# nmap

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FGXymQ7CtpWeyCNp7WRo8%2Fimage.png?alt=media&#x26;token=5b19c406-f5be-42fd-aadc-5aafa690d6d7" alt=""><figcaption></figcaption></figure>

```
nmap -sL -n 10.10.12.13/29
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FxThJP95uw6MnJEuDLMpm%2Fimage.png?alt=media&#x26;token=933d840a-63ed-4eed-b635-0119fb615ddf" alt=""><figcaption></figcaption></figure>

```
nmap -sL -n 10.10.0-255.101-125
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FX7VpGvwufK40KP2Zyg2W%2Fimage.png?alt=media&#x26;token=112d5899-d8ae-469b-a9bf-c635e67f61f3" alt=""><figcaption></figcaption></figure>

The <mark style="color:blue;">-PR</mark> option tells Nmap to discover hosts with ARP requests only (this only works on the local subnet).

(Remember to add `-sn` if you don’t want to follow that with a port scan.)

* TryHackMe: Nmap Live Host Discovery

```
nmap -PR -sn $IP/24
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FG1iIzTp65sk6k9oXfM2P%2Fimage.png?alt=media&#x26;token=58215781-fe9d-4adf-ab6b-6bbc3270229f" alt=""><figcaption></figcaption></figure>

The <mark style="color:blue;">-PE</mark> option tells Nmap to discover hosts with ICMP echo requests only (ICMP Type 8).

(Remember to add `-sn` if you don’t want to follow that with a port scan.)

```
sudo nmap -PE -sn $IP/24
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FxoH38NH0NsCSFrCiqbTO%2Fimage.png?alt=media&#x26;token=81a7f50e-a047-4248-8fa7-ccd699e68f00" alt=""><figcaption></figcaption></figure>

The <mark style="color:blue;">-PP</mark> option tells Nmap to use ICMP timestamp requests (ICMP Type 13).

```
sudo nmap -PP -sn 10.10.68.220/24
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F1rHWl27lo7Z1CdQNP50X%2Fimage.png?alt=media&#x26;token=d1ecf8cb-0b39-4522-8f6c-1dcaff1b4b8c" alt=""><figcaption></figcaption></figure>

The -PM option tells Nmap to use address mask queries (ICMP Type 17).

```
sudo nmap -PM -sn $IP/24
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2Fq5a8yPWYEFEyyoL8BcSY%2Fimage.png?alt=media&#x26;token=38d689f8-4091-4b00-91c5-90c498f2d44d" alt=""><figcaption></figcaption></figure>

The -PS option will use TCP SYN ping.

```
sudo nmap -PS -sn $IP/24
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F1jxuvBb3urR6Ea2Oh6hO%2Fimage.png?alt=media&#x26;token=a0d65c37-0ba3-4727-aab4-86ee64c92ee2" alt=""><figcaption></figcaption></figure>

The -PA option will use TCP ACK ping (a TCP packet with only the ACK flag set).

```
sudo nmap -PA -sn 10.10.68.220/24
```

The -PU option will use UDP ping packets to check whether the host is online.

```
sudo nmap -PU -sn $IP
```

The -sT option (connect scan) completes the full TCP three-way handshake with each port.

```
nmap -sT -oN nmap-connect 10.10.245.44
```

The -sS option performs the half-open (SYN, or "stealth") scan; it needs raw socket privileges, hence the sudo.

```
sudo nmap -sS -oN nmap-syn 10.10.202.54
```

The -sU option scans UDP ports, and -F enables fast mode, which scans fewer ports (the 100 most common instead of the default 1000).

```
sudo nmap -sU -F -oN nmap-udp 10.10.110.233
```

The -sN option (Null scan) sends a TCP packet with all six flag bits set to zero.

```
sudo nmap -sN -oN nmap-null 10.10.97.213
```

The -sF option (FIN scan) sends a TCP packet with only the FIN flag set.

```
sudo nmap -sF -oN nmap-fin 10.10.97.213
```

The -sX option (Xmas scan) will use the FIN/ACK flags.

```
sudo nmap -sX -oN nmap-xmass 10.10.97.213
```

The -sM option (Maimon scan) also uses the FIN/ACK flags.

* It exploits a vulnerability in some older Unix systems, causing them to respond with a RST (reset) packet if the port is closed, rather than ignoring the packet as expected.

```
sudo nmap -sM -oN nmap-maimon 10.10.97.213
```

The -sA option (ACK scan) sends packets with only the ACK flag set; it maps which ports are filtered by a firewall rather than which ports are open.

```
sudo nmap -sA -oN nmap-ack 10.10.19.144
```

The -sW option (Window scan) also uses the ACK flag, but it inspects the TCP window size of the RST replies to tell ports apart.

```
sudo nmap -sW -oN nmap-window 10.10.19.144
```

The -S option sets a spoofed source IP address, and -D sends the scan from a list of decoy addresses alongside your own.

* In the decoy example below, the third and fourth source IP addresses (`RND`) are assigned randomly, while the fifth (`ME`) is the attacker’s own IP address.

```
sudo nmap -S SPOOFED_IP 10.10.13.210
nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME 10.10.243.16
```

The -sI option performs an idle (zombie) scan, using the host given after it as the zombie.

```
nmap -sI 10.10.5.5 $victimIP
```

Custom scan with --scanflags (set any combination of TCP flags)

```
sudo nmap --scanflags URGACKPSHRSTSYNFIN 10.10.13.210
```

Decoy scan (`RND:5` adds five random decoy addresses)

```
nmap -D DECOY_IP,ME 10.10.13.210

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
```

The -O option attempts to detect the target's operating system.

```
sudo nmap -O -oN nmap-os 10.10.121.80
```

The -oN option saves the scan output to a file in normal format.

```
sudo nmap -oN nmap $IP
```

The -oX option saves the scan output as an XML file.

```
sudo nmap -oX nmap $IP
```
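XML is the output format meant to be consumed by other tools. As an added example (not part of the original page), here is a parser for the file that `-oX` writes, using only the standard library, plus a comparison of two scans so that newly exposed ports stand out. The two XML documents are constructed samples that mimic Nmap's element layout; they are not real scan output, and the addresses and services in them are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sS -oX nmap 10.10.202.54` writes (not real
# scan output); trimmed to the elements the parser below reads.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX nmap 10.10.202.54" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.202.54" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.10.202.55" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed re-scan of the same host: 3389 has appeared and 445 is now closed.
LATER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX nmap 10.10.202.54" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.202.54" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx"/></port>
<port protocol="tcp" portid="445"><state state="closed" reason="reset"/>
<service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server"/></port>
</ports></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"up": bool, "ports": {(proto, port): (state, service)}}}.

    Reads the elements Nmap emits for every host: <status>, the IPv4
    <address>, and each <port> with its <state> and optional <service>.
    """
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:          # IPv6-only entries are skipped in this example
            continue
        status = host.find("status")
        ports = {}
        for port in host.findall("ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            service = port.find("service")
            ports[key] = (port.find("state").get("state"),
                          service.get("name", "") if service is not None else "")
        hosts[addr.get("addr")] = {
            "up": status is not None and status.get("state") == "up",
            "ports": ports,
        }
    return hosts


def open_ports(hosts):
    """Flatten the parsed structure into sorted (ip, proto, port, service)
    tuples for the ports Nmap reported as open."""
    return sorted(
        (ip, proto, port, service)
        for ip, info in hosts.items()
        for (proto, port), (state, service) in info["ports"].items()
        if state == "open"
    )


def new_open_ports(baseline_xml, current_xml):
    """Ports open now that were not open in the baseline scan: the defender's
    'what changed since the last scan' question."""
    before = set(open_ports(parse_nmap_xml(baseline_xml)))
    after = set(open_ports(parse_nmap_xml(current_xml)))
    return sorted(after - before)


if __name__ == "__main__":
    # On real files: parse_nmap_xml(open("nmap").read()) for the file -oX wrote.
    for entry in open_ports(parse_nmap_xml(BASELINE_XML)):
        print("open:", *entry)
    for entry in new_open_ports(BASELINE_XML, LATER_XML):
        print("newly open:", *entry)
```

Keeping the XML from a known-good scan and diffing it against each new one is the cheapest way to notice a service that was not there before; the normal-format file from `-oN` is fine for reading but awkward to diff reliably.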

The -oS option will save the current nmap scan as a Script Kiddie file

```
sudo nmap -oS nmap $IP
```

The -oG option saves the scan output in grepable format.

```
sudo nmap -oG nmap $IP
```

The -iL option reads the target IPs from the list file provided.

```
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
```

Scanning multiple IPs at a time

```
sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20 | grep for | cut -d" " -f5

sudo nmap -sn -oA tnet 10.129.2.18-20 | grep for | cut -d" " -f5
```
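The `grep for | cut -d" " -f5` pipelines above pull the address out of the "Nmap scan report for" lines of the normal output. The grepable format (`-oG`, or the `.gnmap` file that `-oA` writes) exists for exactly this job and also carries the port results on one line per host. As an added example (not from the page), here is a parser for it; the sample output is constructed to mimic Nmap's grepable layout and is not a real scan.

```python
# Constructed sample of what `nmap -sS -oG tnet 10.129.2.18-20` writes (not real
# scan output). Each host gets a "Status:" line; hosts that were port-scanned get
# a second line carrying "Ports:". Fields are tab-separated, and a port entry is
# port/state/protocol/owner/service/rpcinfo/version/ .
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sS -oG tnet 10.129.2.18-20\n"
    "Host: 10.129.2.18 ()\tStatus: Up\n"
    "Host: 10.129.2.18 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//nginx/, 445/filtered/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)\n"
    "Host: 10.129.2.19 ()\tStatus: Down\n"
    "Host: 10.129.2.20 ()\tStatus: Up\n"
    "Host: 10.129.2.20 ()\tPorts: 53/open/udp//domain///\tIgnored State: closed (999)\n"
    "# Nmap done -- 3 IP addresses (2 hosts up) scanned\n"
)


def parse_grepable(text):
    """Return {ip: {"up": bool, "ports": [(port, proto, state, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # '#' comment lines carry no host data
        fields = line.split("\t")
        ip = fields[0].split()[1]             # "Host: 10.129.2.18 ()" -> the address
        entry = hosts.setdefault(ip, {"up": False, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = (value == "Up")
            elif key == "Ports":
                for spec in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version = spec.split("/")[:7]
                    entry["ports"].append((int(port), proto, state, service, version))
                entry["up"] = True            # a Ports line is only written for live hosts
    return hosts


def live_hosts(text):
    """Same answer as the grep/cut pipeline, but keyed on the Status field."""
    return [ip for ip, info in parse_grepable(text).items() if info["up"]]


def open_services(text):
    """(ip, port, proto, service) for every port reported open."""
    return [
        (ip, port, proto, service)
        for ip, info in parse_grepable(text).items()
        for port, proto, state, service, _version in info["ports"]
        if state == "open"
    ]


if __name__ == "__main__":
    # On a real run: parse_grepable(open("tnet.gnmap").read())
    print("live:", live_hosts(SAMPLE_GREPABLE))
    for ip, port, proto, service in open_services(SAMPLE_GREPABLE):
        print(f"{ip} {port}/{proto} {service}")
```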

Running the vuln script category with version detection

```
nmap 10.129.223.9 -p 80 -sV --script vuln
```

Setting the round-trip timeouts

```
sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
```

* `-T 0` / `-T paranoid`
* `-T 1` / `-T sneaky`
* `-T 2` / `-T polite`
* `-T 3` / `-T normal`
* `-T 4` / `-T aggressive`
* `-T 5` / `-T insane`

```shell-session
sudo nmap 10.129.2.0/24 -F -oN tnet.T5 -T 5
```

The -S option sends the scan from a different (spoofed) source IP; -e selects the interface to send it out of.

```
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
```

Using the DNS port (53) as the source port

{% code overflow="wrap" %}

```
# The first scan reports the port as filtered
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

# The second reports it as open, because the probes now use source port 53 (DNS)
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

# Verify it with ncat from the same source port
ncat -nv --source-port 53 10.129.2.28 50000
```

{% endcode %}
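The port only looks open in the second scan because a stateless filter in front of it accepts anything with source port 53, and that is also what fixes it: a stateful rule only admits inbound packets that answer a flow the host itself opened. As an added example (not from the page), this small model compares the two policies on the same packets and adds a detection rule for the pattern. The packets, conntrack entry and addresses are constructed; the `iptables` rules named in the comments are the real-world equivalents being modelled, not rules the page gives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


HOST = "10.129.2.28"   # the scanned host from the page

# Constructed packets. The host earlier sent a DNS query from port 41234 to its
# resolver, so a reply from 10.129.2.1:53 is legitimate. The second packet is the
# page's "--source-port 53" SYN probe aimed at port 50000.
DNS_REPLY = Packet("udp", "10.129.2.1", 53, HOST, 41234)
NMAP_PROBE = Packet("tcp", "10.10.14.5", 53, HOST, 50000, syn=True)

# Connection-tracking table as a stateful firewall would hold it: one entry per
# flow the host itself started, stored as (proto, src, sport, dst, dport).
CONNTRACK = {("udp", HOST, 41234, "10.129.2.1", 53)}


def stateless_allows(pkt):
    """The weak policy the trick relies on, the equivalent of
    `iptables -A INPUT -p udp --sport 53 -j ACCEPT` (and the same for tcp):
    anything claiming to come from port 53 is let in, no questions asked."""
    return pkt.sport == 53


def stateful_allows(pkt, conntrack):
    """The fix, the equivalent of
    `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`:
    an inbound packet is accepted only if it reverses a flow the host opened."""
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return reverse in conntrack


def is_unsolicited_syn_from_service_port(pkt, conntrack, service_ports=(53, 20)):
    """Detection rule for the same trick: a new TCP connection attempt (SYN
    without ACK) whose *source* port is a service port and that matches no flow
    we opened. Real clients use ephemeral source ports, so this is worth logging.
    The port list is an assumed example set, not a definitive one."""
    return (pkt.proto == "tcp" and pkt.syn and not pkt.ack
            and pkt.sport in service_ports
            and not stateful_allows(pkt, conntrack))


if __name__ == "__main__":
    for name, pkt in (("dns reply", DNS_REPLY), ("nmap probe", NMAP_PROBE)):
        print(f"{name:10} stateless={stateless_allows(pkt)} "
              f"stateful={stateful_allows(pkt, CONNTRACK)} "
              f"alert={is_unsolicited_syn_from_service_port(pkt, CONNTRACK)}")
```

The `--packet-trace` output of the two scans is the same evidence from the other side: the first probe gets no reply (filtered), the second gets a SYN/ACK, and the only thing that changed was the source port.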

Enumerating NFS with NSE scripts

```
sudo nmap 10.129.14.128 -p111,2049 -sV -sC
sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049
```

Enumerating SMTP with NSE scripts

```
sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
```

Enumerating MySQL with NSE scripts

```
sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
```

Brute-forcing the SID on an Oracle TNS listener

```
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
```

Checking the IPMI version with an NSE script (IPMI runs over UDP 623)

```
sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
```

Enumerating Rsync with NSE scripts

```
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
```

Enumerating RDP with NSE scripts

```
nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
```
