
NMAP

Switches

nmap -sL

List scan: lists each host of the specified network without sending any packets to the target hosts. Nmap does a reverse-DNS resolution on the hosts to learn their names.

nmap -sL 192.168.100.0-20
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 09:35 EDT
    Nmap scan report for 192.168.100.0
    Nmap scan report for 192.168.100.1
    Nmap scan report for raspberrypi (192.168.100.2)
    Nmap scan report for 192.168.100.3
    Nmap scan report for 192.168.100.4
    Nmap scan report for 192.168.100.5
    Nmap scan report for 192.168.100.6
    Nmap scan report for 192.168.100.7
    Nmap scan report for 192.168.100.8
    Nmap scan report for 192.168.100.9
    Nmap scan report for 192.168.100.10
    Nmap scan report for 192.168.100.11
    Nmap scan report for 192.168.100.12
    Nmap scan report for 192.168.100.13
    Nmap scan report for 192.168.100.14
    Nmap scan report for 192.168.100.15
    Nmap scan report for 192.168.100.16
    Nmap scan report for 192.168.100.17
    Nmap scan report for 192.168.100.18
    Nmap scan report for 192.168.100.19
    Nmap scan report for 192.168.100.20
    Nmap done: 21 IP addresses (0 hosts up) scanned in 8.50 seconds

nmap -sn

No port scan: performs host discovery only, with no port scan afterwards. This is usually known as a "ping scan".


nmap -sn 192.168.100.0-20
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 09:37 EDT
    Nmap scan report for 192.168.100.1
    Host is up (0.0031s latency).
    Nmap scan report for raspberrypi (192.168.100.2)
    Host is up (0.0027s latency).
    Nmap scan report for 192.168.100.3
    Host is up (0.0025s latency).
    Nmap scan report for 192.168.100.4
    Host is up (0.0023s latency).
    Nmap scan report for 192.168.100.5
    Host is up (0.0078s latency).
    Nmap scan report for 192.168.100.7
    Host is up (0.0015s latency).
    Nmap scan report for 192.168.100.8
    Host is up (0.0012s latency).
    Nmap scan report for 192.168.100.10
    Host is up (0.00075s latency).
    Nmap scan report for 192.168.100.11
    Host is up (0.0017s latency).
    Nmap scan report for 192.168.100.12
    Host is up (0.0015s latency).
    Nmap scan report for 192.168.100.13
    Host is up (0.0036s latency).
    Nmap scan report for 192.168.100.16
    Host is up (0.0030s latency).
    Nmap scan report for 192.168.100.17
    Host is up (0.0027s latency).
    Nmap scan report for 192.168.100.18
    Host is up (0.0025s latency).
    Nmap scan report for 192.168.100.20
    Host is up (0.0018s latency).
    Nmap done: 21 IP addresses (15 hosts up) scanned in 1.27 seconds

nmap -Pn

No ping: this option skips the discovery stage. Nmap will perform the port scans on all hosts that have been passed to it, regardless of whether each host is up or down.


nmap -Pn 192.168.100.1
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 09:38 EDT
    Nmap scan report for 192.168.100.1
    Host is up (0.0012s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https

    Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds

nmap -sS

TCP SYN scan. SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection.
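The decision rules in the paragraph above, written out as code. This is an added educational example, not Nmap's source: it sends nothing and only classifies constructed reply records (the `Response` class, `SAMPLE_RESPONSES` and the rule that replies not named in the text are ignored are all assumptions of this example).

```python
"""Port-state decision logic of a TCP SYN scan, as described in the text.

Added educational example (not Nmap code). Nothing is sent; constructed reply
records are classified the way the text describes Nmap doing it.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# ICMP destination-unreachable (type 3) codes that the text says mark a port filtered.
FILTERED_ICMP_CODES = {0, 1, 2, 3, 9, 10, 13}

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass(frozen=True)
class Response:
    """One reply to a SYN probe (constructed; only the fields the decision needs)."""
    kind: str                   # "tcp" or "icmp"
    tcp_flags: int = 0          # TCP flag bits when kind == "tcp"
    icmp_type: int = 0          # ICMP type when kind == "icmp"
    icmp_code: int = 0          # ICMP code when kind == "icmp"


def classify(responses: Sequence[Optional[Response]]) -> str:
    """Return "open", "closed" or "filtered" for one port.

    `responses` holds the reply to each transmission in order (None = no reply),
    including retransmissions, so an all-None list means the port stayed silent
    after every retry.
    """
    for r in responses:
        if r is None:
            continue                                  # wait for the retransmission
        if r.kind == "tcp":
            if r.tcp_flags & TCP_SYN and r.tcp_flags & TCP_ACK:
                return "open"                         # SYN/ACK: a listener
            if r.tcp_flags & TCP_RST:
                return "closed"                       # RST: a non-listener
            if r.tcp_flags & TCP_SYN:
                return "open"                         # bare SYN: simultaneous open / split handshake
        elif r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in FILTERED_ICMP_CODES:
            return "filtered"                         # unreachable error from a filtering device
        # Assumption of this example: any other reply is treated like no reply.
    return "filtered"                                 # silence after every retransmission


def scan_states(probe_log: Dict[int, Sequence[Optional[Response]]]) -> Dict[int, str]:
    """Classify every port in a {port: [replies per transmission]} log."""
    return {port: classify(replies) for port, replies in probe_log.items()}


def summarize(states: Dict[int, str]) -> Dict[str, int]:
    """Count ports per state, the numbers behind Nmap's "Not shown: N filtered ports" line."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for state in states.values():
        counts[state] += 1
    return counts


# Constructed reply log for five ports (not captured traffic).
SAMPLE_RESPONSES: Dict[int, Sequence[Optional[Response]]] = {
    80:   [Response("tcp", tcp_flags=TCP_SYN | TCP_ACK)],        # answered the first probe
    443:  [None, Response("tcp", tcp_flags=TCP_SYN | TCP_ACK)],  # answered the retransmission
    8080: [Response("tcp", tcp_flags=TCP_RST)],                  # RST: nothing listening
    25:   [Response("icmp", icmp_type=3, icmp_code=13)],         # administratively prohibited
    22:   [None, None, None],                                    # silent after every retry
}

if __name__ == "__main__":
    states = scan_states(SAMPLE_RESPONSES)
    for port in sorted(states):
        print(f"{port}/tcp {states[port]}")
    print(summarize(states))
```

The list-of-attempts shape matters: `443` above is only reported open because the retransmission was answered, and `22` is only called filtered because every retry stayed silent, which is why a single dropped packet does not by itself produce a "filtered" verdict.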


nmap -sS 192.168.100.1
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 09:39 EDT
    Nmap scan report for 192.168.100.1
    Host is up (0.00074s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https
    MAC Address: 6E:10:17:D1:4C:A7 (Unknown)

    Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds

nmap -sT

TCP Connect scan. TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

When SYN scan is available, it is usually a better choice. Nmap has less control over the high level connect call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned.


nmap -sT 192.168.100.1
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 09:40 EDT
    Nmap scan report for 192.168.100.1
    Host is up (0.00086s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https
    MAC Address: 6E:10:17:D1:4C:A7 (Unknown)

    Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds

nmap -p

Specifies which ports to scan


nmap -p 80,443 192.168.100.1
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 09:41 EDT
    Nmap scan report for 192.168.100.1
    Host is up (0.00064s latency).

    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https
    MAC Address: 6E:10:17:D1:4C:A7 (Unknown)

    Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

nmap -O

OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6.


nmap -O 192.168.100.2
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 09:42 EDT
    Nmap scan report for raspberrypi (192.168.100.2)
    Host is up (0.00066s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    53/tcp   open  domain
    80/tcp   open  http
    5900/tcp open  vnc
    MAC Address: B8:27:EB:7C:E1:2F (Raspberry Pi Foundation)
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.80%E=4%D=9/2%OT=22%CT=1%CU=36249%PV=Y%DS=1%DC=D%G=Y%M=B827EB%TM
    OS:=5F4FA166%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=Z%II=I%
    OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
    OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
    OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
    OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
    OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
    OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
    OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
    OS:%T=40%CD=S)

    Network Distance: 1 hop

    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 13.16 seconds
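When there is no match, Nmap prints the raw fingerprint as the wrapped "OS:" lines shown above so it can be submitted; the same text can be read locally. The parser below is an added example, not Nmap code, that unwraps those lines and splits the fingerprint into its test groups (SCAN, SEQ, OPS, WIN, ECN, T1..T7, U1, IE) and their key=value fields. `FINGERPRINT_LINES` is the fingerprint from the raspberrypi scan above; the `NAME(key=value%key=value)` layout the regex assumes is the one visible in that output.

```python
"""Parse the wrapped "OS:" fingerprint lines Nmap prints when OS detection finds no match.

Added educational example, not Nmap code. The parser is general for the
NAME(key=value%key=value) layout; the sample fingerprint is the one shown on the page.
"""
import re
from typing import Dict

# Fingerprint copied from the nmap -O output above (Raspberry Pi host).
FINGERPRINT_LINES = """\
OS:SCAN(V=7.80%E=4%D=9/2%OT=22%CT=1%CU=36249%PV=Y%DS=1%DC=D%G=Y%M=B827EB%TM
OS:=5F4FA166%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)
"""

# One test group: an upper-case name followed by a parenthesised field list.
TEST_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")


def unwrap(lines: str) -> str:
    """Drop the OS: prefix from each line and join the fragments back into one record."""
    return "".join(
        line.strip()[3:] for line in lines.splitlines()
        if line.strip().startswith("OS:")
    )


def parse_fingerprint(lines: str) -> Dict[str, Dict[str, str]]:
    """Return {test_name: {key: value}} for every test group in the fingerprint.

    Empty values (for example Q= or O=) are kept as "" because "probe answered,
    field empty" is different information from "field absent".
    """
    tests: Dict[str, Dict[str, str]] = {}
    for name, body in TEST_RE.findall(unwrap(lines)):
        fields: Dict[str, str] = {}
        if body:
            for pair in body.split("%"):
                key, _, value = pair.partition("=")
                fields[key] = value
        tests[name] = fields
    return tests


def probe_summary(tests: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Which probes drew a reply (R=Y) and which stayed silent (R=N)."""
    return {name: fields["R"] for name, fields in tests.items() if "R" in fields}


if __name__ == "__main__":
    fp = parse_fingerprint(FINGERPRINT_LINES)
    print("scanner:", fp["SCAN"]["V"], "on", fp["SCAN"]["P"])
    print("window sizes:", sorted(set(fp["WIN"].values())))
    print("probes answered:", probe_summary(fp))
```

Reading the parsed record against the output above: the `SCAN` group records the scan conditions (Nmap version, open and closed ports used, distance), `T2` and `T3` carry only `R=N` because the host never answered those probes, and the six `WIN` values all being `FE88` is the kind of regularity the database matching works on.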

nmap -T

Sets timing of the scan. The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting five minutes between sending each probe. T1 and T2 are similar but they only wait 15 seconds and 0.4 seconds, respectively, between probes. T3 is Nmap's default behavior, which includes parallelization. T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds. T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --script-timeout 10m as well as setting the maximum TCP scan delay to 5 ms.


-T0 Paranoid
-T1 Sneaky
-T2 Polite
-T3 Normal
-T4 Aggressive
-T5 Insane

nmap -oN

Requests that normal output be directed to the given filename (txt).

nmap -oX

Requests that XML output be directed to the given filename. Nmap includes a document type definition (DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal elements of the format, and often enumerates the attributes and values they can take on.
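The programmatic use the paragraph mentions, as an added example (not part of the page or of Nmap): read an -oX file into a host-to-open-ports map and compare it with an allowlist, so a port that was not expected to be listening stands out. `SAMPLE_XML` is constructed by hand using Nmap's element names (`nmaprun`, `host`, `status`, `address`, `hostnames`, `ports`, `port`, `state`, `service`) and mirrors the two hosts scanned above; `BASELINE` is a constructed allowlist, not anything from the page.

```python
"""Turn Nmap XML (-oX) into host -> open-port sets and diff them against a baseline.

Added example, not Nmap code. SAMPLE_XML and BASELINE are constructed for the
demonstration; the element and attribute names follow Nmap's XML output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

Port = Tuple[str, int]          # (protocol, port number)

# Constructed to mirror the scans of 192.168.100.1 and raspberrypi shown above.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -oX - 192.168.100.1-2" version="7.80">
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.100.1" addrtype="ipv4"/>
<hostnames/>
<ports><extraports state="filtered" count="998"/>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.100.2" addrtype="ipv4"/>
<hostnames><hostname name="raspberrypi" type="PTR"/></hostnames>
<ports><extraports state="closed" count="996"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="5900"><state state="open" reason="syn-ack"/><service name="vnc"/></port>
</ports></host>
<runstats><finished elapsed="5.18"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""

# Constructed allowlist: what each host is supposed to be serving.
BASELINE: Dict[str, Set[Port]] = {
    "192.168.100.1": {("tcp", 80), ("tcp", 443)},
    "192.168.100.2": {("tcp", 22), ("tcp", 53), ("tcp", 80)},
}


def parse_open_ports(xml_text: str) -> Dict[str, Set[Port]]:
    """Return {ipv4 address: {(protocol, port), ...}} for every host reported up.

    Only ports whose <state> is "open" are kept. <extraports> (the "Not shown"
    summary) is skipped because it carries a count, not individual port numbers.
    """
    root = ET.fromstring(xml_text)
    result: Dict[str, Set[Port]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports: Set[Port] = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr.get("addr")] = open_ports
    return result


def unexpected_open_ports(found: Dict[str, Set[Port]],
                          baseline: Dict[str, Set[Port]]) -> Dict[str, Set[Port]]:
    """Open ports absent from the allowlist; a host missing from the baseline is reported whole."""
    diff: Dict[str, Set[Port]] = {}
    for host, ports in found.items():
        extra = ports - baseline.get(host, set())
        if extra:
            diff[host] = extra
    return diff


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_XML)
    for host, extra in sorted(unexpected_open_ports(found, BASELINE).items()):
        print(host, "unexpected:", sorted(extra))
```

Run against the constructed data, the only finding is 5900/tcp (vnc) on 192.168.100.2, the one open port the allowlist does not list. The same loop works on a real `-oX` file because the parser keys on element names rather than on the line layout of normal output, which is the reason the text prefers XML for programmatic use.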

nmap -oG

This output format is covered last because it is deprecated. The XML output format is far more powerful, and is nearly as convenient for experienced users. XML is a standard for which dozens of excellent parsers are available, while grepable output is my own simple hack. XML is extensible to support new Nmap features as they are released, while I often must omit those features from grepable output for lack of a place to put them.

nmap -oA

As a convenience, you may specify -oA <basename> to store scan results in normal, XML, and grepable formats at once. They are stored in <basename>.nmap, <basename>.xml, and <basename>.gnmap, respectively. As with most programs, you can prefix the filenames with a directory path, such as ~/nmaplogs/corp/ on Unix or c:\hacking\sco on Windows.