about summary refs log tree commit diff stats
path: root/tools/nmap.html
blob: c3d53168fb7a381e4a5cbb4120916b0816682574 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>Nmap</title>
    </head>
    <body>
        <a href="index.html">Tools Index</a>
        <h1>Nmap</h1>

        <p>Nmap is powerful network analysis tool, information described
        was mostly taken from hackertarget.com 
        <a href="https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/">nmap cheatsheet</a>,
        they also have <a href="https://hackertarget.com/nmap-tutorial/">nmap tutorial</a>.</p>

        <h2>Target selection</h2>

        <p>Scan single ip address;</p>

        <pre>
        # nmap -v 192.168.1.67
        </pre>

        <p>Or by hostname;</p>

        <pre>
        # nmap -v c9.root.sx
        </pre>

        <p>Check OS and version detection;</p>

        <pre>
        # nmap -A 192.168.1.67
        # nmap -v -A 192.168.1.67
        </pre>

        <p>Discover other hosts on local lan, try -sn and -sP,
        not sure if both only disable port scan.</p>

        <pre>
        # nmap -sn 192.168.1.0/24
        </pre>

        <p>Scan a range of IPs;</p>

        <pre>
        # nmap 192.168.1.1-20
        </pre>

        <p>Scan targets from a text file;</p>

        <pre>
        # nmap -iL list-of-hosts.txt
        </pre>

        <h2>Port selection</h2>

        <p>Scan single port;</p>

        <pre>
        # nmap -p 22 192.168.1.1
        </pre>

        <p>Scan a range of ports;</p>

        <pre>
        #nmap -p 1-100 192.168.1.1
        </pre>

        <p>Scan all 65535 ports;</p>

        <pre>
        # nmap -p- 192.168.1.1
        </pre>

        <h2>Port scan types</h2>

        <p>TCP connect;</p>

        <pre> 
        # nmap -sT 192.168.1.1
        </pre>

        <p>TCP syn scan;</p>

        <pre>
        # nmap -sS 192.168.1.1
        </pre>

        <p>UDP ports;</p>

        <pre>
        # nmap -sU -p 123,161,162 192.168.1.1
        </pre>

        <p>Selected ports - ignore discovery;</p>

        <pre>
        # nmap -Pn -F 192.168.1.1
        </pre>

        <h2>Service and OS detection</h2>

        <p>Detect OS and services;</p>

        <pre>
        # nmap -A 192.168.1.1
        </pre>

        <p>Standard service detection</p>

        <pre>
        # nmap -sV 192.168.1.1
        </pre>

        <p>Aggressive service detection</p>

        <pre>
        # nmap -sV --version-intensity 5 192.168.1.1
        </pre>

        <p>Lighter banner grabbing detection;</p>

        <pre>
        # nmap -sV --version-intensity 0 192.168.1.1
        </pre>

        <h2>NSE Scripts</h2>


        <p>Check for vulnerabilities on host;</p>

        <pre>
        # nmap --script=vuln 127.0.1.1

        Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-20 22:07 UTC
        Nmap scan report for dev.box (127.0.1.1)
        Host is up (0.000028s latency).
        Not shown: 998 closed ports
        PORT   STATE SERVICE
        25/tcp open  smtp
        | smtp-vuln-cve2010-4344:
        |   Exim version: 4.85
        |   Exim heap overflow vulnerability (CVE-2010-4344):
        |     Exim (CVE-2010-4344): NOT VULNERABLE
        |   Exim privileges escalation vulnerability (CVE-2010-4345):
        |     Exim (CVE-2010-4345): NOT VULNERABLE
        |_  To confirm and exploit the vulnerabilities, run with --script-args='smtp-vuln-cve2010-4344.exploit'
        53/tcp open  domain

        Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds
        #
        </pre>

    </body>
</html>