying operating system's connect() call to perform a full TCP 3-way handshake and sets up a connection between the client and the server. This scan is used when the user does not have raw packet privileges or is scanning IPv6 networks. The flow between the NMAP client and the server looks like this:
nmap -sT -p 22,80,443 target.dummy
UDP Scan
UDP scans send a UDP packet to each target port and, depending on the response (a UDP reply, an ICMP error, or no response at all), NMAP infers the port state according to the following table.
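A constructed Python model of the three probe flows described above (SYN, connect and UDP), added here as an illustration; it is not nmap's code and the target port table is made up. Each scan function returns the client/target exchange and the port state nmap would report from it:

```python
# Constructed model of nmap's -sS, -sT and -sU probe flows. Illustrative only;
# the TARGET table is hypothetical and nothing is sent on the network.
from typing import List, Optional, Tuple

# Hypothetical target behaviour per port. "open-silent" is an open UDP
# service that ignores nmap's empty probe, a common case in practice.
TARGET = {22: "open", 113: "closed", 139: "filtered",
          53: "open", 161: "open-silent", 123: "closed", 500: "filtered"}

Exchange = List[Tuple[str, str]]  # (sender, message) pairs, client first


def tcp_reply(port: int) -> Optional[str]:
    """Target's answer to a SYN: SYN/ACK if open, RST if closed, nothing if filtered."""
    state = TARGET.get(port, "closed")
    if state == "filtered":
        return None
    return "SYN/ACK" if state.startswith("open") else "RST"


def syn_scan(port: int) -> Tuple[Exchange, str]:
    """-sS (raw sockets): half-open; a RST answers the SYN/ACK, so no connection forms."""
    flow: Exchange = [("client", "SYN")]
    reply = tcp_reply(port)
    if reply is None:
        return flow, "filtered"          # no answer: a filter dropped the probe
    flow.append(("target", reply))
    if reply == "RST":
        return flow, "closed"
    flow.append(("client", "RST"))       # tear down before the handshake completes
    return flow, "open"


def connect_scan(port: int) -> Tuple[Exchange, str]:
    """-sT (OS connect()): the full 3-way handshake completes, then the client closes."""
    flow, state = syn_scan(port)
    if state == "open":
        flow[-1] = ("client", "ACK")     # complete the handshake instead of resetting
        flow.append(("client", "FIN"))   # normal close of the established connection
    return flow, state


def udp_reply(port: int) -> Optional[str]:
    """Target's answer to an empty UDP datagram (None = silence)."""
    state = TARGET.get(port, "closed")
    return {"open": "UDP", "closed": "ICMP 3/3",      # port unreachable
            "filtered": "ICMP 3/13"}.get(state)        # admin prohibited


def udp_scan(port: int) -> Tuple[Exchange, str]:
    """-sU: infer state from the reply type; silence is ambiguous (open|filtered)."""
    flow: Exchange = [("client", "UDP")]
    reply = udp_reply(port)
    if reply is None:
        return flow, "open|filtered"
    flow.append(("target", reply))
    if reply == "UDP":
        return flow, "open"
    return flow, "closed" if reply == "ICMP 3/3" else "filtered"
```

The open|filtered result for port 161 is why UDP scans are slow and ambiguous: an open service that ignores an empty probe is indistinguishable from a firewall dropping it.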
sudo nmap -sU -p 53 target.dummy
Aggressive Scan
An aggressive scan (-A) combines a number of scan types so that you do not have to remember a large number of individual flags. The scans it enables are:
- OS Detection
- Version Scanning
- Script Scanning
- Traceroute
nmap -A target.dummy
Ping Sweep
Subnet
Ping sweep a subnet (host discovery only, no port scan)
nmap -sn 10.1.1.0/24
NPing
NPing, which ships with NMAP, allows you to generate and send custom packets.
Gratuitous ARP
Target a host with a GARP reply
sudo nping -c 1 --arp-sender-mac 08:00:27:ba:6c:7f \
--arp-sender-ip 10.1.1.1 --arp-type ar \
--arp-target-mac 08:00:27:74:99:3b 10.1.1.11 \
--interface eth1 --dest-mac 08:00:27:74:99:3b