# nmap

<figure><img src="/files/ZUdlHYlVQ9c3YrmgBQqM" alt=""><figcaption></figcaption></figure>

The `-sL` option just lists the targets an expression expands to, without sending a single probe; `-n` skips reverse DNS so nothing leaves the box. Useful for checking a CIDR or range before scanning it.

```
nmap -sL -n 10.10.12.13/29
```

<figure><img src="/files/M0ny5ScTN52OoZipEo5k" alt=""><figcaption></figcaption></figure>

Nmap also accepts per-octet ranges; this expression expands to 256 × 25 = 6400 addresses (10.10.0.101 through 10.10.255.125).

```
nmap -sL -n 10.10.0-255.101-125
```

<figure><img src="/files/WwWUv8xStFNxfTnbbg6q" alt=""><figcaption></figcaption></figure>

The <mark style="color:blue;">-PR</mark> option tells nmap to use ARP ping only. It works only on the local subnet (ARP is not routed), but there it is the most reliable probe because hosts must answer ARP even when they drop ICMP.

(Remember to add `-sn` if you don’t want to follow that with a port scan.)

* Tryhackme nmap live host discovery

```
nmap -PR -sn $IP/24
```

<figure><img src="/files/0Z62ngmgTQInh84leAUv" alt=""><figcaption></figcaption></figure>

The <mark style="color:blue;">-PE</mark> option tells nmap to use ICMP echo request only (ICMP Type 8). Many hosts and firewalls drop these, so a missing reply does not prove the host is down.

(Remember to add `-sn` if you don’t want to follow that with a port scan.)

```
sudo nmap -PE -sn $IP/24
```

<figure><img src="/files/SedWBP8R5c2g5A4uPgjw" alt=""><figcaption></figcaption></figure>

The <mark style="color:blue;">-PP</mark> option tells nmap to use ICMP timestamp requests (ICMP Type 13). Some firewalls that block echo requests still let these through.

```
sudo nmap -PP -sn 10.10.68.220/24
```

<figure><img src="/files/eVo08JnCw58OPZFlRzBy" alt=""><figcaption></figcaption></figure>

The -PM option tells nmap to use ICMP address mask queries (ICMP Type 17). Most modern stacks ignore them, so expect fewer replies than with -PE.

```
sudo nmap -PM -sn $IP/24
```

<figure><img src="/files/E0tbX7sNiqUxYysKOWlA" alt=""><figcaption></figcaption></figure>

The -PS option uses TCP SYN ping (port 80 by default; give a list such as `-PS22,80,443` to probe others). Either a SYN/ACK or a RST reply means the host is up.

```
sudo nmap -PS -sn $IP/24
```

<figure><img src="/files/IQ2ljhJcrNJ0rW7psEEJ" alt=""><figcaption></figcaption></figure>

The -PA option uses TCP ACK ping (port 80 by default). A live host answers an unsolicited ACK with RST, and stateless firewalls that block SYN often let the ACK through.

```
sudo nmap -PA -sn 10.10.68.220/24
```

The -PU option uses UDP ping (port 40125 by default, chosen because it is almost certainly closed): a closed UDP port answers with ICMP port unreachable, which proves the host is up.

```
sudo nmap -PU -sn $IP
```

The -sT option is the TCP connect scan: it completes the full three-way handshake through the OS socket API, so it needs no root privileges, but every connection is visible to the application on the target and ends up in its logs.

```
nmap -sT -oN nmap-connect 10.10.245.44
```

The -sS option is the SYN (half-open or "stealth") scan: nmap sends a SYN, reads the SYN/ACK (open) or RST (closed), and tears the attempt down with a RST instead of completing the handshake. It needs raw sockets, hence `sudo`, and is the default scan type when running as root.

```
sudo nmap -sS -oN nmap-syn 10.10.202.54
```

The -sU option scans UDP ports; -F (fast mode) limits the scan to the 100 most common ports instead of the default 1000. UDP scans are slow because open ports usually do not reply at all, so they are reported as open|filtered unless a service banner or ICMP unreachable settles it.

```
sudo nmap -sU -F -oN nmap-udp 10.10.110.233
```

The -sN (null) scan sends a TCP packet with all six flag bits set to zero.

```
sudo nmap -sN -oN nmap-null 10.10.97.213
```

The -sF (FIN) scan sets only the FIN flag.

```
sudo nmap -sF -oN nmap-fin 10.10.97.213
```

The -sX (Xmas) scan sets the FIN, PSH and URG flags together, lighting the packet up like a Christmas tree. Null, FIN and Xmas scans are read the same way: RST means closed, no reply means open|filtered, an ICMP unreachable error means filtered. They rely on RFC 793 behaviour, so Windows and many network devices, which answer every such probe with RST, show every port as closed.

```
sudo nmap -sX -oN nmap-xmass 10.10.97.213
```

The -sM (Maimon) scan sets the FIN and ACK flags together.

* Per RFC 793 a host should answer a FIN/ACK probe with RST whether the port is open or closed, but many BSD-derived systems silently drop the probe when the port is open. Nmap therefore reports a RST as closed and no reply as open|filtered. It is a stack quirk, not a vulnerability, and on stacks that follow the RFC every port comes back closed.

```
sudo nmap -sM -oN nmap-maimon 10.10.97.213
```

The -sA (ACK) scan sends only the ACK flag. It cannot tell open from closed; it maps firewall rules instead: a RST reply means unfiltered (the probe reached the host), no reply or an ICMP error means filtered.

```
sudo nmap -sA -oN nmap-ack 10.10.19.144
```

The -sW (window) scan also sends ACK probes, but inspects the TCP window field of the RST reply: on some systems an open port answers with a positive window size and a closed port with a zero window, which turns the ACK scan's unfiltered into open/closed.

```
sudo nmap -sW -oN nmap-window 10.10.19.144
```

Spoofing the source address and using decoys: `-S` sets a spoofed source IP (replies go to that address, so you need `-e` for the interface, usually `-Pn`, and a way to sniff the replies), while `-D` hides the real scanner among decoy sources.

* In the `-D` example below the first two decoys are fixed addresses, the third and fourth (`RND`) are chosen randomly, and the fifth (`ME`) is the attacker's real address; the position of `ME` sets where the real probe sits in the sequence of decoys.

```
sudo nmap -S SPOOFED_IP 10.10.13.210
nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME 10.10.243.16
```

The -sI option runs an idle (zombie) scan: nmap probes the target with packets spoofed from a zombie host and infers port states from changes in the zombie's IP ID counter, so the target only ever sees the zombie's address. The zombie must be truly idle and use incremental, global IP IDs.

```
nmap -sI 10.10.5.5 $victimIP
```

Custom scan: `--scanflags` takes any combination of URG, ACK, PSH, RST, SYN and FIN (or a numeric flag value) to craft a probe that none of the named scan types sends; the one below sets all six.

```
sudo nmap --scanflags URGACKPSHRSTSYNFIN 10.10.13.210
```
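The flag bits behind the Null, FIN, Xmas, Maimon, ACK and Window scans above, the `--scanflags` token syntax, and the way nmap turns each reply into a port state, as an added POSIX shell example (not code from the original page or from the nmap project). The flag values are the standard TCP header bits and the state rules are the ones nmap documents for each scan type; the reply labels (`synack`, `rst`, `none`, `icmp-unreach`, `rst-win0`, `rst-winpos`) are names invented here for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): TCP flag bytes for nmap scan
# types, an nmap-style --scanflags parser, and the reply-to-state rules.

# Standard TCP flag bit values (low bit first).
tcp_flag_value() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        ECE) echo 64 ;;
        CWR) echo 128 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# Turn a --scanflags token string such as URGACKPSHRSTSYNFIN into the flag
# byte (decimal). Tokens are three letters each and may come in any order.
scanflags_byte() {
    s=$1
    total=0
    while [ -n "$s" ]; do
        tok=$(printf '%s' "$s" | cut -c1-3)
        s=$(printf '%s' "$s" | cut -c4-)
        v=$(tcp_flag_value "$tok") || return 1
        total=$((total | v))
    done
    echo "$total"
}

# Flags each scan type on this page actually sends.
scan_type_flags() {
    case "$1" in
        sS) echo SYN ;;
        sN) echo "" ;;          # Null scan: no flag bits at all
        sF) echo FIN ;;
        sX) echo FINPSHURG ;;   # Xmas scan: FIN + PSH + URG, not FIN/ACK
        sM) echo FINACK ;;      # Maimon scan
        sA|sW) echo ACK ;;      # ACK and Window scans share the probe
        *) echo "unknown scan type: $1" >&2; return 1 ;;
    esac
}

# Port state nmap reports for a scan type and the reply it got back.
# Reply labels are illustrative: synack, rst, icmp-unreach, none, rst-win0, rst-winpos.
port_state() {
    scan=$1; reply=$2
    case "$scan:$reply" in
        sS:synack) echo open ;;
        sS:rst) echo closed ;;
        sS:none|sS:icmp-unreach) echo filtered ;;
        sN:rst|sF:rst|sX:rst|sM:rst) echo closed ;;
        sN:none|sF:none|sX:none|sM:none) echo "open|filtered" ;;
        sN:icmp-unreach|sF:icmp-unreach|sX:icmp-unreach|sM:icmp-unreach) echo filtered ;;
        sA:rst) echo unfiltered ;;   # ACK scan never says open or closed
        sA:none|sA:icmp-unreach) echo filtered ;;
        sW:rst-winpos) echo open ;;  # positive window in the RST
        sW:rst-win0) echo closed ;;  # zero window in the RST
        sW:none|sW:icmp-unreach) echo filtered ;;
        *) echo "no rule for $scan with reply $reply" >&2; return 1 ;;
    esac
}

# Stand-alone run: show the flag byte each scan type puts on the wire.
for t in sS sN sF sX sM sA; do
    printf '%-3s flags=0x%02x\n' "$t" "$(scanflags_byte "$(scan_type_flags "$t")")"
done
```

Running it prints `sX flags=0x29` and `sM flags=0x11`, which is a quick way to confirm that an Xmas probe is FIN+PSH+URG and a Maimon probe FIN+ACK when reading a packet capture of your own scan.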

Decoy scan: `-D` lists decoy sources (`RND:5` generates five random ones). The decoys should be live hosts, otherwise the target may be SYN-flooded and mark everything filtered, and the trick only hides you if no router on the path drops packets with spoofed sources.

```
nmap -D DECOY_IP,ME 10.10.13.210

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
```

The -O option enables OS detection by TCP/IP stack fingerprinting. It needs raw packets (hence `sudo`) and gives reliable results only when it finds at least one open and one closed TCP port on the target.

```
sudo nmap -O -oN nmap-os 10.10.121.80
```

The -oN option saves the scan in normal (human-readable) output to the named file.

```
sudo nmap -oN nmap $IP
```

The -oX option saves the scan as XML, the format to use for tooling: it is what `xsltproc`, Metasploit's `db_import` and most nmap parsers consume.

```
sudo nmap -oX nmap $IP
```

The -oS option saves the scan in the joke "ScRipT KIdd|3" (leetspeak) format. Nothing consumes it; it is listed here for completeness.

```
sudo nmap -oS nmap $IP
```

The -oG option saves grepable output, one line per host, convenient for `grep`/`awk`/`cut` pipelines. `-oA basename` writes the normal, XML and grepable files (`.nmap`, `.xml`, `.gnmap`) in one go.

```
sudo nmap -oG nmap $IP
```

The -iL option reads targets from the given file (one per line; hostnames, CIDR blocks and ranges are all accepted). The pipeline below pulls the IPs out of the `Nmap scan report for ...` lines on stdout, while `-oA tnet` keeps the full results in tnet.nmap, tnet.xml and tnet.gnmap.

```
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
```

Scanning several targets at once: either list them separated by spaces or give a range in the last octet.

```
sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20 | grep for | cut -d" " -f5

sudo nmap -sn -oA tnet 10.129.2.18-20 | grep for | cut -d" " -f5
```
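A sturdier way to pull results out of nmap than `grep for | cut`, as an added POSIX shell example (not code from the original page or the nmap project): it keys on the tab-separated `Status:` and `Ports:` fields of `-oG` output instead of the human-readable `Nmap scan report for` line, so the same parser serves the host-discovery sweeps earlier on this page (`-PR`, `-PE`, `-PS`, ...) and port scans like the ones above. The output inside `og_sample` is constructed for the example, not captured from a real scan, and `discover_hosts` is a convenience wrapper that needs nmap and raw-socket privileges.

```shell
#!/bin/sh
# Added example: parse nmap grepable (-oG) output with awk.
# Assumes the standard -oG layout: tab-separated fields on each "Host:" line.

# Constructed sample -oG output (not from a real scan) so the parsers can be
# tried offline. .18 and .19 answer the sweep, .20 does not, .28 is port scanned.
og_sample() {
    printf '# Nmap 7.94 scan initiated as: nmap -sn -oG - 10.129.2.18-20\n'
    printf 'Host: %s ()\tStatus: %s\n' 10.129.2.18 Up 10.129.2.19 Up 10.129.2.20 Down
    printf 'Host: 10.129.2.28 (inlanefreight.htb)\tStatus: Up\n'
    printf 'Host: 10.129.2.28 (inlanefreight.htb)\tPorts: %s\tIgnored State: closed (997)\n' \
        '22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///'
    printf '# Nmap done: 4 IP addresses (3 hosts up) scanned in 1.23 seconds\n'
}

# One IP per line for every host whose Status field is "Up" (stdin -> stdout).
og_live_hosts() {
    awk -F'\t' '/^Host:/ && $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }'
}

# "ip port proto state service version" for every port entry (stdin -> stdout).
# A -oG port entry is port/state/proto/owner/service/rpcinfo/version/ .
og_ports() {
    awk -F'\t' '
    /^Host:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                printf "%s %s %s %s %s %s\n", ip, f[1], f[3], f[2], f[5], f[7]
            }
        }
    }'
}

# Only the entries nmap reported as open.
og_open_ports() {
    og_ports | awk '$4 == "open"'
}

# Live-host sweep with whichever probe you choose, e.g.:
#   discover_hosts -PR 10.10.12.0/24
#   discover_hosts -PS22,80,443 -Pn 10.10.12.0/24
# Needs nmap and raw-socket privileges; not exercised offline.
discover_hosts() {
    sudo nmap -sn -n "$@" -oG - | og_live_hosts
}

# Stand-alone run over the constructed sample.
og_sample | og_open_ports
```

Feed a real scan with `sudo nmap -sS -oG - 10.129.2.0/24 | og_open_ports`, or parse a saved `tnet.gnmap` with `og_ports < tnet.gnmap`. For anything beyond quick triage, parse the `-oX` XML instead; the grepable format is frozen and does not carry NSE script output in a structured way.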

Running the `vuln` NSE category against a single web port; `-sV` first so the scripts know which service they are talking to.

```
nmap 10.129.223.9 -p 80 -sV --script vuln
```

Tuning the RTT timeouts, i.e. how long nmap waits for a reply before retransmitting a probe. Values this low only make sense on a fast LAN; on a slow or lossy link they produce false "filtered" results.

```
sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
```

Timing templates (the usual spelling is `-T5` without the space):

* `-T 0` / `-T paranoid`: one probe at a time, 5 minutes apart (IDS evasion)
* `-T 1` / `-T sneaky`: one probe at a time, 15 seconds apart
* `-T 2` / `-T polite`: serial probes with a 0.4 s delay, to spare slow targets
* `-T 3` / `-T normal`: the default
* `-T 4` / `-T aggressive`: assumes a fast, reliable network
* `-T 5` / `-T insane`: shortest timeouts and only two retries per probe; fast, but may miss ports on a lossy link

```shell-session
sudo nmap 10.129.2.0/24 -F -oN tnet.T5 -T 5
```

The -S option sets a spoofed source address; `-e` names the interface to send on, and `-Pn`/`-n` stop nmap from trying to ping or resolve first. Replies go to the spoofed address, so this is only useful when you can sniff them (for example on the same segment) or just want to see whether the target's firewall treats that source differently.

```
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
```

Using 53 (DNS) as the source port: some stateless firewall rules let any packet in that comes from port 53, to allow DNS replies. The first scan shows the port filtered; the second, sent from source port 53, shows it open. A stateful firewall is not fooled by this.

{% code overflow="wrap" %}

```
# First scan: the port shows as filtered
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

# Second scan: the port shows as open, because the probes now come from source port 53/DNS
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

# Verify by connecting from source port 53 (needs root to bind a low port)
sudo ncat -nv --source-port 53 10.129.2.28 50000
```

{% endcode %}

Enumerating NFS with NSE (rpcbind on 111, nfsd on 2049): the `nfs*` scripts list exports, their permissions and contents. Quote the glob so the shell does not expand it against files in the current directory.

```
sudo nmap 10.129.14.128 -p111,2049 -sV -sC
sudo nmap --script "nfs*" 10.129.14.128 -sV -p111,2049
```

Checking an SMTP server for open relay with NSE: `smtp-open-relay` tries a series of sender/recipient combinations and reports which ones the server accepts.

```
sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
```

Enumerating MySQL with NSE: `-sV -sC` gets the version and defaults, and the `mysql*` scripts add users, databases and variables where the server allows it (glob quoted for the same reason as above).

```
sudo nmap 10.129.14.128 -sV -sC -p3306 --script "mysql*"
```

Brute-forcing the SID (database instance name) on an Oracle TNS listener with NSE; `--open` keeps only open ports in the output.

```
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
```

Enumerating IPMI (the BMC, e.g. HP iLO) with NSE: IPMI listens on UDP 623, so `-sU` is required; `ipmi-version` reports the supported IPMI version.

```
sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
```

Enumerating rsync with NSE: `rsync-list-modules` lists the modules (shares) the daemon exposes, which may be readable without authentication.

```
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
```

Enumerating RDP with NSE: the `rdp*` scripts report the supported security layers and encryption levels and pull NTLM information (hostname, domain, OS build) from the server.

```
nmap -sV -sC 10.129.201.248 -p3389 --script "rdp*"
```

