Untitled

#NMAP Guide
-----------

1) Basic scan to see what ports have a valid service running on them:

	nmap {host}
	nmap -v {host}

Pass the `-v` flag to print a little more information.

2) Basic scan to just see what ports are open/closed/filtered, but will not actually test the port for a service running:

	nmap --top-ports {number of ports} {host}

3) Scanning a range of IP addresses or a subnet:

	nmap {host} 192.168.1.2 192.168.1.3
	nmap {host},2,3 	# multiple
	nmap {host}-20 	# range

	nmap 192.168.1.* 		# range
	nmap 192.168.1.0/24		# subnet

4) Scanning and reading from a list of hosts

	input.txt
	----------------------------------------
	host1.com
	host2.com
	{host}

	nmap -iL input.txt

5) Exclusions:

	nmap 192.168.1.0/24 --exclude 192.168.1.5
	nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

OR exclude list from a file called exclude.txt

	nmap -iL /tmp/scanlist.txt --excludefile exclude.txt

6) OS Detection of services:

	nmap -A -v {host}

7) Firewall protection of the host:

	nmap -sA -v {host}

8) Scanning a host protected by a firewall (very useful):

	nmap -PN -v {host}

9) Scanning a IPv6 host:

	nmap -6 IPv6-Address-Here
	nmap -6 2607:f0d0:1002:51::4
	nmap -v A -6 2607:f0d0:1002:51::4

10) Scan a network and find out which servers and devices are up and running

	nmap -sP 192.168.1.0/24

11) Scanning a host quickly:

	nmap -F {host}

ONLY show open ports

	nmap -F --open {host}

12) Print packet trace on a scan:

	nmap --packet-trace {host}

13) Doing a full nmap scan of the host requires root privelages. To invoke run this:

	sudo nmap -v -sV -sC -O {host}

This will generate a full report of services and attempt to identify OS. Good for finding admin panels and such running on hidden ports.

14) Show host interfaces and routes:

	nmap --iflist {host}

15) Scanning specific ports:

	nmap -p 80 {host}

	# Scan TCP port 80
	nmap -p T:80 {host}

	# Scan UDP port 53
	nmap -p U:53 {host}

	# Scan two ports
	nmap -p 80,443 {host}

	# Scan port range
	nmap -p 80-200 {host}

	# Combination port scan
	nmap -p U:53,111,137,T:21-25,80,139,8080 {host}
	nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 {host}

	# Scan all ports with * wildcard
	nmap -p "*" {host}

	# Scan top ports
	nmap --top-ports {number of ports} {host}
	nmap --top-ports {number of ports} {host}

16) Scanning for a remote operating system:

	nmap -O -v {host}

17) Scanning for remote services (server/daemon):

	nmap -sV -v {host}

18) Scanning a host using TCP ACK (PA) and TCP Syn (PS) ping. Use this when a firewall is blocking standard ICMP pings:

	nmap -PS {host}

19) Scanning a host using IP protocol ping:

	nmap -PO {host}

20) Scanning a host using UDP ping. This scan bypasses firewalls and filters that only screen TCP:

	nmap -PU {host}

21) Scanning a host for the most commonly used TCP ports using TCP SYN Scan:

	# Stealth scan
	nmap -sS {host}

	# Find the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
	nmap -sT {host}

	# Find the most commonly used TCP ports using TCP ACK scan
	nmap -sA {host}

	# Find the most commonly used TCP ports using TCP Window scan
	nmap -sW {host}

	# Find the most commonly used TCP ports using TCP Maimon scan
	nmap -sM {host}

22) Scanning a host for UDP services (UDP scan):

	nmap -sU {host}

23) Scanning a host for IP protocol, this allows you to determine which IP protocols are supported by the host:

	nmap -sO {host}

24) Scanning a firewall for security weaknesses:

	# TCP Null Scan to trigger firewall to generate a response
	nmap -sN {host}

	# TCP Fin scan to check firewall
	nmap -sF {host}

	# TCP Xmas scan to check firewall
	nmap -sX {host}

25) Cloaking a scan with decoys

	nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 {host}

26) Scanning a firewall for MAC address spoofing:

	### Spoof your MAC address ##
	nmap --spoof-mac {your-mac-address} {host}

You can pass any other flags here as well `-v -O` etc…