Member-only story
Nmap Tips and Tricks
Nmap (Network MAPper) is a network port scanner with service version and operating system detection engines. The tool was originally developed by Fyodor and published in Phrack Issue 51 in 1997. The tool is command line although a number of GUIs exist. Nmap runs on a variety of platforms including Linux, *BSD, Windows, and others.
Port Scanning
Nmap uses several port scanning approaches. Table below summarizes “canned” scan types and corresponding command line flags:
- -sT: TCP Connect() Scan
- -sS: SYN Scan
- -sA: ACK Scan
- -sW: Window
- -sN: Null Scan
- -sF: FIN Scan
- -sX: XMas Scan
- -sU: UDP Scan
- -sM: Maimon Scan
- -sO: IP Protocol Scan
- -sI: host:port Idle Scan
- -b: FTP Bounce Scan
Using the above table, we can quickly generate a simple SYN scan on a Windows box:
nmap -sS 192.168.1.100Interesting ports on 192.168.1.100:
Not shown: 1692 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
MAC Address: 00:11:22:33:44:55Nmap finished: 1 IP address (1 host up) scanned in 1.347 seconds
It is often useful to know the reason for nmap’s decision on port’s state. Use option --reason to get detailed explanation:
nmap -sS 72.14.207.99 -p22,80 --reason
...
Interesting ports on eh-in-f99.google.com (72.14.207.99):
PORT STATE SERVICE REASON
22/tcp filtered ssh no-response
80/tcp open http syn-ackNmap done: 1 IP address (1 host up) scanned in 2.028 seconds
With the command line above, only default set of ports will be scanned. To scan all ports on the machine use -p flag:
nmap -sS 192.168.1.100 -p1-65535To scan a large number of machines, you may use ranges and wildcards:
nmap -sA 192.168.*.1-10,250-254The above will scan everything beginning with 192.168 and ending with either 1–10 or 250–254. The less flexible CIDR notation may also be used. Below is an example on how to perform a UDP scan on a Class C subnet:
