<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>Nmap</title>
    </head>
    <body>
        <a href="index.html">Tools Index</a>
        <h1>Nmap</h1>

        <p>Nmap is a network scanner for host discovery, port scanning,
        service/version detection and OS fingerprinting. The commands below
        were mostly taken from the hackertarget.com
        <a href="https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/">nmap cheatsheet</a>;
        they also have an <a href="https://hackertarget.com/nmap-tutorial/">nmap tutorial</a>.
        The raw-socket scan types (SYN scan, UDP scan, OS detection, ARP ping)
        need root, which is why the prompts below are #.</p>

        <h2>Target selection</h2>

        <p>Scan a single IP address:</p>

        <pre>
        # nmap -v 192.168.1.67
        </pre>

        <p>Or a hostname (resolved via DNS before the scan):</p>

        <pre>
        # nmap -v c9.root.sx
        </pre>

        <p>OS and version detection (-A also runs the default NSE scripts and a
        traceroute; -v adds progress output and per-host detail):</p>

        <pre>
        # nmap -A 192.168.1.67
        # nmap -v -A 192.168.1.67
        </pre>

        <p>Discover other hosts on the local LAN with a ping scan. -sn skips
        the port scan entirely; -sP is the older name for the same option and
        still works. On a local Ethernet segment, run as root, this uses ARP
        requests, so it also finds hosts that drop ICMP:</p>

        <pre>
        # nmap -sn 192.168.1.0/24
        </pre>

        <p>Scan a range of IPs (CIDR notation such as 192.168.1.0/24 also works):</p>

        <pre>
        # nmap 192.168.1.1-20
        </pre>

        <p>Scan targets listed in a text file (whitespace-separated hosts,
        ranges or CIDR blocks; -iL - reads the list from stdin):</p>

        <pre>
        # nmap -iL list-of-hosts.txt
        </pre>

        <h2>Port selection</h2>

        <p>Scan a single port:</p>

        <pre>
        # nmap -p 22 192.168.1.1
        </pre>

        <p>Scan a range of ports:</p>

        <pre>
        # nmap -p 1-100 192.168.1.1
        </pre>

        <p>Scan all 65535 ports (-p- is shorthand for -p 1-65535; without -p
        nmap only scans the 1000 most common ports):</p>

        <pre>
        # nmap -p- 192.168.1.1
        </pre>
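        <p>The target and port selection commands above are usually chained:
        a ping sweep finds the live hosts, the result is written to a file and
        fed back in with -iL, and the port scan output is reduced to the open
        ports. The script below is an added example, not code from the
        original page or from the Nmap project. It parses nmap's greppable
        output format (-oG) with awk; the sample_* functions emit constructed
        text in that layout (not real scan results) so the parsers run without
        a network, and sweep_and_scan shows the real pipeline but is not
        invoked.</p>

```shell
#!/bin/sh
# Added example, not code from the original page: turn a -sn ping sweep into a
# host list for -iL, then pull the open ports out of a port scan, by parsing
# nmap's greppable output (-oG). The sample_* functions emit constructed text
# in the -oG layout so the parsers can be exercised without a network.

sample_sweep() {
    # one line per host; "Status: Down" lines are only printed in verbose mode
    printf '# Nmap 7.94 scan initiated as: nmap -v -sn -oG - 192.168.1.0/24\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.67 (dev.box)\tStatus: Up\n'
    printf 'Host: 192.168.1.254 ()\tStatus: Down\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n'
}

sample_scan() {
    # fields are tab separated; a port entry is port/state/proto/owner/service/rpc/version/
    printf 'Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain//dnsmasq 2.80/\tIgnored State: filtered (999)\n'
    printf 'Host: 192.168.1.67 (dev.box)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 25/open/tcp//smtp//Exim smtpd 4.85/, 80/closed/tcp//http///, 161/open|filtered/udp//snmp///\tIgnored State: closed (996)\n'
}

# Print the address of every host reported as up (this is what goes into -iL).
live_hosts() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Print "host port/proto service" for every port whose state is exactly "open".
# UDP ports that never answered are reported as open|filtered and are left out
# on purpose; they need a follow-up such as -sU -sV on just those ports.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    n = split(substr($i, 8), p, ", ")
                    for (j = 1; j <= n; j++) {
                        split(p[j], f, "/")
                        if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                    }
                }
            }
        }'
}

# The real pipeline (needs nmap, and root for the ARP ping and SYN scan).
# Not run here. $1 is the network, $2 the port list:
#   sweep_and_scan 192.168.1.0/24 22,25,80
sweep_and_scan() {
    nmap -sn -oG - "$1" | live_hosts > live-hosts.txt
    nmap -sS -p "$2" -iL live-hosts.txt -oG - | open_ports
}

echo 'live hosts in the sample sweep:'
sample_sweep | live_hosts
echo 'open ports in the sample scan:'
sample_scan | open_ports
```

        <p>Greppable output is stable enough for this kind of one-liner, but
        for anything that has to survive nmap upgrades prefer -oX and a real
        XML parser.</p>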

        <h2>Port scan types</h2>

        <p>TCP connect scan: completes the three-way handshake through the OS
        connect() call, so it works without root but is slower and the
        connection shows up in the target application's logs:</p>

        <pre>
        # nmap -sT 192.168.1.1
        </pre>

        <p>TCP SYN scan: half-open, the handshake is never completed. Needs raw
        sockets (root) and is the default scan type when run as root:</p>

        <pre>
        # nmap -sS 192.168.1.1
        </pre>

        <p>UDP scan: slow, because probes that get no answer are reported as
        open|filtered and have to be retried, so limit it to the ports you
        care about (here 123 NTP and 161/162 SNMP):</p>

        <pre>
        # nmap -sU -p 123,161,162 192.168.1.1
        </pre>

        <p>Fast scan of the 100 most common ports (-F) with host discovery
        skipped (-Pn treats every target as up, which is needed when the
        target drops ping probes):</p>

        <pre>
        # nmap -Pn -F 192.168.1.1
        </pre>

        <h2>Service and OS detection</h2>

        <p>Detect OS and services (-A is equivalent to -O -sV -sC --traceroute):</p>

        <pre>
        # nmap -A 192.168.1.1
        </pre>

        <p>Standard service/version detection (default probe intensity is 7):</p>

        <pre>
        # nmap -sV 192.168.1.1
        </pre>

        <p>Aggressive service detection: the intensity runs from 0 to 9 and
        defaults to 7, so a lower value is lighter, not more aggressive; 9
        tries every probe and is the same as --version-all:</p>

        <pre>
        # nmap -sV --version-intensity 9 192.168.1.1
        </pre>

        <p>Lighter, banner-grab style detection: intensity 0 sends only the
        NULL probe and the probes registered for that port number
        (--version-light is intensity 2):</p>

        <pre>
        # nmap -sV --version-intensity 0 192.168.1.1
        </pre>

        <h2>NSE Scripts</h2>


        <p>Run every NSE script in the vuln category against a host (--script
        also accepts script names, comma-separated lists and expressions such
        as "default or safe"); each script's output is printed under the port
        it ran against:</p>

        <pre>
        # nmap --script=vuln 127.0.1.1

        Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-20 22:07 UTC
        Nmap scan report for dev.box (127.0.1.1)
        Host is up (0.000028s latency).
        Not shown: 998 closed ports
        PORT   STATE SERVICE
        25/tcp open  smtp
        | smtp-vuln-cve2010-4344:
        |   Exim version: 4.85
        |   Exim heap overflow vulnerability (CVE-2010-4344):
        |     Exim (CVE-2010-4344): NOT VULNERABLE
        |   Exim privileges escalation vulnerability (CVE-2010-4345):
        |     Exim (CVE-2010-4345): NOT VULNERABLE
        |_  To confirm and exploit the vulnerabilities, run with --script-args='smtp-vuln-cve2010-4344.exploit'
        53/tcp open  domain

        Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds
        #
        </pre>

        <p>Both Exim checks come back NOT VULNERABLE here. The
        --script-args='smtp-vuln-cve2010-4344.exploit' the script suggests
        makes it actually attempt the exploit against the server instead of
        only checking the version, so leave it off unless you are authorized
        to test that host.</p>
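        <p>Across many hosts a vuln-category run produces a long report in
        which most script blocks end in NOT VULNERABLE. The script below is an
        added example, not code from the original page or from the Nmap
        project: it walks nmap's normal output with awk and prints only the
        script blocks that report a finding, keyed by host, port and script
        name. sample_vuln_report emits a constructed report (the Exim block
        from the page plus an ssl-heartbleed block in the usual vulns-library
        layout); the heartbleed entry is there only to exercise the filter and
        is not a finding on any real host.</p>

```shell
#!/bin/sh
# Added example, not code from the original page: triage `nmap --script vuln`
# normal output by printing only the script results that report a finding.
# sample_vuln_report emits a constructed report; the ssl-heartbleed block is
# invented to exercise the filter and is not the result of scanning any host.

sample_vuln_report() {
    cat <<'EOF'
Nmap scan report for dev.box (127.0.1.1)
Host is up (0.000028s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
25/tcp  open  smtp
| smtp-vuln-cve2010-4344:
|   Exim version: 4.85
|   Exim heap overflow vulnerability (CVE-2010-4344):
|     Exim (CVE-2010-4344): NOT VULNERABLE
|   Exim privileges escalation vulnerability (CVE-2010-4345):
|     Exim (CVE-2010-4345): NOT VULNERABLE
|_  To confirm and exploit the vulnerabilities, run with --script-args='smtp-vuln-cve2010-4344.exploit'
53/tcp  open  domain
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|     State: VULNERABLE
|     Risk factor: High
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
EOF
}

# Print "host port script" for every script block that contains VULNERABLE
# not preceded by NOT. A block runs from its "| name:" header to the "|_"
# line that closes it; a one-line "|_name: ..." result is handled as well.
vulnerable_findings() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /^[0-9]+\/(tcp|udp) /    { port = $1 }
        /^\|[ _][^ ]+:/          { script = $0; sub(/^\|[ _]/, "", script); sub(/:.*$/, "", script); hit = 0 }
        /VULNERABLE/ && !/NOT VULNERABLE/ { hit = 1 }
        /^\|_/                   { if (hit) print host, port, script; hit = 0 }
    '
}

sample_vuln_report | vulnerable_findings
```

        <p>Pipe a saved report into vulnerable_findings (nmap -oN keeps the
        same layout as the terminal output) to get one line per positive
        result; everything that printed NOT VULNERABLE, ERROR or plain
        informational text is dropped.</p>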

    </body>
</html>